Saturday, October 22, 2011

Sounds like a good deed, until you think of all the lost evidence, disrupted investigations and these sickos becoming harder to find.
"According to Security News Daily, Anonymous has taken down more than 40 darknet-based child porn websites over the last week. Details of some of the hacks have been released via pastebin #OpDarknet, including personal details of some users of a site named 'Lolita City,' and DDoS tools that target Hidden Wiki and Freedom Hosting — alleged to be two of the biggest darknet sites hosting child porn."

Keeping up with the “dark side”
"TDL4, a rootkit that helps build a powerful botnet, is pegged by security vendor ESET as one of the most sophisticated pieces of malware in the world. But its creators aren't resting on their laurels; they're rewriting some of the code from the ground up to make it difficult for antimalware to detect it, creating a hidden boot partition that guarantees malware code will be loaded even before the operating system is. It's part of a plan to turn TDL4 into a turnkey product that can be sold to other criminal operations." [Ethical question: Should universities subscribe to criminal tools for their Ethical Hacking students? Bob]

(Related) Thanks to technology, you don't need to drive to Beverly Hills to steal from the folks who live in Beverly Hills; why would anyone think they need to break into boardrooms to steal corporate information?
"Nasdaq's Directors Desk is a program sold to both listed and private companies, whose board members use it to share documents and communicate with executives. Apparently Directors Desk was infected during a breach widely publicized earlier this year. It has now become known that hackers were able to access confidential documents and communications of the corporate directors and board members who received this infected application, said Tom Kellermann, chief technology officer with security technology firm AirPatrol Corp. It is unclear how long the Directors Desk application was infected before the exchange identified the breach, according to Kellermann and another source."

Interesting that the number one 'petition' is to legalize pot. I wonder if this could be replicated on a state or congressional district level. Might actually be useful there...
"Last month the White House created an online petition system through which constituents can directly voice any grievances and concerns to the US government. Any petition that reaches 25,000 signatures (5,000 originally) is promised an official reply. This weekend the first petitions will be closing, and already many have far exceeded the required number of signatures. Is this the way for the voice of the electorate to gain more weight in modern politics, or is it the web version of a placebo button? Will the President's office really consider the top pleas, which include petitions to Legalize and Regulate Marijuana, Forgive Student Loan Debt, and Abolish the TSA?"

Perspective: If we can end a war with a Facebook update, can we start one with a Tweet? “Dude, Bomb this guy!”
On Facebook, NATO Chief Announces End to Libya War
This has to be a first in the annals of social media. The commander of NATO’s Libya war has announced his intent to end hostilities through Facebook.
In a short post on his Wall Friday morning, Adm. James Stavridis told the world, “I will be recommending conclusion of this mission to the North Atlantic Council of NATO in a few hours.”

Geek alert! Can we train our computers? NOTE: I'm assuming that if this works as advertised, I'll be getting an invitation based on this post.
"Virtually overnight, Siri, the personal assistant technology in Apple's new iPhone 4S, has brought state-of-the-art AI to the consumer mainstream. Well, it turns out there's more where that came from. Trapit, a second spinoff of SRI International's groundbreaking CALO project (Cognitive Assistant that Learns and Organizes), is preparing for a public beta launch this fall. The Web-based news aggregator lets users set up persistent 'traps' or filters on specific topics. Over time, the traps learn to include more articles that match users' interests and exclude those that don't. Philosophically, it's the exact opposite of social-curation news apps like Flipboard or Pulse, since it uses adaptive learning and sense-making technologies to learn what users like, not what their friends like. 'Just as Siri is revolutionizing the human-computer interaction on the mobile device, Trapit will revolutionize Web search as we know it today,' the company asserts."

Since I create a lot of short “how to” articles for my students, something like this could be quite handy.
Print Edit: Make Web Pages Printer Friendly
Some site developers are considerate enough to provide printer friendly versions of their webpages. Others however overlook this step and have websites that might take up a lot of your printer’s ink if printed as is, with unnecessary images and advertisements. Thankfully, for Firefox users, there is a great tool for this problem: Print Edit.
… Simply install the add-on and then enter any webpage in the preview mode. In this mode you can exclude certain elements of the webpage. You can remove ads, images, frames, and any other labels or elements detected by the add-on.
… You can also use the “Delete All Except” option to select the portion you want to keep and delete everything else.

Since I'm teaching the website class this quarter, I have plenty of students to “test” this editor (See, homework can be useful!)
Create Webpages Five Times Faster Using the Bluefish Editor [Cross-Platform]
… When you first set up Bluefish, you’ll see the first reason I like it so much – it is designed to handle a huge assortment of programming languages, from straight HTML and PHP to Java, VB and even ASP. That kind of flexibility is a nice thing to have in a code editor, especially if you often have your hands in many different programming languages.
… When you launch a new document from the file menu, if you choose template you’ll see that Bluefish has a few pre-built program templates available. This is especially useful if you write a lot of web pages, for example, and don’t want to recreate the same generic XHTML or PHP structure. Instead, just launch Bluefish’s template and you can immediately get into creating the content.
… As you can see in the menu bar, there are also pre-built code snippets available under each program language. For example, HTML has standard code for web forms, and PHP has standard code snippets for how to connect to an ODBC or MySQL database.

Beware of degrees that come with fries...
STEM: Science Technology Engineering Mathematics
October 22, 2011 03:27
Source: Center on Education and the Workforce, Georgetown University
A new report from the Georgetown University Center on Education and the Workforce shows that 65 percent of Bachelor’s degrees in STEM (science, engineering, technology and mathematics) occupations earn more than Master’s degrees in non-STEM occupations. …
… demand for STEM talent is growing even faster outside of traditional STEM occupations.
… while STEM is high-paying, STEM students have access to higher-paying career options.
+ Link to full report (PDF; 3.37 MB)

Friday, October 21, 2011

When I see articles like this one...
Facebook to give German state privacy exemption
October 21, 2011 by Dissent
Facebook has offered a special exemption from its data handling practices to Schleswig-Holstein after the northern German state’s data protection commissioner complained about the online social network’s popular “like” button.
Thilo Weichert, who leads the state’s data protection efforts, said in August that the site’s “like” button violated German privacy laws because it allowed Facebook to track members’ interests without their consent and sent the personal data to the United States.
But in a private meeting between Weichert and Richard Allan, Facebook’s head of privacy policy in Europe, the US internet giant offered to shield visitors to websites operated from Schleswig-Holstein from having their data sent to the United States. It also provided a full accounting of how it collects and uses users’ data, public broadcaster NDR reported on Friday.
Read more on The Local.
So Facebook will use IP addresses, and those coming from certain IP addresses will not have their data sent to the U.S., it seems.
There is something … frustrating… that German and Irish data protection authorities may be doing more to protect their citizens’ privacy than the American Congress has done.

...I have to ask what else was included in the deal? After all, nothing suggests that Facebook stops collecting the information.
When a government spies on its people: German spyware scandal; second version of spyware reported
October 21, 2011 by Dissent
The use of spyware by the government is fast becoming THE surveillance scandal of the year. In typical fashion, however, rather than deal with the substantive issues its use raises, there are those who would shoot the messenger or whistleblower. Cyrus Farivar reports:
On Tuesday, a pair of German researchers working for Kaspersky Labs, a computer security firm, discovered that there is a second, more powerful version of the Federal Trojan spyware, which can be run on more recent, 64-bit Windows computers.
It is also capable of conducting surveillance on a total of 15 applications, including Yahoo Messenger and Internet Explorer, more than the previous version.
A research paper published Thursday by the official analysis wing of the German parliament said that the CCC’s [Chaos Computer Club's] publication of the trojan and its source code may in fact violate German law.
“Overall, it appears possible that the publication of the source code of a so-called trojan state is regarded as a criminal act under Section 258 of the Criminal Code obstruction of justice,” the paper said.
Anke Spriestersbach, the BKA spokesperson, added that some of those 23 cases were ongoing prior to the halt of the surveillance software’s use.
The BKA had previously denied using the specific version of the spyware exposed by the CCC.
Read more about this matter on Deutsche Welle. Not surprisingly, the company that makes the software now may be in the crosshairs of litigation:
In a related case on Thursday, Dominick Boecker, a Cologne-based IT attorney, announced his intention to file a civil lawsuit against DigiTask, the company behind the spyware. Boecker is representing Wavecon, a competitor based in Fürth, outside Nuremberg, in southern Germany.
“DigiTask manufactured products and sold software to law enforcement agencies [that] met the criminal definition of unauthorized interception of data,” [Interesting. Are they saying that offering the police (the state) software that is illegal, constitutes “unfair competition?” Bob] Boecker wrote in a German-language statement on his website.

Who are you? Who are you online?
You Are Not Your Name and Photo: A Call to Re-Imagine Identity
… At the Web 2.0 conference this week, Poole gave a compelling talk that mapped this complexity, and which I hope will help reframe our discussion of identity. It’s hard to summarize, but in addition to the full video, I’ll try to pull out a few of the big ideas:
  • Both Google+ (with Circles) and Facebook (with Smart Lists) misunderstand the core problem of online identity: It’s not only about who you’re sharing with, but how you represent yourself. “It’s not who you share with, but who you share as.”
  • If you’re looking to keep score between the major social media companies: Twitter handles identity better than Facebook, because it allows for handles, multiple accounts, fake accounts and other features that keep Twitter interest-driven, not identity-driven. Google, in turn, “missed a gigantic opportunity to innovate” the representation of identity online by allowing for something as rich as Circles for self-representation, not just choice of audience. “Facebook and Google do identity wrong; Twitter does it better; and I want to think about what the world would be like if we did it right.”

(Related) Perhaps they really mean “Do no evil” – perhaps not.
"After months of Google+ being unsuccessful at taking the edge over Facebook, Google announces a new plan. Google executive Vic Gundotra announced yesterday that they will be 'adding features that will "support other forms of identity,"' a major victory for security and privacy advocates. If Google+ gets rid of their 'real names' policy, they will finally be the social networking site that people will flock to when running away from Facebook."
JWZ is a skeptic; he describes as "premature victory" (and much harsher things, too) any rejoicing in the announced policy change, writing in part "My guess? I'll bet they still require you to register with your 'real' name, but then they'll graciously allow you to have a linked nickname or two, meaning they're still fully prepared to roll over on you to authoritarian governments or advertisers at the drop of a hat."

(Related) This logic can be understood easily if you remember their perspective is: “I'm a politician so everyone is hanging on my every word. Anonymity won't win me any votes!”
"A Parliamentary Committee in the UK has suggested that sites should be protected against libel claims against contributors — as long as those contributors are identified. Anonymous postings should be taken down if someone complains of libel in them, in a set of proposals which online community groups have described as 'chilling.'"

For my Ethical Hackers: I would call this a hack, but since “there's an App for that” I'll just remind you that an App IS a hack...
Plan B: Cool Lost Mobile Tracking Application [Android]
People normally take precautions by installing mobile tracking applications on their phone. But what if your phone is already lost and you do not have such an app installed on it? The solution to that problem is an Android application called Plan B.
You start by remotely installing the app from the Android Marketplace. Then the app will automatically start, turn on the phone’s GPS, and email your phone’s location to your Gmail account. To keep track of your phone, simply text “locate” to your lost phone and its position will be communicated to you.
Similar tools: Puntalo, BuddyWay, BlueRetriever and iTag.

Is this part of Obama's jobs bill? Let's hire everyone who is currently unemployed to watch everyone else? Note that this would not have caught Tim McVeigh. He never drove his truck on a highway, nor would he have been required to use a weigh station...
"TSA is expanding its presence to the American road system. As part of its Visible Intermodal Prevention and Response (VIPR) program, TSA agents are now working at 5 weigh stations and two bus stations in Tennessee. They are randomly checking trucks with 'drug and bomb sniffing dogs', and encouraging truck drivers to join their First Observer Highway Security Program and report anything suspicious that they see to authorities. VIPR is allegedly not a response to any particular threat." [I suspect it isn't a “response” to any conceivable threat Bob]

(Related) Another case of politicians looking for an easy, quick fix for a problem with no consideration of further implications. (This is the home of Forrest Gump, isn't it?)
"Louisiana has passed a law that says people may no longer use cash for second hand transactions. The idea is to make all transactions traceable, thus foiling copper theft, etc. This move has profound implications that range from constitutional rights to Bitcoin, Craigslist and so forth; I wonder if there are any Slashdotters at all that support such a move."
On the list of exceptions: people who deal in used goods or "junk" less frequently than once per month, and (drumroll, please) pawn shops. That means a pretty big chunk of the population who post in online classified ads in Louisiana are probably already in violation.

Is this a real problem or a “competitive kerfuffle?”
Google Apps Not Cutting It for LA’s Finest
Two years after the City of Los Angeles approved a $7.25 million deal to move its e-mail and productivity infrastructure to Google Apps, the migration has still not been completed because the Los Angeles Police Department and other agencies are unsatisfied with Google’s security related to the handling of criminal history data.
… Beyond the LAPD, the proposed amendment also demands a refund for the Fire Department Arson Investigators, City Attorney Criminal Branch, and several other “City entities that access criminal history data.” Further credits are also demanded because “e-Discovery will not be implemented.”
… Both CSC and Google released statements this week. According to Network World, CSC said it has “successfully migrated all of the City of Los Angeles’s employees, except those with the City law enforcement agencies, to the new Google Apps cloud computing solution,” and “subsequent to the award of the original contract, the City identified significant new security requirements for the Police Department. CSC and Google worked closely with the City to evaluate and eventually implement the additional data security requirements, which are related to criminal justice services information, and we’re still working together on one final security requirement.”
… Google, meanwhile, called out Consumer Watchdog for working with Google competitors, presumably Microsoft...
… “The City has acknowledged Google Apps is more secure than its current system. Along the way, they’ve introduced new requirements which require work to implement in a cloud-computing environment, and we’ve presented a plan to meet them at no additional cost.”

Well, I find it interesting.
October 20, 2011
Pew: As learning goes mobile - slides
"Lee Rainie, Director of the Pew Research Center’s Internet & American Life Project, spoke about As learning goes mobile at the Educause 2011 annual conference. He described the Project’s latest findings about how people (especially young adults) use mobile devices, including smartphones and tablet computers. He discussed how the mobile revolution has combined with the social networking revolution to produce new kinds of learning and knowledge-sharing environments and described the challenges and opportunities this presents to colleges and teachers. Technology has enabled students to become different kinds of learners and Lee will explore what that means."

Hacking with “the Google”...
Now You Can Find Out Your IP Address Using Google

So far, just a list – but could be the start of something useful.
As we know, Google offers a lot of free products and services for a wide variety of purposes. Have you ever wondered just how many there are? Or where you can find them all? If so, Peter Beens has compiled a list of them all. The list can be found in this public Google Document.

Thursday, October 20, 2011

The flyer is up for the Privacy Foundation Seminar, at:

Something is still not adding up here, but I suspect we'll never get a straight story...
Military ‘Not Quite Sure’ How Drone Cockpits Got Infected
It’s been more than a month since a virus infected the remote “cockpits” of America’s drone fleet. And the U.S. military still doesn’t know exactly how the machines at Creech Air Force Base in Nevada got infected.
… the drone cockpit virus has already received so much publicity that the military decided to speak up, just a little. Last Wednesday, the Air Force issued a press release calling the infection “more of a nuisance than an operational threat.” [This type of malware tries to remain undetected so it can eavesdrop and steal information. Disrupting flight control systems would be immediately detected. Bob]
… The Air Force added that “credential stealer” code was transported from computer to computer through “portable hard drives.”
On Tuesday, Kehler appeared to walk that explanation back a bit. He said that the hard drives were one possible path of the infection — but not the only path.
“One of the things in the ground control system that we do is we transfer data using hard drives that we actually move from machine to machine and so, with that, there’s always a possibility to have something get in through the loops in the system,” he said. [But again, highly unlikely. All these computers should have anti-virus software running that immediately checks portable hardware as it is attached to the system. Bob]

Why did I say this was inevitable?
Stuxnet Jr. - Panic spreads as two vendors squabble over Duqu’s purpose
You can view the code here, just like millions of others have.

My French is inadequate, fortunately there are sub-titles.
Guy-Philippe Goldstein: How cyberattacks threaten real-world peace

Surveillance will become ubiquitous. Be the first kid on your block to have a full NSA-like spy tool!
Remote spying moves to phones with a vengeance
October 19, 2011 by Dissent
Earlier this week, I was disgusted to find a promotional e-mail from SMS Privato Spy in my inbox. The company sells a service by which it sends a spoofed SMS message to a target phone that then allows the subscriber to monitor the phone’s activity – all of it. The company attempts to cover their ass by a disclaimer on the home page,
“Disclaimer: SMS Privato Spy is an online software program designed to gather information about a phone. You should be the legal owner of the phone or have permission from the user of the phone in order to connect SMS Privato Spy on it.”
Uh huh. Sure. And the really disgusting part is that the disclaimer may actually cover their ass while those who purchase and use the service may face criminal charges if they are not the owner of the phone or don’t have consent to monitor.
Now some will say that’s just fine and it’s like guns – manufacturers can legally make them and sell them but responsibility for their use is with the purchaser or user. Personally, I have a problem with companies selling devices or services that they know damned well or can reasonably predict will be used for illegal purposes, but the government hasn’t seemed inclined to actually stop it. Maybe some really aggressive lawyers will file lawsuits charging these companies with conspiring to violate wiretapping laws or something. I don’t know, since I’m not a lawyer, but damn, I wish somebody would do something effective to stop all this sneaky remote spying.
Today, Kashmir Hill blogs on Forbes about a similar app, “Kare Log,” and the increasing use of phone-based spying tools. Read it and fume along with me.

Even Big Brother had to start somewhere. (and eventually, Big Brother treats everyone as children)
"EU MEP Tiziano Motti (Italy), wants everything you do online to be logged and saved, for the sake of the children. Like a black box installed on every computer. He proposes an early warning system of criminal activity, specifically whenever an image of sexually abused children is detected, an alarm goes to the authorities to be able to see who uploaded it. Tiziano Motti was a politician who just over a year ago managed to get a majority of European Members of Parliament to support the proposal to expand the data storage directive to Google searches. The purpose was to protect children from pedophiles — the same excuse he is using now. His proposal involves a technology called Logbox. And just as with an aircraft's black box, Logbox is installed on computers, laptops, smartphones, and e-readers because yes, all that can be connected to the internet."

Here we go...
An anonymous reader writes with this news on the ACTA treaty, straight from the EFF's release on the news:
"On Saturday October 1st, eight countries (the United States, Australia, Canada, Japan, Morocco, New Zealand, Singapore, and South Korea) signed the Anti-Counterfeiting Trade Agreement (ACTA) in Tokyo, Japan. Three of the participating countries (the European Union, Mexico, and Switzerland) have not yet signed the treaty, but have issued a joint statement affirming their intentions to sign it 'as soon as practicable.' ACTA will remain open for signature until May 2013. While the treaty's title might suggest that it deals only with counterfeit physical goods such as medicines, it is in fact far broader in scope. ACTA contains new potential obligations for Internet intermediaries, requiring them to police the Internet and their users, which in turn pose significant concerns for citizens' privacy, freedom of expression, and fair use rights."

I'm a “Hard” Science Fiction fan myself – never understood the fantasy side I guess. This turns out to be a good list and there are a few I still haven't read!
"T. N. Tobias writes that over the summer, over 60,000 people voted at NPR to select the top 100 science fiction and fantasy books of all time. The result? A list of 100 books with a wide range of styles, little context, and absolutely no pithy commentary to help readers actually choose something to read from it. Now SF Signal has come to the rescue with a 3800 x 2300 flowchart with over 325 decision points to help you find the perfect SF or Fantasy book to meet your tastes. Don't like to scroll? There's an interactive version that lets you answer a series of questions to find the perfect SF book."

Useful even for someone as artistically challenged as moi...
… online whiteboards are great collaborative tools to help you visualize your thoughts and brainstorm ideas. These Web apps not only throw out the smelly dry-erase markers, but also add a few tricks to make sharing your works faster and easier than ever.
A Web Whiteboard (AWW), developed by Senko Rasic, was designed to be minimalistic and simple to use like a real whiteboard. Coded in HTML5, AWW not only performs smoothly, but leaves little doubt to its functionality: users are given seven basic colors, three brush sizes, and a menu with sharing options.
… Users can collaborate with others in real time by enabling sharing in the menu and passing the URL to their friends or team members.
AWW can publish drawings to three major outlets: Facebook, Twitter, and Reddit. Users can also save their images in PNG format.
Twiddla flexes its muscles by offering a beefy selection of tools and extra methods of communication.
… In addition to standard drawing options such as brush size and color customization, Twiddla allows you to import documents, pictures, and even Web pages directly into the canvas.
… Each stroke is treated as a separate object layer, making corrections and edits a breeze when compared with erasing by hand.
In addition to sharing workspaces like AWW, Twiddla also adds a textbox and VoIP capabilities so multiple users can hold audio conferences in real time.

For my students. NOTE: This business model could be improved if I could schedule email/sms/tweet/whatever reminders to a list (class roster) for future delivery. Many reminder services send you an email “the day of” your scheduled event. I'd like a week's head start on my wife's birthday/anniversary gift buying...
Remind 2 Me is a free service for having reminders sent to your inbox. Using the service is very simple. To have reminders sent to you, just write out your reminder to yourself, enter your email address, and enter the date on which you need the reminder sent. You do not need to register for an account to use Remind 2 Me.
Remind 2 Me could be a helpful service for students who need help keeping track of important assignment dates.

Perspective: My students like it – that's good enough for me.
Khan Academy Triples Unique Users To 3.5 Million
Today at The Web 2.0 Summit in San Francisco, Founder of Khan Academy, Salman Khan, took the stage to share a few quick stats on the growth of his online video education platform. For those unfamiliar, Khan Academy is, as John Batelle noted this afternoon, one of Bill Gates’ favorite educators.
… The educational startup now counts over 2,600 videos in its library, with sessions or classes on everything from arithmetic to physics, including 211 practice exercises, to let students watch videos and learn at their own pace.
While Khan is a not-for-profit organization, the Academy has received donations from The Gates Foundation and also won Google’s “Project 10^100”. With the $2 million+ from Google and Gates in pocket, Khan told the crowd at Web 2.0 today that the academy is seeing 39 million pageviews and 3.5 million unique users per month. That 3.5 million unique users is up 309 percent year-over-year.

(Related) TED talk.

Wednesday, October 19, 2011

Is it me, or are we finally seeing some serious attention paid to Privacy issues? (and will my Ethical Hackers be able to turn on and redirect the “man in the middle” feature?)
EFF Gets Straight Privacy Answers From Amazon About New “Silk” Tablet Browser
October 19, 2011 by Dissent
Dan Auerbach writes:
Amazon recently announced that the new Kindle Fire tablet will ship with a brand new browser called Silk. The Silk browser works in “cloud acceleration” mode by routing most webpage requests through servers controlled by Amazon. The idea is to capitalize on Amazon’s powerful AWS cloud servers to parallelize and hence speed up downloading web page elements, and then pass that information back to the tablet through a persistent connection using the SPDY protocol. This protocol is generally faster than the standard HTTP protocol. This split-browser idea, not unique to Amazon, is a departure from the way major browsers work today.
Following the announcement, security experts as well as lawmakers have raised privacy questions and concerns about Silk. After all, while in cloud acceleration mode, the user is trusting Amazon with an incredible amount of information. This is because Amazon is sitting in the middle of most communications between a user’s Fire tablet on the one hand, and the website she chooses to visit on the other. This puts Amazon in a position to track a user’s browsing habits and possibly sensitive content. As there were a lot of questions that the Silk announcement left unresolved, we decided to follow up with Amazon to learn more about the privacy implications.
Our conversation with Amazon allayed many of our major concerns. Cloud acceleration mode is the default setting, but Amazon has assured us it will be easy to turn off on the first page of the browser settings menu. When turned off, Silk operates as a normal web browser, sending the requests directly to the web sites you are visiting.
Read more on EFF.

(Related) While Amazon offers speed in exchange for a peek at your data, Google offers a secure connection from your desktop to their servers (where they can peek at your data)
Google makes search more secure
October 19, 2011 by Dissent
From Google’s blog:
We’ve worked hard over the past few years to increase our services’ use of an encryption protocol called SSL, as well as encouraging the industry to adopt stronger security standards. For example, we made SSL the default setting in Gmail in January 2010 and introduced an encrypted search service located at four months later. Other prominent web companies have also added SSL support in recent months.
As search becomes an increasingly customized experience, we recognize the growing importance of protecting the personalized search results we deliver. As a result, we’re enhancing our default search experience for signed-in users. Over the next few weeks, many of you will find yourselves redirected to (note the extra “s”) when you’re signed in to your Google Account. This change encrypts your search queries and Google’s results page. This is especially important when you’re using an unsecured Internet connection, such as a WiFi hotspot in an Internet cafe. You can also navigate to directly if you’re signed out or if you don’t have a Google Account.
Read the full blog entry on Google.

(Related) and Twitter protects rioters?
Twitter chief: We will protect our users from Government
October 18, 2011 by Dissent
Emma Barnett reports:
Dick Costolo, Twitter’s chief, has stood by the company’s decision not to suspend the service during the UK riots or disclose user identities to authorities.
Speaking at the annual Web 2.0 Summit in San Francisco, Costolo referred specifically to the UK riots when talking about the need to ensure Twitter remains a platform upon which freedom of speech is prioritised, even during times of civil unrest.
“One of our core values is respect and the need to defend the user’s voice,” he explained. “In the case of the London riots…the majority of the tweets were more about organising clean-ups [rather than inciting violence].”
It was thought that after a number of executives from Twitter, Facebook and Blackberry were summoned to a meeting with Theresa May, the Home Secretary, after their services were used to coordinate and encourage looting during the UK riots, the Government would try to temporarily suspend the digital networks.
However, Costolo revealed that instead of engaging in shut-down talks in such meetings, it told government officials that the “hope” is that the majority of tweets around a hot topic such as the riots will be geared at trying to help matters, rather than incite more violence.
He reiterated that a free speech was a core tenet of Twitter, citing the motto of the company’s General Counsel: “We are the free speech wing of the free speech party.”
Read more on The Telegraph. Previous coverage of Twitter’s standing up for its users can be found on the ThankTwitter page.

Perhaps this is why all those huge Internet & Social companies are paying attention? Statutory damages?
EPIC responds to Facebook et al.’s attempts to eliminate class action lawsuits based on statutory damages
October 18, 2011 by Dissent
Ah, thumbs up to EPIC – they jumped into a SCOTUS case that Facebook, LinkedIn, and Zynga had tried to use as an opportunity to free themselves from litigation where consumers could not demonstrate actual harm. The firms filed an amicus brief that argued that there should be no standing or statutory damages absent a showing of actual harm:
Specifically, under the Ninth Circuit’s ruling, if any of the millions of consumers who interact with one of these companies is willing (or can be enticed by a plaintiffs’ attorney) to allege that a generalized practice or act of the company violated a law providing for statutory damages, she could launch a putative class action on behalf of herself and millions of other “similarly situated” users—and pursue a concomitant multi-billion dollar statutory damages claim—without herself or a single other class member having suffered any injury from the practice or act at issue.
Allowing plaintiffs to file such no-injury class action lawsuits could subject businesses such as amici to damages demands that, at least on their face, would be potentially bankrupting. Just the threat of these massive damages claims creates strong incentives to end even baseless suits with settlement payments, essentially rewarding plaintiffs (and their opportunistic counsel) for filing extortionate strike suits. While Internet businesses such as amici would almost certainly have valid defenses on the merits to such lawsuits, if they were unable to eliminate these strike suits “at the courthouse door,” the in terrorem effect of even a small chance of a devastating loss, as well as the prospect of significant litigation costs, would increase the likelihood of meritless suits being settled by monetary payments that benefit only plaintiffs’ attorneys.
While I think there are some meritless lawsuits, it is already hard enough for consumers to demonstrate standing and the elimination of statutory damages would make things even harder. Thankfully, EPIC responded with their own brief:
EPIC filed a “friend of the court” brief in the United States Supreme Court urging the Court to affirm Congress’ power to enact strong statutes that protect consumer privacy. First American v. Edwards presents the question of whether a person can sue to enforce a provision of the Real Estate Settlement Procedures Act (RESPA), which gives individuals a right to untainted real estate referral services, and enforces this right by specifying an amount of damages for which violators are liable. Surprisingly, Facebook, Linkedin, Yahoo, and Zynga filed a brief in support of the bank First American and argued against enforcement of privacy statutes in certain circumstances. EPIC then filed a brief in support of the consumer Edwards and argued that if the Court did not uphold statutory damage provisions, “it would become virtually impossible to enforce privacy safeguards in the United States.” Statutory damage provisions help ensure compliance with Fair Information Practices, the foundation of modern privacy law.

This shouldn't surprise anyone... Before you fire the big guns, you should have a target in mind...
Son of Stuxnet Found in the Wild on Systems in Europe
A little more than one year after the infrastructure-destroying Stuxnet worm was discovered on computer systems in Iran, a new piece of malware using some of the same techniques has been found infecting systems in Europe, according to researchers at security firm Symantec.
The new malware, dubbed “Duqu” [dü-kyü], contains parts that are nearly identical to Stuxnet and appears to have been written by the same authors behind Stuxnet, or at least by someone who had direct access to the Stuxnet source code, says Liam O Murchu. He’s one of the leading experts on Stuxnet who produced extensive analysis of that worm with two of his Symantec colleagues last year and has posted a paper detailing the Duqu analysis to date.
… The new code does not self-replicate in order to spread itself — and is therefore not a worm. Nor does it contain a destructive payload to damage hardware in the way that Stuxnet did. Instead, it appears to be a precursor to a Stuxnet-like attack, designed to conduct reconnaissance on an unknown industrial control system and gather intelligence that can later be used to conduct a targeted attack.

For my Ethical Hackers – no need to install software or attach hardware!
"Researchers at Georgia Tech demonstrate that a mobile phone located near a keyboard can use its accelerometers to recover text typed by a target. 'The technique works through probability and by detecting pairs of keystrokes, rather than individual keys (which still is too difficult to accomplish reliably, Traynor said). It models “keyboard events” in pairs, then determines whether the pair of keys pressed is on the left versus right side of the keyboard, and whether they are close together or far apart. After the system has determined these characteristics for each pair of keys depressed, it compares the results against a preloaded dictionary, each word of which has been broken down along similar measurements (i.e., are the letters left/right, near/far on a standard QWERTY keyboard).'"

Stuff for students (Includes links to the tools mentioned)
How To Prepare Your Laptop For A Case Of Theft
Use Locks for Laptop Theft Protection
[Including physical locks Bob] However, there are several other ways to lock your laptop, for example using a USB flash drive and software. These locks can trigger an alarm when someone tries to break them, for example by removing the flash drive or by entering a wrong password.
Password Protect All User Accounts
Encrypt Sensitive Data
Backup Your Data
Install Applications to Track Down Your Laptop
Customize Your Laptop Data and Record Information

Tuesday, October 18, 2011

Another “Lawyers are evil” rant? If no one goes after the Breachers, what incentive do they have to “repent and reform?” It seems likely that courts (juries) have undervalued the damages. Can't wait to see if we can correct that in the Nov. 4th Seminar...
Exploiting Privacy Breaches
October 18, 2011 by Dissent
I recently commented on the rush to class action lawsuits that seems to have become the norm. Today, I was interested to see this column by John Halamka, MD, CIO, CareGroup Health System, Harvard Medical School. He writes, in part:
As with any profession there are those attorneys who use the law for personal gain. Here’s a list of privacy breach class action suits, comparing payments to attorneys versus their clients.
There are many good investors. Accelerating new technology by providing funding to those who can build high value businesses is a good thing. As with any profession, there are investors who put profits ahead of societal benefits.
I’ve heard discussion about an alarming new business model. Investors paying attorneys to file class action suits related to privacy breaches in return for a portion of the profits.
Investing in class action suits that asymmetrically benefit the finance and legal professions is not something that benefits society.
Read more on Healthcare Finance News. Although John is talking about the healthcare sector and as an insider, his points might seem a bit self-serving, I agree with him and his point applies equally well to other sectors. I think that those who are really sloppy with security and privacy protections should experience consequences and consumers should be compensated for any harm, time, or stress they incur as a result of negligent security or privacy practices, but most class action lawsuits really benefit no one but the plaintiffs’ attorneys. All these suits will do in the long run is discourage entities from coming clean about breaches, and then we all lose.

Interesting (even though I have omitted a bunch of detail) this still looks like one to track.
Aspiring actress sues IMDB and Amazon for revealing her true age and for misusing her credit card details to obtain it
Venkat Balasubramani kindly pointed me to this Jane Doe lawsuit against Amazon and its subsidiary,
If I understand the thrust of the complaint, Doe, an aspiring actress, had registered with using her stage name. When she upgraded to IMDBpro, however, she was required to provide a credit card number, and with it, the name on the credit card – her real name. Doe believed that the information would be kept confidential, but subsequently revealed her real date of birth in their database. Doe claims that IMDB and Amazon obtained her real birthdate by aggregating public sources based on the credit card data. She alleges that IMDBpro’s privacy policy had not indicated that other sources of information that they might collect would result in public disclosure of her private facts.
… So I trotted off to look at IMDBpro’s signup process and subscriber agreement. The service’s privacy policy says, in relevant part:
… Information from Other Sources: For reasons such as improving personalization of our service (for example, providing better movie recommendations or special offers that we think will interest you), we might receive information about you from other sources and add it to our account information. We also sometimes receive updated delivery and address information from other sources so that we can correct our records and deliver your next communication more easily
… That Amazon/IMDBpro would aggregate public records – assuming for now that they have, indeed, done that – does not surprise me.
That they would reveal personal information such as date of birth in a public profile without the consent of a subscriber does surprise me as there is nothing in their privacy policy that would appear to permit that. Or are they now the True Age Police?
That they would refuse to remove the information when made aware of the concern/complaint is mind-boggling. Even though their privacy policy does say “we might receive information about you from other sources and add it to our account information,” I do not think that most subscribers would interpret that to mean that information thus added would be publicly disclosed.
Another interesting case to watch.

“Nah nah na nah nah, you can't hack me!” Which part of “Never challenge a hacker” didn't you understand? (My Ethical Hackers will be pleased to know Chapters 18-21 are apparently unknown to DHS.)
DHS: Anonymous lacks the skill to harm ICS stability
A NCCIC (National Cybersecurity and Communications Integration Center) bulletin issued in September, released by on Monday, says that Anonymous has taken an interest in Industrial Control Systems, but that’s about it.
Actual harm to ICS stability is limited, the NCCIC notice says, because Anonymous lacks the skill to target anything other than Web-facing applications and access.

Perhaps we could create an automated rating service here – This App Policy contains 82% of the minimum recommended protections?
Draft Mobile Application Privacy Policy released by the Mobile Marketing Association
October 17, 2011 by Dissent
The Mobile Marketing Association (MMA) has released a draft Mobile Application Privacy Policy for public comment. You can read the accompanying press release here.

There are lots of ex-military in my Ethical Hacking classes, but I doubt any of them would buy these arguments. From a Political perspective, the problem with a cyber attack is that it doesn't show up dramatically on the evening news.
U.S. Considered Hacking Libya’s Air Defense to Disable Radar
Officials in the Obama administration considered launching a cyber offensive against Libya’s computer networks last March as part of the NATO-led air strikes against the Qaddafi regime.
The cyberattack would have involved breaking through the firewalls protecting Libyan computer networks in order to disrupt military communications and thwart early-warning radar systems that would detect planes coming in for a strike.
The officials and military officers ultimately decided against the plan out of fear that it would set a precedent for other nations to use similar techniques, [Highly unlikely. Bob] according to the New York Times. There were also unresolved questions about whether President Obama had the power to approve such an attack without first informing Congress, and whether there was sufficient time to conduct digital reconnaissance and write the attack code that would have been required to pull off such an attack.
… Had the computer-network attack against Libya gone ahead, administration officials told the Times they were confident the attack code could have been contained within Libya’s networks and not spread to other networks to cause collateral damage.
Such questions have become central to cyberwarfare discussions in the wake of the Stuxnet computer worm – a piece of malware that was launched in 2009 against computers in Iran to disrupt that country’s uranium enrichment program.
Stuxnet spread beyond the targeted systems, however, infecting more than 100,000 computers throughout Iran, India, Indonesia and elsewhere. Because the worm was skillfully crafted to affect only systems operating at one of Iran’s nuclear enrichment plants, it did not harm the other systems it infected.
[From the NYT article:
While popular fiction and films depict cyberattacks as easy to mount — only a few computer keystrokes needed — in reality it takes significant digital snooping to identify potential entry points and susceptible nodes in a linked network of communications systems, radars and missiles like that operated by the Libyan government, and then to write and insert the proper poisonous codes. [First, cyber attacks ARE easy to mount (ask any script kiddie); what is difficult is a subtle cyber attack. Second, let's not pretend that we have not carefully explored the computer networks of any potential adversary. That's just insulting. Bob]

This is inevitable, so we might as well start paying attention...
For iPads in the enterprise, hassles aplenty
In various talks yesterday, Gartner analysts highlighted a series of gotchas that need to be considered before jumping on the enterprise tablet bandwagon. Among the key issues:
  • Apple iPads and tablets may require a Microsoft license.
  • Securing iPads and tablets may require new skills.
  • Formatting.
  • Companies need to come up with consumption policies and new ways to present information.
  • Hosted virtual desktops don't solve everything.
  • Apple isn't an enterprise player.

Perspective: Twits are everywhere!
Twitter Is At 250 Million Tweets Per Day, iOS 5 Integration Made Signups Increase 3x
Twitter CEO Dick Costolo has just dropped some numbers at a speaker dinner here at Web 2.0 Summit in San Francisco. Costolo revealed that the company has gone from 90 million tweets per day in September of 2010 to 100 million at the beginning of this year to 1/4 billion tweets per day as of today, a 177 percent change. Twitter is now serving up a billion tweets every 4-5 days, Costolo said.

Monday, October 17, 2011

Now this is truly scary...
By Dissent, October 17, 2011
Pamela Lewis Dolan reports:
One-third of health care organizations, including physician practices, insurers and pharmacies, have reported catching a patient using the identity of someone else to obtain services, according to a report from the professional services firm PwC.
Medical identity theft is still a small percentage of the total amount of identity theft that occurs, but it’s the fastest-growing segment, said Jim Koenig, director and leader of PwC’s identity theft practice.
Read more on American Medical News.
[From the article:
The report, "Old Data Learns New Tricks," by PwC's Health Research Institute, said the problem -- and consequences -- of medical identity theft could get worse as electronic sharing of patient data increases. Physicians unwittingly could end up using information obtained during a visit with an identity thief in deciding how to treat a patient, for example.

Excellent summary. It takes much less effort and expense to check that these controls are in place than to deal with a security breach that didn't bother with them.
By Dissent, October 16, 2011
Tony Kennedy and Maura Lerner report on the aftermath of a contractor breach that affected patients at Fairview and North Memorial hospitals in Minnesota. For those who may not recall the Accretive breach, the reporters provide a summary:
On the night of July 28, according to police reports, a consultant named Matthew Doyle, who worked for Accretive Health Inc., left a Dell laptop in the back seat of a rental car parked in the Seven Corners bar and restaurant district in Minneapolis. When he returned after 10 p.m., the back window was smashed and the computer was missing.
The laptop contained information on 14,000 Fairview patients and 2,800 North Memorial patients, potentially exposing them to identity theft or other harm.
The bulk of the news story deals with Accretive Health’s failure to encrypt and adequately secure the data, noting that nationwide, there are about three reports per month of stolen laptops with unencrypted patient data. I think that estimate is way too low and that we’re only finding out about an average of three per month but there are likely many more.
But what have the Minnesota hospitals learned from the breach and how has it affected their relationship with Accretive?
Lois Dahl, Fairview’s information privacy director, said the mistake has taught the hospital to verify, not just trust, that its contractors are living up to privacy obligations.
Fairview also is considering dropping Social Security numbers from records shared with outside business partners, Dahl said. The hospital also wants to tighten practices to ensure it is not giving vendors more patient information than necessary, she said.
Bingo! It’s a shame it took this breach for them to learn those lessons, but if they’ve learned them now, I’m glad for that.
For its part, Accretive has started daily audits [I assume this is an automated audit – software checking that encryption programs are installed and active? Bob] to ensure encryption on all devices carrying patient information, Kazarian said. The company also has “reaffirmed” rules for keeping laptops secure, he said.
And what are their rules? It would be nice to know what they are instructing employees – other than not to leave a laptop in the back seat of a car in a bar parking lot.
Harley Geiger of the Center for Democracy and Technology (CDT) described the breach as “failure of diligence,” and I concur. But it’s not just the contractor’s diligence. As the hospital now realizes, covered entities need to verify that contractors are living up to the terms of any contract in terms of protecting the privacy and security of patient data.
Yesterday, in another sector, we saw how the SEC discovered that a contractor had shared data with unapproved and un-vetted subcontractors. SEC notified its employees of the breach, but the impressive part is that they audited and verified what was happening to data they had shared with the contractor. More HIPAA-covered entities would benefit from the “trust but verify” approach. It’s just not enough to have clauses in a contract and when covered entities are themselves audited, I hope they are asked to indicate how often and how they verify that business associates are adhering to the security and privacy protections in their contract.
“This was not the result of some sophisticated attack,” Geiger said.
No, indeed. And I am hard-pressed to think of any sophisticated attacks on patient data that we have seen. Most of them seem to be reasonably low-level attacks that could have been fairly easily prevented. Besides, why knock yourself out attacking networks when there is so much low-hanging fruit just lying around for the taking?
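Bob's bracketed question above, whether Accretive's "daily audits" are software checking that encryption is installed and active, and the "Encrypt Sensitive Data" step in the laptop-theft checklist earlier on this page, both come down to the same control: confirming that every mounted filesystem holding sensitive data sits on an encrypted device. The following added example (mine, not Accretive's, the hospitals' or the blog's code) does that check for a Linux laptop by parsing the key="value" output of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` and walking each mounted device's parent chain to see whether a `crypt` (dm-crypt/LUKS) mapping sits underneath it. The embedded sample output is constructed for the example; the exempt list of unencrypted boot mounts is an assumption a site would tune to its own build.

```python
import re
import subprocess

# Constructed sample of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output (not
# taken from a real host): an encrypted LVM root/home on sda, and a second
# disk with a plain, unencrypted partition mounted at /mnt/patients.
SAMPLE_LSBLK = """\
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
KNAME="sdb" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sdb1" PKNAME="sdb" TYPE="part" MOUNTPOINT="/mnt/patients"
"""

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk_pairs(text):
    """Map kernel device name -> dict of columns from lsblk -P output."""
    devices = {}
    for line in text.splitlines():
        fields = dict(PAIR_RE.findall(line))
        if "KNAME" in fields:
            devices[fields["KNAME"]] = fields
    return devices


def is_encrypted(kname, devices):
    """True if the device or any ancestor in its stack is a crypt mapping.

    Walks PKNAME links upward (lvm -> crypt -> part -> disk); the `seen` set
    guards against a malformed cycle in the input.
    """
    seen = set()
    while kname and kname in devices and kname not in seen:
        seen.add(kname)
        if devices[kname].get("TYPE") == "crypt":
            return True
        kname = devices[kname].get("PKNAME", "")
    return False


def audit_mounts(text, exempt=("/boot", "/boot/efi")):
    """Return one finding string per mounted filesystem lacking encryption.

    `exempt` (an assumption of this example) lists mounts that are expected to
    be plaintext because the bootloader must read them.
    """
    devices = parse_lsblk_pairs(text)
    findings = []
    for kname, fields in devices.items():
        mountpoint = fields.get("MOUNTPOINT", "")
        if not mountpoint or mountpoint == "[SWAP]":
            continue
        if not is_encrypted(kname, devices) and mountpoint not in exempt:
            findings.append(f"{mountpoint} ({kname}) is mounted from an unencrypted device")
    return findings


def main():
    """Run the audit on the live host; fall back to the sample off Linux."""
    try:
        out = subprocess.run(
            ["lsblk", "-P", "-o", "KNAME,PKNAME,TYPE,MOUNTPOINT"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_LSBLK
    for line in audit_mounts(out) or ["all non-exempt mounts are on encrypted devices"]:
        print(line)


if __name__ == "__main__":
    main()
```

On the sample the only finding is /mnt/patients; / and /home pass because their LVM volumes sit on top of the crypt device. A non-empty findings list is what a daily job would turn into an alert.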

On one hand, this is done with fingerprints to avoid crime scene confusion. On the other hand, this makes the cops feel like the second-class citizens they serve and protect.
Police cite privacy concerns over their own DNA
October 16, 2011 by Dissent
Dave Collins of Associated Press reports:
When police in southern Louisiana were investigating the deaths of eight women in 2009, the sophistication of the crimes set off rumors that the serial killer was a police officer — speculation that became so pervasive that officials ordered DNA testing of law enforcement personnel to rule it out.
All local officers agreed to the testing and were eliminated as suspects, but the killer remains at large, said Jefferson Davis Parish Sheriff Ricky Edwards.
Having officers’ DNA samples on file is important for saving time in investigations and fending off doubt about evidence at trials because it allows authorities to identify unknown genetic material found at crime scenes, Edwards and other police and crime lab officials say.
Police in other parts of the country, however, are not as willing to hand over their DNA. Rank-and-file police from Connecticut to Chicago to Los Angeles have opposed what some experts say is a slowly emerging trend in the U.S. to collect officers’ DNA.
Read more on SacBee.
Wow is this a slippery slope. If you collect DNA from police as a pre-condition of employment, and their DNA goes into a national database, what happens when the individual retires or quits the force? And what if a DNA search of the database reveals that a police officer is likely related to an unknown/as-yet-unidentified suspect?
I have long opposed the expanding collection of DNA from those who are not convicted of crimes. Collecting DNA for employment is equally – or even more – problematic, and I support the officers’ unions who are fighting this.

This is interesting (and not just because I didn't know Pirates had a Top Ten list) because I don't think any of these movies are interesting enough to borrow from the local library. Are they just easy to find online?

Keeping up. Perhaps Amazon could provide me with a market? “Centennial-Man: the book”
Amazon Signs Up Authors, Writing Publishers Out of Deal has taught readers that they do not need bookstores. Now it is encouraging writers to cast aside their publishers.
… “The only really necessary people in the publishing process now are the writer and reader,” he said. “Everyone who stands between those two has both risk and opportunity.”

Keeping up. Monetizing “Free” Did you like that viral video? Buy the T-shirt!
YouTube Now Allows Music Partners To Sell Merchandise, Digital Downloads And Event Tickets
We already know that YouTube is seeing 3 billion videos viewed per day, but the online video giant is now seeing a whopping 800 million people per month visiting the site, Google revealed in its third-quarter earnings report last week. And today, YouTube is also announcing the ability to sell merchandise, tickets and more via the site.
Through a feature called the Merch Store, YouTube partners will be able to sell artist merchandise, digital downloads, concert tickets and other experiences to fans and visitors. YouTube has partnered with a number of companies to launch these stores. Topspin is helping power merchandise sales, concert tickets and experiences; SongKick will help sell tickets for concerts; and iTunes and Amazon will power transactions for music downloads.

(Related) Interesting incentives for the music publishers... Something Apple and Amazon can't offer?
Google to launch cloud-connected music store?
With more than a healthy presence in major technology markets such as online search and computer operating software, it would appear Google is now angling to steal the limelight where online multimedia distribution is concerned.
That’s according to a report in the New York Times that claims the California-based titan plans to launch a cloud-connected music store capable of rivaling those of both Apple and Amazon.
… Some of the copyright protection tools enforced by said plan would see Google filtering piracy-related terms from search results and responding to publisher takedown notices within a period of 24 hours.

Might have value in any meeting. “Are we all on the same page?” Find out immediately, before everyone runs off and does their own thing...
An educational platform that aims to leverage the kind of technology which is already available in classrooms nowadays, Socrative empowers teachers to engage their students with educational activities on laptops, smartphones and tablets. These include exercises, quizzes and games, and teachers can correct and grade everything instantly and then provide their students with timely feedback. All of the Socrative apps can be set up in minutes, and they load in seconds.
When it comes to multiple choice, true/false and short answer questions, the responses of students are represented visually. And as far as pre-planned activities go, teachers can view reports online as a Google spreadsheet, or as an Excel file that's been sent via e-mail.
Socrative, then, allows teachers to assess their students and improve learning over time. A service like this one was long overdue - although laptops and tablets have become available within classroom settings, they haven't really been put to the best possible uses yet. The right apps just weren't there. But now that companies like Socrative are delivering them, we might well be on the verge of witnessing some really groundbreaking educational developments.