Saturday, June 04, 2011

You know your reputation is shot when Google starts translating “Sony” as “Joke”

Sony Europe hacked by Lebanese hacker… Again

June 4, 2011 by admin

Chester Wisniewski writes:

By my count this is unlucky hack number 13 for Sony. A Lebanese hacker known as Idahc dumped another user database at Sony Europe containing approximately 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.

Read more on Naked Security.


LulzSec: Sony was asking for it - millions of records compromised (Update)

Michael Lynton, the Chairman and Chief Executive Officer, and Amy Pascal, the Co-Chairman of Sony Pictures, issued the following statement today.

"The cybercrime wave that has affected Sony companies and a number of government agencies, businesses and individuals in recent months has hit Sony Pictures as well. Yesterday afternoon a group of criminal hackers known as "LulzSec" claimed to have breached some of our websites.

"We have confirmed that a breach has occurred and have taken action to protect against further intrusion. [We've heard that before... Bob] We also retained a respected team of experts to conduct the forensic analysis of the attack, which is ongoing.

"In addition, we have contacted the U.S. Federal Bureau of Investigation and are working with them to assist in the identification and apprehension of those responsible for this crime. We deeply regret and apologize for any inconvenience caused to consumers by this cybercrime."


Hackers target Sony, Nintendo and FBI partner Web site

Hackers went on a rampage late today, targeting Sony Europe, Nintendo, and the FBI-affiliate InfraGard Atlanta in a series of intrusions and security compromises that appears to have exposed passwords of some Sony and federal government employees.

The moves follow reports of hacks hours earlier that involved Acer Europe, Iran, NATO and the United Arab Emirates.

Kind of an interesting question: In the pantheon of hackers – ranging from the script kiddies through organized crime to government sponsored cyber-warriors – has the threat level increased for everyone?

What impact will the Sony and Infragard hacks have?

June 4, 2011 by admin

Chester Wisniewski writes:

In a self-titled hack attack called “F**k FBI Friday” the hacking group known as LulzSec has published details on users and associates of the non-profit organization known as Infragard.

Infragard describes itself as a non-profit focused on being an interface between the private sector and individuals with the FBI. LulzSec published 180 usernames, hashed passwords, plain text passwords, real names and email addresses.


Read more on Naked Security.

In its press release yesterday, LulzSec posted to Pastebin:

LulzSec versus FBI (we challenge you, NATO!)


Dear Internets,

It has come to our unfortunate attention that NATO and our good friend Barrack Osama-Llama 24th-century Obama have recently upped the stakes with regard to hacking. They now treat hacking as an act of war. So, we just hacked an FBI affiliated website (Infragard, specifically the Atlanta chapter) and leaked its user base. We also took complete control over the site and defaced it, check it out if it’s still up:

While not very many logins (around 180), we’d like to take the time to point out that all of them are affiliated with the FBI in some way. Most of them reuse their passwords in other places, which is heavily frowned upon in the FBI/Infragard handbook and generally everywhere else too.

One of them, Karim Hijazi, used his Infragard password for his personal gmail, and the gmail of the company he owns. “Unveillance”, a whitehat company that specializes in data breaches and botnets, was compromised because of Karim’s incompetence. We stole all of his personal emails and his company emails. We also briefly took over, among other things, their servers and their botnet control panel.

After doing so, we contacted Karim and told him what we did. After a few discussions, he offered to pay us to eliminate his competitors through illegal hacking means in return for our silence. Karim, a member of an FBI-related website, was willing to give us money and inside info in order to destroy his opponents in the whitehat world. We even discussed plans for him to give us insider botnet information.

Naturally we were just stringing him along to further expose the corruption of whitehats. Please find enclosed Karim’s full contact details and a log of him talking to us through IRC. Also, enjoy 924 of his internal company emails – we have his personal gmail too, unreleased.

We call upon journalists and other writers to delve through the emails carefully, as we have uncovered an operation orchestrated by Unveillance and others to control and assess Libyan cyberspace through malicious means: the U.S. government is funding the CSFI to attack Libya’s cyber infrastructure. You will find the emails of all 23 people involved in the emails.

Unveillance was also involved in a scheme where they paid an Indian registrar $2000 to receive 100 domains a month that may be deemed as botnet C&Cs. Shameful ploys by supposed “whitehats”.

We accept your threats, NATO. Game on, losers.

Now we are all sons of bitches,

Lulz Security

Links to the chat log and Karim’s email followed the text above.

The recent hacks by LulzSec have generated mixed reactions. On the one hand, there are those who appear to be reveling in the hacks and the group’s apparently successful attempts to embarrass Sony. On the other hand, there are those who point out that people’s personal information is being exposed and that they have become victims/pawns in the campaign to embarrass others.

Undoubtedly the Secret Service will be all over these hacks. But where does Congress go from here? Will they look at the recent spate of attacks and take it as a wake-up call to impose serious security and data protection/retention requirements on businesses or entities that collect and store personally identifiable information? Or will they look at everything and say, “Well, woe, maybe we shouldn’t be too harsh because if it’s happening to even well-funded operations, what chance do small businesses have to provide adequate security?”

And what will consumers make of all this? Will they do anything differently going forward in terms of not reusing passwords across sites or not giving their real data to entities if it’s not really needed? Are consumers becoming numb to breaches and going into a learned helplessness pattern instead of taking action to change the future?

I'm sure some of my students thought (at the beginning of the class) that I'm the only one in the world who thinks about security breaches like this.

Global Financial Aid Services reports a completely avoidable security breach

June 3, 2011 by admin

For those who remember the Peter, Paul, and Mary song, feel free to sing along with me: “When will they ever learn? Oh when will they ever learn?”

Global Financial Aid Services of Gulfport, Mississippi recently notified the New Hampshire Attorney General’s Office that a laptop containing unencrypted student names, addresses, and Social Security Numbers was stolen.

By letter dated May 23, GFAS noted that the theft occurred April 17 in a hotel conference area during a symposium in Hawaii.

The total number of students affected by the breach was not indicated, but the letter to affected students is irritating to this privacy advocate, to say the least. First, the letter claims that “We have taken steps to address it [the security situation] out of an abundance of caution.” How is notifying people that they are now at increased risk or reminding your employees of proper security measures and protocols an “abundance of caution?” It’s not.

Second, the letter tells the affected students, “The laptop is equipped with technology designed to prevent unauthorized access and we have no evidence your information has been accessed.” What technology are they referring to? The password on the computer or something else? In their cover letter to the state, they do not indicate that the laptop was equipped with any software that would enable them to determine if the contents of the drive were accessed. So is this just a fancy way of making a simple password sound more protective than it really is or do they really have some genuine security technology on the laptop?

Third, although the cover letter to the state indicates that students’ addresses were on the laptop, the letter to students makes no mention of their addresses, and tells them that their “[client] account number, social security number and name” were stored on the computer. The cover letter to the state does not inform the state that client account numbers were also involved.

So no, I am not impressed at all by the breach notification and disclosure. And why, oh why, are we still seeing students’ Social Security Numbers in use for purposes that have nothing to do with Social Security, and why, oh why, are we still seeing laptops with unencrypted data being stolen? Enough already…

/End of Rant

Is there a proper (ethical) way to avoid an “Arab Spring?” What would define a legitimate grassroots protest v. an “AstroTurfed” attempt to discredit a legitimate government? Seems a question we should have an answer for...

Syria Drops Off the Internet As Turmoil Spikes

"In what appears to be the latest bid by a government to throttle access to news and information amid growing civil unrest, the Syrian government Friday shut down all Internet services. Internet monitoring firm Renesys reported that starting around 7 a.m. EDT today, close to two-thirds of all Syrian networks were suddenly unreachable from the global Internet. In just 30 minutes, routes to 40 of 59 Syrian networks were withdrawn from the global routing table, Renesys' chief technology officer James Cowie said in a blog post. The shutdown has affected all of SyriaTel's 3G mobile data networks as well as several of the country's ISPs, such as Sawa, INET and Runnet. Also down are the Damascus city government page and the customs web site. The only networks that appear to be somewhat reachable are a handful of government-owned networks such as one belonging to Syria's Oil Ministry, Cowie noted. 'We don't know yet how the outage was coordinated, or what specific regions or cities may be affected more than others,' Cowie wrote. 'If Egypt and Libya are any guide, one might conclude that events on the street in Syria are reaching a tipping point.'"
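The Renesys observation above (40 of 59 networks withdrawn within 30 minutes) is the kind of signal a routing monitor watches for. The following is an added example, not Renesys' tooling: a small detector that replays a constructed BGP update feed for a set of monitored prefixes (TEST-NET addresses, not real Syrian networks) and flags the first moment the share of prefixes withdrawn inside a time window, and not re-announced since, crosses a threshold. The window, threshold and feed format are assumptions of the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed monitor: ten prefixes standing in for one country's networks
# (TEST-NET-3 addresses, not real Syrian prefixes).
MONITORED: Set[str] = {f"203.0.113.{i}/32" for i in range(10)}

# Constructed BGP update feed (not Renesys data): (UTC time, prefix, action),
# "W" = route withdrawn, "A" = route announced. One prefix flaps early and is
# restored; seven others are withdrawn inside a half-hour span.
UPDATES: List[Tuple[str, str, str]] = [
    ("2011-06-03T10:00:00", "203.0.113.0/32", "W"),
    ("2011-06-03T10:05:00", "203.0.113.0/32", "A"),
    ("2011-06-03T11:00:00", "203.0.113.1/32", "W"),
    ("2011-06-03T11:05:00", "203.0.113.2/32", "W"),
    ("2011-06-03T11:10:00", "203.0.113.3/32", "W"),
    ("2011-06-03T11:12:00", "203.0.113.4/32", "W"),
    ("2011-06-03T11:15:00", "203.0.113.5/32", "W"),
    ("2011-06-03T11:20:00", "203.0.113.6/32", "W"),
    ("2011-06-03T11:25:00", "203.0.113.7/32", "W"),
    ("2011-06-03T11:30:00", "198.51.100.9/32", "W"),  # not monitored: ignored
]


def _parse(ts: str) -> datetime:
    # ISO-8601 timestamps also sort correctly as plain strings, which the
    # sorted() calls below rely on.
    return datetime.fromisoformat(ts)


def reachable_after(updates: List[Tuple[str, str, str]], monitored: Set[str]) -> Set[str]:
    """Replay the feed and return the monitored prefixes still in the table."""
    reachable = set(monitored)
    for _ts, prefix, action in sorted(updates):
        if prefix not in monitored:
            continue
        if action == "W":
            reachable.discard(prefix)
        elif action == "A":
            reachable.add(prefix)
    return reachable


def detect_mass_withdrawal(
    updates: List[Tuple[str, str, str]],
    monitored: Set[str],
    window: timedelta,
    threshold: float,
) -> Optional[Tuple[str, int]]:
    """Return (time, count) at the first update where the prefixes withdrawn
    within `window` and not re-announced since reach `threshold` of the
    monitored set; None if the feed never crosses it. A re-announcement
    removes the prefix from the count, so ordinary route flapping does not
    trigger the alert."""
    withdrawn_at: Dict[str, datetime] = {}
    for ts, prefix, action in sorted(updates):
        if prefix not in monitored:
            continue
        now = _parse(ts)
        if action == "A":
            withdrawn_at.pop(prefix, None)
            continue
        withdrawn_at[prefix] = now
        recent = sum(1 for t in withdrawn_at.values() if t >= now - window)
        if recent / len(monitored) >= threshold:
            return ts, recent
    return None


if __name__ == "__main__":
    print("still reachable:", sorted(reachable_after(UPDATES, MONITORED)))
    print("alert:", detect_mass_withdrawal(UPDATES, MONITORED, timedelta(minutes=30), 0.6))
```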

(Related) But unlikely to be influential...

U.N. Report Declares Internet Access a Human Right

A United Nations report said Friday that disconnecting people from the internet is a human rights violation and against international law.

The report railed against France and the United Kingdom, which have passed laws to remove accused copyright scofflaws from the internet. It also protested blocking internet access to quell political unrest (.pdf).


Anonymous steals 10,000 Iranian government emails, plans DDoS attack

Anonymous has hacked into Iranian government servers and procured over 10,000 email messages from the Ministry of Foreign Affairs.

The Ministry’s website is still down as of this writing, and the servers are under Anonymous control. One of the Iranian members of Anonymous involved with the operation sent me a message from the compromised email servers as evidence that they were still under Anonymous control.

While email addresses can be spoofed, the collection of 10,000 emails is a pretty good indication that they have no need for spoofing.


China Calls US Culprit In Global 'Internet War'

On Wednesday we discussed news of Google's accusation that sources originating in China were interfering with Gmail using malware and phishing techniques, targeting Chinese political activists, US government officials, military personnel, and others. In response to the accusations, a Chinese official denied government involvement in the attacks, while the US government indicated they would investigate the matter. The attacks were more sophisticated than a typical phishing attempt, they involved Yahoo and Hotmail as well, and they have likely been going on for months. Now, according to a CBS report, "The Chinese military accused the US on Friday of launching a global 'Internet war' to bring down Arab and other governments, redirecting the spotlight away from allegations of major online attacks on Western targets originating in China."

Some ideas for securing your Internet use...

How the Epsilon Breach Hurts Consumers

June 3, 2011 by admin

Yesterday, following the Congressional hearing where Sony and Epsilon testified, we had a bit of a lively – if truncated – debate on Twitter about breach notification. Not surprisingly, George V. Hulme raised the issue of breach notice fatigue and how notifications should be confined to situations where there is some real risk.

Also not surprisingly, I disagreed with him, as did Douglas Davidson and Adam Shostack.

Deciding that this would take more than 140 characters, Adam cleverly blogged about the issue. You can read his commentary, How the Epsilon Breach Hurts Consumers on the New School of Information Security Blog.

As someone who also uses vendor-specific email addresses, I agree with Adam completely. And what really concerns me is that under existing laws, Epsilon’s clients were seemingly not obligated to notify us at all about the breach. We need to fix that. Maybe to prevent breach fatigue we need a tiered system like the color alert levels, [No, no, no, no, no! That's a level fuchsia bad idea! Bob] but I do think consumers need to be notified so that they can make informed decisions.

“Half the world is below average”

June 03, 2011

Tenth Study by the Digital Future Project Finds High Levels of Concern about Corporate Intrusion in Personal Lives

Press Release and Highlights: "The annual study of the impact of the Internet on Americans conducted by the Center for the Digital Future found that almost half of Internet users age 16 and older -- 48 percent -- are worried about companies checking their actions on the Internet. By comparison, the new question for the Digital Future Study found that only 38 percent of Internet users age 16 and older are concerned about the government checking what they do online."

Speaking of “below average”: “We're the government. We ain't gotta follow no rules!” OR “I'll huff and I'll puff and I'll disrupt Social Security payments just before the next election.” Murphy

Tornado Risk Seen for Social Security Project

June 3rd, 2011 : Rich Miller

The recent outbreak of powerful and deadly tornadoes across the United States raises a question: Should data centers be engineered to survive stronger wind storms? Curiously, the Social Security Administration has moved in the other direction. The SSA has elected to build its new $800 million data center to withstand wind speeds of only 90 miles an hour, rather than the 120 miles an hour standard common in most mission critical facilities.

Could the Court compel me to list my garage sale items on Craig's List?

Court Demands American Airlines List Its Flights On Orbitz

"American Airlines, which removed its flights from late last year, was ordered by a Chicago court on Thursday to allow the travel site access to its flight and fare information. American Airlines filed an anti-trust suit against Travelport in December, claiming that the company, which owns just under half of Orbitz's shares and runs the service compiling fare information for travel site, was trying to control the sale of tickets. Before the lawsuit, a considerable amount of American's revenue had been coming from tickets booked through Orbitz and Travelport."

Gary Alexander understands that I have Ethical Hacking students who might find this academically interesting... (and this qualifies him for 10% of my 10%)

FaceNiff Is a Hacker's Dream for Android Users

… The only prerequisite for FaceNiff is a rooted Android phone. Once installed, the app will tear through the Wi-Fi network for any accounts that are logged in. Protected networks aren't safe from this, as FaceNiff can access WEP, WPA, and WPA2 Wi-Fi networks.

The developer put a disclaimer at the top of the FaceNiff site. "Legal notice: this application is for educational purposes only. Do not try to use it if it's not legal in your country."

(Related) Gary also sent this one...

Five Security Apps That Can Help Recover a Stolen Laptop

Friday, June 03, 2011

The world, according to Sony (and Epsilon)

Lawmakers Question Sony, Epsilon on Data Breaches

June 2, 2011 by admin

Grant Gross reports:

Recent data breaches at Sony’s PlayStation Network and at e-mail service provider Epsilon will lead to legislation focused on improving cybersecurity at U.S. companies, the chairwoman of a U.S. House of Representatives subcommittee said Thursday.

Representative Mary Bono Mack, a California Republican, said she will soon introduce legislation focused on ensuring that companies holding personal data secure it. [What a concept! (but shouldn't the Board of Directors already require that?) Bob] Although she didn’t provide many details, the legislation will include a data breach notification requirement, Bono Mack said during a hearing of the House Energy and Commerce Committee’s trade subcommittee.

Read more on PCWorld.

[From the article:

Companies need U.S. government support to fight cyber-attacks, Schaaff added. "Despite spending millions of dollars to secure your networks, despite all of the best efforts known to us, our networks are not 100 percent protected," he said. "It's a process that requires continual investment. I think without additional support from the government, it's unlikely that we will all, collectively, be successful, and that will threaten the livelihood of the growing Internet economy." [“Give us a tax break for doing what we should be doing...” Bob]

[For written testimony and the webcast:

(Related) So bad, they get their own acronym! I wonder if this came up in their testimony?

YASH (Yet Another Sony Hack)

June 2, 2011 by admin

From the this-can’t-be-good dept. and the folks at Lulz Security:

Greetings folks. We’re LulzSec, and welcome to Sownage. Enclosed you will find various collections of data stolen from internal Sony networks and websites, all of which we accessed easily and without the need for outside support or money.

We recently broke into and compromised over 1,000,000 users’ personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 “music codes” and 3.5 million “music coupons”.

Due to a lack of resource on our part (The Lulz Boat needs additional funding!) we were unable to fully copy all of this information, however we have samples for you in our files to prove its authenticity. In theory we could have taken every last bit of information, but it would have taken several more weeks. [See why I'm always complaining about bandwidth? Bob]

Our goal here is not to come across as master hackers, hence what we’re about to reveal: was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?

What’s worse is that every bit of data we took wasn’t encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it. This is disgraceful and insecure: they were asking for it.

This is an embarrassment to Sony; the SQL link is provided in our file contents, and we invite anyone with the balls to check for themselves that what we say is true. You may even want to plunder those 3.5 million coupons while you can.

Included in our collection are databases from Sony BMG Belgium & Netherlands. These also contain varied assortments of Sony user and staffer information.

Follow our sexy asses on twitter to hear about our upcoming website. Ciao! ^_^

Files and materials linked from LulzSecurity. Depressingly, I note a number of .gov email addresses with plaintext passwords in one of the databases they have released. I hope those folks do not re-use passwords across sites and their work computer or this could be even more problematic.
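The two failings the release above calls out, a login query built from user input and a customer table holding passwords in plaintext, are worth seeing side by side. The following is an added example, not Sony's code or LulzSec's: a vulnerable login that pastes input into SQL and compares against a plaintext column, next to a hardened login that binds parameters and verifies a salted hash. The table, account and PBKDF2 work factor are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed demo account (not Sony data). The table stores the password both
# in plaintext and as a salted hash so the two login paths can be compared.
DEMO_EMAIL = "alice@example.com"
DEMO_PASSWORD = "correct horse battery"
PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, encoded as 'salthex$digesthex' (assumed scheme)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db() -> sqlite3.Connection:
    """In-memory users table holding the one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, pw_plain TEXT, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        (DEMO_EMAIL, DEMO_PASSWORD, hash_password(DEMO_PASSWORD)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """The anti-pattern: the input is spliced into the SQL text, so quote
    characters in it change the query's logic, and the comparison is made
    against a plaintext password column that a table dump hands out as-is."""
    sql = (
        "SELECT 1 FROM users WHERE email = '" + email
        + "' AND pw_plain = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Parameterised query: the driver binds the input as a value, never as
    SQL text, and the row holds only a salted hash, so a dumped table does
    not yield the password the way the plaintext column does."""
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    return row is not None and verify_password(row[0], password)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, right password:", login_vulnerable(db, DEMO_EMAIL, DEMO_PASSWORD))
    print("hardened, right password:  ", login_hardened(db, DEMO_EMAIL, DEMO_PASSWORD))
    print("hardened, wrong password:  ", login_hardened(db, DEMO_EMAIL, "wrong"))
```

The stored hash column never equals the password itself, so a SELECT over the table does not reproduce what the plaintext column leaks.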

(Related) And an article about what you should do if you've been “Sony'd”

Six tips for surviving the Sony breach

1. Beware of fraudulent e-mails.

2. Use a different e-mail for "junk."

3. Look out for fraudulent calls.

4. Use a unique password for every account.

5. Change your security questions.

6. Don't give up information in the first place.

How Korea will do it... Perhaps the US Congress could learn something?

Korea Announces Regulations to Personal Information Protection Act

June 2, 2011 by Dissent

As reported by Kwang Hyun Ryoo and Ji Yeon Park of Bae, Kim & Lee LLC in Korea, on May 24, 2011, the government of South Korea published draft regulations to the Personal Information Protection Act (“PIPA”), the Republic’s new omnibus data protection law.

As we previously reported, PIPA was enacted on March 29, 2011, after past privacy legislation had languished in the Korean Parliament. The recently published regulations (an Enforcement Decree and Enforcement Regulations) apply to any “handler of personal information” or “data handler,” which is any entity that uses personal information for business purposes.

Read more on Hunton & Williams Privacy and Information Security Law Blog.

[From the article:

Data handlers create and adhere to administrative and technical security procedures at each place of business where personal information is handled.

… Furthermore, the Regulations impose mandatory contractual provisions for data handler and sub-contractor agreements and require public disclosure of these relationships.

California again takes the lead in education – but not about sexting... (If ever an article lent itself to double entendre... )

California Senate: Schools can expel for sexting

I'm not sure the kids are going to like this.

At least not the kids in California. For it seems the California Senate has, with a show of hands that left none hanging, decided to add sexting to the list of bad behavior for which a student can be expelled from school.

In a move that seemed designed to avoid too much naked publicity, the Associated Press reported that the Senate passed a bill Tuesday that specifically cited sexting and defined it as "the sending or receiving of sexually explicit pictures or video images by means of an electronic act."

Should you be a parent, or should you, indeed, be a school student sitting with your cell phone with little to do, you might be wondering just how extensive the Senate's delineation might be.

Well, the ever-helpful AVN reports that the bill actually amends California's Education Code.

This limits schools' ability to expel to the following areas:

1. While on school grounds.

2. While going to or coming from school.

3. During the lunch period whether on or off the campus.

4. During, or while going to or coming from, a school sponsored activity.

Oh, and there's another subsection that the sexting has to be "directed specifically toward a pupil or school personnel."

Sharp minds will be immediately wafting through the nuances of all this. My blunt one suggests that it might still be just fine for, say, a 14-year-old to text a naked picture of himself to anyone, so long as the recipient has nothing to do with the school.

So will this cause scenes in which schools not only attempt to discover what students are sending but also try to ascertain whether the recipient is on their verboten list? Some might find this very slightly icky.

However, Democratic Senator Ted Lieu told the AP that sexting is a vast problem, so much so that one study declared that 20 percent of teens have either sexted or received sexts. However, how much of that sexting activity was, in fact, between teens in the same school?

I'm sure there's a perfectly logical explanation...

Judge Finds Cisco, US Authorities Deceived Canadian Courts

"The Vancouver Sun reports that 'The giant computer company Cisco and US prosecutors deceived Canadian authorities and courts in a massive abuse of process to have a former executive thrown in jail, says a B.C. Supreme Court judge.' Peter Adelkeye was arrested last year as he was testifying in a special hearing in Vancouver. It turns out he was there because US authorities would not grant him permission to enter the US to testify in a civil case between him and Cisco. The Canadian judge said that almost nothing in the US Attorney's letter was true, and has overturned his extradition order. Slashdot discussed this case in April."

About time.

June 02, 2011

More than 4,000 National Academies Press PDFs Now Available to Download for Free

News release: "The National Academies—National Academy of Sciences, National Academy of Engineering, Institute of Medicine, and National Research Council—are committed to distributing their reports to as wide an audience as possible. Since 1994 we have offered “Read for Free” options for almost all our titles. In addition, we have been offering free downloads of most of our titles to everyone and of all titles to readers in the developing world. [Now taxpayers can enjoy the same benefits as citizens of third world countries! Bob] We are now going one step further. Effective June 2nd, PDFs of reports that are currently for sale on the National Academies Press (NAP) Website and PDFs associated with future reports* will be offered free of charge to all Web visitors. For more than 140 years, the NAS, NAE, IOM, and NRC have been advising the nation on issues of science, technology, and medicine. Like no other collection of organizations, the Academies enlist the nation’s foremost scientists, engineers, health professionals, and other experts to address the scientific and technical aspects of society’s most pressing problems. The results of their work are authoritative and independent studies published by the National Academies Press. NAP produces more than 200 books a year on a wide range of topics in science, engineering, and health, capturing the best-informed views on important issues."

For my Ethical Hackers... Extra points for “the Tweet most likely to result in a heart attack”

“Please call to arrange a time for your audit.”

TweetForger: Create A Fake Tweet From Any Twitter User

As the name suggests, TweetForger lets you create a tweet that can make people think it came from somebody else’s account.

All you need to do is tell the tool which Twitter handle you want to forge, and write the tweet. Once generated, the tweet will look exactly like it’s coming from the original account. It won’t appear in any Twitter streams but will look completely real for a few seconds before a huge message drops down declaring that it is a forged tweet. [We can remove that... Bob] The tool gives you a permanent URL for each tweet so you can share it with friends.

Also for my Ethical Hackers:

How To Find Files Online Without Having To Use P2P Software


EFF Publishes Study On Browser Fingerprinting

"The Electronic Frontier Foundation investigated the degree to which modern web browsers are susceptible to 'device fingerprinting' via version and configuration information transmitted to websites. They implemented one possible algorithm, and collected data from a large sample of browsers visiting their Panopticlick test site, which we've discussed in the past. According to the PDF describing the study, browsers that supported Flash or Java on average supplied at least 18.8 bits of identifying information, and 94.2% of those browsers were uniquely identifiable in their sample. My own browser was uniquely identifiable from both the list of plugins and available fonts, among 1,557,962 browsers tested so far."
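The "bits of identifying information" figure in the EFF study is the self-information of a fingerprint: how rare the visitor's combination of attributes is in the observed population. The following is an added example, not the Panopticlick code: it computes per-attribute surprisal, attribute entropy, the combined bits for a full fingerprint and the share of visitors who are unique, over a constructed sample of eight browsers whose attribute names and values are assumptions of the example.

```python
import math
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed sample of eight browser fingerprints (not the EFF's data). Each
# record holds the kind of values a Panopticlick-style test page reads from
# the browser: User-Agent, plugin list, detected fonts and timezone offset.
KEYS: Tuple[str, ...] = ("user_agent", "plugins", "fonts", "tz")
SAMPLE: List[Dict[str, str]] = [
    {"user_agent": "Firefox/4.0", "plugins": "Flash,Java", "fonts": "Arial,Verdana", "tz": "-5"},
    {"user_agent": "Firefox/4.0", "plugins": "Flash,Java", "fonts": "Arial,Verdana", "tz": "-5"},
    {"user_agent": "Firefox/4.0", "plugins": "Flash", "fonts": "Arial,Verdana", "tz": "-5"},
    {"user_agent": "Firefox/4.0", "plugins": "Flash,Java", "fonts": "Arial,Verdana,Calibri", "tz": "0"},
    {"user_agent": "Chrome/11", "plugins": "Flash,Java,PDF", "fonts": "Arial,Verdana", "tz": "-8"},
    {"user_agent": "Chrome/11", "plugins": "Flash,PDF", "fonts": "Arial,Verdana,Calibri", "tz": "-5"},
    {"user_agent": "Safari/5", "plugins": "QuickTime", "fonts": "Helvetica,Arial", "tz": "-5"},
    {"user_agent": "IE/8", "plugins": "Flash", "fonts": "Arial,Calibri", "tz": "9"},
]


def _signature(fp: Dict[str, str], keys: Sequence[str]) -> Tuple[str, ...]:
    return tuple(fp[k] for k in keys)


def surprisal_bits(sample: List[Dict[str, str]], key: str, value: str) -> float:
    """Self-information -log2 P(value): bits a site learns from one attribute."""
    counts = Counter(fp[key] for fp in sample)
    return -math.log2(counts[value] / len(sample))


def attribute_entropy(sample: List[Dict[str, str]], key: str) -> float:
    """Shannon entropy of one attribute across the sample (expected surprisal)."""
    n = len(sample)
    counts = Counter(fp[key] for fp in sample)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fingerprint_bits(sample: List[Dict[str, str]], fp: Dict[str, str],
                     keys: Sequence[str] = KEYS) -> float:
    """Identifying bits in the whole fingerprint: -log2 of the share of the
    sample whose full attribute tuple matches. Attributes are correlated
    (a plugin list implies a browser family), so this is usually less than
    the sum of the per-attribute surprisals and never more than log2(n)."""
    counts = Counter(_signature(x, keys) for x in sample)
    return -math.log2(counts[_signature(fp, keys)] / len(sample))


def uniqueness_rate(sample: List[Dict[str, str]], keys: Sequence[str] = KEYS) -> float:
    """Fraction of the sample whose fingerprint is shared with nobody else."""
    counts = Counter(_signature(x, keys) for x in sample)
    return sum(1 for x in sample if counts[_signature(x, keys)] == 1) / len(sample)


def report(sample: List[Dict[str, str]], fp: Dict[str, str],
           keys: Sequence[str] = KEYS) -> Dict[str, float]:
    """Per-attribute surprisal for one visitor, plus the combined figure."""
    out = {k: surprisal_bits(sample, k, fp[k]) for k in keys}
    out["combined"] = fingerprint_bits(sample, fp, keys)
    return out


if __name__ == "__main__":
    for k in KEYS:
        print(f"entropy of {k}: {attribute_entropy(SAMPLE, k):.2f} bits")
    print("unique visitors:", uniqueness_rate(SAMPLE))
    print("last visitor:", report(SAMPLE, SAMPLE[-1]))
```

Running the same functions over real visit logs shows which attribute a privacy engineer should reduce first (the one with the highest entropy), which is how the study ranks plugins and fonts above the rest.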

For my Data Mining and Data Analysis students. An interesting summary...

Too Much Data? Then 'Good Enough' Is Good Enough

"While classic systems could offer crisp answers due to the relatively small amount of data they contained, today's systems hold humongous amounts of data content — thus, the data quality and meaning is often fuzzy. In this article, Microsoft's Pat Helland examines the ways in which today's answers differ from what we used to expect, before moving on to state the criteria for a new theory and taxonomy of data."

An interesting Cloud application...

CodeGuard Raises $500K To Monitor And Protect Websites

CodeGuard, which was the audience choice winner from Startup Alley, helps protect and monitor websites from attacks and data thefts. The startup provides a virtual version control system and stores site data in the cloud. Backups are stored hourly or daily, allowing users to see what files have changed. If there is a hack or suspicious change in data, webmasters can quickly revert to the last known “clean” version.

Is it time to call your Broker?

Groupon’s IPO Filing Reveals Incredible Growth And $2.6 Billion Revenue Run-Rate (Charts)

Groupon finally filed for its IPO today and now we can see its finances laid bare (click for full financial table). Groupon has been growing at an astounding rate. Last year, its revenues grew more than 22,000 percent to $713 million. And in the first quarter of 2011 alone, it nearly matched all of its revenue from last year with $644 million in sales, up 13,575 percent from a year ago.

Thursday, June 02, 2011

Expect this number to grow... Why else would you steal the keys?

Three military contractors linked to post-RSA attacks

So far this week, the news has focused on Lockheed Martin and L-3, two military contractors who appear to have suffered targeted attack attempts in the wake of the massive breach at RSA earlier this year. Now, a third contractor has emerged, as insiders place Northrop Grumman on the list.

So... An Act of War or some curious kid writing a report on “How people use G-mail?”

Google reveals breaches; reminds users how to stay safe online

June 1, 2011 by admin

Eric Grosse posted the following to Google’s blog today:


Through the strength of our cloud-based security and abuse detection systems*, we recently uncovered a campaign to collect user passwords, likely through phishing. This campaign, which appears to originate from Jinan, China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.

The goal of this effort seems to have been to monitor the contents of these users’ emails, with the perpetrators apparently using stolen passwords to change peoples’ forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.)

Google detected and has disrupted this campaign to take users’ passwords and monitor their emails. We have notified victims and secured their accounts. In addition, we have notified relevant government authorities.

It’s important to stress that our internal systems have not been affected—these account hijackings were not the result of a security problem with Gmail itself. But we believe that being open about these security issues helps users better protect their information online.


If you use Gmail, do see their advice/instructions in the blog to secure your account.

(Related) If they do anything in another country, is it an Act of War?

UK Plans Cyber Weapons Program

"The Ministry of Defence says they are working on a range of offensive cyber weapons to increase the country's defensive capabilities. The armed forces minister, Nick Harvey, says, 'The consequences of a well planned, well executed attack against our digital infrastructure could be catastrophic. With nuclear or biological weapons, the technical threshold is high. With cyber the finger hovering over the button could be anyone from a state to a student.'"

(Related) Who teaches “Un-ethical Hacking?”

North Korea Training "Cyberwarriors" Abroad

"A North Korean defector claims that the secretive totalitarian state is nurturing a team of "cyberwarriors," identifying young people with computer skills and sending them abroad to learn the latest hacking techniques, while lavishing privileges on their families at home to keep them loyal. This could lead to an escalation in tensions, especially given that the US military believes that cyberattacks from foreign countries constitute acts of war."

Good news....

PlayStation Store back online

Sony flipped the switch tonight to bring the last remaining piece of its PlayStation Network back online, the PlayStation Store.

...Bad news? For debate: Sony should ignore these braggarts...

Tupac hackers to Sony: 'Beginning of the end'

A group that made headlines for hacking the PBS Web site earlier this week is apparently turning its attention to Sony.

The group known as LulzSec has been promising Sony attacks since this past weekend when it posted to its Twitter account that it is engaged in an operation it calls "Sownage," shorthand for Sony Ownage. The group stated at the time that it was working on hatching a plan that would be the "beginning of the end" for Sony. It has yet to reveal what it has planned. But yesterday the group said that the attack was already under way, seemingly without Sony's knowledge.

"Hey @Sony, you know we're making off with a bunch of your internal stuff right now and you haven't even noticed?" LulzSec tweeted. "Slow and steady, guys."

Is this a record?

Cashing in on privacy breaches

June 2, 2011 by Dissent

Terry Baynes reports:

The hacking of a Sony Corp customer database this spring has attracted class-action lawyers and consumers eager to cash in on the high-profile privacy breach. At least 40 lawsuits have been filed–including at least two this week–on behalf of millions of Sony PlayStation users in federal courts, according to Westlaw data.


Take a look at some of the most notable privacy settlements from recent years, and what the settlements were worth to the lawyers and plaintiffs.

Read more on Thomson Reuters.


Honda Data Breach Triggers Lawsuit [repost]

June 1, 2011 by admin

[repost] Mathew J. Schwartz reports:

… As with the Sony breach, lawyers for Honda customers filed a class action lawsuit on behalf of affected customers, seeking 200 million Canadian dollars ($206 million). The claim says that the breach exposed customers to “theft of their identity, theft from their bank accounts, and theft from their debit and credit cards.” It also says that Honda failed to disclose the breach to customers “in a reasonable amount of time.”

Read more on InformationWeek.

I don’t expect that the lawsuit has much chance of prevailing, but there’s another interesting aspect to the breach mentioned in the news story:

Honda’s data breach apparently also puts the company in violation of Canadian law. “Data breaches like these underline the importance of one of the fundamental tenets of Canadian privacy law: that personal information shall be retained only as long as necessary to fulfill the purposes for which it was created or collected and, once no longer required, should be destroyed, erased, or made anonymous,” said David Elder, a lawyer at Ottawa-based law firm Stikeman Elliot, in a blog post.

For my ethical hackers. Don't assume hackers have no resources...

New MacDefender Defeats Apple Security Update

"Apple released a security update yesterday designed to rid Macs of the menacing MacDefender malware that has plagued users for nearly a month. But mere hours after the update, cyber-criminals released a new variant of the malware that easily defeated Apple's belated security efforts. That didn't take long."

For my Computer Security students. Create logs and actually review them – or you can say “We have no idea what data was accessed...”

Preliminary Thoughts about the HIPAA Accounting of Disclosures NPRM

By Dissent, May 31, 2011

Rebecca Herold comments on the HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act Notice of Proposed Rule Making (NPRM).


Logging access to ePHI has been around since the Security Rule went into effect. So, even though the original accounting for disclosures requirements did not include activities for TPO, CEs should theoretically already have the access/disclosure logging activities implemented. As should BAs after the HITECH rule went into effect. However, realistically, I doubt if more than 40% (and this is my own spit-wad estimation which is likely on the high side) actually have such logging in place. The Accounting of Disclosures NPRM is a wake-up call for CEs and BAs alike to get this portion of the Security Rule implemented. Once it is implemented, then creating easy-to-understand reports to show these accesses will be a matter of creating or updating existing applications that access ePHI. This could take some time to plan for and implement if starting from scratch.

Read Rebecca’s full commentary on Privacy Guidance.
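Rebecca's point is that the Security Rule already requires logging every access to ePHI, and the NPRM only asks covered entities to turn that log into a per-patient report. As an added example (mine, not hers, and not any vendor's product), here is the smallest version of that: an append-only access log where each entry is hash-chained to the previous one so a reviewer can tell if it was edited after the fact, a report function that answers "who looked at this patient's record, when, and why", and a check for entries with no recorded purpose, which are the ones a reviewer actually has to chase. The record fields, roles and purposes are assumptions for illustration.

```python
import hashlib
import json
from datetime import datetime


class EphiAccessLog:
    """Append-only, hash-chained log of accesses to electronic PHI."""

    GENESIS = "0" * 64  # 'previous hash' of the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON over every field except the hash itself.
        canon = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
        return hashlib.sha256(canon.encode()).hexdigest()

    def record(self, ts, actor, role, patient_id, action, purpose):
        """Append one access event; returns its hash."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"ts": ts, "actor": actor, "role": role, "patient_id": patient_id,
                 "action": action, "purpose": purpose, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; returns (True, count) or (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != self._digest(e):
                return False, i
            prev = e["hash"]
        return True, len(self.entries)

    def accounting_of_disclosures(self, patient_id, start, end):
        """Every access to one patient's record in [start, end], for the patient's report."""
        s, t = datetime.fromisoformat(start), datetime.fromisoformat(end)
        return [
            {"when": e["ts"], "who": e["actor"], "role": e["role"],
             "what": e["action"], "why": e["purpose"]}
            for e in self.entries
            if e["patient_id"] == patient_id and s <= datetime.fromisoformat(e["ts"]) <= t
        ]

    def needs_review(self):
        """Accesses logged without a usable purpose: the 'actually review them' queue."""
        return [e for e in self.entries if e["purpose"] in ("", "unspecified")]


def build_sample_log():
    """Constructed sample entries (assumed actors, roles and purposes)."""
    log = EphiAccessLog()
    log.record("2011-05-02T09:14:00", "dr.lee", "physician", "P-1001", "view_chart", "treatment")
    log.record("2011-05-02T09:20:00", "billing7", "billing", "P-1001", "export_claim", "payment")
    log.record("2011-05-03T13:02:00", "dr.lee", "physician", "P-2002", "view_chart", "treatment")
    log.record("2011-05-10T16:45:00", "temp_clerk", "admin", "P-1001", "view_chart", "unspecified")
    return log


def tamper(log, index, field, value):
    """Simulate someone editing a stored entry after the fact."""
    log.entries[index][field] = value


if __name__ == "__main__":
    log = build_sample_log()
    print("chain ok:", log.verify())
    for row in log.accounting_of_disclosures("P-1001", "2011-05-01T00:00:00", "2011-05-31T23:59:59"):
        print(row)
    tamper(log, 1, "purpose", "treatment")
    print("after tamper:", log.verify())
```

The report for P-1001 lists the physician, the billing export and the temp clerk's unexplained view, which is also the only entry in the review queue. Rewriting the billing entry's purpose breaks the chain at index 1, so the report can be shown to be what was originally logged. A real deployment would anchor the chain head somewhere the application cannot write (a separate log server or a signed daily digest), since an attacker who can rewrite the whole file can recompute every hash.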

Is this good parenting or parental spying? - Monitor What Children Do On Facebook

Aptly-titled Minor Monitor, it empowers parents to analyze all the interactions their children have on Facebook. These are presented via an interface that minimizes the time that would be spent looking for that very information on Facebook itself. Parents will be able to identify over-age friends, contacts with a low number of mutual friends and also offensive language and outright sexual references.

Accounts can be created for free, and the tracking process will start once the parent has linked the Facebook account of his child to his Minor Monitor account.

How will they enforce this? Son goes to friends home, enters password so they can watch “Transformers” for the 39th time, cops break down the door?

Tennessee Makes it Illegal To Share Your Netflix Password

"State lawmakers in Tennessee have passed a groundbreaking measure that would make it a crime to use a friend's login — even with permission — to listen to songs or watch movies from services such as Netflix or Rhapsody. The bill, which has been signed by the governor, was pushed by recording industry officials to try to stop the loss of billions of dollars to illegal music sharing. They hope other states will follow."

“Papers, Citizen! Then assume the position and allow us to welcome you to New York City.”

NYPD Stopped and Frisked Record Number of Innocent People during First Quarter of 2011

June 1, 2011 by Dissent

The NYPD stopped and interrogated more than 161,000 completely innocent New Yorkers in the first quarter of 2011, the highest number over a three-month period since the Police Department began reporting data on its troubling stop-and-frisk program.

About 88 percent of the 183,326 stop-and-frisk encounters recorded from January through March resulted in neither an arrest nor a summons, according to figures the NYPD released quietly over the holiday weekend. About 84 percent of those stopped by police were black or Latino.

Read more on ACLU’s blog.

This is similar to the adoption of mini-computers by accounting departments, personal computers (usually Macs) by marketing and a number of other technologies (PDAs, cell phones, etc.). As in each of these, normal 'due diligence' is ignored...

IT increasingly bypassed on cloud adoption

IT departments, long criticized as being too slow in offering new technologies and services, may be facing a grassroots rebellion in many companies over cloud services.

A new survey that looked at cloud adoption inside companies found that many business executives are bypassing IT altogether in adopting cloud services -- and they face few consequences for doing so.

Free is good! For the toolkit...

Free Premium Download: WonderFox DVD Ripper

We are honored to give our visitors an exclusive chance to download and enjoy WonderFox DVD Ripper for free. It’s a paid product, but it is being given away from June 1 to June 7, 2011. During this period, you can get the fully licensed software for free, without any functional limitations and without doing anything. Yes, you just need to download it!

WonderFox DVD Ripper is powerful, professional ripping software. It is an easy-to-use solution for ripping the content of DVDs to a wide range of mainstream video formats such as AVI, MPEG, MP4, MOV, FLV, WMV, 3GP etc. The WonderFox DVD ripping software is also a powerful DVD converter which supports converting DVDs for popular portable devices such as iPhone, iPad, iPod, Nokia N8, BlackBerry PlayBook, Motorola Xoom…

Dilbert elegantly explains “undue reliance” (For my Excel students too)

Wednesday, June 01, 2011

Who are these guys? They are not acting like a “mad genius teenager” nor are they doing what I'd expect hackers from say North Korea to try either...

Second Defense Contractor L-3 ‘Actively Targeted’ With RSA SecurID Hacks

An executive at defense giant L-3 Communications warned employees last month that hackers were targeting the company using inside information on the SecurID keyfob system freshly stolen from an acknowledged breach at RSA Security.

The L-3 attack makes the company the second hacker target linked to the RSA breach — both defense contractors. Reuters reported Friday that Lockheed Martin had suffered an intrusion.

“L-3 Communications has been actively targeted with penetration attacks leveraging the compromised information,” read an April 6 e-mail from an executive at L-3’s Stratus Group to the group’s 5,000 workers, one of whom shared the contents with on condition of anonymity.

The attacks come as the Pentagon is in the final stages of formalizing a doctrine for military operations in cyberspace, which will reportedly view cyberattacks that cause death or significant real-world disruption as the equivalent of an armed attack.

… Asked if the RSA intruders did gain the ability to clone SecurID keyfobs, RSA spokeswoman Helen Stefen said, “That’s not something we had commented on and probably never will.”

If the intruders have gained cloning ability, the implications could be far-reaching. SecurID is used by most federal agencies and Fortune 500 companies. As of 2009, RSA counted 40 million customers carrying SecurID hardware tokens, and another 250 million using software clients.

RSA has been privately briefing its customers about its intrusion, but only after placing them under nondisclosure agreements, and the company has shared few details with the public.

No seriously, we really mean it this time.

PlayStation Network should be fully restored by Friday

However, as the calendar of disruption moves towards six weeks, Sony claims the fully restored PSN service will be back online by Friday—except for those in Hong Kong, Japan and South Korea.

More pointedly, according to an official post from the PlayStation Blog, Sony has said any remaining services missing from the online network (i.e., PlayStation Store, Qriocity) will be up and running by the end of week.

More “Joys of a Data Breach”

Michaels Stores hit with 2nd suit seeking class-action status

May 31, 2011 by admin

Becky Yerak reports:

Michaels Stores Inc., which disclosed that its checkout-line PIN pads were tampered with in Illinois and 19 other states, has been hit with two lawsuits seeking class-action status by consumers alleging that the arts and crafts retailer failed to safeguard shoppers’ credit and debit card information and PIN numbers.

The latest lawsuit was filed Friday in U.S. District Court in the Northern District of Illinois by Libertyville resident Mary Allen, who said an $18.16 purchase at a Michaels in Vernon Hills on March 15 led to more than $1,000 in unauthorized transactions.

Read more in The Chicago Tribune.

Early notice. A quick Google News search shows only articles in German.

De: Hackers steal 1.2 million names and email addresses

May 31, 2011 by admin

Relying on Google’s translation is always risky, but here goes:

Spiegel Online appears to be reporting that hackers acquired 1.2 million names and email addresses of customers registered on, a mail order firm.

If anyone can provide a reliable translation, please use the comments section below to add any important details.

via @PrivaSens

Unprecedented? Has anyone ever classified a non-weapons attack as equivalent to a weapons attack? Earlier disruptive technologies include: The book, telegraph, telephone, radio, tv and microwave pizza.

May 31, 2011

WSJ - Pentagon Considers Cyberattacks as Acts of War

WSJ: "The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force. The Pentagon's first formal cyber strategy, unclassified portions of which are expected to become public next month, represents an early attempt to grapple with a changing world in which a hacker could pose as significant a threat to U.S. nuclear reactors, subways or pipelines as a hostile country's military. In part, the Pentagon intends its plan as a warning to potential adversaries of the consequences of attacking the U.S. in this way. "If you shut down our power grid, maybe we will put a missile down one of your smokestacks," said a military official. Recent attacks on the Pentagon's own systems—as well as the sabotaging of Iran's nuclear program via the Stuxnet computer worm—have given new urgency to U.S. efforts to develop a more formalized approach to cyber attacks. A key moment occurred in 2008, when at least one U.S. military computer system was penetrated. This weekend Lockheed Martin, a major military contractor, acknowledged that it had been the victim of an infiltration, while playing down its impact."

They're all probably guilty. This way they can prove their innocence...

FL: Scott signs law requiring drug testing for welfare recipients

June 1, 2011 by Dissent

Kathleen Haughney reports:

Thousands of the state’s poorest Floridians will have to take a drug test if they want to qualify for welfare assistance, under a law signed by Gov. Rick Scott Monday.

The idea, plugged by Scott and the GOP-dominated Legislature, is that drug tests will root out welfare recipients who are using public dollars to buy drugs. But Democrats and advocates for the poor say the requirement could violate individuals’ constitutional rights to privacy, and the American Civil Liberties Union is likely to challenge the law in court.

Read more in the Sun-Sentinel.

Probably not a “best practice” for a terrorist organization...

May 31, 2011

NPR: Al-Qaida's Paper Trail: A 'Treasure Trove' For U.S.

Dina Temple-Raston, NPR Counterterrorism Correspondent: "When U.S. commandos stormed Osama bin Laden's compound earlier this month, they spent much of their time on the ground shoving papers, CDs and thumb drives into huge document bags strung around their necks. That sweep was considered an integral part of the operation, and it confirmed what the intelligence community had long believed: that bin Laden was obsessive about documenting everything. From its earliest days, al-Qaida leaders insisted on receipts. If fighters were buying a car for an operation, or even disc drives and floppy disks for their computers, they were required to return to base with a precise accounting of everything they had spent. Experts say that was the influence of bin Laden. Before he became the ideological leader of al-Qaida, he got an undergraduate degree in economics and public administration. He clearly applied what he learned to the organization... More proof of its corporate structure: As odd as it sounds, al-Qaida had excellent HR benefits..."

“Oh come on! You don't actually believe that the government has to follow the law like regular people.” If Senator Udall knows what is going on, why not just tell us?

Unmasking “Secret Law”: New Demand for Answers About the Government’s Hidden Take on the Patriot Act

May 31, 2011 by Dissent

As I hoped, the ACLU has filed a FOIA request about the “secret” interpretation of the PATRIOT Act that Senators Wyden and Udall referred to during the renewal debate in Congress:

In the days before last week’s Patriot Act reauthorization vote, members of the Senate Intelligence Committee raised concerns — see here and here — about the way that the Justice Department has interpreted and used the Patriot Act’s Section 215, which is perhaps the most controversial of the provisions that Congress reauthorized. “When the American people find out how their government has secretly interpreted the Patriot Act,” Colorado Senator Mark Udall said, “they will be stunned and they will be angry.”

Today we filed a Freedom of Information Act (FOIA) request demanding that the Justice Department release information about the government’s use and interpretation of Section 215. We anticipate litigating the request.

Read more on ACLU’s Blog.

For my Disaster Recovery and Computer Security students... Shouldn't everyone in your company use a service like this? Might even want to start one myself...

Entrustet Ensures Your Digital Assets Are Smoothly Passed On After You Pass On

Most online companies are happy to close an account after death, but don’t want to get bogged down with the confusion involved in account succession. You can imagine how difficult it would be to ensure requests were real! But, not to worry. Entrustet gives us a way to get things under control from one single control point.

… If you think your online accounts aren’t assets, think again. What will happen to your domains? Where’s that Adsense money going? What about your PayPal account? What about your blog? How will your family update things to ensure your work now benefits them? Do you have lots of photos in Flickr? The half-finished novel backed up in Dropbox? How will your family have access to these?

Now, consider your options here. If you want to give someone access to an account after your death, how will you do it? Give them the password now? Write the password into your will (and update your will every time you change your password)? Keep a secret list with that password on it? None of these options are ideal — they all pose a current security threat and leave the plan vulnerable if you forget to update the password with them in time.

… Sign-up with Entrustet is free, meaning you can set things in motion without paying a cent. After verification, you can immediately begin to add your accounts to Entrustet, nominating what should occur with them after your death.

Note that Entrustet cannot control accounts which are covered by a regular will, such as bank accounts.

… You may choose a digital executor for your estate. This person will receive an email immediately notifying them of their role.

... If you already have a lawyer looking after your affairs, you may add their details to Entrustet, ensuring they can easily work together when the time comes. You should also ensure your lawyer knows about your plans with Entrustet and your digital executor.

If you don’t yet have a legal will, Entrustet can point you in the direction of some who understand digital estates. There’s also plenty of places online where you can ask legal questions for free and get an understanding of what you need to do.
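The objection above, that every option either hands out the password today or leaves it sitting in a will, has a standard engineering answer the article does not mention: split the secret so that no single holder can use it and only an agreed quorum can reconstruct it. The added example below (mine, not Entrustet's) is Shamir's secret sharing over a large prime field: a master password is split into five shares (say executor, lawyer, two relatives and a safe-deposit box) such that any three recover it and any two learn nothing. The passphrase is a constructed sample.

```python
import secrets

# A Mersenne prime large enough to hold a secret of up to 65 bytes.
PRIME = 2 ** 521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with the given coefficients (lowest degree first) at x mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret_int, n_shares, threshold):
    """Return n_shares (x, y) points; any `threshold` of them recover secret_int."""
    if not 0 <= secret_int < PRIME:
        raise ValueError("secret too large for the field")
    if not 1 <= threshold <= n_shares:
        raise ValueError("threshold must be between 1 and n_shares")
    # Constant term is the secret; the other threshold-1 coefficients are random.
    coeffs = [secret_int] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the supplied shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def password_to_int(pw: str) -> int:
    return int.from_bytes(pw.encode("utf-8"), "big")


def int_to_password(n: int) -> str:
    return n.to_bytes((n.bit_length() + 7) // 8, "big").decode("utf-8")


if __name__ == "__main__":
    pw = "hunter2-but-a-real-passphrase"        # constructed sample secret
    shares = split_secret(password_to_int(pw), n_shares=5, threshold=3)
    for x, y in shares:
        print(f"share {x}: {y:x}"[:40] + "...")
    print("3 shares:", int_to_password(recover_secret(shares[:3])))
    print("2 shares match:", recover_secret(shares[:2]) == password_to_int(pw))
```

Two caveats a practitioner would add. Rotating the password means re-splitting and redistributing every share, so in practice one shares a long-lived key that decrypts a password vault rather than the passwords themselves. And the shares need the same care as the will: a share photographed and emailed is a share the executor no longer controls.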

Tuesday, May 31, 2011

Imagine what a more subtle “false news story” might accomplish...

PBS Web Sites and Databases Hacked

"Late Sunday night, hackers gained access to several areas of PBS Web servers and were able to publish a fake news story on a PBS news blog. The group also published PBS internal user login information that they were able to siphon out of PBS databases. The fake story was about rapper Tupac Shakur, who died in 1996 after being shot in Las Vegas, being found alive and well in a small resort in New Zealand. A group going by the name of 'LulzSec' claimed responsibility for the hack, saying the attack was a protest against a PBS Frontline broadcast last week about WikiLeaks."

We never intended for the government to comply with the law – after all we just make rules, we don't follow them.

Conservative group accuses Education Dept of invading students’ privacy with new FERPA rules

May 30, 2011 by Dissent

Matthew Boyle reports:

A conservative non-profit is raising privacy concerns over a Department of Education (DoED) rule change that will allow for “personally identifiable information” about students to be shared with other government departments. Personally identifiable information that could potentially be shared includes hair color, blood type, family health history and students’ grades and other academic records.

The DoED rule changes are part of a reinterpretation of the Family Educational Rights and Privacy Act of 1974 (FERPA). The proposed changes have conservative group American Principles in Action (APIA) up in arms. APIA says they are a breach of students’ and families’ privacy rights.

Read more in The Daily Caller

The DOE’s proposal is not only in conflict with the intentions of FERPA, but the government appears actually stupid about data security issues if they think that appointing a Chief Privacy Officer is any protection. The DOE and states have all failed to ensure adequate data protection of student and employee personal and sensitive information and this is a nightmare waiting to happen.

[From the article:

“Under the proposed changes, students and parents would lose their right to prevent disclosure of personal information and, in most cases, would have no way of knowing that a disclosure has even been made,” APIA wrote in its official comment to the DoED in early May.

Gagging gossiping Twits may be as difficult as herding cats... Is “I heard it was Joe Blow” a gag order violation?

New Twitter breach as claims of celebrity gagging orders published

May 30, 2011 by Dissent

Paul Cahalan reports:

Lawyers and media specialists last night called on the courts to take action to enforce injunctions broken over the internet after another social media user purported to publish details of celebrity gagging orders.

A newly created Twitter account posted details of 13 alleged injunctions early yesterday morning, directing users to a website for further detailed information. After attracting more than 500 followers within the first 10 hours of publication, the tweets were removed, but Mark Stephens, a media lawyer who represents WikiLeaks’ founder Julian Assange, said the courts would now be compelled to act.

Read more in The Independent.

Interesting economic question: Another “too big to fail” problem? Would FdEx or UPS buy all or part of the Postal Service?

May 30, 2011

Commentary: The U.S. Postal Service Nears Collapse

Bloomberg BusinessWeek: "The USPS is a wondrous American creation. Six days a week it delivers an average of 563 million pieces of mail—40 percent of the entire world's volume. For the price of a 44¢ stamp, you can mail a letter anywhere within the nation's borders... If your recipient can no longer be found, the USPS will return it at no extra charge. It may be the greatest bargain on earth. It takes an enormous organization to carry out such a mission. The USPS has 571,566 full-time workers, making it the country's second-largest civilian employer after Wal-Mart Stores (WMT). It has 31,871 post offices, more than the combined domestic retail outlets of Wal-Mart, Starbucks (SBUX), and McDonald's (MCD). Last year its revenues were $67 billion, and its expenses were even greater. Postal service executives proudly note that if it were a private company, it would be No. 29 on the Fortune 500. The problems of the USPS are just as big. It relies on first-class mail to fund most of its operations, but first-class mail volume is steadily declining—in 2005 it fell below junk mail for the first time. This was a significant milestone. The USPS needs three pieces of junk mail to replace the profit of a vanished stamp-bearing letter. During the real estate boom, a surge in junk mail papered over the unraveling of the postal service's longtime business plan. Banks flooded mailboxes with subprime mortgage offers and credit-card come-ons. Then came the recession. Total mail volume plunged 20 percent from 2006 to 2010. Since 2007 the USPS has been unable to cover its annual budget, 80 percent of which goes to salaries and benefits. In contrast, 43 percent of FedEx's (FDX) budget and 61 percent of United Parcel Service's (UPS) pay go to employee-related expenses. Perhaps it's not surprising that the postal service's two primary rivals are more nimble. According to SJ Consulting Group, the USPS has more than a 15 percent share of the American express and ground-shipping market. FedEx has 32 percent, UPS 53 percent. The USPS has stayed afloat by borrowing $12 billion from the U.S. Treasury. This year it will reach its statutory debt limit. After that, insolvency looms."

It's good to see that once again the EU has the answer to “Life, the Universe and Everything.”

May 30, 2011

EU Commission sets out "blueprint" for Intellectual Property Rights to boost creativity and innovation

EUROPA press release: "Intellectual property rights (IPR), which comprise patents, trademarks, designs and geographical indications, as well as copyright (authors' rights) and rights related to copyright (for performers, producers and broadcasters), have been around for centuries. Often, without our even realising, they affect our daily lives: they protect the technology we use (cars, mobile phones, trains), the food we eat and the music we listen to or the films we watch. But in the last few years, technological change and, in particular, the growing importance of online activities, have completely changed the world in which IPR operate. The existing mix of European and national rules are no longer adapted and need to be modernised. That is why the Commission has adopted today a comprehensive strategy to revamp the legal framework in which IPR operate. Our objective is to enable inventors, creators, users and consumers to adapt to the new circumstances and to enhance new business opportunities. The new rules will strike the right balance between promoting creation and innovation, in part by ensuring reward and investment for creators and, on the other hand, promoting the widest possible access to goods and services protected by IPR. Getting this balance right will make a real difference to businesses (from the individual artist working alone to the big pharmaceutical companies) by encouraging investment in innovation. This will benefit the EU's growth and competitiveness which is delivered through the single market. Consumers will benefit from wider and easier access to information and cultural content, for example online music. The strategy deals with many issues to ensure IPR are covered comprehensively - from the patent a business needs to protect an invention to tackling the misuse of such inventions via a proposal also adopted today which will strengthen action on counterfeiting and piracy. Among the first deliverables of this IPR overall strategy are today's proposals for an easier licensing system for so-called "orphan works" that will allow many cultural works to be accessible online, and for a new regulation to reinforce customs actions in fighting trade of IPR infringing goods."

(Related) Another opinion?

Patch For The Witcher 2 Removes DRM Shortly After Release

"A little over a week after its release, The Witcher 2 is getting its first patch, and with it all versions of the game will now be DRM free. 'Our approach to countering piracy is to incorporate superior value in the legal version,' explained development director Adam Badowski. 'This means it has to be superior in every respect: less troublesome to use and install, with full support, and with access to additional content and services. So, we felt keeping the DRM would mainly hurt our legitimate users. This is completely in line with what we said before the release of The Witcher 2. We felt DRM was necessary to prevent the game being pirated and leaked before release.'"

Not hard to imagine NASA in the Cloud...

May 30, 2011

NASA First Federal Agency to Launch Platform Using Slideshare

Federal Computer Week: "NASA is the first federal agency to venture into creating an aggregation network on the SlideShare Web platform, officials announced May 16. The NASA Universe network that started May 16 on SlideShare provides links to the agency’s videos, slide presentations and other documents shared from SlideShare channels sponsored by NASA headquarters and its 10 field centers. NASA Universe takes advantage of the new aggregation network technology, which SlideShare recently established and currently customizes for a handful of clients, including NASA, IBM and Dell. The SlideShare networks automatically and continuously aggregate content from many channels. NASA headquarters and the field centers each has its own channel on the site feeding documents into NASA Universe."

How could I not pass this valuable tool on to my students?

May 29, 2011

GovSpeak A Guide to Government Acronyms & Abbreviations

GovSpeak - A Guide to Government Acronyms & Abbreviations: "This guide lists acronyms and abbreviations commonly used by the United States federal government. Each acronym is defined and links to the home page (or best alternative) of the identified department, agency, office, program or publication. While Appendix A of the U.S. Government Manual provided the foundation of GovSpeak, this expanded list includes hundreds of acronyms not included in that publication; most have been discovered by manual reviews of department websites. Links are checked and updated monthly."

If it's not important for me to socialize with you, I won't. I can only tolerate so many Twits...

Human Brain Places Limit On Twitter Friends

"Back in early '90s, British anthropologist Robin Dunbar began studying human social groups, measuring the number of people an individual can maintain regular contact with, and came up with 150 — a number that appears to be constant throughout human history — from the size of neolithic villages to military units to 20th century contact books. But in the last decade, social networking technology has had a profound influence on the way people connect, vastly increasing the ease with which we can communicate with and follow others, so it's not uncommon for tweeters to follow and be followed by thousands of others. Now Bruno Goncalves has studied the network of links created by three million Twitter users over four years. After counting tweets that are mutual and regular as signifying a significant social bond, he found that when people start tweeting, their number of friends increases to a saturation point until they become overwhelmed. Beyond that saturation point, the conversations with less important contacts start to become less frequent and the tweeters begin to concentrate on the people they have the strongest links with. So what is the saturation point? The answer is between 100 and 200, just as Dunbar predicts. 'This finding suggests that even though modern social networks help us to log all the people with whom we meet and interact,' says Goncalves, 'they are unable to overcome the biological and physical constraints that limit stable social relations (PDF).'"

An interesting research tool: A system like Google Trends but in reverse...

May 30, 2011

Google: Find searches that correlate with real-world data

Official Google Blog - Mining patterns in search data with Google Correlate: "...[Using] Google Correlate, which we’re launching today on Google, you can upload your own data series and see a list of search terms whose popularity best corresponds with that real world trend. In the example below, we uploaded official flu activity data from the U.S. CDC over the last several years and found that people search for terms like [cold or flu] in a similar pattern to actual flu rates. Finding out these correlated terms is how we built Google Flu Trends.

  • We encourage you to read our white paper describing the methodology behind Google Correlate