Thursday, July 12, 2012

Your email and anything else you use that password on?
"Some 450,000 email addresses and associated unencrypted passwords have been dumped online by the hacking collective "D33Ds Company" following the compromise of a Yahoo subdomain. The attackers said that they managed to access the subdomain by leveraging a union-based SQL injection attack, which made the site return more information than it should have. According to Ars Technica, the dump also includes over 2,700 database table or column names and 298 MySQL variables retrieved during the attack."
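To show what "union-based" means in practice, here is an added example (mine, not anything from the Yahoo site or the attackers' dump) using Python's built-in sqlite3. The public page queries an "articles" table by concatenating the caller's id into SQL; a UNION payload with the right number of columns makes the same query also return rows from a private "users" table. The tables, rows, and column names are constructed for the demo.

```python
import sqlite3


def build_db():
    """Constructed sample schema: one public table, one table that should never leave the server."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles(id INTEGER, title TEXT, body TEXT);
        CREATE TABLE users(id INTEGER, email TEXT, password TEXT);
        INSERT INTO articles VALUES (1, 'Welcome', 'Hello world');
        INSERT INTO articles VALUES (2, 'News', 'Second post');
        INSERT INTO users VALUES (1, 'alice@example.com', 'hunter2');
        INSERT INTO users VALUES (2, 'bob@example.com', 'letmein');
    """)
    return conn


def lookup_vulnerable(conn, article_id):
    """String concatenation: whatever the caller sends becomes part of the SQL text."""
    sql = "SELECT title, body FROM articles WHERE id = " + str(article_id)
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, article_id):
    """Bound parameter: the input is delivered to the engine as a value, never parsed as SQL."""
    sql = "SELECT title, body FROM articles WHERE id = ?"
    return conn.execute(sql, (article_id,)).fetchall()


def probe_column_count(conn, max_cols=10):
    """Attacker's first step: ORDER BY k fails once k exceeds the column count,
    which tells them how many columns a UNION SELECT must supply."""
    for k in range(1, max_cols + 1):
        try:
            lookup_vulnerable(conn, f"1 ORDER BY {k}")
        except sqlite3.OperationalError:
            return k - 1
    return None


# Leading 0 matches no real article, so only the UNIONed rows come back;
# two selected columns match the two columns of the original SELECT.
PAYLOAD = "0 UNION SELECT email, password FROM users"


def demo():
    conn = build_db()
    return {
        "columns": probe_column_count(conn),
        "leaked": sorted(lookup_vulnerable(conn, PAYLOAD)),
        "fixed": lookup_fixed(conn, PAYLOAD),   # [] : the payload is compared as a literal id
        "normal": lookup_fixed(conn, 1),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The fixed version does not sanitize the input at all; it simply never lets the input become SQL. That is the whole fix, and it is also why the table and column names in the Yahoo dump matter: once UNION works, the schema metadata tables are just another thing to SELECT from.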

Small breach but full password reset (all 28,000,000 users)
Formspring resets 28m passwords after development server hacked and passwords leaked
July 11, 2012 by admin
Kahla Preston reports:
Users of Formspring, a social question and answer website popular among young teenagers, today learned their passwords were disabled by site administrators following a security breach.
Read more on The Age.
In a message on their blog yesterday, Formspring writes:
Urgent: Change Your Formspring Password
We learned this morning that we had a security breach where some user passwords may have been accessed. In response to this, we have disabled all users passwords. We apologize for the inconvenience but prefer to play it safe and have asked all members to reset their passwords. Users will be prompted to change their passwords when they log back into Formspring. This is a good time to create a strong password.
Five hours ago, there was an update:
We wanted to give an update that the security breach was resolved today and provide background on what happened.
We were notified that approximately 420k password hashes were posted to a security forum, with suspicion from a user that they could be Formspring passwords. The post did not contain usernames or any other identifying information.
Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach. We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database.
We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security. We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again.
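The hashing change Formspring describes is worth seeing in numbers. The added example below is mine, not Formspring's code. It stands in for bcrypt with hashlib.pbkdf2_hmac, which ships with Python and has the same property that matters here: a tunable work factor. A random per-user salt (what they had) defeats precomputed tables but does nothing against a fast brute-force pass over a leaked hash list; a slow KDF cuts the attacker's guess rate by orders of magnitude. The login_and_upgrade function shows the usual migration path, re-hashing each password under the new scheme the next time its owner logs in. Storage format, iteration count, and sample passwords are my assumptions.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERS = 100_000  # assumed work factor; tune to your hardware budget


def hash_sha256_salted(password, salt=None):
    """The 'before' scheme: one fast SHA-256 over salt||password."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).digest()
    return "sha256$" + salt.hex() + "$" + digest.hex()


def hash_pbkdf2(password, salt=None, iterations=PBKDF2_ITERS):
    """The 'after' scheme: a deliberately slow KDF (stdlib stand-in for bcrypt)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password, stored):
    """Recompute under whichever scheme the stored string names; compare in constant time."""
    parts = stored.split("$")
    if parts[0] == "sha256":
        salt, expected = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
        actual = hashlib.sha256(salt + password.encode()).digest()
    elif parts[0] == "pbkdf2_sha256":
        iterations = int(parts[1])
        salt, expected = bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    else:
        raise ValueError("unknown hash scheme: " + parts[0])
    return hmac.compare_digest(actual, expected)


def needs_upgrade(stored):
    return not stored.startswith("pbkdf2_sha256$")


def login_and_upgrade(password, stored):
    """Verify against the stored hash; on success, re-hash legacy entries under the new scheme.
    Returns (login_ok, hash_to_store)."""
    if not verify(password, stored):
        return False, stored
    if needs_upgrade(stored):
        stored = hash_pbkdf2(password)
    return True, stored


def guesses_per_second(hash_fn, seconds=0.2):
    """Rough attacker throughput for one scheme: how many candidates can be hashed per second."""
    salt = b"\x00" * 16
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("candidate%d" % n, salt)
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    legacy = hash_sha256_salted("correct horse")
    ok, migrated = login_and_upgrade("correct horse", legacy)
    print("login ok:", ok, "| migrated:", migrated.split("$")[0])
    print("SHA-256 guesses/s: %.0f" % guesses_per_second(hash_sha256_salted))
    print("PBKDF2 guesses/s:  %.0f" % guesses_per_second(hash_pbkdf2))
```

Two things the numbers make obvious: the work factor, not the salt, is what buys time after a leak, and the migration only covers users who log in, so a forced reset like Formspring's is the only way to retire every legacy hash at once.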

Will this all go away under the new Health Care rules?
By Dissent, July 11, 2012
Kelly Jackson Higgins writes:
If you are victimized by medical identity theft, chances are you will foot the bill for the fraudulent charges, a new survey finds.
The Ponemon Institute’s Third Annual National Study on Medical Identity Theft, which was commissioned by Experian, found that 45 percent of medical ID theft victims end up paying their healthcare provider or insurer for charges incurred by the thieves because victims don’t typically have any other recourse. Even worse, half of the victims say they know the person who victimized them, and 31 percent say they allow family members to use their IDs to get medical services.
Read more on Dark Reading.

Because a spur of the moment government plan is always better than a plan developed by the folks who designed, built and use the system...
Obama signs order outlining emergency Internet control
A new executive order addresses how the country deals with the Internet during natural disasters and security emergencies, but it also puts a lot of power in the government's hands.
… With the wordy title "Assignment of National Security and Emergency Preparedness Communications Functions," this order was designed to empower certain governmental agencies with control over telecommunications and the Web during natural disasters and security emergencies.

In an effort to improve our security, we're going to make your security fail.
"Starting next month, updated Windows operating systems will reject encryption keys smaller than 1024 bits, which could cause problems for customer applications accessing Web sites and email platforms that use the keys. The cryptographic policy change is part of Microsoft's response to security weaknesses that came to light after Windows Update became an unwitting party to Flame Malware attacks, and affects Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems."

I want one! So will the paparazzi, so they can tell their readers what their favorite star-du-jour had for breakfast...
Hidden Government Scanners Will Instantly Know Everything About You From 164 Feet Away
July 12, 2012 by Dissent
Here’s another development we’ll likely be hearing more about. From Gizmodo:
Within the next year or two, the U.S. Department of Homeland Security will instantly know everything about your body, clothes, and luggage with a new laser-based molecular scanner fired from 164 feet (50 meters) away. From traces of drugs or gun powder on your clothes to what you had for breakfast to the adrenaline level in your body—agents will be able to get any information they want without even touching you.
And without you knowing it.
The technology is so incredibly effective that, in November 2011, its inventors were subcontracted by In-Q-Tel to work with the US Department of Homeland Security.
Read more on Gizmodo.
[From the article:
The machine is ten million times faster—and one million times more sensitive—than any currently available system. That means that it can be used systematically on everyone passing through airport security, not just suspect or randomly sampled people.
… But the machine can sniff out a lot more than just explosives, chemicals and bioweapons. The company that invented it, Genia Photonics, says that its laser scanner technology is able to "penetrate clothing and many other organic materials and offers spectroscopic information, especially for materials that impact safety such as explosives and pharmacological substances." [PDF]

(Related) Maybe they have stalled while waiting for the better scanner (above)
"About a year ago, the District of Columbia Circuit Court of Appeals ruled on EPIC v. DHS, a lawsuit that sought to end TSA's use of body scanners. The Court found that DHS violated federal law by not seeking public comment before using body scanners as a primary search method. They ordered TSA to take public comment on its body scanning policy but did not require TSA to suspend its use of the scanners during the comment period. Several months later nothing had been done yet. One year later TSA has still done nothing, and even EPIC, the original plaintiff, seems to have given up. Others have apparently picked up the torch, however. Jim Harper, director of information policy studies at the libertarian think tank the Cato Institute, has posted a piece on Ars Technica about TSA's violation of the court order. He also started a petition on asking TSA to comply with the order. An earlier petition ended with a non-response from TSA Administrator John Pistole. Will the latest petition fare any better, even in an election year?"

One time when a cloudy future is good?
July 11, 2012
Department of Defense Cloud Computing Strategy
  • "The DoD Enterprise Cloud Environment is a key component to enable the Department to achieve JIE [Joint Information Environment] goals. The DoD Cloud Computing Strategy introduces an approach to move the Department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state which is an agile, secure, and cost effective service environment that can rapidly respond to changing mission needs. The DoD Chief Information Officer (CIO) is committed to accelerating the adoption of cloud computing within the Department and to providing a secure, resilient Enterprise Cloud Environment through an alignment with Department‐wide IT efficiency initiatives, federal data center consolidation and cloud computing efforts. Detailed cloud computing implementation planning has been ongoing and informs the JIE projected plan of actions and milestones in Capabilities Engineering, Operation and Governance efforts."
  • "DoD Cloud Computing Goal - Implement cloud computing as the means to deliver the most innovative, efficient, and secure information and IT services in support of the Department’s mission, anywhere, anytime, on any authorized device."

Could this be more confusing to us non-lawyers?
Megaupload and the twilight of copyright
Kim Dotcom's business facilitated more online piracy than the mind can conceive. Yet it might have been legal. How did we get here? Is there any way out?
… The lead attorney for Kim Dotcom and Megaupload, Ira Rothken of San Francisco, says that Megaupload was a "cloud storage" business whose technology was "nearly identical" to that used by such legitimate businesses as Dropbox, Microsoft (MSFT) SkyDrive, and Google Drive. "Megaupload appears to be the perfect example of something protected under the Sony doctrine," Rothken says, referring to the landmark 1984 U.S. Supreme Court case Sony Corp. of America v. Universal City Studios. In that case, the court found that Sony, in selling its Betamax videotape recorders, could not be held liable for the fact that some customers might use them to infringe copyrights.

(Related) Sounds interesting.
July 11, 2012
Commentary - Reforming Copyright Is Possible
  • "The failure of the Google Book settlement, however, has not killed the dream of a comprehensive digital library accessible to the public. Indeed, it has inspired an alternative that would avoid the risks of monopoly control. A coalition of nonprofit libraries, archives, and universities has formed to create a Digital Public Library of America, which is scheduled to launch its services in April 2013. The San Francisco Public Library recently sponsored a second major planning session for the DPLA, which drew 400 participants. Major foundations, as well as private donors, are providing financial support. The DPLA aims to be a portal through which the public can access vast stores of knowledge online. Free, forever."

Might be an interesting way for my students to share information...
Wednesday, July 11, 2012
Posterous Spaces was bought by Twitter earlier this year, but it appears to still be going strong and hasn't changed at all since it was acquired by Twitter. One of the things about Posterous that I have always liked is the ease with which you can create a group blog.
In Posterous Spaces you can allow people to make contributions to your blog by simply sending an email to "yourblog'sname" @ For example, if I created the blog "" I could allow others to contribute to the blog by simply sending an email to "" You can choose to moderate or not moderate those contributions. From an administrative standpoint, using the email method of contributing to a group blog is much easier than having to enter permissions for each person you want contributing to your group blog.
Accepting email contributions to your Posterous Spaces blog means that you don't have to spend time walking students through creating log-in credentials for another service. Simply have students send an email to "yourblog'sname" and their posts can appear on the blog.
