Saturday, November 12, 2011


I feel a rant coming on...
Virginia Commonwealth University alerts 176,567 faculty, staff, students and affiliates to hacking incident
November 11, 2011 by admin
A notice was posted today on Virginia Commonwealth University’s web site:
To the VCU and VCU Health System communities:
A security incident has resulted in unauthorized access to a Virginia Commonwealth University computer server containing files with personal information on current and former VCU and VCU Health System faculty, staff, students and affiliates. We believe the likelihood is very low that any personal data on the individuals in the files was compromised, but it is impossible to be completely certain, [because we don't bother to record what happens on our servers? Bob] so we are notifying all involved via email and first-class mail.
On October 24, routine monitoring of servers supporting a VCU system uncovered suspicious files on one of the devices. The server was taken offline and a forensic investigation was launched [to see if we could figure out what the missing logs would have told us instantly Bob] to identify what unauthorized activities had taken place and the vulnerabilities that led to the compromise. The vulnerabilities have been corrected, and it has been determined that this server contained no personal data.
Five days later, VCU’s continuing investigation revealed two unauthorized accounts had been created on a second server, which also was taken offline. Subsequent analysis showed the intruders had compromised this device through the first server. [Apparently the “forensic examination” did not discover this... Bob] The intruders were on the server a short period of time and appeared to do nothing other than create the two accounts.
Files on this second server contained data on 176,567 individuals. Data items included either a name or eID, Social Security Number and, in some cases, date of birth, contact information, and various programmatic or departmental information.
Our investigation was unable to determine with 100 percent certainty that the intruders did not access or copy the files in question. [...since there was no log. Bob] We believe the likelihood that they did is very low. However, because this data was potentially exposed, we are proactively informing of this event and subsequent actions affected individuals can take to monitor personal information.
… VCU continues its investigation and is working with local and federal law enforcement agencies.
… VCU is reviewing its information technology security measures and procedures and will make improvements to prevent this type of incident from happening again. [But we still won't bother with logs... Bob]
It’s a good description but I wish they wouldn’t rush to minimize risk. The fact is, as they say, that they don’t know. Under such circumstances, why not just tell people what you do know and let them form their own assessment of their risk so they can decide what to do, if anything?
Previous breaches involving VCU can be viewed on DataLossDB.org.
[Gibberish from the CBS6 article:
The hackers infected one of the servers with some type of virus that allowed them to download 16 minutes worth [It's not a TV show.. Bob] of confidential information including name or id, date of birth, and even social security numbers.
"We can't be 100 percent certain that these files were not accessed," said VCU Chief Information Officer Mark Willis. "But we were able to attract [Track? Bob] the activities of the intruders very well. So, we know what they were up to, what they were doing."
Willis believes the information that could have been compromised goes back as far as to 2005. [and this was needed online, why? Bob]
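The notice above says two unauthorized accounts were created and that the investigation could not say who created them or what else was done. Ordinary authentication logging answers the first question directly. The following is an added example (not code from VCU, DataBreaches.net or this blog) showing the kind of check a defender would run over syslog-style `auth.log` lines: it pairs each `useradd` "new user" record with the `sudo` invocation that created it, and flags creations that have no audited actor or whose actor is not on an allowlist. The log excerpt, hostnames, user names and the `APPROVED_ADMINS` allowlist are all constructed for the example.

```python
"""Added example: spot unauthorized account creation in auth.log-style lines.

Not the VCU notice's code or any project's; the sample log below, the host
names, user names and the approved-admin allowlist are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed allowlist: the only people expected to add accounts on this host.
APPROVED_ADMINS: Set[str] = {"jsmith", "ops-admin"}

# Constructed sample excerpt in the common syslog auth.log layout. Two accounts
# (svc_backup, sysupdate) appear during an odd-hours session of the web service
# account; one (intern_q4) is added by a known administrator during the day.
SAMPLE_AUTH_LOG = """\
Oct 29 02:13:41 srv-02 sshd[4412]: Accepted publickey for www-data from 10.0.5.7 port 51022 ssh2
Oct 29 02:14:02 srv-02 useradd[4430]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
Oct 29 02:14:19 srv-02 useradd[4438]: new user: name=sysupdate, UID=1008, GID=1008, home=/home/sysupdate, shell=/bin/bash
Oct 29 02:14:25 srv-02 sudo: www-data : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/useradd sysupdate
Oct 29 09:30:11 srv-02 sshd[5120]: Accepted password for jsmith from 192.168.1.20 port 40210 ssh2
Oct 29 09:31:00 srv-02 useradd[5133]: new user: name=intern_q4, UID=1009, GID=1009, home=/home/intern_q4, shell=/bin/bash
Oct 29 09:31:03 srv-02 sudo: jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/sbin/useradd intern_q4
"""

SYSLOG_TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
USERADD_RE = re.compile(SYSLOG_TS + r"useradd\[\d+\]: new user: name=(?P<name>[^,]+)")
SUDO_RE = re.compile(SYSLOG_TS + r"sudo: +(?P<actor>\S+) : .*COMMAND=(?P<cmd>.*)$")


@dataclass
class Finding:
    timestamp: str
    host: str
    new_user: str
    actor: Optional[str]   # None when no sudo record explains the creation
    reason: str


def find_unauthorized_accounts(log_text: str, approved: Set[str] = APPROVED_ADMINS) -> List[Finding]:
    """Return one Finding per account creation that lacks an approved, audited actor."""
    lines = log_text.splitlines()

    # Pass 1: which sudo user ran useradd for which target account.
    actor_for: Dict[str, str] = {}
    for line in lines:
        m = SUDO_RE.match(line)
        if m and "useradd" in m.group("cmd"):
            target = m.group("cmd").split()[-1]
            actor_for[target] = m.group("actor")

    # Pass 2: every "new user" record must be explained by an approved actor.
    findings: List[Finding] = []
    for line in lines:
        m = USERADD_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        actor = actor_for.get(name)
        if actor is None:
            findings.append(Finding(m.group("ts"), m.group("host"), name, None,
                                    "account created with no audited sudo actor"))
        elif actor not in approved:
            findings.append(Finding(m.group("ts"), m.group("host"), name, actor,
                                    f"account created by non-approved actor {actor}"))
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_accounts(SAMPLE_AUTH_LOG):
        print(f"{f.timestamp} {f.host}: {f.new_user} <- {f.actor or '?'} ({f.reason})")
```

Run against the constructed excerpt it reports `svc_backup` (no sudo record at all) and `sysupdate` (created by the `www-data` service account), and stays quiet about `intern_q4`. The point is not the regexes but that the answer is immediate when the log exists and is shipped off-host before an intruder can touch it; without that, "a forensic investigation" is the only remaining option, as the notice shows.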


What other facts are not correct?
The Twitter Wikileaks case: how an outdated law makes a researcher’s impressive analysis somewhat irrelevant
November 12, 2011 by Dissent
Over on Slight Paranoia, privacy and security researcher Chris Soghoian does a brilliant job of delving into a section of the recent opinion in the Twitter Wikileaks case.
In the opinion issued this week, Judge O’Grady addressed the issue of whether three people associated with Wikileaks had any reasonable expectation of privacy in their IP addresses. In a nutshell, after reviewing Twitter’s privacy policy and the “I agree” button that they had to click to obtain their Twitter accounts, the judge decided that they had no reasonable expectation of privacy with respect to their IP addresses.
In his blog post, Chris criticizes the judge’s analysis on a few grounds. Importantly, the privacy policy that the judge quoted in explaining his ruling was not the privacy policy that was in place at the time the three users first signed up for their accounts. Big oops, yes. Chris argues that the version in effect at signup would have given the users a reasonable expectation of privacy in their IP addresses – assuming that any of them had even read it. As everyone except the judge seems to recognize, almost no one actually reads privacy policies. [Apparently, lawyers didn't read it either Bob]
Although the judge did cite and analyze the wrong version of the policy, it is not clear that this is the judge’s error as we do not know whether counsel for the three individuals ever submitted the version that was in effect when they signed up. If they didn’t, that is unfortunate, although it wouldn’t have any bearing on the issue of whether people actually read the privacy policy or any updates to it.
Chris writes:
If the judge were to examine the privacy policy that existed when these three targets signed up for a Twitter account, he might decide that they do in fact have a reasonable expectation of privacy and that the government needs a warrant to get the data.
I disagree with Chris on that. Even if the judge had acknowledged that Twitter’s privacy policy at the time of signup created a reasonable expectation of privacy, the court could still simply point out that a company’s privacy policy cannot trump a 2703(d) order. Application for a 2703(d) order does not involve demonstrating that the target had no reasonable expectation of privacy. It only requires that “the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation….”
Not only does a privacy policy not exempt the provider from complying with an order under existing law, but the judge also cites Third Party Doctrine: (Order at p. 28) (Order at p. 30)
Game over. And I don’t blame the judge who is just applying existing law. The problem is with existing laws that desperately need updating.
ECPA needs to be updated so that a warrant is required to obtain users’ data from online providers. And we need to throw out outdated Third Party Doctrine and recognize that users have and are entitled to have a reasonable expectation of privacy for much of their online activities.
The Twitter Wikileaks case also reminds us – as if we needed more proof – that businesses that collect and retain data for months or years increase the risk to our privacy.
Lawyers for the three individuals have not yet announced any decision as to whether to appeal Judge Liam’s ruling. Frankly, I don’t think they can prevail. Not because they’re wrong, but because the law is wrong. And Congress needs to fix that.


Another outdated set of laws? An interesting take on why pirating continues...
How litigation only spurred on P2P file sharing
Do you remember back in 2001 when Napster shut down its servers? US courts found Napster Inc was likely to be liable for the copyright infringements of its users. Many of Napster's successors were also shut down.
Aimster and its controversial CEO were forced into bankruptcy, the highest court in the US strongly suggested that those behind Grokster and Morpheus ought to be held liable for "inducing" their users to infringe, and Kazaa's owners were held liable for authorisation by our own Federal Court. Countless others fled the market in the wake of these decisions with some, like the formerly defiant owners of Bearshare and eDonkey, paying big settlements on the way out.
By most measures, this sounds like an emphatic victory for content owners. But a funny thing happened in the wake of all of these injunctions, shutdowns and settlements: the number of P2P file sharing apps available in the market exploded.
… I would argue pre-P2P era law was based on a number of "physical world" assumptions. That makes sense, since it evolved almost exclusively with reference to physical world scenarios and technologies. However, as it turns out, there is often a gap between those assumptions and the realities of P2P software development.
Four such physical world assumptions are particularly notable in explaining this phenomenon.
  • The first is that everybody is bound by physical world rules.
  • The second is that it is expensive to create distribution technologies that are capable of vast amounts of infringement.
  • The third is that distribution technologies are developed for profit.
  • The fourth is that rational developers of distribution technologies won't share their secrets with consumers or competitors.
Dr Rebecca Giblin is a member of Monash University's law faculty in Melbourne. Her new book Code Wars tells the story of the decade-long struggle between content owners and P2P software providers, tracing the development of the fledgling technologies, the attempts to crush them through litigation and legislation, and the remarkable ways in which they evolved as their programmers sought ever more ingenious means to remain one step ahead of the law.
… Visit codewarsbook.com where you can read the first chapter in full. Physical copies can be ordered online from stores like Amazon and Book Depository, and electronic copies are available via Google books at a heavily discounted price. [What? No P2P sharing? Bob]

(Related) How to alienate just about everyone...
"In a court case between Hotfile.com and Hollywood studios, Warner Brothers admitted they sent takedown orders for thousands of files they didn't own or control. Using an automated takedown tool provided by Hotfile, Warner Brothers used automated software crawlers based on keywords to generate legal takedown orders. This is akin to not holding the Post Office liable for what people mail, or the phone companies liable for what people say. But the flip side is that hosters must remove files when receiving a legal takedown notice from the copyright holder — even when the copyright holders themselves don't know what material they actually own."


In contrast to those who fight consumers to control content, these people make money by giving content away.
"Cryptic Studios, the developer of the Star Trek Online MMO, announced that they are switching to a Free-to-Play model on January 17th. Free subscribers to the game will be able to play, but will not get the same benefits as paying subscribers still get. Free accounts will be Silver, while paid accounts will be called Gold. Silver accounts will be able to pay for features that Gold members will get as part of their paid subscription. These features include but are not limited to respecs and extra character slots."
EverQuest II is jumping on the free-to-play bandwagon as well.


Who pushes technology adoption?
"Britain's biggest ISPs are struggling to convince customers to upgrade to superfast broadband. Of the six million customers who can get fiber broadband from BT, Britain's biggest ISP, only 300,000 have done so — a conversion rate of only 5%. Only 2.3% of Virgin Media customers, meanwhile, have upgraded to 50Mbits/sec or 100Mbits/sec connections. The chief of Ofcom, Britain's telecoms regulator, admits that take-up is 'still low' and says only families with teenage children are bothering to upgrade to fiber."


Perspective
People Now Watch Videos Nearly 30 Percent Longer On Tablets Than Desktops
It may come as no surprise, but Americans are watching more and more online video. In fact, they’re practically jonesin’ for it. According to comScore’s numbers, 182 million Americans watched online video content in September (for an average of 19.5 hours per viewer), while the U.S. video audience tallied a total of 39.8 billion video views. But what may be a bit more surprising is the extent to which people are now watching their video on tablets.
Ooyala, the provider of online video technology and services just released its first quarterly review, which you can find here.


For my Ethical Hackers (don't forget my finder's fee)
"There's a thriving trade in zero-day vulnerabilities, predicated on keeping knowledge of these vulnerabilities out of the public domain. For security researchers with knowledge of a bug that's not worth much, or for researchers who question the ethics of selling any bug information, there are alternatives. Vulnerability information service Secunia launched its Secunia Vulnerability Coordination Reward Program, which formalizes what Secunia says it's been doing informally for some time: It acts as a go-between for security researchers that have discovered a vulnerability in a product, and the vendor of that product. Do such practices jeopardize security for the many, while safeguarding just the few? It's still unclear whether Stuxnet's authors discovered the zero-day vulnerabilities themselves, procured them from a legal market, or bought them on the black market. If you're going to cash in, you face some tough ethical questions."


I want one. Is it too early to send Santa a Tweet?
"Designer Chris Hoffmann developed the Ryno, a heavy duty electric unicycle with a top speed of 25 mph, a range of up to 30 miles and an impressive 25-inch thick tire. The cost for a pre-production Ryno is a whopping $25,000, and Hoffmann already has five orders, but he expects the market model to cost about $3,500."


A whole bunch of interesting stuff...
...Idaho will become the first state to mandate that all high school students take at least 2 credits online in order to graduate. The move has been very controversial, with the Idaho Education Association blasting the Board of Education’s decision.
...The Department of Education and the Department of Defense launched the Learning Registry this week. The site is a joint effort between the two departments, the White House and numerous other federal agencies. The Learning Registry is meant to serve as an online clearinghouse of sorts for educational content. (That content includes information from various publishers and organizations, including the National Archives, the Smithsonian, PBS Learning Media, and OER Commons.) But it’s not a portal or a website that educators will visit per se. Rather it’s both an open technology platform that will allow for the exchange of data about learning resources (metadata, ratings, reviews, and so on), their usage, their standards alignment, and so on. The aim of the Learning Registry is to help remove some of the silos for educational resources.
...Codecademy added a new course to its learn-to-program website: jQuery. The startup also added a “scratchpad,” an “in-browser JavaScript editor that allows you to play around with what you’ve learned.”
...The University of Texas at Austin announced this week that it plans to give its 450,000 alumni lifetime access to their @utexas.edu email accounts. The university switched to Google Apps for Education last year.

Friday, November 11, 2011


We can help you remove your data from the web – just give us all the data you want removed...
Another tool to help you remove your personal information from the web
November 11, 2011 by Dissent
Another startup to watch: MelonCard.
Michelle Doellman writes:
Privacy is a hot topic when it comes to the Internet and technology. Issues like cyber bullying and identity theft show that it’s still like the wild West. With the mission of protecting your privacy, California-based MelonCard is hoping to make you feel safer.
Founders Robert Leshner and Geoff Hayes came up with the idea for MelonCard purely by fate. While the pair was working on their first project – Drawn.to – they stumbled across researching how to remove personal information from the web.
“After looking around, we found it’s a really cumbersome and time consuming process,” explained Leshner. “You have to send faxes all over saying please stop selling my information. The process is broken so we took 24 hours and dedicated ourselves to building this really rough prototype of MelonCard.”
Once a MelonCard account is set up, members click on the Dashboard and select which sites to remove information from. The type of information removed varies from basics like phone numbers to interests and views on politics. A tally on the dashboard shows how many sites have been expunged and a grade level of privacy.
Read more on Tech.li
Note: I have not looked into this yet so do not take this as an endorsement or recommendation. Their privacy policy is certainly short and sweet:
  • We collect personal information with the express purpose of trying to protect your privacy.
  • Your personal information will ONLY be shared with third-parties specifically to opt you out of their services.
  • You will specifically execute each opt-out request which utilizes your personal information.
  • We will never sell or rent our mailing list or user information, in any way shape or form. Never.
  • We’re eager to hear your questions or concerns at privacy@meloncard.com; we will personally respond.
Some info on how long data are retained or stored and whether users can delete their accounts totally and permanently would be helpful, but this seems somewhat promising. You can check out their site and their blog.


Looking only at the Twitter equivalent of a pen register, I don't see much to suppress the search, nor do I see much useful evidence. What if the actual messages were: “Hey Bob, want to read a secret document?” “No! And stop asking!” OR: “Anyone know who is leaking this data?” “Nope”
Judge Rules Feds Can Have WikiLeaks Associates’ Twitter Data (updated)
November 10, 2011 by Dissent
Kevin Poulsen reports the expected, but bad nevertheless, news:
The Justice Department is entitled to records of the Twitter accounts used by three current and former WikiLeaks associates, a federal judge ruled Thursday, dealing a victory to prosecutors in a routine records demand that turned into a fierce court battle over online privacy and free speech.
In a 60-page opinion (.pdf), U.S. District Court Judge Liam O’Grady in Alexandria, Virginia upheld a magistrate’s decision earlier this year allowing prosecutors to obtain information on the accounts, including records showing when they sent direct messages to one another, and from what internet IP addresses. The ruling does not expose the content of the messages, nor information on other Twitter users who follow the accounts.
Read more on Threat Level.


We are reading an article claiming that the FBI trains its agents to consider all Muslims as terrorists. This data would show how they attempt to prove that... Right?
New York Times Writer Loses Bid for FBI Data
November 10, 2011 by Dissent
Now what did Candidate Obama pledge about transparency?
Adam Klasfeld reports:
The FBI can shield its terrorism-investigation data from the prying eyes of New York Times investigative journalist Charlie Savage, a federal judge ruled.
Savage repeatedly sought FBI data through the Freedom of Information Act for a series of articles exposing how federal authorities vigorously probed thousands of people without reasonable suspicion.
Read more on Courthouse News.


Note that this is virtually an “Auditor Full Employment Act” rather than the more common Lawyer version... Are the lawyers getting bored or do they expect the auditors to drop a pre-made case in their laps every few years?
Facebook, FTC Near Privacy Settlement
November 10, 2011 by Dissent
Julia Angwin, Shayndi Raice, and Spencer E. Ante report:
Facebook Inc. is finalizing a proposed settlement with the Federal Trade Commission over charges that it engaged in deceptive behavior when changing its privacy settings, according to people familiar with the situation.
The proposed settlement – which is awaiting final approval from the agency commissioners – would require Facebook to obtain “express affirmative consent” if Facebook makes “material retroactive changes,” some of the people said.
The agreement would require Facebook to submit to independent privacy audits for 20 years, the people said. Google Inc. agreed to similar audits in March, when it settled FTC charges of falsely representing how it would use personal information.
Read more on Wall Street Journal. Alicia Eler of ReadWriteWeb also covers the story but suggests that the settlement is actually finalized.
If Facebook leaked this, is it because they want to get the word out before the FTC releases its own statement that could sound more critical? Are they just trying to get out in front of this?

(Related) Facebook would do the entire e-community a service by summarizing all they have learned (at great pain and expense) about Privacy. At minimum it would make an interesting student paper (take that as a hint, law students).
German agency may fine Facebook over program
November 10, 2011 by Dissent
Ah, if it’s Thursday, Facebook must be in trouble with German data protection again.
Bloomberg reports:
Facebook Inc. may be fined by a German data-protection agency over a feature that uses facial-recognition software to suggest people to tag in photos on its social-networking site.
Facebook introduced the feature in Europe “without informing users or getting the required consent” it is obliged to under European Union and German laws, the Hamburg data-protection authority said in a statement on its website Thursday.

(Related) Does this cover the same issues as the lawsuits? i.e. would it suggest a safer path for Facebook for example?
New Self-Regulatory Principles for Multi-Site Data
November 11, 2011 by Dissent
This week, the Digital Advertising Alliance (the “DAA”) unveiled new “Self-Regulatory Principles for Multi-Site Data” (the “Principles”), aimed at expanding the scope of industry self-regulation with respect to online data collection. The Principles are designed to supplement the Self-Regulatory Principles for Online Behavioral Advertising which were issued in July 2009. The DAA is composed of several constituent industry groups such as the American Association of Advertising Agencies, Council of Better Business Bureaus, the Direct Marketing Association and the Interactive Advertising Bureau.
[...]
Notably, the Principles prohibit third parties or service providers from collecting, using or transferring any Multi-Site Data in order to determine an individual’s eligibility for employment, credit, health care treatment or insurance. The Principles also require entities to (1) treat personal information in accordance with the Children’s Online Privacy Protection Act, and (2) obtain opt-in consent to collect and use Multi-Site Data that contains health or financial information (with an exception for operational or systems management purposes).
Read more on Hunton & Williams Privacy and Information Security Law Blog then scoot over to CIS to read Jonathan Mayer’s, “A Brief Overview of the Supplementary DAA Principles.”


This is likely to be difficult. “Yeah, we paid you in stock, but now it's worth a lot more than we thought it was then so we want to un-pay you...”
"Zynga seem to think they were overly generous handing out stock to early employees. Fearing a 'Google Chef' situation they are leaning on some employees to hand back their unvested stock or face termination. From the article: 'Zynga's demand for the return of shares could expose the company to employment litigation—and, were the practice to catch on and spread, would erode a central pillar of Silicon Valley culture, in which start-ups with limited cash and a risk of failure dangle the possibility of stock riches in order to lure talent.'"


This would be good. Rather than relying on a single, easily guessable word, base access on how you walk into the room, the geometry of your hand, your fingerprint, retina and iris scans and the fact that you suffer from morning flatulence...
"Researchers from the Defense Advanced Research Projects Agency will next week detail a new program it hopes will develop technology to dramatically change computer system security authorization. The program, called Active Authentication, looks to develop technology that goes way beyond today's use of hard to remember password protection and determine identity through 'use of software applications that can determine identity through the activities the user normally performs,' DARPA said."
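What "determining identity through the activities the user normally performs" looks like in practice is a continuous check, not a one-time gate. The following is an added example, not DARPA's program and not code from the article: a minimal keystroke-dynamics authenticator that enrols a user from a few typing sessions (key hold and flight times, in milliseconds), scores each later session by how far it drifts from that profile, and asks for step-up authentication when the drift is large. Every timing value, the seven-feature layout, the standard-deviation floor and the threshold are constructed for the example.

```python
"""Added example: behavioural (keystroke-dynamics) continuous authentication.

Not DARPA's Active Authentication code; all timings, feature layout and
thresholds are constructed for illustration.
"""
import statistics
from dataclasses import dataclass
from typing import List, Sequence

MIN_STDEV_MS = 5.0       # floor: a very consistent enrolment must not make every probe anomalous
REAUTH_THRESHOLD = 2.0   # mean |z| above this => step-up (password/token) authentication

# Constructed enrolment data: five sessions typing the same phrase. Each row is
# four key hold times followed by three inter-key flight times, in milliseconds.
ENROLLMENT_SESSIONS: List[List[float]] = [
    [95, 110, 88, 120, 140, 160, 150],
    [100, 105, 92, 118, 145, 155, 148],
    [92, 112, 85, 124, 138, 165, 155],
    [98, 108, 90, 121, 142, 158, 152],
    [96, 111, 89, 119, 141, 162, 149],
]
LEGIT_PROBE: List[float] = [97, 109, 90, 120, 143, 159, 151]       # constructed: same person later
IMPOSTOR_PROBE: List[float] = [60, 70, 65, 80, 260, 300, 280]     # constructed: faster holds, slower flights


@dataclass
class Profile:
    means: List[float]
    stdevs: List[float]


def enroll(sessions: Sequence[Sequence[float]]) -> Profile:
    """Build a per-feature mean/stdev profile from several typing sessions."""
    if len(sessions) < 3:
        raise ValueError("need at least 3 enrolment sessions")
    n_feat = len(sessions[0])
    if any(len(s) != n_feat for s in sessions):
        raise ValueError("all sessions must have the same feature count")
    columns = list(zip(*sessions))
    means = [statistics.fmean(col) for col in columns]
    stdevs = [max(statistics.stdev(col), MIN_STDEV_MS) for col in columns]
    return Profile(means, stdevs)


def anomaly_score(profile: Profile, probe: Sequence[float]) -> float:
    """Mean absolute z-score of the probe against the enrolled profile."""
    if len(probe) != len(profile.means):
        raise ValueError("probe feature count does not match profile")
    zs = [abs(x - m) / s for x, m, s in zip(probe, profile.means, profile.stdevs)]
    return sum(zs) / len(zs)


def decide(profile: Profile, probe: Sequence[float], threshold: float = REAUTH_THRESHOLD) -> str:
    """'continue' while the session still looks like the enrolled user, else 'reauthenticate'."""
    return "continue" if anomaly_score(profile, probe) <= threshold else "reauthenticate"


if __name__ == "__main__":
    profile = enroll(ENROLLMENT_SESSIONS)
    for label, probe in (("legit", LEGIT_PROBE), ("impostor", IMPOSTOR_PROBE)):
        print(f"{label}: score={anomaly_score(profile, probe):.2f} -> {decide(profile, probe)}")
```

Two design points matter more than the arithmetic. The decision is a step-up, not a lockout: a false positive costs the real user one password prompt, while a silent miss costs the organisation a hijacked session, so the threshold is tuned against those two costs rather than for accuracy alone. And the profile is itself sensitive personal data (it identifies a person by how they type), so it needs the same protection as a password hash and must not be shared with the application being protected.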


Compare this with President Clinton's and see who the better dodger is...
November 10, 2011
President Richard Nixon's Watergate grand jury testimony released
"The National Archives and Records Administration (NARA) has publicly released the transcripts of President Richard Nixon's Watergate grand jury testimony. In collaboration with the U.S. Government Printing Office (GPO), the collection has been released on Fdsys. This collection has been made public as a result of the July 29, 2011 order by Chief Judge of the United States District Court for the District of Columbia Royce C. Lamberth that the June 1975 transcript of Nixon's testimony and the "Associated Materials" to that testimony be released to the public following the review of these documents for any information that must be redacted as required by law. It is rare for any grand jury testimony to be made public." These documents are available on three websites as follows:


I keep telling the Psych majors that there is a need for guidance here...
November 10, 2011
Pew: Teens, kindness and cruelty on social network sites
Teens, kindness and cruelty on social network sites by Amanda Lenhart, Mary Madden, Aaron Smith, Kristen Purcell, Kathryn Zickuhr, Lee Rainie. Nov 9, 2011
  • "Social media use has become so pervasive in the lives of American teens that having a presence on a social network site is almost synonymous with being online. Fully 95% of all teens ages 12-17 are now online and 80% of those online teens are users of social media sites.
  • We focused our attention in this research on social network sites because we wanted to understand the types of experiences teens are having there and how they are addressing negative behavior when they see it or experience it. As they navigate challenging social interactions online, who is influencing their sense of what it means to be a good or bad “digital citizen”? How often do they intervene to stand up for others? How often do they join in the mean behavior? Many log on daily to their social network pages and these have become spaces where much of the social activity of teen life is echoed and amplified—in both good and bad ways."


Convergence: It's a Cloud Phone! Why stop with two numbers? You could put the entire corporate PBX on your phone!
VMware fits work phone into personal phone
If you’re sick of having to carry around two smartphones, one for work and one for your personal life, there are options coming that will save you grief and the need to carry multiple devices everywhere.
One such product is the VMware Horizon Mobile solution. Basically, this platform enables a user to run a “phone-in-a-phone,” meaning both work and personal mobile environments separately on the same device. Users would be able to have two phone numbers and data accounts on the same smartphone.


For my Computer Security students
November 10, 2011
National Initiative on Cybersecurity Education Workforce Framework
"The NICE Cybersecurity Workforce Framework offers a working taxonomy and common lexicon that can be overlaid onto any organization's existing occupational structure. Although much work has gone into this framework, we need to ensure that it can be adopted and used across the nation. We are actively seeking to refine this framework with input from every sector of our nation's cybersecurity stakeholders."

(Completely unRelated) We would never teach our students this kind of thing... Okay, maybe sometimes...
Secret Snoop Conference for Gov't Spying: Go Stealth, Hit a Hundred Thousand Targets


For my Ethical Hackers, because you may need to detect it (and transfer my cut to me) Suggestion for a research paper: How to do it better!
"In Russia, most cell phone SIM cards are prepaid. One of the major Russian operators offers a legal service that allows anyone to transfer the prepaid amount of money from a SIM card to a bank account, a credit card, another cell phone number (via a text message) or to express money transfer service Unistream. This particular service is heavily misused by cyber crooks who use it to launder money collected through ransomware campaigns, mobile malware and SMS scam campaigns. Kaspersky Lab's Denis Maslennikov takes us through the steps of each of these types of scams and shares insights into the shady economy that has sprung up due to cyber criminals' need to get their hands on the collected money without leaving a direct trail."


This should explain why I find the loss of a laptop with all those unencrypted files so distressing.
The 5 Best Ways To Easily & Quickly Encrypt Files Before Emailing Them [Windows]

Thursday, November 10, 2011


Reminds me of McDonalds: “Over 1 Billion ill-served”
Over One Billion Records Exposed According to Risk Based Security, Inc.
November 9, 2011 by admin
From the press release:
The slowdown in the global economy has certainly not translated into a corresponding slowdown in criminal efforts to compromise personal information, according to Risk Based Security, Inc. The total number of records exposed during the first 9 months of 2011 is 176,385,870 compared to 88,473,589 records for all of 2010. An even more alarming statistic is that as of October 2011, there have now been over 1 billion records exposed according to research by the Open Security Foundation.
Risk Based Security’s 3rd Quarter “Data Breach Intelligence” report just released for customers shows that nearly 50 percent of the reported data breaches in 2011 involved retail businesses, and those breaches accounted for nearly 25 percent of the total records exposed so far in 2011. Organizations providing medical related services accounted for nearly 31 percent of the data breaches reported in the first nine months of 2011. This same sector represented 29 percent of the reported 2010 breaches.
The Data Breach Intelligence report also revealed that a hack or computer-based intrusion was responsible for 25 percent of the 2011 breaches, totaling 147,496,666 records. This represents nearly 84 percent of the total number of exposed records in 2011. Although stolen laptops remain the number one breach type all-time, the hack breach type has replaced stolen laptop at number one for the past two years.
Read the rest of the release on MarketWatch.


Was this inevitable?
Facebook For The Famous
Backed by heavyweights in three disparate industries--Amazon, CAA, and Greylock Partners--WhoSay.com lets celebrities do something Twitter and Facebook don't: own their online content.
… Twitter's Terms of Service, (which are similar to Facebook's), state that "You agree that this license includes the right for Twitter to make such Content available to other companies, organizations or individuals who partner with Twitter for the syndication, broadcast, distribution or publication… Such additional uses by Twitter, or other companies, organizations or individuals who partner with Twitter, may be made with no compensation paid to you with respect to the Content that you submit…" When you are a living brand, that lack of compensation can rankle, especially if your work leads to someone else's compensation at your expense.


Global Warming! Global Warming! What is science, what is politics?
"As a follow up to the previous slashdot story, there has been a new release by the International Energy Agency indicating that within 5 years we will have irreversible climate change. According to the IEA, 'There are few signs that the urgently needed change in direction in global energy trends is under way. Although the recovery in the world economy since 2009 has been uneven, and future economic prospects remain uncertain, global primary energy demand rebounded by a remarkable 5% in 2010, pushing CO2 emissions to a new high. Subsidies that encourage wasteful consumption of fossil fuels jumped to over $400bn (£250.7bn).'"

(Related)
Surprise! No warming in last 11 years


Infographic
Inside 5 Of America’s Largest Data Centers


Infographic
Google versus Facebook on Privacy and Security

Wednesday, November 09, 2011


Based on the number of articles, this is going to be a biggie.
Reflections on the Oral Argument in United States v. Jones, the GPS Fourth Amendment Case
November 8, 2011 by Dissent
Orin Kerr comments on oral arguments in United States v. Jones, the GPS case argued before the Supreme Court this morning:
1) My basic reaction was that the outcome was too close to call. The Justices gave both sides a very hard time, and few Justices tipped their hand. The Justices pushed Michael Dreeben (arguing for the United States) on the consequences of his argument: If the Government was right, they noted, then the government can install a GPS device on all the Justices’ cars and watch them, too, along with everybody else. They pushed Steve Leckar (arguing for Jones) on the difficulty of identifying a clear Fourth Amendment principle to distinguish visual surveillance from GPS surveillance. The votes were hard to count, but if you had to summarize a reaction of the Court as a whole, I would say that the Justices were looking to find a principle to regulate GPS surveillance but unconvinced (at least as of the argument) that there was a legal way to get there without opening up a Pandora’s Box of unsettling lots of long settled practices.
2) The Justice who most clearly showed his cards was Justice Scalia. Justice Scalia made clear that he would overrule Katz v. United States; make common law of trespass the test for what is a search; and say that the installation of the device was a search because it was a technical trespass.
Read more on The Volokh Conspiracy.

(Related)
More reactions to this morning’s oral argument at SCOTUS
November 8, 2011 by Dissent
Another helpful write-up on oral argument this morning in United States v. Jones – this one by Kashmir Hill of Forbes, who starts her piece:
The Supreme Court justices were decked out in their usual black robes today for a case involving the question of whether police need to get a warrant in order to attach a GPS tracker to someone’s car. But given their paranoia about possible technology-enabled government intrusions on privacy, it might not have been surprising if they had also been wearing tin foil hats.
Read more on Forbes. Personally, I don’t think I’d describe concerns about widespread government intrusion on privacy as “paranoid,” but I’m unabashedly a “privacy wonk.” I think some of the justices got it exactly right: if the government prevails, there is nothing that stops the government from monitoring our movements in public 24/7/365 if they feel like investing in the technology – no warrant required.
The transcript of this morning’s oral argument can be found here and it makes for a fascinating read.


I think this is a first also...
Online Advertiser Settles FTC Charges ScanScout Deceptively Used Flash Cookies to Track Consumers Online
November 8, 2011 by Dissent
Online advertiser ScanScout has agreed to settle Federal Trade Commission charges that it deceptively claimed that consumers could opt out of receiving targeted ads by changing their computer’s web browser settings to block cookies. In fact, ScanScout used Flash cookies, which browser settings could not block. The proposed settlement bars misrepresentations about the company’s data-collection practices and consumers’ ability to control collection of their data. It also requires that ScanScout take steps to improve disclosure of their data collection practices and to provide a user-friendly mechanism that allows consumers to opt out of being tracked.
… According to the FTC complaint, from at least April 2007 to December 2010, ScanScout’s website privacy policy discussed how it used cookies to track users’ behavior. The privacy policy stated, “You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies.” However, changing browser settings did not remove or block the Flash cookies used by ScanScout, the FTC charged. The claims by ScanScout were deceptive and violated the FTC Act, the complaint alleged.
Source: FTC
Related case materials: In the Matter of ScanScout, Inc., a corporation; FTC File No. 1023185


“Thank you for helping us make a safer product!” NOT!
Apple expels serial hacker for publishing iPhone exploit
November 8, 2011 by Dissent
Dan Goodin reports:
Charlie Miller, the serial hacker who has exposed more than a dozen critical vulnerabilities in Apple’s Mac and mobile platforms, was kicked out of the company’s iOS developer program after publishing an application that demonstrated a serious new bug in iPhones and iPads.
Miller’s InstaStock app, which was accepted into the iTunes App Store in September, bills itself as a program that tracks stock prices in real time. On Monday, Miller announced that the app contained a secret hack that bypassed protections built into iOS devices that prevent code from running on them unless it has been signed by Apple’s official cryptographic seal.
As a result, Miller was able to endow InstaStock with powerful capabilities that were never approved during the app store application process, including the ability to remotely download pictures and contacts stored on an iPhone or iPad that has the app installed.
Read more on The Register.
Ah, my fears about apps have been reinforced, it seems. Although Miller may be one of the good guys, who knows what else is going on out there?


So, we can pass a new law that overrides EU law?
Updated European law will close Patriot Act data access loophole
November 8, 2011 by Dissent
Zack Whittaker reports:
European lawmakers have been revising and updating the data protection laws that apply to all 27 European member states, after it was discovered that the United States can use the Patriot Act to access European citizens’ data without their consent.
The European Commission’s justice commissioner Viviane Reding met with German Consumer Protection Minister Ilse Aigner, discussed the new directive yesterday and outlined plans for the updated law to compel any non-European company — with customers or clients within Europe — to comply with European regulations.
Read more on ZDNet.


Local (...and in its spare time, it will host “Leisure Suit Larry”)
IBM picked to supply Wyo. climate supercomputer
IBM has beaten out three competitors and won a bid to supply one of the world's most powerful supercomputers for use in climate research at a new facility in Cheyenne.
The supercomputer, to be called Yellowstone, will begin running computations next summer for scientists associated with the Boulder, Colo.-based National Center for Atmospheric Research, NCAR announced Monday.
The machine will be capable of 1.6 petaflops. That's 1.6 quadrillion operations per second — or more than 221,000 calculations per second for every man, woman and child on Earth — making it 30 times more powerful than the machine currently in use at NCAR's Mesa Laboratory in Boulder.


Curious, because it was never about taking a picture, was it? It was about having the print
"Long before Facebook and Twitpic, photos were shared by simply handing someone a print. No camera made this easier than the once-ubiquitous Polaroid. Nothing represented instant gratification better in the film era than having a print develop before your eyes, ready to hand out in a minute. Unfortunately for Polaroid, the advent of digital photography sounded the death knell for its iconic instant print cameras. A brief reprieve in the form of inexpensive sticker-printing versions was ended by the cellphone camera revolution. Now, after a decade in remission, Polaroid has returned with a full-up digital camera that incorporates instant printing technology. The Polaroid Z340 is a 14MP digital with an integrated Zink-enabled (Zero Ink) printer. In a nostalgic touch, the new camera prints 3×4-inch images, the same size as the original Polaroid film cameras. Remarkably, all this fits in a one-pound, seven-ounce package, about the same weight as a mid-range DSLR."


Dr. Michelle Post sent me this list. Michelle is an expert on the technology of teaching...

Tuesday, November 08, 2011


Another candidate for the Forrest Gump award?
"Researchers have demonstrated a vulnerability in the computer systems used to control facilities at federal prisons that could allow an outsider to remotely take them over, doing everything from opening and overloading cell door mechanisms to shutting down internal communications systems. ... The researchers began their work after [John] Strauchs was called in by a warden to investigate an incident in which all the cell doors on one prison's death row spontaneously opened."
[From the article:
While the computers that are used for the system control and data acquisition (SCADA) systems that control prison doors and other systems in theory should not be connected to the Internet, the researchers found that there was an Internet connection associated with every prison system they surveyed.


Another article to chase away that warm fuzzy feeling... Something for my Ethical Hackers.
Darpa Begs Hackers: Secure Our Networks, End ‘Season of Darkness’
The Pentagon’s far-out research agency and its brand new military command for cyberspace have a confession to make. They don’t really know how to keep U.S. military networks secure. And they want to know: Could you help them out?
… U.S. networks are “as porous as a colander,” Richard Clarke, the former White House counterterrorism chief turned cybersecurity Cassandra, told a packed ballroom.


Another poor method for estimating damages in a Privacy Breach...
How Much Is Your Identity Worth?
November 8, 2011 by admin
This may come as a blow to the narcissists among us, but your identity isn’t worth very much these days. Indeed, you might get more using the per pound formula.
Brian Krebs reports:
How much does it cost for thieves to discover the data that unlocks identity for creditors, such as your Social Security number, birthday, or mother’s maiden name? Would it surprise you to learn that crooks are selling this data to any and all comers for pennies on the dollar?
At least, that’s the going price at superget.info. This fraudster-friendly site has been operating since July 2010, and markets the ability to look up SSNs, birthdays and other sensitive information on millions of Americans.
Read more on KrebsonSecurity.com


Perhaps this will help illustrate how evil Social Networking can be?
Judge Orders Divorcing Couple To Swap Facebook And Dating Site Passwords
November 7, 2011 by Dissent
Kashmir Hill writes:
Most divorces require spouses to part with some of their property, but in Connecticut, a soon-to-be ex-husband and wife are being asked to give up more than just investments, cars, TVs, kids, and pets. They have to hand over their social networking passwords. At the end of September, Judge Kenneth Schluger ordered that the attorneys for Stephen and Courtney Gallion exchange “their client’s Facebook and dating website passwords.”
Read more on Forbes.
[From the article:
Everyone knows that evidence from social networking sites comes in handy for lawsuits and divorces. Attorneys usually get that material by visiting someone’s page or asking that they turn over evidence from their page, not by signing into their accounts. But judges are sometimes forcing litigants to hand over the passwords to their Facebook accounts. Should they be? What was the reason behind the court-authorized hacking in the Gallion case?
I spoke with Stephen Gallion’s divorce lawyer, Gary Traystman, who amazingly has no computer or e-mail account. “I see the information people can get from computers, in lawsuits and through hacking,” says Traystman. “They scare the hell out of me.”
… During a deposition, Traystman asked Courtney Gallion for the passwords for her Facebook account, as well as EHarmony and Match (which she had apparently already joined). She initially refused but was then counseled by her lawyer to hand them over (Ed. note: questionable legal advice there).
Traystman says she immediately texted a friend and asked that person to change the passwords and delete some of her messages. That’s when he got the judge involved, to issue an injunction that she not delete any material and order the attorneys to exchange passwords for both spouses so that they could conduct discovery.


Is this overkill? An iPad and three people (in the photo that accompanies the article) in order to fill out a paper ballot? Why not just one person with a pencil? Or an iPad that sends an encrypted ballot?
Oregon Pioneers iPads as Vote-Recording Machines
… Voters in five Oregon counties will get to vote using the iPad this year. Apple even donated five of the tablets to the cause.
… Election officials can tote the lightweight iPad and portable printer from location to location, and users simply tap the device to pick candidates, and print out their ballots.
… Voters can mail in their printed ballot, or place it in a designated ballot box.
… To roll out the program statewide, though, Oregon would need about two iPads per county, which would run the state about $36,000. Still, using iPads could end up being less expensive in the long run. Last year, Oregon spent $325,000 on providing accessible voting tools.


(Un-Related) but an interesting video


“In for a penny, in for a pound,” a very British expression. Makes Murdoch & company sound like New York mobsters...
News of the World hired investigators to spy on hacking victims’ lawyers
November 7, 2011 by Dissent
The News of the World phone hacking scandal just gets worse and worse. Now Nick Davies reports:
The News of the World hired a specialist private investigator to run covert surveillance on two of the lawyers representing phone-hacking victims as part of an operation to put pressure on them to stop their work.
The investigator secretly videoed Mark Lewis and Charlotte Harris as well as family members and associates. Evidence suggests this was part of an attempt to gather evidence for false smears about their private lives.
The News of the World also took specialist advice in an attempt to injunct Lewis to prevent him representing the victims of hacking and attempted to persuade one of his former clients to sue him.
Read more on The Guardian.


It does not look like they track which medication you take, but rather whether you are taking whatever medication it is correctly
By Dissent, November 7, 2011
Shannon Ross reports:
You probably know that credit reporting companies collect personal information, like if you pay your bills on time. But, did you also know that they also keep track of the medications you take and assign it a score?
Senator Chuck Schumer says they take that score and sell it to other companies, which could affect things like whether you get a new job or a mortgage.
He’s pushing the FTC to look into whether all this is legal.
Read more on WIVB. Jay Jochnowitz also covers the story on Albany Times Union. Both articles reproduce Senator Schumer’s letter to the FTC.
[From the Times-Union Blog:
The New York Times reported a while back that FICO, one of the entities that does credit ratings, is coming out with a “Medication Adherence Score.” It’s a score driven by statistics and certain personal traits — such as home ownership, job stability, and marital status — to predict how likely you are to take prescription drugs.
… The FICO medication score is based on publicly available data, like home ownership and job status, and does not rely on a patient’s medical history or financial information to predict whether he or she will take medication as directed. So, like a credit rating, it can be compiled without a person’s knowledge or permission.


This harassment of Muslims will continue until we have a Muslim President... Oh wait...
Muslims angry over NYPD surveillance program find privacy laws may not be on their side
November 8, 2011 by Dissent
Chris Hawley of Associated Press reports that the sense in the Muslim community in New York is that there is not much they can do about what appears to be targeted surveillance against them in the wake of 9/11. AP has been publishing a number of pieces on this issue for the past few months to spotlight the problem. For background on the situation, see previous coverage from September and October. Hawley reports:
“The police do what they want,” he said, standing in front of the empty storefront where his café used to be. “If I went to court to sue, what do you think would happen? Things would just get worse.”
It’s a common sentiment among those who are considering their legal options in the wake of an Associated Press investigation into a massive New York Police Department surveillance program targeting Muslims. Many of the targets feel they have little recourse — and because privacy laws have weakened dramatically since 9/11, they may be right, legal experts say.
“It’s really not clear that people can do anything if they’ve been subjected to unlawful surveillance anymore,” said Donna Lieberman, executive director of the New York Civil Liberties Union.
[...]
Lawsuits filed by surveillance targets themselves are notoriously hard to win, said Paul Chevigny, a law professor at New York University and expert on police abuse cases.
“The fact that you feel spooked and chilled by it doesn’t constitute an injury,” Chevigny said. Even in cases where surveillance notes leak out, the chances of winning a lawsuit are “marginal” unless the leaking was done with the clear intent of harming someone, he said.
Read more on Chicago Tribune. Hawley cites specific laws and rulings that may have weakened people’s rights or redress.
This situation needs greater exposure and discussion – and yes, outrage. As a long-time New Yorker, I have no doubt in my mind that if the NYPD engaged in the very same conduct but targeted Jews, there would be holy hell to pay in NY. Yet they are reportedly targeting another religious group and the majority of the public shrugs or ignores the problem?
What does that say about us all? Have too many people bought into governmental FUD and now distrust all Muslims? If so, that would be tragic as well as offensive.
We’re the melting pot, remember?
We’re the ones who stand up for religious freedom and the rights of the underdog.
We’re the ones who presume to spread tolerance and freedom to other lands.
Let’s clean up our own backyard.


“We need this because after hundreds of close observations we've noticed that they never carry identification!”
Thumbs down on stripper fingerprint plan
November 7, 2011 by Dissent
Tom Godfrey reports:
A plan to fingerprint 1,000 exotic dancers in Niagara Region has outraged strippers who claim the precedent-setting scheme is insulting and discriminatory.
The Adult Association of Canada predicted the plan, if approved by Niagara Regional Council, will be adopted in the Toronto area and other parts of the province.
A proposed bylaw would demand that dancers be fingerprinted when renewing or obtaining a licence needed to perform in strip clubs.
Read more on CNEWS.


Why would anyone care what a college dropout thinks? Because he's a Billionaire college dropout...
Zuckerberg on 'Charlie Rose': Why Facebook rules
… They talked about how Google, Yahoo and Microsoft were far more heinous when it came to taking liberties with your privacy than was Facebook -- which is so, so open and transparent, you see.
… Sandberg insisted that the users are the most important part of Facebook -- something that might come as a surprise to, well, the users.
She said: "Their trust is sacred." She added: "Privacy is the most important thing we do."


Okay, Ethical Hackers can no longer earn points for jailbreaking a MS phone...
"A tool to unlock (or 'jailbreak' if you like) Windows Phone devices is now available with Microsoft's blessing. ChevronWP7 Labs was withdrawn at Microsoft's request a year ago, but is back now, allowing users to run any app on their phones for a cost of $9."


Geek out, dudes!
Firefox 8 Is Available Now For Download [News]

(Related)
Amazon’s Kindle Cloud Reader Now Available For Firefox, Too


...and just because.
Monday, November 7, 2011
This one is for the music teachers, US History teachers, and lovers of jazz music. Today, through Open Culture I learned about a documentary titled 1959: The Year that Changed Jazz. The documentary was produced by the BBC. The documentary examines four musicians and the landmark albums they released in 1959. Those featured musicians and albums are Miles Davis: Kind of Blue, Dave Brubeck: Time Out, Charles Mingus: Mingus Ah Um, and Ornette Coleman: The Shape of Jazz to Come.