Saturday, January 14, 2012

What benefit does this give a country? Fewer pesky comments on your failures? Fewer suggestions on how to improve your products and services? Fewer job offers?
"An Indian court has given the green light for the prosecution of '21 social networking sites.' The list features 10 foreign-based companies, and could affect websites provided by Facebook, Google, Microsoft, Yahoo, and YouTube. The recent development is part of an ongoing argument between the companies and India over whether content should be regulated (read: censored) in the country. The approval was actually made on December 23, 2011, but was only revealed yesterday. India warned these websites it can block them just like China can."

Now that we have them addicted, let's charge them $1 a month...
Prediction: 1 billion Facebook users by August

Planning future classes...
"Every January, it is traditional to compare the state of programming language usage as indicated by the TIOBE index. So what's up and what's down this year? The top language is still Java, but it's slowly falling in the percentages. Objective-C experienced the most growth, followed by C# and C. JavaScript climbed back into the top 10, displacing Ruby. Python and PHP experienced the biggest drops. If you like outside runners, then cheer for Lua and R, which have just entered the top 20. However, I have to wonder why Logo is in the top 20 as well. I know programming education is becoming important, but Logo?"

Considering the tools for tomorrow? is a database of ebook reader devices that has quick filtering and comparison capabilities.
… This site offers you facts about ereaders and allows you to easily find the devices that match your parameters. Some of the information is being obtained from device manufacturers and reviews; some is being contributed by website users.
… Using the site is easy: narrow down your search by using the filter form on the home page and then compare the devices.

(Related) Want everything on your Kindle?
Kindle simplifies PC document transfers
Amazon released "Send to Kindle" today that lets users transfer personal documents from their PC to a Kindle. It seems that the divide between tablets and computers is ever shrinking.
Once downloaded and installed, the way the plug-in works is users can right-click on one or more documents, select print, then choose "Send to Kindle." The document will automatically be converted into a PDF. This plug-in can be used with any application that connects to a printer.
However, with Kindles having only between 2GB and 8GB of available storage, this plug-in isn't really intended for people to transfer their entire PC to their Kindle. So, part of the plug-in's capability is that it lets users archive documents in their Kindle Library, where they can re-download later if needed.

A worthwhile tool?
There are web highlighter tools and then there are citation tools. Both are different types of study aids. A new Firefox plug-in, or, let’s accurately describe it, a Firefox toolbar, combines the two and gives us a personal research organizer and citation recorder called Citelighter (Beta).

Will this be a quick win? Lots of geeky Star Trek fans have been thinking about this for years...
X PRIZE Foundation and Qualcomm Foundation Set to Revolutionize Healthcare with Launch of $10 Million Qualcomm Tricorder X PRIZE
… The $10 million top prize will be awarded to the team that develops a mobile platform that most accurately diagnoses a set of 15 diseases across 30 consumers in three days. Teams must also deliver this information in a way that provides a compelling consumer experience while capturing real time, critical health metrics such as blood pressure, respiratory rate and temperature.

Friday, January 13, 2012

I hope these guys don't offer a Computer Security degree...
CA: Viruses stole City College of San Francisco data for over a decade before being detected
January 13, 2012 by admin
Nanette Asimov reports:
Personal banking information and other data from perhaps tens of thousands of students, faculty and administrators at City College of San Francisco have been stolen in what is being called “an infestation” of computer viruses with origins in criminal networks in Russia, China and other countries, The Chronicle has learned.
At work for more than a decade, the viruses were detected a few days after Thanksgiving, when the college’s data security monitoring service detected an unusual pattern of computer traffic, flagging trouble.
[From the article:
For now, it's still going on. So far, no cases of identity theft have been linked to the breach. That may change as the investigation continues, and college officials said they might need to bring in the FBI.
The college's payroll, admissions and accounting systems have yet to be analyzed for the viruses.
… It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected.
"These viruses are shining a light on years of (security) neglect." [Ya think? I'd also be interested in determining what change finally caught this virus Bob]
… Places like City College of San Francisco, where officials have done little to protect against cyber attacks over the years, are especially vulnerable, Hotchkiss said. He arrived at City College in July 2010, and was astonished to learn how porous its computer systems have been.
"When I found out they hadn't changed passwords in over 10 years, I hit the roof," said the tech expert, who ordered them all changed last summer.

Interesting because it is local and because it is the B school that did the study. Someone is thinking! (I'm gonna guess that dating sites were studied because porn sites have been done too often.)
Some dating websites do not remove GPS data from photos
January 13, 2012 by Dissent
While the majority of dating websites do a good job of managing the privacy of their users, a class research project at the University of Colorado Boulder’s Leeds School of Business found that 21 of 90 dating websites the class examined did not properly remove location data from pictures uploaded by their users.
[From the article:
A complete list of all the websites examined by the class is available at
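To audit an upload pipeline for the failure the class found, here is an added example (not the class's code or any dating site's): a dependency-free Python walker over JPEG segments and the Exif TIFF structure that flags a GPS sub-IFD, plus a stripper that drops the Exif segment before the image is stored. The sample JPEGs are constructed inline; the tag numbers are the standard Exif ones.

```python
import struct

EOI, SOS, APP1 = 0xD9, 0xDA, 0xE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825  # Exif tag in IFD0 that points at the GPS sub-IFD


def _segments(data):
    """Yield (marker, start, end) for every length-prefixed segment before SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        while pos + 2 < len(data) and data[pos + 1] == 0xFF:  # skip fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker in (EOI, SOS):  # entropy-coded scan data follows SOS; stop here
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # stand-alone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        yield marker, pos, end
        pos = end


def _exif_has_gps(body):
    """Walk the TIFF IFD chain inside an APP1 body and look for the GPS pointer."""
    if not body.startswith(EXIF_HEADER):
        return False
    tiff = body[len(EXIF_HEADER):]
    if len(tiff) < 8:
        return False
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return False
    magic, ifd_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 0x2A:
        return False
    seen = set()  # guard against IFD loops in hostile files
    while ifd_off and ifd_off not in seen and ifd_off + 2 <= len(tiff):
        seen.add(ifd_off)
        (count,) = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])
        for i in range(count):
            entry = ifd_off + 2 + 12 * i
            if entry + 12 > len(tiff):
                return False
            (tag,) = struct.unpack(endian + "H", tiff[entry:entry + 2])
            if tag == GPS_IFD_POINTER:
                return True  # a GPS sub-IFF pointer is present, even if the sub-IFD is empty
        nxt = ifd_off + 2 + 12 * count
        if nxt + 4 > len(tiff):
            break
        (ifd_off,) = struct.unpack(endian + "I", tiff[nxt:nxt + 4])
    return False


def has_gps(data):
    """True when any APP1 Exif segment of the JPEG carries a GPS sub-IFD pointer."""
    for marker, start, end in _segments(data):
        if marker == APP1 and _exif_has_gps(data[start + 4:end]):
            return True
    return False


def strip_exif(data):
    """Return the JPEG with every APP1 Exif segment removed; scan data is untouched."""
    out, last = bytearray(data[:2]), 2
    for marker, start, end in _segments(data):
        if marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER:
            out += data[last:start]
            last = end
    out += data[last:]
    return bytes(out)


def build_sample_jpeg(with_gps=True):
    """Constructed test input: a tiny JPEG whose Exif IFD0 optionally points at a GPS IFD."""
    entries = [struct.pack("<HHI4s", 0x0110, 2, 4, b"Cam\x00")]  # Model, ASCII, inline
    gps_off = 8 + 2 + 12 * (2 if with_gps else 1) + 4
    if with_gps:
        entries.append(struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_off))
    tiff = b"II*\x00" + struct.pack("<I", 8)
    tiff += struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)
    if with_gps:  # GPS IFD with one entry: GPSLatitudeRef = "N"
        tiff += struct.pack("<H", 1) + struct.pack("<HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00")
        tiff += struct.pack("<I", 0)
    app1_body = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    sos = b"\xff\xda" + struct.pack(">H", 2)  # minimal SOS; fake scan bytes follow
    return b"\xff\xd8" + app1 + sos + b"\x00\x01\x02" + b"\xff\xd9"
```

Dropping the whole Exif segment also discards the orientation tag, so a pipeline that does this should re-encode or record orientation first; XMP metadata (a different APP1 payload) and non-JPEG formats can carry location too and are outside this check.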

I suspect that someone, somewhere has done a study to determine how many cameras are required to cover a given area. On the other hand, if they could get cameras for free from the equivalent of DHS, why not?
UK: Use of CCTV in Welsh schools: FOI request shows lack of compliance with fair processing and FOI
January 12, 2012 by Dissent
It may have sneaked under the radar in and around Xmas but an FOI request in Wales to schools produced some alarming stats.
There are at least 2,840 cameras in schools across Wales, one school in Cardiff has 40 cameras for around 190 pupils. Just over a third of all the schools in Wales responded to the Freedom of Information Act request asking about CCTV use on their premises. That means that two thirds don’t do CCTV or worse than that they didn’t realise they had to reply to FOI requests.
Read more on Act Now Training

Thursday, January 12, 2012

Darn! I wanted to see the school board explain this in court.
Ex-Student Drops ‘Spycam’ Case Against Lower Merion Schools
January 11, 2012 by Dissent
Eric Campbell and Danielle Vickery report:
Former Lower Merion School District student Paige Robbins on Wednesday morning withdrew her lawsuit that alleged a district laptop’s camera took photos of her undressed without her knowledge.
Robbins and her parents said after a hearing at U.S. District Court in Philadelphia they plan no further legal action against the district.

So the technology records street conversations? How is that useful in detecting and locating gunfire? Was anyone (other than Big Brother's minions) aware of this “feature?” What else have they failed to mention?
Gunshot Sensor Sparks Privacy Concerns
January 11, 2012 by Dissent
Sacha Pfeiffer and Lynn Jolicoeur report:
A murder case in New Bedford is raising tough questions about what happens when technology, law enforcement and privacy rights collide.
At the center of all this is an acoustic sensor that’s meant to detect the sound of gunfire, but that ended up recording a street argument just before a fatal shooting. Prosecutors are now using that recording as evidence against two defendants, and that’s troubling to some civil liberties advocates.
Read more on WBUR.
[From the article:
Under Massachusetts law, you cannot secretly record someone’s oral communication — period. I think the police have violated the wiretapping statute and shouldn’t be allowed to use the tape recording.

Are you paranoid enough?
Are Drones Watching You?
January 12, 2012 by Dissent
Jennifer Lynch of EFF writes:
Today, EFF filed suit against the Federal Aviation Administration seeking information on drone flights in the United States. The FAA is the sole entity within the federal government capable of authorizing domestic drone flights, and for too long now, it has failed to release specific and detailed information on who is authorized to fly drones within US borders.
Many drones, by virtue of their design, their size, and how high they can fly, can operate undetected in urban and rural environments, allowing the government to spy on Americans without their knowledge. And even if Americans knew they were being spied on, it’s unclear what laws would protect against this. As Ryan Calo, the ACLU (pdf) and many others have noted, Supreme Court case law has not been friendly to privacy in the public sphere, or even to privacy in areas like your backyard or corporate facilities that are off-limits to the public but can be viewed from above. The Supreme Court has also held that the Fourth Amendment’s protections from unreasonable searches and seizures may not apply when it’s not a human that is doing the searching. None of these cases bodes well for any future review of the privacy implications of drone surveillance.
Read more on EFF.

Is it conceivable that they could win? Would that be “proof” that the US needs even more “copyright owner's control of congress?”
"The music industry has initiated a lawsuit against the Irish government for not having blocking laws on the books; on the theory that if blocking laws were in place then filesharing would go away. On Tuesday the music industry issued a plenary summons against the Irish government which is the first step towards making this litigation possible. This all began in October 2010 (EMI v. UPC), when an Irish judge ruled that Irish law did not permit an order to be made against an ISP requiring blocking of websites. Recently several ISPs across the European Union have been ordered by courts to block through legal maneuvers."

Did Facebook contribute as much to the Obama campaign as Google? (Just asking...)
Google And The Monopoly Paradox
With the deep inclusion of Google+ into Search, Google is tempting fate. We’ve been over this. A lot. And this story is going to continue for some time to come. It sure looks like Google is almost asking for an inquiry into potentially anti-competitive practices (and it’s coming). Which is insane. So the next logical question is why? Why is Google risking so much to do this?
My colleague Eric had a very interesting theory earlier. Maybe Google’s real motive is to get the government to also look into Facebook’s often-unfair practices with regard to their network ahead of their IPO. If social and not search is indeed the future, call this pre-subversion. And if there’s any shred of truth to this theory, more power to Google — it’s rather genius (though still extremely risky).

What names will be taken, what names will not. $185,000 for “.truth” but nothing for “.logical?”
Companies Prepare for Land Grab of New ‘Generic’ Top-Level Domains
From this Thursday (midnight UTC) companies can apply to the Internet Corporation for Assigned Names and Numbers (ICANN) for the domain name suffix of their choosing — from dot brand (.brand) or dot product (.camera, for example) through to generic terms like .food, .hotel or .pugs. They have until April 12 to get their applications, along with the $185,000 fee, to ICANN. After that date it is expected that further applications won’t be accepted for at least two or three years.

Perhaps a “Free Movie Night” at the U?
Here is some more evidence of why Open Culture is one of my favorite blogs to read. This morning they posted two great YouTube discoveries; full-length productions of George Orwell's 1984 and Animal Farm. I've embedded Animal Farm below.
Open Culture has included both works as free ebooks and audiobooks in their collections.
Applications for Education
If you use either 1984 or Animal Farm in your classroom (I had to read both in high school), you might want to show parts or all of these videos to your students after they have read the books. If you want to use just a part of one of the videos you might want to try using one of these tools to clip the section that you need.

I'm thinking of translating my Master's Thesis into “Super Bob Saves the World!”
… If you’re interested in creating and publishing your own comic or graphic novel and distributing it online, you will probably want to use these formats; they’re the most common, they’re easy to create and are recognized by most comic book readers.
[and when I'm done:
Comic Book Readers
For Windows, you might use ComicRack
Mac OS comic readers include Comical
On the iPhone you might try CloudReaders
Android users have the benefit of Droid Comic Viewer
Windows Phone users can run the Lindy Comics app
Ultimately it is easier to use a comic reader than use a standard PDF reader (although many comic readers will support PDFs); indeed, it is possible to convert PDFs directly to CBZ format files.

(Related) But then, maybe I'll have my students do it for me!
Amazon: Time to start programming your e-books
The dividing line between writing books and writing programs just got a big step blurrier.
That's because Amazon has now released tools for creating books using Web technologies. Those tools include Hypertext Markup Language (HTML), used to describe Web pages, and Cascading Style Sheets (CSS), used for formatting.

Wednesday, January 11, 2012

The first rule when making statements like this is: Don't be wrong. A banking relationship is built on trust. Lie to your customers, even unintentionally and you face doom. (If your systems are secure how about your vendors and consultants?)
Saudi denies bank info breach by Israeli hackers (updated)
January 10, 2012 by admin
Tarek El-Tablawy reports:
A top Saudi banking official on Tuesday denied an Israeli media report that hackers from Israel obtained credit card and bank account details of thousands of Saudi citizens, retaliating for an attack on Israeli accounts.
Talaat Hafez, secretary-general of the media office in the kingdom’s banking authority, denied a report by the Israeli daily Yediot Ahronot that Israeli hackers were threatening to release the financial information they obtained if hackers continue to publish Israeli credit details on line.
Hafez was quoted by the Saudi online newspaper as saying that Saudi bank customers’ financial information was safe and there was “no need for customers to be concerned” because Saudi banks’ information networks were very secure.
Read more on the San Francisco Examiner.
Didn’t the Israeli hackers say they accessed credit card numbers of shoppers? I saw no claim that they hacked any banks. The banks are denying that they were hacked, but that wasn’t the claim as far as I know. Do the banks in Saudi Arabia control the merchants’ networks’ security? Very confusing refutation….
Update: I just saw posts on Pastebin with what appear to be data dumps with 217 names, e-mail addresses, full credit card numbers, and expiry dates from Saudi citizens. All of the expiration dates are in the format mm/dd and are labeled with “expired,” so these may be old data (although a new hack), although I suspect the field should just read “expires” or “expiration date.” The dump was made by someone calling himself “0xOmer,” in response to the hack of Israeli sites by 0xOmar.

A classic “he said, she said” but with one side having the medical records. What did the patient have to disclose? The bill? How can you refute claims without disclosing details?
By Dissent, January 10, 2012
Karen M. Cheung has more on the Prime Healthcare case, reporting that the FBI has interviewed the patient who gave her records to California Watch.
While much of the report concerns the original focus of possible fraudulent billing of Medicare, some of the story concerns the privacy aspects.
Reading it, you can understand why Prime Healthcare wanted the paper to see the patient’s records, as there is material in there that reportedly contradicts or at least calls into question California Watch’s original reporting on the case. But even so, that doesn’t give them the right to disclose the patient’s records without consent.
For a more neutral perspective on the Medicare billing aspects than California Watch seems to have provided, see the Record Searchlight’s “Note from the Editor” today.

I have cousins who deserve their own zip code, but in this case the court has read up on how zip codes can be used to identify individuals...
Mass Ct: ZIP Code is Personal Identification Information Under Credit Card Statute But Plaintiff Must Still Allege Harm — Tyler v. Michaels Stores
January 10, 2012 by Dissent
Venkat Balasubramani writes:
Last year, the California Supreme Court held that a ZIP Code is personal identification information for purposes of a statute which restricted the type of information a retailer could collect: “California Supreme Court Rules That a ZIP Code is Personal Identification Information — Pineda v. Williams-Sonoma.” A federal court in Massachusetts recently construed a similar Massachusetts statute to reach the same conclusion, albeit for different reasons. But having found that the retailer in this case technically violated the statute, the court dismisses the case on the basis that the plaintiff failed to allege a cognizable injury.

Infographics: Some people swear by them, some people swear at them.
Piktochart is a web app that aims to make creation of infographics that deal with complex numbers or data easier to work with and produce. This tool really provides a good starting point to work with data and present it in a clear and concise manner. With a robust and growing tool set, this is an interesting tool that will likely prove very useful for students and teachers alike. While this is a freemium offering (more features available for a fee), this tool's trial or free section of the site is worth playing with to see if it is something that would be helpful in the classroom.

(Related) For the people who swear by...
… Luckily, for those of us with our résumés in LinkedIn, there are services available to do all of the visually creative stuff for you. All you need to do is sync your LinkedIn account and your visual résumé is ready for use.
Here are two of the best visual résumé creators you can try for free.

(Related) Since I don't use Linkedin, here's where I'll create my resume...
The app is completely WYSIWYG and does not require any coding or actual designing.

Tuesday, January 10, 2012

Take it a step further, would compliance with PCI-DSS provide proof of the breach or is that security worthless? I suspect that would get settled quickly...
The merchant strikes back: Cisero’s sues processor and bank over pass-along fines following alleged breach
January 9, 2012 by admin
There’s an interesting lawsuit to watch in Utah. The owner of Cisero’s in Park City is suing their payment processor and bank for deducting money from their account after card issuers fined them over an alleged breach of the restaurant’s system.
The case stems from a March 2008 incident. According to Cisero’s, Visa had notified them that they appeared to be the common point of compromise in a situation involving credit card fraud and that they needed to bring in forensic investigators. Two independent forensic investigations found that the restaurant had unknowingly stored credit card numbers, but there was no clear evidence of any actual breach. Despite the absence of confirmation of any breach that could account for customers’ fraudulent charges elsewhere, Visa ultimately fined U.S. Bank, the acquiring bank. Elavon, the payment processor, is a unit of U.S. Bank.
Thom Weidlich provides the background on the case on Bloomberg.
At issue here are the restaurateur’s claims that there was no evidence that they had been hacked, that Visa didn’t prove that there had been a compromise of their system that resulted in fraud, and that although they had unknowingly stored over 8,000 card numbers, that number was below the contractual threshold to trigger fines. The owners had been sued by Elavon for over $82,000 in fines that Visa and MasterCard had levied. The owners countersued in August.
“At no time has Elavon, US Bank, Visa, MasterCard or any other entity proven that a data breach occurred at Cisero’s, that card issuers actually suffered fraud losses or that any such losses were caused by a data breach at Cisero’s,” the restaurant said in court papers.
The owners also allege that U.S. Bank never provided any information or support to assist them in staying secure and PCI-DSS compliant, and that rules were unilaterally changed without notice or consent over time.
Some of their suit strikes me as buyer’s remorse. They signed a contract that permitted some of these things to occur. Was it a lousy contract? Probably. Were there documents that they weren’t even provided before they signed the contract? It seems so. But what it may boil down to is that they did sign a contract. So what part of the contract did the bank and processor actually breach? Their strongest arguments appear to be that they were not notified of the fine, as required by the contract, in time for them to file a timely appeal and that Visa ascribed losses to a breach without justifying their numbers – particularly since there was no proof any breach had even occurred. I think their claim that the acquiring bank failed to provide them with information and support to remain compliant is also worth pursuing, but without the language of the contract to determine the bank’s contractual obligations to them, I’m not sure where that will go.
Visa is not a defendant in this lawsuit, but they are the elephant in the room.
You can read the payment processor’s lawsuit against the restaurant and the countersuit against the processor and acquiring bank, courtesy of Bloomberg. See what you think. Do you think they stand a chance of prevailing?

The problem with tit-for-tat is that it tends to escalate. Given time, either the Hatfields or the McCoys would have gone nuclear.
Israel’s hacker avengers: We’ve obtained Saudi credit card info
January 9, 2012 by admin
Aviel Magnezi reports:
The major credit card information leak, a by-product of the activities of the Saudi hacker who has been sneering over attempts to locate him, has not been ignored.
Israeli hackers who spoke to Ynet claimed on Monday that they have managed to lay their hands on the details of thousands of credit cards used on Saudi shopping websites. Ynet has confirmed the hackers’ reports. “If the leaks continue, we will cause severe damage to the privacy of Saudi citizens,” one of the Israeli hackers threatened.
Read more on ynet.
Yes, because we know two wrongs always make a right and turning innocent Saudi shoppers into potential fraud victims will really improve international relations, right?

Ubiquitous surveillance. Thank God I didn't have access to these when I was a kid...
App-Controlled RC Toys Make You Feel Like Ethan Hunt
… At CES Unveiled Sunday night, Interactive Toy Concepts showed off its new Wi-Spi line of video surveillance vehicles: an RC helicopter and RC race car that house a camera that delivers a live stream of video to your device. Both are controlled, as the name would imply, by Wi-Fi.

I don't see it as a big problem, but then I'm not getting $450 per hour...
By Dissent, January 9, 2012
Howard Anderson reports:
The federal government has issued streamlined standards for electronic funds transfers that a health plan uses to pay a claim, as well for related electronic remittance advice. But despite the issuance of a new rule enacting the standards, it remains unclear under what circumstances the HIPAA privacy and security rules might apply to banks handling transactions, one compliance expert says.
Read more on HealthcareInfoSecurity. Hopefully the final rule will clarify this. If not, a lot of lawyers are going to be pulling their hair out [Translation: are going to be making a lot of money Bob] trying to sort this out.

For my Ethical Hackers
Smart meter SSL screw-up exposes punters’ TV habits
January 9, 2012 by Dissent
John Leyden reports:
White-hat hackers have exposed the privacy shortcomings of smart meter technology.
The researchers said German firm Discovergy apparently allowed information gathered by its smart meters to travel over an insecure link to its servers. The information – which could be intercepted – apparently could be interpreted to reveal not only whether or not users happened to be at home and consuming electricity at the time but even what film they were watching, based on the fingerprint of power usage.
Read more on The Register.
[From the article:
During the talk, entitled, Smart Hacking for Privacy (YouTube video here), the researchers explained that they came across numerous security and privacy-related issues after signing up with the smart electricity meter service supplied by Discovergy.
… Because meter readings were sent in clear text, the researchers were able to intercept them and send forged (incorrect) meter readings back to Discovergy. [Cheap energy at last! Bob]
In addition, the researchers discovered that a complete historical record of users' meter usage was easily obtained from Discovergy's servers via an interface designed to provide access to usage for only the last three months. The meters supplied by the firm log power usage in two-second intervals. This fine-grained data was enough not only to determine what appliances a user was using over a period of time – thanks to the power signature of particular devices – but even which film they were watching.
They explained that the fluctuating brightness levels of a film or TV show when displayed on a plasma-screen or LCD TV created fluctuating power-consumption levels. This creates a power/consumption signature for a film that might be determined from the readings obtained by Discovergy's technology.
… More commentary on the presentation can be found in a blog post by Sophos here.

India Reports Completely Drug-Resistant TB

A list for my students (and fellow faculty) with a couple examples...
10 Free Software you should Download to have a Brilliant Year Online (Windows)
2. Backup Tool – Comodo Backup
Comodo Backup is a superior solution that lets you backup any files to a choice of destinations, including to CD or DVD, or online, and it can be easy or as advanced as you want it to be.
4. Sandboxing - Sandboxie
The software can sandbox any application, which means running it in a secure and disposable section of your hard drive to prevent it making any permanent changes to your PC. You can download and even run malware in the sandbox and it won’t be able to infect your system.

Another resource for students...
Recently, Google has launched a new site – Good to Know – which contains useful tips that can help users make their stay on the Internet secure.

A day for resources...
Over the last couple of months Evernote has become my favorite tool for bookmarking websites and saving files. Evernote allows me to access my bookmarks and files from all of my devices whenever I'm connected to the Internet. I also like the tagging and sorting options that I have available to me in Evernote. Before using Evernote I used Google Bookmarks. While Google Bookmarks is good, Evernote's tagging and sorting options are much better.
Recently, I learned that Evernote has an education section in which they provide examples of Evernote being used by teachers and students. Through the Evernote for Education page you can access an hour-long webinar explaining how Evernote can be used by teachers and students.

For the students in my Modern Dance class...
Kinect Comes To Windows On February 1st
… They’ve been hinting at it, people have been hacking it, and they even released an SDK a little while back
… If you’re interested in contributing, check out the SDK, or if you just want to see what people have put together (there has really been some mind-blowing stuff over the last year), scroll through our Kinect tag.

Am I seeing money in Online Education?
Ampush Media Acquires One Of Bill Gates’ Favorite Education Startups, Academic Earth
Ampush Media, an online marketing startup, has acquired Academic Earth, an online education video site that’s sort of like a “Hulu for Education” and a Bill Gates-favorite. Financial terms of the deal were not disclosed.
As we’ve written in the past, Academic Earth is a user-friendly, curated platform for educational videos that allows anyone to freely access instruction from the scholars and guest lecturers at the leading academic universities. The site offers 350 full courses and over 5,000 total lectures from Yale, MIT, Harvard, Stanford, UC Berkeley, and Princeton that can be browsed by subject, university, or instructor through a user-friendly interface.
Additionally, editors have compiled lectures from different speakers into Playlists such as “Understanding the Financial Crisis” and “First Day Of Freshman Year.” Since the site’s launch in 2008, Academic Earth has grown to attract 400,000 unique visitors per month, primarily through word of mouth.

Monday, January 09, 2012

I have long since reached my frustration point. Increasingly I am seeing calm, rational security & privacy bloggers starting to lose it with those who should be responsible... This post is typical. If nothing else, a poor response will raise your negative profile.
Ca: Computers with personal info stolen from Waterloo Region District School Board
January 8, 2012 by admin
I wasn’t even going to mention this breach on this blog. I originally intended to just add it to DataLossDB, but when I read it, I was somewhat put off by the school board’s actions and statements so I decided to comment on it here.
Jeff Hicks reports:
Nine computers stolen from the Waterloo Region District School Board’s education centre in Kitchener on Dec. 1 contained personal information about individuals.
So, should parents and families be worried?
“If there are risks associated with the content, we will contact families directly,” said board chair Catherine Fife on Friday after the first media release was issued on the month-old break-in and theft.
So more than one month after the theft, the board still hasn’t determined if there are risks and hasn’t contacted anybody directly? Why not? Are they working round the clock on this or did they take the holidays off or..?
“I think, as a board, we are being responsible by sharing the information and letting the public know that a breach has occurred.”
No details on what type of personal information was contained on the laptops, used by staff, were released by the Board on Friday.
The number of people or families with information at risk was not released.
Families should be grateful that the board disclosed that there had been a breach a month after the fact and without any details? This is what the board considers being responsible? Seriously?
More than one month after a breach, the board should not only have notified employees or parents of students who might have been affected but they should have made a public disclosure that contains some actual… what’s that word I’m looking for…. oh, right: details.
The board says the computers conform to industry standards and highly specialized knowledge would be needed to bypass security to get at the information.
“They may not be able to access that information,” Fife said. “It’s a layered process.”
This has nothing to do with computers conforming to industry standards. It has everything to do with the school board having good security protocols in place and the employees complying with them. Are we to infer that the files or the drives weren’t actually encrypted?
Board staff are working on a list of individuals whose information was on the stolen computers.
Why isn’t that list compiled already? Were there thousands of individuals or students whose names needed to be compiled? Did the board have current backups of all of the nine laptops’ drives?
I know that Canada has different breach disclosure and breach notification requirements than U.S. states do, but I would hope that the Privacy Commissioner of Ontario, Dr. Ann Cavoukian, would open a sua sponte investigation into this incident to determine if Waterloo Region District School Board had adequate security and privacy protections in place and whether their breach response is reasonable or not. If I were a parent of a student in that district, I’d want to know why we hadn’t already been informed of the breach and what data was on it from our family.
This was the school board’s second disclosed breach in the past six months. The first, disclosed in August, involved two microfilm tapes containing data on over 2,250 students that went missing in the mail to them from a firm in Winnipeg. After that breach, the board changed to using a courier service. It was never disclosed when that loss actually occurred or what security was on the microfilm tapes.
Maybe the Waterloo Region District School Board has a reasonable explanation why notification has been delayed in its most recent breach. Maybe they don’t. But so far, their “disclosure” leaves this blogger with more questions than answers.

“...because parents don't know how to raise children.” Do you suppose the school would allow parents to see all the data on their children?
MO: Parkway’s use of fitness monitors raises privacy questions
January 9, 2012 by Dissent
Mary Shapiro:
When is the line crossed between better health and surveillance?
In early 2012, wristwatch-like devices called Polar active monitors will be used by older students in PE classes at all 18 Parkway elementary schools. District officials say the devices should help improve the students’ fitness and academic achievement.
Later this school year, the district plans to collect data about activity levels and even sleep patterns for a week at a time. It will have the students wear the devices round the clock.
Some parents and legal experts are raising privacy concerns about at least that aspect of the program.
[From the article:
Cara Bauer, PTO president at Shenandoah Valley and mother of a son in first grade and a daughter in fifth grade, said she's heard about the monitors from her daughter, Caroline. She said her daughter doesn't like wearing one and calls them "the funny watch."
"I wish Parkway would let parents know what's going on with the program," Bauer said.
… Neil Richards, a professor of law with Washington University in St. Louis who teaches privacy and civil liberties courses, said he feels the plan for the devices constitutes "a major privacy issue."
"The school district eventually will be engaging in surveillance of kids' sleep and exercise patterns outside the school day," he said.
… And wearing them voluntarily doesn't eliminate privacy concerns, Richards said.
"They'll create a record of medical information about children around the clock," he said. "Even if it serves laudable public health goals, it's a fairly Orwellian step for a school district to engage in."

We have seen this coming for years. Ever since accountants brought Apple II's with Visicalc into the office. After extensive legal research and with years of professional experience I can definitively state that the correct answer is “Is pendeo...” or perhaps “Il dépend... ” – in either case that translates to “it depends...”
"As companies increasingly enable employees to bring their own devices into business environments, significant legal questions remain regarding the data consumed and created on these employee-owned technologies. 'Strictly speaking, employees have no privacy rights for what's transmitted on company equipment, but employers don't necessarily have access rights to what's transmitted on employees' own devices, such as smartphones, tablets, and home PCs. Also unclear are the rights for information that moves between personal and corporate devices, such as between one employee who uses her own Android and an employee who uses the corporate-issued iPhone. ... This confusion extends to trade secrets and other confidential data, as well as to e-discovery. When employees store company data on their personal devices, that could invalidate the trade secrets, as they've left the employer's control. Given that email clients such as Outlook and Apple Mail store local copies (again, on smartphones, tablets, and home PCs) of server-based email, theoretically many companies' trade secrets are no longer secret.'"

Very interesting idea. Are you reading this, RIAA? (Is this a return to the communication methods we used before Gutenberg locked us into text?)
An anonymous reader writes with this snippet from The Conversation:
"According to the Wall Street Journal, camera manufacturer Kodak is preparing to file for Chapter 11 bankruptcy, following a long struggle to maintain any sort of viable business. The announcement has prompted some commentators to claim that Kodak's near-demise has been brought on by: a failure to innovate, or a failure to anticipate the shift from analogue to digital cameras, or a failure to compete with the rise of cameras in mobile phones. Actually, none of these claims are true. Where Kodak did fail is in not understanding what people take photographs for, and what they do with photos once they have taken them."
Continues the reader:
"Looking at camera data from Flickr, of images uploaded in 2011, camera phones only make up 3% of the total. Dedicated cameras from Canon, Nikon and yes, Kodak were used to take 97% of the images. What Kodak failed to understand is that people have switched from taking photos for remembering and commemorative reasons to using photos for identity and communication. The shift changes the emphasis away from print to social media platforms and dedicated apps."

Another example of the “not invulnerable” Google?
Open Source Maps Gain Ground as Google Paywall Looms
Nestoria is one of those companies that was told it would have to start paying real money for Google Maps. When Google couldn’t tell it exactly how much, Nestoria kicked Mountain View to the curb and switched to OpenStreetMap, a free, collaborative effort to map the globe.
But that’s only part of the story. Nestoria’s “free and open” map data is actually served up by MapQuest, the once and future mapping outfit that ruled the web before Google Maps stole its thunder.
… OpenStreetMap, or OSM, is yet another example of a project that manages to compete with a massive tech company simply by crowdsourcing a problem. Much like Wikipedia challenged Encyclopedia Britannica and Linux took on Microsoft Windows, OpenStreetMap is battling Google Maps, and at least in some cases, it’s winning.

Your phone as guidebook?
January 08, 2012 - applications built by DC government
Via DC Apps - Users may Browse Categories: Education, Public Safety, Economic Development, Infrastructure, Government Operations, Health and Human Services, About DC. Also includes links to Best applications built by individuals/companies.
  • Apps include: DC Police Crime Mapping, Where is my Bus?, DC Wi-Fi Hot Spot Map, AreYouSafe DC, find a metro dc, DC Multimodal Crime Finder

Is this an example of “Book 2.0?” Writing as a collaborative act?
January 07, 2012
Government As a Platform
Government As a Platform Copyright © 2010 O’Reilly Media, Inc.
  • "You are reading the text of an O’Reilly book that has been published (Open Government). However, the author of this piece—Tim O’Reilly—understands that the ideas in this chapter are evolving and changing. We’re putting it here to get feedback from you—what are your ideas? This chapter uses the Open Feedback Publishing System (OFPS), an O’Reilly experiment that tries to bridge the gap between manuscripts and public blogs."

Perspective: Perhaps Internet TV isn't ready for prime time? Or perhaps the couch is a more comfortable place to watch zombie movies?
How People Watch TV Online And Off
… Just in terms of audience reach, Nielsen estimates that almost 145 million people watch video online in the U.S., compared to about 290 million who watch traditional TV. So the penetration of online video is already about half of the overall TV-watching population.
Yet for all the video people watch on the web, it is still a tiny fraction of how much they watch on TV in terms of time spent. In a report put out yesterday on the State of the Media summarizing 2011 data, Nielsen estimates Americans spend an average of 32 hours and 47 minutes a week watching traditional TV. They only spend an average of 3 hours and 58 minutes a week on the Internet, and only 27 minutes a week watching video online. All those billions of videos watched online still only represent 1.4 percent of the time spent watching traditional TV.

Sunday, January 08, 2012

Update: Sounds like the arguments of a six-year-old...
By Dissent, January 7, 2012
Michael Hiltzik provides an update to his previous coverage:
Prime Healthcare has responded, with a letter and a public statement, to my January 4 column about the flouting of patient confidentiality by its corporate office and two executives at its Shasta Regional Medical Center. In the response, Prime states for the record that it believes its disclosure of medical information about the patient, Darlene Courtois, was legal because she “voluntarily disclosed her medical records” to the investigative reporting organization California Watch. The company’s statement is here.
Read more on The Los Angeles Times.
Having read their statement, all I can say is “wow” and they should probably shut up before they step in it even more. In their statement, they write:
SRMC has reviewed the facts and circumstances surrounding the claim made by Mr. Hiltzik and determined, in consultation with legal counsel, that there has been no violation of federal and state privacy laws.
Well, they don’t get to make that determination, despite their assertion. The federal and state agencies or the courts make that determination. All they can really say is that they didn’t think they were violating any state or federal law and still don’t think they are.
But it gets worse (from my perspective). They go on to say:
By publicly engaging in these activities, SRMC was informed and believed that the patient waived her HIPAA rights and that in fact she wanted her medical information to be disclosed and examined. In addition, among other things, SRMC had a good faith belief that the disclosure, if any, was necessary to prevent or lessen a threat to the health and safety of the public.
How do they figure that SRMC was “informed” that the patient waived their responsibilities under HIPAA? Are they mind readers? Of course not. Perhaps they drew an inference, but an inference does not negate any legal obligations.
I think it’s ridiculous that they now throw in a “good faith belief” that their disclosure was necessary to prevent a threat to the health and safety of the public. The only clear threat I can see in the situation is a threat to their reputation. Are they arguing that if people believed the previous statements by California Watch they might avoid necessary care at SRMC?
I really think they’ve dug themselves into a deep hole on this one and it would have been better to say that their understanding was that if she talked, they could, too. They still would have been wrong under HIPAA (as I understand it, anyway), but their repeated insistence that they did nothing wrong legally is only inviting a smackdown by HHS and the state.

Update: Given a full range of capability, what is an appropriate level of response? Would you break his thumbs or screw up his credit rating?
In the wake of the online theft of at least 6,000 credit card numbers belonging to Israelis, Israel's Deputy Foreign Minister Danny Ayalon said that "Israel has active capabilities for striking at those who are trying to harm it, and no agency or hacker will be immune from retaliatory action." Also at Reuters, with a few more details about the believed thief, known as OxOmar: "After Israeli media ran what they said were interviews conducted with OxOmar over email, the Haaretz newspaper said a blogger had tracked the hacker down and determined he was a 19-year-old citizen of the United Arab Emirates studying and working in Mexico."

What is the threshold for decertification? Are the vendors employing a Jedi mind trick? “These are not the failures you are looking for...”
E-ballot device for presidential vote has bugs, report confirms
The Formal Investigative Report issued late last month by the Election Assistance Commission (EAC), which certifies electronic voting equipment, issued a notice of noncompliance for the DS200 optical scanning device manufactured by Election Systems & Software (ES&S), but did not decertify the machine.
The report found three anomalies:
  1. Intermittent screen freezes, system lockups, and shutdowns that prevent the voting system from operating in the manner in which it was designed
  2. Failure to log all normal and abnormal voting system events
  3. Skewing of the ballot, resulting in a negative effect on system accuracy
Specifically, the DS200 failed in some cases to record when the touch screen was calibrated or the system was powered on or off, failed to read votes correctly when a ballot was inserted at an angle, and accepted a voted ballot without recording the ballot on its internal counter and without recording the marks, according to the report.

More likely an AT&T-like tap at the collection point. More efficient. Much simpler to enable.
"In a tweet early this morning, cybersecurity researcher Christopher Soghoian pointed to an internal memo of India's Military Intelligence that has been liberated by hackers and posted on the Net. The memo suggests that, "in exchange for the Indian market presence" mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as "RINOA") have agreed to provide backdoor access on their devices. The Indian government then "utilized backdoors provided by RINOA" to intercept internal emails of the U.S.-China Economic and Security Review Commission, a U.S. government body with a mandate to monitor, investigate and report to Congress on 'the national security implications of the bilateral trade and economic relationship' between the U.S. and China. Manan Kakkar, an Indian blogger for ZDNet, has also picked up the story and writes that it may be the fruits of an earlier hack of Symantec. If Apple is providing governments with a backdoor to iOS, can we assume that they have also done so with Mac OS X?"

Something for the Criminal Justice students?
Document: ‘Black box’ data from Lt. Governor Murray’s crash
January 7, 2012 by Dissent
I’ve occasionally blogged about EDRs or “black box recorders” in cars. But have you ever seen their output or a report from one? I hadn’t. The Boston Globe published one such report after Massachusetts’ Lieutenant Governor Timothy P. Murray was in an accident in a state vehicle. The findings contradicted his previous statements about the accident.
Anyway, you can read the report here. And do note the disclaimer section about what the instruments record and don’t record – and how crash reconstructionists need to be aware of certain limitations.

Very interesting chart. After Healthcare and Lawyers come computer geeks and educators – I suspect someone isn't reading the numbers correctly.
January 07, 2012
WSJ - 2011 Jobs Snapshot - Unemployment Rate by Job
"The national U.S. unemployment rate is 8.5%, but that varies widely by what profession you might be in. The below chart shows the size of select industries and their unemployment rates. The table below shows all the occupations within those industries and their unemployment rates. Search the list to find what the unemployment rate is for your job."

Another tool for the “We don't need no stinking lawyers” folder?
Usually the license agreements you agree to while signing up for a web service or installing software include many confusing portions that discourage you from reading everything. Here to make matters simpler is a desktop tool called EULAlyzer.
… When the app opens up you can either paste license agreements into it or click on an icon to indicate which window the agreement is open in.
Once the agreement has been detected, the app analyzes it and searches for ‘interesting’ words and terms that you should go over.

I know many instructors (you know who you are) who create brilliant, easy-to-read handouts on a wide variety of software and other topics just for the six or ten students in a class. Might as well get paid for the work you have already done...
On Whizzley, you can become a publishing author for free, and submit your own articles as regularly as you want. You won't have to create your very own blog, and you won't have to worry about running it either. That'll be taken care of for you. You'll be free to focus on your writing, and on saying what you want to say using the best words you could ever use. And you'll be paid for your efforts: you'll get a permanent 50% to 60% share of royalties.