Saturday, September 24, 2011

I'm going to summarize these “get out of jail, free” user agreements on the back of my business cards. I'll be invulnerable!
"Electronic Arts has updated its Terms of Service Agreement for the Origin platform. Following Sony's steps, and taking it even further, EA has added a new clause that prevents users from suing them in both class action and jury trial forms."

“Hello, this is Peggy...”
September 22, 2011
Check Point Survey Reveals Nearly Half of Enterprises Are Victims of Social Engineering
News release: "Check Point® Software Technologies Ltd. announced the results of a new report revealing 48 percent of enterprises surveyed have been victims of social engineering, experiencing 25 or more attacks in the past two years, costing businesses anywhere from $25,000 to over $100,000 per security incident. The report, The Risk of Social Engineering on Information Security, shows phishing and social networking tools as the most common sources of socially-engineered threats – encouraging businesses to implement a strong combination of technology and user awareness to minimize the frequency and cost of attacks. Socially-engineered attacks traditionally target people with an implied knowledge of or access to sensitive information. Hackers today leverage a variety of techniques and social networking applications to gather personal and professional information about an individual in order to find the weakest link in the organization. According to the global survey of over 850 IT and security professionals, 86 percent of businesses recognize social engineering as a growing concern, with the majority of respondents (51%) citing financial gain as the primary motivation of attacks, followed by competitive advantage and revenge."

I am surprised that the percentages are so low. Why wouldn't everyone ask for this stuff?
September 22, 2011
Symantec Survey Finds Emails Are No Longer the Most Commonly Specified Documents in eDiscovery Requests
News release: "Symantec Corp. announced the findings of its 2011 Information Retention and eDiscovery Survey which examined how enterprises manage their ever-growing volumes of electronically stored information and prepare for the eventuality of an eDiscovery request. The survey of legal and IT personnel at 2,000 enterprises worldwide found email is not the primary source of records companies must produce, and more importantly, respondents who employ best practices for records and information management are significantly less at risk of court sanctions or fines."
[From the press release:
When asked what types of documents are most commonly part of an eDiscovery request, respondents selected files and documents (67 percent) and database or application data (61 percent) ahead of email (58 percent). As evidence of just how many sources companies must be prepared to produce information from, more than half indicated SharePoint files (51 percent), and nearly half cited instant messages and text messages (44 percent) and social media (41 percent).

It will be interesting to see if the “promised” new jobs actually materialize.
Gov. Jerry Brown signs Amazon sales tax collection law
… The new law will "create tens of thousands of jobs [How and where? Bob] and inject hundreds of millions of dollars back into critical services like education and public safety in future years," Brown said Friday at a ceremony held at the San Francisco headquarters of clothier Gap Inc.
… They also predicted that new jobs would flow into the state if Amazon, as expected, opens some large distribution centers to better serve California, which is estimated to represent as much as 20% of the company's market. [I'm betting they open their warehouses in Nevada... Bob]
… California law requires consumers to pay a "use tax" that is equal to the sales tax if the merchant doesn't collect the levy for the state. However, tax collectors generally do not enforce that obligation on non-commercial transactions, and less than one-half of 1% of taxpayers voluntarily pay, state officials said.

What do the students say?
September 23, 2011
Pew Report: The Digital Revolution and Higher Education
  • "As online college courses have become increasingly prevalent, the general public and college presidents offer different assessments of their educational value, according to a new Pew Research Center report. Just three-in-ten American adults (29%) say a course taken online provides an equal educational value to one taken in a classroom. By contrast, about half of college presidents (51%) say online courses provide the same value. More than three-quarters of college presidents (77%) report that their institutions now offer online courses, and college presidents predict substantial growth in online learning: 15% say most of their current undergraduate students have taken a class online, 50% predict that ten years from now most of their students will take classes online. The report is based on findings from two Pew Research Center surveys: a national poll of the general public, and a survey of college presidents done in association with The Chronicle of Higher Education. It analyzes the perceptions of the public and college presidents about the value of online learning, the prevalence and future of online courses, use of digital textbooks, the internet and plagiarism, and technology use in the classroom, as well as college presidents’ own use of technology."
[From the report:
Among all adults who have taken a class online, 39% say the format’s educational value is equal to that of a course taken in a classroom.

Friday, September 23, 2011

The cost of a security breach... Are they not acting like a victim because they see themselves as liable?
(follow-up) OH: Silence not broken nearly a year after security breach
September 23, 2011 by admin
The student paper at Ohio State University has continued to try to get answers to their questions about a breach at OSU last year that affected 760,000. You can read Ally Marotti’s recent update on The Lantern. The coverage paints an unflattering picture of the university in terms of transparency following the breach. Could the university really not have a detailed chronology or notes concerning steps it took after becoming aware of a breach? Despite a number of freedom of information requests, the campus paper is still having trouble getting answers to some questions, it seems.
The article also includes some figures on what the breach may have cost, in part:
After the breach, the university hired two computer security-consulting firms, Interhack Corp., based in Columbus, and Stroz Friedberg LLC, a New York-based firm.
According to an original estimate Lynch provided, OSU budgeted $200,000 and $22,000 for Stroz Friedberg and Interhack, respectively.
Additionally, $100,000 was budgeted for Vory’s, a legal consultant, and $50,000 for Adelman, a communications consultant.
For Experian, the incident notification consultant, OSU put aside $3.7 million, bringing the total estimated cost to $4.1 million. The university’s operating funds will go toward the costs, Lynch said.
The Lantern is still awaiting subsequent requests for the most recent estimates on how much the breach will cost OSU.
OSU hired Experian to provide year-long credit protection for those affected. OSU bought 500,000 activation codes from Experian, costing $3.19 each, for a total of nearly $1.6 million.

They don't teach this in medical school?
By Dissent, September 23, 2011
Alina Selyukh reports:
New technologies are flooding into the healthcare world, but the industry is not adequately prepared to protect patients from data breaches, [No surprise Bob] according to a report published on Thursday.
A vast majority of hospitals, doctors, pharmacies and insurers are eager to adapt to increasingly digital patient data. However, less than half are addressing implications for privacy and security, a survey of healthcare industry executives by PricewaterhouseCoopers LLP found.
PwC’s Health Research Institute interviewed 600 executives in the spring of this year and also found that less than half of their companies have addressed issues related to the use of mobile devices. Less than a quarter have addressed implications of social media.
Read more on Reuters.

It used to be that when someone irritated management they'd toss them out of the pub – on their butts if they insulted the owner's wife, on their heads if they insulted his mistress.
September 22, 2011
Report Provides Guidelines for Dilemmas of Account Deactivation and Content Removal
"A report released today by the Center for Democracy & Technology and the Berkman Center for Internet & Society highlights the dilemmas companies and users face when enforcement of a website's Terms of Use policy results in deactivation of user accounts or removal of user-generated content. The report recommends principles, strategies, and tools that both companies and users can adopt to lessen the negative effects of account deactivation and content removal. The report, Account Deactivation and Content Removal: Guiding Principles and Practices for Companies and Users, outlines select examples of good company practices. Such practices feature rules and enforcement policies that are sensitive to users' free expression and privacy rights and to the potential risks faced by human rights activists, who are increasingly using social media tools in their work."

45 pages to say “Play nicely”
Net neutrality rules kick in November 20
… The Net neutrality rules were originally passed by the FCC in late December, and shortly thereafter Verizon Communications sued the agency in federal court, saying the FCC had overstepped its authority. But the U.S. Court of Appeals for the District of Columbia Circuit dismissed the case, calling it premature, since the rules had not yet been added to the Register.
With that publication apparently upon us, Verizon and other companies could initiate additional legal challenges.
The FCC rules--the outcome of years of debate--lay out specific Net neutrality principles and essentially let Internet service providers ration access to their networks while preventing them from discriminating against content that comes from competitors.
ii. No blocking. Fixed broadband providers may not block lawful content, applications, services, or non-harmful devices; mobile broadband providers may not block lawful Web sites, or block applications that compete with their voice or video telephony services;

What would the equivalent have been 20 years ago? A wristwatch (replaced by cellphones)? Their own phone line (unlikely, they could not take it with them to show the other kids)?
"Nearly everyone is aware of the influence of technology, specifically that of the new-generation telephonic devices on our society. But, when one in every 3 under-ten kids starts having their own mobile phones, only then do we come to realize how deep rooted the influence really is — yes, that's what a new report claims. According to the latest findings by the cloud security outfit Westcoastcloud, near about 33 percent of all UK's under-ten kids are currently in possession of a mobile phone."

All my students carry these. This may be useful.
How To Auto-Launch Apps With A USB Stick [Windows]

This could be really handy! For backup or copy and paste, paste, paste, paste...
PickMeApp Lets You Transfer all Installed Programs from one Windows PC to Another

Thursday, September 22, 2011

Unfortunately, you sometimes have to nudge prosecutors by making it personal...
"Massachusetts Attorney General Martha Coakley said on Tuesday that her office would be inquiring into long-standing complaints about fraudulent purchases that leverage Apple's popular online music store. Coakley was herself a victim of identity theft in recent months, telling the audience that her stolen credit card information was used to make fraudulent iTunes purchases. When asked (by a Threatpost reporter) about whether such fraud constitutes a reportable event under the Bay State's strict data breach notification law, 201 CMR 17, Coakley said that her office would be looking into that question and demanding answers from Cupertino, which has steadfastly refused to respond to media requests regarding user reports about fraudulent iTunes purchases, and which has not reported the breaches to Massachusetts regulators."

A warning for the US?
Centralized, electronic medical records are touted as a means of increasing efficiency and patient safety. The "centralizing" and "turning electronic" phases, though, have some very rough edges. An anonymous reader writes with this excerpt from the Guardian about one such digitization project in the UK:
"An ambitious multibillion pound programme to create a computerised patient record system across the entire NHS is being scrapped, ministers have decided. The £12.7bn National Programme for IT is being ended after years of delays, technical difficulties, contractual disputes and rising costs."

Not what I expected.
Evaluating the Use of Public Surveillance Cameras for Crime Control and Prevention
September 21, 2011 22:04 Source: The Urban Institute
From the abstract:
This report summarizes the results of an evaluation of public surveillance systems in Baltimore, Chicago, and Washington, D.C., examining how systems in each of these jurisdictions were selected and implemented and assessing the degree to which they achieved their intended crime prevention impact. The study also explored whether surveillance cameras displaced crime or yielded a diffusion of benefits to areas just beyond the cameras' reach, and included a cost-benefit analysis component in two of the three study sites. Findings indicate that in places where cameras were sufficiently concentrated and routinely monitored by trained staff, the impact on crime was significant and cost-beneficial, with no evidence of crime displacement.

Yet another indication that the HP BoD has too much access to wacky weed? Does this suggest they will keep the PC business?
HP Looks Set To Fire CEO Léo Apotheker. Now What?
… Early reports that HP’s board was meeting to oust Apotheker and potentially replace him with ex-eBay head (and California gubernatorial candidate) Meg Whitman began filtering out through press leaks yesterday morning. The New York Times had the fullest account of the board’s reported deliberations, citing unnamed insiders “not authorized by the board to speak publicly.”

For my Criminal Justice geeks...
"When it comes to a physical crime scene and the resulting forensics, investigators can ascertain that a crime took place and gather the necessary evidence. When it comes to digital crime, the evidence is often at the byte level, deep in the magnetics of digital media, initially invisible from the human eye. That is just one of the challenges of digital forensics, where it is easy to destroy crucial evidence, and often difficult to preserve correctly."

This one is for my fellow teachers. We'll need to integrate social networking into our Business curriculum...
Platlas: The world's first social-platform atlas
On the eve of F8, Facebook's annual developer conference, the world's busiest social network is expected to undergo its most radical change yet.
Facebook, now 7 years old, appears on the verge of becoming a full-on consumer brand powerhouse--where entire industries like publishing, film, and television will live and conduct commerce at an unprecedented rate and scale, industry watchers say. As Facebook grows and evolves, it's also becoming a more complex platform to understand and navigate. That's why Platlas, the world's first social-networking "atlas" was created.
"Facebook is an absolute must-have for every brand," Germano told CNET in a pre-F8 interview. "It's becoming the only way for brands to have communications with online users." Germano and his company seem to be in a good position to know, having designed the very first brand experiences on Facebook's platform in 2007.
Germano's team plans to continuously track and update any and all changes to the Facebook platform. After F8, expect to visit Platlas and see how Facebook's social ecosystem has been modified.
In coming months be on the lookout for other social platforms to go through the Platlas process. There will be similar graphical social guides for Twitter, Foursquare, and Gowalla and eventually every social network.

Perhaps a short lecture in Ethical Hacking?
War with computer hackers hits the road
… The menu of future electronic features currently being studied by automakers--everything from Internet-based data and entertainment to car-to-car safety communications--has a dark shadow. Any one of them is a potential open window to computer hackers, says Georg Doll, senior director of automotive solutions at Wind River, the automotive software arm of Intel.
… Researchers at the University of California in San Diego and the University of Washington agree. The team published a paper in August warning that there are plenty of chinks in the automobile's armor.
Among their realistic scenarios:
-- A virus enters the vehicle through a downloaded piece of music and interferes with controls.
-- A hacker attacks the car using the same wireless frequency as its remote keyless entry.
-- Hackers reach into vehicle control units by long-range broadcast, using the auto's global positioning system as a receiver.

Wednesday, September 21, 2011

Interesting that this is treated as a breach. Do older X-rays include personal data 'burned' on the film?
By Dissent, September 20, 2011
Not the first time we’ve seen a breach like this and likely, it won’t be the last:
Barrels of X-ray film set to be destroyed were stolen from Good Samaritan Hospital in Baltimore by a man posing as a vendor employee, police said.
According to a Baltimore City police report, officers were called to the hospital Friday morning to investigate the theft of as many as two barrels of old X-ray film. Hospital officials said the films were “more than 5 years old” and the films “had been put aside to be either destroyed or recycled.”
“It appears he did this by misrepresenting himself as the vendor responsible for the disposing and/or the recycling of those items,” Baltimore police spokesman Kevin Brown said.
A statement released by Good Samaritan Hospital suggests the assailant’s motive may have been to extract and sell the silver contained in the films: “There is no clinical impact to patient care as medical reports associated with those films remain with the patient records. We are working diligently to determine the specific patients impacted by this occurrence so direct notification can be made to assist them.”
Read more on WBAL.

Is this the electronic equivalent of asking your neighbors about your biases?
Lawyers in Murray trial using Facebook, Twitter to screen jurors
After approximately a week of poring over 145 jury questionnaires, lawyers in the trial of Michael Jackson's doctor are due in court Wednesday to discuss removing jurors whose answers they believe should disqualify them from hearing the case.
But legal experts say prosecutors and defense attorneys in the Conrad Murray trial will be doing more than simply screening jurors based on their answers to the more than 100 questions filled out on September 8 and 9. They'll also be scrutinizing what prospective jurors may have said outside the courthouse and online about events surrounding the June 2009 death of pop star Michael Jackson.
… But Gabriel added that it is rare for a legal team to have time to do such vetting of prospective jurors, because jury selection is completed within hours in a vast majority of trials, [Sounds like a business opportunity: Instant social media search Bob] not over several weeks as in the Anthony case (and most likely Murray's as well).

Interesting but not unexpected statistics.
TalkTalk ISP Study Claims Half of Internet Connected Homes Suffer Cyber Attacks
A new TalkTalk commissioned YouGov study into the broadband habits of 19,828 UK adults ('Life Online') has claimed that almost half (45%) of all internet connected homes have suffered some form of cyber-attack, although this apparently included being "bombarded with unwanted 'pop-up' advertising".
The ISP estimates that more than 700,000 attempts at identity theft were also mounted on Britain’s homes during the first quarter of 2011 and that 89% of emails sent last year were SPAM (unwanted or malicious junk). The single most prominent form of cyber-attack was Adware-related (35%), which uses various methods (e.g. keyloggers) to collect sensitive private information from your computer.
The vast majority of respondents to the survey agreed that it was important to protect their internet connections, yet 10% of broadband ISP customers said they relied "solely on their own vigilance" instead of using security software. Personal vigilance alone is not enough to spot all threats, many of which can creep in silently.
Elsewhere 23% of parents claimed to have seen their children (those aged 6-17) accidentally download a virus on to the home computer and 5% witnessed them giving out personal information online; some 73% of parents cite this as being their "biggest concern".

(Related) Still, one out of three is better than 45%...
Data breaches affect 2m in Mass.
September 21, 2011 by admin
Hiawatha Bray reports:
Personal information from nearly one out of three Massachusetts residents, from names and addresses to medical histories, has been compromised through data theft or loss since the beginning of 2010, according to statistics released yesterday by the office of Attorney General Martha Coakley.
The attorney general’s office has received 1,166 data breach notices since January 2010, including 480 between January and August of 2011. About 2.1 million residents were affected by the various incidents, though it’s unknown whether any of them were actually defrauded as a result of the data leaks.
Of the reported incidents, 25 percent involved deliberate hacking of computer systems containing sensitive data. Another 23 percent involved accidental sharing of information with unauthorized people, such as sending faxes or e-mails with personal information to the wrong recipient. In 15 percent of cases, retailers reported the theft of customer credit card numbers. Data was also lost through thefts or accidental losses of laptop computers and paper documents, or in cases in which workers deliberately gained unauthorized access to client files.
Read more on Boston Globe.

I wonder if there will be a backlash if the cops start mailing out tickets based on this “evidence”
OnStar Begins Spying On Customers’ GPS Location For Profit
September 20, 2011 by Dissent
Jonathan Zdziarski writes:
I canceled the OnStar subscription on my new GMC vehicle today after receiving an email from the company about their new terms and conditions. While most people, I imagine, would hit the delete button when receiving something as exciting as new terms and conditions, being the nerd sort, I decided to have a personal drooling session and read it instead. I’m glad I did. OnStar’s latest T&C has some very unsettling updates to it, which include selling your personal GPS location information, speed, safety belt usage, and other information to third parties, including law enforcement. [Are the cops fishing for violators? Bob] To add insult to a slap in the face, the company insists they will continue collecting and selling this personal information even after you cancel your service, unless you specifically shut down the data connection to the vehicle after canceling.

Gary Alexander sends an interesting article... It is far easier to say “NO!!!” to everything than to actually read the laws and regulations and make an informed determination. Lots of lawyers (managers too) think their job is to say no. I think their job is to help me accomplish my job. And don't get me started on sending things by FAX (first patented before the Civil War) which requires someone to print out data, fax it, then someone else gets to type it back into a computer.
HIPAA on phones, faxes and e-mail
My wife Deborah Black (light of my life) is a neuropsychiatrist who works at two different clinics. Sometimes patients are referred from one clinic to the other, and the question arises of how to transmit the details of their medical record from one team to the other.
Anything concerning the privacy of medical data in the USA is governed by the Health Insurance Portability and Accountability Act (HIPAA) passed in 1996. The legislation is complex, and the U.S. Department of Health & Human Services (HHS) has set up an extensive Web site with detailed information and instructions about HIPAA.
One of the questions I’ve been asked by my wife’s staff is whether it is acceptable to send medical information by fax or e-mail; some of the security and information technology staff at her clinics have flatly forbidden such transmission, asserting baldly that HIPAA forbids such transmission. Unfortunately, their medical records systems are incompatible, so the data cannot be sent automatically from one clinic to the other with appropriate encryption and other safeguards.
However, the IT/security staff are wrong in their absolute interdiction of faxes and e-mail for medical records.
In the document entitled, “Does the HIPAA Privacy Rule permit a doctor, laboratory, or other health care provider to share patient health information for treatment purposes by fax, e-mail, or over the phone?”, the HHS writes (quoting in full),
Yes. The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, e-mail, or otherwise.

For my Computer Security students (all of whom use flash drives)
7 Best Antivirus To Save Your PC From Infected USB Flash Drives

For my Ethical Hackers.
Smart meters reveal TV viewing habits
September 21, 2011 by Dissent
Researchers at the Münster University of Applied Sciences have discovered that it is possible to use electricity usage data from smart electricity meters to determine which programmes consumers are watching on a standard TV set. The experiments were carried out as part of the state-funded DaPriM (data privacy management) project. By analysing electricity consumption patterns, it is, in principle, also possible to identify films played from a DVD or other source.
Read more on H-Online.
[From the article:
Until now, the general assumption has been that it would be possible to use typical electricity consumption data from the smart meter for different appliances to determine whether a customer had prepared his or her dinner in the microwave, on the hob or in the oven, but nothing more. That possibility had already spurred data protection officials in the USA, where smart meters are already widely used, into action – they demanded precise regulations on how electricity meters deal with and protect collected data.
Second by second data transfer makes it possible to carry out much finer analysis. In the opinion of the Münster-based research team, this calls for a tightening of data protection regulations. One solution might be to increase the polling interval or simply to transfer a statistical summary to the electricity generator or provider. This would make the high resolution consumption data required for close analysis unavailable. Either way, the consumer is reliant on the provider taking the appropriate measures.

Ditto. Use the printer to make a skimmer that fits over the card slot on an ATM.
"An ATM skimmer gang stole more than $400,000 using skimming devices built with the help of high-tech 3D printers, federal prosecutors say. ... Apparently, word is spreading in the cybercrime underworld that 3D printers produce flawless skimmer devices with exacting precision. Last year, i-materialize blogged about receiving a client's order for building a card skimmer. In June, a federal court indicted four men from South Texas whom authorities say had reinvested the profits from skimming scams to purchase a 3D printer."

Tuesday, September 20, 2011

“etc.” is a weasel word that makes me (and the victims?) suspect much more was taken.
By Dissent, September 19, 2011
Yanez Dental Corporation in California recently reported a data breach to HHS.
In a notice on their web site dated June 15, they write, in part:
Our dental office was burglarized (5/22/2011). We have reported this incident to the police for investigation. The vandals stole three of our computers among other things. Personal information stored in these computers included names, birthdate, address, Social Security Number, telephone number, etc. It is important to mention that we are not aware that any personal information has been accessed or used inappropriately. For the purpose of security, each of the three computers has four levels of password protection. However, we feel it is important for us to inform you of any potential situation, and explain steps you can take to prevent or reduce any potential risk of identity theft or fraud loss.
According to HHS’s breach tool, 10,190 patients had information on the stolen computers.
I’m not quite sure I understand what the practice means by the “etc.” in types of information. Does “etc” include insurance account numbers, any financial information, etc.? It would have been helpful for them to be more inclusive in their description.

When will the default be “Encrypt sensitive data?” Demanding that one of their “Business Associates” improve their security isn't sufficient. All of their associates should be required to follow reasonable security practices.
By Dissent, September 19, 2011
On August 8, the Saint Barnabas Health Care System in New Jersey publicly disclosed a breach involving a Business Associate, MedAssets:
MedAssets, Inc., an independent revenue management and supply chain company that provides certain administrative and business services to the Saint Barnabas Health Care System, informed us on July 1, 2011 that an unencrypted external computer hard drive was stolen on June 24, 2011, from a MedAssets employee’s car, parked in a restaurant parking lot. The hard drive contained personal information used to determine eligibility for governmental benefits for certain patients of our six acute care hospitals.
The data contained patient names and for each such patient, information from one or more of the following categories: Medical Center account number, medical record number, date of birth, Medical Center charges incurred, amounts paid to the Medical Center, information on health insurance, eligibility for applicable governmental benefit programs and/or Medical Center admission and discharge dates. Social security numbers were included for about seven percent of the affected patients. The hard drive did not include any patient addresses, other financial information, or any clinical information regarding the patient’s care.
… MedAssets has provided written confirmation that it is implementing improved privacy safeguards to avoid similar incidents in the future, including eliminating the use of all unencrypted hard drives used for data back-up by its employees and strengthening the enforcement of its existing policy prohibiting their use.
… This is not the first time that Saint Barnabas has reported a breach involving a business associate. In September 2010, they disclosed a breach involving KPMG. Also last year, Newark Beth Israel Medical Center disclosed a web exposure breach involving Professional Transcription Company.
Saint Barnabas wasn’t the only hospital system affected by the MedAssets breach, however. Patients at the Cook County Health and Hospitals System in Chicago, Illinois were also affected.
… An unencrypted drive left in a car in a restaurant parking lot. Heads should have rolled for that one. What did this breach cost in terms of investigation and notifications? Those costs will ultimately drive up the cost of our health care. I find this type of breach inexcusable in this day and age and wish HHS/OCR would hand out a hefty fine or two to send the word that entities had damned well better make compliance with good security practices more of a priority.

Think of it as an automated sideshow barker...
Inspired By ‘Minority Report,’ Immersive Labs Raises $810K For Digital Display Recognition
Immersive Labs is working on futuristic advertising displays like those in the well known book and film Minority Report, which tailor advertising to the individual viewer. Immersive Labs’ digital signs use cameras and facial recognition technology to determine viewer characteristics like gender, age, distance and time spent viewing the ad in order to then serve up the advertising that would be most relevant (see the demo video below).
The targeting technology has shown an over 60% increase in viewer attention time during pilot tests, according to CEO Jason Sosa.

What is the cost of a security breach? I'm sure it was a “separate” company to firewall the liabilities, but there must have been some assets...
twoheadedboy writes
"DigiNotar, the Dutch certificate authority which was recently at the centre of a significant hacking case, has been declared bankrupt. The CA discovered it was compromised on 19 July, leading to 531 rogue certificates being issued. It was only in August that the attacks became public knowledge. Now the company has gone bankrupt, parent firm VASCO said today. VASCO admitted the financial losses associated with the demise of DigiNotar would be 'significant.' It all goes to show how quickly a data breach can bring down a company."
Adds reader Orome1:
"This is unsurprising, since a report issued by security audit firm Fox-IT, who has been hired to investigate the now notorious DigiNotar breach, revealed that things were far worse than we were led to believe."

What is a violation of Privacy worth?
News Corp. Paying Phone Hack Victim’s Family $4.7 Million
September 19, 2011 by Dissent
Damon Poeter reports:
News International will reportedly pay the family of a British murder victim about £3 million ($4.7 million) in a settlement to close a phone-hacking case that led to the closure of the News of the World tabloid and rocked Rupert Murdoch’s News Corporation media empire to its core.
The settlement includes a £2 million payment to Milly Dowler’s family and the donation of an additional £1 million to charity, Reuters reported Monday, citing “sources close to the case.”
Read more on PC Magazine.

(Related) Hacking a phone is so easy, even a caveman could do it...
Il: Police Arrest 22 in Phone Tapping Case
September 19, 2011 by Dissent
Gavriel Queenann reports:
Israel’s Hebrew-language Maariv reported Monday that Israel Police arrested 22 ‘private investigators’ for installing spyware on mobile phones allowing access to private conversations and text messages.
Documents filed in a Rishon Letzion court revealed the Israel Police Lahav 433 unit and Computer Crimes unit conducted a covert protracted investigation into 11 detective agencies allegedly using software previously reserved for the security services.
Read more on Arutz Sheva.
[From the article:
The software allows mobile phones to be remotely accessed without leaving a trace or revealing to the owner they are being surveilled. All calls, text messages, and e-mail messages transmitted to and from the infected phone can be received and recorded in real time.
A spokesman for the Israel Police said investigators believe hundreds of people across the country are using similar software to spy on competing businesses, family, or romantic partners.
[Try it yourself!
Tap A Cell Phone To Track Your Spouse Or Significant Other
How To Tap A Cell Phone | Can You Really Tap A Cell Phone?
Is Your Cell Phone Bugged?

I'm not sure I'd be bragging about this just yet. However, it does look like “location tracking” is getting some Privacy consideration.
Location based social network Foursquare has quietly released a new feature that allows places user categorize as their homes to be included in the system but not expose their exact addresses. Venues categorized as homes will now show up as a general area on a map, instead of a pin and street number, as restaurants and stores are displayed. The move was first reported by the independent blog AboutFoursquare.
It's a great little change that will enable users to check in at home without exposing too much information. This new feature will also allow people whose homes were listed on Foursquare against their wishes to easily obscure their addresses. [How does one learn if their home address is listed on Foursquare? Bob] Respecting home/away privacy is a key part of making people feel safe enough to expose their location at all, anywhere. Foursquare's approach is reminiscent of the new private location geofences Flickr launched earlier this month.
[From the AboutFoursquare blog:
It appears foursquare has gone through and properly categorized lots of venues that appear to be homes, either by name or by checkin pattern (i.e., only one person has checked in). The number of venues named “home” but without a category has declined drastically over the past few days.
Venues that didn’t get caught by foursquare won’t receive any of the privacy protections, so it’s important for users to take the time to make sure their homes are properly categorized. If you have friends who’ve abandoned foursquare but left their miscategorized home venues in place, it might be worth a nudge to get them to come back to foursquare to get their home updated properly, too.
This is a great enhancement to user privacy on foursquare. Thousands of users have added their homes without realizing the privacy implications of posting that information on the internet, so it’s nice that foursquare has taken these proactive steps to help increase the security of their homes.
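The two mechanisms described above, flagging likely home venues and showing them as an area rather than a pin, can be sketched in a few lines. The code below is an added example written for this post, not Foursquare's code; the grid size, the venue records and the check-in data are constructed assumptions, and the "name contains home or only one person checked in" heuristic is taken from the AboutFoursquare description rather than from any published Foursquare rule.

```python
"""Coarsening 'home' venue locations before display (added example, not Foursquare's code)."""
import math
from dataclasses import dataclass, replace

# Assumed grid cell: 0.01 degrees is roughly 1.1 km north-south. Foursquare's real
# "general area" size is not published; this value is an assumption for illustration.
CELL_DEGREES = 0.01


@dataclass(frozen=True)
class Venue:
    name: str
    category: str   # "" means uncategorised
    lat: float
    lon: float


@dataclass(frozen=True)
class DisplayLocation:
    kind: str        # "pin" (exact) or "area" (coarsened)
    lat: float       # pin coordinate, or centre of the area
    lon: float
    size_deg: float  # side length of the area; 0.0 for a pin


def _snap(value: float, cell: float) -> float:
    """Floor a coordinate to the lower edge of its grid cell, guarding against float drift."""
    return round(math.floor(round(value / cell, 6)) * cell, 6)


def display_location(venue: Venue) -> DisplayLocation:
    """Homes are rendered as a grid cell; every other category keeps its exact pin."""
    if venue.category != "home":
        return DisplayLocation("pin", venue.lat, venue.lon, 0.0)
    lat0 = _snap(venue.lat, CELL_DEGREES)
    lon0 = _snap(venue.lon, CELL_DEGREES)
    # Report only the cell centre: the street-level coordinate never leaves this function.
    return DisplayLocation("area",
                           round(lat0 + CELL_DEGREES / 2, 6),
                           round(lon0 + CELL_DEGREES / 2, 6),
                           CELL_DEGREES)


def looks_like_home(venue: Venue, checkin_users: set[str]) -> bool:
    """Heuristic from the blog excerpt: name says 'home', or only one person ever checked in."""
    if venue.category:
        return False  # already categorised by the owner; leave it alone
    return "home" in venue.name.lower() or len(checkin_users) == 1


def reclassify(venues: list[Venue], checkins: dict[str, set[str]]) -> list[Venue]:
    """Return a new venue list with probable homes moved into the 'home' category."""
    out = []
    for v in venues:
        users = checkins.get(v.name, set())
        out.append(replace(v, category="home") if looks_like_home(v, users) else v)
    return out


# Constructed sample data (coordinates and names are made up for the example).
SAMPLE_VENUES = [
    Venue("Home Sweet Home", "", 40.7128, -74.0060),
    Venue("Bob's Place", "", 40.7133, -74.0071),   # one visitor, no 'home' in the name
    Venue("Joe's Diner", "restaurant", 40.7128, -74.0060),
]
SAMPLE_CHECKINS = {
    "Home Sweet Home": {"alice", "alice_spouse", "cousin"},
    "Bob's Place": {"bob"},
    "Joe's Diner": {"alice", "bob", "carol", "dave", "erin"},
}


def demo() -> list[DisplayLocation]:
    """Classify the samples and compute what each would show on a map."""
    return [display_location(v) for v in reclassify(SAMPLE_VENUES, SAMPLE_CHECKINS)]


if __name__ == "__main__":
    for v, loc in zip(reclassify(SAMPLE_VENUES, SAMPLE_CHECKINS), demo()):
        print(f"{v.name:16s} {v.category:11s} -> {loc}")
```

Two homes a few hundred metres apart collapse to the same cell centre, which is the point: a reader of the map learns the neighbourhood, not the house. The restaurant at the identical coordinate still gets its exact pin, so the coarsening applies only where the category says it should, which is also why the blog's advice to check your own venue's category matters.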
[In the same article, but completely(?) unrelated:
Below, a video about Flusquare - an interesting mash-up between Foursquare and CDC flu reports. Foursquare integration lets the app determine where you went when you were contagious! This little app hints at the potential of consumer geolocation technologies for the future.

The data is public and as far as I know legal to aggregate. So, aside from self-promotion, what's the fuss about? (Or do the Senators have something they want to hide?)
"Social Intelligence Corp's online employment screening service, which preserves users' social media profiles and other data for use by potential employers, infringes on consumers' privacy and could be a violation of the law according to Senators Richard Blumenthal (D-CT) and Al Franken (D-MN). The Senators wrote to Social Intelligence Corp on Monday demanding answers to a host of questions about the service and how it collects data."
[From the article:
The firm says it looks for publicly posted content that is racially insensitive, sexually explicit, or demonstrates clearly illegal activity. Flagrant displays of weaponry are also flagged. Content limited only to users' friends is not included in the searches.
… The letter also suggests that Social Intelligence's practice of taking screenshots of social media profiles and pictures may violate the sites' terms of service.
"More troubling than the apparent disregard of these websites’ terms of service are what appear to be significant violations of users’ intellectual property rights to control the use of the content that your company collects and sells," the letter states, noting that pictures taken from sites like Flickr and Picasa are often licensed by the owner for a narrow set of uses.

Politicians without paper?
"The British government is examining whether it could save money by getting rid of its printers and giving civil servants free iPads instead. The head of the UK government skunkworks told that if he got rid of all of a major government department's printers and gave staff iPads, the savings on printing costs would pay for the tablets in less than 18 months. The UK parliament has already let tablets into the debating chamber, with politicians already starting to choose to use tablets rather than bundles of papers in debates."

For my Ethical Hackers...
How To Change The Apple ID On Your iPod Touch/iPhone

For my Math students
Desmos, a free online graphing calculator that I reviewed in June, recently added a handful of new options that should be appealing to mathematics instructors and students. The new features enable better handling of strict inequalities, polar inequalities, internalization, slider bars, and graph tracing. The video below provides an overview of the Desmos graphing calculator.

“I know it's here somewhere...”
Figure Out Folder Contents With Better Directory Analyzer
Better Directory Analyzer, which I will from now on call BDA, is a simple freeware program that scans through the contents of any selected folder and spits out more information about it than you thought was possible. All scanned files can be sorted in a handful of different ways, which helps you quickly find certain files that you may be looking for. So how is this helpful compared to Windows Search?
Although Windows XP's version of Windows Search actually packed more of a punch, Windows 7's version only lets you search by filename, file size, and date modified (without using hidden operators). Windows 7 users can benefit the most from BDA, as there are many different parameters by which to search and select files.

Worth a look?
3 Light & Simple Ways To Take Screenshots In A Snap

A word to the wise...
Transfer Your Bookmarks By September 23 Or Lose Them [News]

Monday, September 19, 2011

This could be serious both in potential information loss but also in reputation.
Missile maker sees network hacked
The Reuters news agency said Japanese newspaper Yomiuri reported that information from Mitsubishi's computer system was stolen in the attack. A representative of the company confirmed the attack, Reuters reported, but said the company was still looking into whether any data had been taken.
The Yomiuri report said about 80 infected computers were found at Mitsubishi headquarters in Tokyo and various facilities in other areas of Japan, according to Reuters.

Increasing SPAM results in increased numbers of compromised systems. The question is: What will they be used for?
The unknown explosion of malicious email attachments
Commtouch, the original equipment manufacturer (OEM) for many security vendors dealing with anti-Spam and anti-Malware protections, discovered a massive jump in malicious email attachments last month. Beyond concerns regarding extra volume, the problem is no one seems to know why there was a sudden spike.
Since August, someone unknown - perhaps a group - has been targeting millions of systems worldwide with email containing malicious attachments. However, this isn’t the typical type of Spam, this is direct malware distribution on a mass scale resulting in abnormally high levels of malicious messages.
The pattern has been seen before: Fake messages with malicious attachments alleged to contain details on UPS and FedEx deliveries, credit card charge errors, and so on. Since the fall of the Rustock botnet, Spam levels across the globe have fallen, but, despite that, the volume of malicious email attachments has skyrocketed.
In August, Commtouch’s monitoring points noticed an average of a few hundred million to two billion malicious messages per day. On August 8, that number exploded to 25 billion Malware-laced emails.
“A review of several end-user forums reveals that the email campaigns have been successful – with many users having opened the malware attachments. The infection rate is generally linear – the more malware is emailed, the greater the final number of infections.
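The two things a mail security team would want from the Commtouch observations are a way to notice the jump in attachment volume automatically and a way to triage the lure themes the article names (delivery notices, credit card charge errors) when they arrive with an attachment. The following is an added example written for this post, not Commtouch's tooling or data: the daily counts are constructed to resemble the quoted figures but are not real telemetry, and the sample messages are made up.

```python
"""Spike detection on malicious-attachment volume plus lure-theme triage (added example)."""
import re
import statistics
from collections import Counter

# Constructed daily counts of malware-laced messages, in millions, shaped after the
# "few hundred million to two billion, then 25 billion on August 8" figures in the article.
DAILY_MALWARE_MESSAGES_M = {
    "2011-08-01": 400, "2011-08-02": 900, "2011-08-03": 600, "2011-08-04": 1500,
    "2011-08-05": 2000, "2011-08-06": 800, "2011-08-07": 1200, "2011-08-08": 25000,
    "2011-08-09": 3000, "2011-08-10": 1000,
}


def spike_days(series: dict[str, float], factor: float = 5.0, window: int = 7):
    """Flag days whose volume is at least `factor` times the median of the preceding days.

    A median baseline is used rather than a mean so that one huge day does not
    immediately raise the baseline and hide the days that follow it.
    """
    dates = sorted(series)
    flagged = []
    for i, day in enumerate(dates):
        if i < 3:                       # need a few days before a baseline means anything
            continue
        baseline = statistics.median(series[d] for d in dates[max(0, i - window):i])
        if baseline > 0 and series[day] >= factor * baseline:
            flagged.append((day, round(series[day] / baseline, 1)))
    return flagged


# Lure themes named in the article, as simple keyword patterns (assumption: these are
# enough for illustration; a production filter would use far richer features).
LURE_THEMES = {
    "delivery": re.compile(r"\b(ups|fedex|dhl|usps|parcel|shipment|delivery)\b", re.I),
    "billing":  re.compile(r"\b(credit card|invoice|charge|payment|transaction)\b", re.I),
}
# Attachment types that commonly carry or wrap executables in these campaigns.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".js", ".vbs", ".zip", ".rar"}


def triage(subject: str, attachment: str) -> dict:
    """Classify one message by lure theme and attachment risk; returns a verdict."""
    theme = next((name for name, pat in LURE_THEMES.items() if pat.search(subject)), None)
    ext = attachment[attachment.rfind("."):].lower() if "." in attachment else ""
    risky = ext in RISKY_EXTENSIONS
    if theme and risky:
        verdict = "quarantine"     # known lure theme plus executable-bearing attachment
    elif risky:
        verdict = "review"         # risky attachment type, no recognised lure
    else:
        verdict = "deliver"
    return {"subject": subject, "theme": theme, "risky_attachment": risky, "verdict": verdict}


# Constructed sample messages (subject, attachment file name); none are real.
SAMPLE_MESSAGES = [
    ("UPS: your parcel could not be delivered", "UPS_label_0811.zip"),
    ("Credit card charge error - please confirm", "statement.exe"),
    ("Q3 planning notes", "notes.pdf"),
    ("Lunch menu", "menu.zip"),
]


def summarize(messages=SAMPLE_MESSAGES) -> Counter:
    """Count verdicts over a batch of messages."""
    return Counter(triage(s, a)["verdict"] for s, a in messages)


if __name__ == "__main__":
    print("spike days:", spike_days(DAILY_MALWARE_MESSAGES_M))
    for s, a in SAMPLE_MESSAGES:
        print(triage(s, a))
    print(summarize())
```

The volume check reports only the August 8 day, roughly 28 times its trailing median, while the days after it are not flagged because the median baseline ignores the single outlier. The triage step separates "delivery lure with a zip" (quarantine) from "unrecognised subject with a zip" (review), which is the distinction a mail gateway needs when, as the article says, the spike is not ordinary spam but mass malware distribution.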

“Them pesky illegal immigrants are a problem. Let's make everyone who is not illegal prove it!”
E-Verify: De Facto national ID and the end of privacy
September 19, 2011 by Dissent
John Whitehead has this editorial in Desoto Times Tribune:
As technology grows more sophisticated and the American government and its corporate allies further refine their methods of keeping tabs on citizens, those of us who treasure privacy increasingly find ourselves engaged in a struggle to maintain our freedoms in the midst of the modern surveillance state.
The latest attack on our right to anonymity and privacy comes stealthily packaged in the form of so-called job protection legislation. Introduced by House Judiciary Committee Chairman Lamar Smith (R-Texas) in June 2011, H.R. 2885 (formerly H.R. 2164), the “Legal Workforce Act,” is being marketed as a way to fight illegal immigration and “open up millions of jobs for unemployed Americans and legal immigrants.” [Sure. Bob] However, this proposed federal law is really little more than a Trojan horse, a backdoor attempt by the powers-that-be to inflict a de facto National ID card on the American people.
Read more on Desoto Times Tribune.

(Related) Another way to identify individuals in the herd?
Massive Biometric Project Gives Millions of Indians an ID
Kiran has never touched or even seen a real computer, let alone an iris scanner. She thinks she’s 32, but she’s not sure exactly when she was born. Kiran has no birth certificate, or ID of any kind for that matter—no driver’s license, no voting card, nothing at all to document her existence.
… Now, for the first time, her government is taking note of her. Kiran and her children are having their personal information recorded in an official database—not just any official database, but one of the biggest the world has ever seen. They are the latest among millions of enrollees in India’s Unique Identification project, also known as Aadhaar, which means “the foundation” in several Indian languages. Its goal is to issue identification numbers linked to the fingerprints and iris scans of every single person in India.

This will be important for Windows 8, which assumes touchscreens are everywhere...
"Open up a cardboard tube, roll out a transparent film just millimeters thick, apply it on a flat object and *tada* you've got an interactive touch surface. Cambridge-based Visual Planet just launched its new massive-sized multitouch thin film drivers so you can create touchscreens from 30 to 167 inches in size! Their touchfoil is a transparent nanowire embedded polymer capable of sensing the touch of a finger, or even pressure from wind and translating that to a computer interface. It works on glass, wood, and other non-conductive surfaces."

Interesting, but not enough to drag us out of the recession...
Study: Facebook ‘App Economy’ Adds Over 200K Jobs, Contributes More Than $15B To The U.S. Economy
Although the U.S. employment and jobs economic outlook is bleak, a new study released today reports that Facebook is creating a thriving economy around its social network. According to new research from University of Maryland, the Facebook App Economy has added at least 182,000 new jobs and contributed more than $12.19 billion in wages and benefits to the U.S. economy this year. Using more aggressive estimates, the Facebook App Economy created a total of 235,644 jobs, adding a value of $15.71 billion to the U.S. economy in 2011.
… As we’ve written in the past, 2.5 million websites have integrated with Facebook, and Facebook users install 20 million apps every day. Every month, more than 250 million people engage with Facebook on external websites. Especially with the viral growth of gaming apps, as well as the use of the ‘Like’ button used by brands, more and more developers are building off the Facebook platform to tap into the network’s 700 million-plus userbase.

Sunday, September 18, 2011

Wouldn't it be simpler and safer to “presume guilt?” This will definitely go bad at some point (HIV Positive “suspect,” needles, thrashing around)
WY: Police take first forced blood draw
September 17, 2011 by Dissent
Lindsey Erin Kroskob reports:
Cheyenne police are believed to be the first in the state to forcibly take a person’s blood via court order under the state’s new DUI law.
Statutes changed July 1, allowing officers to obtain a search warrant to take a suspected intoxicated driver’s blood if he or she refuses to willingly provide a sample.
Prior to the change, warrants were only obtained for individuals involved in crashes with serious injury or fatality.
“Usually, once we have the warrant they go ahead and cooperate with the blood draw,” Chief Brian Kozak said. “This is the first individual who refused to cooperate and had to be restrained.”
Read more on Wyoming Tribune Eagle.

(Related) Blood isn't just alcohol levels...
By Dissent, September 17, 2011
@Bainesy1969 has a thought-provoking blog entry on the retention of DNA samples vs. DNA profiles in the UK and what EU law requires. He begins:
On 26 July 2011 The Telegraph reported that “Innocent people’s DNA profiles won’t be deleted after all, minister admits”. It said that
“police will retain DNA profiles in anonymised form, leaving open the possibility of connecting them up with people’s names, ministers have admitted”.
In S and Marper v United Kingdom [2008] ECHR 1581 the European Court of Human Rights held that indefinite retention by the police of fingerprints and DNA samples of two people who had been arrested but not convicted of criminal offences was a breach of their rights under Article 8 of the European Convention on Human Rights (overturning a decision upheld at each instance in the English courts).
The Protection of Freedoms Bill proposes, accordingly, to amend the Police and Criminal Evidence Act 1984 (“PACE”) so that – broadly - a lawfully taken DNA sample (and fingerprints) must be destroyed after three (or in some cases five) years if the suspect has not been convicted of an offence to which the sample relates

I have seen many similar articles, but still have no idea what the tactical objective is. How will the computer be used to improve what subject area(s)? How will they measure the results? Will they train the teachers or just say, “Make this work!” (By the way: $200,000 / 250 students = $800 per student. Minus the $475 for the iPad that leaves $375 for the case. Must be some case!)
"'An Auburn, ME school district spent more than $200,000 to outfit every one of its 250 kindergartners with [iPads], along with sturdy cases to protect them. School officials say they are the first public school district in the country to give every kindergartner an iPad. Mrs. McCarthy says the tools give her 19 students more immediate feedback and individual attention than she ever could.' [Feedback at what level? I doubt they will even be able to Google (unless Maine kids read and write better than average). Bob] Will this improve low test scores, or be another case where spending more money does not produce a better educational outcome?"

Geeky tools...
NetbootCD: Install Ubuntu, Fedora, Debian & More From One CD [Linux]
Tired of burning a new CD every time a new version of your favourite Linux distro comes out? Then stop. Use NetbootCD to download and install your choice of Ubuntu, Debian, Fedora, openSUSE, Mandriva, CentOS or Slackware from a single disk. This handy disk downloads and runs the net installation tools for several distros, and is always capable of finding the latest version of your Linux operating system. Burn this tool once and you’ll never need to burn a Linux distro to CD again.
Using NetbootCD isn’t necessarily easy. You’ll need to learn to use text-based installers instead of the GUI versions found on live CDs. To me though, this is a small price to pay to contain my steadily-growing pile of Linux CDs.
First things first, you’ll need to download NetbootCD and burn the ISO to CD.
… If you like not to waste CDs but still use GUI installation tools, I suggest you check out Unetbootin or Linux Live USB Creator. Both of these tools make it possible to boot Linux from a USB drive or an SD card.