Saturday, November 19, 2011

Local low-life
16 Indicted In Colorado ID Theft Ring With 100+ Victims
November 18, 2011 by admin
Wayne Harrison reports:
CENTENNIAL, Colo. — Sixteen people have been indicted by a grand jury on 168 counts, after law enforcement discovered that the group was responsible for a statewide identity theft ring that victimized over a hundred individuals and businesses across Colorado.
Read more on The Denver Channel, but the coverage doesn’t give a clue how they obtained the identity information they misused.

Will this agreement be available in the US? (probably not without some FOIA lawsuits) What information would be so onerous that our government would be reluctant to tell us they collect and share it?
EU parliamentarians speak out over gag order on data deal
November 18, 2011 by Dissent
Jennifer Baker reports:
A leading Member of the European Parliament (MEP) has said that she will not be silenced on the shortcomings of a new deal to pass European airline travelers’ information to the United States.
Dutch Liberal MEP Sophie In’t Veld made the comments on Friday after the European Commission issued a press release extolling the virtues of the Passenger Name Register (PNR) agreement. Parliamentarians have been banned from talking about the content of the deal or making notes on the document and may only read it in a “sealed room.”
In’t Veld believes this is ridiculous. “This is highly unfortunate. MEPs can read it, but citizens should also have access to what is decided about their rights. I don’t feel particularly bound to any confidentiality, especially as the Commission has been making public statements, why should I be quiet about it? The whole situation is not very confidence inspiring,” she said.
Read more on TechWorld and a huge thumbs up to Ms In’t Veld.

I agree that once your data is captured for someone's database, it is unlikely that removal will stop the re-capture process.
‘Unenforceable’ right to be forgotten should not be included in new EU data laws, ICO says
November 18, 2011 by Dissent
Giving individuals the right to force organisations to delete the personal information they store about them would be misleading, unenforceable and have “implications” for free speech, the UK’s data protection watchdog said.
“The framework should strengthen individual rights to object to and block processing, and to have their data deleted, and reverse the burden of proof so the organisation has to provide compelling legitimate grounds for continuing processing,” the ICO said in a briefing (4-page / 113KB PDF) on what it would like revised EU data protection laws to provide for.

How quickly (non-US) out-of-office politicians fall to “second class citizen” status... I doubt anyone at TSA was fired, but it will be interesting to see if TSA says anything.
Unconfirmed: U.S. Officials Sacked for Frisking India’s Former President; Did TSA Go Too Far?
November 18, 2011 by Dissent
Sanskrity Sinha reports:
Two Transportation Safety Administration (TSA) officials involved in the recent frisking incident of former Indian president Dr. A.P.J Abdul Kalam at a U.S. airport have reportedly been sacked, according to an Indian national daily.
Though there are no confirmed reports of the lay-off either by TSA or U.S. Government, the Hindustan Times reported Thursday that the U.S. authorities had fired the executives for “exceeding their brief” as they made former Kalam, who is also an eminent scientist, face security checks a second time after he had boarded his aircraft.
Read more on IBTraveler. Additional background on the incident can be found on The Global Indian and Deccan Chronicle.
From the IBTraveler article:
"Appropriate procedures for expedited screening of dignitaries had not been followed," said the U.S. Embassy in New Delhi in a statement.
… under existing US regulation, Abdul Kalam does not fall into the category of persons exempt from security screening.
U.S. dignitaries, in contrast, are always exempt from security checks as a gesture of courtesy and respect in India.

November 17, 2011
Pew: 46% - Paying for Apps
"Just under half (46%) of cell phone and tablet users who have downloaded apps say they have paid for an app at some point, according to a survey conducted July 25-Aug. 26, 2011 by the Pew Internet & American Life project. That number is statistically equivalent to the 47% who reported doing so in May 2010. However, the number of people who have downloaded an application has grown, so only 16% of all U.S. adults have ever paid for an app -- this compares with 13% who said so in May 2010. This is a small but statistically significant increase."
  • Digital Trends: "What app developers might find interesting is that it appears owners of tablets are more likely to pay for an app than those downloading to a smartphone. Furthermore, those with tablets are more likely to spend a greater amount on an app than those who buy an app for use on a smartphone."

Perspective. The second Infographic is eye opening...
November 17, 2011
2011 Cisco Connected World Technology Report
News release: "Demonstrating the increasing role of the network in people's lives, an international workforce study announced today by Cisco revealed that one in three college students and young professionals considers the Internet to be as important as fundamental human resources like air, water, food and shelter. The 2011 Cisco Connected World Technology Report also found that more than half of the study's respondents say they could not live without the Internet and cite it as an "integral part of their lives" – in some cases more integral than cars, dating, and partying. These and numerous other findings provide insight into the mindset, expectations, and behavior of the world's next generation of workers and how they will influence everything from business communications and mobile lifestyles to hiring, corporate security, and companies' abilities to compete."

Thanks to Gary Alexander, I didn't miss this entirely. It is a bit pricy, but it's almost Christmas so I'm sure the school will “Gift” me the registration fee...
2ND ANNUAL CYBERSECURITY SUMMIT--WEST: Securing Cyber, Mobile and the Cloud
Monday, December 5, 2011 from 7:00 AM to 5:00 PM (MT) Denver, CO

Toys for Hackers. Boot from the USB port and bypass all that password nonsense...
Tiny USB Stick Brings Android to PCs, TVs

A question for my Ethical Hackers: How come your hacker-wiki has 10X more entries than the government's?
The Surveillance Catalog: Where governments get their tools
November 19, 2011 by Dissent
From the WSJ:
Documents obtained by The Wall Street Journal open a rare window into a new global market for the off-the-shelf surveillance technology that has arisen in the decade since the terrorist attacks of Sept. 11, 2001.
The techniques described in the trove of 200-plus marketing documents include hacking tools that enable governments to break into people’s computers and cellphones, and “massive intercept” gear that can gather all Internet communications in a country.
The documents—the highlights of which are cataloged and searchable here—were obtained from attendees of a secretive surveillance conference held near Washington, D.C., last month.
Read more on The Wall Street Journal. I haven’t had time to read this all yet, but will definitely want to know what U.S. companies are enabling oppressive regimes.
From the article:
The documents fall into five general categories: hacking, intercept, data analysis, web scraping and anonymity.

For my Ethical Hackers. Should make an interesting target...
"'Sometime early next year, Ford will mail USB sticks to about 250,000 owners of vehicles with its advanced touchscreen control panel. The stick will contain a major upgrade to the software for that screen. With it, Ford breaks the model in which the technology in a car essentially stayed unchanged from assembly line to junk yard' — and Ford becomes a software company. This shift created a hot new tech job at Ford: human-machine interface engineers — people who come from a range of backgrounds, from software development to mechanical engineers, and who can live in the worlds of art and science at once."

I'm always looking for ways to bring good, relatable science into the classroom...
How Many Sips in a Bottle of Beer?

Friday, November 18, 2011

Apparently security breaches are so common we no longer pay much attention to them. Allowing access to your control devices over the Internet is a major security risk. In this case, it may have been done to facilitate sales demonstrations. Much more interesting was the theft of passwords, which unfortunately, users tend to re-use on other systems...
U.S. water utility reportedly hacked last week, expert says
It appears that hackers breached the network of a company that makes SCADA (supervisory control and data acquisition) and stole customer usernames and passwords, said Joe Weiss, managing partner of Applied Control Solutions. "There was damage--the SCADA system was powered on and off, burning out a water pump," he wrote in a brief blog post.
The report did not identify the water utility attacked or the SCADA software vendor compromised, Weiss said in an interview with CNET. He declined to say where the utility is based because the report, released by a state terrorism information center, is marked "For Official Use Only." However, a Department of Homeland Security representative indicated the facility was located in Springfield, Ill.
"It is unknown, at this time, the number of SCADA usernames and passwords acquired from the software company's database and if any additional SCADA systems have been attacked as a result of this theft," he said, reading from a report entitled "Public Water District Cyber Intrusion." It was released November 10, two days after the water utility attack was discovered, he said.
… "DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Ill.," DHS spokesman Peter Boogaard said in a statement. "At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety."
Weiss disputed this statement.
"The statement is inconsistent with the report from the Illinois Statewide Terrorism and Intelligence Center Daily Intelligence Notes dated November 10, 2011, titled 'Public Water District Cyber Intrusion,'" he said.
The water utility had noticed minor glitches in the remote access [Interesting, if uninformative phrase Bob] to the SCADA system for two to three months before it was identified as a cyber attack, Weiss said.

I want to adapt this for the classroom! And the highway! And Congress!!!!
"GeekWire reports that a pending Microsoft patent for monitoring workplace behavior would do Dwight Schrute proud. Three Microsoft inventors propose curbing obnoxious workplace habits in an equally obnoxious fashion — using a computer device for monitoring and analyzing workers' interactions over video conferences, telephone, text messages and other forms of digital communication to look for patterns of negative and positive behavior, and assigning behavior scores to employees based on what the system finds. Bad behavior, Microsoft explains, might include wearing dark glasses in a video conference, wearing unacceptable clothing to a business meeting, cutting off others during conversation, prolonged monologues, and even how one nods one's head in agreement, shakes one's head indicating disagreement, and makes hand gestures."

Binary Law by Bob
The arg... ...u ments
go back and forth
be cause there is
no middle
HA! I bet you didn't expect to find epic poetry in a blog!
Judge Declares Law Governing Warrantless Cellphone Tracking Unconstitutional
November 17, 2011 by Dissent
Julia Angwin:
In a succinct one-page ruling, U.S. District Court Judge Lynn N. Hughes of the Southern District of Texas declared that the law authorizing the government to obtain cellphone records without a search warrant was unconstitutional.
“The records would show the date, time, called number, and location of the telephone when the call was made,” Judge Hughes wrote in the decision, dated Nov. 11. “These data are constitutionally protected from this intrusion.”
Read more on Wall Street Journal.

Q: Why would a good manager choose not to back up their data? A: A good manager wouldn't.
"Businesses are on average backing up to tape once a month, with one alarming statistic showing 10 percent were only backing up to tape once per year, according to a survey by Vanson Bourne. Although cloud backup solutions are becoming more common, still the majority of companies will do their backups in-house. Sometimes they will have dedicated IT staff to run them, but usually it's done in-house because they have always done it like that, and they have confidence in their own security and safekeeping of data."

Thursday, November 17, 2011

Yes I got hacked. (No, it was actually the Hotmail server that was hacked) The Bad Guys grabbed my email address list and sent emails in my name. Looks like most of the recipients were wise enough to recognize a scam when they saw one or more likely, would never open a link I “suggest.”
I found this old Q&A that matches this hack exactly, so I'm going to suggest this is 1) Common, as in happens often and 2) Relatively trivial, as in it does not impact more than a few mail users at a time.
My hotmail has been sending random spam emails to my contacts, and I have no idea how to stop it. I have scanned my Harddrive, and I don't have any viruses. So what could be causing this?
As above, extremely common Hotmail problem that seems to have been going around for over a year. You probably got it from a legit looking e-mail from a friend but changing your password should fix it. If I recall it sends out spam (or legit looking e-mails with a link on it from you) in blocks of 6 contacts vs sending straight to all contacts in one go.
Most people only know they have had it if a friend questions them because I don't think it shows up on the sent items list. Because it's not a virus that runs on your computer, a virus scanner won't find anything.
Fair dues to the maker, it's a clever idea for it to still be running around causing mild confusion to random people after all this time. I don't think it's especially dangerous, just annoying.

If I was a cynical, sarcastic SoB, I might suggest that to me, “medical diagnoses” IS a medical record. As to being “in the process of encrypting” I have students who claim that “thinking about planning to take a few minutes to consider starting” means they are “working on it.”
By Dissent, November 16, 2011
Statement from Sutter Health today:
Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF) — two affiliates within the Sutter Health network of care — announced the theft of a company-issued password-protected unencrypted desktop computer from SMF’s administrative offices in Sacramento the weekend of Oct. 15, 2011. Following discovery of the theft, Sutter Health immediately reported it to the Sacramento Police Department. It also began an internal investigation. The computer did not contain patient financial records, social security numbers, patients’ health plan identification numbers or medical records. While no medical records themselves were on the computer, some medical information was included for a portion of patients.
Following a thorough internal review, Sutter Health discovered that the stolen computer held a database that included two types of information:
  1. For approximately 3.3 million patients whose health care provider is supported by Sutter Physician Services (SPS), the database included only the following patient demographic information dated from 1995 to January 2011: name, address, date of birth, phone number and email address (if provided), medical record number and the name of the patient’s health insurance plan. SPS is an organization that provides billing and managed care services for health care providers with which it contracts, including facilities within the Sutter Health network. Patients who think they may be affected should visit to see the list of impacted health care providers.
  2. For approximately 943,000 SMF patients, the database contained the above demographic data as well as the following information dated from January 2005 to January 2011: dates of services and a description of medical diagnoses and/or procedures used for business operations. Because the data of SMF patients was broader in scope, Sutter Medical Foundation has begun the process to notify these patients by mail. Patients should receive letters no later than Dec. 5.
“Sutter Health holds the confidentiality and trust of our patients in the highest regard, and we deeply regret that this incident has occurred,” said Sutter Health President and CEO Pat Fry. “The Sutter Health Data Security Office was in the process of encrypting computers throughout our system when the theft occurred, and we have accelerated these efforts.”
More to follow….

A clear indication that Japan will soon have much tighter Privacy & Breach laws...
Computer IDs, passwords of Japan lawmakers leaked
November 16, 2011 by admin
The computer IDs and passwords of all the lawmakers in the House of Representatives were leaked during recent cyber-attacks against the lower house’s server and personal computers, it has been revealed.
In a report released Monday, the lower house also said e-mails sent to its lawmakers might have been accessible to hackers for a maximum of 15 days.
On the same day, the House of Councillors said 29 of its personal computers were also found to have made improper communications with overseas Web sites as a result of cyber-attacks it discovered following the revelation of the lower house case.
According to the House of Representatives, the virus infection started July 25, when a lawmaker using a computer distributed for public use opened a virus-infected file attached to a targeted e-mail sent to the computer.
Eventually, the virus infection spread to the lower house’s server and a total of 32 computers.
Information stored in the computer first infected with the virus was suspected of having been stolen up to Sept. 1.

Today's “Compare & Contrast” exercise.
Europe Bans X-Ray Body Scanners Used at US Airports
Tuesday 15 November 2011 by: Michael Grabell, ProPublica
The European Union on Monday prohibited the use of X-ray body scanners in European airports, parting ways with the U.S. Transportation Security Administration, which has deployed hundreds of the scanners as a way to screen millions of airline passengers for explosives hidden under clothing.
The European Commission, which enforces common policies of the EU's 27 member countries, adopted the rule “in order not to risk jeopardizing citizens’ health and safety.”

"ProPublica reports that the TSA is backing off a previous promise to conduct a new independent study of X-ray body scanners used at airport security lanes around the country. Earlier this month, an investigation found that TSA had glossed over research about the risks from the X-rays."

No matter how well written, editorials, commentary, opinion pieces only reach people who can read (paper) not those who “text.”
Philip Hensher: The state wants to know what you’re up to. But why do we let it?
November 17, 2011 by Dissent
Philip Hensher has a great commentary on surveillance, privacy, and control in The Independent today, inspired by news that Oxford City Council wants CCTV in taxis. Here are a few excerpts from his piece:
But what balanced means, in this context, is what a three-year-old means by fair on Christmas morning. It means I think I ought to get whatever I want.
The truth is that what is driving these diverse attempts to introduce surveillance, based on such very different social issues, is not any serious attempt to diminish an evil. Most research shows that means of surveillance alone don’t have a cost-effective result in general, and that they often diminish in effectiveness quite quickly over time. There are much simpler, less intrusive, much cheaper remedies which have been shown to have a bigger effect. So what is driving a council to decide to record private conversations, for doctors to propose that the Government should inquire into and prevent a private habit in a private place?
Simply, the desire to control and subjugate. With the mantra that “If you’ve nothing to hide, you’ve nothing to fear”, the authorities have created a world in which it seems normal for some pathetic local authority to record your private conversations, to go through your bins, to inquire into what you do behind your front door in the evening. All we have left is the response that it’s none of your business. I wish there was some less feeble response to this constant, exhausting, draining surveillance we live under.
You can read the full commentary on The Independent.

What a concept!
IL: State says electronic messages from council meetings are public records
November 16, 2011 by Dissent
A reader sends in this pro-transparency ruling in Illinois:
City officials must turn over electronic correspondence council members send and receive during meetings, regardless of what kind of media or means they use to do so, the state attorney general’s office said Tuesday.
The legally binding opinion was sent to city officials and The News-Gazette after the city denied a July request from the newspaper under the Freedom of Information Act seeking “all electronic communications, including cellphone text messages, sent and received by members of the city council and the mayor during city council meetings and study sessions since and including May 3.”
On Tuesday, the binding opinion from the attorney general’s office stated that “whether information is a ‘public record’ is not determined by where, how or on what device the record was created.”
The question is whether one or more members of a public body used the record to conduct the affairs of government, the office determined.
“The City’s argument that text messages and emails pertaining to public business which are generated from private equipment are not public records is clearly inconsistent with the General Assembly’s intention, as stated in section 1 of FOIA (5 ILCS 140/ 1 (West 2010)), that the public have ‘full disclosure of information relating to the decisions, policies, procedures, rules, standards, and other aspects of government activity,’” wrote Michael Luke, counsel to the attorney general.
Read more on The News-Gazette.

Interesting to speculate on how this strategy evolved. (Which came first, the opportunity or the tools?)
Why Would Google Sell Music? 4 Big Reasons
… According to Bloomberg and others Google’s music store will do the same thing Amazon and iTunes do: sell individual music downloads for $.99 to $1.29. The twist: each song will apparently include some sort of sharing feature — a rumor that is borne out by the apparent refusal of Warner Music Group to license the service yet, according to Bloomberg, due to “pricing and piracy concerns.”
… Bloomberg holds Google’s feet to the fire for launching a music store eight years after Apple launched iTunes, the first digital music store in the world to sell music from all (then five) major labels.
1. Eight years is not too late to figure out digital music.
Yes, eight years is a long time, but two incredibly important things happened in those eight years, both very recently. First, music can be delivered by apps now, rendering the need for consumer-visible DRM moot, even for subscription services. Second, everybody’s on social networks now, meaning that sharing can be built into these apps in ways that make iTunes look like an Edsel.
2. Google wants to be like Apple
As Apple has proven, companies with their fingers in multiple pies benefit from building entire ecosystems of hardware, software, services, and stores. Google already copied Apple’s approach to selling apps with the unified market, and copied iOS with Android. In order to complete the next step, Google needs a music store that works seamlessly with those things, and with its music locker, even if it loses money.
Facebook made major inroads with music this year. If Google+ wants to compete, it needs music too, and this is one way to do that. Sweetening the pot: Apple’s Ping didn’t take off; Facebook doesn’t have a music store; and Amazon doesn’t have a social network.
Also, music functions as a sort of “social glue,” sort of like how alcohol is a “social lubricant.” We figured out a way to use Google+ Hangouts to listen to music with other people at the same time, but that was a kludge. A real social music feature within Google+ would be far better. In addition, as we mentioned this summer when we first started examining Google’s music potential closely, Google is tying employee bonuses to the social features they create, and music lends itself to social sharing.
Facebook didn’t kill MySpace as a music destination — YouTube did. Until recently, when Spotify launched in America and Rdio, Rhapsody, and MOG reacted by unveiling free, on-demand trials that similarly do not require a credit card, YouTube was by far the best place to find out what a band sounds like in seconds, and still works great for that purpose. With a music store, Google can attach “buy” links to all of those videos.

For the gang in Computer Forensics... The challenges are: 1) Create a detector/decoder and 2) find another protocol we can exploit.
"A group of researchers from the Warsaw University of Technology have devised a relatively simple way of hiding information within VoIP packets exchanged during a phone conversation. They called the method TranSteg, and they have proved its effectiveness by creating a proof-of-concept implementation that allowed them to send 2.2MB (in each direction) during a 9-minute call. IP telephony allows users to make phone calls through data networks that use an IP protocol. The actual conversation consists of two audio streams, and the Real-Time Transport Protocol (RTP) is used to transport the voice data required for the communication to succeed. But, RTP can transport different kinds of data, and the TranSteg method takes advantage of this fact."

For my Math students. Don't let the fact that it is intended for grammar school students turn you off... (Also has a few Trig examples)
Wednesday, November 16, 2011
Math Open Reference is a free online reference for geometry teachers and students. Math Open Reference features animated and interactive drawings to demonstrate geometry terms and concepts. The table of contents on Math Open Reference is divided into four basic categories; plane geometry, coordinate geometry, solid geometry, and function explorer tools. Click on any subject in the first three categories to find definitions, examples, and interactive drawings. In the function explorer category users can select linear functions, quadratic functions, or cubic functions to explore how changes in variables affect the graphed output.
Math Open Reference probably still isn't complete enough to replace a textbook, but it could make a great supplement to the mathematics textbooks that you do use. For students who need visual references, Math Open Reference could be particularly helpful.

For my “students who read”
Litfy: A Resource For Reading Various Free eBooks Online
Litfy is a free to use website that offers you eBooks to read online. These eBooks cover a variety of genres that include mystery, romance, and fantasy.

Wednesday, November 16, 2011

For your security manager – You can't trust files that are “certified” safe!
"Security researchers claim that malware spreading via malicious PDF files is signed with a valid certificate stolen from the Government of Malaysia, in just the latest evidence that scammers are using gaps in the security of digital certificates to help spread malicious code. The malware, identified by F-Secure as a Trojan horse program dubbed Agent.DTIW, was detected in a signed Adobe PDF file by the company's virus researchers recently. The malicious PDF was signed using a valid digital certificate for, the Agricultural Research and Development Institute of the Government of Malaysia. According to F-Secure, the Government of Malaysia confirmed that the certificate was legitimate and had been stolen 'quite some time ago.'" [and never canceled? Bob]

I don't know
but I can guess,
Breach Reporting
is a mess!
(Marching song at Bob's Security Boot Camp) You could also say that government breach reporting has gone from virtually non-existent to merely very poor...
Ca: ‘Insider’ government data breaches soaring
November 15, 2011 by admin
Emily Chung reports:
The proportion of “insider” internet security breaches caused by employees are rising quickly within Canadian government departments and agencies, a new study shows.
Insider breaches in the government sector grew by 28 per cent between 2010 and 2011 and are up 68 per cent since 2008, the fourth annual Telus-Rotman joint study on Canadian IT security practices reported Tuesday. They now make up 42 per cent of breaches reported by government organizations, compared to 27 per cent of breaches at public corporations and 16 per cent at private businesses.
Read more on CBC.

Dang! Now I have to fight this battle for our Alumni Wiki... Fortunately, we have no “children” graduates.
Does FERPA ban schools from allowing students to post their schoolwork on the open Web?
Of the trio of laws that address children’s and students’ privacy and safety online, FERPA is often the one least cited outside of educational circles. The other two, COPPA and CIPA, tend to be in the news more often; the former as it relates to some of the ongoing discussions about privacy and social networking, the latter as it relates to BYOD and filtering programs. But in all cases, there seems to be a growing gulf between the laws and their practical application or interpretation, particularly since these pieces of legislation are quite old: COPPA was enacted in 1998, and CIPA in 2000. FERPA, the Family Educational Rights and Privacy Act, dates all the way back to 1974.
… The classic example used to explain how FERPA works: you can’t post a list of students’ names and grades on a bulletin board in the hallway.
But what about posting students’ work publicly online?
… Yesterday, Georgia Tech deleted all student history and participation from the school’s “Swikis,” the wikis that students use for their coursework. Georgia Tech has been using wikis for this purpose since 1997, pioneering the usage of the collaborative tools for undergraduate education. One of the features of the school’s wikis was that they allowed for cross-course and cross-semester communication. You could, should you choose, remain in a wiki for a class you’d taken previously, for example.

I must have missed earlier reports on this...
FTC Welcomes a New Privacy System for the Movement of Consumer Data Between the United States and Other Economies in the Asia-Pacific Region
November 16, 2011 by Dissent
The Federal Trade Commission welcomed the approval by the forum on Asia-Pacific Economic Cooperation (APEC) of a new initiative to harmonize cross-border data privacy protection among members of APEC. The initiative is designed to enhance the protection of consumer data that moves between the United States and other APEC members, at a time when more consumer information is moving across national borders.
On November 13, 2011, President Obama and representatives from the other APEC economies endorsed the APEC Cross-Border Privacy Rules at a meeting in Honolulu, Hawaii. The APEC privacy system is a self-regulatory code of conduct designed to create more consistent privacy protections for consumers when their data moves between countries with different privacy regimes in the APEC region.
… Companies that wish to participate in the APEC privacy system will undergo a review and certification process by third parties that will examine corporate privacy policies and practices and enforce the new privacy rules.
Source: FTC

What a surprise! (If the RIAA fails to stop them, I think I'll get into this business...)
"Ars Technica reports on the developing story between the RIAA and music reseller ReDigi, 'the world's first online marketplace for used digital music,' who first came online with a beta offering on October 11th, 'allowing users to sell "legally acquired digital music files" and buy them from others "at a fraction of the price currently available on iTunes."' If the notion of selling 'used' digital content is challenged in court, we may finally receive a judicial ruling on the legality of EULAs that will overturn the previous Vernor v. Autodesk decision."

(Related) I'm sure it's brain damage...
An anonymous reader writes with a new twist in the recently resolved Canadian music label infringement lawsuit. From the article:
"Earlier this year, the four primary members of the Canadian Recording Industry Association (now Music Canada) — Warner Music Canada, Sony BMG Music Canada, EMI Music Canada, and Universal Music Canada — settled the largest copyright class action lawsuit in Canadian history by agreeing to pay over $50 million to compensate for hundreds of thousands of infringing uses of sound recordings. While the record labels did not admit liability, the massive settlement spoke for itself. While the Canadian case has now settled, Universal Music has filed its own lawsuit, this time against its insurer, who it expects to pay the costs of the settlement."

An interesting Tweet for the e-Discovery lawyers out there...
IBM's Ferucci: where we're going with Watson: Can we help people organize evidence...collect it and assess it? #chm #ibmwatson #cnet

Imagine a computer system that doesn't second guess you! What a concept!
November 15, 2011
Google - Search using your terms, verbatim
Official Google Blog: "Behind the simplicity of Google search is a complex set of algorithms that expands and improves the query you’ve typed to find the best results. Automatic spelling correction ([vynal] to “vinyl”) and substituting synonyms (matching [pictures] to “photos”) are just two examples of the improvements we make...we’ve received a lot of requests for a more deliberate way to tell Google to search using your exact terms. We’ve been listening, and starting today you’ll be able to do just that through verbatim search. With the verbatim tool on, we’ll use the literal words you entered without making normal improvements such as
  • making automatic spelling corrections
  • personalizing your search by using information such as sites you’ve visited before
  • including synonyms of your search terms (matching “car” when you search [automotive])
  • finding results that match similar terms to those in your query (finding results related to “floral delivery” when you search [flower shops])
  • searching for words with the same stem like “running” when you’ve typed [run]
  • making some of your terms optional, like “circa” in [the scarecrow circa 1963]"

Some of my 'adult learners' will remember these – some don't remember these...
Play Old Games On New Systems
Even though we have multi-core processor videogame systems, high-definition, 3-D graphics rendered in stunning quality, and online networks that allow us to play with friends and enemies all over the world, we still reminisce over filling our pockets with quarters at the arcade and blowing the dust out of our old game cartridges. Unfortunately, our ancient hardware may not be able to hold up against the test of time for much longer. Fear not — it's possible to play basically any old game on a new console, though technical issues can occur during setup. Thankfully, there are a few tips, tricks and hacks you can use to re-live your gaming glory days once again.

Tuesday, November 15, 2011

Be “social” at your own risk?
Facebook 'virus' shows hardcore porn and violent images
Facebook says it is looking into reports that pornographic and violent images have been posted to its website.
… According to the technology site, ZDnet, the material is being spread via a "linkspam virus" which tempts members to click on a seemingly innocuous story link.

It will probably still be a few years before they plug the “I overpaid, send me a refund” bug...
wiredmikey writes with an analysis of a GAO report on the dismal failure of the IRS to implement secure IT practices. From the article:
"The Government Accountability Office has blasted the Internal Revenue Service for failing to implement stronger security measures after a succession of dismal reports on the subject. In a report issued to the Secretary of the Treasury last week, the GAO said that the IRS had met just 15 percent of the 105 previously reported recommendations where information security is concerned. Taking a blunt approach, the GAO said that the IRS 'lacks reasonable assurance as to the accuracy of financial information or the adequate protection of sensitive taxpayer information.' ... It also said it would issue a limited distribution report to the IRS that addresses details omitted from this most recent report due to the sensitivity of the information."

The old, “They are selling my personal information!” argument fails again.
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn
November 14, 2011 by Dissent
Venkat Balasubramani writes:
Low brought a putative class action against LinkedIn, complaining about the fact that LinkedIn “allows transmission of users’ personally identifiable browsing history and other personal information to third parties, including advertisers, marketing companies, data brokers, and web tracking companies . . . ” He asserted a variety of different claims, including under the Stored Communications Act, the California Constitution, breach of contract, conversion, and California consumer protection statutes. The Court finds that Low failed to satisfy Article III standing and dismisses (with leave to amend).
Read more on Technology & Marketing Law Blog. After reviewing the decision, Venkat does a great job of explaining why so many potential class action lawsuits are getting tossed. And if you’re thinking of filing a lawsuit against some business alleging harm due to their practices, you’ll definitely want to read his comments and those of Eric Goldman below the piece.

US Guidelines? “Keep repeating, 'It's probably harmless.'”
EU adopts guidelines on airport body scanners to protect privacy
November 14, 2011 by Dissent
Associated Press reports:
The European Union adopted new guidelines Monday on using body scanners at airports, hoping to address the privacy concerns that have delayed their implementation across the continent.
Siim Kallas, the EU commissioner responsible for transport, said under the rules the technology will only be used with strict safeguards to protect health and fundamental rights.
Read more on The Washington Post.

I predict, this is exactly how they won't do it.
W3C Proposes Do Not Track Privacy Standard
November 14, 2011 by Dissent
Mathew J. Schwartz reports:
The World Wide Web Consortium (W3C), the standards body that develops the protocols and guidelines for the Web, Monday released the first draft of its proposed standard for implementing “Do Not Track” online.
Do Not Track refers to giving consumers the ability to opt out of having their personal information and online browsing habits tracked by advertisers, marketers, and websites in general. The final W3C Do Not Track standard–due out by the summer of 2012–will detail both how consumers can express their tracking preferences, as well as how websites and their affiliates will acknowledge those preferences.
Read more on InformationWeek.
From the W3C site:
To address rising concerns about privacy on the Web, W3C publishes today two first drafts for standards that allow users to express preferences about online tracking:
These documents are the early work of a broad set of stakeholders in the W3C Tracking Protection Working Group, including browser vendors, content providers, advertisers, search engines, and experts in policy, privacy, and consumer protection. W3C invites review of these early drafts, expected to become standards by mid-2012. Read the full press release and testimonials and learn more about Privacy.

Interesting. If I wrote a technical brief, explaining how Privacy could be protected, the courts would simply ignore it...
November 14, 2011
Commentary - Scholars' Briefs and the Vocation of a Law Professor
  • "At least within the loosely defined domain of public law, any law professor who does not get asked to sign a "scholars' briefs" is not much of a scholar. Scholars briefs, in which collections of professors appear as amici curiae to support a party in litigation before a court, appear to grow more common each year. During the 2010 Term, in which the Supreme Court decided 85 cases, it received 56 briefs on behalf of groups of self-identified legal scholars or law professors, with at least one such brief being filed in 30 cases, or more than a third of the total. The subject of scholars’ briefs, and the standards that law professors ought to apply in determining whether to sign them, has received almost no attention in the literature. Yet the topic is an important one. Besides forming an increasingly significant component of many law professors’ professional lives, scholars’ briefs open a window onto broader questions about law professors’ professional roles. We are long past the day, if there ever was one, when most law professors thought their sole professional contributions should come through traditional scholarship and teaching. Modern law professors familiarly participate in law reform initiatives, take on paid and unpaid client representation, and write regularly for non-scholarly audiences. Indeed, many law schools now boast in their alumni magazines and on their websites whenever their faculty publish op-ed articles, appear on radio or television programs, or even post comments on blogs."

Lying in a Singles Bar does not leave an evidence trail... Now that we record everything anyone says online and keep it forever, it becomes easy (automate-able?) to find BS artists! (We will need an exemption for politicians...)
DOJ: Lying on needs to be a crime
The U.S. Department of Justice is defending computer hacking laws that make it a crime to use a fake name on Facebook or lie about your weight in an online dating profile.
In a statement obtained by CNET that's scheduled to be delivered tomorrow, the Justice Department argues that it must be able to prosecute violations of Web sites' often-ignored, always-unintelligible "terms of service" policies.
The law must allow "prosecutions based upon a violation of terms of service or similar contractual agreement with an employer or provider," Richard Downing, the Justice Department's deputy computer crime chief, will tell the U.S. Congress tomorrow.

I think they do too (assuming they paid him more when he started Blogging...)
"Noah Kravitz worked as a mobile phone reviewer for a tech website called Phonedog for four and a half years. While there, he started a Twitter account (of his own volition) with the handle @PhoneDog_Noah to tweet his stories and videos for the site as well as personal stuff about sports, food, music, etc. When he left Phonedog, he had approximately 17,000 followers and changed his Twitter handle to @noahkravitz. This summer, Phonedog started barking that it wanted the Twitter account back, and sued Kravitz, valuing the account at $340,000 (!), or $2.50 per follower per month. [That makes my Blog worth more than $10! Bob] Kravitz claims the Twitter account was his own property. A California judge ruled that the case can proceed and theoretically go to trial. Meanwhile, Kravitz continues to tweet."

For the Network Security students.
November 14, 2011
DoD IA Policy Chart - Build and Operate a Trusted Global Information Grid
"Building, operating and securing the Global Information Grid (GIG) for the Department of Defense is a complex and ongoing challenge. The Deputy Assistant Secretary of Defense (DASD) for Cyber Identity and Information Assurance has developed a strategy for meeting this challenge, which is available here: Build and Operate a Trusted GIG

Don't tell my students! (Do they edit Blogs?)
Kibin: Get Your Essays & Documents Edited For Free
There are numerous websites that offer editing services for a fee. But a new web service called Kibin is offering document editing by real people for free.
… Each edited document is proofread by the Kibin staff for quality. People who earn enough credits by editing others’ documents can have their own documents edited for free. The site also offers quality editing for $0.01 per word and at other rates.
Similar tools: Shutterborg, Notapipe and Revizr.

Monday, November 14, 2011

When I said “Ubiquitous Surveillance” was coming, did you understand what that meant?
UK: Oxford City Council’s plans to install CCTV in taxis concerns privacy advocates
November 14, 2011 by Dissent
Oliver Evans reports:
All conversations will be recorded in Oxford’s taxis by controversial new CCTV cameras, which critics last night claimed broke privacy rules.
The plan for the city’s 662 taxis was last night branded an “absolute invasion of privacy”.
But Oxford City Council said the video and audio scheme was vital to provide evidence of attacks on drivers and in cases where there were allegations of driver misconduct.
Recordings would not be accessed unless requested by the police or council licensing officers for a specific crime or licensing issue, it said. [Do you believe that? Bob]
Read more in The Oxford Times. Audio and video recording by CCTV is already in effect in buses and trains.
In a companion editorial on this issue, The Oxford Times writes:
Safety for passengers and drivers in Oxford’s taxis is a significant concern, but not one that allows council officials to ride roughshod over rights to reasonable privacy.
Oxford City Council’s scheme to introduce CCTV for all the city’s 662 licensed taxis had already proved controversial before we discovered that all conversations would be recorded as well.
Such a blanket scheme would seem to breach the Information Commissioner’s code of practice on the issue. It says recording conversations is unlikely to be justified and that sound on CCTV should usually be turned off. It refers to recording in a cab occurring only if a panic button is pressed.
Yet Oxford City Council does not believe it is flouting this code, saying the risk of intrusion is acceptable compared to public safety.
Read more on The Oxford Times.

The Drone Threat to Privacy
November 14, 2011 by Dissent
John Villasenor reports:
Technology, as Supreme Court Justice Antonin Scalia wrote in a 2001 Supreme Court opinion, has the power “to shrink the realm of guaranteed privacy.” Few other technologies have as much power to do this as drones. Because they can perch hundreds or thousands of meters in the air, drones literally add a new dimension to the ability to eavesdrop. They can see into backyards and into windows that look out onto enclosed spaces not visible from the street. They can monitor wi-fi signals or masquerade as mobile phone base stations, intercepting phone calls before passing them along. Using a network of drones, it would be possible to follow the movements of every vehicle in a city—a capability that would be invaluable to a police department tracking the getaway car in a bank robbery but invasive if used to track a patient driving to a clinic to get treatment for a confidential medical condition.
Read more on Scientific American. This is the second part of their series on security and privacy in drone warfare. Part 1 was The Drone Threat to National Security.

What do you say, law school students? Is your Facebook past clean enough to repeat this challenge in the US? (Even failure would teach us something.)
Austrian student takes on Facebook
Austrian law student Max Schrems may be just one of about 800 million Facebook users, but that hasn't stopped him tackling the US giant behind the social networking website over its privacy policy.
The 24-year-old wasn't sure what to expect when he requested Facebook provide him with a record of the personal data it holds on him, but he certainly wasn't ready for the 1,222 pages of information he received.
… "When you delete something from Facebook, all you are doing is hiding it from yourself," Schrems told AFP in his home city of Vienna.
Shocked, Schrems decided to act. Hitting a dead end in Austria, he took his complaints in August to the Data Protection Commissioner (DPC) in Ireland, where Facebook has its European headquarters.
Believing that Facebook was contravening European Union law, and had more data on him that it is not releasing, Schrems has filed 22 complaints with the DPC, details of which can be found on his website:
"It's a shock of civilisations. Americans don't understand the concept of data protection.
… The DPC said it aims to complete its audit on Facebook, which was planned even before Schrems filed his complaints, by the end of 2011.
If it finds Facebook to have been in the wrong, it can ask the company to mend its ways, and if the firm refuses, a court could then fine it up to 100,000 euros ($136,400). [Chump change Bob]

(Related) Unfortunately, I think this will substitute for true privacy laws – “We educated them, they can now choose to give up their privacy.”
November 13, 2011
European Security Agency Report - Risks and benefits of emerging life-logging applications
  • To log or not to log? - Risks and benefits of emerging life-logging applications, November 11, 2011 via European Network and Information Security Agency (ENISA) - "European Union (EU) agency which acts as a centre of expertise for the EU Member States and European institutions. It gives advice and recommendations on good practice, and acts as a “switchboard” for exchanging knowledge and information. The agency also facilitates contacts between the European institutions, the Member States, and private business and industry."
  • "Recording aspects of one’s life, or life-logging, has a long established history in human society, but it is undergoing transformational change in terms of depth, volume and type of data. Before the 20th century, life-logging was restricted to recordings on paper media and involved written accounts, such as books, diaries, or collections of letters between people as well as person-constructed images such as drawings or paintings. By the 20th century, the media had broadened to include still photographic images, sound and moving images and most families kept at least an image life-log in the form of a photo album. By the end of the 20th century, most of these life-log data were digitally recorded with both the resolution and frequency of recording dramatically increasing year on year. Paper diaries and letters gave way to blogs, e-mail, and social networking status updates with the significant difference that the latter were potentially recorded forever and with a vastly more complete history than the episodic fragments of days gone by."
  • Appendix I Scenario Building and Analysis Template, accompanying the deliverable "To log or not to log? - Risks and benefits of emerging life-logging applications".
  • Appendix II Risk Assessment Spreadsheet, accompanying the deliverable "To log or not to log? - Risks and benefits of emerging life-logging applications"

Perhaps I should purchase “”
"Schools nationwide, including The University of Missouri and Washington University, are snapping up .xxx domain names to avoid people making porn sites with their names in the url. The new .xxx domain will be launched later this year, and before that, everyone with a trademark will have the opportunity to reserve names during what's called a "sunrise period". Someone is promoting the possible horrors of what could happen as a way to sell these domains, which cost up to $200 dollars per domain per year. Even though these schools may already be protected from defamation and trademark infringement, they still feel compelled to buy these names."

Porn Legend Sasha Grey Reads to 1st Graders, School Attempts Cover-Up
… A rep for the school district is flatly denying Sasha was ever inside one of its classrooms -- telling TMZ, "We have several celebrities who read to our students each year. The actress you have indicated [Sasha] was not present."
Clearly, the photos we obtained show otherwise.

Clive Thompson on Why Kids Can’t Search
… Pan grimly concluded that students aren’t assessing information sources on their own merit—they’re putting too much trust in the machine.
Other studies have found the same thing: High school and college students may be “digital natives,” but they’re wretched at searching.
… Who’s to blame? Not the students. If they’re naive at Googling, it’s because the ability to judge information is almost never taught in school. Under 2001’s No Child Left Behind Act, elementary and high schools focus on prepping their pupils for reading and math exams. And by the time kids get to college, professors assume they already have this skill. [Not in my experience... Bob] The buck stops nowhere. This situation is surpassingly ironic, because not only is intelligent search a key to everyday problem-solving, it also offers a golden opportunity to train kids in critical thinking.
… Mind you, mastering “crap detection 101,” as digital guru Howard Rheingold dubs it, isn’t easy. One prerequisite is that you already know a lot about the world. For instance, Harris found that students had difficulty distinguishing a left-wing parody of the World Trade Organization’s website from the real WTO site. Why? Because you need to understand why someone would want to parody it in the first place—knowledge the average eighth grader does not yet possess.
In other words, Google makes broad-based knowledge more important, not less. A good education is the true key to effective search. But until our kids have that, let’s make sure they don’t always take PageRank at its word.

An interesting article, but it sounds like technology is being used to reduce cost rather than improve education.
My Teacher Is an App
… Teachers give short lectures and offer one-on-one help, but most learning is self-directed and online.
"If it seems strange, that's because it is strange," says Alberto Carvalho, superintendent of the Miami schools. But he sees no point in forcing the iPod generation to adapt to a classroom model that has changed little in 300 years. [How about “forcing” schools to adapt to modern (post-chalkboard) technology? Bob]
The drive to reinvent school has also set off an explosive clash with teachers unions and backers of more traditional education. Partly, it's a philosophical divide. Critics say that cyberschools turn education into a largely utilitarian pursuit: Learn content, click ahead. They mourn the lack of discussion, fear kids won't be challenged to take risks, and fret about devaluing the softer skills learned in classrooms. [Sounds like they're doing it wrong. Bob]

Because it came up recently, here is a quick overview for finding and removing Flash Cookies.
An Introduction to Flash Cookies; How to Manage Them

Apparently, my former students think I need this stuff...
1. You accidentally enter your PIN on the microwave.
2. You haven't played solitaire with real cards in years.
3. You have a list of 15 phone numbers to reach your family of three.
4. You e-mail and text the person who works at the desk next to you.
5. Your reason for not staying in touch with friends and family is that they don't have e-mail or text addresses.
6. You pull up in your own driveway and use your cell phone to see if anyone is home to help you carry in the groceries...
7. Every commercial on television has a web site at the bottom of the screen.
8. Leaving the house without your cell phone, which you didn't even have the first 20 or 30 (or 60) years of your life, is now a cause for panic and you turn around to go and get it.
10. You get up in the morning and go on line before getting your coffee.
11. You start tilting your head sideways to smile. : )
12. You are too busy to notice there was no #9 on this list.
13. You actually scrolled back up to check that there wasn't a #9 on this list.