Saturday, January 07, 2012

As knight follows day? (or as shark follows blood?)
By Dissent, January 6, 2012
Bob Brewin reports:
TRICARE contractor Science Applications International Corp. was hit with a second class action lawsuit filed in a California state court seeking unspecified monetary damages related to the theft of computer tapes containing the records of 4.9 million health care beneficiaries.
The latest suit seeks certification as a class action for all TRICARE beneficiaries in California whose personal identity and health care information were compromised by the theft of the tapes, which occurred in September 2011 in San Antonio. The suit was filed in December on behalf of retired Marine Col. Mark Losack in the Superior Court of California in San Diego by the law firms of Robbins Umeda LLP and Blood Hurst, & O’Reardon LLP.
Read more on NextGov.

News of my favorite agency... “We've been denying that radiation levels are high enough for concern, perhaps we should actually measure radiation levels?”
"TSA recently announced that it is looking for vendors of 'radiation measurement devices'. According to the agency's Request for Information, these devices 'will assist the TSA in determining if the Transportation Security Officers (TSO) at selected federalized airports are exposed to ionizing radiation above minimum detectable levels, and whether any measured radiation doses approach or exceed the threshold where personnel dosimetry monitoring is required by DHS/TSA policy.' A TSA spokesman claims that their RFI 'did not reflect any heightened concern by the agency about radiation levels that might be excessive or pose a risk to either TSA screeners or members of the traveling public.' Concern outside the agency, however, has always been high. TSA has long been criticized for its apparent lack of understanding of radiological safety, even for its own employees. There has been speculation of a cancer cluster, possibly caused by poor safety practices in baggage screening."

(Related) Think of this as justifying a bigger bureaucracy. Never think of it as assisting terrorist planning...
"I live in Boston, and I have noticed the TSA performs random security checks at the Copley T (subway station) and other locations. I routinely travel with a laptop, iPhone, and other gadgetry. What are my rights when asked by one of the TSA agents to 'come over here'? Can I say no and proceed with my private business? What if a police officer says that I 'must go over there and cooperate'? Can I decline or ask for a warrant? Like the majority of the population, I turn into an absolute shrinking violet when pressured by intimidating authority, but I struggle with what I see to be blatant social devolution. Has anybody out there actually responded rationally, without complying? What were your experiences?"
[From the comments:
The best part of your linked article:
"There are notices posted at the entrance to the station that the inspection is in progress."
Terrorist in Boston: "Well, I guess we should bring our bombs to Downtown Crossing instead of Park St!"
I mean, the way they're doing this, they're absolutely guaranteeing they won't actually catch a reasonably non-stupid terrorist.

Apparently, the surveillance cameras are normally not monitored in real time. A $1.5 million loss must be cheaper than real time monitoring.
Romanian Man Charged in $1.5 Million ATM Skimming Scam
… Between May 2010 and this week Laurentiu Iulian Bulat and others allegedly installed card-skimming devices that stole card numbers and PINs on HSBC ATMs in Manhattan, Long Island and Westchester.
The devices recorded information embedded in the magnetic stripe of bank cards as customers inserted them into the ATMs. Pin-hole cameras the hackers installed in the ATMs recorded the PINs as customers typed them on the keypad. The thieves would return to the ATMs within a day or two to collect the stored data and subsequently embed it on blank cards. Then using the videotaped PINs, they withdrew about $1.5 million from customer accounts over about seven months, authorities say.
According to an affidavit filed by U.S. Secret Service Agent Eric Friedman (.pdf), Bulat was caught on bank surveillance cameras on Thursday morning – and on prior occasions – installing the skimmers and pin-hole cameras and made no attempt to hide his face.

Another year end list...
Privacy Litigation — 2011 Year in Review
January 6, 2012 by Dissent
Craig Hoffman writes:
There were no bombshells or truly groundbreaking decisions in 2011. Courts continued to dismiss claims filed in the wake of data breaches based on findings that the plaintiffs had failed to identify any cognizable harm sufficient to achieve Article III standing or to demonstrate actual damages. A few decisions, however, show an evolution in the theories of harm alleged by plaintiffs that are getting plaintiffs closer to advancing past the initial pleading stage. Plaintiffs also continued to rely on statutory claims to obtain standing and recover statutory damages, both in cases involving data breaches and social media.
Read more on Baker Hostetler Data Privacy Monitor. In addition to recapping 2011 cases, Craig identifies a few cases to watch in 2012.

The wife is following this. Since the doberman turned out to be too much of a wimp to like the attack portion of Schutzhund training (a role taken over by the border collie), he has been shifted to tracking (AKA finding food dropped by the trainer).
Supreme Court will hear dog drug-sniffing case
January 6, 2012 by Dissent
The Supreme Court granted certiorari in Florida v. Jardines, a case that presented two questions:
1. Whether a dog sniff at the front door of a suspected grow house by a trained narcotics detection dog is a Fourth Amendment search requiring probable cause?
2. Whether the officers’ conduct during the investigation of the grow house, including remaining outside the house awaiting a search warrant is, itself, a Fourth Amendment search?
Certiorari was granted only for the first question.
Background materials on the case can be found on SCOTUSblog. Lyle Dennison provides a helpful summary of the issues:
The Supreme Court on Friday agreed to clarify when police may use a drug-sniffing dog at the front door of a house, when police believe the house is being used in drug trafficking.
… In the drug detection case, Florida v. Jardines (docket 11-564), the Court agreed to decide one of the two questions raised. The constitutional issue at stake is whether police must have probable cause — a belief that evidence of a crime will be found — before they may use a dog sniff at the front door of a suspected “grow house,” or a site where marijuana is being grown. The case grows out of a Miami police officer’s use of a drug-detecting dog, “Franky,” in December 2006 to follow up on a “crime stoppers” tip that the house was being used to grow marijuana plants. The Florida Supreme Court ruled that police needed to have probable cause belief in wrongdoing before they could use the dog at the home, on the premise that the drug sniff was a “search” under the Fourth Amendment.
The state of Florida told the Supreme Court that the state ruling conflicts with Supreme Court precedent that a dog sniff is a search (sic) under the Fourth Amendment. “This Court,” the state said, “has explained that a dog sniff is not a search because the sole knowledge that the dog obtains by sniffing is the presence of contraband, which a person does not have a reasonable expectation of privacy in possessing in the first place.” The petition cited the Court’s 2005 decision in Illinois v. Caballes, and argued that the Florida courts “are now alone in refusing to follow” that ruling.
In granting review of the probable cause issue, the Court opted not to hear a second question, testing whether police had engaged in a search simply by remaining outside the house while awaiting a search warrant. As is customary, the Court on Friday did not explain the refusal to hear that issue.
Read more on SCOTUSblog.

Another handy dandy math tool? Could be much better, but compared to my students' math skills, it's wonderful.
This new website lets you both learn and solve percentage problems. The site works in a way which means that while you're typing your numbers down, both your own sentences and related sentences will be solved simultaneously before your eyes. This is done as a way to let you understand how percentages work in a broader sense.
This online calculator is completely free to use, and an embeddable widget is also provided.

Think of this as free code examples (Python and C++ so far)
If you’d like to work on software projects that might one day send your code to Mars or on a deep space mission, NASA has some code for you to hack on. The Space Agency recently unveiled a new website,, to provide a home for NASA’s various open source software projects.
… Not all of the projects involve space, but if you’d like to try your hand at some code that tweaks images from Mars rovers or creates 3D interactive worlds, head on over to Github and grab a copy of NASA’s code.

Once upon a time, this was the role of “night school”
Website Gives Coding Lessons to Rogue Employees
Codecademy is a website that gives you programming lessons. Its Code Year program sends weekly coding exercises straight to your email inbox. … Since New Year’s Day, over 200,000 people have made similar resolutions. And according to co-founder Zach Sims, even businesses are taking notice.
Right now, Codecademy focuses on three standard web languages: JavaScript, Ruby, and Python.

Stanford University has increased the amount of courses it offers for free online and anyone can participate by enrolling in the January 2012 intake. The courses are run with all the benefits of an online university course, except you do not receive any credit for completion. [Figure a good way to give credit (or increasingly, certification) and you win the “New School Model” lottery! Bob]

Friday, January 06, 2012

Is this the latest hacking trend? Dumping data on entire countries? Interesting that VietNamese securities companies have millions of customers...
Personal information of millions of Vietnamese offered for sale
January 5, 2012 by admin
VietNam reportedly has its first case of prosecuting individuals for selling personal information:
Three men in HCM City, including Duong Hong Le, Le Minh Trung and Hua Van Tuan, are accused of illegally collecting phone numbers and personal information of millions of people who are clients at securities and real estate trading companies–to sell, earning tens of thousands of USD.
Police recently found out that these men offered for sale personal information of millions of people on the Internet.
These people said that they used to work at many securities and real estate companies so they had information about many clients. After leaving these firms, they exchanged data and offered for sale the information on the net.
Police said that this is the first time they deal with such a case. As the three people sincerely declared information and their act did not cause serious consequence, they would be fined only.
Police are investigating many websites that perform similar acts.
Source: VietNamNet.

(Update) This makes the story much more believable...
VN: 3 men identified as illegal sellers of private info
January 6, 2012 by admin
I just came across a more detailed news report on the VietNam breach I mentioned yesterday. Tuoi Tre reports:
In October 2010, [Duong Hong] Le set up the company’s official website at, but the site has focused only on offering to sell lists of information on individuals, companies and organizations.
The website… contains the names of 30,000 prepaid mobile phone subscribers of MobiFone in HCMC, 1,200 chairmen of management boards of companies, 850 members of the Entrepreneurs’ Club 2030, 780 stock investors at the Vien Dong Company, 1,100 TVSI stock investors, 700 customers of the VGB gold trading floor, 2,230 owners of real estate in the Phu My Hung New Urban Area, 800 owners of properties from Him Lam, 1,200 customers of the Saigon Pearl Project, 1,300 Mercedes owners, 750 BMW owners, 1,300 members of the FV Hospital, 10,000 customers of Nguyen Kim Shopping Center, and 500 architects at various companies in HCMC.
According to investigators, Le has 51 lists of information for sale at a price of VND500,000-600,000 per list.
Le told investigators that he had earned about VND21 million (US$1,000) from the illegal business.
He said he had halted his business operations on January 1, 2011 after Tuoi Tre published an article about his illegal trading of private information, but six months later, he continued his activities, since he found that many other websites did the same and thought that such activities would not be banned.
Le said he had bought all of the lists from a man named Le Minh Trung, owner of the website, and Hua Van Tuan, who owns the website
As of December 2011, [Le Minh] Trung had about 230 lists of customers in the fields of economics, finance, investment, and real estate. Each list contains detailed personal information such as names, telephone numbers, and workplaces of customers.
Read more on Tuoi Tre. This seems to be a fairly widespread problem in VietNam, and while the information may not be hugely sensitive, if they’re not careful, they’ll wind up with data being sold and re-sold, and re-sold… and before you know it, their databases will be as inaccurate and as annoying as ours.

This now looks like one hacker trying to become famous.
Update: Saudi hacker warns he is in possession of one million Israeli credit card numbers
January 5, 2012 by admin
Oded Yaron reports:
The Saudi hacker who managed to steal 15 thousand Israeli credit cards revealed another 11 thousand stolen numbers on Thursday, and threatened to release one million total stolen numbers.
According to a message left on the Saudi hacking group Group-XP’s message board, the hacker, who goes by the name of 0xOmar, was able to hack “much more than one can imagine.”
Update: Ynet has more details on the latest developments.
In a statement on Pastebin, the hacker reveals more details, including some of the names of businesses whose servers were hacked:
It’s 0xOmar from group-xp, greatest Saudi Arabian hacker team.
We have leaked 400,000+ Israeli people details, including credit cards, but we have seen some stuff which needs attention:
- An Israeli stupid student says it was only 14,000 cards, while only A SINGLE FILE we uploaded contains 27000 working credit cards, right now I’m sending this data from VPS server I have purchased with those cards. It was so bad media failure. Fake Jewish and Zionist lobby media started writing what a stupid student says. This made me a little unhappy. So I’ve started thinking of sending all Israeli credit cards I own which reaches 1M data. I’ll do it soon!
- Some other Jewish lobby fake media sites wrote that it was only which is hacked, who says that? Another stupid Israeli student? No, it’s wrong. I’ve hacked more than 80 Israeli servers to gather those data. Each of them are so big and high profile, just some of them is, bizmakebiz (Israeli business site), ezpay, Judaism, etc.
- Israeli online lobby was able to delete all my pages from Pastebin, Pastebay, Multiupload, Hotfile, etc. etc. This time you’ll not be able to do so. Pastebay says it’s uncensored text hosting, but it seems censoring have different meaning for Zionist lobby
Because of the above issues, I’ll send Israeli details some often, for now I have added another 11,000 credit cards which contains IsraCards and DinnerDash cards. This database contains 60,000 credit cards which also has MasterCard and Visa cards, but I’ll send them later among with a lot of others.
I’ve hacked much more than you can imagine, but I hate fake media and Zionist lobby in media and internet.
If needed maybe in next time I start sharing all data I have downloaded from Israeli military contractor companies and let the world have their all documents, I’m thinking to start doing it from an Israeli company which creates jammers and eavesdropping devices.
For now, you can download Israeli credit cards from below URLs which includes torrent, just search Credit Cards.rar.torrent in torrent sharing sites.
Saudi Arabia for ever! Saudi Arabia rules, long life King Abdullah!
assalamu alaikum wa rahmatullah
While most of the sites to which the data had been uploaded quickly deleted the files, copies of the latest upload are still available on the web.

Ubiquitous surveillance. Or maybe drones over Mile High stadium? Coverage of weddings and bar mitzvahs? Should I start a “Drone Fund?”
Livestreaming Journalists Want to Occupy the Skies With Cheap Drones
It may not sound like much: A video blogger bought a toy helicopter.
But the blogger is 25-year-old Tim Pool — an internationally known journalist who attracts tens of thousands of viewers to his live-stream broadcasts from Occupy Wall Street protests in New York, DC, LA and other cities. (His feeds and archival footage are also aired on mainstream networks such as NBC.) He and his partners hope that the toy chopper — the $300 Parrot AR Drone — will be one step toward a citizen-driven alternative to mainstream news.
… Having thoroughly figured out how to cover giant events from ground level, they are now exploring ultra-cheap alternatives to the hundreds-of-thousands-of-dollar news choppers used for aerial reporting of big events like protest marches and police clashes. In the process, the video bloggers are discovering both how far low-cost consumer technology has come and how much farther it needs to go.
Like the HD video cameras now included in the live-streamers’ cellphones, aerial surveillance drones have progressed from ultra-expensive professional gear to impulse-buy items. What was once in the Pentagon budget is now at Toys ‘R Us – in a simple form, at least.

(Related) maybe I should just get into the drone business?
Obama’s New Defense Plan: Drones, Spec Ops and Cyber War

(Local) Lots of interesting questions here. Clearly encrypting your data suggests you had an expectation of privacy, but since there was a warrant, can that force you to incriminate yourself? The Feds are looking at this as “We searched and found a safe, the stolen money is there!”
Feds Want Judge to Force Suspect to Give Up Laptop Password
January 5, 2012 by Dissent
David Kravets reports that a ruling is expected soon on a case previously mentioned on this blog:
Federal prosecutors want a judge to order a Colorado woman to provide the password to decrypt her laptop which the government seized with a search warrant.
With back-up from digital rights groups, the woman is fighting the feds, arguing that being forced to provide her password violates the 5th Amendment’s protection against self-incrimination.
Colorado U.S. District Judge Robert Blackburn is expected to rule any day on whether to force defendant Ramona Fricosu to decrypt her Toshiba Satellite M305, which authorities seized from her in 2010 with a court warrant while investigating financial fraud.
Read more on Threat Level.

Attention all you lawyers who missed out on the Y2K disaster (because it never happened): this one has real potential!
Ready Your Watch: The Leap Second Is Coming
The International Earth Rotation and Reference Systems Service (IERS) in Paris — the grand arbiters of time on our big blue marble — has declared that a leap second will be introduced on 30 June, 2012.

When Draino is outlawed only outlaws will have Draino! Fortunately, they have not heard of Dihydrous Monoxide (See: or )
IL: ‘Drano’ law an invasion of privacy
January 6, 2012 by Dissent
Have we reached the point as a society where our grandmothers have to show ID and sign a log book to buy a bottle of Drano?
Apparently, lawmakers in Springfield, including Marengo Democrat Jack Franks, thought the answer was yes.
They passed a new law that requires anyone who buys caustic and noxious substances, which include everyday items such as drain cleaners and pool chemicals, have their name, address and amount of purchase entered into a log at the store.
The law came in response to a couple of incidents where people in Chicago were disfigured for life after they were burned with acid. The enormity of such attacks is unquestionable – but the state’s method of fighting this problem is questionable.
Read more on Northwest Herald.

Fortunately, my students never read my blog...

Sometimes I wonder if I'm the only one who recognizes stupidity when it appears... I guess they could have texted drivers during rush hour...
National Phone Survey on Distracted Driving Attitudes and Behaviors

Geeky stuff
For the first time since it sprang onto the web in 2004, Nginx (pronounced “engine-ex”), the lightweight open source web server that could, has overtaken Microsoft IIS to become the second most used server on the web.

This could be very handy...
BenchPrep Is Codecademy For Any Subject, High School To Med School
Books are not the best way to learn. To retain knowledge you have to interact with it, and that’s where BenchPrep comes in. The startup licenses textbooks from big publishers like McGraw Hill and converts them into interactive web and mobile learning courses. Today, BenchPrep announces its expansion beyond college admission test prep. It will now offer courses to assist with high school, university, law, medicine, professional certifications, army, and more. It’s also releasing a new evaluation tool that determines a student’s weaknesses in a given subject. BenchPrep is the future of the ‘education anywhere’ movement. [Worth investigating? Bob]
… In about 7 days, BenchPrep can convert any textbook, say one on Calculus that sells for $50, into an interactive course it can sell for $100. That’s still much cheaper than taking a class in person. The publisher gets paid royalties on each course sale, and Rangnekar says BenchPrep plans to be cash-flow positive by June. New partnerships with more publishers will add 50 more courses to its library in the coming months.

Thursday, January 05, 2012

I wonder how you would value the damages? If a violating search results in a conviction, what was that privacy worth to the defendant? (Better, how much would the government be willing to pay?)
Originalism and Civil Damages for Fourth Amendment Violations
January 4, 2012 by Dissent
One of my favorite deep thinkers, Yogi Berra, once said, “If you don’t know where you’re going, you may wind up someplace else.”
With that in mind, I recommend reading Orin Kerr’s commentary on the history of civil damages for violations of search and seizure protections. If, like me, you are neither a lawyer nor a constitutional scholar, you may be surprised to learn that back in the day, if evidence was obtained illegally, the remedy was not to exclude it but to admit it and apply civil remedies on the violators. Orin introduces the question:
Originalists are often opposed to the exclusionary rule, the rule that evidence obtained in violation of the Fourth Amendment cannot be used in court. The exclusionary rule was made up by 19th and 20th century judges, the argument runs. At common law, the remedies for violations of search and seizure law were civil damages against the officers, not exclusion of evidence. Because the Fourth Amendment is widely recognized to have adopted and endorsed those cases, such as Entick v. Carrington (1765), the exclusionary rule must be abolished. It simply is not part of the original Fourth Amendment remedies observed in cases like Entick.
I’m not entirely sure that’s correct, but let’s assume it is. Here’s my question: If you’re an originalist, does that mean that you think the Constitution guarantees the civil remedies that existed at common law for search and seizure violations? Put another way, can modern judges change the civil remedies that were available at common law for constitutional violations? Or is there a civil remedies scheme that must be available under an originalist understanding of the Fourth Amendment?
Read more on The Volokh Conspiracy.
Of course, there are those of us who might want both the exclusionary rule and civil penalties for egregious breaches of our rights to be free from unreasonable search and seizure. Many of us – ignorant of the full history of court decisions on the issue – interpret the language of the Fourth Amendment to mean that any search or seizure conducted without a warrant is inherently unreasonable and that the courts have meandered off the reservation by permitting what we consider erosions of what we would maintain are Fourth Amendment protections. We have urged Congress to update ECPA to recognize that government requests for our information should require a probable cause standard or judicial oversight. But as Orin points out, if you’re an originalist, then do you have to argue that government “transgressions” should not result in exclusion of any evidence improperly obtained and that a civil remedy scheme must be available? His commentary is certainly thought-provoking.
We’ve traveled a long road since the Fourth Amendment became one of our core protections. As the Supreme Court grapples with Jones and the use of warrantless GPS surveillance and considers whether to take on the question of whether a drug-sniffing dog on your porch is a search under the Fourth Amendment, we might all be wise to ask, “Do we know where we’re going?”

Perhaps this was not the best way to do this?
"This morning's NY Times highlights the issue of learning in our public schools and the proper role of technology. The Idaho governor and his state school superintendent are advocating a legislative bill for a massive infusion of computers and on-line technology in schools and is meeting resistance from state teachers, particularly the part of the bill that requires high school students to take online courses for two of their 47 graduation credits. Superintendent Luna is quoted as saying, the computer 'becomes the textbook for every class, the research device, the advanced math calculator, the word processor and the portal to a world of information.' The article notes that the governor had received campaign contributions from technology companies and that Apple and Intel had played a part in drafting the bill."
[Is this why they are upset?
To help pay for these programs, the state may have to shift tens of millions of dollars away from salaries for teachers and administrators.

Is the government learning about large data centers from the Cloud providers or are they just cutting funding? i.e. Do they have a plan?
"The U.S. government now expects to shutter at least 1,200 data centers by the end of 2015 in its data center consolidation project. That's about 40 percent of the IT facilities identified in the latest update from federal CIO Steven VanRoekel. The number of government data centers has grown steadily — jumping from 1,100 to 2,094 and now to 3,133 — as the Obama administration has identified more facilities than expected, and expanded the initiative to target telecom closets. The CIO's office says it is on track to close 525 facilities by the end of this year, and has published a list of data centers targeted for closure."

For my Math students (zipdecode is interesting by itself)
The Fractal Dimension of ZIP Codes
… One quick way to look at ZIP codes is by seeing how each part of a ZIP code defines a part of our country. Ben Fry, of Fathom, created a simple visualization called zipdecode to do just this.
… using the wonderful images created by Robert Kosara called ZIPScribbles, which connect the coordinates of sequential ZIP codes (02445 is connected to 02446, 02446 is connected to 02447, and so forth). As you can see below, there is a geographically hierarchical nature to it. ZIP codes divide the population first into states, and then divide into little scribble regions even further, in a self-similar fashion.
So, I set out to measure the fractal nature of the ZIP code system. I used one of the simplest methods, called the box-counting method, which estimates the self-similarity of a shape by looking to see how many boxes in a series of ever-smaller grids are required to cover a shape. Doing this, I was able to calculate the fractal dimension of the ZIP Code system, using the ZIPScribble: 1.78.
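The box-counting method described above, as an added example that is not part of the Social Dimension post and does not use the ZIPScribble data: it counts occupied cells on grids of side 2^-k and fits the slope of log N(k) against log 2^k. The point sets it runs on are constructed here (a line, a filled square and a right-angled Sierpinski triangle), chosen because their exact dimensions are known, so the estimate can be checked; the post's figure of 1.78 for the ZIP code system came from applying the same idea to the ZIPScribble image.

```python
"""Box-counting estimate of fractal dimension on constructed point sets.

Added example; not code from the Social Dimension post. Points live in the
unit square [0, 1) x [0, 1) and a grid level k means cells of side 2^-k.
"""
import math
from typing import Iterable, List, Sequence, Tuple

Point = Tuple[float, float]


def count_boxes(points: Iterable[Point], k: int) -> int:
    """Number of cells in the 2^k x 2^k grid over the unit square that contain a point."""
    scale = 2 ** k
    return len({(int(x * scale), int(y * scale)) for x, y in points})


def box_counting_dimension(points: Iterable[Point], levels: Sequence[int]) -> float:
    """Least-squares slope of log N(k) against log(2^k) over the given levels.

    For a self-similar set N(k) ~ (2^k)^D, so the slope is the dimension estimate D.
    """
    pts = list(points)
    xs = [k * math.log(2) for k in levels]
    ys = [math.log(count_boxes(pts, k)) for k in levels]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den


def line_points(n: int) -> List[Point]:
    """n points on the diagonal y = x (dimension 1). n should be a power of two
    so that every grid cell down to side 1/n is hit exactly once."""
    return [(i / n, i / n) for i in range(n)]


def square_points(n: int) -> List[Point]:
    """An n x n lattice filling the unit square (dimension 2)."""
    return [(i / n, j / n) for i in range(n) for j in range(n)]


def sierpinski_points(depth: int) -> List[Point]:
    """Right-angled Sierpinski triangle (dimension log 3 / log 2 ~ 1.585).

    Every point is sum_i c_i / 2^i with c_i one of three corners, so its first k
    digits decide its 2^k-grid cell and exactly 3^k cells are occupied for k <= depth.
    """
    corners = [(0.0, 0.0), (1.0, 0.0), (0.0, 1.0)]
    pts: List[Point] = [(0.0, 0.0)]
    for i in range(1, depth + 1):
        w = 0.5 ** i
        pts = [(x + cx * w, y + cy * w) for x, y in pts for cx, cy in corners]
    return pts


def demo() -> dict:
    """Dimension estimates for the three constructed shapes over grid levels 1..5."""
    levels = range(1, 6)
    return {
        "line": box_counting_dimension(line_points(256), levels),
        "square": box_counting_dimension(square_points(32), levels),
        "sierpinski": box_counting_dimension(sierpinski_points(7), levels),
    }


if __name__ == "__main__":
    for name, dim in demo().items():
        print(f"{name:10s} box-counting dimension ~ {dim:.3f}")
```

The grid levels must stay finer than the resolution of the point set (here at most 2^-8, 2^-5 and 2^-7 respectively); past that point every point sits alone in its own cell, N(k) stops growing, and the fitted slope collapses toward zero, which is the usual pitfall when running this on sampled data such as a ZIP code scribble.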

(Related) For me!
Welcome to Social Dimension
Welcome to Social Dimension, a blog devoted to the math behind understanding society and civilization. Mathematics can be used to understand all aspects of our society: sports, movies, history, and even how ideas spread around the world. From the highbrow, such as the evolution of ancient manuscripts, to the somewhat lower brow, such as the social networks of superheroes, our society is suffused with topics than can be understood using math.

An alternative to the simple class handout?
Themeefy is a wonderful web service that lets you create online magazines. After creating an account on the site you can sign into the service and drag its bookmarklet to your browser bookmarks toolbar. Through this bookmarklet you can add any webpage to your online magazine by a single mouse click. You can also upload your own images, take notes, and personalize your magazine in numerous ways. With all this done you can begin sharing the magazine with friends on various social networks. [Also share the link directly Bob]
Similar tools: OpenZine, MagMe and YouTellYou.

Wednesday, January 04, 2012

Very misleading headline. Making it legal for them to violate privacy is not the same as avoiding the violation.
USPS acts to avoid customer privacy violations
January 3, 2012 by Dissent
Jim McElhatton reports:
The U.S. Postal Service has quietly sought to “immunize” itself from Privacy Act challenges to its address-correction service, a program that gives credit, marketing and data-service providers access to updated name and address information for tens of millions of Americans.
Postal officials say the program helps reduce costly undeliverable mail that can clog up the mail stream, but its failure to obtain consent to sell customers’ information is raising alarm bells from within and outside the agency.
Read more on The Washington Times.

An older article (Oct 2011) Pointing to articles like this helps to sell the security budget.
"Kevin Mandia has spent his entire career cleaning up problems much like the recent breach at Stratfor where Anonymous defaced Stratfor's Web site, published over 50,000 of its customers' credit card numbers online and have threatened to release a trove of 3.3 million e-mails, putting Stratfor in the position of trying to recover from a potentially devastating attack without knowing whether the worst is over. Mandia, who has responded to breaches, extortion attacks and economic espionage campaigns at 22 companies in the Fortune 100 in the last two years and has told Congress that if an advanced attacker targets your company then a breach is inevitable (PDF), calls the first hour he spends with companies 'upchuck hour' as he asks for firewall logs, web logs, and emails to quickly determine the 'fingerprint' of the intrusion and its scope. The first thing a forensics team will do is try to get the hackers off the company's network, which entails simultaneously plugging any security holes, removing any back doors into the company's network that the intruders might have installed, and changing all the company's passwords. 'This is something most people fail at. It's like removing cancer. You have to remove it all at once. If you only remove the cancer in your leg, but you have it in your arm, you might as well have not had the operation on your leg.' In the case of Stratfor, hackers have taken to Twitter to announce that they plan to release more Stratfor data over the next several days, offering a ray of hope — experts say the most dangerous breaches are the quiet ones that leave no trace." [It just takes a bit of training... Bob]
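The "fingerprint and scope" step Mandia describes, as an added example that is not code from the article, from Mandiant or from Stratfor: starting from the one address named in the initial alert, it pulls the intruder's fingerprint out of the web logs, pivots that fingerprint into the firewall logs to list every internal host that talked to the attacker infrastructure, and flags the internal hosts those machines reached afterwards. The point is the one he makes about cancer: the output is the full list to remediate together, not the first box found. All log lines, hostnames and addresses are constructed (documentation IP ranges); the log formats, field names and the user-agent fingerprint rule are assumptions for the example.

```python
"""Scope an intrusion from constructed firewall and web logs.

Added example; not code from the Slashdot summary, Mandiant or Stratfor.
Everything below (log lines, addresses, the 10.0.0.0/8 internal range and the
user-agent based fingerprint) is constructed for illustration.
"""
import re
from typing import Dict, List, Set

# Constructed web server log (combined format) -- not real data.
WEB_LOG = """\
198.51.100.7 - - [03/Jan/2012:01:58:41 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/9.0"
203.0.113.9 - - [03/Jan/2012:02:14:07 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.9 - - [03/Jan/2012:02:14:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.44 - - [03/Jan/2012:02:20:33 +0000] "GET /reports/export HTTP/1.1" 200 91234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [03/Jan/2012:02:31:10 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/9.0"
"""

# Constructed firewall log -- not real data. 10.0.0.0/8 is the internal network here.
FW_LOG = """\
2012-01-03T02:14:05Z fw1 ACCEPT src=203.0.113.9 dst=10.0.0.5 dport=443
2012-01-03T02:20:30Z fw1 ACCEPT src=203.0.113.44 dst=10.0.0.5 dport=443
2012-01-03T02:25:12Z fw1 ACCEPT src=10.0.0.5 dst=10.0.0.8 dport=445
2012-01-03T02:41:55Z fw1 ACCEPT src=10.0.0.8 dst=203.0.113.44 dport=8443
2012-01-03T02:50:00Z fw1 ACCEPT src=10.0.0.8 dst=10.0.0.12 dport=3389
2012-01-03T03:02:19Z fw1 ACCEPT src=198.51.100.7 dst=10.0.0.5 dport=443
2012-01-03T03:10:00Z fw1 DENY src=203.0.113.9 dst=10.0.0.9 dport=22
"""

WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
FW_RE = re.compile(
    r'^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$')


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")


def parse(regex: "re.Pattern", text: str) -> List[Dict[str, str]]:
    """Return one dict per matching line; blank or malformed lines are skipped, not fatal."""
    return [m.groupdict() for m in (regex.match(l) for l in text.splitlines()) if m]


def fingerprint_attackers(web_rows: List[Dict[str, str]], seed_ip: str) -> Set[str]:
    """Fingerprint = the user agents the seed address presented; any other address
    presenting the same fingerprint is treated as attacker infrastructure.
    (A real case would corroborate this with paths, timing and other artifacts.)"""
    uas = {r["ua"] for r in web_rows if r["ip"] == seed_ip}
    return {r["ip"] for r in web_rows if r["ua"] in uas}


def scope_intrusion(fw_rows: List[Dict[str, str]], attackers: Set[str]) -> Dict[str, object]:
    """Internal hosts that exchanged accepted traffic with attacker addresses (either
    direction, so outbound beaconing counts), plus internal hosts they reached afterwards."""
    accepted = [r for r in fw_rows if r["action"] == "ACCEPT"]
    touched = [r for r in accepted if r["src"] in attackers or r["dst"] in attackers]
    first_seen = min(r["ts"] for r in touched) if touched else None  # ISO timestamps sort as text
    compromised: Set[str] = set()
    for r in touched:
        if r["src"] in attackers and is_internal(r["dst"]):
            compromised.add(r["dst"])
        if r["dst"] in attackers and is_internal(r["src"]):
            compromised.add(r["src"])
    lateral = {r["dst"] for r in accepted
               if first_seen and r["ts"] >= first_seen and r["src"] in compromised
               and is_internal(r["dst"]) and r["dst"] not in compromised}
    return {"attacker_ips": sorted(attackers), "compromised": sorted(compromised),
            "lateral_candidates": sorted(lateral), "first_seen": first_seen}


def investigate(seed_ip: str, web_log: str = WEB_LOG, fw_log: str = FW_LOG) -> Dict[str, object]:
    """Run the whole pivot: web-log fingerprint, then firewall-log scope."""
    attackers = fingerprint_attackers(parse(WEB_RE, web_log), seed_ip)
    return scope_intrusion(parse(FW_RE, fw_log), attackers)


if __name__ == "__main__":
    for key, value in investigate("203.0.113.9").items():
        print(f"{key:20s} {value}")
```

Run against the constructed logs with the alerted address 203.0.113.9, the pivot widens the picture from one external address to two, from one web server to a second host that was beaconing out on 8443, and adds a third host reached over RDP after first contact as a candidate for review; cleaning only the web server would have left the other two in place.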

Was he at least frisked? Is this the new (low) TSA standard?
Man says he popped into U.S. with iPad passport
… The rules state that Canadian visitors need to have an enhanced driver's license--a special document that is compliant with the Western Hemisphere Travel Initiative. Or they need to be part of something delightfully called the Trusted Traveler Program. Or they need to have, well, a passport.
… U.S. Customs and Border Protection hasn't commented on this tale of an apparently indulgent representative of the USA.
Many will believe the very notion of an electronic passport seems to represent an obvious future. If people can fling their iPhones beneath the tired eyes of baristas to pay for a mocha, they can surely fling them in front of the suspicious nose of a border control officer in order to prove who they are.

There's logic and then there's politics... “Computer viruses are evil, therefore we must develop a computer virus!” A fine example of “government knows best.”
"Japanese Defense Ministry has awarded Fujitsu a contract to develop a vigilante computer virus, which will track down and eliminate other viruses, or rather — their sources of origin. Are 'good' viruses a bad idea? Sophos seems to think so, saying, 'When you're trying to gather digital forensic evidence as to what has broken into your network, and what data it may have stolen, it's probably not wise to let loose a program that starts to trample over your hard drives, making changes.'"

Not sure I understand this at all. If a child “12 or older” is pregnant, shouldn't someone tell the police? And under what circumstances would it be safe for a 12 year old to contract for an abortion?
CA: School Counselor Need Not Tell Parent of Child’s Pregnancy
January 3, 2012 by Dissent
Kenneth Ofgan reports:
A school counselor may inform a parent or principal that a student is pregnant or has had an abortion, in order to prevent a clear and present health or safety danger, but is not required to do so and cannot be held liable for not doing so, California Attorney General Kamala D. Harris has opined.
The attorney general Thursday released her opinion regarding Education Code Sec. 49602(c), which was requested by Sen. Mark Wyland, R-Carlsbad.
[From the article:
“To read it as requiring school counselors to disclose confidential information in every case of perceived danger to a student would seriously undermine counselors’ ability to exercise their best judgment under the most difficult circumstances,” Harris wrote.

Part of the “Art of Lawyering” is the secret knowledge required to find the law you have no excuse for violating...
January 03, 2012
Updated edition of Locating the Law: A Handbook for Non-law Librarians
"The Southern California Association of Law Libraries (SCALL) Public Access to Legal Information (PALI) Committee has just posted the updated edition of Locating the Law: A Handbook for Non-law Librarians. We've corrected links, added a few more sources, and moved the "Common Abbreviations in the Law" from the end of Chapter 2 to Appendix B. You can view individual chapters or the entire publication in one large PDF (274 pages)." [June Kim, Senior Reference Librarian, UCLA Law Library]

File this in your “Swiss Army Folder”
January 03, 2012
LLRX - Competitive Intelligence - A Selective Resource Guide - Completely Updated
Competitive Intelligence - A Selective Resource Guide - Completely Updated - December 2011: Sabrina I. Pacifici's comprehensive, current awareness guide focuses on leveraging a wide but selected range of reliable, focused, predominantly free websites and resources to effectively track, monitor, analyze, background and review current and historical data, news, reports, and profiles on companies, markets, countries, people, and issues, from a global perspective. Sabrina's guide is a "best of" web resource that encompasses search engines, databases, alerts, publisher specific services and tools, along with links to content targeted sources produced by leading media organizations, governments, academia, NGOs and independent researchers.

Geeky stuff.

Tuesday, January 03, 2012

Doesn't the IRS always blame the taxpayer? The process to correct this should be rather straightforward...
Tax fraud victims sue IRS for refund
January 3, 2012 by Dissent
Elaine Silvestrini reports that some victims of ID theft/tax refund fraud are mad as hell – at the IRS – and they’re not going to take it any more:
As far as Jay Gordon is concerned, the Internal Revenue Service was the victim of someone who used Gordon’s identity to commit tax fraud, and now Gordon and his wife are victims of the IRS.
“I know we’re not the only ones,” said Gordon, who described his predicament as “ridiculous, asinine, whatever you want to call it.”
The Gordons have filed what they hope will be a class-action lawsuit against the U.S. government on behalf of a growing number of Florida residents who are having trouble getting their tax refunds because someone else filed tax returns to obtain fraudulent refunds in their names.
Read more on Tampa Bay Online.

War by other means? Isn't an attack on citizens an act of war? That was our 9/11 argument, right?
Saudi Hackers claim to post personal information of 400 thousand Israelis (updated)
January 2, 2012 by admin
Sefi Krupsky and Oded Yaron report:
A hacker claiming to be a member of a group of Saudi hackers called Group-XP, hacked into Israel’s leading sports website – One, and posted what he claims is the personal information – including credit card numbers – of hundreds of thousands of Israelis.
People who visited One’s website on Monday were redirected to a page on, where a message by a hacker who identified himself as xOmar 0 suggested visitors download a linked file containing a database of Israelis and their personal information, including names, addresses, and credit card, telephone, and ID numbers.
Ynet reports that a student who analyzed the data claims that although there are 400k entries, only 18,000 of them are unique.
Update Jan. 3: The Jerusalem Post reports:
The details of some 15,000 Israeli credit cards were posted on the One sports website by an international group of hackers. The group targeted three credit card companies: Isracard, Leumi Card and Cal. The Bank of Israel clarified that victims of the incident would be protected under the Debit Card Law.
Additional coverage from The Jerusalem Post can be found here.
Globes, an Israeli site, adds:
The hacking of the ONE website has already been rectified and it is functioning normally. ONE CEO Udi Milner said, “One of our servers was broken into tonight. Our IT team identified the breach and neutralized it within minutes. The matter is being dealt with.”
The Saudi hacker, who calls himself OxOmar, announced online that he succeeded in stealing information including names, addresses, id numbers, telephone numbers, and of course, credit card details including expiration dates and security numbers listed on the back of the card.
The hacking of the ONE website was carried out in order to publicize the theft of Israeli information and the download link. The ONE website does not store Israeli credit card details. Visitors to ONE’s website are transferred to a free uncensored text hosting site called PasteBay which is where the information is located.
Additional coverage can be found on The Los Angeles Times.

Mandatory “Opt Out!” Well, not exactly...
California’s Privacy Class Action Litigation Du Jour: “Shine the Light” Law
January 3, 2012 by Dissent
Theodore J. Kobus III reminds businesses that trolling lawyers are looking for opportunities to file class-action lawsuits where statutory damages are available without any showing of harm:
Privacy class action litigation is hot in California and a new wave of lawsuits are being filed under California’s 2003 “Shine the Light” law, codified in Cal. Civ. Code Section 1798.83.
This privacy law affects most businesses with as few as 20 employees and allows individuals to learn about how a business sells and shares their personal information. Companies that do business with California residents must either allow their customers an opportunity to opt out (without charge) of having their information shared, or the company must make a detailed disclosure of how personal information was shared in the past calendar year for direct marketing purposes. For businesses without a storefront operation, there may be additional requirements for disclosing the business’s privacy policy, including a detailed posting on its website.
Read more on Baker Hostetler Data Privacy Monitor.

No “Arab Spring” in Belarus? (Want to bet?)
"A new law in Belarus prohibits people from using 'foreign' websites. The law requires that all companies and individuals who are registered as entrepreneurs in Belarus use only domestic Internet domains for providing online services, conducting sales, or exchanging email messages. The tax authorities and the secret police are authorized to investigate violations."

(Related) Is this the same thing but designed to look like it has popular (if not democratic) support?
"Web surfers in Europe might soon be asked to 'flag' for law enforcement follow-up any web content they suspect incites terrorism, under a plan a group of EU governments has put to the internet industry. The plan asks for ISPs, search engines, web hosts and everyday users to play a larger role in identifying suspect content. Google already has a similar feature on YouTube — will we see it in the browser?"

I can see increased demand for a new Law School class: “Finding Dirt on Facebook: for fun and profit”
"A recent survey conducted by a UK based divorce website disclosed that 33 percent of behavior divorce petitions filed cite Facebook as a cause for filing for divorce in 2011. In 2009 this figure was 20 per cent. 5000 people were surveyed by Divorce-Online, the UK divorce website, during 2009 and 2011 covering Facebook as a means to check behavior of spouse with the opposite sex and spouses using the social networking platform to comment about their exes post the separation. Three reasons that came out on the top for listing Facebook in divorce petition were
inappropriate messages sent to the opposite sex,
posting nasty comments about exes, and
friends on Facebook reporting about spouse's behavior."

An exciting new way to get out of jury duty?
Man tries to Facebook friend defendant, removed from jury
… It seems, though, that Jock might not have found jury duty exciting. He had reportedly already been posting to his Facebook page that it was actually a little on the tedious side. Even more touchingly, his friends were reportedly offering him advice on that very same Facebook page on how to get himself removed from the jury.
Still, what appears to be fact is that Jock tried to friend Victoria Milerman, a defendant in a personal injury civil case.
Jock explained that this had nothing to do with her pulchritudinous nature. Instead, he told the Herald-Tribune: "I accidentally friend requested her. I didn't think it was a big deal. I didn't think I would get picked for the jury."

Just another time waster?
January 01, 2012
Google Adds Elections Hub to News Portal "From the nineteenth century’s pamphlets to the twentieth century’s TV ad revolution, our elections have always been shaped by how we communicate and consume information. There’s no question that the Internet is set to deliver more political information, opinion and news than any other medium throughout the 2012 U.S. elections. The web offers candidate and issue info to voters; networking and fundraising platforms for campaigns; and research and productivity tools for journalists. Today, just in time for the Iowa Caucuses, we’re launching, an election hub where citizens can study, watch, discuss, learn about, participate in and perhaps even make an impact on the digital campaign trail as it blazes forward to Tuesday, November 6, 2012."

Did you miss any of these?
HBR's Best Videos, Infographics, Podcasts, and Slideshows of 2011
… Our most-watched video was "Rethinking Capitalism" with Harvard Business School professor Michael Porter.

'cause sometimes these are handy...
Monday, January 2, 2012
… sometimes you might want to actually capture and draw on a webpage to point out to others specific elements of that webpage. Here are three free tools for doing just that.
Awesome Screenshot is a great Chrome and Safari browser extension for capturing, annotating, and sharing screenshots
Bounce is a neat application that not only allows you to make annotated screen captures of websites but also allows you to instantly share those screen captures with others. is a free service that enables you to quickly draw and write on any webpage.

Monday, January 02, 2012

I know there are many lawyers who have been waiting for a Y2K problem for at least 15 years, and this is all we could deliver?
Chaos as guests locked out of rooms at Denver hotel
… Room keys malfunctioned with the transition to the new year.
Denver Police say they were called to the hotel as fights broke out among frustrated guests.
One 9NEWS viewer says people were getting sick in the halls, and the elevators were not working.
Denver Police say there were no serious injuries.
The lock-out ended around 3 a.m. According to Marriott, they have comped the rooms for all of the guests due to the inconvenience.
9NEWS has also heard from one person in Hawaii who is staying at a Marriott. She says their entire hotel was also locked out around the same time.
Two other Denver Marriott hotels say they did not have those problems.

There should be a law...
Update on Care2 breach: how to delete the account(s) you didn’t know you had
January 1, 2012 by admin
The more some of us delve into the Care2 breach, the more it becomes clear that the only reason the social networking site can claim almost 18 million members is because many “members” never knowingly signed up as members and had their “membership” created for them without their knowledge or direct consent.
Following my post the other day, the individual who sent me the e-mail notification of the breach used the password retrieval mechanism to see what password Care2 showed for the account she had no recollection of creating. The password they sent her was one they had created for her “account.” Using that, she attempted to retrieve her profile. After being forced to do a password reset, she explored her profile and learned that the account must have been created after she had used the site several years ago to sign a petition. Her “profile” reflected the information she had provided in signing the petition.
At the same time that she was trying to figure out how she wound up with an account she never requested or explicitly authorized, Lee from was sending Care2 public relations an e-mail asking them to comment on numerous complaints from people who also stated they had never knowingly created accounts. In response, they sent him a boilerplate reply, which he kindly forwarded to
From: Randy Paynter
Date: Sun, Jan 1, 2012 at 3:30 AM
Subject: Re: Care2 Public Relations
Please forgive the nature of this automated response. We are working to help everyone as quickly as we can. The best way we can do this is to help you help yourselves using some tools we have made available. These will get you quicker service, and enable us to personally assist those of you who have outstanding requests.
*Unaware that you had an account at
*We sent a warning email about our recent hacking incident to everybody who had at some point in the past 12 years created an account on or You might not recall having ever done this, which would make our warning email confusing, however at some point in the past you or someone (not us!) created an account with the email address we sent the message to.
It would seem that people who used the site to sign a petition had a durable account created for them, without their knowledge or explicit consent. If they had consented, they would have created a password instead of what the site shows as the password.
So what did the site’s privacy policy say about use of The Petition Site? According to their privacy policy (archived in the Wayback Machine):
PetitionSite: Care2 owns and maintains the nonpartisan Petition and Public Comment signers are required to provide certain personal information such as name, email address and often street address. This information is required to validate the petition / public comment. Care2 uses cookies and a signature database to provide data integrity and ease of use.
For petitions and surveys you’ve signed or completed, we treat your name, city, state, country and comments as public information—for example, we may provide compilations of petitions, with your comments, to the President and legislators, other targets, or to the press. Unless you have requested to be shown as ‘anonymous,’ this information will also be visible on the website. We will not make your street address publicly available, but we may transmit it to members of Congress, to other public officials, or to other targets as part of a petition to validate your signature. We may also make your comments, along with your first name, city, state and country, available to the press and public online.
Care2 hosts two kinds of petitions: free petitions sponsored by individuals and petitions sponsored by nonprofits.
For the free petitions, only the public information listed above is made available to the petition sponsors or targets.
For many of the petitions sponsored by nonprofits, we provide an advocacy service allowing individuals to send individual e-mails to public officials, legislators, and other targets as well as public comments to government agencies, through our website. These messages are sent in your name, with your e-mail address as the return address and your full name and contact information is provided as part of the submission. These messages will only be sent out under your name as you approve them on an individual basis by signing an action. You are solely responsible for the specific message(s) you send using our email tool. Optional comments will be included in the body of the email message delivered to the petition target.
During the signing process, you may opt to receive certain email newsletters and online memberships, in which case Care2 will send required contact information to those 3rd party providers. However, unless you specifically opt to receive such online offers or send your contact information to 3rd parties during the signing process, Care2 will keep your email address information confidential.
Is that what they view as creating an account? Nowhere does it mention that an account is created for the individual or that they are now a “member.” They do note that the site was TRUSTe certified at the time. Big help that was, huh?
If you got caught up in this mess, you can cancel the account you never knew you had. Here’s how:
1. Login to Use the e-mail address that received the e-mailed breach notification. Click “forgot password” and have them send you a password. Login with that password and
2. Go to: Click the button to confirm deletion.
The person who contacted was fortunate in that the e-mail address used in signing the petition was still a working e-mail address. Others, who no longer have access to the e-mail addresses they had used are posting messages on seeking help in getting back into the accounts so that they can see what information was stored about them in their public profile or so that they can delete their account.
I’ve had numerous discussions over the years with others about the need for explicit opt-in consent. This is just one more example of how people can wind up with their information in databases because they visited or used a site years ago, never knowing what they were getting themselves into.

What was the thinking (if any) that concluded they were not a significant target?
California Statewide Law Enforcement Association (CSLEA) hacked
January 1, 2012 by admin
I don’t know how you partied last night (if you did), but it looks like the AntiSec folks thoroughly enjoyed themselves by releasing data they acquired from the California Statewide Law Enforcement Association (CSLEA).
In a statement on the defaced site earlier in the evening, the hackers referred to the hack as being part of “pr0j3kt m4yh3m,” a response to local governments and law enforcement attacking the #Occupy protesters in cities and parks. But the hackers also offered a broader political justification:
From the murder of Oscar Grant, the repression of the occupation movement, the assassination of George Jackson in San Quinten prison, the prosecution of our anonymous comrades in San Jose, and the dehumanizing conditions in California jails and prisons today, California police have a notorious history of brutality and therefore have been on our hitlist for a good minute now.
Will there be some embarrassed members of CSLEA this morning? It’s likely, as the hackers read and then dumped personal e-mails. But perhaps the greatest embarrassment will be over the fact that even when they could reasonably anticipate an attack, CSLEA failed to prevent it and left too much sensitive information seemingly unencrypted and available:
Interestingly, CSLEA members have discussed some of our previous hacks against police targets, raising concern for the security of their own systems. However Ken [Ken Fair is the Computer & Networks Systems Technician for CSLEA -Dissent] deliberately made some rather amusing lies as to their security. He repeatedly denied having been hacked up until web hosts at showed him some of the backdoors and other evidence of having dumped their databases. We were reading their entire email exchange including when they realized that credit card and password information was stored in cleartext. This is about the time Ken changed his email password, but not before receiving a copy of the ‘shopper’ table which contained all the CCs. Too late, Ken.
In all fairness, they did make an effort to secure their systems after discovery of the breach. They changed a few admin passwords and deleted a few backdoors. Shut mail down for a few days. They also finally decided to set a root mysql password, but we got the new one: “vanguard”. We noticed that you got rid of the credit card table, and most of the users in your database. Still haven’t figured out how to safely hash passwords though: we really loved your change from ‘redd555′ to ‘blu444′. Clever.
But we still had shell on their servers, and were stealthily checking out the many other websites on the server, while also helping ourselves to thousands of police usernames and passwords (it’s how Special Agent Fred Baclagan at the California DOJ Cybercrimes Unit got humiliated last month). For two months, we passed around their private password list amongst our black hat comrades like it was a fat blunt of the dank shit, and now it’s time to dump that shit for the world to use and abuse. Did you see that there were hundreds of passwords? Happy new years!!
All told, there were 1,076 e-mail addresses and clear-text passwords of people in California government (, 321 of which were addresses.
I won’t reproduce everything that was posted in the defacement, but note that they produced an internal exchange of e-mails about the security of the site and members’ information that was, with the clarity of hindsight, overly optimistic at best, and downright wrong at worst.
The hackers also revealed the “shoppers table” that was removed back in November after they discovered that there had been an intrusion. That table included first and last names, e-mail addresses, company and address, phone and fax numbers, and other information on purchases – including dozens of entries with credit card type, full credit card number, and credit card expiration date. The credit card data were in clear text.
The passwords roster, uploaded to the web as part of the CSLEA data dump, includes 2,519 first and last names, usernames, clear-text passwords, e-mail addresses, and in some cases zipcodes.
In light of the security concerns law enforcement had after earlier attacks on other law enforcement agencies, AntiSec’s ability to get into CSLEA’s databases should be a source of embarrassment and concern to the organization. That AntiSec was able to continue to traipse around on their server after they became aware of the previous breach is well, bad.
I haven’t waded through the entire e-mail spool that was dumped, and will leave it to others to search to see if there are any “smoking guns.”
In the meantime, CSLEA is down and all you see if you try to connect to the home page is:
No web site is configured at this address
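The Care2 "we'll send you your password" mechanism described above and the cleartext password and credit card tables in the CSLEA dump are the same storage failure. As an added illustration (not code from either site or from the post's author), here is that weak pattern beside its hardened replacement using Python's standard-library PBKDF2; the class names, the example address and the iteration count are assumptions, and the passwords are the two values quoted in the CSLEA post.

```python
"""Added example (not Care2's or CSLEA's code): a password store that can
mail you your password versus one that stores only a salted, stretched hash.
Class names, the iteration count and the sample e-mail are constructed."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 600_000  # assumption: OWASP's 2023 figure for PBKDF2-HMAC-SHA256


class ClearTextStore:
    """Weak pattern: the password is kept as entered. Anyone who reads the
    table, or a 'forgot password' e-mail, gets the credential itself."""

    def __init__(self):
        self._rows = {}  # email -> password, exactly as typed

    def create(self, email, password):
        self._rows[email] = password

    def login(self, email, password):
        return self._rows.get(email) == password

    def forgot_password(self, email):
        # Returns the stored secret: what a site that "sends you your
        # password" must be doing under the hood.
        return self._rows[email]


class HashedStore:
    """Hardened pattern: only salt + PBKDF2 hash are stored, so a dumped table
    yields no usable passwords and 'forgot password' can only issue a
    single-use reset token, never the password."""

    def __init__(self):
        self._rows = {}          # email -> (salt, derived_key)
        self._reset_tokens = {}  # token -> email, consumed on use

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, PBKDF2_ITERATIONS)

    def create(self, email, password):
        salt = os.urandom(16)  # fresh random salt per user
        self._rows[email] = (salt, self._derive(password, salt))

    def login(self, email, password):
        row = self._rows.get(email)
        if row is None:
            return False
        salt, stored = row
        # Constant-time comparison of the derived key against the stored one
        return hmac.compare_digest(stored, self._derive(password, salt))

    def forgot_password(self, email):
        # The password is not recoverable; hand out a one-time reset token.
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = email
        return token

    def reset_with_token(self, token, new_password):
        email = self._reset_tokens.pop(token, None)  # single use
        if email is None:
            return False
        self.create(email, new_password)  # new salt, new hash
        return True

    def dump_table(self):
        # What someone with read access to the database sees: hex salts and
        # hashes only, no passwords.
        return {e: (s.hex(), h.hex()) for e, (s, h) in self._rows.items()}


def password_recoverable(store, email):
    """True if whatever 'forgot password' returns logs the account straight in,
    i.e. the site handed back the real password rather than a reset token."""
    returned = store.forgot_password(email)
    return store.login(email, returned)
```

Run `password_recoverable()` against both stores to see the difference: it is True for the cleartext store and False for the hashed one, which is the property a breach-notification reader should expect from any site that offers to e-mail a password.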

Because sometimes a Tweet is not enough?
Our favorite tech long reads of 2011

English, as she is spoke on the Internet?
An article in The New York Times highlights two growing collections of words online that effectively bypass the traditional dictionary publishing system of slow aggregation and curation. Wordnik is a private venture that has already raised more than $12 million in capital, while the Corpus of Contemporary American English is a project started by Brigham Young professor Mark Davies. These sources differ from both conventional dictionary publishers and crowd-sourced efforts like the excellent Wiktionary for their emphasis on avoiding human intervention rather than fostering it. Says founder Erin McKean in the linked article, 'Language changes every day, and the lexicographer should get out of the way. ... You can type in anything, and we'll show you what data we have.'
[From the Times article:
No modern-day Samuel Johnson or Noah Webster ponders each prospective entry there. Instead, automatic programs search the Internet, combing the texts of news feeds, archived broadcasts, the blogosphere, Twitter posts and dozens of other sources for the raw material of Wordnik citations, says Erin McKean, a founder of the company.

Might make those pesky 'word problems' easier...
… OpalCalc is an excellent calculation app for Windows computers with .NET 3.5 or higher installed. The app lets you type in your calculations as you normally would on a piece of paper – by indicating which value belongs to which item/expense. Your total is then easily calculated using the dedicated word ‘total.’ You can also assign values to variables and use those variables to calculate formulas.
… OpalCalc offers a free version with a “5 line per calculation” limit. The Pro version removes this limit and can be obtained by donating any amount to the app through PayPal.