Saturday, December 03, 2011
Dang. There goes another Drone/Maverick Targeting Tool...
Hole in Skype reveals location and downloading habits
December 2, 2011 by Dissent
Joan Goodchild reports:
Researchers have found a flaw in Skype, the popular Voice-over-Internet-Protocol service which allows users to make video phone calls and internet chat with their computers. The vulnerability can expose your location, identity and the content you’re downloading. Microsoft, which owns Skype, says they are working on the problem.
The issue was uncovered earlier this year by a team of researchers from Polytechnic Institute of New York University (NYU-Poly), MPI-SWS in Germany and INRIA in France and included Keith Ross, Stevens LeBlond, Chao Zhang, Arnaud Legout, and Walid Dabbous.
Read more on CSO Online.
Could it be that someone in Congress is starting to get it?
By Dissent, December 2, 2011
Five members of the House of Representatives have sent a letter to TRICARE Management Authority concerning the recent SAIC breach that affected over 4.9 million members of the military and their dependents.
In a series of questions, the legislators ask for details as to TRICARE’s policies and, in particular, any policies or contracts it had for SAIC. Noting that SAIC had experienced at least six prior breaches, they also ask what steps TMA took since these breaches and what steps it will take to prevent future incidents.
Actually, this is a killer letter that I encourage you to read in its entirety. Kudos to Reps. Markey, Barton, DeGette, Stearns, and Andrews for asking the right questions – including why TMA continued and continues to deal with SAIC in light of its track record.
I can’t wait to see the answers, which they’ve requested be provided by February 22.
In a press release today, Deborah Peel, M.D., of Patient Privacy Rights, said:
The fact that SAIC has continued to get billions in funds from the federal government despite repeated breaches of sensitive health information shows also that the federal process of awarding, monitoring and auditing, and assuring performance of billion-dollar contracts needs investigation.
Providers, healthcare organizations, and technology companies that do not use state-of-the-art data security for health information should not be allowed to work in the healthcare field. If you are unwilling to protect patient data, you don’t belong in healthcare.
This is an interesting idea. I never liked the idea that crooks would just 'give up' their tools. This suggests a thoughtful player with strategic vision – I think I'll start a fan club!
"Reuters has published a provocative article describing the findings of cyberwarfare expert John Bumgarner, a former Army intelligence officer. His contention is that Conficker identified targets, then opened the door for Stuxnet. 'His analysis challenges a common belief that Conficker was built by an Eastern European criminal gang to engage in financial fraud. The worm's latent state had been a mystery for some time. It appears never to have been activated in the computers it infected, and security experts have speculated that the program was abandoned by those who created it because they feared getting caught after Conficker was subjected to intense media scrutiny. If confirmed, Bumgarner's work could deepen understanding of how Stuxnet's commanders ran the cyber operation that last year sabotaged an underground facility at Natanz, where Iranian scientists are enriching uranium using thousands of gas centrifuges.'"
Is it “insurmountable” or simply the wrong approach? Do we care “How” they did it or “What” they did?
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
December 2, 2011 by Dissent
Suggested musical accompaniment to this entry “Another One Bites the Dust.”
Venkat Balasubramani summarizes a recent order to dismiss in a federal action against Amazon
Plaintiffs sued Amazon, alleging that Amazon’s use of “flash” cookies and certain browser “tokens” was misleading. In a putative class action, Del Vecchio asserted claims against Amazon under the Computer Fraud and Abuse Act, and the Washington Consumer Protection Act, along with claims for trespass and unjust enrichment. The court dismisses the lawsuit, and although it grants leave to amend, it sends a pretty clear message to plaintiffs that they face a high (and likely insurmountable) hurdle.
Read Venkat’s analysis on Technology & Marketing Law Blog.
Let's hope that TSA agents will glow in the dark before people who travel occasionally by plane.
December 02, 2011
PBS Special Highlights Risks of Airport Body Scanners
"A PBS Newshour special highlights the radiation risks and security flaws of airport body scanners. The program follows EPIC's Freedom of Information Act lawsuits against the Department of Homeland Security. EPIC's suits forced disclosure of documents detailing the health risks and privacy hazards posed by the scanners as well as the proposed use of the scanners on public streets and in train stations."
[Could someone explain to TSA how difficult it would be for terrorists to drive a train into a skyscraper? Bob]
Looks like I'll have to print off a Swiss passport...
"One in three people in Switzerland download unauthorized music, movies and games from the Internet, and — since last year — the government has been wondering what to do about it. This week their response was published, and it was crystal clear. Not only will downloading for personal use stay completely legal, but the copyright holders won't suffer because of it, since people eventually spend the money saved on entertainment products."
December 01, 2011
Pew Report: The internet as a diversion and destination
The internet as a diversion and destination - On a typical day, 53% of young adults go online just for fun and to pass the time, by Lee Rainie. December 2, 2011
"Americans are increasingly going online just for fun and to pass the time. On any given day, 53% of all the young adults ages 18-29 go online for no particular reason except to have fun or to pass the time. Many of them go online in purposeful ways, as well. But the results of a survey by the Pew Research Center’s Internet & American Life Project show that young adults’ use of the internet can at times be simply for the diversion it presents. Indeed, 81% of all young adults in this age cohort report they have used the internet for this reason at least occasionally."
Okay guys, next time...
Programmers Shred Pentagon’s Paper Puzzle Challenge
A team of California computer programmers has conquered the Pentagon’s latest civilian research challenge.
The military’s way-out research arm, Darpa, today announced that the team of three, called “All Your Shreds Belong To Us,” had scooped up the $50,000 prize. To do it, they’d required 33 days and 600 man hours, all to re-assemble five shredded documents. A whopping 9,000 teams entered the contest, which gave groups until Dec. 5 — meaning the winners barely scraped by — to use whatever means necessary to put pulverized papers back together.
Please, not in my classroom.
Angry Birds Launches Wonderful Pistachios Branded Game For Free [News]
Are you a fan of Angry Birds? Are you a fan of Wonderful Pistachios? If you answered yes to both of these questions then Rovio Mobile has a proposition for you. They have just launched a Wonderful Pistachios branded Angry Birds game that is 100% free and playable right in your web browser by simply heading to GetCrackin.com. That’s one interesting way to market your pistachio company.
… The game only works if you are using Google Chrome as your web browser (another bit of marketing perhaps). As long as you have Chrome installed, you just go to the website, and click “Play and Win now” to get started.
In addition to being a free game, you can also win prizes for playing. Prizes range from free pistachios all the way up to $25,000 in cash. [Remember my cut Bob]
Global Warming!...Global Warming!...See, this confuses me. If we went from an “inter-glacial period” (i.e. not an Ice Age) to an Ice Age, that seems to suggest that during the inter-glacial period the Earth was much warmer than it is now, before there was much “industrial pollution” and something triggered a rapid cooling. Would we be wrong to try and reverse that “climate event” rather than the “climate event” that is returning us to a warmer Earth?
Study: CO2 drop drove Antarctic ice birth
… "We went from a warm world without ice to a cooler world with an ice sheet overnight, in geologic terms, because of fluctuations in carbon dioxide levels."
Apparently it does confuse my students when I recommend a Cheat Sheet
Want To Be More Productive? Download Our 24 Free PDF Cheatsheets Today
We here at MakeUseOf have been committed from day one to teaching you how to do things faster, easier, and more efficiently. Now we have produced 24 PDF cheatsheets for you to download absolutely free of charge which will list all the shortcuts available for different popular programs such as Microsoft Outlook, Skype (including the secret emoticons), Firefox, Chrome, Gmail and many more.
The other programs for which cheatsheets are available are :
iPhone, Gmail, Twitter, Photoshop CS5, iTunes (for both Windows and Mac), Windows, Windows CMD, Mac OSX, Linux, GIMP, Chat smileys, Facebook, VLC Player, Google Reader, Mozilla Thunderbird, Internet Explorer, Google Chrome, Mozilla Firefox (for both Windows and Mac), Google search
Interesting grouping for “security breach” and I like being able to “Hide” a category
Helioid’s Search Engine Provides Category Sorting To Aid Research, Targets Students And Professionals
Without billions of dollars in resources like Microsoft or a tight vertical focus like travel site Kayak to help attract users, would-be competitors haven’t been able to pull people away from Google.
Helioid is a small startup out of New York that’s trying to change that, by delivering results tied to categories of information. It’s aiming at students, professionals and others who are trying to do exploratory research across a topic, and aren’t just looking for a specific answer to a question.
Friday, December 02, 2011
It was all a misunderstanding – we didn't understand how to respond...
Carrier IQ clears the air on spying allegations
December 2, 2011 by Dissent
Chester Wisniewski writes:
In an interview with AllThingsD today Carrier IQ, the company accused of creating spyware software for mobile carriers, cleared the air and explained in detail what their software does and does not do.
Was this just a matter of lack of transparency but without anything really evil going on? Neither column includes any response from the researcher who first disclosed concerns, and it would be nice to hear his response to Carrier IQ’s explanation.
Chester raises a good point, though:
So why all of the fuss? I think the community is becoming fed up with being spied upon, our personal lives and habits being invaded through secret programs and increasingly complicated and confusing privacy statements. [It would be nice to think so... Bob]
It is unfortunate that Carrier IQ didn’t simply disclose this information when Travis published his research. It is also sad that the mobile phone carriers involved didn’t make it possible to opt-out of sending this information.
Will Carrier IQ be this week’s privacy flame that burns out quickly? Quite possibly. But that probably won’t stop Carrier IQ from getting sued by someone who jumped on the earlier reports.
Company executives insist it doesn’t log or understand keystrokes. It’s simply looking for numeric sequences that trigger a diagnostic cue within the software. If it hears that cue, it transmits diagnostics to the carrier.
So, for example, if during a support call a technician asks a customer to enter a short code, CIQ will be listening for it; when it’s entered, CIQ will relay the appropriate diagnostic information to the carrier. Any keystrokes beyond that are ignored.
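The distinction the company draws here (listening for a short code is not the same as logging keystrokes) is something a reviewer can check for in code rather than take on faith. Below is an added Python sketch written for this page, not Carrier IQ's software, showing the two designs side by side: an observer that keeps the full key history and matches against it, and one that keeps only a window as long as the longest trigger code and drops everything else on arrival. The trigger codes and the key stream are made up.

```python
from collections import deque

# Constructed trigger codes for illustration only; whatever codes a carrier
# actually uses are not given on this page.
TRIGGERS = {
    "*#*#2468#*#*": "radio_stats",
    "##1234#": "data_settings",
}


class RetainingObserver:
    """Keeps every key it sees and matches against the full history.

    It 'only' fires on trigger codes, but the whole keystroke history sits
    in `log`, which makes it a keylogger regardless of what it transmits.
    """

    def __init__(self):
        self.log = []

    def on_key(self, key):
        self.log.append(key)
        text = "".join(self.log)
        return [name for code, name in TRIGGERS.items() if text.endswith(code)]


class BoundedObserver:
    """Retains at most one window the length of the longest trigger code,
    and only dialer characters. Anything else is dropped on arrival and also
    resets the window, so text typed between two codes never exists here.
    """

    DIALER = set("0123456789*#")

    def __init__(self):
        self.window = deque(maxlen=max(len(code) for code in TRIGGERS))
        self.peak = 0  # most characters ever held at once, for auditing

    def on_key(self, key):
        if key not in self.DIALER:
            self.window.clear()
            return []
        self.window.append(key)
        self.peak = max(self.peak, len(self.window))
        text = "".join(self.window)
        hits = [name for code, name in TRIGGERS.items() if text.endswith(code)]
        if hits:
            self.window.clear()  # the code has done its job; forget it
        return hits

    def retained(self):
        """What someone who dumped this object's memory would get."""
        return "".join(self.window)


def run(observer, keys):
    """Feed single-character key events to an observer and return the
    diagnostic cues it triggered, in order."""
    cues = []
    for key in keys:
        cues.extend(observer.on_key(key))
    return cues


if __name__ == "__main__":
    # Constructed key stream: a word, a trigger code, a password, another code.
    stream = list("hello*#*#2468#*#*pass1##1234#")
    keep, bound = RetainingObserver(), BoundedObserver()
    print(run(keep, stream), "retained:", "".join(keep.log))
    print(run(bound, stream), "retained:", repr(bound.retained()), "peak:", bound.peak)
```

Both observers fire the same two cues on the same input; the difference is entirely in what `log` versus `retained()` and `peak` expose. That is the question to put to any real implementation: what is the most the component can ever hold, and does a password typed between two codes survive inside it.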
Critics Line Up to Bash Maker of Secret Phone-Monitoring Software
The backlash against a formerly obscure California mobile-monitoring software maker grew even larger Thursday, with a senator asking questions, citizens bombing the company with bad online reviews, and former customer Apple swearing it off.
Adding possible legal jeopardy to its woes, a former federal prosecutor is also publicly wondering whether Carrier IQ, whose phone-monitoring software was secretly installed on millions of phones, was illegally wiretapping Americans’ communications.
… The software cannot be removed or stopped by a phone’s owner unless the phone is rooted, though Apple says users can easily stop diagnostic data from being sent to Apple.
Carrier IQ initially threatened Eckhart with a lawsuit unless he apologized for his research and retracted his statement that it was a “rootkit,” but relented after Eckhart got legal help from the Electronic Frontier Foundation.
… Verizon, the nation’s largest wireless carrier, denies using the software.
Sprint, the third-place carrier, defended its use of the secret software.
… T-Mobile says it uses Carrier IQ, as well.
Yesterday it was Wikileaks... Potential employers for my Ethical hacking students?
Big Brother Incorporated
December 1, 2011 by Dissent
A lot of data being released this morning on businesses involved in surveillance. From Privacy International:
Privacy International and The Bureau have compiled a comprehensive database of companies that sell surveillance products. The database displays the types of product the company makes. Clicking the company name brings up a pop-up box with more information, including (where available) names of key individuals, addresses, websites and Google Map locations. There are also links to the brochures and other materials released by Wikileaks and Privacy International.
Read more on Privacy International and do check out their impressive compilation at Big Brother, Inc.
This is what happens when you believe you are superior to the second class citizens you were elected by...
Senate Wants the Military to Lock You Up Without Trial
Here’s the best thing that can be said about the new detention powers the Senate has tucked into next year’s defense bill: They don’t force the military to detain American citizens indefinitely without a trial. They just let the military do that. And even though the leaders of the military and the spy community have said they want no such power, the Senate is poised to pass its bill as early as tonight.
There are still changes swirling around the Senate, but this looks like the basic shape of the 2012 National Defense Authorization Act. Someone the government says is “a member of, or part of, al-Qaida or an associated force” can be held in military custody “without trial until the end of the hostilities authorized by the Authorization for Use of Military Force.” Those hostilities are currently scheduled to end the Wednesday after never. The move would shut down criminal trials for terror suspects.
Will these pictures ever go away? Even if you are found not guilty? False arrest? Mistaken identity?
On Google+, police present a portrait of crime
… The San Jacinto Police Department, in southern California's Riverside County, has added a Google+ account to its repertoire.
… But what makes the page intriguing to me isn't the text. It's the mugshots.
… Compare it to San Jacinto Police Department's Facebook page. The tiny thumbnails are of the same people, but unless you click on them, they're small. The Google+ page draws you in and makes you want to hear the story of what happened.
Another device that will join the Obsolete Scrap-pile...
"Almost every year, the estimated number of U.S. households owning TV sets goes up. Until now. This year, for the second time since 1970, TV ownership has gone down; by about 1%. TV ownership among the key adult 18-49 demo also declined even steeper, down 2.7 percent and percentage of homes without a TV is at the highest level since 1975. The reasons behind this appear to be online media content [Oh look! Everything I want is on the Internet! Bob] and the recession." [When the TV dies, it is increasingly difficult to justify buying a new one when your PC/laptop/tablet/smartphone works just as well... Bob]
In “Minority Report” they called it PreCrime. As long as we can predict, we might as well go ahead and arrest, try, convict and execute...
Model Predicts Who Will Run Red Lights
MIT researchers have developed an algorithm that can predict whether a car is about to run a red light, a calculation they estimate could prevent millions of crashes and 700 deaths each year if paired with vehicle-to-vehicle (V2V) communication.
For students taking Encryption... (Another indication that a Cyber-war is imminent?)
Crack This Code and Become a British Spy
The GCHQ — Britain’s secretive agency of intelligence experts — wants to find new spies. To make sure it has a candidate who’s up to scratch, the agency is inviting hobbyist cryptanalysts to try and break a code online.
A website called “can you crack it” is being spread through a viral campaign around social networks like Twitter and Facebook. The site shows a seemingly senseless jumble of 160 pairs of numbers and letters, and a box to enter some kind of answer.
… This isn’t the first time a British intelligence agency has used a public puzzle to recruit new code-breakers. During World War II, the Government Code and Cypher School placed a letter in the Daily Telegraph, challenging readers to solve a crossword puzzle in under 12 minutes. The ones who did all got interviews to join the spy service.
I keep checking, but so far my picture isn't included...
Tuesday, November 29, 2011
The Museum of Obsolete Objects is a neat YouTube channel featuring videos about objects like cassette tapes that at one point represented cutting edge technology and are now obsolete. The MOOO isn't limited to 20th Century objects. The list includes things like quill pens and the telegraph.
A short video...
How to: Stream media from a PC to a Kindle Fire
You might want to read up before Israel removes it entirely...
Country Analysis Brief: Iran
Keeping students honest...
Many music fans download their music from the Internet for free. But downloading free MP3 files from websites is illegal. What is not illegal however in most countries is recording radio stations – that is exactly what an app called StreamWriter lets you do.
Who says electronic is the only way to go...
The World at Our Fingertips: 23 Beautiful Old Texts, Available Online
The Internet's collection of old manuscripts and texts is not only growing in size but improving in quality. With a few clicks of the mouse you can zoom in on some of the earliest Hebrew scrolls, the handwritten works of Leonardo da Vinci or Jane Austen, and the first drafts of the Declaration of Independence. The British Library's digital editions include supplemental materials such as translations, explanatory essays, and, in the case of Mozart's notes, audio files of the songs he sketched out.
Thursday, December 01, 2011
Do we (the US) take this seriously enough to make a hotline a reality?
"China should look at establishing a cyber crisis hotline with the United States, according to a Chinese newspaper seen as a window into official thinking. Discussions about a crisis hotline might seem an obvious first step in improving relations. But if it's a sign the Chinese government is beginning to think about how to coordinate a rapid, unified response to cyber emergencies, then it is an extremely important one."
(Related) Perhaps so...
"Deciding when malware becomes a weapon of war that warrants a response in the physical world – for example, a missile – has become a necessary part of the discussion of military doctrine. The Pentagon recently outlined (PDF) its working definition of what constitutes cyber-war and when subsequent military strikes against physical targets may be justified as result. The main issue is attribution of cyber attacks. The Department of Defense is working to develop new ways to trace the physical source of an attack and the capability to identify an attacker using behavior-based algorithms. 'If a country is going to fire a missile at someone, it better be sure it has the right target,' said one expert. A widely held misconception in the U.S. government is our offensive capabilities provide defensive advantage by identifying attacker toolkits and methods in foreign networks prior to them hitting our networks. So when do malware and cyber attacks become a weapon or act of war that warrant a real-world military response?"
Update: Nifty little app. Where does the data end up?
Did Carrier IQ Violate Wiretap Law in Millions of Cases?
November 30, 2011 by Dissent
The Carrier IQ kerfuffle that came to light after a researcher, Trevor Eckhart, revealed some really spooky snooping took a wicked turn. Andy Greenberg reports:
A piece of keystroke-sniffing software called Carrier IQ has been embedded so deeply in millions of Nokia, Android, and RIM devices that it’s tough to spot and nearly impossible to remove, as 25-year old Connecticut systems administrator Trevor Eckhart revealed in a video Tuesday.
That’s not just creepy, says Paul Ohm, a former Justice Department prosecutor and law professor at the University of Colorado Law School. He thinks it’s also likely grounds for a class action lawsuit based on a federal wiretapping law.
The Mountain View, California-based firm is really getting a lot of bad press since Trevor Eckhart published his findings. First they threatened to sue him – until EFF jumped in to defend him and made them see the errors of their way. Now this. Watch the video and be … appalled… offended… furious:
http://www.youtube.com/watch?feature=player_embedded&v=T17XQI_AYNo#! [Tedious and techie, but interesting! Bob]
Somewhat ironically, Carrier IQ’s most recent tweet, on November 21, was “Understanding the experience of the mobile user.” I guess they meant really, really, really, REALLY understanding the experience.
But not everyone agrees with Professor Ohm’s opinion that Carrier IQ could be facing a criminal wiretap charge or massive class action lawsuit. In a post on Pastebin today, security researcher Dan Rosenberg writes, in part:
After reverse engineering CarrierIQ myself, I have seen no evidence that they are collecting anything more than what they’ve publicly claimed: anonymized metrics data. There’s a big difference between “look, it does something when I press a key” and “it’s sending all my keystrokes to the carrier!”.
In response, Professor Ohm tweeted
Wiretap only if one “acquires” content, so maybe a defense, but “anonymized metrics data” may be content.
I guess we’ll have to wait to see if federal prosecutors charge the firm. What’s more certain is that at least some lawyers will rush to file a civil suit.
Small breach, but a good “bad example.” You probably get away with this since your students (and certainly the reporters covering the story) don't know enough to ask the tough questions.
The College of New Jersey reports vulnerability might have exposed 12,815 student job applicants’ information
November 30, 2011 by admin
David Karas reports:
Officials at The College of New Jersey this week reported an unintentional data breach in the On-Campus Student Employment System, an in-house system designed to store information about students applying for on-campus jobs.
According to a notice sent to students and faculty Monday, a vulnerability in the system was identified Nov. 2 by a student who applied for a position and accidentally viewed the personal information of 12 other students. The student reported the incident, officials said, and the system flaw was repaired within hours.
“Though there is no indication that any of the additional 12,815 records contained in the system were accessed by any unauthorized individual,” the statement read, “the possibility exists that the database could have been accessed through this vulnerability.”
Read more on NJ.com
“No indication… but the possibility exists?” Do they have logs going back far enough or don’t they? The State Police “has not found any evidence that data had been extracted from the system” (to date) is reassuring, but only if there are sufficient logs and the data weren’t indexed by a search engine.
So for how long did this vulnerability exist? Since 2002, when the system was built, or is this a more recent vulnerability?
And were these records indexed by Google?
There’s more information that we need to know to assess the risk of this incident, including what kinds of information were in the database.
In April 2010, the college also experienced an exposure breach, but that one involved an alumni database.
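Dissent's questions (are there logs, were records indexed, since when) are answerable from an ordinary web access log if the application writes one. The following is an added Python example, not the college's system or code. It assumes a record-ID-in-the-URL style of flaw, which the page does not confirm; the log lines, the log format and the record-owner table are constructed.

```python
import re

# Constructed: which student owns which application record. On a real
# system this comes from the application database.
OWNER = {4412: "stu4412", 4413: "stu4413", 4420: "stu4420"}

# Constructed log lines in a made-up format:
# timestamp user method path status "user-agent". A "-" user means no login.
LOG = """\
2011-10-15T03:12:09 - GET /ocses/application?id=4413 200 "Googlebot/2.1"
2011-11-02T14:03:11 stu4412 GET /ocses/application?id=4412 200 "Mozilla/5.0"
2011-11-02T14:03:40 stu4412 GET /ocses/application?id=4413 200 "Mozilla/5.0"
2011-11-02T14:03:41 stu4412 GET /ocses/application?id=4420 200 "Mozilla/5.0"
2011-11-02T14:05:02 stu4420 GET /ocses/application?id=4420 200 "Mozilla/5.0"
2011-11-02T14:06:00 stu4413 GET /ocses/application?id=4412 403 "Mozilla/5.0"
""".splitlines()

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
RECORD_ID = re.compile(r"[?&]id=(\d+)")


def parse(line):
    """Return (ts, user, path, status, agent, record_id), or None when the
    line is not a request for a record."""
    m = LINE.match(line)
    if not m:
        return None
    ts, user, _method, path, status, agent = m.groups()
    rid = RECORD_ID.search(path)
    if not rid:
        return None
    return ts, user, path, int(status), agent, int(rid.group(1))


def audit(lines, owner):
    """Find record reads that succeeded (HTTP 200) for someone other than the
    record's owner. Logged-in cross-user reads and unauthenticated reads are
    reported separately: the latter is how a record ends up in a search index.
    Refused requests (non-200) are the control working and are ignored."""
    cross_user = {}
    unauthenticated = []
    flagged_ts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, user, _path, status, agent, rid = parsed
        if status != 200:
            continue
        if user == "-":
            unauthenticated.append((ts, rid, agent))
            flagged_ts.append(ts)
        elif owner.get(rid) != user:
            cross_user.setdefault(user, []).append(rid)
            flagged_ts.append(ts)
    return {
        "cross_user": cross_user,
        "unauthenticated": unauthenticated,
        # ISO-8601 timestamps sort as strings, so min() is the earliest.
        "earliest": min(flagged_ts) if flagged_ts else None,
    }


if __name__ == "__main__":
    result = audit(LOG, OWNER)
    print("cross-user reads:", result["cross_user"])
    print("unauthenticated reads:", result["unauthenticated"])
    print("exposure visible in logs since:", result["earliest"])
```

The `earliest` value is only as good as log retention: if the logs start after the flaw was introduced, "no indication" means nothing more than "no logs", which is exactly the gap the questions above are probing.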
Lots of data, insufficient analysis? A few conclusions jumped to... Probably correct to sound the alarm. Still, it should have been detected and resolved months earlier...
Exclusive: Comedy of Errors Led to False ‘Water-Pump Hack’ Report
It was the broken water pump heard ’round the world.
Cyberwar watchers took notice this month when a leaked intelligence memo claimed Russian hackers had remotely destroyed a water pump at an Illinois utility. The report spawned dozens of sensational stories characterizing it as the first-ever reported destruction of U.S. infrastructure by a hacker. Some described it as America’s very own Stuxnet attack.
Except, it turns out, it wasn’t. Within a week of the report’s release, DHS bluntly contradicted the memo, saying that it could find no evidence that a hack occurred. In truth, the water pump simply burned out, as pumps are wont to do, and a government-funded intelligence center incorrectly linked the failure to an internet connection from a Russian IP address months earlier.
… Mimlitz says last June, he and his family were on vacation in Russia when someone from Curran Gardner called his cell phone seeking advice on a matter and asked Mimlitz to remotely examine some data-history charts stored on the SCADA computer.
Mimlitz, who didn’t mention to Curran Gardner that he was on vacation in Russia, used his credentials to remotely log in to the system and check the data. He also logged in during a layover in Germany, using his mobile phone.
“I wasn’t manipulating the system or making any changes or turning anything on or off,” Mimlitz told Threat Level.
… On Nov. 8, a water district employee investigating the pump failure called in a contract computer repairman to check it out. The repairman examined the logs on the SCADA system and saw the Russian IP address connecting to the system in June. Mimlitz’s username appeared in the logs next to the IP address.
The water district passed the information to the Environmental Protection Agency,
… But from there, the information made its way to the Illinois Statewide Terrorism and Intelligence Center, a so-called fusion center composed of Illinois State Police and representatives from the FBI, DHS and other government agencies.
Even though Mimlitz’s username was connected to the Russian IP address in the SCADA log, no one from the fusion center bothered to call him to ask if he had logged in to the system from Russia.
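The step the fusion center skipped, tying the username in the SCADA log to a person and asking, is cheap to build into triage, and so is the other question that mattered here: did the foreign session change anything. This is an added Python example written for this page, not anything from the Illinois investigation. The log format, the addresses (RFC 5737 documentation ranges), the country table (a stand-in for a real GeoIP lookup) and the account directory are all constructed.

```python
# Constructed remote-access log in a made-up key=value format.
LOG = """\
2011-06-14T10:22:05 user=contractor1 src=203.0.113.7 event=login
2011-06-14T10:23:40 user=contractor1 src=203.0.113.7 event=read tag=pump3.history
2011-06-14T10:31:02 user=contractor1 src=203.0.113.7 event=logout
2011-06-20T08:02:10 user=contractor1 src=198.51.100.9 event=login
2011-06-20T08:03:00 user=contractor1 src=198.51.100.9 event=read tag=pump3.history
2011-06-20T08:05:12 user=contractor1 src=198.51.100.9 event=logout
2011-11-01T15:40:00 user=operator2 src=192.0.2.15 event=login
2011-11-01T15:41:30 user=operator2 src=192.0.2.15 event=write tag=pump3.setpoint value=45
""".splitlines()

# Constructed stand-in for a GeoIP database.
GEO = {"203.0.113.7": "RU", "198.51.100.9": "DE", "192.0.2.15": "US"}
HOME = "US"

# Constructed account directory: who to call before anyone writes a memo.
OWNERS = {
    "contractor1": "integration vendor, on-call +1-555-0100",
    "operator2": "plant operator, control room",
}


def parse(line):
    """Split 'ts key=value key=value ...' into a dict with a 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def triage(lines, geo=GEO, owners=OWNERS, home=HOME):
    """Group sessions by (user, source address). For every session from
    outside the home country, report what it actually did and who can
    confirm whether it was legitimate. Nothing here is labelled an attack;
    the output is the analyst's to-do list before escalation."""
    sessions = {}
    for rec in map(parse, lines):
        key = (rec["user"], rec["src"])
        s = sessions.setdefault(key, {"first": rec["ts"], "writes": []})
        if rec["event"] == "write":
            s["writes"].append((rec["ts"], rec.get("tag"), rec.get("value")))
    findings = []
    for (user, src), s in sessions.items():
        country = geo.get(src, "??")
        if country == home:
            continue
        if s["writes"]:
            verdict = "control writes from abroad; escalate"
        else:
            verdict = "reads only; confirm travel with account owner before escalating"
        findings.append({
            "user": user, "src": src, "country": country, "first": s["first"],
            "writes": s["writes"],
            "owner": owners.get(user, "unknown account; escalate"),
            "verdict": verdict,
        })
    return findings


def last_write_to(lines, tag):
    """Who last changed a given control tag, from any location. This is the
    question 'what happened to the pump' actually needs answered."""
    hits = [r for r in map(parse, lines)
            if r["event"] == "write" and r.get("tag") == tag]
    return hits[-1] if hits else None


if __name__ == "__main__":
    for f in triage(LOG):
        print(f["first"], f["user"], f["src"], f["country"], "->",
              f["verdict"], "| ask:", f["owner"])
    print("last write to pump3.setpoint:", last_write_to(LOG, "pump3.setpoint"))
```

Run on the constructed log, both foreign sessions come back as read-only with a named contact to phone, which is the call the fusion center never made; a session with control writes, or a username nobody can account for, is what would justify a memo.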
Lots more data?
"President Obama this week issued a directive to all federal agencies to upgrade records management processes from paper-based systems that have been around since President Truman's administration [Surely records go back a bit farther than that? Bob] to electronic records systems with Web 2.0 capabilities. Agencies have four months to come up with plans to improve their records keeping. Part of the directive is to have the National Archives and Records Administration store all long-term records and oversee electronic records management efforts in other agencies. Unfortunately, NARA doesn't have a stellar record itself (PDF) in rolling out electronic records projects. Earlier this year, due to cost overruns and project mismanagement, NARA announced it was ending a 10-year effort to create an electronic records archive."
Mark Zuckerberg Invents Two New Chief Privacy Officer Roles At Facebook
In a blog post today on Facebook's website, CEO and founder Mark Zuckerberg announced two new roles within the company's executive team: Chief Privacy Officer (Policy) and Chief Privacy Officer (Products).
Erin Egan, who recently joined Facebook from law firm Covington & Burling, will become Chief Privacy Officer (Policy).
Michael Richter, who has been Facebook's Chief Privacy Counsel on the company's legal team, will become Chief Privacy Officer (Products).
Facebook's FTC settlement won't change much, if anything
Federal Trade Commission officials spent the day touting a new settlement with Facebook, with FTC Chairman Jon Leibowitz saying the company now will be "obligated" to keep its privacy promises.
But in reality, the agreement is likely to have little, if any, actual impact on Facebook users.
One reason is that Facebook won't have to roll back any changes to its default privacy settings, which have grown more permissive over the last few years.
Since there is no agreement, Dr Cirka doesn't co-own this “online commentary.” What does this indicate? Fear that an occasional angry patient might harm his practice? Fear that angry patients aren't that occasional? Apparently he never considered angry potential patients who are also professional writers with privacy concerns.
By Dissent, November 30, 2011
This may be more of a free speech than a privacy issue, but because a provider presented it as a “mutual privacy” issue, I’m posting this eyebrow-raising report by Nate Anderson:
When our own Timothy B. Lee stepped into a Philadelphia dentist’s office earlier this year, he had an unpleasant experience: the dentist required him to sign over control of all copyright in future online commentary related to that dentist. Here’s how Tim described the visit:
When I walked into the offices of Dr. Ken Cirka, I was looking for cleaner teeth, not material for an Ars Technica story. I needed a new dentist, and Yelp says Dr. Cirka is one of the best in the Philadelphia area. The receptionist handed me a clipboard with forms to fill out. After the usual patient information form, there was a “mutual privacy agreement” that asked me to transfer ownership of any public commentary I might write in the future to Dr. Cirka. Surprised and a little outraged by this, I got into a lengthy discussion with Dr. Cirka’s office manager that ended in me refusing to sign and her showing me the door.
Read more on Ars Technica.
Interesting recognition of reality?
"Internet freedom got a boost Wednesday when Italy's highest court ruled that the editors of online publications can't be held legally responsible for defamatory comments posted by their readers. The judges said online publications could not be treated in the same way as traditional print media and could not be expected to exercise preventative editorial control over readers' comments."
Not everyone gets it. Is there any conceivable way to save the printed book industry?
"Sci-fi author Charlie Stross has written a post about how the Big Six book publishing companies have painted themselves into a corner in the rapidly growing ebook industry. Between user-unfriendly DRM and the Amazon juggernaut, they're slowly pushing themselves out of business. Quoting:
'Until 2008, ebooks were a tiny market segment, under 1% and easily overlooked; but in 2009 ebook sales began to rise exponentially, and ebooks now account for over 20% of all fiction sales. In some areas ebooks are up to 40% of the market and rising rapidly. (I am not making that last figure up: I'm speaking from my own sales figures.) And Amazon have got 80% of the ebook retail market. ... the Big Six's pig-headed insistence on DRM on ebooks is handing Amazon a stick with which to beat them harder. DRM on ebooks gives Amazon a great tool for locking ebook customers into the Kindle platform.'"
Have I mentioned this business model before? If there is ONLY a proprietary solution, the more unique the better, reverse engineer it and sell your services to everyone when the rest of the industry catches up.
Google, VMware, and Cisco Throw Money at Puppet
Three giants of the IT game have invested big money in Puppet Labs, an outfit that develops open source software for automatically configuring and managing machines inside the data center.
… Kanies actually built Puppet Labs with Google in mind. Back in 2005, web giants such as Google and Amazon were using software that did automated IT tasks in their data centers, but these tools were completely proprietary. Kanies sought to bring this sort of IT automation to the masses, building an open source platform as well as a for-pay offering designed specifically for enterprises. “Our open source product solves most problems of every enterprise,” he says. “And our commercial product solves every problem of most enterprises.”
Well duh! Who do you think has been training these guys?
SPYFILES: Revelations of a Billion-Dollar Mass Surveillance Industry
December 1, 2011 by Dissent
Today Wikileaks releases nearly 1,100 internal documents, sales brochures and manuals for products sold by the manufacturers of systems for surveillance and the interception of telecommunications.
These new leaks reveal a mass surveillance industry that’s now worth $5 billion a year, with technologies capable of spying on every telephone and Internet network on a national scale. The flagships of this market are called Nokia-Siemens, Qosmos, Nice, Verint, Hacking Team, Bluecoat and Amesys. The documents detailing their interception capabilities will be progressively released online by Wikileaks.
OWNI, who worked in partnership with the Washington Post, The Hindu, L’Espresso, the German channel ARD and The Bureau of Investigative Journalism in this operation which has been dubbed the Spy Files, has attempted to present an overview of this new type of industry, by creating an interactive map and a dedicated site, SpyFiles.org. Andy Mueller-Maguhn, former spokesman for the German Chaos Computer Club (the most influential group of hackers in the world), is also associated with this investigation, to which he has devoted a site, BuggedPlanet.info.
To date, we have documented a total of 133 of these surveillance weapons dealers, including 36 in the United States, 18 in the United Kingdom, 15 in Germany, 11 in Israel and eight in Italy. As with “traditional” arms dealers, most of them are located in rich and democratic countries. 12 of the 26 countries documented are also part of the European Union, which accounts for 62 of these companies.
Read more on OWNI.eu.
Related: Wikileaks: The Spy Files
Attention Ethical Hackers! Welcome to the University Flight Center! Please do not buzz the Professors or harass the geese.
An anonymous reader sends this excerpt from the Seattle Times:
"Drone aircraft, best known for their role in hunting and destroying terrorist hideouts in Afghanistan and Pakistan, may be coming soon to the skies near you. Police agencies want drones for air support to find runaway criminals. Utility companies expect they can help monitor oil, gas and water pipelines. Farmers believe drones could aid in spraying crops with pesticides. 'It's going to happen,' said Dan Elwell, vice president of civil aviation at the Aerospace Industries Association. 'Now it's about figuring out how to safely assimilate the technology into national airspace.' That's the job of the Federal Aviation Administration, which plans to propose new rules for using small drones in January, a first
Wednesday, November 30, 2011
The return of Total Information Awareness. Now DHS will be able to FISS on citizens whenever they like. Assuming they are still authorized to purchase commercial data (e.g. data collected by “Behavioral Advertising” like in the next article) they could have quite a bit of detailed information on us...
The Department Of Homeland Security Wants All The Information It Has On You Accessible From One Place
November 30, 2011 by Dissent
Kashmir Hill reports:
Information sharing (or lack thereof) between intelligence agencies has been a sensitive topic in the U.S. After 9/11, there was a push to create fusion centers so that local, state, and federal agencies could share intelligence, allowing the FBI, for example, to see if the local police have anything in their files on a particular individual. Now the Department of Homeland Security wants to create its own internal fusion center so that its many agencies can aggregate the data they have and make it searchable from a central location. The DHS is calling it a “Federated Information Sharing System” and asked its privacy advisory committee to weigh in on the repercussions at a public meeting in D.C. last month.
Read more on Forbes.
(Related) Continuing the sad saga for Carrier IQ
BUSTED! Secret app on millions of phones logs key taps
Dan Goodin reports:
An Android app developer has published what he says is conclusive proof that millions of smartphones are secretly monitoring the key presses, geographic locations, and received messages of their users.
In a YouTube video posted on Monday, Trevor Eckhart showed how software from a Silicon Valley company known as Carrier IQ recorded in real time the keys he pressed into a stock EVO handset, which he had reset to factory settings just prior to the demonstration. Using a packet sniffer while his device was in airplane mode, he demonstrated how each numeric tap and every received text message is logged by the software.
Read more on The Register.
(Related) They didn't want to know what the advertising application was doing...
Jp: App sends user GPS data to ad firm in U.S.
The Yomiuri Shimbun reports:
A smartphone application that gathers information on the location of its users was downloaded by more than 1.5 million people, and the data was sent to an advertising company in the United States, according to experts.
The application in question is a goldfish catching game that does not require any information about the user’s location to play.
As the GPS data makes it possible to identify a user’s location with a margin of error of several meters, it would be possible to presume the user’s home or office address if such information was accumulated, they said.
An image showing what type of information is collected appears on the screen before installation, but only a small number of users correctly understand the explanations, the experts said.
According to an analysis by KDDI R&D Labs in Fujimino, Saitama Prefecture, at the request of The Yomiuri Shimbun, the free application released on the Internet last month was designed to send Global Positioning System information from smartphones to a U.S. advertising firm at a rate of about once per minute.
When the application is installed, an image appears on the screen with a message reading “the range of access authority and positional information.” Approval of the reading of positional information is requested but there is no mention of its purpose and whether the information will be transmitted remotely.
… “When we created the application, we built in the programs sent from a U.S. advertising company, with which we had made a contract for ad placement, without confirming their contents,” the president of the app development company said. “We had no idea that private information was being transmitted, because the game’s content has no connection with positional information.”
The U.S. advertising firm insists that information about users’ locations is collected to provide more convenient advertisements and that no problems will arise because information is treated anonymously.
Read more on Daily Yomiuri Online.
Brilliant. A little privacy by design wouldn’t have killed the app developer, now would it? And what will they do now that they know?
Local. Not a good day for the former Arapahoe County Sheriff either...
CO: Former police chief accused of ID theft
November 29, 2011 by admin
Associated Press reports:
The former police chief in Platteville is accused of using Social Security numbers from fellow police officers to buy gas for his personal vehicle.
Read more on The Gazette.
Quelle surprise, dudes.
Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep Privacy Promises
From their press release:
The social networking service Facebook has agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers’ express consent before their information is shared beyond the privacy settings they have established.
The FTC’s eight-count complaint against Facebook is part of the agency’s ongoing effort to make sure companies live up to the privacy promises they make to American consumers. It charges that the claims that Facebook made were unfair and deceptive, and violated federal law.
“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” said Jon Leibowitz, Chairman of the FTC. “Facebook’s innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not.”
The FTC complaint lists a number of instances in which Facebook allegedly made promises that it did not keep:
- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn’t warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a “Verified Apps” program & claimed it certified the security of participating apps. It didn’t.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.
The proposed settlement bars Facebook from making any further deceptive privacy claims, requires that the company get consumers’ approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.
Specifically, under the proposed settlement, Facebook is:
- barred from making misrepresentations about the privacy or security of consumers’ personal information;
- required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user’s material no more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.
The proposed order also contains standard record-keeping provisions to allow the FTC to monitor compliance with its order.
Facebook’s privacy practices were the subject of complaints filed with the FTC by the Electronic Privacy Information Center and a coalition of consumer groups.
… The FTC will publish a description of the consent agreement package in the Federal Register shortly.
“...and the proper response to meeting a Microsoft representative is a full kowtow.”
Microsoft software would detect, score and report obnoxious workplace habits
Todd Bishop reports:
Is Microsoft taking inspiration from Dwight Schrute these days?
It almost seems that way based on a newly surfaced patent application from the Redmond company. The filing describes a computer system that would monitor behavior in the workplace with the goal of stopping bad habits such as co-workers cutting each other off during meetings and bosses bugging their direct reports on their lunch breaks — but at no small cost to workplace privacy.
Read more on GeekWire.
[From the article:
[In addition] to an email or voice conversation, other forms of interaction such as gestures, mannerisms, etc. in a video conference may also be analyzed and reported (e.g. nodding one’s head in agreement, shaking one’s head indicating disagreement, hand gestures, and similar ones). Additionally, patterns of communication may also be detected (in addition to distinct phrases or mannerisms).
Tuesday, November 29, 2011
Are these little “extras” for subscribers(?) anything that concerns management? Perhaps they are viewed as so trivial, so removed from 'journalism' that they are not even monitored?
Globe and Mail online classroom hacked – again and again? Wake up, Globe and Mail!
November 28, 2011 by admin
Well, I posted this to DataLossDB.org the other day, but seem to have forgotten to have posted it here.
Globe and Mail, the Canadian newspaper, had their online classroom site hacked (globeclassroom.ca). The hack was disclosed on Pastebin on November 22, at which time I created an entry for it on DLDB. I then tried to notify Globe and Mail’s online classroom site that over 600 users’ names, e-mail addresses, clear-text passwords, job title, school, and school contact details had been acquired and dumped on the Internet. They did not respond to my courtesy notification, but one paste was removed. Another one, that I had missed, remained.
The removal triggered a response by a hacker, who re-posted the original paste and then pointed me to the second data dump. I dutifully updated the entry on DLDB.
But now, digging into things a bit more, I see that this same site had been hacked back in July by a hacker who identified himself as part of #AntiSec:
Hi! I’m sepo. For today my target was http://globeclassroom.ca/. It was hacked by a simple SQL Injection. All the data (login email, password, first & second name, address, school etc.) is dumped to one of my virtual servers. I was thinking about a deface, but this wasn’t a good idea. Your sec sux! Your data can be stolen! This is a part of #Antisec.
The database reportedly held 4,000 users’ data.
So the site was hacked back in July and again in November. Does Globe and Mail even know? How many hackers have to point out to them that their site is insecure before they get the message? And how would all these users feel if they knew that their passwords were out there with their e-mail addresses?
Hacks like this one have become a common occurrence this year, and it is disturbing that so many sites that have been hacked do not seem to know it and do not check all their e-mail when people do try to notify them.
Maybe if I tweet it?
Attention Ethical Hackers: To really bring this home to judges in the US and Canada, I propose that we create detailed dossiers on each judge. Now, they may find this irritating so we don't want to have it traced back to us. We need an alias. I know this Professor at the Law School...
Judges out of touch on privacy issues, says Ontario privacy czar
Vito Pilieci reports:
Canadian judges and politicians have grown too old and out of touch with the reality of today’s digital world to be trusted to make sound policy decisions, according to Ontario’s Privacy Commissioner.
Speaking at the Privacy & Information Security Congress 2011 conference in Ottawa on Monday, Ann Cavoukian expressed her frustration with recent judicial decisions that she believes trivialize Canadian privacy rights.
Read more on Ottawa Citizen.
(Related) What say you, your honor? No harm, no foul?
Courts Grapple with Concept of “Harm” in Online Privacy Suits
Glenn G. Lammi is clearly not a fan of the type of class action lawsuits we’ve been seeing on a weekly basis:
The fundamental legal principle that only those who have been “harmed” can sue in U.S. courts is being put to the test by the ever-evolving, subjective concept of “privacy” in the equally organic online world.
U.S. Supreme Court rulings on so-called Article III standing reflect that a harm must be 1) concrete, particularized, actual, and imminent; 2) fairly traceable to defendant’s actions; and 3) likely redressed by a favorable decision. If a party fails to meet this test, the court will dismiss the suit for lack of jurisdiction.
Plaintiffs’ lawyers, eager to add online privacy “violations” to their lucrative book of business, have been advancing broad theories of injury through class action lawsuits. Their claims of harm routinely center around either emotional or economic injury. Those efforts so far, with a few exceptions, have met resistance from federal judges.
Read more on Forbes.
I tend to agree with Glenn and think that most of these lawsuits are misplaced. If we want to discourage certain behavior, then we either withhold our business, try to effect change, or punt to the legislature. While the costs of litigation might dissuade businesses from engaging in certain conduct, for monster companies like Facebook, it just becomes part of the cost of doing business. In the meantime, we tend to clog up courts, and the only ones who make any money are the lawyers.
What's going on here? Does Twitter need tools to break through corporate firewalls? (Send sensitive data out from within?) I know of no reason they would need to shut down their service – does anyone?
Twitter Adds Team Who Created Privacy Tools for Activists, But Was it at the Expense of Activists?
Amir Efrati reports:
Twitter on Monday announced the acquisition of a two-person startup called Whisper Systems, whose technology protected people’s mobile-phone calls and text messages from being obtained by third parties such as governments.
The deal terms weren’t disclosed. The acquisition led to speculation about what Twitter, an online-messaging service, might do with Whisper Systems founders Moxie Marlinspike and Stuart Anderson–who are well-known in computer security circles–and the technology they built exclusively for devices running on Google’s Android software.
Whisper Systems created a suite of services for human-rights activists or other privacy-conscious individuals, which were used by activists during the recent “Arab spring” actions. In a blog post, Marlinspike and Anderson said the services they created will “live on” though they had to temporarily shut them down.
Read more on WSJ.
Dan Goodin also covers the acquisition on The Register, and also covers concerns raised by privacy and security researcher Chris Soghoian:
Twitter’s acquisition of San Francisco-based Whisper Systems came on Monday, the same day Egyptian citizens participated in their nation’s first parliamentary elections since the ouster of Hosni Mubarak, whose repressive regime ruled the country for three decades. That means Egyptian dissidents who relied on Whisper Systems RedPhone to encrypt voice calls made with their Android smartphones abruptly lost the ability to protect calls from government-controlled eavesdroppers at a time they might need it most.
It was only nine months ago that Whisper Systems said it was rushing out an international version of the encryption software to support the historic protests that were then sweeping the African nation’s populace.
“The timing is atrocious,” said Chris Soghoian, a privacy researcher with the Open Society Foundations. “Today is Egypt’s first election after it threw out its old regime, and the only encrypted voice communication tool for Android goes dark. This couldn’t have happened at a worse time for people in Egypt.”
I really wish Twitter would be more forthcoming about its timing and its plans. I tend to give them the benefit of the doubt, but Chris has raised some pointed criticisms about them – and not just over Whisper Systems. Chris has also publicly challenged Twitter to make HTTPS the default connection. And again, no response from Twitter. The same platform that fought to at least notify its users about a court order to compel production of their records seems to be falling behind its competitors in terms of other privacy protections.
So, Twitter, because I use you and like you, how about you agree to make HTTPS the default connection by Christmas, and you explain how your acquisition of Whisper Systems and its talented founders is going to benefit human rights activists, privacy, and free speech.
(Related) Does Twitter take this crackdown seriously enough to want a tool that hides their interaction with users in Europe? Technology they could sell to the other big Behavioral Advertising companies? And notice that the EU Commission does not fully understand Facebook.
EU: Facebook faces a crackdown on selling users’ secrets to advertisers (updated)
This has the potential to be huge.
Jason Lewis reports:
The European Commission is planning to stop the way the website “eavesdrops” on its users to gather information about their political opinions, sexuality, religious beliefs – and even their whereabouts.
Using sophisticated software, the firm harvests information from people’s activities on the social networking site – whatever their individual privacy settings – and makes it available to advertisers.
However, following concerns over the privacy implications of the practice, a new EC Directive, to be introduced in January, will ban such targeted advertising unless users specifically allow it.
Even though most of the information it harvests is stored on computers in the USA, if Facebook fails to comply with the new legislation it could face legal action or a massive fine.
The move threatens to damage Facebook’s plans to float on the Wall Street stock exchange next year, by undermining the way it makes money.
Will EU do for Americans’ privacy what the American Congress has failed to do and what businesses have failed to do by self-regulation? We’ll have to wait and see.
Update: A report by ReadWriteWeb raises some questions about what will really be proposed in the EU and how it might affect Facebook.
At some point, Big Brother will point to Facebook and say, “You have volunteered to allow everything you complain that I do!”
How to stop Facebook from sharing your location
Facebook is at it again, releasing yet another feature that I never had the opportunity to politely opt out of: location sharing.
When Facebook decided to withdraw efforts from its short-lived check-in service, Places, it quickly implemented a more passive location-sharing feature that doesn't even have a name. It's just there. And it's creepy.
Now, every time you compose a post on a mobile device or desktop computer, you'll see a light gray location in the lower left of the status box.
Facebook sneakily grabs your location via GPS or Wi-Fi router, and attaches it to your post, so your friends can enjoy a more in-depth stalking experience.
“...and we shall name him Little Brother.”
The UK could get a Privacy Commissioner
Dave Neal reports:
The United Kingdom could get a dedicated Privacy Commissioner, according to a tabled discussion in the House of Lords.
We learned of the tabled amendment via Privacy International, which pointed followers towards the document on Twitter and told the INQUIRER that such a change is needed in the UK, due to what is a poor data protection situation for UK citizens.
“If successful, the UK could have a real privacy regulator rather than a weak one that merely oversees data protection,” it said.
Read more on The Inquirer.
So let’s get this straight – they’d have a data protection agency AND a privacy commissioner while over on this side of the pond, we have neither?
This is just so depressing. And infuriating.
Fighting certain doom? Granted it is embarrassing. What's true and what's opinion based on hearsay? (I doubt “everyone does it” and “It's not a big deal” are sufficient for acquittal.)
Feds Withholding Evidence Favorable to Bradley Manning, Lawyer Charges
The civilian lawyer for Bradley Manning, the Army private who allegedly leaked tens of thousands of classified U.S. government documents to WikiLeaks, is seeking to question the severity of the leak by requesting the government’s own internal damage assessments that reportedly contradict statements that Manning irreparably damaged national security.
… Published information about the various reports put them at odds with each other, Coombs notes. One assessment conducted by the Defense Intelligence Agency concluded that all of the information allegedly leaked was dated, represented low-level opinions, or was already commonly known due to previous public disclosures, while an official at another government office indicated that the leaks had caused damage to national security.
… “The defense requests any e-mail, report, assessment, directive, or discussion by — to the Department of Defense concerning this case in order to determine the presence of unlawful command influence,” the sentence reads.
At a press conference last week, members of the Bradley Manning Support Network, which has raised money for Manning’s defense, argued that public comments that President Obama made earlier this year suggesting that Manning is guilty constituted illegal command influence on the military court from the nation’s commander in chief.
Obama told an audience in April, “If I was to release stuff, information that I’m not authorized to release, I’m breaking the law.”
“I can’t imagine a juror who wants to have a future in the military … going against the statement of [guilty] made by his or her commander-in-chief,” said Kevin Zeese, a legal advisor to the Bradley Manning Support Network.
… In order to make the case that Manning wasn’t the only soldier to install unauthorized programs on classified networks, Coombs requested forensic images of each computer from the Tactical Sensitive Compartmented Information Facility (T-SCIF) and the Tactical Operations Center (TOC) at Forward Operating Base Hammer in Iraq, where Manning allegedly downloaded the data that was passed to WikiLeaks. Coombs is hoping to prove “it was common for soldiers to add unauthorized computer programs” to government systems that apparently helped the soldiers do their work.
IT Governance Think this will catch on?
"Thierry Breton, CEO of Atos, Europe's Largest IT Company, wants a 'zero email' policy to be in place in 18 months, arguing that only 10 per cent of the 200 electronic messages his employees receive per day on average turn out to be useful, and that staff spend between 5-20 hours handling emails every week. 'The email is no longer the appropriate (communication) tool,' says Breton. 'The deluge of information will be one of the most important problems a company will have to face (in the future). It is time to think differently.' Instead Breton wants staff at Atos to use chat-type collaborative services inspired by social networking sites like Facebook or Twitter as surveys show that the younger generation have already all but scrapped email, with only 11 per cent of 11 to 19 year-olds using it. For his part Breton hasn't sent a work email in three years. 'If people want to talk to me, they can come and visit me, call or send me a text message. Emails cannot replace the spoken word.'"
Might be interesting to play with...
"Free software activists have released a peer-to-peer search engine to take on Google, Yahoo, Bing and others. The free, distributed search engine, YaCy, takes a new approach to search. Rather than using a central server, its search results come from a network of independent 'peers,' users who have downloaded the YaCy software. The aim is that no single entity gets to decide what gets listed, or in which order results appear. 'Most of what we do on the Internet involves search. It's the vital link between us and the information we're looking for. For such an essential function, we cannot rely on a few large companies and compromise our privacy in the process,' said Michael Christen, YaCy's project leader."
Oh goodie, now I can research why my Mother's ancestors were banished from Ireland.
British Library scans 18th and 19th-Century newspapers
Four million pages of newspapers from the 18th and 19th Centuries have been made available online by the British Library.
… The archive is free to search, but there is a charge for accessing the pages themselves.
What does Anatomy have to do with Health Care? Isn't that all about Billing customers?
Monday, November 28, 2011
Eleven days ago I mentioned a free and open Computer Science 101 course being offered through Stanford University. Today, through Open Culture, I learned that Stanford is offering thirteen other free and open online courses during the spring semester. One of the courses that might be appropriate for high school juniors and seniors interested in pursuing college programs in healthcare is an introductory anatomy course. The course description promises quizzes that students can use for self-assessment and self-pacing through the course.
Toys for my Ethical Hackers
"Although Barnes & Noble receives a lot of credit from the slashdot community for standing up to Microsoft and for allowing the nook to be so easy to root, perhaps Amazon releasing the source code to the Kindle will help it gain back supporters it lost after remotely removing ebooks."