Saturday, August 27, 2011

First, think up a way to coordinate hundreds (thousands?) of simultaneous withdrawals. Second, see if anyone bothers to come up with a security “fix” to keep it from happening, and when they don't... Third, DO IT AGAIN!

Coordinated, Global ATM Heist Nets $13 Million

"An international cybercrime gang stole $13 million from a Florida-based financial institution earlier this year, by executing a highly-coordinated heist in which thieves used ATMs around the globe to cash out stolen prepaid debit cards. 'Prepaid cards usually limit the amounts that cardholders can withdraw from a cash machine within a 24 hour period. Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained. The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine.' The attack is eerily similar to the 2008 attack on RBS WorldPay that stole $9.4M. The men who pleaded guilty to the RBS attack were arrested and charged in Russia, but were later given only probation."
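Detection logic an issuer could run over its own authorization log to catch the pattern described above: the 24-hour limit is enforced server-side regardless of what the (possibly tampered) card profile says, withdrawals on one card from different countries minutes apart are flagged, and a cross-card burst spanning several countries is flagged as a coordinated cash-out. This is an added example, not code from the article or the affected institution; the log format, field names and thresholds are assumptions, and the records are constructed.

```python
"""Heuristics for spotting a coordinated ATM cash-out in an issuer's log.

Added example, not from the article. The 'ts key=value ...' log format,
the field names and the thresholds are assumptions; records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DAILY_LIMIT = 1000                    # assumed per-card 24-hour cap, applied here, not read from the card record
TRAVEL_WINDOW = timedelta(hours=1)    # two countries inside this window is physically implausible
BURST_WINDOW = timedelta(minutes=10)  # window for the cross-card spike check
BURST_COUNT = 4                       # assumed baseline: this many withdrawals per window is abnormal

# Constructed sample records (not real data): one cloned card cashed out across
# four countries in five minutes, plus one ordinary card for contrast.
SAMPLE_LOG = """\
2011-02-27T23:58:10Z card=4111-22 atm=US-MIA-014 country=US amount=300
2011-02-28T00:01:42Z card=4111-22 atm=RU-MOW-201 country=RU amount=500
2011-02-28T00:02:05Z card=4111-22 atm=UA-KBP-077 country=UA amount=500
2011-02-28T00:03:11Z card=4111-22 atm=GB-LON-310 country=GB amount=500
2011-02-28T00:04:30Z card=5555-09 atm=US-NYC-022 country=US amount=200
2011-02-28T06:40:00Z card=5555-09 atm=US-NYC-022 country=US amount=200
"""


def parse_log(text):
    """Parse 'ts key=value ...' lines into dicts, sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        rec["amount"] = int(rec["amount"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def rolling_limit_alerts(records, limit=DAILY_LIMIT):
    """Flag a card once its withdrawals over any trailing 24 hours exceed `limit`.

    The cap lives in this check, not in the card profile, so raising or
    removing the limit on the card record does not switch the check off.
    """
    alerts = []
    by_card = defaultdict(list)
    for r in records:
        by_card[r["card"]].append(r)
    for card, txs in by_card.items():
        window, total = [], 0
        for tx in txs:
            window.append(tx)
            total += tx["amount"]
            while tx["ts"] - window[0]["ts"] > timedelta(hours=24):
                total -= window.pop(0)["amount"]
            if total > limit:
                alerts.append(("limit_exceeded", card, tx["ts"], total))
                break  # one alert per card is enough to trigger a block
    return alerts


def impossible_travel_alerts(records, window=TRAVEL_WINDOW):
    """Flag consecutive withdrawals on one card from different countries within `window`."""
    alerts = []
    last = {}
    for r in records:
        prev = last.get(r["card"])
        if prev and prev["country"] != r["country"] and r["ts"] - prev["ts"] <= window:
            alerts.append(("impossible_travel", r["card"], r["ts"], f"{prev['country']}->{r['country']}"))
        last[r["card"]] = r
    return alerts


def burst_alerts(records, window=BURST_WINDOW, threshold=BURST_COUNT):
    """Flag a spike of withdrawals across all cards inside `window` that also
    spans several countries: the 'simultaneous withdrawals' pattern itself."""
    alerts = []
    recent = []
    for r in records:
        recent.append(r)
        while r["ts"] - recent[0]["ts"] > window:
            recent.pop(0)
        countries = {x["country"] for x in recent}
        if len(recent) >= threshold and len(countries) >= 3:
            alerts.append(("coordinated_burst", None, r["ts"],
                           f"{len(recent)} withdrawals in {len(countries)} countries"))
            break
    return alerts


def analyse(text):
    """Run all three checks over a log and return the combined alert list."""
    records = parse_log(text)
    return rolling_limit_alerts(records) + impossible_travel_alerts(records) + burst_alerts(records)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```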

Wednesday, they “strongly suspected” that data was accessed. If it turns out there was Identity Theft, this will make them look rather bad. Would it come back to bite them in future lawsuits?

(update) ME: Voter database breach came from Millinocket, no information compromised

August 27, 2011 by admin

Eric Russell updates a report on a breach involving the Maine voter database:

The Secretary of State’s Office said Thursday that it appears no personal information was compromised during a potential security breach of Maine’s Central Voter Registration database.

The apparent breach was the result of malware — or malicious computer software — found on a workstation computer in the town clerk’s office in the northern Penobscot County town of Millinocket.

Read more on Bangor Daily News.

“It can't happen here!” “Why spend the money before we need it?” Perhaps there is a market for consultants with a plan and the resources to execute it?

Few e-retailers are prepared to notify consumers of a loss of card data

August 27, 2011 by admin

Don Davis writes:

Only 21% of online retailers are prepared to notify consumers in the event of a data breach that exposes cardholder data, according to a new survey sponsored by insurance agency Jacobson, Goldfarb & Scott Inc.

61% of the 300 e-retailers surveyed said they were not prepared to notify consumers and 18% were not sure.

Read more on Internet Retailer.

A project for my Computer Security geeks...

Protecting a Laptop From Sophisticated Attacks

mike_cardwell sends in a detailed writeup of how he went about protecting a Ubuntu laptop from attacks of varying levels of sophistication, covering disk encryption, defense against cold boot attacks, and even simple smash-and-grabs. (He also acknowledges that no defense is perfect, and the xkcd password extraction tool would still work.) Quoting:

"An attacker with access to the online machine could simply hard reboot the machine from a USB stick or CD containing msramdmp to grab a copy of the RAM. You could password protect the BIOS and disable booting from anything other than the hard drive, but that still doesn't protect you. An attacker could cool the RAM, remove it from the running machine, place it in a second machine and boot from that instead. The first defense I used against this attack is procedure based. I shut down the machine when it's not in use. My old Macbook was hardly ever shut down, and lived in suspend to RAM mode when not in use. The second defense I used is far more interesting. I use something called TRESOR. TRESOR is an implementation of AES as a cipher kernel module which stores the keys in the CPU debug registers, and which handles all of the crypto operations directly on the CPU, in a way which prevents the key from ever entering RAM. The laptop I purchased works perfectly with TRESOR as it contains a Core i5 processor which has the AES-NI instruction set."

A summary of bad things that could happen to you!

August 25, 2011

Symantec Intelligence Report - August 2011

"Symantec Corp. announced the results of the August 2011 Symantec Intelligence Report, now combining the best research and analysis from the MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. This month’s analysis reveals that once more spammers are seeking to benefit from fluctuations in the turbulent financial markets, most notably by sending large volumes of spam relating to certain “pink sheets” stocks in an attempt to “pump” the value of these stocks before “dumping” them at a profit. In a pump-and-dump stock scam, spammers promote certain stocks in order to inflate the price as much as possible so that they may then be sold before their valuation crashes back to reality. The spam for these scams tries to convince the prospective mark that the penny stock is actually worth more than its valuation, or that it will soon skyrocket. Most of these claims are either misleading or false. A successful pump-and-dump spam campaign will artificially drive up the price of the stock to a point where the scammers decide to sell their shares. This usually coincides with them ending the spam campaign, which in turn reduces the interest in the stock, helping to drive its valuation back to the original low price."

If we could only get someone to read it!

August 25, 2011

ACLU Guide to New Facebook Privacy Controls

"August 25, 2011 - Facebook is rolling out a series of changes to its privacy controls. We reviewed the changes in detail on Tuesday; now here’s how you can take advantage of these changes.

  • "Turn On “Profile Review” - One of the biggest changes to Facebook’s privacy controls is the option to review any content you’re tagged in (including photos, Places, and more) before that content is fed into your news feed. You can also review any tags that are added to photos or other content that you post yourself...."

Sounds more like a carrot.

Apple Puts $383 Million Handcuffs On CEO Tim Cook

"There are bonuses. And then there are bonuses. Apple's board, led by sadly frail-looking chairman Steve Jobs, signaled its long-term confidence in Tim Cook as the company's new leader, disclosing in a regulatory filing that it's awarding the new CEO one million restricted stock units that will vest over the next decade. Apple shares closed at $383.53 Friday. From the SEC filing: 'In connection with Mr. Cook's appointment as Chief Executive Officer, the Board awarded Mr. Cook 1,000,000 restricted stock units. Fifty percent of the restricted stock units are scheduled to vest on each of August 24, 2016 and August 24, 2021, subject to Mr. Cook's continued employment with Apple through each such date.'"

When I say there is a lot of data out there, I mean a LOT of data....

IBM Assembles Record 120-Petabyte Storage Array

How did they do it? Well, the easy part was plugging in the 200,000 individual hard drives that make up the array. The racks are extra-dense with units, and need water cooling, but beyond that the hardware is fairly straightforward.

The problems come when you start having to actually index this space. Some filesystems have trouble with single files above 4 GB or so, and some can’t handle single drives larger than around 3 TB. This is because they just weren’t designed to be able to track so many files over so large a space. Imagine if your job was to name everyone in the world a different name — it’s easy at first, but after a billion or so you start running out of permutations. It’s the same way with file systems, though modern ones are much more forward-looking in their design, and I doubt you’ll have that problem again — unless you’re IBM Research.

120 petabytes of storage is an insane amount, eight times larger than the 15 PB arrays already out there, and they already had to deal with address space issues. In IBM’s huge array, tracking the location and calling data for its files takes up fully 2 PB of its own space. You’d need a next-generation file index just to index the index!

Just because you decide to get out of the business does not mean you turn off the production line. Best Buy had a mere 200,000 – imagine how many are in the pipeline! Will they still be $99? (Is that enough above cost to make continued production possible?)

HP TouchPads Slated For Return To Best Buy?

It was widely reported that Best Buy was sitting on over 200,000 TouchPads before HP enacted their drastic price cut, but the fire sale has come and gone, and that would normally be that. Instead, a notice in Best Buy’s Employee Toolkit system shows that their contentious relationship with the TouchPad may not be over just yet.

The image, sent to Droid Matters by a Best Buy insider, indicates that Best Buy stores will once again begin to receive TouchPad shipments.

(Related) Perhaps the Chinese would be interested?

Samsung Says It Won’t Buy HP’s PC Business, Making Spinoff More Likely

Dilbert has a cartoon to paste on every printer...

Friday, August 26, 2011

Sort of a “How To” (and a “how easy to”) for my Ethical Hackers

Was This the Phishing E-mail That Took Down RSA?

"'I forward this file to you for review. Please open and view it.' As a ploy to get a hapless EMC recruiter to open up a booby-trapped Excel spreadsheet, it may not be the most sophisticated piece of work. But researchers at F-Secure believe that it was enough to break into one of the most respected computer security companies on the planet, and a first step in a complex attack that ultimately threatened the security of major U.S. defense contractors including Lockheed Martin, L-3, and Northrop Grumman. The e-mail was sent on March 3 and uploaded to VirusTotal, a free service used to scan suspicious messages, on March 19, two days after RSA went public with the news that it had been hacked in one of the worst security breaches ever."

A look at “Terms of Service” and what we trade to use the Internet...

3 Ways You’ve Sold Your Soul To The Internet

Facebook Owns Your Image

Twitter Borrows Your Thoughts

Google Knows Where You Are

Logic overrules “wishful thinking?”

August 25, 2011

EPIC - Federal Judge: Locational Data Protected Under Fourth Amendment

"A Federal judge has ruled that law enforcement officers must have a warrant to access cell phone locational data. Courts are divided regarding whether or not this type of data should be protected by a warrant requirement. Judge Garaufis of the Eastern District of New York, found that "The fiction that the vast majority of the American population consents to warrantless government access to the records of a significant share of their movements by 'choosing' to carry a cell phone must be rejected… In light of drastic developments in technology, the Fourth Amendment doctrine must evolve to preserve cell-phone user's reasonable expectation of privacy in cumulative cell-site-location records." EPIC has filed amicus briefs in several related cases. For more information see: EPIC: Commonwealth v. Connolly, EPIC: US v. Jones, and EPIC: Locational Privacy."

Too much privacy?

Providence police, hospitals at odds in medical privacy debate

By Dissent, August 24, 2011

Amanda Milkovits has a great report on the thorny intersection between law enforcement, state medical privacy laws, and HIPAA:

A judge in a murder trial in June wanted to see the medical records of a woman whose husband was charged with killing her.

Rhode Island Hospital’s records department rejected the court order – and answered the subsequent subpoena by saying the law allowed 20 days to respond.

A Providence detective investigating an alleged murder requested the medical records of the victim, who died at Rhode Island Hospital. In his request for the records in March 2010 – nearly two years after the death – the detective included a copy of the victim’s death certificate, plus two signed releases from the man’s father and adult son.

Rhode Island Hospital refused.

In March, the Providence police wanted to know if a man who’d been shot was still alive, before the suspect accused of shooting him was released on bail. If the victim was dead, the suspect would be held for murder.

Rhode Island Hospital wouldn’t say whether the wounded man existed.


“Gee Mom, everyone else is doing it!”

Cybercrime Treaty Pushes Surveillance Worldwide

"As part of an emerging international trend to try to 'civilize the Internet', one of the world's worst Internet law treaties — the highly controversial Council of Europe (CoE) Convention on Cybercrime — is back on the agenda. Canada and Australia are using the Treaty to introduce new invasive, online surveillance laws, many of which go far beyond the Convention's intended levels of intrusiveness. Negotiated over a decade ago, only 31 of its 47 signatories have ratified it. Many considered the Treaty to be dormant but in recent years a number of countries have been modeling national laws based on the flawed Treaty. Leaving out constitutional safeguards, gag orders in place of oversight, and forcing service providers to retain your data may all be coming soon."

Interesting if it forces law enforcement to trace actors through an anonymous relay rather than seize everything in hopes of figuring it out later...

The EFF Reflects On ICE Seizing a Tor Exit Node

"Marcia Hofmann, senior staff attorney at the EFF, gives more information on the first known seizure of equipment in the U.S. due to a warrant executed against a private individual running a Tor exit node. 'This spring, agents from Immigration and Customs Enforcement (ICE) executed a search warrant at the home of Nolan King and seized six computer hard drives in connection with a criminal investigation. The warrant was issued on the basis of an Internet Protocol (IP) address that traced back to an account connected to Mr. King's home, where he was operating a Tor exit relay.' The EFF was able to get Mr King's equipment returned, and Marcia points out that 'While we think it's important to let the public know about this unfortunate event, it doesn't change our belief that running a Tor exit relay is legal.' She also links to the EFF's Tor Legal FAQ. This brings up an interesting dichotomy in my mind, concerning protecting yourself from the Big digital Brother: Running an open Wi-Fi hotspot, or Tor exit node, would make you both more likely to be investigated, and less likely to be convicted, of any cyber crimes."

Proving once again that one shouldn't make plans in advance of the facts...

Twitter study casts doubts on ministers' post-riots plan

A preliminary study of a database of riot-related tweets, compiled by the Guardian, appears to show Twitter was mainly used to react to riots and looting.

Timing trends drawn from the data question the assumption that Twitter played a widespread role in inciting the violence in advance, an accusation also levelled at the rival social networks Facebook and BlackBerry Messenger.

The unique database contains tweets about the riots sent throughout the disorder, which began in Tottenham, north London, on 6 August. It also reveals how extensively Twitter was used to co-ordinate a movement by citizens to clean the streets after the disorder. More than 206,000 tweets – 8% of the total – related to attempts to clean up the debris left by four nights of rioting and looting.

Amid a growing censorship row, government sources said the home secretary did not expect to discuss closing social networks, but wanted to explore what measures the companies could take to help contain future disorder, including how law enforcement agencies can use the sites more effectively.

David Cameron had previously indicated he would contemplate more restrictive measures. The day after the riots subsided, the prime minister told parliament the government was looking at banning people from using sites such as Twitter and Facebook if they were thought to be plotting criminal activity. Cameron said the government would do "whatever it takes" to restore order, adding that a review was under way to establish whether it would be right to attempt to prevent rioters from using social networks. He said he had also asked police if they needed new powers.

The Metropolitan police later revealed it had considered switching off social networks during the disorder in London, but had decided not to on legal advice.

What makes email the “official” means of communication?

Student misses e-mail, loses college place

As CBS 5 in San Jose describes it, Kim turned up for freshman orientation, only to find it utterly disorientating. For he was told he had been un-enrolled from the school.

The school had originally sent him an e-mail telling him to disregard all communication about his placement tests. Then it sent him an e-mail about, um, placement tests that happened to mention a problem with his, well, placement test.

Kim admits that he had stopped checking e-mails from the school because they had all seemed unimportant. But he says he had been told to ignore e-mails about placement tests. (And CBS 5 saw the evidence.)

The school told CBS 5 that it expects students to be responsible for checking e-mails.

Enough to make a geek giggle.

Timeline of the Rise of Data

When Wolfram Research set out to build Wolfram Alpha, they set out to make all knowledge computable. Last week they published a Timeline of Systematic Data and the Development of Computable Knowledge.

You can interact with the timeline online, but far cooler (I think) will be hanging the 5-foot poster of the timeline ($7.25 + shipping) that links data and computable knowledge with history, science, and culture on the walls of our Math ELITEs.

The blog post about the timeline is pretty interesting too, discussing which civilizations have tracked the most data.

Thursday, August 25, 2011

I can see we're already looking forward to the 2012 election...

Maine voter registration system breached

August 24, 2011 by admin

Kevin Miller reports:

The Maine Secretary of State’s Office said Wednesday it is investigating a potential security breach in the computer system that contains records on Maine’s registered voters.

The state was notified [i.e. They hadn't noticed... Bob] Wednesday afternoon by the cybersecurity monitoring arm of the U.S. Department of Homeland Security that Maine’s Central Voter Registration system had been compromised. The breach was detected as part of a regular security check. [By DHS? Bob]

Maine Secretary of State Charlie Summers said a computer in an undisclosed town office apparently had been infected by malicious software — commonly known as malware — that may have then infected the centralized data system.

“I am in the process of assessing what, if any, information has been compromised,” Summers said in a statement released Wednesday afternoon. “I have taken immediate action to shut this computer down and disable the username and password assigned to the town clerk.”

The Central Voter Registration system, or CVR, contains personal information on registered voters including names, addresses, dates of birth and, in some cases, driver’s license numbers. The system does not contain Social Security numbers, Summers said in an interview Wednesday.

Read more on Bangor Daily News.

[From the article:

Summers said they strongly suspect that some information was accessed, however.

“We just don’t know how much or the size” of the breach, he said.


iSpeech app puts your words in Obama's mouth

Text-to-speech company iSpeech has released a pair of smartphone apps that tap the actual voices of President Barack Obama and former President George W. Bush to allow you to convert any text into audio that's a dead ringer for the president or former president.

Revenue at any cost?

NYC Mayor Wants Traffic Camera On Every Corner

"New York City Mayor Michael Bloomberg has made it clear that he wants to see more traffic light cameras in the Big Apple, saying that he'd have the devices on every street corner if possible. According to The New York Daily News, the city brought in $52 million in fines generated by red light cameras last year alone. Bloomberg doesn't just want a jump in the number of cameras, however. He also wants to publish the names of those who blow through the stop lights in local papers to help shame wrongdoers into changing their ways. What's more, the mayor wants to look into the possibility of adding speed cameras to the mix. Big brother is coming to NYC."

More fodder in the “What should we tell them and when” debate...

Illinois Amends Breach Notice Law to Specify Notice Content, Cooperation

August 24, 2011 by admin

Brendon Tavelli writes:

On August 22, Illinois Governor Pat Quinn signed House Bill 3025 into law. In doing so, he aligned Illinois with a small group of states responding to increased concern about privacy and information security by retooling their existing information security breach notification frameworks. HB3025, in particular, amends the state’s breach notification law to specify both the types of information that should be provided to notice recipients and the breach notice obligations of service providers that maintain or store, but don’t own or license, personal information about Illinois residents.

Read more on Proskauer’s Privacy Law Blog.

If I’m reading the “shall not” provisions of the law correctly (and I may not be), it appears that the entities are not allowed to reveal to those affected how many Illinois residents were affected by the breach. Why prohibit them from revealing that? Or am I reading the law incorrectly?

Interesting. I'll need to increase the number of times I tell my students to “Google it!” (and perhaps explain more about HOW to Google it.)

August 24, 2011

Commentary: Accessibility vs. access: How the rhetoric of “rare” is changing in the age of information abundance

Accessibility vs. access: How the rhetoric of “rare” is changing in the age of information abundance by Maria Popova.

  • "Over the past few years, the fledgling field of the digital humanities has made significant strides with a number of ambitious digitization projects bringing online rare cultural artifacts — manuscripts, canvases, celluloid, marginalia — that used to rot away in institutional archives. But while these efforts, both government-subsidized and privately initiated, may have made a wealth of information accessible, it’s an entirely different story to ask how many people these materials have reached — how many people have actually gained access to them — and it’s one that harks back to the shifting relationship between scarcity and value... Historically, the two main types of obstacles to information discovery have been barriers of awareness, which encompass all the information we can’t access because we simply don’t know about its existence in the first place, and barriers of accessibility, which refer to the information we do know is out there but remains outside of our practical, infrastructural or legal reach. What the digital convergence has done is solve the latter, by bringing much previously inaccessible information into the public domain, made the former worse in the process, by increasing the net amount of information available to us and thus creating a wealth of information we can’t humanly be aware of due to our cognitive and temporal limitations, and added a third barrier — a barrier of motivation."


August 24, 2011

The 1000 most-visited sites on the web - according to Google

Google Doubleclick Ad Planner - "You can see a list of the largest 1000 sites worldwide, based on Unique Visitors (users), as measured by Ad Planner. This list is updated monthly as new Ad Planner datasets are released. The list defines sites as top-level domains. For each site on the list, you'll be able to see: The site category; Unique Visitors (users); Page Views; Whether the site has ads."

Wednesday, August 24, 2011

That's $1.6 million to educate the school board, not the students.

Another webcam claim settled in Lower Merion

August 24, 2011 by Dissent

John P. Martin reports:

The Lower Merion School District has agreed to pay $10,000 to a teen secretly recorded by his school-issued laptop, the fourth settlement with a student since the webcam scandal broke last year.

The school board approved the payout at its meeting Monday night, spokesman Doug Young said.

Lower Merion paid more than $1.6 million last year to litigate and settle allegations that it spied on students through webcams on the laptops it gave to each of its nearly 2,300 high school students.


Just keeping score...

Keeping up with the hackers (chart)

To see the whole chart on one page click here.

True, Google does this. At least their computers do. So, if no human reads your mail, is there a violation?

Google Sued in Massachusetts for Scanning Emails Sent To Gmail Account

August 24, 2011 by Dissent

Lisa Branco writes about a lawsuit that may be interesting to follow:

A Massachusetts woman filed a class action suit in Mass. state court against Google on July 29, alleging that Google violated Massachusetts’ wiretap law by scanning messages she sent from her AOL account to recipients’ Gmail accounts. Massachusetts is one of several states that require all parties to give their consent to the interception or recording of communications (unlike federal law and the laws in a majority of states, which only require consent from one party to the communication). MGL Ch. 272 § 99(B)(4); § 99(C)(1).

Read more on Law Across the Wire and Into the Cloud

TSA (like all bureaucracies) wants to expand their scope... And they have the technology to do it. (Granted, this is a bit of a rant, but perhaps that is what we need to make the point.)

Future TSA: Track All ‘Daily Travels To Work, Grocery Stores & Social Events’

August 24, 2011 by Dissent

Ms. Smith writes:

While the TSA can’t explain why invasive patdowns without probable cause are legal, that isn’t stopping TSA from future plans to track all your daily travels, anywhere you go, from work, to stores, or even when you go out to play.

Read more on Network World.

If I was the suspicious type: “In case of an emergency, we need the names of those we intend to leave behind...”

AU: Safety database raises privacy concerns

August 23, 2011 by Dissent

Meagan Weymes reports:

Vulnerable Whittlesea residents will be added to a contact list to be shared between emergency agencies in a move privacy advocates have labelled “deeply concerning”.

Councils have been urged to seek advice from the privacy commissioner about establishing the database.

The Victorian Bushfires Royal Commission recommended in 2009 that elderly, frail, disabled or otherwise vulnerable people should be added to a list for police to access in an emergency situation.

Read more on Northern Weekly.

Because our students don't all have the same software...

10 Best Online Tools For Converting Documents

[Particularly handy: DOCX to DOC Convert Office10 Word files to use on earlier versions...

Tuesday, August 23, 2011

Interesting questions...

(follow-up) TX Comptroller’s breach: few sign up for credit monitoring

Barry Harrell has a follow-up on the Texas Comptroller’s breach that affected 3.5 million Texans.

I was interested to read that 100,000 people signed up for the offered credit protection monitoring, which is less than 3% of those offered it – at a cost to the state of $600,480. The state had originally offered those affected a discounted rate for credit monitoring services, but following public protest and media attention, changed the offer to free services.

That only a minority of people take advantage of offers to sign up for free credit monitoring is not new, but it’s somewhat mind-boggling to me that less than 3% of people informed that their information was available on the web for over a year took advantage of the offer. Is it that people are too lazy or disorganized to sign up, or that they don’t really believe they could be at risk, or what?

If studies show that consumers are concerned about ID theft or fraud but consumers don’t avail themselves of offered protections or free services, some might argue that federal law should be revised to allow the entities to enroll those affected in such services on their behalf. Readers may remember how Experian sued Lifelock to block them from placing fraud alerts as agents of the individuals. There was talk at the time of how the Fair Credit Reporting Act might at some point be revisited, but nothing ever happened.

I do not believe that breached entities should be able to sign individuals up for services they neither request nor want, and I realize that some might argue that the state wasted $600,000 for services that were not really needed since there has been no evidence of fraud (at least not yet).

But where do we go from here? Should we be encouraging people to sign up for such services when they are offered? If so, what do we need to do in terms of public awareness and education?

As I thought, there is a better way to track browsers...

Zombie Cookies Just Won't Die

"Microsoft embarrassed itself last week when it got caught using 'zombie cookies' — a form of tracking cookies that users can't delete, as they come back to life after you've 'killed' them. Microsoft says it'll stop the 'aberrant' practice. But Woody Leonhard says you ain't seen nothing yet. It turns out HTML5 offers a technical mechanism to give zombie cookies a new lease on life — and the Web browsers' private-browsing features can't stop them."

Lack of access increases piracy, therefore access should decrease piracy, right? “I want it NOW!”

Delay On Hulu Availability More Than Doubles Piracy Of Fox Shows

A week ago, Fox changed its licensing rules so that non-paying users of Hulu would be unable to watch new episodes of their shows until eight days after their air date. Put on your analyst hat and think about what effect this might have on, say, piracy of those shows. Did you determine that it would increase piracy? Congratulations, you are a better judge of consequences than Fox. Because piracy of Fox shows went up by a huge amount during this last week.

Actually, it’s likely that Fox anticipated this increase in piracy and simply considered it worth the trade-off. With worse options for free users, more will watch the live broadcast, they suppose, and ad prices go up with these increased projections. Query: if these people could watch it on live TV, why would they be watching it on Hulu in the first place?

Defining the legal environment of the Cloud.

Amazon, Dropbox, Google and You Win in Cloud-Music Copyright Decision

The disk drives powering Dropbox, Amazon’s Cloud Drive, and Google Music likely issued a small sigh of relief Monday, after a federal court judge found that the MP3tunes cloud music service didn’t violate copyright laws when it used only a single copy of a MP3 on its servers, rather than storing 50 copies for 50 users.

For Amazon and Google’s nascent cloud music services, the decision clears the way for them to make it easier and faster for customers to use their music services; gives them legal cover to reduce the amount of disk space needed per user; makes it less likely that new customers of their music services will bust through their ISPs data caps when signing up; and clears the way for the companies to let users add songs found on webpages and through search to their lockers with a single-click — all without either being sued by record labels for doing so.

Monday’s decision centers on MP3tunes, a cloud-based online music locker service, that allows a customer to upload the music from their hard drives to a “locker” on the web, where they can play back the songs from any connected device.

What happens when justifications like “We gotta do something!” wear off?

Balancing the Risks, Benefits, and Costs of Homeland Security

August 22, 2011 21:27 Source: U.S. Naval Postgraduate School

From the Homeland Security Affairs Journal abstract: By Mueller, John and Mark G. Stewart.

The cumulative increase in expenditures on U.S. domestic homeland security over the decade since 9/11 exceeds one trillion dollars. It is clearly time to examine these massive expenditures applying risk assessment and cost-benefit approaches that have been standard for decades. Thus far, officials do not seem to have done so and have engaged in various forms of probability neglect by focusing on worst case scenarios; adding, rather than multiplying, the probabilities; assessing relative, rather than absolute, risk; and inflating terrorist capacities and the importance of potential terrorist targets. We find that enhanced expenditures have been excessive. [What a surprise! Bob]

+ Direct link to full text of the article (PDF; 479 KB)

+ The article is also available in HTML and other formats.

For my Geeks. Be “Green” – re-purpose the HP Tablet.

Hack Your TouchPad to Run Android, Win a Prize

After HP announced it would discontinue production of its TouchPad tablet last week, it looked like early HP tablet adopters spent $500 on a dud. If you’re an enterprising software hacker, however, there could be an opportunity to make your money back — and then some.

A hardware-modification web site is offering a $1,500 cash bounty for the first person to successfully port a full version of the Android operating system over to HP’s TouchPad. The site offers a tiered bounty system for would-be TouchPad hackers: Just getting Android to run on the TouchPad without taking full advantage of the tablet’s hardware will win you a cool $450. But the more you’re able to integrate the system software into the device, the more cash you’ll earn. Get the Wi-Fi, multitouch capability, audio and camera up and running, and you’ll add another $1,050 to the pot.


Microsoft Pursues WebOS Devs, Offers Free Phones

"Taking advantage of Hewlett-Packard's departure from the tablet and smartphone market, Microsoft has offered webOS developers free phones, tools and training to create apps for Windows Phone 7. Brandon Watson, Microsoft's senior director of Windows Phone 7 development, made the offer on Twitter on Friday, and has been fielding queries ever since. 'To Any Published WebOS Devs: We'll give you what you need to be successful on #WindowsPhone, incl. free phones, dev tools, and training, etc.,' Watson said a day after HP's announcement. Before Friday was out, Watson said he had received more than 500 emails from interested developers, and later, that the count was closing in on 600."

Free is good! But imagine what $1 per student (paid to the Instructor, of course) would do to increase the number of free classes available...

More Stanford Computing Courses Go Free

"Following on the recent Slashdot item on the availability of a free Stanford AI course there is news that two other Stanford Computer Science courses are also joining in this 'bold experiment in distributed education' in which students not only have access to lecture videos and other course materials but will actively participate by submitting assignments and getting regular feedback on their progress. The subjects are Machine Learning with Andrew Ng and Database with Jennifer Widom. This open approach looks as if it might be a success with well over 100,000 prospective students signing up to the AI course alone."

Useful and free. Pixtick - Create And Share Screenshots

Coupling a cool service with a slick interface, Pixtick makes it incredibly easy for people who need to share screenshots to get the job done with speed and precision. You see, users of Pixtick can share images that can be annotated and edited as much as is needed, and all these edits and annotations can be handled from within the application. And not only does Pixtick run in the browser, the service is actually completely free.

The world, she is a changing...

The State of Digital Education Infographic

Monday, August 22, 2011

Not “Hackers” exactly, but “potential Identity Thieves”

FTC Approves Final Orders Settling Charges that Credit Report Resellers Allowed Hackers to Access Consumers’ Personal Information

August 22, 2011 by admin

From the FTC:

Following a public comment period, the Federal Trade Commission has approved final orders settling charges against three credit report resellers, SettlementOne Credit Corporation; ACRAnet, Inc.; and Fajilan and Associates, Inc., also doing business as Statewide Credit Services. The FTC alleged the companies did not take reasonable information security steps to protect consumers’ data, allowing hackers to access more than 1,800 credit reports without authorization. The FTC’s orders settling the charges require the companies to strengthen their data security procedures and submit to audits for 20 years.

Related: Statement of Commissioner Brill


In the Matter of SettlementOne Credit Corporation, a corporation, and Sackett National Holdings, Inc., a corporation File No. 082 3208

In the Matter of ACRAnet, Inc., a corporation File No. 092 3088

In the Matter of Fajilan and Associates, Inc., also doing business as Statewide Credit Services, a corporation, and Robert Fajilan, individually and as an officer of the corporation File No. 092 3089

Sound familiar? “I can't define 'esthetic,' but I know it when I see it.”

Taking Random Photos in Long Beach Can Put You in Handcuffs (Really)

... detaining people who are snapping pictures "with no apparent esthetic value" is within department policy, according to the Long Beach Post.

Chris confirms the obvious?

Chris Hoofnagle discusses online privacy

August 21, 2011 by Dissent

James Temple writes:

Despite widening criticism of online tracking, marketers are going to greater lengths than ever to ensure they can monitor online behavior even when consumers take steps to opt out.

That’s the finding of a research paper written by academics at UC Berkeley and elsewhere. It comes at a critical time, when the marketing industry is fighting proposed do-not-track rules that it claims are unnecessary and harmful.

Chris Hoofnagle, a lecturer at UC Berkeley Law School who oversaw the research, said the marketing sector has continually demonstrated the inability to police itself.

Read Temple’s interview of Chris on

Now you too can have a Congressman in your pocket!

August 21, 2011

A pocket Congress – track elected officials, read the latest bills and laws

"The government apps and mobile sites allow you to access official information on various topics from the palm of your hand. Learn more about apps."

  • Congress – A Pocket Directory - Sunlight Labs - "track elected officials, read the latest bills and laws. Want to know more about Congress?: Find your representatives by your location; See how they vote, read up on bills; Stay on top of floor activity, committee hearings; Be notified of new events"

So how do we change this?

August 19, 2011

Commentary - Print vs. Online - The ways in which old-fashioned newspapers still trump online newspapers

The ways in which old-fashioned newspapers still trump online newspapers, by Jack Shafer

  • "My anecdotal findings about print's superiority were seconded earlier this month by an academic study presented at the annual meeting of the Association for Education in Journalism and Mass Communication. The paper, Medium Matters: Newsreaders' Recall and Engagement With Online and Print Newspapers, by Arthur D. Santana, Randall Livingstone, and Yoon Cho of the University of Oregon, pit a group of readers of the print edition of the New York Times against Web-Times readers. Each group was given 20 minutes reading time and asked to complete a short survey. The researchers found that the print folks "remember significantly more news stories than online news readers"; that print readers "remembered significantly more topics than online newsreaders"; and that print readers remembered "more main points of news stories." When it came to recalling headlines, print and online readers finished in a draw."

Sunday, August 21, 2011

How big? Limited to Korea?

Epson Korea says 35 million 350,000 customers’ data hacked (updated)

Update: Yonhap News issued another story that puts the number at 350,000, but didn’t correct their original url, cited below.

Good grief – yet another hack in South Korea affecting 35 million?! Yonhap News Agency reports:

Epson Korea Co., the South Korean unit of Japan’s Seiko Epson Corp., said Saturday that its Web site has been hacked, causing the private information of 35 million users to be leaked.

“We have discovered through an internal investigation that the customers’ data were leaked. We apologize for causing the trouble,” said Epson Korea in a pop-up notice on its Web site.

The company said that it had detected the security breach a week ago but reported the cyber attack to the Korea Communications Commission (KCC) belatedly on Thursday. The company said that it has put more priority on informing its customers of the hacking.

Personal information leaked included names, user IDs, passwords and resident registration numbers, according to the company. Epson Korea said it is trying to track the hackers but has found no trace of them.

Epson Korea said that it has asked its customers to change their passwords on its Web sites and other portal sites.

Two popular Web sites operated by SK Communications Co. were hacked in late July, causing the private information of 35 million users to be leaked. A local court earlier this week ordered the operator of South Korea’s third most-visited Internet portal to pay a victim 1 million won (US$925) in compensation.

In contrast to Yonhap’s coverage, Reuters is reporting that the company indicated that 350,000 were affected.

There’s a statement on Epson Korea’s site, but I can’t translate it. If any site visitor would be kind enough to translate, I’d appreciate it.

How big? Another great job of masking the facts?

Thirty-one Gifts, two breaches, and a bunch of notification letters

It must be headache-inducing enough to investigate one security breach. To discover a second breach while investigating the first, well, pass the Prozac.

On August 8, lawyers for Ohio-headquartered Thirty-One Gifts, LLC notified the New Hampshire Attorney General’s Office that while investigating how administrative credentials had been misappropriated and used to transfer some consultants’ commissions to an unknown individual’s own bank account, they discovered that a laptop containing consultants’ information was missing. The firm does not believe that the two incidents were related.

In the first matter, the unidentified suspect may have accessed 28 consultants’ names, addresses, Social Security Numbers, and bank account information. The firm reports that fraudulent transfers occurred over two commission cycles [So the transfers were not detected or stopped after the first occurrence? Bob] late last year and were quickly detected internally. During that investigation, however, the firm discovered that a laptop was missing. [No one noticed? Bob] At the request of law enforcement, they did not send out notifications about that matter until they were advised that they could – on August 10. The missing laptop contained an unspecified total number of consultants’ names, addresses, and bank account information; 27 residents of New Hampshire were notified about the missing laptop.

Thirty-One Gifts took a number of concrete steps to investigate both matters and to harden their security going forward, as outlined in their notification to the state and affected individuals, who were offered some free services.

Beware of Geeks bearing gifts...

Charging Stations May be 'Juice-Jacking' Data from Your Cellphone

In a world where laptop batteries, text messages and even old-school newspapers can hack into your life, the question seems not to be what's stealing your personal data, but rather what isn't. So it may not come as a shock to learn that those innocuous and oh-so convenient charging stations may be infiltrating your smartphone by "juice-jacking."

… Many smartphones are configured to transfer data or sync whenever they're plugged directly into USB ports, which is what cellphone power stations are equipped with. So a crafty hacker could make a simple tweak to the charging station and program it to automatically download all of your cellphone's data or upload malware.

How would you avoid a “Subway Spring?”

SF subway sets public debate on cell shutdown

BART, the San Francisco-area transit system targeted by hackers after it cut wireless service in its subway prior to a protest, posted a letter to customers today explaining its position and announcing plans for a public meeting on the issue.

"BART's temporary interruption of cell phone service was not intended to and did not affect any First Amendment rights of any person to protest in a lawful manner in areas at BART stations that are open for expressive activity," reads the letter, posted on the BART Web site and signed by Bob Franklin, president of BART's board of directors, and Sherwood Wakeman, the system's interim general manager. "The interruption did prevent the planned coordination of illegal activity on the BART platforms, and the resulting threat to public safety." [Because only 'illegal actors' were using the subway that day? Bob]

Yesterday Microsoft backed off “persistent cookies.” Today Apple points out a tracking feature and suggests developers should maybe, sorta consider not using it?

Apple Shifts Stance on Mobile Software Identifier

Apple Inc. is advising software developers to stop using a feature in software for its iPhones and iPads that has been linked to privacy concerns, a move that would also take away a widely used tool for tracking users and their behavior.

Developers who write programs for Apple's iOS operating system have been using a unique identifier specific to each device to gather personal data about users, in some cases creating detailed dossiers on how they use multiple apps. But Apple advised developers not to use that ID number, known as UDID or Unique Device Identifier, with a new version of the operating system that is expected to become available in coming weeks.

The company set no specific deadline for the change. But it stated on a website for developers that the feature "has been superseded and may become unsupported in the future." It said they could still create an identifier unique to each individual application, however.

… Developers say the companies have been mulling the change quietly for weeks, discussing alternative solutions but have not spoken publicly because they had all signed non-disclosure agreements with Apple.

They say one potential way to continue to track users across apps would be to track another unique identifier, known as a Media Access Control address, which lets networks interface with devices. Some of them are also looking at ways to build "fingerprints" using other data that is accessible to developers.

An interesting consequence of Cloud Computing – and old license language in new areas. If you need a license for each “computer” what happens when you can “Create a computer” at will?

25,000 Danish Hospital Staff Moving To LibreOffice

An anonymous reader writes with news that 25,000 staff across 13 hospitals in Denmark will be switching to LibreOffice over the course of the next year.

"The group of hospitals is phasing out a proprietary alternative, 'for long term strategic reasons,' which at the same time saves the group some 40 million Kroner [about $7.7 million] worth of proprietary licenses. The ditching of the proprietary alternative is a consequence of the group's move to virtual desktops, allowing staff members to log in on any PC or thin client. The group found that deploying this new desktop infrastructure would 'trigger unacceptably high costs' for proprietary office licenses... The move is Europe's second largest migration project involving public administrations using an open source office suite."

For my Geeks looking to start a small business...

Mobile Phone Monitoring Service Found

Lion Gu writes:

We’ve been reporting about several NICKISPY variants — Android malware that can monitor a phone’s activities, like SMS, phone calls, and location — here on the Malware Blog, and we’ve been curious about how such private information is used, and how they earn money from it.

Now, we have a clear example. We’ve found a Chinese website which offers a mobile phone monitoring service. Once a customer decides to employ the service, he or she will get an account to log into a backend server of the service, where information gathered from a target device can be viewed.

Read more on TrendMicro’s Malware Blog.

Luddites live! “I don't understand it, therefore it must be evil so I want to ban it.” As we integrate new technologies into the education arena, someone will undoubtedly find bad things to do with them. Do we toss the baby out with the bathwater?

Missouri teachers sue to block social media law

Kevin Murphy of Reuters reports:

In the face of a lawsuit, a Missouri state senator defended on Saturday a new state law that will prohibit teachers from communicating privately with students over the Internet.

A teachers group filed a lawsuit Friday afternoon contending the new law violates free speech and other rights, but the senator who sponsored it says it does nothing of the kind.

“It doesn’t stop any avenue of communication whatsoever, it only prohibits hidden communication between educators and minors who have not graduated,” said state Senator Jane Cunningham, a St. Louis Republican and key sponsor of the law.

Read more on WSAU

[From the article:

The law permits teacher-student contact if the Internet site can be viewed by parents, administrators or the public. [Isn't that a FERPA violation? Bob] Teachers and students can still e-mail and text each other as long as someone is copied, Cunningham said.

(Related) I thought for a minute that Argentina might be expecting their own “Arab Spring” but this is simply a case of the “experts” who provide Internet services not understanding how those services work...

Argentina Censors Over a Million Blogs

"A judge in Argentina ordered ISPs to block two websites — and According to Google, many ISPs have simply blocked the IP instead of using a targeted DNS filter. Over a million blogs are hosted by Blogger at this IP. Freedom of speech advocate Jillian York wrote, 'IP blocking is a blunt method of filtering content that can erase from view large swaths of innocuous sites by virtue of the fact that they are hosted on the same IP address as the site that was intended to be censored. One such example of overblocking by IP address can be found in India, where the IP blocking of a Hindu Unity website (blocked by an order from Mumbai police) resulted in the blocking of several other, unrelated sites.'"
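The overblocking York describes is easy to quantify before an order is applied. The following is an added example, not code from the Slashdot item or from any ISP: it uses a constructed DNS table (hypothetical hostnames and RFC 5737 addresses) to compare a targeted hostname filter with a blunt IP block and report the collateral sites the IP block would take down.

```python
"""Added example: estimate collateral damage of blocking by IP address
versus filtering by hostname. The DNS table below is constructed for the
demonstration; the names and addresses are hypothetical."""
from collections import defaultdict

# Constructed sample DNS answers. Many distinct hostnames resolve to one
# shared address, as they do on a large blog host such as Blogger.
DNS_TABLE = {
    "targeted-blog.example.net":  "203.0.113.10",
    "recipes.example.net":        "203.0.113.10",
    "cycling-club.example.net":   "203.0.113.10",
    "localnews.example.net":      "203.0.113.10",
    "second-target.example.org":  "198.51.100.7",
    "unrelated-shop.example.com": "192.0.2.44",
}


def reverse_index(table):
    """Group every hostname by the address it resolves to."""
    by_ip = defaultdict(set)
    for host, ip in table.items():
        by_ip[ip].add(host)
    return by_ip


def hostname_filter(table, ordered):
    """Targeted DNS filter: block exactly the names listed in the order."""
    return {h for h in ordered if h in table}


def ip_block(table, ordered):
    """Blunt IP block: every name sharing an address with a target is lost."""
    by_ip = reverse_index(table)
    blocked = set()
    for host in ordered:
        if host in table:
            blocked |= by_ip[table[host]]
    return blocked


def collateral(table, ordered):
    """Sites the IP block silences that the order never mentioned."""
    return ip_block(table, ordered) - hostname_filter(table, ordered)


if __name__ == "__main__":
    order = ["targeted-blog.example.net", "second-target.example.org"]
    print("hostname filter blocks:", sorted(hostname_filter(DNS_TABLE, order)))
    print("IP block blocks:       ", sorted(ip_block(DNS_TABLE, order)))
    print("overblocked (collateral):", sorted(collateral(DNS_TABLE, order)))
```

Run against real resolver output, the same reverse index tells an operator how many unrelated sites an IP-level block would silence, which is the number a court order rarely states.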

Looks a bit clumsy, but that will improve.

August 21, 2011

Pronunciation Book channel on YouTube

Pronunciation Book - spoken pronunciation of words, via YouTube (worth visiting)