Saturday, October 01, 2011


“Everyone has the right to an opinion, just as I have the right to laugh at the really stupid ones.” Bob Anonymous
On Newspapers, Public Discourse, and the Right to Remain Anonymous
October 1, 2011 by Dissent
Over on EFF, Jillian York and Trevor Timm respond to an editorial in the Washington Times:
In a recent Washington Times editorial titled “Internet trolls, Anonymity and the First Amendment,” Gayle Falkenthal declared that “the time has come to limit the ability of people to remain anonymous” online. She argued that any benefit to online pseudonyms has long since dissipated and anonymous commenters have polluted the Internet “with false accusations and name-calling attacks.” Newspapers, she wrote, should ban them entirely.
This argument is not only inaccurate, it’s also dangerous.
Read more on EFF.


Ubiquitous surveillance. Now you can track terrorists (or stalk your ex-girlfriend) just as easily as the CIA, FBI, TSA, m-o-u-s-e...
How To Use A GPS Enabled Smartphone As A Tracking Device


This is not very amusing. It suggests a “test” for malware that does not include a process for identifying valid and unmodified applications. What would happen if a Payroll system or nuclear reactor alarm system was “accidentally deleted?”
Microsoft Anti-Malware Tool Mistakenly Snuffs Google Chrome
Microsoft’s Security Essentials anti-malware tool has mistakenly identified Google Chrome as a password-pilfering trojan — and actually removed the browser from many users’ machines — but a fix for this rather amusing false positive is now available.
… Google declined to comment on the matter Friday morning, but a company spokesperson has since pointed us to a blog post where the company says that over the next 24 hours, it will release an update that will automatically repair Chrome for those affected by Microsoft’s false positive.


I like my statistics to fit on a normal curve. Some of these seem to curve into the 9th dimension...
Hitwise: Singaporeans Spend The Most Time On Facebook Per Session
Hitwise just published a new study examining how much time people living in different countries spend on Facebook. Singaporeans actually spend the longest on the social network, with an average of 38 minutes and 46 seconds per session, while people living in Brazil spend less than half that with an average of 18 minutes and 19 seconds per Facebook session for August 2011.
… Facebook was the most visited Social Networking site in the US in August 2011 receiving 91% of visits among the sites followed by Twitter with 1.92% of visits. Tagged.com ranked 3rd for the first time, passing MySpace.com with 1.04% of US Internet visits.
The fastest growing country in terms of visits is India, which saw an increase in market share of 88% in August 2011 compared to August 2010. The US also experienced a market share increase from Facebook of 5% year on year.
It’s no surprise that Facebook is seeing major growth internationally and in the U.S. Mark Zuckerberg just revealed that as many as 500 million members have used Facebook in a given day, which is a milestone for the network. [and here I thought there were only about 300 million people in the US. Bob]


INFOGRAPHIC : Making The First Page Of Search Results
… Ever since Google burst onto the scene, it’s been a constant battle between them and Microsoft and Yahoo, each one constantly trying to outdo the other, in exchange for a bit more market share.
… And you have to wonder who will be the next bloodied casualty, especially with persistent reports that Microsoft’s Bing is losing a staggering $11 million a day.


For those who are actually paying for student textbooks...
Kindle Textbook Rental: Rent Textbooks On Kindle & Kindle Apps
… Amazon has a huge collection of textbooks in its catalog and it is now allowing students to rent them on Kindle devices and various Kindle apps for computers and mobile devices.
The books can be rented from 30 to 360 days, and can be converted to a purchase anytime during that period. Even if you don’t own a Kindle, you can read them on the Kindle app for PC, Mac, iPhone, etc.
Check out Kindle Textbook Rental @ www.amazon.com/gp/feature.html/?docId=1000702481

Friday, September 30, 2011


There's nothing like a little security breach to mess up your IPO...
Notification delayed is notification denied? Betfair admits data hack… after 18 months
September 30, 2011 by admin
Nicole Kobie reports:
Gambling website Betfair has admitted its systems were attacked 18 months ago, but says it didn’t warn customers on the advice of UK police.
The gambling company was hacked in March 2010, according to a report leaked to The Telegraph, but Betfair didn’t notice the attack until six days later.
The report said card details of most of Betfair’s users were taken, as well as 3.15 million account names with associated security access questions, 2.9 million account names with addresses, and 89,744 sets of bank account details. The report into the attack was apparently dated at the end of September 2010, just days after Betfair had announced its IPO.
Read more on PC Pro. The company’s explanation for not notifying/disclosing was three-fold, it seems: SOCA advised them not to, they say, their security made the data unusable, and they were able to recover it all intact.
For additional coverage see Alistair Osborne’s report on The Telegraph.
[From the Telegraph article:
… a report into the crime by London-based consultants Information Risk Management lambasted Betfair for the inadequacy of its systems security.
"Information security was not implemented in accordance with best practice," the report said, adding: "Appropriate information security governance is not in place within Betfair and as a consequence the business has been exposed to significant risks."
… Because of our security measures, the data was unusable for fraudulent activity … [Interesting phrasing. What was it usable for? Bob]


Follow-up. Apparently not a concept they are familiar with...
By Dissent, September 30, 2011
Sig Christenson has the confirmation for my hunch that the SAIC breach involved theft and not just loss of the backup tapes:
Science Applications International Corp., a Pentagon contractor, said Thursday the worker had been given the job of taking the tapes from one federal facility to another when they were stolen.
A San Antonio police report said the tapes containing the sensitive information, including diagnoses and treatment information on beneficiaries in the Defense Department’s Tricare program, were left in the car for most of the day.
[...]
Police said the car was parked at 300 Convent from 7:53 a.m. to 4:30 p.m. Sept. 13. A stereo system valued at $300 was taken from the worker’s 2003 Honda Civic, as was a GPS device and the backup tapes. The worker valued the data tapes at $100.
Read more on MySanAntonio.com.
As I indicated previously, this appears to be the second report of stolen backup tapes from SAIC since June 2010. Despite the losses, the firm continues to earn huge contracts with the government.
[From the article:
They were being relocated in hopes of finding a way to encrypt the data so the tapes could work with an operating system, Guidry said. The system used to back up information on the tapes could not encrypt data to federal standards.
Guidry didn't say if the worker violated a company rule in leaving the tapes in his car, but conceded “if they weren't in the car, they wouldn't be stolen.” But he said there was no evidence so far that “the data has been accessed by unauthorized persons.”


It's a shame that this concept doesn't translate well from the Canadian...
Ca: Lawful access would trample rights
September 30, 2011 by Dissent
Craig McInnes has some nice reporting on the controversy over lawful access in Canada and legislative proposals:
B.C.’s Information and Privacy Commissioner is worried that Canadians don’t really understand what is at stake.
“I see lawful access as one of those fundamental tipping points,” Elizabeth Denham said in a telephone interview this week.
“If you are setting up private sector in a way that will provide easier access to the police, that’s shifting our fundamental outlook about privacy and civil rights protections of constitutional rights.”
Under the proposed changes, if police want to know what people are saying on the Internet, they will still need to get a warrant. But Internet providers would be required to turn over on request information that includes subscribers’ names and addresses, phone numbers, email addresses and even their ISP addresses and information about the kind of machines and software they are using.
“These appear to be minor pieces of personal information but they are personal information and it’s a slippery slope to give them up without judicial oversight,” Denham says.
Read more on Vancouver Sun.


For my Ethical Hackers...
"Earlier this week, Microsoft released an announcement about the disruption of the Kelihos botnet that was responsible for spam messages, theft of sensitive financial information, pump-and-dump stock scams and distributed denial-of-service attacks. The botnet had a complex, multi-tiered architecture as well as a custom communication protocol and three-level encryption. Kaspersky Lab researchers did the heavy lifting, reversing the protocol and cracking the encryption and then sink-holing the botnet. The company worked closely with Microsoft's Digital Crimes Unit (DCU), sharing the relevant information and providing them with access to our live botnet tracking system."


It might be fun to explore some “what could possibly go wrong” scenarios with a bunch of lawyers. For example, could a change of privacy policy be a form of “bait & switch?”
Class Action Lawsuit Targets Pandora
September 29, 2011 by Dissent
Eriq Gardner reports:
Pandora, the web service that allows users to customize radio stations based on listening preferences, is facing a class action lawsuit in Michigan.
Peter Deacon, a Michigan resident, is leading the lawsuit with claims that Pandora is breaching customer privacy by making users’ profile pages, including favorite songs and listener history, publicly available and searchable online. Additionally, the class action asserts that Pandora is violating privacy by integrating users’ listening records with their Facebook accounts.
The openness is claimed to be a violation of Michigan’s Video Rental Privacy Act and Consumer Protection Act. The plaintiffs are demanding statutory damages of $5,000 per person.
Read more on Hollywood Reporter.
When are businesses going to learn that some users really really really don’t like you taking their data and posting it to Facebook without their explicit consent? And that changing your privacy policy may be legal but it’s not smart if you apply it to existing accounts without actually contacting users or customers to alert them and give them a chance to opt out or delete their accounts?


Nothing helps to fund NASA (any scientific endeavor actually) more than someone else doing well. This is unlikely to create the same level of response as Sputnik, but at least we have something to point to when we say “We gotta do something!”
China Takes First Steps Toward A Space Station, Launches Tiangong 1
As NASA’s steps get smaller, China’s space program is making big leaps with plans to have a manned space station in orbit by 2020.


Geeky stuff...
Canonical Releases Windows Version of Ubuntu One
Canonical, the commercial backer behind the Ubuntu Linux distribution, have been hosting a file synchronization service called Ubuntu One for a couple years now. A free account gets you 5GB of storage, and the client side controls have been baked into the last couple of releases of the Ubuntu distribution. It works pretty much like Dropbox or similar services, but has been — until today — Linux-only.
In an announcement late last night, Canonical has revealed that there is now a Windows client for Ubuntu One, allowing you to access all your files from either Linux or Windows computers.


Really interesting rumor. But, what would they do with it?
Rumour: Amazon eyeing smartphone sector via Palm acquisition


Stay current!
Jargon Watch: Flytilla, Botcloud, Dot-Brand
Botcloud n. A botnet comprised of hundreds or thousands of virtual computers leased from a cloud computing provider like Amazon.com for nefarious purposes. It allows hackers to avoid the risk and hassle of commandeering PCs to spread a virus.
Dot-brand n. A top-level domain consisting of a company name, like .pepsi or .ibm. Companies and organizations can apply for one for $185,000, a promotional opportunity that some interest groups—compelled to pay to protect their trademarks—consider extortionary.


Once again, Dilbert to the rescue. Here he demonstrates how to avoid malware on Flash Drives!

Thursday, September 29, 2011


Big, but not a record. Another case of backups being lost (or perhaps stolen?)
By Dissent, September 29, 2011
TRICARE, the health care program serving Uniformed Service members, retirees and their families worldwide, issued the following public statement on their web site:
STATEMENT
On September 14, 2011, Science Applications International Corporation (SAIC) reported a data breach involving personally identifiable and protected health information (PII/PHI) impacting an estimated 4.9 million military clinic and hospital patients. The information was contained on backup tapes from an electronic health care record used in the military health system (MHS) to capture patient data from 1992 through September 7, 2011, and may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. There is no financial data, such as credit card or bank account information, on the backup tapes.
Notice that they haven’t told us the nature of the breach, but Sig Christenson of MySanAntonio.com reports that a SAIC spokesperson indicated the breach “consisted of the loss of storage media, not an electronic breach. There was a loss of magnetic storage media.”
“Loss” as in, “we lost it” or as in “loss due to theft?” It would be nice to have some clarification on that. The fact that it was reported to the police as soon as the loss was discovered leads me to think this may have involved theft, but we’ll find out eventually.
SAIC has been involved in previous breaches affecting large numbers of individuals. Some breach-related news on SAIC prior to 2009 can be found on archive.pogowasright.org while a 2010 incident involving stolen backup tapes was reported to the Maryland Attorney General’s Office.


Apparently neither backup nor portable drives were addressed in their security policy. Perhaps they never created a backup last November? Perhaps they used an employee's drive and he took it home? Perhaps they are totally out of control?
By Dissent, September 28, 2011
Sandra Davis reports:
A new policy regulating the storage of electronic personal health information will be in place within the next two weeks as a result of the disappearance of a USB memory stick last November at the Saint John Regional Hospital.
The memory stick contained personal patient information, including Medicare numbers, of about 1,500 patients of a hospital pediatric endocrinologist over the past six years, Nancy Lindsay, chief privacy officer for Horizon Health, confirmed Tuesday.
Lindsay said she was made aware that the memory stick – used as backup to the main system – was missing on Aug. 8, after extensive searching failed to locate it.
“We don’t have the sense that it was stolen,” Lindsay said.
“They think it has been accidentally misplaced.”
Affected patients were notified via letter earlier this month.
Read more on Telegraph-Journal.
So patients first got notified 10 months after the drive went missing? That’s definitely unacceptable.


Is the fact that they didn't “intentionally disclose” the information sufficient to protect them? There is no requirement to “adequately” or even “reasonably” protect the data? Wow, dumb law.
Sony did not breach Australian Privacy law, says Privacy Commissioner Timothy Pilgrim
September 29, 2011 by admin
Chris Griffith reports:
SONY Computer Entertainment Australia did not breach the Privacy Act when it fell victim to a cyber-attack, Privacy Commissioner Timothy Pilgrim has found.
In a report released this afternoon, Mr Pilgrim found “no evidence that Sony intentionally disclosed any personal information to a third party”.
“Rather, its Network Platform was hacked into,” he said.
[...]
While the Privacy Commissioner found no breach of the Privacy Act by SCE Australia, he was concerned about the time that elapsed between Sony becoming aware of the incident and notifying customers and the Office of the Australian Information Commissioner.
Read more on The Australian. You can find the Office of the Australian Information Commissioner’s report on the OAIC site.


This is one of those long, boring self-congratulatory press releases that seem mandatory after any trivial success, but it raises a few questions. Was this a security breach? If so, why not report it? Why make a (very poor) attempt to hide the name of the breached firm?
By Dissent, September 28, 2011
Eric McNeal, 37, of Atlanta, Georgia, pleaded guilty today in federal district court to intentionally accessing a protected computer of a competing perinatal medical practice without authorization.
United States Attorney Sally Quillian Yates said, “The citizens of our community should expect that their confidential patient information is just that—confidential—and that it will not be hacked and used for direct-mail marketing purposes. This criminal misuse of sensitive personal information resulted in a federal felony conviction for this defendant, which should serve as a warning for anyone else considering such hacking.”
… According to United States Attorney Yates, the charges, and other information presented in court: McNeal worked as an information technology specialist for “A.P.A.,” a perinatal medical practice in Atlanta. He separated from employment with A.P.A. in November 2009, and subsequently joined a competing perinatal medical practice, which was located in the same building as A.P.A. In April 2010, McNeal used his home computer to hack into A.P.A.’s patient database without authorization. He downloaded the names, telephone numbers, and addresses of A.P.A.’s patients, and then “wiped” A.P.A.’s database, deleting all the patient information from A.P.A.’s system.
McNeal subsequently used the patient names and contact information to facilitate a direct-mail marketing campaign for the benefit of his new employer. There is no evidence that he downloaded or misused specific patient medical information.
McNeal was charged in a criminal information on September 16, 2011, and pleaded guilty to its count of intentionally accessing a protected computer without authorization. He could receive a maximum sentence of five years in prison and a fine of up to $250,000.
SOURCE: U.S. Attorney’s Office, Northern District of Georgia
So how was McNeal able to access his former employer’s database after his employment terminated? Did he still have a working password/login?
Although court documents refer to McNeal’s previous employer as “A.P.A.,” a simple Google search reveals that at one time, he had listed himself as Vice President of Operations at Atlanta Perinatal Associates. His subsequent employer, listed as “S.B.” in court documents, is revealed by a Google search as SeeBaby, where McNeal’s position was listed as Office Manager. Both APA and SeeBaby are in the same building on Peachtree St. Northeast in Atlanta.
There is no breach listing in HHS’s breach tool for this incident, so it is not clear to me whether less than 500 patients were involved or if APA did not report the incident. Nor is it clear whether APA ever notified its patients of the breach. I’ve sent APA an inquiry about the incident and will update this entry if/when I hear back from them.


Guilty (of focusing on just one facet of the problem)
Privacy legal fights should focus on intrusion, not hurt feelings
September 28, 2011 by Dissent
Jessica Martin writes:
Privacy lawsuits in the United States usually seek damages for revealing embarrassing but true facts by the media — the so-called “disclosure tort” — but this is a “poor vehicle for grappling with the problems of privacy and reputation in the digital age,” says Neil M. Richards, JD, privacy law expert and professor at Washington University in St. Louis School of Law.
“The disclosure tort has never really worked successfully,” he says.
“It’s largely unconstitutional. The problem with suing the press for publishing the truth is that it’s their job. And the government can’t be in the business of telling the press what’s in the public interest and what’s private.”


As long as we're considering new angles on Privacy, perhaps we should consider how anyone subject to FOIA or SEC restrictions or any other record retention requirements can use “personal” communications technologies.
Does Gove’s webmail policy breach Data Protection Act too?
September 29, 2011 by Dissent
Amberhawk Training writes:
Does the use of Gmail or Hotmail by a Minister’s Private Office (in order to evade Freedom of Information (FOI) obligations) also lead to breaches in the Data Protection Act? Well, I can see how this could be the case.
The press has raised this issue only in the context of FOI. Yesterday’s Sunday Times, for example, noted that the allegations facing Michael Gove and his special adviser, Dominic Cummings, were that by using personal email accounts, they were assuming that any requested information could not be held by a public authority and therefore not subject to a FOI regime.
Read more on The Register for their analysis of the situation and whether the private email accounts, even if exempt under FOI, fall under the Data Protection Act and would impose certain obligations on them.


Imagine that!
If you didn’t watch Mark Zuckerberg’s Facebook announcements last week — and of course the vast majority of Facebook users did not — you may be in for a surprise.
… Facebook is making sharing even easier by automatically sharing what you’re doing on Facebook-connected apps. Instead of having to “Like” something to share it, you’ll just need to click “Add to Timeline” on any website or app, and that app will have permission to share your activity with your Facebook friends.
What activity, you ask? It could be the news articles you read online, the videos you watch, the photos you view, the music you listen to, or any other action within the site or app. Facebook calls this auto-sharing “Gestures.”
Can you see the possible issue here?

(Related) Is Facebook about to confront problems of their own making?
Reddit users overwhelm Facebook with data requests
September 28, 2011 by Dissent
The floodgates have already opened, it seems. Emil Protalinski reports:
Reddit users have flooded Facebook with personal data requests via the service’s official form. This appears to have overwhelmed Facebook’s Data Access Request Team, forcing the group to send out e-mails telling users there will be a significant delay.
It all started with a Reddit submission titled “How to annoy Facebook” by Reddit user realbigfatty.
Read more on ZDNet. (h/t, @moniquealtheim)
I was interested to read the following on Kashmir Hill’s blog yesterday:
(What I was surprised not to see here was a list of the things that L.B. had looked at and/or clicked, such as other peoples’ profile pages, photos, or status updates. As we have seen before, that is something Facebook knows about its users.)
If Facebook does retain that information, shouldn’t it have been provided in response to the access request? And if they have withheld data they collected, then that sets up an interesting complaint/investigation under Ireland’s data protection laws, doesn’t it? And what will the DPC do if Facebook fails to comply with the 40-day response requirement of law?


Perhaps a project for my Ethical Hackers?
"American court judges need to learn science. That's the message from the National Academies and the National Research Council, which today released the first new edition in 11 years of the Reference Manual of Scientific Evidence. It has new chapters about forensic science, mental health, and neuroscience, but unfortunately nothing about computer science. The manual is available as a free download and it's also online."


Sometimes jokes become law and often laws are jokes... Didn't Will Rogers say something like that?
Obama proposes letting the jobless sue for discrimination
Advocates for the unemployed have cheered a push by the Obama administration to ban discrimination against the jobless. But business groups and their allies are calling the effort unnecessary and counterproductive.
The job creation bill that President Obama sent to Congress earlier this month includes a provision that would allow unsuccessful job applicants to sue if they think a company of 15 or more employees denied them a job because they were unemployed.


Geek out, dude!
Try Out Windows 8 In VirtualBox Right Now For Free
All you need to do is download the free ISO file and set up VirtualBox properly.
… Just head to Microsoft’s free Windows 8 download page to get started. There’s no need to sign up, and the download links are direct. You’ll need to choose between the 32 and 64 bit versions of Windows 8.
… You’ll need to install VirtualBox next, which you can download here. It works on Windows, OS X and Linux computers. If you don’t know much about VirtualBox, here’s what you need to know. It allows you to run an entire operating system within the one you already have. Check out the MakeUseOf VirtualBox manual for more information.


These should work almost as well for non-teachers...
Wednesday, September 28, 2011


Local
By Dissent, September 27, 2011
A follow-up on a case reported previously on this blog by Erica Meltzer:
A nurse accused of improperly accessing patient records at numerous hospitals in the Denver metro area faces five counts of identity theft and 46 counts of theft of medical records in connection with his time at Boulder Community Hospital between May 2010 and January 2011.
Cannon Lamar Tubb, 31, worked for a now-defunct Denver nurse staffing agency that placed him as an intensive care unit nurse in numerous Centura Health facilities, the Platte Valley Medical Center and Boulder Community Hospital, according to court documents.
Read more on Daily Camera.


Fanatically local. Using a TSA wand to check body cavities has to hurt! Safer (and less painful) to sit in front of the TV. Looks like I won't be traveling to Green Bay.
Green Bay Packers to use TSA wands to check fans entering Lambeau Field starting with Sunday’s game against the Denver Broncos
September 27, 2011 by Dissent
More on a disturbing new policy of the NFL:
Lambeau Field may seem a lot like an airport beginning Sunday.
The Packers will use TSA hand-held wands to check fans entering Lambeau Field starting with the game against the Denver Broncos as part of the NFL’s enhanced security measures. Pat-downs also may be used for the process.
The procedure will use the same lines at entry gates, but fans should expect a longer wait to get into the stadium. That’s why the Packers organization is asking fans to arrive early to allow for extra time when entering the stadium.
“The enhanced security procedures at Lambeau Field recommended by the NFL will increase the safety of fans at our games,” said Doug Collins, Packers director of security/risk management.
Read more on htrnews.com


I wonder how many of these machines have been purchased and “couldn't possibly” be replaced before the next Presidential election. And what percentage of these districts vote for which party...
An anonymous reader tips news of a vulnerability discovered in the Diebold Accuvote voting system, which could be used to alter voting results without leaving evidence of tampering. Quoting Salon:
"[T]he Argonne team's attack required no modification, reprogramming, or even knowledge, of the voting machine's proprietary source code. ... The team's video demonstrates how inserting the inexpensive electronic device into the voting machine can offer a "bad guy" virtually complete control over the machine. A cheap remote control unit can enable access to the voting machine from up to half a mile away. ... The video shows three different types of attack, each demonstrating how the intrusion developed by the team allows them to take complete control of the Diebold touch-screen voting machine. They were able to demonstrate a similar attack on a DRE system made by Sequoia Voting Systems as well."


Apparently a “smiley face” is a legitimate (as in not automatically edited out) character in the FIU database. Also it is apparent that they do not monitor the database for security breaches or unusual activity.
Smiley Face Emoticon Triggers FIU Data Scare
September 27, 2011 by admin
Steve Litz reports:
Thousands of students at Florida International University are hoping their personal information is not used against them after being informed of a possible security breach of the university’s computer system.
An undergraduate education database containing 19,500 current and former students’ names, social security numbers, birth dates, and grade point averages was discovered to be unsecured when university officials found someone had typed a smiley face emoticon on the database’s internal website.
Students and alumni who took the College-Level Academic Skills Test and other standardized exams during a multi-year period were informed in letters that their personal details may have been “inappropriately accessed.”
Read more on NBC Miami.
This makes FIU’s fourth known incident. And of three previous incidents, an incident last year also involved a database that reportedly held 19,500 names, social security numbers, birth dates, and grade point averages.
So… was this the same database that was exposed last year?
And how many times does a university have to have a breach before they do a better job of protecting SSN? When, oh when, will we finally see the day when universities stop using SSN as identifiers and disconnect all legacy databases that still contain SSN from the internet?
[From the article:
"We do not know if someone actually took this data, downloaded the data, or is actually utilizing the data," said Robert Grillo, FIU's chief information officer.


Yesterday they told the Wall Street Journal that they did gather data after logout, after earlier denying that they did. Now they say they don't, except that their cookies do, but they don't talk to those cookies and anyway it's the users' fault!
Facebook addresses latest privacy concern over cookies
September 28, 2011 by Dissent
Richard Chirgwin follows up on the recent privacy flap over Facebook cookies tracking users who had logged out. Of note, Facebook sent The Register a statement, which says in relevant part:
Nik Cubrilovic provided us with additional information that allowed us to identify three cookies on some users’ computers that inadvertently included unique identifiers when the user had logged out of Facebook. However, we did not store these identifiers for logged out users. Therefore, we could not have used this information for tracking or any other purpose. Even though we weren’t using this information, it’s important to us that we address even potential issues, and we appreciate that Nik Cubrilovic brought it to our attention.
There was no security or privacy breach—Facebook did not store or use any information it should not have. Like every site on the internet that personalizes content and tries to provide a secure experience for users, we place cookies on the computer of the user.
Read more on The Register.
On Twitter, @Internetlock argues that Facebook did nothing wrong and nothing that other companies don’t do. The gist of the argument seems to be that users “should know” to clear cookies at the end of a browser session. As I replied, there are many things people “should know,” but companies still have a responsibility to inform them and be transparent about their practices. And in a litigious world, it is even more prudent for companies to be clear about their practices and to inform users of what users need to do.


For Data Mining and e-Discovery purposes...
Which Telecoms Store Your Data the Longest? Secret Memo Tells All
The nation’s major mobile-phone providers are keeping a treasure trove of sensitive data on their customers, according to newly-released Justice Department internal memo that for the first time reveals the data retention policies of America’s largest telecoms.
The single-page Department of Justice document, “Retention Periods of Major Cellular Service Providers,” (.pdf) is a guide for law enforcement agencies looking to get information — like customer IP addresses, call logs, text messages and web surfing habits – out of U.S. telecom companies, including AT&T, Sprint, T-Mobile and Verizon.


The most respected newspaper in the country did this? Wow, you'd think Rupert Murdoch owned them...
Wall Street Journal Revises its Privacy Policy
September 27, 2011 by Dissent
Julia Angwin reports:
The Wall Street Journal revised its website privacy policy on Tuesday to allow the site to connect personally identifiable information with Web browsing data without user consent.
Previously, the Journal’s privacy policy stated that it would obtain “express affirmative consent” to combine personal data with “click stream information” culled from the website.
Read more on WSJ.
While I am pleased to see the paper call attention to the change through its own reporting, it is disappointing that the same paper that gave us the “What They Know” series would take a backwards step on user consent. Rather than achieving consistency across sites by making this change, why not change the other sites to make them more privacy-oriented?

(Related)
Under Fire, OnStar Revises Plan To Continue Tracking Former Subscribers
September 27, 2011 by Dissent
Devin Coldewey reports more on the OnStar kerfuffle that got some Senators involved:
Faced with a flurry of criticism from users, sites like this one, and even Congress, OnStar has gone back on at least one of the changes.
OnStar announced today it is reversing its proposed Terms and Conditions policy changes and will not keep a data connection to customers’ vehicles after the OnStar service is canceled.
If OnStar ever offers the option of a data connection after cancellation, it would only be when a customer opted-in, Marshall said. And then OnStar would honor customers’ preferences about how data from that connection is treated.
Read more on TechCrunch. Kashmir Hill, who had diplomatically described OnStar’s original plan as “boneheaded” has more on the company’s new direction.


Consider that you no longer have a relationship with the owner of the local bookstore. Now your relationship is the “Property” of the local bookstore and they can sell it if they want to...
You can opt out of having your Borders’ data transferred to B&N, but you only have 15 days
September 27, 2011 by Dissent
Nick Brown reports:
A bankruptcy judge gave Borders Group Inc (BGPIQ.PK) the go-ahead to sell its customer information to former rival Barnes & Noble Inc (BKS.N) after both sides addressed concerns about customer privacy.
[...]
At a hearing on Thursday, Glenn voiced uncertainty about whether Borders’ customer privacy policy covered longer-standing customers and whether the sale would require customer consent. He held off on approving the deal until he could be sure state and federal regulators supported it.
The deal announced on Monday gives customers 15 days to opt out of the transfer by responding to an email that will be sent when the deal closes, Borders lawyer Andrew Glenn said at the hearing. A closing date is still uncertain, but the parties are working to close as quickly as possible, added Glenn, no relation to the judge.
Read more on Reuters.


Another interesting find by Gary Alexander. This is not the only tool – they are becoming increasingly common.
Desktop Encryption Moves to the Cloud
The most sensational stories about data loss tend to involve a government or corporate road warrior losing a laptop full of sensitive data while out of the office. Those stories are perhaps extreme examples of carelessness, but data loss is a real problem and can happen in any number of ways. Laplink recently introduced PC Lock, an all-new utility that encrypts files on a computer or laptop and even remotely protects computers if they're lost.
… For lawyers and other professionals handling sensitive data, encryption is an increasingly popular and necessary utility. According to the 2010 ABA Legal Technology Survey, 17 percent of those surveyed said that their firm had experienced a data breach. The survey also found that a quarter of legal professionals reported having encryption software in their firm, up from 18 percent the year before.


This is interesting as it addresses both “employee owned” computing and transfer of organizational data out of the traditional environment.
Zenprise Launches New Product To Lock Down iPhones And iPads In Enterprise
Mobile device management company Zenprise is today introducing its new enterprise-grade mobile DLP (Data Leakage Prevention) that aims to help I.T. departments with the growing “bring your own device” to work trend.
… The problem with I.T.’s lack of control over end user devices is that they’re starting to create a blind spot for companies with sensitive data. Executives are emailing themselves documents and viewing them on their iPads. Other times, they’re accessing them via an online storage service, instead of using traditional, albeit less glamorous, solutions like laptops that access the company’s SharePoint servers.


The “negotiated in secret” agreement...
We've been following the Anti-Counterfeiting Trade Agreement for over three years, from its secretive beginnings, to the controversy and debate that followed, and to the document it eventually evolved into. Now, Japan has announced that the agreement will finally be signed on Saturday during a ceremony that follows an anti-piracy symposium on Friday.
"The negotiation has been carried out among Australia, Canada, the European Union and its Member States, Japan, the Republic of Korea, Mexico, Morocco, New Zealand, Singapore, Switzerland, and the United States, and reached a general agreement at the negotiation meeting held in Japan in October 2010, followed by the completion of technical and translation work in April 2011. ... The signing ceremony will be attended by the representatives of all the participants in the ACTA negotiations, and those that have completed relevant domestic processes will sign the agreement. The agreement is open for signature until May 1, 2013."
[From the comments:
Mexican Senate has already voted to not let president sign ACTA, yet Mexican IP officials and the content industry local representatives frequently make public statements about Mexico signing ACTA.


This is strange. What do you suppose really happened?
"A year ago, Google sued the U.S. government because the government's request for proposals for a cloud project mandated Microsoft Office; Google felt, for obvious reasons, that this was discriminatory. Google has now withdrawn the suit, claiming that the Feds promised to update their policies (PDF) to allow Google to compete. The only problem is that the government claims it did no such thing."


The scope of the Cloud? Either “Wow, look how fast we are growing!” or “Wow, did we underestimate our requirements or what?”
Microsoft Builds Two-Headed Data Center in Feds’ Backyard
Microsoft will spend $150 million dollars building a second data center alongside its $499 million facility already under construction in southern Virginia — a move that underlines the software giant’s efforts to create a set of “cloud computing” services that compete with the likes of Google and Amazon.
… Governor Bob McDonnell announced Microsoft’s $150 million Virginia expansion on Friday, saying the company would add 21 megawatts of electric power capacity to the Boydton site.
… As Data Center Knowledge points out, the announcement may indicate that Microsoft needs more data center capacity in the short term than previously expected. Other outfits such as Google, Facebook, and Yahoo! will build multiple data centers on the same site, but typically, they will complete one before building more. Microsoft, it seems, is now building two Boydton facilities at once.


Another guide to Social Media...
September 27, 2011
Marine Corps Social Media Principles Manual


This seems strange. A bio of Steve Jobs, available only from one of his major competitors...
Fortune releases Kindle-only Steve Jobs biography

Tuesday, September 27, 2011


Google reminds us that it is 13 years old today. Would someone remind me what we did before Google?


Gathering intelligence (not just raw data) about you is important to advertisers.
Facebook: We do track logged-out users, but trust us
There are those for whom Facebook is a way of life.
They commit themselves to it because it's automatic and just so self-empowering.
Many would not have been concerned when, this weekend, a hacker called Nik Cubrilovic offered the interesting information that Facebook seemed to be sucking in data from even those users who have actually logged out.
Indeed, Cubrilovic claimed that even if you log out, Facebook "still knows and can track every page you visit," as its cookies burrow away in your laptop's entrails, consumed by the compulsion to share.
You might think Facebook immediately issued denials at this seemingly pickpocketish process. You might think that flies will only feast on foie gras.
For the company confirmed to the Wall Street Journal that, yes, indeed, Cubrilovic's information was accurate.
But, don't worry, Facebook reportedly said, trust us.

(Related) Golly gee willikers! What could be more fun than sending a data request to Facebook? Suing them – which is what we have to do in the US.
Get your Data! Make an Access Request at Facebook!
September 26, 2011 by Dissent
I would love to be a fly on the wall at Facebook if even 1/10 of their users all submitted such requests in the same time period:
According to European data protection law every individual has the right to get a copy of all personal data a company holds about him (right to access). This law is applicable to facebook too, since every European user has a contract with “Facebook Ireland Limited”, based in Dublin, Ireland.
Facebook has a well hidden page, where you can send them an access request.
Generally all nonusers have the same right to access data that Facebook might hold about them.
Read more on Europe vs. Facebook.


What must be secure and what must be made public? (anything in between those extremes?)
"Today Google and the Israel Museum have made the famed Dead Sea Scrolls available for online viewing. This is a great step forward for scholars and those curious about the oldest known copies of many biblical texts. But why has it taken nearly 50 years for the contents of this material to be made fully public? Blogger Kevin Fogarty thinks the saga of the scrolls since their discovery — along with the history of religious texts in general — is a good example of how people seek to gain power by hoarding information. In that regard, it holds some important lessons for the many modern debates about information security and control."


So, “public data” isn't public?
Fr: CNIL Cites French Yellow Pages Operator for Illegal Use of Social Media Data
September 26, 2011 by Dissent
Winston Maxwell writes:
France’s Data Protection Authority, the Commission Nationale de l’Informatique et des Libertés (CNIL) announced on September 23, 2011 that it had found the French provider of universal telephone directory services, “Pages Jaunes,” guilty of violating several provisions of the French data protection law. The CNIL did not fine Pages Jaunes, but published a detailed warning, listing each privacy violation that the CNIL had identified during its investigation of Pages Jaunes’s activities.
Read more on Hogan Lovells Chronicles of Data Protection. It’s interesting that CNIL flatly rejected Yellow Page’s claims that it could crawl social media sites and use the data because the TOS of those sites warned users that public profiles could be crawled.


If at first you don't succeed, sue, sue again! (Remember, it's not about winning.)
After a major copyright settlement case featuring The Expendables was found to be fatally flawed last month, United States Copyright Group and client Nu Image dropped the case. Now, sidestepping an uncooperative judge in Columbia, the team are hoping to get more joy from one of his counterparts in Maryland, but they still haven’t learned their lesson. Tests by TorrentFreak reveal that 98% of 4,165 potential defendants in the case are being sued in the wrong jurisdiction.


For my Ethical Hackers
"An Australian IT security company, Command Five Pty Ltd, has just released a detailed analysis (PDF) of the recent SK Communications hack in which the personal details of up to 35 million users were stolen. This new analysis gives details of the attackers' malicious infrastructure and contains as-yet unreported technical details of the malware used in the attack (including the fact that it has the capability to sniff raw network packets on infected machines). The report also identifies links with other malware and malicious infrastructure, demonstrating that the attack is likely to be part of a broader concerted effort by well organized attackers." [Criminals or a government intelligence service? Bob]


Data Mining and Data Analysis. Everyone should be doing this... But, “Real Time?” What would they be looking for that requires an immediate reaction? Is the economy that fragile?
Federal Reserve looking to monitor social media
The Federal Reserve Bank of New York (FRBNY) has invited companies specializing in sentiment analysis the chance to bid on a contract, which will allow the regional bank to monitor what people are saying about the Fed online. The solutions designed by hopeful vendors will need to track reactions and opinions expressed by the public in real time.


I'll worry when robots train robots at Robot U.
"For years, robots have been replacing workers in factories as technology has come to grips with high-volume, unskilled labor. An article in Slate makes the case that the robot workforce is poised to move into fields that require significantly more training and education. From the article: 'In the next decade, we'll see machines barge into areas of the economy that we'd never suspected possible — they'll be diagnosing your diseases, dispensing your medicine, handling your lawsuits, making fundamental scientific discoveries, and even writing stories just like this one. Economic theory holds that as these industries are revolutionized by technology, prices for their services will decline, and society as a whole will benefit. As I conducted my research, I found this argument convincing — robotic lawyers, for instance, will bring cheap legal services to the masses who can't afford lawyers today. But there's a dark side, too: Imagine you've spent three years in law school, two more years clerking, and the last decade trying to make partner — and now here comes a machine that can do much of your $400-per-hour job faster, and for a fraction of the cost. What do you do now?'" [Sue the bastards! Bob]

Monday, September 26, 2011


...extra points for Ethical Hackers!
Millions of student exams, tests and data exposed?
September 26, 2011 by admin
On September 19, Darren Pauli reported:
Multiple zero-day security vulnerabilities have been found in the world’s most popular educational software – holes that allow students to change grades and download unpublished exams, whilst allowing criminals to steal personal information.
Vulnerabilities in the Blackboard Learn platform have the potential to affect millions of school and university students and thousands of institutions around the world.
The platform is used by the United States military to train soldiers.
After several weeks of investigation by university IT managers, security professionals and SC Magazine, Blackboard Learn has acknowledged it is sending a security advisory to customers to address the issue.
Read more on CRN.
On September 22, Blackboard responded to the concerns on their blog. Jessica Finnefrock writes, in part:
So how does that finding contrast with some of the headlines you may have read? Put simply: although these issues are important, and we’re committed to fixing them quickly, most of them could only have a limited impact at the class level, do not seriously threaten the overall institution or system data, and – most importantly – there have been no client reports of exploitation of any of these vulnerabilities. [Did they know they should be testing? Bob] Most of the issues raised are common to lots of Web applications, not just Blackboard Learn. That doesn’t make them less important – but it is important to understand that their scope and potential impact are generally low.
What are the issues exactly? Most involve common attacks like phishing. To give you an example, a successful exploit would require an authenticated user with a valid login to create a malicious website and then create a link within Blackboard to that website. The user would need to convince another user to actively click on a suspicious link and provide their user credentials again. These issues do not involve actual system break-in or data vulnerabilities such as SQL injections.
What’s the risk? While the exploits could enable access to another user’s account, a successful attack is not highly probable, requires significant user intervention, and even then exposure would be limited to only functions which may be performed by the impacted user. These issues would not allow access to the entire system for grades or other system-wide information. The likelihood of an administrator account being compromised is low, and any attempted malicious actions would be logged and traceable.
Read more on Blackboard.


An easy but unverifiable conclusion. I would be much more concerned if a “Single point of failure” was being addressed...
Data Security: SK Communications Data Breach Due To “Cheap” Foreign Antivirus Software
September 25, 2011 by admin
Sang Lee provides a follow-up on the SK Communications hack that affected 35 million South Koreans, covered previously on this blog:
According to South Korean media, the Korean Committee on Culture, Sports, Tourism, Broadcasting & Communications released a report yesterday noting that, of the 50 or so antivirus software available in the Korean market, SK Comm used Norton from Symantec.
Per the articles covering the issue, the specific malware that caused the SK Comm breach was detected by five particular antivirus solutions. Norton was not part of that group of five. However, it appears that Norton is less expensive than some solutions that were tested.
This prompted the Committee to slam SK Comm for using “cheap” foreign antivirus software and accused it of being pennywise and pound foolish. And by slammed SK Comm I mean they brought in the CEO and told it to his face.
Read more on AlertBoot.


Every new technology is adopted with no thought of the lessons learned using earlier technologies. Therefore we always start with no security, no backups, no privacy, etc.
USA Today's Twitter account falls victim to hackers
The same group that hacked NBC News' Twitter account on September 9 and sent tweets about a bogus attack on Ground Zero apparently grabbed hold of USA Today's Twitter feed today and fired off a clutch of messages.
The taunting tweets from someone claiming to be The Script Kiddies asked if Twitter had the courage to suspend the group again and encouraged Twitter users to vote for the next account to be hacked.

(Related) Smartphones are much more than “phones”, but since we never secured phones, why bother securing smartphones?
How security is becoming a must-have on smartphones (Inside Apps)
When writing a weekly column about the apps business, it's easy to get caught up on the new opportunities, capabilities and trends emerging from this burgeoning area. It's equally easy, however, to forget that they come alongside new threats.
These threats, which include rogue apps that can swipe your personal data or steal passwords for your bank accounts, are real and they're growing.
A study conducted by security software provider McAfee found that the amount of malicious software, also known as malware, targeting Android had jumped 76 percent since the previous quarter, a remarkable rise in just three months. At the same time, Android had surpassed Symbian as the most often attacked mobile platform.

(Related) Think of this as a threat that many managers won't be able to match to a technology they are using!
From the man who discovered Stuxnet, dire warnings one year later
… Like the Hiroshima bomb, Stuxnet demonstrated for the first time a dangerous capability – in this case to hackers, cybercrime gangs, and new cyberweapons states, he says in an interview.
With Stuxnet as a "blueprint" downloadable from the Internet, he says, "any dumb hacker" [...and imagine what the good ones can do. Bob] can now figure out how to build and sell cyberweapons to any hacktivist or terrorist who wants "to put the lights out" in a US city or "release a toxic gas cloud."


This should cause a kerfuffle. Or perhaps those who drank the Kool-Aid just don't care?
Logging out of Facebook is not enough (Updated)
September 25, 2011 by Dissent
Nik Cubrilovic writes:
Dave Winer wrote a timely piece this morning about how Facebook is scaring him since the new API allows applications to post status items to your Facebook timeline without a users intervention. It is an extension of Facebook Instant and they call it frictionless sharing. The privacy concern here is that because you no longer have to explicitly opt-in to share an item, you may accidentally share a page or an event that you did not intend others to see.
The advice is to log out of Facebook. But logging out of Facebook only de-authorizes your browser from the web application, a number of cookies (including your account number) are still sent along to all requests to facebook.com. Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.
Read more on Nik Cubrilovic's blog and do note his update where he reports that he contacted Facebook a few times about this issue over the past year and got no response.
Is this a deceptive business practice under the FTC Act? Wouldn’t the average user believe that if they are logged out, their data are not being sent back to Facebook.com?
UPDATE: Facebook denies these allegations. See their statement to The Register.

(Related)
Facebook: ‘We don’t track logged-out users’
September 26, 2011 by Dissent
Richard Chirgwin reports:
Facebook has attempted to shoot down claims that it leaves cookies on users’ machines even after they log out of the social network. The response came after an Australian blogger alleged the site can still snoop on your web surfing after you’ve signed out. [See previous coverage on PogoWasRight.org here - Dissent]
[...]
However, Facebook doesn’t agree. Whether or not Cubrilovic’s claim that he notified Facebook without response during 2010 is accurate, he certainly got a hair-trigger response from Facebook this time.
In a comment on Cubrilovic’s blog, a Facebook engineer – identifying himself as staffer Gregg Stefancik – said that “our cookies aren’t used for tracking”, and that “most of the cookies you highlight have benign names and values”.
“Generally, unlike other major internet companies, we have no interest in tracking people,” [None? Bob] the insider added.
Read more on The Register.
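The mechanism behind both posts above (Cubrilovic's claim that logging out only de-authorizes the browser while identifier-bearing cookies keep being sent, and Facebook's reply that some cookies "inadvertently included unique identifiers" after logout) comes down to what a site's logout response does, or fails to do, with each cookie. The following is an added example, not code from the page, from Facebook, or from Cubrilovic: it models a browser cookie jar, shows a weak logout that expires only the session cookie next to a hardened one that expires every identifying cookie, and audits which identifiers a browser would still send afterwards. All cookie names and values are constructed for illustration.

```python
"""Audit whether a logout response really clears identifying cookies.

Added example. The cookie names, values and the IDENTIFYING set below are
constructed for illustration and are not any real site's cookies.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import Morsel, SimpleCookie
from typing import Dict, Iterable, List, Set

# Constructed cookie jar of a logged-in browser: cookie name -> value.
LOGGED_IN_JAR: Dict[str, str] = {
    "sess": "9f3a77c1e0",       # session token: authenticates requests
    "uid": "100004321",         # account number: identifies the user
    "browser_id": "b7e1c0d4",   # long-lived per-browser identifier
    "locale": "en_US",          # preference only, not identifying
}
# Cookies whose value identifies a user or a browser (constructed list).
IDENTIFYING: Set[str] = {"sess", "uid", "browser_id"}

EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"


def logout_weak(jar: Dict[str, str]) -> List[str]:
    """Weak logout: de-authorizes the browser by expiring the session cookie
    only. Every other cookie, identifiers included, keeps being sent."""
    return ["sess=; Max-Age=0; Path=/"]


def logout_hardened(jar: Dict[str, str]) -> List[str]:
    """Hardened logout: expire every cookie that carries an identifier, so a
    logged-out browser sends nothing that ties requests to the account."""
    return [f"{name}=; Expires={EPOCH}; Path=/"
            for name in sorted(jar) if name in IDENTIFYING]


def _is_deletion(morsel: Morsel, now: datetime) -> bool:
    """A browser deletes a cookie on Max-Age <= 0 or an Expires in the past."""
    if morsel["max-age"] != "":
        return int(morsel["max-age"]) <= 0
    if morsel["expires"] != "":
        return parsedate_to_datetime(morsel["expires"]) <= now
    return False


def apply_set_cookie(jar: Dict[str, str], headers: Iterable[str]) -> Dict[str, str]:
    """Apply Set-Cookie headers to a copy of the jar the way a browser would:
    deletions remove the cookie, anything else stores the new value."""
    now = datetime.now(timezone.utc)
    new_jar = dict(jar)
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if _is_deletion(morsel, now):
                new_jar.pop(name, None)
            else:
                new_jar[name] = morsel.value
    return new_jar


def identifiers_sent_after_logout(jar: Dict[str, str], headers: Iterable[str],
                                  identifying: Set[str] = IDENTIFYING) -> List[str]:
    """Names of identifying cookies the browser would still send to the site
    after the logout response has been applied. Empty means a clean logout."""
    after = apply_set_cookie(jar, headers)
    return sorted(name for name in after if name in identifying)


if __name__ == "__main__":
    for label, logout in (("weak", logout_weak), ("hardened", logout_hardened)):
        leftover = identifiers_sent_after_logout(LOGGED_IN_JAR, logout(LOGGED_IN_JAR))
        print(f"{label} logout still sends identifiers: {leftover or 'none'}")
```

The same `identifiers_sent_after_logout` check can be pointed at a real logout response by feeding it the browser's pre-logout cookies and the `Set-Cookie` headers the server returned; the list of which cookie names count as identifying is the one judgment the auditor has to supply, and the Facebook statement quoted above is an example of why that list should be kept explicit rather than assumed.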