Wednesday, May 23, 2012


Anyone up for some light Summer reading? Justice Statistics reports things like crime studies, not details of ongoing investigations.
Hackers associated with well known hacker-activist group “Anonymous Operations” have released a massive cache of data they say was obtained when they hacked a website belonging to the United States Department of Justice. “Today we are releasing 1.7GB of data that used to belong to the United States Bureau of Justice, until now,” Anonymous wrote in a statement on its website. The hackers claim the file contains emails as well as “the entire database dump” from the DOJ website.
… The Justice Department confirmed the breach in a statement given to ZDNet. “The department is looking into the unauthorized access of a website server operated by the Bureau of Justice Statistics that contained data from their public website,” a DOJ spokesperson said. “The Bureau of Justice Statistics website has remained operational throughout this time. The department’s main website, justice.gov, was not affected.”
The 1.7GB file containing data Anonymous says it obtained during the DOJ breach is available for download as a torrent.


Food for thought. Will customers agree that there is a difference in outcome between hacking and social engineering? What kind of hacker deletes the data on the victim's database, but publishes it elsewhere? (How good are their backups?)
WHMCS victim of social engineering; over 500,000 client records stolen, deleted from server, and dumped publicly
May 22, 2012 by admin
Why hack when you can socially engineer employees into giving you the keys to the kingdom?
Client management billing platform WHMCS reports that hacker group UGNazi successfully socially engineered their web hosting firm into providing the hackers with admin credentials. The hackers then proceeded to acquire their data, delete it, and dump it.
The attack took place yesterday, and within hours, WHMCS had reported the problem on their blog. Later in the day, developer Matt Pugh posted an update:
The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.
This means that there was no actual hacking of our server. They were ultimately given the access details.
This is obviously a terrible situation, and very unfortunate, but rest assured that this was no issue or vulnerability with the WHMCS software itself.
According to John Leyden of The Register:
UGNazi also gained access to WHMCS’s Twitter account, which it used to publicise a series of posts on Pastebin that contained links to locations from which the billing firm’s customer records and other sensitive data might be downloaded. A total of 500,000 records, including customer credit card details, were leaked as a result of the hack.
In an email to their clients today, WHMCS wrote:
From: WHMCS
Date: 22 May 2012 01:40:03 GMT-03:00
To: XXXxxx
Subject: Urgent Security Alert – Please Do Not Ignore
Unfortunately today we were the victim of a malicious social engineering attack which has resulted in our server being accessed, and our database being compromised.
To clarify, this was no hack of the WHMCS software itself, nor a hack of our server. It was through social engineering that the login details were obtained.
As a result of this, we recommend that everybody change any passwords that they have ever used for our client area, or provided via support ticket to us, immediately. Regrettably as this was our billing system database, if you pay us by credit card (excluding PayPal) then your card details may also be at risk.
This is just a very brief email to alert you of the situation, as we are currently working very hard to ensure everything is back online & functioning correctly, and I will be writing to you again shortly.
We would like to offer our sincere apologies for any inconvenience caused. We appreciate your support, now more than ever in this challenging time.
WHMCS Limited
www.whmcs.com
But UGNazi was not done interfering with WHMCS’s business. In an update to their blog today, Matt writes:
Right now to compound matters, we are experiencing a large scale DDOS attack, which started at around 1am last night, and continues to this moment, so accessing the site may be intermittent for the time being due to the protection hardware that has been put in place for that.
According to Ted Samson of InfoWorld, client passwords:
were stored in a hash format, and the credit card information was encrypted — but evidently not PCI-compliant, a point raised by WHMCS clients on the company’s forum. “Any support ticket content may be at risk — so if you’ve recently submitted any login details in tickets to us, and have not yet changed them again following resolution of the ticket, [so] we recommend changing them now,” Pugh cautioned.
Reportedly, WHMCS lost the previous 17 hours’ worth of support tickets and new orders from the attack.
There has been no statement from the hosting firm.


Is there a government somewhere that doesn't think they have the right to intrude on their citizens?
White Paper on Governmental Access to Data in the Cloud Debunks Faulty Assumption That US Access is Unique
May 23, 2012 by Dissent
Hogan Lovells has published a White Paper with the results of a study about governmental access to data in the cloud. The paper was written by Christopher Wolf, co-director of Hogan Lovells’ Privacy and Information Management practice, and Paris Office partner Winston Maxwell. It was released today at a program presented by the Openforum Academy in Brussels at which both Wolf and Maxwell spoke.
The paper examines governmental authority to access data in the Cloud in the following countries: Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, United Kingdom, and the United States. Experienced counsel in each of those jurisdictions provided input on the scope and effect of their respective national laws.
The White Paper debunks the frequently-expressed assumption that the United States is alone in permitting governmental access to data for law enforcement or national security reasons. It examines the laws of the ten countries, including the United States, with respect to governmental authorities’ ability to access data stored in or transmitted through the Cloud, and documents the similarities and differences among the various legal regimes. The findings are set forth in the text of the White Paper and in a chart contained in the document.
Read more on Hogan Lovells Chronicle of Data Protection.

(Related) Since the answer to my question is most likely “No!”
FBI quietly forms secretive Net-surveillance unit
May 23, 2012 by Dissent
Declan McCullagh reports:
The FBI has recently formed a secretive surveillance unit with an ambitious goal: to invent technology that will let police more readily eavesdrop on Internet and wireless communications.
The establishment of the Quantico, Va.-based unit, which is also staffed by agents from the U.S. Marshals Service and the Drug Enforcement Agency, is a response to technological developments that FBI officials believe outpace law enforcement’s ability to listen in on private communications.
Read more on CNET.


Is this also related? Does the outline come with 17 pages of “or else?”
"Canada's proposed Internet surveillance was back in the news last week after speculation grew that government intends to keep the bill in legislative limbo until it dies on the order paper. This morning, Michael Geist reports that nearly all of the major Canadian telecom and cable companies have been secretly working with the government for months on the Internet surveillance bill. The secret group has been given access to a 17-page outline (PDF) of planned regulations and raised questions of surveillance of social networks and cloud computing facilities."


Hummm. How important is “Opt Out” to Facebook? If there was a chance the judge would have required “Opt In,” Facebook may have settled at almost any cost.
Facebook Settling ‘Sponsored Stories’ Privacy Lawsuit
Facebook is agreeing in “principle” to settle allegations that its “Sponsored Stories” advertising platform breached its users’ privacy.
Terms of the deal (.pdf) were not immediately disclosed. The suit, (.pdf) filed in April 2011, claimed that the social-networking site did not adequately provide a way to opt out of the advertising program that began in January 2011.
Sponsored stories work like this: If a Facebook user “likes” an advertiser, that user’s profile and picture may appear on some of their friends’ Facebook pages — in ads — stating that the person, indeed, “likes” that advertiser. Facebook also reserves the right to do this on ads that appear on sites other than Facebook, though it has not done that.


What does IBM know that we should know?
IBM Outlaws Siri, Worried She Has Loose Lips
If you work for IBM, you can bring your iPhone to work, but forget about using the phone’s voice-activated digital assistant. Siri isn’t welcome on Big Blue’s networks.
The reason? Siri ships everything you say to her to a big data center in Maiden, North Carolina. And the story of what really happens to all of your Siri-launched searches, e-mail messages and inappropriate jokes is a bit of a black box.
IBM CIO Jeanette Horan told MIT’s Technology Review this week that her company has banned Siri outright because, according to the magazine, “The company worries that the spoken queries might be stored somewhere.”


Does the FCC's job include “approving” certain business strategies? Will they ban “I'm so cost efficient, I can lower my rates and make those other guys look like the price gougers they are.”
"FCC Chairman Julius Genachowski has publicly backed usage-based pricing for wired internet access at the cable industry's annual NCTA Show. He makes the claim that it would drive network efficiency. Currently most internet service providers charge a flat fee and price their packages based on the speed of the service, while wireless providers are reaping record profits by charging based on usage, similar to the way utilities charge for electricity. By switching to this model, the cable companies can increase their profitability while at the same time blocking consumers from cutting the cord and getting their TV services online."


Oops? I kind of doubt it.
"After losing another 8.9% of its IPO value in its third day of trading, SEC Chairman Mary Schapiro has called for a review of the circumstances surrounding Facebook's IPO on the NASDAQ late last week. Unable to sell Facebook short, investors have instead taken to short-selling funds that owned pre-IPO shares as revelations come out that the underwriters involved revised their Facebook profit forecasts downward in the days before the offering without similarly revising the opening share price. Meanwhile, Thomson Reuters Starmine has come out with a post-party Facebook estimate of a meager 10.8 per cent annual growth rate, valuing the stock at a paltry $US9.59 a share, a 72 per cent discount on its IPO price, signaling that the battered stock may not have found the bottom yet."

(Related)
Nasdaq expresses regret over Facebook IPO
Nasdaq would have delayed Facebook's IPO to address technical problems had it known the extent they would affect its trading system, a senior official for the exchange told customers today.


For my Website students.
"Mozilla has announced Webmaker, a web development initiative aimed at teaching the average user the building blocks of the web. Users can join a 'code party' and learn web development with provided authoring tools, and existing developers can volunteer to run their own events. To kick it off, Mozilla is announcing the Summer Code Party starting June 23."


Psst. Don't tell anyone.
NSA Teams Up With Colleges to Train Students for Secret Cyber-Ops Jobs
The National Security Agency is partnering with select universities to train students in cyber operations for intelligence, military and law enforcement jobs, work that will remain secret to all but a select group of students and faculty who pass clearance requirements, according to Reuters.
The cyber-operations curriculum is part of the Obama administration’s national initiative to improve cybersecurity through education, and is designed to prepare students for jobs with the U.S. Cyber Command, the NSA’s signals intelligence operations, the Federal Bureau of Investigation and other law enforcement agencies that investigate cyber crimes.


Perhaps my Psych students could create an App for that?
"Researchers led by Sriram Chellappan from the Missouri University of Science and Technology collected internet usage data from 216 college students enrolled at the university. The usage data was collected anonymously without interfering with the students' normal internet usage for a month. The students were tested to see if they had symptoms of depression and analyzed internet usage based on the results. Depressed students tended to use the internet in much different ways than their non-depressed classmates. Depressed students used file-sharing programs, like torrents or online sharing sites, more than non-depressed students (PDF). Depressed students also chatted more and sent more emails out. Online video viewing and game playing were also more popular for depressed students."


For all my students...
May 22, 2012
Google Search Education
Help your students become better searchers: "Web search can be a remarkable tool for students, and a bit of instruction in how to search for academic sources will help your students become critical thinkers and independent learners. With the materials on this site, you can help your students become skilled searchers, whether they're just starting out with search, or ready for more advanced training."


Is this why so many of my fellow teachers are Luddites? Who do they think teaches the machines?
"A study at six universities found that students taught statistics mainly through software learned as much as peers taught primarily by humans. And the robots got the job done more quickly. '... our results indicate that hybrid-format students took about one-quarter less time to achieve essentially the same learning outcomes as traditional-format students.' They add, 'There is every reason to expect these systems to improve over time, perhaps dramatically, and thus it is not foolish to believe that learning outcomes will also improve.'"


I have a few dozen lists of resources specific to the classes I teach, so this looks very interesting to me.
Learnist is a new site (still in beta) that aims to be like Pinterest but for sharing learning resources. On Learnist you can create pinboards of materials organized around a topic. You can create multiple boards within your account and make your boards collaborative. You can pin images, videos, and text to your boards by using the Learnist bookmarklet, by manually entering the URL of a resource, or by uploading materials to your boards. Take a look at the video below for a brief introduction to Learnist.
Learnist is still in a closed beta period so you will have to apply for an invitation (I got mine in a few days). Once you're in you can start following members of your professional learning community and collaborating on the collation of resources that are beneficial to you and your students.


Not to be confused with...
College students can use all the educational resources they can get their hands on. While books and notes go a long way, sometimes having somebody visually explain the material uniquely helps.
LearnersTV is a free to use web service that offers video lectures on a variety of subjects and topics. Covered subjects include biology, chemistry, physics, mathematics, statistics, computer science, medicine, dentistry, engineering, accounting, and management. You simply click on a subject and then a topic; you are shown a list of lectures that are appropriately ordered and labeled. Click on a lecture title to start viewing it.