Monday, June 04, 2012

Entities need to up their game when it comes to breach disclosures
June 4, 2012 by admin
Help Net Security reports on a new Experian/Ponemon survey, “Consumers confused about data breaches.” Over 60% of respondents had trouble understanding the notification letters or felt the entity did not give them sufficient details.
One take-home message is what I’ve been saying for years: breach notifications need to be written in plain language and include sufficient detail. While overall, my impression is that the quality of notifications has generally increased over the years, and that more consumers are dissatisfied because they’ve become more savvy about what they want to know, there are still many notices that do not answer the questions consumers are likely to have. Here’s my list/opinion as to what elements should be included in plain language:
1. What happened?
If an outsider was involved, what do you know about them? If a contractor or business associate or vendor was involved, where they following procedures you had specified in a contract? If an insider was involved, have they been arrested?
2. How did it happen?
3. When did it (first) happen and for how long did this breach go on?
4. When did you first find out about this?
5, How did you find out?
6. What kinds of information about me are involved?
7. What should I do?
8. What will you do to help restore me to my pre-breach state?
9, What will you do to reduce the likelihood that this or another breach will happen again?
The survey points out that notifications should also include an estimate of risk of harm. That’s something that I’ve had recurring concerns about because many notifications seem to be so reassuring that individuals may not act to protect themselves even though their odds of becoming a victim of fraud or ID theft have increased. Consider even a “crime of opportunity” where a laptop with sensitive data is stolen in a smash and grab. The thief may have no interest in the data, true, but when the thief sells the laptop, can we say the same for the person who purchases it after it’s been inexpertly wiped (if it’s been wiped at all)?

(Related) See how easy it is to find a bad example?
Penn Station issues warning to customers after data breach
Penn Station East Coast Subs, a popular food chain in the Midwest, issued a warning to customers via its website on Friday, after some 20% of their franchisee-owned restaurants suffered a data breach. The breach resulted in unauthorized access to an untold number of debit and credit cards.
… According to Penn Station, the breach impacted less than 20% of their chain, exposing names and credit/debit card numbers, but it’s the missing information that makes this breach notification seem strange.
For example, the company says that the breach likely started at the beginning of March, and warns that customers who ate at the chain between then and April be on alert. How many customers are we talking about, hundreds? Is it thousands, or tens of thousands? Penn Station didn’t say.
Also missing from the basic notification letter on the website is Penn Station’s reason for waiting a month to tell anyone, and exactly how the breach was detected – which is odd given that it’s mentioned the franchisees switched card processing methods due to the breach itself.

Of course they knew nothing about it. Some guys in black helicopters drop in one night and ask for your support, but you turn them down... (At least they guy who had your job before he disappeared turned them down...)
"Microsoft disclosed that 'unauthorized digital certificates derived from a Microsoft Certificate Authority' were used to sign components of the recently discovered Flame malware. 'We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,' Microsoft Security Response Center's Jonathan Ness wrote in a blog post. Microsoft is also warning that the same techniques could be leveraged by less sophisticated attackers [Are we suggesting that cirtification is worthless? Bob] to conduct more widespread attacks. In response to the discovery, Microsoft released a security advisory detailing steps that organizations should take in order block software signed by the unauthorized certificates, and also released an update to automatically protect customers. Also as part of its response effort, Microsoft said its Terminal Server Licensing Service no longer issues certificates that allow code to be signed."

“There are some things man was not meant to know,” and there are “some things we wouldn't understand even if we did know.”
UK: Google was allowed to destroy data haul after ICO spent less than three hours examining information collected by Street Cars
June 3, 2012 by Dissent
Daniel Martin reports:
Britain’s privacy watchdog spent less than three hours examining the private information stolen by Google’s fleet of Street Cars, it emerged yesterday.
Phil Jones, formerly a senior member of the Information Commissioner’s Office, said it had not wanted to spend money on hiring a computer expert to fully analyse the material.
Instead they spent just over two hours looking at a small sample of the information which had been captured from home computers.
The commission then gave Google permission to destroy the evidence even though it had not been properly sifted.
Read more on The Daily Mail.
That’s pretty….. irresponsible, no?

“What;s for dinner?”
June 03, 2012
Google's' Zagat Restaurant Guide with Reviews and Ratings Now Free
"We’re excited to announce that our content is now free on and a cornerstone of the new Google+ Local experience. Now, the world’s highest quality reviews are available to more people, whether they are at their desks or on the go, As we’ve always done, we will continue to develop high quality content based on consumer surveys, and make that content available in print, online and on mobile. We hope you will participate by sharing your opinions with the growing community on Google+ -- helping more people find great places around the world. But today is just the first step. You’ve welcomed us into new areas from Dublin to Dubai and Portland to Paris, and we’re looking forward to hearing what you have to say about the new places you discover."

I can honestly say I have no scientific value what-so-ever...
June 03, 2012
Research Blogs and the Discussion of Scholarly Information
Research Blogs and the Discussion of Scholarly Information, Shema H, Bar-Ilan J, Thelwall M (2012) Research Blogs and the Discussion of Scholarly Information. PLoS ONE 7(5): e35869. doi:10.1371/journal.pone.0035869: "The research blog has become a popular mechanism for the quick discussion of scholarly information. However, unlike peer-reviewed journals, the characteristics of this form of scientific discourse are not well understood, for example in terms of the spread of blogger levels of education, gender and institutional affiliations. In this paper we fill this gap by analyzing a sample of blog posts discussing science via an aggregator called (RB). aggregates posts based on peer-reviewed research and allows bloggers to cite their sources in a scholarly manner. We studied the bloggers, blog posts and referenced journals of bloggers who posted at least 20 items. We found that RB bloggers show a preference for papers from high-impact journals and blog mostly about research in the life and behavioral sciences. The most frequently referenced journal sources in the sample were: Science, Nature, PNAS and PLoS One. Most of the bloggers in our sample had active Twitter accounts connected with their blogs, and at least 90% of these accounts connect to at least one other RB-related Twitter account. The average RB blogger in our sample is male, either a graduate student or has been awarded a PhD and blogs under his own name."

June 03, 2012
NYT Infographic - 32 Innovations that will change your tomorrow
New York Times Magazine - 32 Innovations that will change your tomorrow - topics include: morning routine; commute; work; play; health; and home.
  • "We tend to rewrite the histories of technological innovation, making myths about a guy who had a great idea that changed the world. In reality, though, innovation isn’t the goal; it’s everything that gets you there. It’s bad financial decisions and blueprints for machines that weren’t built until decades later. It’s the important leaps forward that synthesize lots of ideas, and it’s the belly-up failures that teach us what not to do. When we ignore how innovation actually works, we make it hard to see what’s happening right in front of us today. If you don’t know that the incandescent light was a failure before it was a success, it’s easy to write off some modern energy innovations — like solar panels — because they haven’t hit the big time fast enough. Worse, the fairy-tale view of history implies that innovation has an end. It doesn’t. What we want and what we need keeps changing. The incandescent light was a 19th-century failure and a 20th- century success. Now it’s a failure again, edged out by new technologies, like LEDs, that were, themselves, failures for many years. That’s what this issue is about: all the little failures, trivialities and not-quite-solved mysteries that make the successes possible. This is what innovation looks like. It’s messy, and it’s awesome. Maggie Koerth-Baker."

Now there is even an App for this!
Asus to bring Android to Windows with BlueStacks
Asus has revealed a new partnership at Computex today to make its computers more Android-friendly. By teaming with BlueStacks (download), which makes an "app player" for running Android apps on Windows, the company will make Android apps available on 30 million Windows computers around the world.

(Related) So, now that you don't even need an Android phone...
Sunday, June 3, 2012
In my part of the world many school years won't start again until the day after Labor Day. As I write this, Wolfram Alpha tells me that day is 93 days away. Therefore, I decided to select 93 apps that teachers may be interested in trying this summer. I divided the list into sections for pre-K, elementary school, middle school, high school, and apps for all. Some of the apps could have been put into one than more category so even if you teach middle school you'll want to look at the elementary school and high school categories for apps that your students could probably use too.
[Slideshow on the website and on

It's a poorly designed course that allows undetectable cheating...
"As online courses become mainstream, some students are finding they are often easy to game. A group of clever students at one public university describe how they used a Google Doc during on open-book test for a new kind of 'cloud cheating.'"
Instead of "cloud" all the time, can't we switch it up with "on the internet"?
[From the article:
Mr. Smith figured out that the actual number of possible questions in the test bank was pretty small. If he and his friends got together to take the test jointly, they could paste the questions they saw into the shared Google Doc, along with the right or wrong answers. The schemers would go through the test quickly, one at a time, logging their work as they went. The first student often did poorly, since he had never seen the material before, though he would search an online version of the textbook on Google Books for relevant keywords to make informed guesses. The next student did significantly better, thanks to the cheat sheet, and subsequent test-takers upped their scores even further. They took turns going first. Students in the course were allowed to take each test twice, with the two results averaged into a final score.
"So the grades are bouncing back and forth, but we're all guaranteed an A in the end," Mr. Smith told me. "We're playing the system, and we're playing the system pretty well."

I'll add this to my “Would you like to pass?” toolkit.
Soshiku is a free personal planner designed for high school and college students. Soshiku lets students organize their assignments by course, add assignments, and receive text message and or email reminders before each assignment is due. Students can add assignments to their calendars directly on the Soshiku website or via text message. Registering and getting started with Soshiku is quick and the user interface is very intuitive and easy to learn. Soshiku has been optimized to run on iPads and Android tablets too.
Applications for Education
Soshiku is a good service for students to manage their assignment due dates. The options for assignment reminders can be received via email or text days or weeks before each assignment is due.

This looks very interesting... (You don't need a phone)
The popular visual bookmarking and homepage service Symbaloo now offers a free Android app and a free iPhone/ iPad app. Symbaloo allows you to bookmark your favorite websites and arrange them into tile boards that you can share or keep private. Symbaloo calls the tile boards webmixes. You can create multiple webmixes arranged according to topics of your choosing. Now those webmixes can be created, accessed, and remixed on your favorite tablet or phone.
Here's an overview of Symbaloo.
Here's an overview of Symbaloo for Android.
Here's an overview of Symbaloo for iPhone.
Applications for Education
Symbaloo does offer an education version, but the education version is not free except for individual use which doesn't make it different than signing up for a regular Symbaloo account. Symbaloo can be good for organizing a set of resources to share with your students or colleagues. You could also have students create their own Symbaloo accounts and create webmixes around topics that they are researching.

No comments: