Saturday, June 02, 2012
Interesting how security breaches seem to grow beyond the initial size reported...
U. Nebraska breach also affected state colleges
June 1, 2012 by admin
Oh ho… so it wasn’t just U. of Nebraska affected by the hack reported May 23. The Lincoln Journal Star reports:
Nebraska State College System officials have been notified that their records were included in a security breach reported last week by the University of Nebraska in late May.
The State College System and NU began using a shared student information system known as NeSIS in 2009.
Investigation into the May 23 breach initially indicated it affected only the NU system, but State College Chancellor Stan Carpenter said he was notified Wednesday it also included data for the Chadron State, Peru State and Wayne State colleges.
Read more on Lincoln Journal Star.
“We noticed that your answer did not actually contain an answer...”
Congress critical of TRICARE’s response; requests detailed answers while criticizing TRICARE and SAIC
By Dissent, June 1, 2012
At least some members of Congress are not happy with the response to a letter they sent TRICARE following the theft of backup tapes from the unattended vehicle of an employee of their contractor, SAIC. The tapes contained information on approximately 5 million military beneficiaries and their dependents.
Although TRICARE’s response was not disclosed publicly, Rep. Ed Markey and colleagues from the bipartisan privacy caucus quoted portions of the response in a follow-up letter they sent to TRICARE on May 7.
Citing SAIC’s “history of serious security failures,” the members note that “it is disturbing that TRICARE engaged this contractor for such sensitive work.” They also note that it was not clear from TRICARE’s response whether TRICARE actually spot-checked SAIC or verified that it was implementing its Business Associate Agreement.
The members also criticized TRICARE for failure to deploy encryption even after this latest breach and for continuing to use unsafe methods of physically transmitting data instead of switching to secure virtual private networks. Although VPN is reportedly under consideration by TRICARE, no decision has as yet been made.
The congressmen called on TRICARE to provide more details about their security measures and to deploy encryption and better security measures to protect data. They also point out that at least some people have been paying for medical identity protection out of pocket because TRICARE and SAIC refused to provide such coverage.
Related: 5-7-12 Response to TRICARE (pdf)
What are the ethics of CyberWar?
"U.S. officials have acknowledged playing a role in the development and deployment of Stuxnet, Duqu and other cyberweapons against Iran. The acknowledgement makes cyberattacks more legitimate as a tool of not-quite-lethal international diplomacy. It also legitimizes them as more-combative tools for political conflict over social issues, in the same way Tasers gave police less-than-lethal alternatives to shooting suspects [There is an assertion that needs to be challenged. Bob] and gave those who abuse their power something other than a club to hit a suspect with. Political parties and single-issue political organizations already use 'opposition research' to name-and-shame their opponents with real or exaggerated revelations from a checkered past, gerrymander districts to ensure their candidates a victory and vote-suppression or get-out-the-vote efforts to skew vote tallies. Imagine what they'll do with custom malware, the ability to DDOS an opponent's web site or redirect donations from an opponent's site to their own. Cyberweapons may give nations a way to attack enemies without killing anyone. They'll definitely give domestic political groups a whole new world of dirty tricks to play."
(Related) CyberWar uses undetectable weapons?
Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet
A couple of days ago, I received an e-mail from Iran. It was sent by an analyst from the Iranian Computer Emergency Response Team, and it was informing me about a piece of malware their team had found infecting a variety of Iranian computers. This turned out to be Flame: the malware that has now been front-page news worldwide.
When we went digging through our archive for related samples of malware, we were surprised to find that we already had samples of Flame, dating back to 2010 and 2011, that we were unaware we possessed. They had come through automated reporting mechanisms, but had never been flagged by the system as something we should examine closely. Researchers at other antivirus firms have found evidence that they received samples of the malware even earlier than this, indicating that the malware was older than 2010.
What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.
… The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets.
… This story does not end with Flame. It’s highly likely there are other similar attacks already underway that we haven’t detected yet. Put simply, attacks like these work.
(Related) How vulnerable is our infrastructure?
Study: Yesterday’s Facebook Outage Also Slowed Down Major Media And Retail Sites
It’s a testament to how important Facebook has become in the web ecosystem that the social network’s performance issues yesterday didn’t just affect the site itself (and its 900 million users) but also a wide variety of other sites as well. Performance monitoring company Compuware APM, which analyses the performance of thousands of top sites, just sent us some interesting data about how Facebook’s problems yesterday correlated with significant slowdowns across major U.S. media and retail sites.
As our friends over at GigaOm pointed out today, “Facebook’s faltering didn’t lead to any noticeable traffic dip.” According to Compuware’s data, however, it did affect sites in other ways because of how tightly many media and retail sites integrate with services like Facebook’s “like” button, which was also affected by yesterday’s outage.
“Laws are the opiate of the people.”
Court Wary of Overturning Warrantless Spy Case Victory, But Might Have To
David Kravets reports:
A federal appeals court appeared troubled Friday by the Obama administration’s arguments that the government could break domestic spying laws without fear of being sued — and that the government’s argument might be correct, due to an oversight by Congress.
A two-judge panel of the 9th U.S. Circuit Court of Appeals heard an hour of oral arguments here by the government and a lawyer for two attorneys whom a federal judge concluded had been wiretapped illegally without warrants by the government.
Read more on Threat Level
[From the article:
Justice Department attorney Douglas Letter told Judge Michael Daly Hawkins and M. Margaret McKeown, both President Bill Clinton appointees, that they should dismiss the case outright because the government is immune from being sued for breaching the Foreign Intelligence Surveillance Act under a concept known as sovereign immunity.
“We think the simplest way here is the sovereign immunity argument,” Letter told the panel. He added that the aggrieved lawyers could sue individual government officials. But under that scenario, the government would declare the issue a state secret and effectively foreclose litigation.
“I’m trying to understand the government’s overall position,” Hawkins said. “The government’s position is you can’t sue the government, you can sue anybody else, but who those people are might be a state secret.”
“Correct, your honor,” Letter said moments later.
Can there be anonymous libel?
Idaho judge considers anonymous comments lawsuit
Nicholas K. Geranios of Associated Press reports:
A lawyer for The Spokesman-Review newspaper’s website argued today that people should be allowed to post anonymous comments on its blogs without fear of being identified and then sued.
But a Republican political leader in North Idaho, who is seeking the identities of three individuals who commented anonymously about her, argued that she was libeled by a comment and has the right to sue for damages.
Read more on The Spokesman-Review.
[From the article:
In late April, Jacobson filed a lawsuit against “John and/or Jane Doe” after an anonymous reader posted a comment on Huckleberries Online questioning whether $10,000 allegedly missing from the Kootenai County Central Committee might be “stuffed inside Tina’s blouse.” [Sounds like humor to me Bob] Two other anonymous readers posted follow-up comments.
“You can’t call someone a thief and expect to get away with it,” Andersen said in court Friday.
[Is it libel? She admits to being a Politician. Bob]
The opposite of anonymous?
“Juror One” revisited: Court holds that SCA does not apply
You may not remember his name, but regular readers of this blog will likely remember the case of “Juror Number One,” a juror who made some comments on Facebook during a criminal trial. Not surprisingly, the judge investigated the juror misconduct – or tried to – but hit a snag when it came to actually seeing the Facebook comments. And that’s when things got interesting because the judge ordered the juror to consent to Facebook turning over his material. Juror One objected that it violated his rights under the Stored Communications Act (SCA), the Fourth and Fifth Amendments to the Constitution, and his state and federal privacy rights.
I blogged about my concerns as the case wound its way through the California courts.
Yesterday, Venkat Balasubramani alerted me to a ruling by the California Court of Appeal in Sacramento.
Of note, the court held that the SCA did not apply to this situation because Juror One didn’t offer any rationale to support that claim:
Juror Number One has provided this court with nothing, either by way of the petition or the supporting documentation, as to the general nature or specific operations of Facebook. Without such facts, we are unable to determine whether or to what extent the SCA is applicable to the information at issue in this case. For example, we have no information as to the terms of any agreement between Facebook and Juror Number One that might provide for a waiver of privacy rights in exchange for free social networking services. Nor do we have any information about how widely Juror Number One’s posts are available to the public.
As significantly, they note that even if the SCA did apply to Facebook postings that were only available to a select group of individuals, it would not apply in this case because it was not Facebook being ordered to provide the material. The compulsion was on Juror One to consent, thereby waiving any rights under the SCA:
… the question here is not whether respondent court can compel Facebook to disclose the contents of Juror Number One’s wall postings but whether the court can compel Juror Number One to do so. If the court can compel Juror Number One to produce the information, it can likewise compel Juror Number One to consent to the disclosure by Facebook. The SCA has no bearing on this issue.
Sadly, a lot of the most interesting questions were never addressed because Juror One provided no argument or support for his claims, allowing the court to just dismiss them without consideration.
As @bmaz had suggested to me in our conversation on Twitter, the court noted that any privacy rights must fall to the Sixth Amendment rights of the defendants in the criminal trial. Having already demonstrated that juror misconduct definitely occurred, the court had a right – and duty – to determine if the Facebook posts indicated any bias or prejudice on Juror One’s part. While Juror One might think that simply denying any bias should satisfy the court, the judge had a right to compel production of the material to determine if there was indication of bias or prejudice.
Of interest to me was the concurring opinion by Judge Mauro, who expressed the concerns I had raised about compelled “consent:”
In essence, the trial court’s order is an effort to compel indirectly (through Juror Number One) what the trial court might not be able to compel directly from Facebook. This is arguably inconsistent with the spirit and intent of the protections in the SCA. Compelled consent is not consent at all. (See, e.g., Schneckloth v. Bustamonte (1973) 412 U.S. 218, 228, 233 [36 L.Ed.2d 854, 863, 866] [coerced consent is merely a pretext for unjustified intrusion].)
The lead opinion explains that “[i]f the court can compel Juror Number One to produce the information, it can likewise compel Juror Number One to consent to the disclosure by Facebook.” (Maj. opn. at p. 14.) This may ultimately be true, but here the trial court bypassed a determination as to whether it could compel Juror Number One to produce the documents.
The take-home message seems to be that while courts cannot engage in fishing expeditions, if there’s evidence of juror misconduct, they may be able to compel the juror to provide the material, or in the alternative, to compel the juror to consent to the service provider turning over the material.
Update: Orin Kerr has also blogged about this case on The Volokh Conspiracy. We seem to have picked up on the same main points and issues, but Orin goes further:
My sense, then, is that the trial court’s order is quite inappropriate. In effect, the court is trying to trick Facebook into inadvertently violating the SCA by making Facebook think that there is consent that allows Facebook to disclose the updates lawfully. If Facebook’s lawyers catch on, they will realize that this consent is invalid and should refuse to disclose the status updates to the court. But depending on how this is presented to Facebook, the folks at Facebook may not realize that the consent is invalid. Under the good-faith exception to civil liability, Facebook would probably escape civil liability in that situation. But the trial court should not be putting Facebook in this position anyway: Assuming that executing a scheme to have a party unknowingly violate the SCA violates the statute, then this would seem to violate the SCA. And even if executing such a scheme does not technically violate the statute directly, surely it is inappropriate for a judge to do such a thing.
What other options does the court have? The most obvious possibility is that the court should allow the losing party to subpoena the juror for all of the status updates during the relevant period that are relevant to the trial. The solution isn’t perfect. The juror might not comply with the subpoena, for example. But the Stored Communications Act limits compelled access to contents of communications directly from providers, and there does not appear to be an exception that applies here.
Apparently this is going to stir some controversy.
Microsoft’s “Do Not Track” Move Angers Advertising Industry
Microsoft Corp. said it would enable “do not track” by default in the latest version of its Web browser, Internet Explorer 10, a move that angered the online advertising industry.
In a blog post, Microsoft Chief Privacy Officer Brendan Lynch wrote that the company made the decision because users should “make a conscious choice to share information in order to receive more personalized ad content.”
But the Digital Advertising Alliance, a coalition that counts Microsoft as a member, said that the decision ran counter to the industry’s agreement with the White House announced earlier this year to honor “do not track” as long as it is not a default setting.
(Related) A reaction to change?
How ‘Do Not Track’ May Cost You Money
Andy Serwin writes:
Giving consumers choices regarding seeing advertisements on websites, while recognizing existing business models, has been a focus for many stakeholders in the privacy debate. Many groups and companies have worked to create a ‘Do Not Track’ feature that would give consumers the choice of not seeing advertisements, but in the newest version of its Internet browser, Internet Explorer 10, Microsoft has reversed that trend by changing a default setting and turning on its ‘Do Not Track’ tool. The browser’s default setting, set without consumer input, will now preclude consumers from seeing advertisements [Not true Bob] on the websites they visit for free. This undermines long-term prospects of the ‘Do Not Track’ system which was designed to allow successful Internet business models to continue.
Read more on The Lares Institute.
Do Twits own their Tweets? (and their Facebook pages and their emails and and and )
Battle over Twitter subpoena heats up
Electronic privacy advocates on Thursday weighed in on a high-stakes legal fight over online communications, arguing that a subpoena seeking an Occupy Wall Street protester’s tweets violates his rights to free speech and privacy.
The filing from the American Civil Liberties Union, the Electronic Frontier Foundation and Public Citizen, Inc supports Twitter’s position that the individual, Occupy protestor Malcolm Harris and not Twitter itself, is the owner of the tweets and thus the proper target for any subpoena.
Manhattan Criminal Court Justice Matthew Sciarrino Jr. had earlier ruled that Harris did not have the standing to challenge the subpoena, which seeks personal information and all of Harris’ tweets from 15 September through 31 December 2011.
Read more on News24.
Perspective
Just as I thought, there are more Twits every day...
A report coming from the Pew Internet and American Life Project shows that right around 15 percent of online adults use Twitter as of February 2012, with just about 8 percent of them using Twitter in November of 2010. Where the usage explosion really hits is in the number of people who said they used Twitter daily, with 8% of adults saying they do here in 2012 and 4% of them saying they did in May of 2011.
[The survey is here:
My handouts keep getting bigger – this might be a solution...
Booktype is open-source software that allows people to write, publish and print e-books within minutes.
… An easy drag-and-drop interface makes it plain and simple to make an e-book, while tools such as collaborative proofreaders, editors and contributors make it possible for organizations to hook up with other people and write an e-book in a teamwork environment.
The digital book can then be exported to popular e-book stores such as Amazon, iBooks, Lulu.com, etc. The e-books are also format-compatible with many e-book readers such as iPad, Kindle, Nook, and more. To make sure it’s suitable for you, you can try the online demo and see how Booktype works.
To make use of this amazing software, just download the code and follow the instructions given on the website to download the software on to your computer. To install the software, a person is required to have a web server and knowledge of how to install software for the web.
Could be fun for the Intro to Programming students...
Google Blockly Lets Kids Hack With No Keyboard
Google has released a completely visual programming language that lets you build software without typing a single character.
Now available on Google Code — the company’s site for hosting open source software — the new language is called Google Blockly, and it’s reminiscent of Scratch, a platform developed at MIT that seeks to turn even young children into programmers.
Like Scratch, Blockly lets you build applications by piecing together small graphical objects in much the same way you’d piece together Legos. Each visual object is also a code object — a variable or a counter or an “if-then” statement or the like — and as you piece them together, you create simple functions. And as you piece the functions together, you create entire applications — say, a game where you guide a tiny figurine through a maze.
Something to share with my students and fellow teachers...
Starter Kit: How to Outfit Your iPad Like an Ivy League Scholar
According to Princeton University's library, here are the apps that the library has loaded onto its iPads. Think of it like a starter kit if you're buying a new iPad and you want to have it outfitted like an Ivy League researcher.
(Related) A different version of the list...
Web Tools to Enhance Learning
Well, I think it's interesting...
Techcrunch reports that Echo360 has raised $31 million in funding – “As the old school gives way to the new, technology has begun to play an increasingly active role in the learning process” is the story lede. Well, active up to a point, I guess, since Echo360 is a lecture-capture technology. But hey, throw the “flipped classroom” into your slide-deck and investors clearly eat that up.
InstaEDU has raised $1.1 million in seed funding, according to Techcrunch, for on-demand video tutoring.
Udacity has listed five new classes that’ll begin this summer, all of which greatly expand the breadth of the startup’s offerings. These include physics, discrete math and statistics. It’s also made the official announcement of its partnership with Pearson testing centers where people will be able to take an optional final exam in order to be put into the Udacity job recruitment pipeline.