Saturday, October 29, 2011

If I wanted to steal Identities, I would set up this kind of system, “Tell me your Social Security Account Number so I can see if your data has been breached. Also tell me your Credit/Debit card number, your driver's license number, etc. etc. etc.”
Got Pwned? PwnedList Knows
October 28, 2011 by admin
Paul Roberts writes:
With more and more victims of identity theft minted every day, figuring out if you’re one of the unlucky masses with a leaked email password is yeoman’s work. Now one security researcher is trying to make it easy with PwnedList, a Web site that collects leaked and stolen data, then tells Internet users whether their information is in it.
PwnedList is the brainchild of Alen Puzic, a security researcher who works for HP’s TippingPoint DVLabs on the Advanced Security Intelligence team. The biggest challenge, he says, is staying on top of the tsunami of leaked records – which are pouring in at a rate of 40,000 to 50,000 a week. Puzic chatted(*) with Threatpost editor Paul Roberts via Skype this week.
Read more on ThreatPost.

A manager's job is to plan, direct, organize and CONTROL the organization. It constantly disappoints me to see how frequently managers fail in the control part...
October 28, 2011
NIST Publishes Guide for Monitoring Security in Information Systems
  • "Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. This publication specifically addresses assessment and analysis of security control effectiveness and of organizational security status in accordance with organizational risk tolerance. Security control effectiveness is measured by correctness of implementation and by how adequately the implemented controls meet organizational needs in accordance with current risk tolerance (i.e., is the control implemented in accordance with the security plan to address threats and is the security plan adequate). Organizational security status is determined using metrics established by the organization to best convey the security posture of an organization’s information and information systems, along with organizational resilience given known threat information."

(Related) “We don't want to change!” Nor do we want to go back and implement all the security controls we should have designed into our systems in the first place...
Would a federal data breach law really be too costly for the private sector?
October 28, 2011 by admin
Are you curious about the cost of a data breach notification law? Here’s the analysis of S. 1151, the Personal Data Privacy and Security Act of 2011, proposed by Senator Leahy. It appears that the biggest added cost to the private sector would be on improving security and not from breach notification since 46 states already require them to notify consumers of breaches.
The cost per entity of the data privacy and security requirements would depend on the rules to be established by the FTC, the size of the entity, and its current ability to secure, record, and monitor access to data, as well as on the amount of sensitive, personally identifiable information maintained by the entity. The majority of states already have laws requiring business entities to utilize data security programs, and it is the current practice of many businesses to use security measures to protect sensitive data. However, some of the new standards for data security in the bill could impose additional costs on a large number of private-sector entities.
For example, under the bill, businesses covered under subtitle A would be required to enhance their security standards to include the ability to trace access and transmission of all records containing sensitive personally identifiable information. [In other words, turn on their logs! Bob] The current industry standard on data security has not reached that level. According to industry experts, information on a particular individual can be collected from several places and, for large companies, can be accessed by thousands of people from several different locations. The ability to trace each transaction involving data containing personally identifiable information would require a significant enhancement of data management hardware [Only the storage of the log files Bob] and software for the majority of businesses. Further, the bill’s definition of sensitive personally identifiable information is broader than the current industry standard.
This definition would significantly increase the number of entities that would be required to implement new or enhanced data security standards. The aggregate cost of implementing such changes could be substantial.
Okay, but if they invest in what would be mandated security and save on breach-related costs, that doesn’t sound like a bad deal to me. Aren’t we constantly reminded how high breach clean-up costs are? And the trade-off here also seems to involve prohibiting a private cause of action for violation of contractual agreements – and isn’t that something that Facebook, Zynga, and others are fighting for?
I’m not saying that I particularly like or want this bill to be enacted. I’m just saying that from a cost standpoint, it doesn’t appear to be excessive when one considers what would be gained or off-set.
What do you think?

Ontology recapitulates phylogeny, as I always say. Each evolutionary step in computing requires management to re-learn the lessons of the previous generation...
October 27, 2011
Research Study - All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces
All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces - Juraj Somorovsky, Mario Heiderich, Meiko Jensen, Jörg Schwenk, Nils Gruschka, Luigi Lo Iacono. In Proceedings of the ACM Cloud Computing Security Workshop (CCSW), 2011.
  • "Cloud Computing resources are handled through control interfaces. It is through these interfaces that the new machine images can be added, existing ones can be modified, and instances can be started or ceased. Effectively, a successful attack on a Cloud control interface grants the attacker a complete power over the victim’s account, with all the stored data included. In this paper, we provide a security analysis pertaining to the control interfaces of a large Public Cloud (Amazon) and a widely used Private Cloud software (Eucalyptus). Our research results are alarming: in regards to the Amazon EC2 and S3 services, the control interfaces could be compromised via the novel signature wrapping and advanced XSS techniques. Similarly, the Eucalyptus control interfaces were vulnerable to classical signature wrapping attacks, and had nearly no protection against XSS. As a follow up to those discoveries, we additionally describe the countermeasures against these attacks, as well as introduce a novel “black box” analysis methodology for public Cloud interfaces."

“Obviously we have been so successful at keeping terrorists (and leprechauns) away from airports that they must be looking for alternate means of transportation. Therefore...”
"TSA's VIPR program may be expanding. According to the Washington Times, 'TSA has always intended to expand beyond the confines of airport terminals. Its agents have been conducting more and more surprise groping sessions for women, children and the elderly in locations that have nothing to do with aviation.' In Tennessee earlier this month, bus passengers in Nashville and Knoxville were searched in addition to the truck searches discussed here previously. Earlier this year in Savannah, Georgia, TSA forced a group of train travelers, including young children, to be patted down. (They were getting off the train, not on.) Ferry passengers have also been targeted. According to TSA Administrator John Pistole's testimony before the Senate last June, 'TSA conducted more than 8,000 VIPR operations in the [previous] 12 months, including more than 3,700 operations in mass-transit and passenger-railroad venues.' He wants a 50% budget increase for VIPR for 2012. Imagine what TSA would do with the extra funding."

You don't have to do business with black-listed nations to have your products show up in those countries. That's what eBay and Amazon are for...
A few weeks ago, in reaction to claims that Blue Coat systems were being used to track internet use in Syria, a company spokesman denied the charges here, saying "To our knowledge, we do not have any customers in Syria," and that the company followed the web of regulations that would prohibit sale to certain countries, Syria among them. In response to the logs on which the claims were based, he said "it appears that these logs came from an appliance in a country where there are no trade restrictions." A report at the Wall Street Journal says that the company has now acknowledged that Blue Coat devices are being used in Syria after all; the paper reports that at least 13 of the censorware boxes are in use there, and cites an unnamed source who says "as many as 25 appliances have made their way into Syria since the mid-2000s, with most sold through Dubai-based middlemen."

Friday, October 28, 2011

Print your own “You can trust me!” certification. What more could a crook want?
EFF Data Shows Four CAs Compromised Since June
The EFF, through the use of its SSL Observatory, has taken a look at the data from certificate revocation lists for SSL certificates in recent months, and found that there were four separate CAs compromised in the last four months.
… Again, each of these incidents could have broken the security of any HTTPS website," Peter Eckersley of the EFF wrote in an analysis of the data.

A really small percentage of a really big number – does that translate across the Internet?
Facebook Sees 600,000 Compromised Logins Per Day
New figures from Facebook reveal how often the social networking site’s users are hacked. In the blog post announcing the forthcoming “Trusted Friends” feature, Facebook also included an infographic detailing Facebook’s security measures. One figure in particular jumped out at security researchers: every day, “only .06%” of Facebook’s 1 billion logins are compromised. Or, to put it another way, 600,000 logins per day are compromised.

Unfortunately, I think this is the most likely reaction when the police (or anyone identifiable) denies any protest group what they want. You can see how it would make a cop nervous.
Hackers target Oakland police after Occupy protest
Contact information, schedules, badge numbers, and other information about Oakland Police Department officers was posted to a public Pastebin page. Meanwhile, the department's Web site also was down temporarily this morning, according to SC Magazine.
… "A protester who did two tours in Iraq is in critical condition with fractured skull and brain injury after a cop shot him in the head with a "non-lethal" weapon," the Pastebin statement said. "A crowd of protesters were deliberately hit with a flashbang while rendering first aid to an injured protester."
"I'm offering a $1,000 reward, no questions asked, for the name of the officer who threw a flashbang at the injured Iraqi vet," the statement added.

One of the downsides of being an early adopter.
Possible Dolphin Browser security and privacy issues found
October 28, 2011 by Dissent
Michael Crider writes:
Dolphin Browser HD is one of the most popular 3rd-party browsers in the Android Market, and with good reason. But an issue with version 6 and the current version 7 has raised the eyebrows of some users over at the ever-inventive XDA-Developers forum. According to forum poster “Fnorder”, the new Webzine feature records every link, search and visited page and sends them to a remote server. If true, the breach of Dolphin users’ privacy is very disturbing indeed.
Read more on Android Community.

The problem with having a very smart data aggregation and analysis tool is you don't want to wait for permission (Opt In) to start using it.
Is Klout Using Our Family to Violate Our Privacy?
October 27, 2011 by Dissent
Okay, this is disturbing. Danny Brown explains how even if you don’t authorize Klout to create a profile on you, Klout may be doing exactly that and linking it to your Facebook profile if you have one. And not only that, it’s doing this to kids:
He isn’t on Twitter, and he’s not super active on Facebook. He hasn’t given Klout permission to access his account, and he has his Facebook privacy settings at private. Just like Megan advises.
And yet here he is on Klout, with a profile and score of 38. However, that’s not the issue. The bigger issue is this. As you can see from the image (which I’ve blurred to protect his identity), you can clearly see that his Facebook icon is a live one (i.e., not shaded out), which means people can visit his Klout profile and be taken to his very private Facebook profile by clicking the Facebook icon.
So, a private Facebook profile with no access allowed to Klout is now on their system and, worse still, allowing any public visitor to Klout to be taken directly to Tonia’s son’s private Facebook account?
Doesn’t something smell incredibly rotten here?
Read more on B2C.
I hope Klout responds to the allegations.

I can see why they dropped the subsidy for phones (1870's technology), but why choose broadband as a replacement? (Because the phone companies want it?)
IDG reports that "The U.S. Federal Communications Commission has voted to overhaul a decades-old system of telephone subsidies in rural areas, with the funding refocused on broadband deployment. The FCC's vote Thursday would transition the Universal Service Fund's (USF's) high-cost program, now subsidizing voice service, to a new Connect America Fund focused on broadband deployment to areas that don't yet have service. The FCC will cap the broadband fund at $4.5 billion a year, the current budget of the USF high-cost program, funded by a tax on telephone bills." That cap, says Reuters, is "the first budget constraint ever imposed on the program."

Since I'm still trying to sort this out, I need more articles like this one.
Pointer: Cell Phone Data and Expectations of Privacy
October 28, 2011 by Dissent points us to an article by Peter A. Crusco in the New York Law Journal that provides a nice synopsis of Supreme Court and other cases on cell phone data – including location information – and the Fourth Amendment. You can read it on

Sometimes (often?) it is difficult to grasp the obvious.
Apple Gets in Bed With Business by Playing Hard to Get
… Today, the Forrester research firm — which just three years ago was telling corporate IT to steer clear of those pesky Macs — published a report saying that companies that want to succeed need to go ahead and show the Mac a little love.
… Fortune’s Philip Elmer-Dewitt sees Forrester’s about-face as a Hell-freezing-over kind of moment, but in an interview, Johnson says that his company’s advice has changed because the enterprise has evolved. Today, corporate workers are often running clunky old Windows XP desktops, and they’re getting frustrated. And many of them are buying shiny new Macs and iPads and bringing them into work to get stuff done.
That desire to get things done is pretty much what drove MS-DOS and then Windows users to start sneaking PCs into the enterprise about 30 years ago, he adds. “When end users and employees are making technology choices and bringing things into the office, it signals a sea change in IT.”

(Related) ...but a completely different strategy.
Google+ Embraces Big Business Via Google Apps
Google+ — the web giant’s fledgling social network — is now available to businesses, universities, and schools using Google Apps.
When Mountain View first unveiled its Facebook rival in late June, those with Google accounts tied to the Google Apps suite — a collection of online office applications — were not permitted on the social network. Now, they are — if their administrator activates the service within their particular organization. Once the admin switch is flipped, individual users can sign up at
Google+ is also available to any organization that has chosen to automatically enable any new service pushed onto the suite.
… According to a Google blog post, Google Apps users will have access to all the same Google+ tools as ordinary users, but they’ll also have the option of sharing content with their entire organization — even if they haven’t added individual colleagues to their Google+ “circles.”

The times are changing, even for stuck-in-the-mud lawyer types...
October 27, 2011
New on Law Periodical Publishing Practices and Trends
Law Periodical Publishing Practices and Trends - Law librarian, criminal defense attorney and prolific author Ken Strutin brings into focus how electronic access to scholarly information is impacting library collection policies as well as professional publication formats, and as a result, how a new legal research environment is developing. Ken's article provides a selected collection of resources about the law review publishing process, emerging trends in the information cycle, and practical guides for developing an article and getting it to press.
[From the article:
Durham Statement on Open Access to Legal Scholarship (2009) ...calls for all law schools to stop publishing their journals in print format and to rely instead on electronic publication
Scholarship Advice for New Law Professors in the Electronic Age, 16 Widener L.J. 947 (2007) ...The substance and length of what law professors write, the formats in which they do so, and the fora in which they publish are evolving.
… Professors who have been writing for years may find some useful nuggets about citation practices regarding blogs, the impact of recent law review limits on article length, electronic methods of browsing journals and articles in other disciplines, access to government documents, and posting on open-access archives."

(Related) Does this also apply to legal writing?
October 27, 2011
UK is a world-leader in science and research according to new report from BIS
"The International Comparative Performance of the UK Research Base 2011 report was compiled by Elsevier and published by the Department for Business, Innovation and Skills. It shows that UK research attracts more citations per pound spent in overall research and development than any other country. It has also found that the UK research base is highly mobile, internationally competitive and diverse... The UK also has more articles per researcher, more citations per researcher, and more usage per article authored than researchers in US, China, Japan and Germany."

Thursday, October 27, 2011

A new breach of old data?
Ru: More than 1.6 million Mobile TeleSystems phone subscribers learn their details leaked online
October 26, 2011 by admin
Nathan Toohey and Alina Lobzina report:
The Vedomosti newspaper has reported that more than 1 million of mobile provider MTS’ users have had their personal data published on the website.
A resident of the town of Ufa, Fedor Ponomarev, alerted the newspaper to the massive data leak.
The data originated from 2006 and after learning about the leak MTS tightened its data security, Vedomosti reported, adding that a source at MTS said the leak was “due to the fault of the security services.” The exact security services branch was not named.
According to Vedomosti’s estimates the database on the website contains more than 1.6 million phone numbers with the prefix codes 917 and 911, which correspond to the Bashkiria and St. Petersburg regions.
The database contains the name, surname and patronymic of private subscribers, as well as some address and passport details. [Perhaps you need a passport to call overseas? Bob]
Read more on The Moscow News.
Lukas I. Alpert also covers the breach on Moscow Times.
From available coverage, it sounds like the leak actually originally occurred in 2006 and that MTS may have known about a leak that year. But maybe I’m misunderstanding the news coverage…

Who benefits? Another politician? A news organization? A “concerned” government? What would the reaction be if the tap my Ethical Hacking students put on the US Congress was discovered?
Japanese Parliament officials and staff monitored by Malware
The recent revelations centering on Mitsubishi Heavy Industries isn’t the only cybercrime report coming out of Japan this week. As it turns out, the Lower House of the Japanese Parliament was attacked around the same time as Mitsubishi, which led to officials and staffers having their communications monitored.
Asahi Shimbun once again breaks the news, as sources tell them that 480 officials and staff in the Lower House were monitored for at least a month, thanks to Malware discovered on systems in late August. Investigators discovered that the Malware was installed sometime in July, after a member of the Lower House opened a malicious email attachment.
The payload served additional Malware from a source in China, which included the ability to hijack passwords and other information. The speculation is that the attack was designed to gather information on national politics, such as foreign policy and defense policy.
A spokesperson for the Lower House told Asahi Shimbun: “We are investigating whether computers and servers are infected with viruses and undoing the damage. We are not aware of any tangible damage, such as data loss.” [This directly contradicts what the article reports Bob]

How to deal with a breach. (From Gary Alexander)
Stepping Into the Breach
Data breaches are going to happen, regardless of what an institution does. How effectively a school responds may be a more telling indicator of its preparedness.
The first step, though, is to come clean. The knee-jerk reaction for many administrators is to keep news of the breach quiet. That's a mistake. "If you let the media control the message, it is going to be a painful experience," says Jeremiah Grossman, chief technology officer with WhiteHat Security. "It has to be all about honesty and transparency to make sure there remains a level of trust in the institution."

I noticed this in a brief Q&A about Google Plus – the future may include “automated eavesdropping”
Inside Google Plus
Wired: Have you thought about how you’re going to make money off this?
Horowitz: It’s not the highest priority. And it would be premature to come up with that before we understand how it’s used. But if we do a good job of serving users, we can stick to the Google philosophy that ads are a kind of tax on the product. So, for example, if you and I are talking about where we’re going for dinner on Sunday, and the system is smart enough to recognize the nature of that discussion and offer me a 20 percent discount for a local restaurant, that’s not a nuisance. That’s an incredibly valuable offer.

Internet responsible for 2 per cent of global energy usage
Justin Ma and Barath Raghavan, researchers at the University of California, Berkeley and the nearby International Computer Science Institute respectively, estimate that the internet consumes between 170 and 307 GW. [Remember, it only takes 1.21 gigawatts to run a DeLorean's flux capacitor Bob]

More perspective
Internet video consumption rivals basic cable
Sandvine's Global Internet Phenomena Report: Fall 2011 (PDF) (registration required) shows that real-time entertainment applications are the primary drivers of network capacity on fixed access (non-wireless) networks in North America, accounting for 60 percent of peak downstream network traffic from 7 p.m.-9 p.m., up from 50 percent in 2010.
The report also reveals that we've entered a post-PC era where the majority of the traffic is destined for devices other than a laptop or desktop computer.

Perspective Infographic
In 60 Seconds on the Web is a neat infographic displaying approximations of how much new stuff appears on the web every sixty seconds.

For my students. This is why we want to build the “Forever Wiki” to keep you current.
"Eric Bloom, an IT leadership coach and former CIO, has answered that eternal question 'does working on old software hurt your professional marketability' with a somewhat surprising 'no.' But, Bloom adds, 'a techie's skill set from a marketability perspective has a two year half-life. That is to say, that the exact set of skills you have today will only be half as marketable two years from now.'"

(Related) There is an old “case study” in the Harvard Business Review that analyzed a failed two-year applications development project. One of the main criticisms was that no development project should last more than six months! You cannot see what the technology will be ten years down the road...
"America's new CIO Steven VanRoekel wants to revamp the federal government and make it as agile as a startup. But first he has to get rid of bugs like the Department of Agriculture's 21 different e-mail systems. From the article: '“Too often, we have built closed, monolithic projects that are outdated or no longer needed by the time they launch,” he said. As an example, he mentioned the Defense Department’s human resources management system. Dubbed the “Defense Integrated Military Human Resource System,” the project was meant to take seven years to develop. Instead, it took 10, cost $850 million and had to be scrapped after 10 years of development in 2010 because it ended up being useless.'"

Wednesday, October 26, 2011

This might grow interesting. When did it start? What percentage of Mitsubishi locations have been hacked/infected? Are they the ONLY defense contractor hacked?
"When Mitsubishi announced in September it had been hacked in August it was criticized for keeping quiet for a month. Now it appears that the attackers got nuclear power plant and military aircraft details according to sources quoted in the Japanese media."
[From the article:
The computers were found to have been hacked in August, and 83 computers were found to have been infected with a virus. Those computers were spread out over 11 locations, including the Kobe and Nagasaki shipyards that construct submarines and destroyers as well as the Nagoya facility that is in charge of manufacturing a guided missile system.
At that time, Mitsubishi Heavy officials said no confirmation had been made that information related to products or clients had leaked.
According to sources, a further investigation into dozens of computers at other locations found evidence that information about defense equipment and nuclear power plants had been transmitted from those computers to outside the company.

Identity theft is so simple, you can do it while on parole... (Hey, a guy has to pay his lawyers!)
Identity thief nabbed with over 300,000 victim profiles
Robert Delgado, 40, who lived in a Los Angeles suburb called Monterey Park, pleaded guilty earlier this year to conspiracy to commit bank fraud and was sentenced on Monday. At the time of his arrest in March 2011, Delgado had already been on parole for identity theft.
Court documents show Delgado was accused of obtaining credit card numbers, forging credit cards and government-issued ID sporting his (or a co-conspirator's) photograph, and using the identity documents to buy flat screen TVs, power tools, electronics, and jewelry. Those in turn would be sold for cash.

How ineffective is the TSA? The article is funnier than the Sunday Comics. If the TSA is such a joke, why not eliminate the whole requirement for Airport security rather than put a bunch of individual contractors in its place?
Congressman: Secret Report On TSA Pat Downs, Body Scanner Failures Will “Knock Your Socks Off”
October 26, 2011 by Dissent
Steve Watson reports:
The chairman of the House Transportation and Infrastructure Committee, which oversees the TSA, has asserted that the release of a classified report on TSA security failures will renew calls for the replacement of the agency with private airport security personnel.
“The failure rate (for body scanning equipment) is classified but it would absolutely knock your socks off,” Florida Republican Rep. John L. Mica told reporters during a briefing Monday.
Read more on Infowars.

There is just too much money involved... I wonder what you would need to pay for an “anonymous card?”
"The two largest credit-card networks, Visa Inc. and MasterCard Inc., are pushing into a new business: using what they know about people's credit-card purchases for targeting them with ads online. 'A MasterCard document obtained by the Journal outlines some of the company's plans, which included linking Web users with purchases. According to the document, the credit card provider said it believes "you are what you buy." ... Visa is planning a similar service, which would aggregate its customers' purchase history into segments, including location, to make ads more effective at appealing to people in a respective area.'"

“Well, they have all this data just sitting there – of course we want to browse through it!”
Google’s updated Transparency Report reveals increase in government requests
October 25, 2011 by Dissent
Google released its semi-annual Transparency Report today, and it’s generating a lot of buzz. Here are two articles on the report you may want to read:
The data are intriguing, but frustrating, because of what they do not include or partial out. Like other privacy advocates, I would like to see even greater disclosure as to how many requests for user information were just requests and how many were subpoenas, warrants, or “emergency requests.”

For my Ethical Hackers. Just because they claim the records don't exist does not mean they won't prosecute you for hacking into their system and taking them – be sure to hide your tracks.
Feds Embrace Lying in Response to Public-Record Requests
The Justice Department is proposing new Freedom of Information Act rules allowing the government to inform the public that records do not exist even if they do.
The proposal, published in the Federal Register for comment, may codify existing practice, as the government has already lied to requesters of public records that relevant documents did not exist. Under normal practice, which seems Orwellian enough, the government may assert that it can neither confirm nor deny that relevant records exist if the matter involves national security.
Under the latest proposal, however, FOIA requesters might not sue to challenge the designation because the government has told them they did not exist, civil rights groups said.

More significant than it appears at first glance... Your automated “Power” searches will have to be revised...
Google Kills Its Other Plus, and How to Bring It Back
Google+ is the fastest-growing social network in history, with 40 million users since its June launch. To help them focus, Google’s quietly shuttered a number of products, removing iGoogle and Google Reader’s social features and closing Google Labs, Buzz, Jaiku and Code Search in the last two weeks alone.
But in doing so, they also killed off one of its oldest and most useful tools, from its most popular product.
On Wednesday, Google retired a longer-standing “plus”: the + operator, a standard bit of syntax used to force words and phrases to appear in search results.
Unlike their other recent closures, the removal of + was made without any public announcement. It could only be found by doing a search, which advised the user to double-quote the string from now on, making “searches” look like “awkward” “Zagat” “reviews.”
… Geeks from Reddit and Hacker News were quick to condemn the move.
The Alternatives
As Google marginalizes its core base, it’s opened the door for smaller, more nimble startups, such as DuckDuckGo, a one-man project that’s quickly becoming the go-to search engine for discriminating nerds.
For those unwilling to leave Google’s deep index, there are other solutions. One pseudonymous hacker made FindErr, a simple proxy that adds quotes to every search before shuttling the user off to Google.
My personal favorite is this simple userscript created by electrotype for Hacker News, which instantly adds quote marks to every submitted search. It works in Chrome natively and Firefox with the Greasemonkey plugin.
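As an added example, not the FindErr proxy or electrotype's userscript themselves, here is the rewrite such a tool has to perform, written in JavaScript so it could sit in a userscript: every bare term is double-quoted (what the retired + operator used to force), while existing phrases, negations and prefix operators such as site: are left alone. The operator list and the tokenizer are my own assumptions, not Google's documented query grammar.

```javascript
// Added example: a query rewriter in the spirit of the userscript and proxy
// mentioned above, not their actual code. Every bare word becomes a
// double-quoted term (what the retired "+" operator used to force), while
// existing phrases, negations and prefix operators are left alone.
// The operator list is an assumption, not Google's documented grammar.

const PREFIX_OPERATORS = ["site:", "filetype:", "inurl:", "intitle:", "ext:"];

// Split on whitespace but keep quoted phrases (optionally negated) together.
// An unterminated quote is treated as running to the end of the query.
function tokenize(query) {
  const tokens = [];
  const re = /-?"[^"]*"?|\S+/g;
  let m;
  while ((m = re.exec(query)) !== null) tokens.push(m[0]);
  return tokens;
}

function quoteToken(token) {
  if (token === "OR" || token === "AND") return token;   // boolean connectors
  let negate = "";
  let t = token;
  if (t.startsWith("-")) { negate = "-"; t = t.slice(1); }
  else if (t.startsWith("+")) { t = t.slice(1); }          // retired + syntax
  if (PREFIX_OPERATORS.some(op => t.toLowerCase().startsWith(op))) return negate + t;
  if (t.startsWith('"')) {                                 // phrase: normalise its quotes
    const inner = t.replace(/"/g, "").trim();
    return inner === "" ? "" : `${negate}"${inner}"`;
  }
  return t === "" ? "" : `${negate}"${t}"`;
}

// Rewrite a whole query; empty tokens (stray quotes, a lone "-") are dropped.
function quoteSearch(query) {
  return tokenize(query).map(quoteToken).filter(t => t !== "").join(" ");
}

console.log(quoteSearch('+alice bob "zero day" -marketing site:example.com'));
// → "alice" "bob" "zero day" -"marketing" site:example.com
```

Because an unterminated quote swallows everything after it, a query like `"foo site:example.com` becomes one phrase rather than a phrase plus an operator; that mirrors what you would get by typing it, but it is the case to watch if you feed saved "power" searches through a rewriter like this.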

This could be fun
"The BBC reports that the Royal Society is putting all of its old papers online and has a fascinating sample of articles from the first several years. You can reach all the old journal articles from this page at the Royal Society by selecting a journal and going to past issues."

Tuesday, October 25, 2011

Apparently (we need a better translation) this includes airline tickets and the passport numbers that “prove” you aren't a terrorist.
database with 715,000 customers’ personal information and 80,000 passport numbers leaky due to “stale” security
October 24, 2011 by admin
The following is via Google’s translation of what Brenno de Winter reported:
… leaked a database of 715,000 customers. Attackers obtained not just names but also tickets and passport numbers.
This was found by a source who reported on condition of anonymity. He discovered that not all patches had been applied in the Windows Server 2003 environment. Because the environment was vulnerable to a weakness published in 2009, he was able to access the system containing the database with customer data.
A lot of personal information
The database holds the personal information of 715,000 customers, including full name, address, telephone number and meal preferences. Together, these customers purchased more than 1.2 million tickets. For flights to destinations including the United States, passengers have to supply their passport details; 80,000 of those are certainly in the database.
[...] will not respond to questions from Macworld. But CEO Raymond Vrijenhoek will issue a statement later today.
Read more on Webwereld. In reading translations of other news stories on the breach, I chuckled over one translation of outdated/unpatched as “stale.” That seems about right.

Another Privacy Damages article. Would this apply to individuals? Replacing credit/debit cards is a cost to the banks. Credit monitoring or insurance is often paid for by the breachee, not the individual victims. If you do purchase insurance after notification of a breach where the organization breached claims there is no risk of identity theft, would the court see that as a breach-related expense, or an individual whim?
Federal Appeals Court Holds Identity Theft Insurance/Credit Monitoring Costs Constitute “Damages” in Hannaford Breach Case
October 24, 2011 by admin
I posted something on this decision earlier today, but David Navetta has such a helpful analysis of the ruling that I wanted to mention it here. His commentary begins:
In a significant development that could materially increase the liability risk associated with payment card security breaches (and personal data security breaches, in general), the U.S. Court of Appeals 1st Circuit (the “Court of Appeals”) held that payment card replacement fees and identity theft insurance/credit monitoring costs are adequately alleged as mitigation damages for purposes of negligence and an implied breach of contract claim. For some time, the InfoLawGroup has been carefully tracking data breach lawsuits that, for the most part, have been dismissed due to the plaintiffs’ inability to allege a cognizable harm/damages. In fact, we have been tracking the legal twists and turns of the Hannaford case with great interest (see e.g. here, here, here, here, here and here). The decision in Hannaford could be a game changer in terms of the legal risk environment related to personal data breaches, and especially payment card breaches where fraud has been perpetrated. In this post, we summarize the key issues and holdings of the Court of Appeals.
Read more on InformationLawGroup.

(Related) The 'earlier post'
Appeals court decision in Hannaford data breach case could signal new approach
October 24, 2011 by admin
Judy Greenwald reports that at least one lawsuit against Hannaford Bros. following their 2007 breach is still alive:
An appeals court’s decision to permit negligence and contract putative class action litigation to proceed in a grocery store chain data breach because of the alleged damages incurred could signal a change in courts’ approach to this issue, says an expert.
Twenty-six separate suits were filed against Hannaford arising from the breach and were consolidated into one suit. Plaintiffs said they experienced more than 1,800 unauthorized charges to their accounts and suffered several categories of losses as a result of the breach.
“Plaintiffs’ claims for identity theft insurance and replacement card fees involve actual financial losses from credit and debit card misuse,” a three-judge appeals court panel said in its Oct. 20 ruling. “Under Maine contract law, these financial losses are recoverable as mitigation damages as long as they are reasonable,” the court ruled in partly affirming and partly reversing a lower court ruling.

Is there a central repository of privacy laws and regulations Google would need to comply with in each country? (It doesn't pop up on the first few pages of a Google search) NOTE: The big audit firms would likely call on one another to conduct “independent” audits of their clients, so it is likely they each have this expertise.
FTC Gives Final Approval to Settlement with Google over Buzz Rollout
October 24, 2011 by Dissent
Following a public comment period, the Federal Trade Commission has accepted as final a settlement with Google, and authorized the staff to provide responses to the commenters of record. The settlement resolves charges that Google used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The agency alleged that the practices violate the FTC Act. The settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years.
The Commission vote approving the final settlement was 4-0. (FTC File No. 102-3136; the staff contact is Katherine Race Brin, Bureau of Consumer Protection, 202-326-2106; see press release dated March 30, 2011.)
Source: FTC

“It is illegal to be young and ignorant!” In “Ye Olde (Pre-Internet) Days” no one knew you were playing Doctor. Now teens have portable “x-ray machines” to better equip their examination rooms and they can send the images out for a “consultation.”
MI: Prosecutor to seek cell records in ‘sexting’ probe
October 25, 2011 by Dissent
Associated Press reports a story originally reported by WCSR in Michigan:
A prosecutor plans to subpoena cell phone records of students in Hillsdale and Branch counties as part of an investigation into widespread sharing of sexually explicit photos.
Assistant Hillsdale County Prosecutor Megan Stiverson told WCSR for a story Friday that the original “sexting” incident involved two female students at Hillsdale High School and a male student at Quincy High School.
She said at least a dozen others are involved with some students taking explicit photos of themselves and sending them with their cell phones.
Stiverson said sending a nude photo of a minor is a felony, even if the minor is sending it.
Is a subpoena the right requirement here, or should it be a warrant to search their cell phones? And are we (again) criminalizing youthful indiscretions?
The cases I mentioned earlier this week from Baltimore raise different issues – including uploading material to the Internet of people who neither knew they were being taped nor consented to it. In this case, if teens are voluntarily sharing nude photos of themselves, then however stupid or dangerous we think such behavior might be, do we really want this all handled as a criminal investigation? This is where we should try education. What have the schools in Michigan been doing to teach teens about privacy? [Or schools anywhere? Bob]

They should learn from Internet companies. “We'll give you a dollar a month. To receive more, sign up for our fun “fingerprinting & DNA” social network!”
Judge Orders Injunction On Florida’s Welfare Drug Testing Law
October 24, 2011 by Dissent
David Taintor reports:
A U.S. district judge on Monday ordered an injunction on a Florida law requiring welfare applicants to pass a drug test before receiving state benefits.
An ACLU lawsuit filed in September claimed the Florida law violates the Fourth Amendment by requiring welfare applicants to submit to a “suspicionless” drug test. The suit was filed on behalf of Luis Lebron, a 35-year-old Orlando resident and Navy veteran who applied for welfare benefits but refused to take the drug test.
Read more on TPMmuckraker.

Something to mention to all my students...
Privacy-protecting Facebook Disconnect app is downloaded 152,000 times
October 24, 2011 by Dissent
Rob Waugh reports:
Facebook’s reassurances about its privacy policies don’t seem to have calmed people’s fears of the internet giant – as users flock to shield their browsing histories from its all-seeing eye.
Facebook openly admits to tracking your use of other websites while you are logged in to the site. But the site’s attempts to reassure people that its use of their web browsing information is innocent don’t seem to have had the desired effect.
Facebook Disconnect – a browser extension which prevents Facebook ‘seeing’ which other sites you visit online – has been downloaded 152,000 times.
Read more on Daily Mail
So we know that there are at least 152,000 privacy-conscious people in the world. That’s nice. :)
[...until you remember that Facebook has over 700 million users. Bob]
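The mechanism behind an extension like Facebook Disconnect is a request filter: a Facebook-owned resource (Like button, connect script, image on fbcdn) requested from a page that is not itself Facebook gets cancelled, so the embedded widget never phones home with the referring site. As an added example, not the extension's own code, here is that decision in JavaScript. The list of Facebook-owned domains is an assumption; the naive suffix check is included only to show the classic bug it carries.

```javascript
// Added example, not Facebook Disconnect's own code: the decision a request
// filter makes to stop Facebook's embedded widgets from reporting which
// third-party pages you visit. The domain list below is an assumption.

const FACEBOOK_DOMAINS = ["facebook.com", "facebook.net", "fbcdn.net"];

// Naive suffix check: WRONG, because "notfacebook.com" also ends with
// "facebook.com" (and an attacker can register such a name).
function naiveIsFacebookHost(host) {
  return FACEBOOK_DOMAINS.some(d => host.endsWith(d));
}

// Correct check: exact match, or a real dot-delimited subdomain of a listed
// domain. Case and a trailing dot (FQDN form) are normalised first.
function isFacebookHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return FACEBOOK_DOMAINS.some(d => h === d || h.endsWith("." + d));
}

// Parse the hostname out of a URL; null when the string is not a URL.
function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

// True when the request should be cancelled: a Facebook-owned resource
// requested from a top-level page that is not itself on Facebook.
// Unparsable URLs are left alone (returns false) so other rules can decide.
function shouldBlockRequest(requestUrl, topPageUrl) {
  const reqHost = hostOf(requestUrl);
  const pageHost = hostOf(topPageUrl);
  if (reqHost === null || pageHost === null) return false;
  return isFacebookHost(reqHost) && !isFacebookHost(pageHost);
}

// Orientation only (assumed wiring for a Chrome extension; looking up the
// tab's top-level URL from details.tabId is omitted here):
// chrome.webRequest.onBeforeRequest.addListener(
//   details => ({ cancel: shouldBlockRequest(details.url, topUrlForTab(details.tabId)) }),
//   { urls: ["<all_urls>"] }, ["blocking"]);

console.log(shouldBlockRequest("https://www.facebook.com/plugins/like.php?href=x",
                               "https://news.example.com/story"));   // → true
```

The hostname comparison is where such filters usually go wrong: matching on a bare string suffix either lets `notfacebook.com` through the block list or, in an allow-list context, lets an attacker-registered look-alike pass as first party. Normalising the host and requiring a dot boundary is the habit to carry into any origin check, not just this one.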

If you saw this coming, where do you now stash your millions?
Swiss Banks Said Ready to Reveal Clients
… “The Swiss would like to get out of this by paying money, and they’ve done that with other countries,” said tax attorney H. David Rosenbloom of Caplin & Drysdale Chartered in Washington, who isn’t involved in the talks. “For the U.S., it’s not primarily a money question. It’s a matter of making sure the laws apply fairly among taxpayers.”
… UBS, which isn’t one of the 11 banks now under scrutiny, avoided prosecution in 2009 by paying $780 million, admitting it fostered tax evasion and handing over details on 250 secret accounts. It later disclosed another 4,450 accounts.

Because Infographics get the point across (usually)
INFOGRAPHIC : How SMS Messaging Is Changing The World

For my geeks
3 Websites To Help You Find The Best Software
Looking for software online has actually become easier these days. Do you want to see a comparison of all similar software for a specific task? There’s an app for that. Do you want to see all alternatives to a specific program? There’s an app for that too. You probably knew this from using the many rich repositories of software available on FileHippo, SourceForge, etc. However, there are other more recently developed applications with interesting approaches to listing software that might just help you find what you need quickly and painlessly.
CatchFree is a brilliant site that offers a very useful approach to software. You simply type the task you’re trying to accomplish on the site’s search bar, and you’ll be presented with software suitable for your specified task. What makes it stand out from other software repository sites is that it lists several products at once and displays in a nice comparison chart all the common features of the products so you’ll know exactly which ones can perform additional tasks or not.
AlternativeTo. You can use this site by first typing in the name of the software you’re trying to find an alternative for. After that, you’ll see a list of similar software sorted by user “likes”. You can filter by platform
… If you’re interested in more sites that can show you what other users prefer, check out the social network Wakoopa, Apps & Oranges, iusethis, FilePig, etc. There are plenty of resourceful lists on our site that will point you to some of the best applications and services for a variety of platforms.

Monday, October 24, 2011

Think it couldn't happen here?
Contract worker stole all Israelis’ personal information’
October 24, 2011 by admin
Okay, this is not a great headline to wake up to. The Jerusalem Post reports:
Information was used to create searchable database with sensitive information of every Israeli, living and deceased; computer technician put the database on the Internet for anyone in the world to access.
A contract worker from the Ministry of Labor and Welfare was charged with stealing the personal information of over 9 million Israelis from the Population Registry, the Justice Ministry announced Monday after a media ban was lifted.
The worker electronically copied identification numbers, full names, addresses, dates of birth, information on family connections and other information in order to sell it to a private buyer.
The information was also given to another individual who used it to design a software program called “Agron 2006”, which exploited the database to allow queries of all Israeli citizens, allowing information to be illegally sold based on various parameters. Those parameters could include familial relationships of the entire Israeli population, over several generations.
A copy of the software program, devoid of any protection mechanisms, was later obtained by a computer technician who uploaded it to the Internet. He even created a website with detailed instructions explaining how to download and use the Argon program with Israeli citizens’ personal information.
Read more on Jerusalem Post. This is not the first time we’ve seen an entire country’s information breached, but it’s still staggering and a reminder of the insider threat.
[From the Post article:
Ironically, the computer technician went to great lengths to hide his own identity. Using the online pseudonym "aRi", the suspect used various methods and software to hide his IP address and delete any traces of his activity from computers he used, the Justice Ministry said. [How to find the hacker? Match the government's database against the online database – whoever isn't online is your crook! Bob]
The significance of the personal information's release to the entire world, the Justice Ministry said, ranges from personal privacy to economic and physical security.

In “Ye olde days,” the worst that would happen is a teenager would earn a “reputation” in the neighborhood or if he really screwed up, become known as the village idiot. Today, anyone who sees something stupid/amusing/titillating is expected to post the video so all his buddies (and everyone else in the world) can have a laugh.
Lessons not learned: teens, sex in public areas, and reputations ruined
October 23, 2011 by Dissent
There have been many bad laws that have been proposed in the name of protecting children. And when those proposed laws collide with adults’ rights or wishes, the conflict can be intense. Now a situation in Maryland reminds us that sometimes, children may, indeed, need protection – even from the consequences of their own actions. But what will the fallout be?
The facts of the case are not yet clear, but it involves a video tape of a 14-year old student having sex on a Baltimore public school property. WJZ has been all over the story since the father of the student contacted them to express outrage that the video had gone viral on the Internet. He alleges that his daughter was bullied into having sex and had no knowledge she was being taped. Nor did she ever consent to being taped or having the tape uploaded, he claims.
Why, he asks, did YouTube, Facebook, and Twitter allow that tape – a tape that might legally be considered child pornography - to remain on their servers for four days before removing it?
I will give YouTube, Facebook, and Twitter the benefit of the doubt that they acted quickly once they became aware of the situation. But is it too easy to upload privacy-invasive or reputation-destroying videos to the Internet? I have no doubt that some will use this case to argue “yes.” There will likely be more calls for regulation or changes to try to prevent this type of situation, but it’s not the first time we’ve seen something like this, and sadly, I don’t think it will be the last time.
Apart from issues about sex, teens are simply not getting the important messages about privacy.
In another case in Maryland – one seemingly involving consensual sex in a high school auditorium at Milford Mill Academy – three teenage students have been charged with perverted sex acts and indecent exposure. No one has been charged in that case with uploading video of those acts to the Internet, although there have been unconfirmed rumors that there is a videotape that was uploaded.
So what do we, as a society, do?
For the past few years, we’ve read a lot about anti-bullying programs in schools. We’ve heard a lot about teaching youth to respect their own privacy and to use the Internet safely. Sadly, and although educating is always a good first step, I doubt any of those programs will sufficiently prevent this type of thing – youth consciously choosing to upload a video that invades someone else’s privacy or that damages their reputation in ways that may impact their future. I’m beginning to think maybe we also need to incorporate courses on law in middle school and high school curricula that include defamation, criminal invasion of privacy, and statutory rape. And I think we need to be very clear that even if students try to hide their tracks if they engage in inappropriate or illegal online conduct, they will be identified and caught – and prosecuted.
I do not think self-regulation by businesses has failed. It’s the self-regulation by users that has failed, and we need to be mindful of that before proposing any new laws. Attempts to make businesses responsible for protecting users from themselves puts the responsibility on the wrong parties. But somehow, somehow, we do need to protect people from invasion of privacy and reputation harm because some teenager or adult decided it would be funny or vindictive to upload a video of someone else.

Perspective: Income from virtual products – no warehousing, shipping, returns for credit...
Facebook Will Probably Be More Profitable Than Amazon This Year
In the first six months of 2011 Facebook had $1.6 billion in revenue and about $800 million in operating income, says a source I trust a lot. That revenue number has been reported before. And the 50% profit margin is in line with last year’s $2 billion in revenue and $1 billion in operating income.
With Facebook growing revenue and profit by more than 50% every six months, it won’t be surprising if they hit something close to $2 billion in operating income for the year.
… Of course Amazon has far more revenue than Facebook, nearly $10 billion per quarter, and Q4 will be much higher than $10 billion. Last year they had $34 billion in revenue.
They just have terrible margins compared to Facebook because they sell (and deliver) actual stuff. Facebook delivers ad impressions and Facebook credits to buy stuff on Zynga.

I pull in 20 feeds each morning (200+ articles) so I always recommend RSS readers. This tool might be useful to share (or backup?) a list of feeds on a particular subject.
ChimpFeedr: A Web App To Mash Up RSS Feeds
Chimp Feedr is a web service that mashes your RSS feeds together. The site does not ask you to create any accounts. All you have to do is keep entering the URLs of the RSS feeds that you want merged. When you are done you can click on the “Chomp Chomp!” button, name the new feed, and obtain its URL.
The new feed includes entries from all the feeds you entered sorted according to time. You can now add this feed to your RSS reader.
Also read related articles: 14 “OTHER” Ways to Use RSS Feeds.

Sunday, October 23, 2011

Don't you just love “test cases?”
"Bad Lip Reading is an independent producer known for anonymously parodying music and political videos by redubbing them with his humorous attempts at lip-reading, such as Everybody Poops (Black Eyed Peas) and Gang Fight (Rebecca Black). According to an interview in Rolling Stone, he creates entirely new music from scratch consisting of his bad lip readings, and then sets them to the original video, often altering the video for humorous effect and always posting a link to the original on which it is based. Although his efforts have won the respect of parody targets Michael Bublé and Michelle Bachman, not everyone has been pleased. Two days ago, Universal Music Group succeeded in getting his parody Dirty Spaceman taken down from YouTube, and despite BLR's efforts to appeal, in his words, 'UMG essentially said "We don't care if you think it's fair use, we want it down."' And YouTube killed it. So does this meet the definition of parody as a form of fair use? And if so, what recourse if any is available for artists who are caught in this situation?"

Read the TOS? What a concept! Why would MS limit emails? Just a trick to sell upgrades?
"ZDNet's Ed Bott warns small businesses that if you sign up with Microsoft's Office 365, make sure you read the fine print carefully as an obscure clause in the terms of service limits the number of recipients you're allowed to contact in a day, which could affect the business very badly. Office 365's small business accounts (P1 plan) are limited to 500 recipients per 24 hours and enterprise accounts are limited to 1500. That's a limitation of 500 recipients during a single day. And the limitation doesn't apply to unique recipients. It's not hard to imagine scenarios in which a small business can bump up against that number."

Perspective This was inevitable, once we started thinking about “transportable computers” – even though we needed a furniture dolly to move the first ones.
Bret Taylor: “A Few Years From Now, Most Every Single Person At Facebook Is Going To Be Working On Mobile”
How important is mobile to Facebook? Already, 350 million of its 800 million monthly active users are on mobile devices, and that number is just going to get bigger. “Fundamentally we view it as a really big shift for our company, as fundamental as the shift from desktop apps to the Internet,”

Geek tools...
"The new programming language Opa makes web programming easier by providing a one-tier one-language-for-everything approach. Now it goes one step further by providing a (very-minimalistic for now) web-based IDE that allows users to compile & deploy Opa programs in one click in your web browser. Give it a spin!"

Geeky stuff (for Fedora)
How To Set Up An Apache Web Server In 3 Easy Steps