Saturday, March 10, 2012

How not to win friends and influence people, OR Welcome to the anti-social network! A few comments suggest this lack of investigation is common. Would it be correct to call it “lying to the AG?”
AT&T Says One Of Its Service Providers Hacked Illegally Into Connecticut Customers’ Accounts
March 9, 2012 by admin
George Gombossy reports:
AT&T is now admitting that one of its service providers hacked illegally into at least five Connecticut customers’ accounts.
The admission, in a letter Thursday to the Connecticut Attorney General’s office, comes after months of denial by AT&T that it could have had anything to do with two security breaches of a Winsted woman’s AT&T account, which was used to purchase five iPhones through fraud.
Read more on The service provider was not named in the news story.
[From the article:
Not only did AT&T officials – including members of its fraud division – deny that possibility, they attempted to blame Apple employees for the breaches and then treated the customer rudely, telling Denise Jones to stop raising questions about her fraud and to stop asking for copies of its internal investigation report, which had apparently been completed weeks ago.
… MacKinnon told me I would have to write a retraction if I wrote a story insinuating that AT&T was to blame, hinting that it was someone close to Jones who hacked her account.
… Fitzgerald conceded that someone associated with AT&T did access Jones’ account, not only once but even after she had complained about the hacking and had set up a secret password.
“Unfortunately, the misconduct of this service provider’s employee has impacted many more AT&T customers other than Mrs. Jones,” the letter said.
… AT&T has proactively gone into the impacted accounts to reverse any fraudulent charges and to correct account information [Interesting. They have a crystal ball to determine which transactions are fraudulent (or are they just covering up evidence?) Bob]
“To the extent any external credit inquiries were made by AT&T against a customer’s credit report in connection with the misconduct, AT&T is requesting that the credit reporting agencies remove the improper inquiry. [More than an “inquiry”... Bob]

Think of this as a bit more dangerous than stalkers or burglars...
Army Warns Of Danger Of Geotagging
… In 2007, geotagged photos of a new fleet of helicopters allowed enemy forces to mortar the base and destroy several of them; it could just as easily have been a field hospital or barracks.
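The fix on the defender's side is to check photos for GPS metadata before they are posted and strip it. As an added example (not from the Army notice or from this blog), here is a small dependency-free Python tool that parses the Exif APP1 segment of a JPEG, reports the embedded latitude/longitude if a GPS sub-IFD is present, and writes a copy with the whole Exif block removed. The sample JPEG is constructed inside the script (it has no image data, only the marker segments), and the coordinates it carries are made up.

```python
"""Detect and strip EXIF GPS geotags from a JPEG. Added example; the sample file is constructed."""
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                      # IFD0 entry that points at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _read_ifd(tiff, order, offset):
    """Return {tag: (type, count, raw 4-byte value field)} for one TIFF IFD."""
    (count,) = struct.unpack(order + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(order + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, n, tiff[base + 8:base + 12])
    return entries


def _dms_to_degrees(tiff, order, entry, ref):
    """Decode a 3 x RATIONAL (deg, min, sec) value; ref b'S' or b'W' makes it negative."""
    _typ, _n, value = entry
    (off,) = struct.unpack(order + "I", value)           # 24 bytes never fit inline
    nd = struct.unpack(order + "6I", tiff[off:off + 24])
    deg, mins, secs = (nd[i] / nd[i + 1] for i in (0, 2, 4))
    degrees = deg + mins / 60 + secs / 3600
    return -degrees if ref[:1] in (b"S", b"W") else degrees


def gps_from_exif(payload):
    """Return (lat, lon) if this Exif APP1 payload carries GPS coordinates, else None."""
    if not payload.startswith(EXIF_HEADER):
        return None
    tiff = payload[len(EXIF_HEADER):]
    order = "<" if tiff[:2] == b"II" else ">"              # byte order from TIFF header
    (ifd0_off,) = struct.unpack(order + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, order, ifd0_off)
    if TAG_GPS_IFD not in ifd0:
        return None
    (gps_off,) = struct.unpack(order + "I", ifd0[TAG_GPS_IFD][2])
    gps = _read_ifd(tiff, order, gps_off)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat = _dms_to_degrees(tiff, order, gps[GPS_LAT], gps[GPS_LAT_REF][2])
    lon = _dms_to_degrees(tiff, order, gps[GPS_LON], gps[GPS_LON_REF][2])
    return lat, lon


def _segments(data):
    """Yield (marker, start, end) for each JPEG marker segment up to SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("bad marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI / SOS: no metadata segments follow
            yield marker, pos, len(data)
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def find_geotag(jpeg):
    """Return (lat, lon) if the JPEG is geotagged, else None."""
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1:                  # APP1 holds Exif (and sometimes XMP)
            coords = gps_from_exif(jpeg[start + 4:end])
            if coords is not None:
                return coords
    return None


def strip_exif(jpeg):
    """Copy the JPEG without its Exif APP1 segment(s); GPS and all other Exif tags go."""
    out = bytearray(jpeg[:2])
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER:
            continue
        out += jpeg[start:end]
    return bytes(out)


def build_geotagged_jpeg(lat_dms=(38, 53, 23), lon_dms=(77, 2, 11)):
    """Constructed sample: SOI, Exif APP1 with a GPS IFD (38 53'23"N, 77 02'11"W), COM, EOI."""
    le = "<"
    ifd0_off, gps_off = 8, 26                 # IFD0 = 2 + 12 + 4 = 18 bytes after the header
    lat_off, lon_off = gps_off + 54, gps_off + 78   # GPS IFD = 2 + 4*12 + 4 = 54 bytes
    tiff = b"II" + struct.pack(le + "HI", 42, ifd0_off)
    tiff += struct.pack(le + "H", 1) + struct.pack(le + "HHII", TAG_GPS_IFD, 4, 1, gps_off) + b"\0\0\0\0"
    tiff += struct.pack(le + "H", 4)
    tiff += struct.pack(le + "HHI", GPS_LAT_REF, 2, 2) + b"N\0\0\0"
    tiff += struct.pack(le + "HHII", GPS_LAT, 5, 3, lat_off)
    tiff += struct.pack(le + "HHI", GPS_LON_REF, 2, 2) + b"W\0\0\0"
    tiff += struct.pack(le + "HHII", GPS_LON, 5, 3, lon_off) + b"\0\0\0\0"
    for d, m, s in (lat_dms, lon_dms):
        tiff += struct.pack(le + "6I", d, 1, m, 1, s, 1)
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    note = b"constructed sample, no image data"
    com = b"\xff\xfe" + struct.pack(">H", len(note) + 2) + note
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_geotagged_jpeg()
    print("geotag in sample:", find_geotag(sample))
    print("geotag after strip:", find_geotag(strip_exif(sample)))
```

Dropping the entire Exif block is the blunt but safe choice: it also removes camera make, serial number and timestamps, which is usually what you want for anything posted publicly. Keep in mind that a separate XMP segment can carry location too, and that many photo services re-embed nothing but some social networks preserve metadata on download, so the check belongs at upload time, not after the fact.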

My question: Would you hire this student, give him a scholarship to a Tech school, or ban him for life from ever holding a tech job? (Second question: Is this really bad reporting or a really poor school security system?)
Europe’s ‘youngest app designer’ expelled from school for hacking its IT system
March 9, 2012 by admin
ANI reports:
A “computer whizzkid”, who was crowned Europe’s youngest application designer, has been expelled for hacking into his school’s computer system.
Aaron Bond, 14, was expelled from King Edward VI College in Totnes, Devon for trying to access confidential information about staff and students and even the vice-principal’s financial information.
He managed to access details about his peers and edited the IT room booking system and school newsletter before the security breach came to school management’s knowledge.
Read more on Newstrack India. This is South Devon and The Telegraph provide additional details.
[From the Telegraph:
Using passwords, he managed to look at details about his peers and was able to edit the IT room booking system and school newsletter before the security breach was spotted.
He has now been visited by police, who took DNA samples and fingerprints before giving him a formal reprimand.
His school, King Edward VI College in Totnes, Devon has permanently expelled him and maintains no student should have had access to passwords.
Aaron, who is predicted A*, A and B grades in his GCSEs, said: "I am very sorry and if I had known the consequences I never would have done it."
[From This is South Devon:
Aaron Bond (pictured), 14, is the managing director of his own web design firm and has designed six apps used on smartphones.
He was among hand-picked delegates at the Apple conference last year, and was even being considered for university courses because he is so advanced with computers.
… Aaron said he became curious after a list of passwords was displayed on a white board in the school's IT room.
… The school insists the passwords were 'examples' and that no one has access to passwords within the school.
… The system was locked down when staff realised there had been a breach, but Aaron was still able to access the site when he tried to log in again.

That didn't take long. I blogged about this yesterday!
How to Get Windows on the iPad (With Microsoft’s Blessing)
Microsoft has sicced its lawyers on the OnLive Desktop — an internet service that streams Windows onto the iPad — but this won’t stop another free-thinking startup from sending Microsoft’s flagship operating system onto Apple’s tablet by way of the proverbial cloud.
The Palo Alto-based Nivio offers an internet service — the nDesktop — that streams Windows onto all sorts of machines, including Macs, PCs, and Google Chromebooks as well as the same devices targeted by the OnLive Desktop: iPads and Android tablets. Microsoft just told the world that the OnLive Desktop violates its licensing terms for Windows, but Nivio president and “chief wizard” Sachin Dev Duggal says this isn’t a problem for his company’s service, which delivers Windows in a very different way.

Interesting slide show for explaining the Cloud?
March 09, 2012
SLA Presentation on Cloud Computing
A New Way to Compute or: How I Learned to Stop Worrying and Love the Cloud - Robert Bohn, NIST, March 7, 2012 - DC/SLA Washington, DC Chapter
"NIST Cloud Computing Program Goal - Accelerate the federal government’s adoption of cloud computing*
  • Build a USG Cloud Computing Technology Roadmap which focuses on the highest priority USG cloud computing security, interoperability and portability requirements
  • Lead efforts to develop standards and guidelines in close consultation and collaboration with standards bodies, the private sector, and other stakeholders"

Warren Buffet does not invest in technology companies. Here's a guy who does...
Where Asia’s richest man is putting his money now
… Of late Li has become particularly fascinated by the sweeping potential of artificial intelligence across all his businesses. In addition to his $7.5-million investment in Siri, the now ubiquitous iPhone virtual assistant, he gave $300,000 last December to a startup that uses AI in its summarization search engine, Summly, run by a 16-year-old. One of the biggest AI impacts, he believes, will come in education, where customized learning will become “closely knitted” to individual devices. “AI has reached an inflection point,” he says. “Combined with the high-speed mobile network, disruption in several industries will be unavoidable.”

A short-term business model? A way to wean users off paper/introduce them to digital?
Marvel Touts New Deal: Buy A Comic Book, Get The Digital Version Free

Perhaps only because I like food, but this looks like an interesting start-up. May Be Feeding Your Favorite Startup
Startup is trying to answer one of the rarely-discussed challenges facing any company that wants to keep a large workforce happy — feeding them meals that aren’t boring.
… Office managers, or whoever else is in charge of a company’s meals, can just go to the website and enter their needs — for example, if they need to feed 50 people every Monday, Wednesday, and Friday, and five of them are vegetarians. Then handles all of the logistics, bringing in a rotating menu of food from a network of small restaurants and carts — businesses that probably don’t have the time or resources to do large office catering on their own.

For my Ethical Hackers
Teen Exploits Three Zero-Day Vulns for $60K Win in Google Chrome Hack Contest
Just hours before the end of Google’s $1 million hack challenge, a teenager who once applied to work at Google without getting a response, hacked the company’s Chrome browser using three zero-day vulnerabilities, one of which allowed him to escape the browser’s security sandbox.

For my Management of IT students... In one CTO, data for behavioral advertisers and outsourcing health care to India?
"On Friday, President Barack Obama appointed Todd Park, a 39-year-old former entrepreneur and data scientist, to be the new Chief Technology Officer of the United States. Park takes over for Aneesh Chopra, the first U.S. CTO, who resigned earlier this year. Park was formerly the CTO of the U.S. Department of Health and Human Services since 2009, where he helped bring 'big data' to healthcare by helping create an open health care data platform similar to the National Weather Service, which could feed data to commercial websites and applications. Before joining the Obama administration, Park helped co-found AthenaHealth and Castlight Health, and also served as a senior adviser to Ashoka, a global incubator for social entrepreneurs. One of his ventures, Healthpoint Services, won the 2011 Sankalp Award for the 'most innovative and promising health-oriented social enterprise in India.'"

Sort of a Meta-Pinterest?

Another Meta application for Social Networks
Storify lets you curate social networks to build social stories, bringing together media scattered across the Web into a coherent narrative. We are building the story layer above social networks, to amplify the voices that matter and create a new media format that is interactive, dynamic and social.
Create your own stories social media networks to find media elements about the topic you want to Storify.
Curate the elements — Drag and drop status updates, photos or videos to bring together the social media elements that will best illustrate your story.
Write your own narrative

This looks cool! This might be just the thing for encouraging (forcing?) student participation. It might also be the tool I'm looking for to have my students write their own textbook!
A Better Live Wiki: HackPad Could Be Your SXSW Backchannel
HackPad has a more serious idea: actually taking notes about the panels and keynotes you go to, with other people who care.
It sounds dangerously productive for the fun-oriented event. And it is — this is one of the better live group word-processing products I’ve seen in a while.
… The interface is nice and simple. You log in with Facebook, or with Google or by creating a new account. Then you can just start creating and editing docs. Participating users appear on the right side of each page, and each person gets a unique color bar on the left side of where they’re typing. Live edits are in real-time, so you can watch other users pounding out their own notes while you’re busy sharing yours.
The top menu includes a simple set of actions for all the main things you need to do. There’s a plus button for creating new docs, a search bar, and basic WYSIWYG commands including a big button for creating links to other docs or the web (something a lot of editors don’t show off well in their interfaces).

(Related) Similar but not as useful for groups?
Magzinr gives you the chance to organize and manage all the links you have stored on sites like Delicious, and split the content within as many different categories as you need. You can also tag this content, and then have everything arranged into a sort of magazine that can be easily accessed online. This magazine (which looks a lot like a RSS feed) can be publicly shared, which means that other people can subscribe to your magazine.

Friday, March 09, 2012

Henceforth ye shall be called “The Oxymoronic Database!” Because of course, the URL is neither nor, it is actually: and there is no record of me staying in the Lincoln bedroom... Oh wait, that would be accurate.
March 08, 2012
White House Launches with searchable datasets
" brings together datasets from across the government to help citizens easily access this information, empowering Americans to hold government accountable.
  • Enter a name and see every record of that person across the entire collection of ethics data - including campaign finance, lobbying, and White House visitor records.
  • brings together datasets from across the government to help citizens easily access this information, empowering Americans to hold government accountable."

What better indication of the truth of an article? (By reporting this, my airline ticket price just went up by the cost of a colonoscopy.)
"When anti-TSA activist Jonathan Corbett exposed a severe weakness in TSA's body scanners, one would expect the story to attract a lot of media attention. Apparently TSA is attempting to stop reporters from covering the story. According to Corbett, at least one reporter has been 'strongly cautioned' by TSA spokeswoman Sari Koshetz not to cover the story. If TSA is worried that this is new information they need to suppress to keep it away from terrorists, that horse may have left the barn years ago. Corbett's demonstration may just be confirmation of a 2010 paper in the Journal of Transportation Security that concluded that 'an object such as a wire or a boxcutter blade, taped to the side of the body, or even a small gun in the same location, will be invisible' to X-ray scanners."

The FBI finally grasps the obvious? Or is this just another request for a bigger budget?
"Robert S. Mueller III, Director of the Federal Bureau of Investigation (FBI), yesterday warned Congress of terrorist hacking. He believes that while terrorists haven't hacked their way into the U.S. government yet, it's an imminent threat. Mueller said, 'To date, terrorists have not used the Internet to launch a full-scale cyber attack, but we cannot underestimate their intent. Terrorists have shown interest in pursuing hacking skills. And they may seek to train their own recruits or hire outsiders, with an eye toward pursuing cyber attacks.'"

(Related) And the power companies would like a tax break (or outright grant) too...
NYC goes dark: Secret demo for senators simulated cyberattack on power grid
… The FBI, NSA, DOJ, DHS Secretary Janet Napolitano and White House counterterrorism adviser John Brennan all took part in the simulated New York City power grid attack which was undoubtedly meant to scare the stuffing out of senators and win support for cybersecurity legislation. In fact Senator Susan Collins told Bloomberg, "The mock attack on the city during a summer heat wave was 'very compelling.' It illustrated the problem and why legislation is desperately needed." [Because laws will work where failure to implement Computer Security Best Practices has not? Bob]

Perhaps because I teach math, but sometimes the numbers just jump out at you. Do we have innumerate reporting or did this bust frighten off some small guys?
After Megaupload Bust, Putlocker and RapidShare Pick Up Slack
The Feds shut down Megaupload two months ago, but browser-based filesharing hasn’t slowed down. It has just moved to other websites.
Before the takedown, Megaupload was the most popular web-based filesharing service — by far. In a recent study of 1,600 networks, Palo Alto Networks — a company that makes its living scanning corporate networks for unauthorized software — found that it accounted for about a quarter of all filesharing traffic [“about a quarter” is about 25% Bob] on these networks. That was about 10 percent more than its nearest competitor.
… Putlocker seems to be the big winner. It went from being the source of about 6 percent of web-based filesharing to 28 percent, when measured by the amount of networking bandwidth used. To put that in perspective, Megaupload accounted for about 25 percent of bandwidth before it was shut down. “Putlocker is on the rise,” King said.
Rapidshare got a boost too, jumping from 8 percent to 15 percent, according to Palo Alto’s latest data, which is based on a survey of 241 networks, conducted after the Megaupload takedown.
[So, Putlocker grabbed (28-6=) 22% and Rapidshare grabbed (15-8=) 7% for a combined grab of 29%, more than Megaupload had in total. Bob]

We can, therefore we must! We knew that, right?
Drones, Dogs and the Future of Privacy
… Under a fresh mandate from Congress, the Federal Aviation Administration will begin to relax its restrictions around the domestic use of “unmanned aerial systems,” leading to greater use of drones by public agencies and, eventually, the private sector.

(Related) When all of the technology is “off the shelf,” “We can” actually becomes “Anyone can.” The next question is “What is the difference between a Drone and a really slow Cruise Missile with a limited payload?” No doubt DHS will need to get into the Barrage Balloon business to protect our borders.
Don’t Freak Out, But Iran Is Helping Venezuela Build Drones

Does this smack of Monopoly Power? Or is it just the cost of access?
"Google has been pressuring applications and mobile game developers to use its costlier in-house payment service, Google Wallet for quite some time. Now Google warned several developers in recent months that if they continued to use other payment methods — such as PayPal, Zong and Boku — their apps would be removed from Google Play. The move is seen as a way to cut costs for Google by using their own system."

...and one for the IP lawyers.
"When Onlive, the network gaming company, started offering not just Microsoft Windows but Microsoft Office for free on the iPad, and now on Android, it certainly seemed too good to be true. Speculation abounded on what type of license they could be using to accomplish this magical feat. From sifting through Microsoft's licenses and speaking with sources very familiar with them, the ugly truth may be that they can't."

Haven't I been saying this for years? (Yes, you have Bob, we just didn't care.)
"We've frequently discussed the growing trend among video game publishers to adopt a business model in which downloading and playing the game is free, but part of the gameplay is supported by microtransactions. There have been a number of success stories, such as Dungeons & Dragons Online and Lord of the Rings Online. During a talk at the Game Developers Conference this week, Valve's Joe Ludwig officially added Team Fortress 2 to that list, revealing that the game has seen a 12-fold increase in revenue since the switch. He said, 'The trouble is, when you're a AAA box game, the only people who can earn you new revenue are the people who haven't bought your game. This drives you to build new content to attract new people. There's a fundamental tension between building the game to satisfy existing players and attract new players.' He also explained how they tried to do right by their existing playerbase: 'We dealt with the pay-to-win concern in a few ways. The first was to make items involve tradeoffs, so there's no clear winner between two items. But by far the biggest thing we did to change this perception was to make all the items that change the game free. You can get them from item drops, or from the crafting system. It might be a little easier to buy them in the store, but you can get them without paying.'"

A much clearer way to look at “post PC?” Similar to the “Internet of Things?”
"Speaking at a tech conference in Seattle this week, former Microsoft Chief Software Architect Ray Ozzie had some interesting things to say about the state of the computing industry. 'People argue about "are we in a post-PC world?" Why are we arguing? Of course we are in a post-PC world. That doesn't mean the PC dies, that just means that the scenarios that we use them in, we stop referring to them as PCs, we refer to them as other things.' Ozzie also thinks Microsoft's future as a company is strongly tied to Windows 8's reception. 'If Windows 8 shifts in a form that people really want to buy the product, the company will have a great future. ... It's a world of phones and pads and devices of all kinds, and our interests in general purpose computing — or desktop computing — starts to wane and people start doing the same things and more in other scenarios.'"

(Related) I drove my PC... (Also a business opportunity here)
"This month, Ford is borrowing something from the software industry: updates. With a fleet of new cars using the sophisticated infotainment system they developed with Microsoft called SYNC, Ford has the need to update those vehicles — for both features and security reasons. But how do you update the software in thousands of cars? Traditionally, the automotive industry has resorted to automotive recalls. But now, Ford will be releasing thirty thousand USB sticks to Ford owners with the new SYNC infotainment system, although the update will also be available for online download. In preparing to update your car, Ford encourages users to have a unique USB for each Ford they own, and to have the USB drive empty and not password protected. In the future, updating our gadgets, large and small, will become routine. But for now, it's going to be really cumbersome and a little weird. [Sounds like a job for a geek! Bob] Play this forward a bit. Imagine taking Patch Tuesday to a logical extreme, where you walk around your house or office to apply patches to many of the offline gadgets you own."

Attention Ethical Hackers: I told you we started too late. But it's not over yet.
Chrome Owned by Exploits in Hacker Contests, But Google’s $1M Purse Still Safe
A $1 million purse that Google has offered to hackers who can produce zero-day exploits against its Chrome browser appears to be safe after the first day of its three-day Pwnium hacking contest, which yielded just one contestant and one successful zero-day attack.
The absence of competitors has made for a very quiet contest, particularly since the sole competitor in the Google competition so far didn’t even show up for the event. The successful attack code, which actually exploited two vulnerabilities in Chrome, was developed by Russian university student Sergey Glazunov, who lives somewhere outside Siberia and sent in his code via a proxy who was present at the contest event.
Glazunov earned $60,000 from Google for his exploit. The remaining $940,000 in the purse, which Google has promised to pay out in increments of $60,000, $40,000 and $20,000 – depending on the severity and characteristics of the exploits – is awaiting other challengers who so far have yet to join the contest.

For my Data Mining and Data Analytics students. Even if you don't have as much information as Stephen Wolfram, “you can observe a lot just by looking” as Yogi Berra said.
The Personal Analytics of My Life
One day I’m sure everyone will routinely collect all sorts of data about themselves. But because I’ve been interested in data for a very long time, I started doing this long ago. I actually assumed lots of other people were doing it too, but apparently they were not. And so now I have what is probably one of the world’s largest collections of personal data.
Every day — in an effort at “self awareness” — I have automated systems send me a few e-mails about the day before. I’ve been accumulating data for years and though I always meant to analyze it I never actually did. But with Mathematica and the automated data analysis capabilities we just released in Wolfram|Alpha Pro, I thought now would be a good time to finally try taking a look — and to use myself as an experimental subject for studying what one might call “personal analytics.”
Let’s start off talking about e-mail. I have a complete archive of all my e-mail going back to 1989 — a year after Mathematica was released, and two years after I founded Wolfram Research. Here’s a plot with a dot showing the time of each of the third of a million e-mails I’ve sent since 1989:

Strangely enough, these work for students too
This afternoon at NCTIES I gave my popular best of the web presentation to a packed room. The presentation covers 70 resources in 60 minutes. You can view all of the resources in the slides below.

(Related) and these work for non-students

Thursday, March 08, 2012

Amazing what can be justified by the claim “It's to protect the children!”
ACLU-MN files lawsuit against Minnewaska Area Schools
March 7, 2012 by Dissent
If the allegations in this complaint are true, this is a truly egregious over-reach by a school district that simultaneously invaded a student’s privacy and punished her for protected speech. Here’s the press release from the ACLU of Minnesota:
St. Paul, Minn. – Today, the American Civil Liberties Union of Minnesota filed a lawsuit in Federal District Court against Minnewaska Area Schools and the Pope County Sheriff’s office for violating the constitutional rights of a minor student. R.S’s free speech and privacy rights were violated by the school district in two separate instances involving Facebook. (To protect the privacy of the minor defendant, she will be referred to as R.S.)
In early 2011 R.S. posted a comment, while at home, on her Facebook page about her dislike of a school staff member. The school learned about the comment, and R.S. received a detention and was forced to write an apology to the staff member. She was disciplined again when she cursed on her Facebook page, complaining that someone reported her to the school. This time she was given an in-school suspension and was prohibited from attending a school field trip. The ACLU-MN contends that these sanctions violate her First Amendment right to freedom of speech.
In a second incident R.S. was brought into a school administrator’s office where she was coerced to turn over (against her will) login information to her Facebook and email accounts because of allegations that she had online conversations about sex with another student off-campus. Present at the search was a local deputy along with two school officials. During this process, R.S. was called a liar and told she would be given detentions if she did not give the adults access to her accounts. R.S.’s mother was not informed about the search until after it happened. The Deputy and school officials did not have a warrant to search R.S.’s private accounts. The ACLU-MN alleges in their suit that this violated R.S.’s Fourth Amendment right to be free from unreasonable search and seizure.
The lawsuit seeks damages, declaratory and injunctive relief for the violations of R.S.’s constitutional rights.
“The trauma that these incidents have put R.S. through is completely uncalled for: She was intimidated, frightened, humiliated and sobbing while school administrators were scouring her private communications,” stated cooperating attorney Wally Hilke. “These adults traumatized this minor without any regard for her rights.”
“Students do not shed their First Amendment rights at the school house gate,” stated Charles Samuelson, Executive Director for the ACLU-MN. “The Supreme Court ruled on that in the 1970s, yet schools like Minnewaska seem to have no regard for the standard.”
Cooperating attorneys working on the case are: Wallace Hilke and Bryan Freeman of Lindquist & Vennum PLLP and Professor Raleigh Hannah Levine, William Mitchell College of Law.
To coincide with the lawsuit the ACLU-MN produced a handout for students outlining their privacy rights when using social networking sites.

Amazing what can be justified by the claim “It will catch terrorists!” (This will definitely get you on the “Fly? No, Colonoscopy? Yes” list.)
TSA Pooh-Poohs Video Purporting to Defeat Airport Body Scanners
The government responded angrily Wednesday to a YouTube video allegedly showing a 27-year-old Florida man sneaking a metallic object through two different body scanner devices at American airports. [No doubt the Emperor did as well when it was pointed out that his 'new clothes' left something to be desired (if nothing to the imagination) Bob]
… “These machines are safe,” Lorie Dankers, a TSA spokeswoman, said in a telephone interview. [But do they work? Bob]

Not unexpected. Facebook has made some changes since the lawsuit began, but it isn't clear if that resolves everything...
Facebook Loses Privacy Case in German Court Over Email
March 7, 2012 by Dissent
Shayndi Rice and Friedrich Geiger report:
A German court ruled against Facebook Inc. Tuesday for the way it uses members’ email addresses to solicit new users, in an ongoing battle between the Menlo Park, Calif.-based social network and European privacy groups.
The Berlin regional court said on its website that some of Facebook’s terms of service are invalid, but didn’t provide specifics and couldn’t be reached for comment.
It also ruled Facebook can’t force users to grant the social network a comprehensive license to their content.
[From the article:
The court held that users remain the owners of intellectual-property rights of their Facebook posts, pictures and other content posted on the site,

For my Ethical Hackers. Here (in not too much detail) is something you should not do. (That's not a wink, I have something in my eye...)
Read E-Books On Multiple Devices

A case study for my Ethical Hackers...
Stakeout: how the FBI tracked and busted a Chicago Anon

For my students
Instapaper lets you easily save various web pages so you can get back on reading it later.
… What’s more, you can now read offline and even on the go.
Get started by creating a free account so you can start saving web pages that interest you. Everything is customizable based on your preference so you surely wouldn’t have any problem reading too small texts or too bright backgrounds – it’s all in your hands!
NOTE: Instapaper is optimized for the iPhone, since that’s what I (and most Instapaper users) have, but I’ll do my best to broaden compatibility whenever possible.

Think of the fun I could have by asking my students to teach parts of my class! (Think of the naps I could take instead of researching and writing my lectures)
Coursekit is a free to use web service for teachers and students. The site lets teachers manage any course they are teaching online. If you are the teacher, you can start by creating an account on the site. Next you fill in the details of your course such as the syllabus, calendars, resources, etc. You can invite students by providing them with an online course code that can be used by them to enroll.
You can also share grades of the course with students to keep them updated about their scores.
Similar tools: Udemy.

This has some potential for sending video to answer student questions. (Some email systems don't like large video attachments.)
Givit is the first service to make it easy to share video privately. With Givit families, friends and coworkers can share videos from any camera, Smartphone or camcorder.
In just a few clicks, you can upload a video, add recipients and a personal message, then click Send! Viewers can watch your videos and respond privately from any computer, Smartphone or tablet. Givit is free, safe and secure, and it’s the ideal way for friends and families to share life’s important moments.

Wednesday, March 07, 2012

A long release by (and for) the US Attorney in New York. (I've cut out quite a bit) I guess these guys have never heard of the prisoner's dilemma...
Members of LulzSec Charged for Crimes Affecting Over One Million Victims; “Sabu” Turned on Fellow Hackers
March 6, 2012 by admin
Press release:
Five computer hackers in the United States and abroad were charged today, and a sixth pled guilty, for computer hacking and other crimes. The six hackers identified themselves as aligned with the group Anonymous, which is a loose confederation of computer hackers and others, and/or offshoot groups related to Anonymous, including “Internet Feds,” “LulzSec,” and “AntiSec.”
… were charged in an indictment unsealed today in Manhattan federal court with computer hacking conspiracy involving the hacks of Fox Broadcasting Company, Sony Pictures Entertainment, and the Public Broadcasting Service (“PBS”).
HECTOR XAVIER MONSEGUR, a/k/a “Sabu,” … also pled guilty to the following charges: a substantive hacking charge initially filed by the U.S. Attorney’s Office in the Eastern District of California related to the hacks of HBGary, Inc. and HBGary Federal LLC; a substantive hacking charge initially filed by the U.S. Attorney’s Office in the Central District of California related to the hack of Sony Pictures Entertainment and Fox Broadcasting Company; a substantive hacking charge initially filed by the U.S. Attorney’s Office in the Northern District of Georgia related to the hack of Infragard Members Alliance; and a substantive hacking charge initially filed by the U.S. Attorney’s Office in the Eastern District of Virginia related to the hack of PBS, all of which were transferred to the Southern District of New York,...
Late yesterday, JEREMY HAMMOND, … was arrested in Chicago, Illinois and charged in a criminal complaint with crimes relating to the December 2011 hack of Strategic Forecasting, Inc. (“Stratfor”), a global intelligence firm in Austin, Texas, which may have affected approximately 860,000 victims.
Source: U.S. Attorney’s Office, Southern District of New York

(Related) Told ya...
Anonymous Rocked By News That Top Hacker Snitched to Feds

Probably not true (since they rotate the image, don't they?) but amusing... However, this does match other reports.
TheNextCorner points out a video that lays bare a glaring flaw in the TSA body scanners used in airports to detect weapons and explosives. In such scans, citizens are depicted in light colors, while metallic objects show as very dark. The problem comes when you consider that the images are taken with a dark background. From the transcript:
"Yes that’s right, if you have a metallic object on your side, it will be the same color as the background and therefore completely invisible to both visual and automated inspection. It can’t possibly be that easy to beat the TSA’s billion dollar fleet of nude body scanners, right? The TSA can’t be that stupid, can they? Unfortunately, they can, and they are. To put it to the test, I bought a sewing kit from the dollar store, broke out my 8th grade home ec skills, and sewed a pocket directly on the side of a shirt. Then I took a random metallic object, in this case a heavy metal carrying case that would easily alarm any of the “old” metal detectors, and walked through a backscatter x-ray at Fort Lauderdale-Hollywood International Airport. On video, of course. While I’m not about to win any videography awards for my hidden camera footage, you can watch as I walk through the security line with the metal object in my new side pocket."

Not sure what criteria is used for this...
March 06, 2012
United Nations E-Government Survey 2012
  • "According to the 2012 United Nations E-government Survey rankings, the Republic of Korea is the world leader (0.9283) followed by the Netherlands (0.9125), the United Kingdom (0.8960) and Denmark (0.8889), with the United States, Canada, France, Norway, Singapore and Sweden close behind. The steady improvement in all the indicators of the e-government development index has led to a world average of 0.4877 as compared to 0.4406 in 2010. This reflects that countries in general have improved their online service delivery to cater to citizens’ needs. On a regional level, Europe (0.7188) and Eastern Asia (0.6344) lead, followed by Northern America (0.8559), [Mistake or some evil secret agenda? Bob] South Asia (0.3464) and Africa (0.2762). Despite progress, there remains an imbalance in the digital divide between developed and the developing countries, especially in Africa. The latter region had a mean e-government development index of about 30 per cent of Northern America and about half of the world average. The digital divide is rooted in the lack of e-infrastructure, [a large part of which is a lack of ANY infrastructure Bob] which has hindered information-use and knowledge-creation. The tremendous difference of broadband width and subscriptions between the developing and the developed world proves that there are yet many milestones to be reached in order to close the gap of the digital divide."

The first stat alone says it all – all the online information we consume on a daily basis can fill up 168 million DVDs

I should be able to work this into my website class...
This afternoon the Google Docs and Sites team announced some very useful enhancements to both products. To me, the most exciting news in the announcement is that you can now use custom HTML and Javascript in your Google Sites pages. I have long been frustrated by how difficult, impossible actually without a lot of workarounds, it is to use many custom widgets like some of these survey tools in Google Sites. Now if you want to use custom HTML, Javascript, or CSS in Google Sites all you have to do is select the "HTML box" from the "insert menu" then paste your code. Read Google's directions here.
In the same announcement I learned that you can now search for, highlight, and copy text in the scanned PDFs that you have stored in your Google Docs account.
The comments feature in Google Docs is great for collaboration on documents and presentations. Now you can find all of the comments for a document or presentation in one column by clicking the new "discussions" button which is located just to the left of the "share" button on your documents and presentations.
Applications for Education
I am most excited about the custom html and Javascript option in Google Sites. That removes a major limitation to customizing the pages in websites built in Google Sites. Now you can add things like educational games, custom flashcard applications, survey tools and more to your Google Sites website.

Tuesday, March 06, 2012

Small in terms of the number of credit cards stolen but it does have some blackmail potential...
Digital Playground becomes hackers’ playground (update 1)
March 5, 2012 by admin
The Digital Playground porn site has reportedly been hacked. Big time. The site that advertises “Porn worth paying for” may find itself paying dearly for a security breach that may have exposed over 72,000 customers’ details and over 44,000 credit card numbers.
In what they claim as their first release, a group calling themselves The Consortium (@Th3Consortium on Twitter) described the hack:
You see for a while now we have had access to, one of the five biggest porn sites in the world. But it doesn’t need any introduction from us.
This company has security, that if we didn’t know it was a real business, we would have thought to be a joke – a joke that we found much more amusing than they will.
“This site has so many freaking holes that if I didn’t know it was a porn site, I would have mistaken it for a honeypot” – [Redacted]
We did not set out to destroy them but they made it too enticing to resist. So now our humble crew leave lulz and mayhem in our path. We not only have the 72k users of this site but also over 40k plaintext credit cards including ccvs, names and expiry dates. If you want to hear more about those plaintext credit cards scroll through the MySql info further down. And of course as this is a porn site there was no shortage of .mil and .gov emails in their user list.
We also went on and rooted four of their servers, as well as gaining access to their mail boxes. Using credentials from emails we tapped into their conference call. “Is anyone besides David on the line ?” – We were. Did we win? Sure looks that way.
Digital Playground game over.
Thankfully for the 72,794 users whose usernames, e-mail addresses and plaintext passwords were reportedly acquired, the hackers did not dump all of the data they claim to have acquired, but if they are in possession of the data, that alone is cause for concern. They posted a smattering of the personally identifiable information they acquired:
  • 27 admins’ names, usernames, e-mail addresses, and encrypted passwords
  • 28 admins’ names, usernames, e-mail addresses, and encrypted passwords (some overlap with previous table)
  • 85 affiliates’ usernames, plaintext passwords, and in some cases, IP addresses
  • 100 users’ e-mail addresses, usernames (same as e-mail addresses) and plaintext passwords, and
  • 82 .gov and .mil e-mail addresses with corresponding plaintext passwords
They did not dump the 44,663 credit card numbers that they claim to have acquired, but note that card numbers, card expiration date, cvv and all customer billing address and contact info were in plain text. They provided two redacted versions of named customers as proof of that.
Clearly, if their claims are true (and I have no reason to disbelieve based on what they posted), this is bad. Really bad. So much personal information stored in clear text? Seriously? From Digital Playground’s Privacy Policy:
1. Information Security
Digital Playground, Inc. is dedicated to the protection of Site users’ information. To prevent unauthorized access to information provided to us, the Company uses a number of generally accepted industry standard procedures designed to effectively safeguard the confidentiality of your personal information. These procedures include secure server location, controlled access to data and equipment, robust redundant firewall software, network monitoring, adaptive analysis of network traffic to track and prevent attempted network intrusions and other network abuse and appropriate employee training in the area of data security. We shall continue to take reasonable steps to provide effective data protection at all times, however, because no security technology can provide invulnerability to information compromise, the Company cannot, and does not, guarantee the security of any information that you transmit to us or to any third party affiliated with the Site.
Apparently their dedication doesn’t extend to encrypting customer data or PCI DSS compliance.
At the time of this posting, DP’s homepage returns an error message. They have not yet responded to an inquiry I sent them this morning about the claimed hack.
Update: The web site is back up with no notice and I’ve received no response to my inquiry yet. Interestingly, Digital Playground is operated by Manwin – the same firm that operates the Brazzers and YouPorn web sites that were recently in the news when they were hacked. According to Manwin’s statement in the previous reports, this site appears to have had less security than Brazzers, as in that case, user passwords were reportedly encrypted and credit card data were not compromised.
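The story's own contrast is the point: the admin table holds "encrypted" passwords while the user, affiliate and .gov/.mil tables hold plaintext passwords, and the card data (PAN, expiry, CVV, billing details) sits in plain text too. As an added example, not code from Digital Playground, Manwin or the reporting site, the block below shows the storage discipline that avoids exactly that failure: salted PBKDF2 password hashing with constant-time verification, a card record that keeps only the last four digits, the expiry and an opaque token (the CVV is dropped after authorisation, as PCI DSS requires), and a Luhn-based scan that flags any record dump or log line still carrying a full card number. The work factor, the keyed-HMAC stand-in for a processor's tokenisation service, the key and the sample records (using the standard 4111 1111 1111 1111 test number) are all constructed assumptions.

```python
# Added example (not code from Digital Playground, Manwin or the reporting site):
# how a site should hold the data the story says was kept in plain text.
# Sample card number, key and records below are constructed.
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise it as hardware improves


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never written anywhere."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that real card numbers satisfy; used to spot PANs in dumps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class StoredCard:
    """What the merchant keeps: enough for a receipt and a repeat charge, no PAN, no CVV."""
    last4: str
    expiry: str   # expiry is not 'sensitive authentication data' under PCI DSS
    token: str    # opaque reference; in production a processor-issued token


def tokenize_card(pan: str, expiry: str, cvv: str, vault_key: bytes) -> StoredCard:
    """Reduce a freshly entered card to the fields that may be stored at rest."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
        raise ValueError("not a card number")
    # The CVV is used for the authorisation call (not shown) and then dropped:
    # PCI DSS forbids storing it after authorisation, so it never reaches StoredCard.
    del cvv
    # Assumption: a keyed HMAC stands in for the processor's tokenisation service.
    token = hmac.new(vault_key, digits.encode(), "sha256").hexdigest()
    return StoredCard(last4=digits[-4:], expiry=expiry, token=token)


PAN_RE = re.compile(r"\b\d{13,19}\b")


def contains_plaintext_pan(text: str) -> bool:
    """Scan a record dump or log line for Luhn-valid card numbers."""
    return any(luhn_ok(m.group()) for m in PAN_RE.finditer(text))


if __name__ == "__main__":
    # Constructed: a record in the style the story describes, then the safe form.
    leaked_style = "user=alice pass=hunter2 card=4111111111111111 cvv=123"
    card = tokenize_card("4111 1111 1111 1111", "12/25", "123", vault_key=b"constructed-key")
    safe_style = f"user=alice pass={hash_password('hunter2')} card={card}"
    print("leaked style has PAN:", contains_plaintext_pan(leaked_style))
    print("safe style has PAN:", contains_plaintext_pan(safe_style))
```

The scan at the end is the cheap control a defender can run over database exports and application logs; a hit means a full card number reached storage it should never have reached, which is the condition the Privacy Policy quoted above says the company's "industry standard procedures" were designed to prevent.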

Think this is (Related?) Just saying...
Larry Flynt Wants to Out Sex Lives of More Politicians: $1 Million For Dirt
Yes, Larry Flynt of Hustler and The People vs. Larry Flynt fame has put up another $1 million bounty on the closeted skeletons of prominent U.S. leaders.
He did so over the weekend via a full-page ad in Sunday's Washington Post.

“Let's see if we find it as amusing as you did...” If an applicant doesn't have a Facebook page, are they automatically rejected as “lying Luddites?”
State agencies, colleges demand applicants’ Facebook passwords
March 6, 2012 by Dissent
Bob Sullivan reports:
If you think privacy settings on your Facebook and Twitter accounts guarantee future employers or schools can’t see your private posts, guess again.
Employers and colleges find the treasure-trove of personal information hiding behind password-protected accounts and privacy walls just too tempting, and increasingly, they are demanding full access from applicants and students.
Student-athletes in colleges around the country also are finding out they can no longer maintain privacy in Facebook communications because schools are requiring them to “friend” a coach or compliance officer, giving that person access to their “friends-only” posts. Schools are also turning to social media monitoring companies with names like UDilligence and Varsity Monitor for software packages that automate the task. [There's big money in surveillance Bob]
Read more on MSNBC.

Google can read your browser history. You knew that, right?
Google saves searches across devices with 'recent' icon
… "We provide this new convenience feature for users who have Web History enabled and are logged into Google when doing their search," Google software engineer Junichi Uekawa wrote in a blog post today.

Winning hearts & minds. If I own a site administered in Switzerland, am I safe?
Uncle Sam: If It Ends in .Com, It’s .Seizable
When U.S. authorities shuttered sports-wagering site last week, it raised eyebrows across the net because the domain name was registered with a Canadian company, ostensibly putting it beyond the reach of the U.S. government. Working around that, the feds went directly to VeriSign, a U.S.-based internet backbone company that has the contract to manage the coveted .com and other “generic” top-level domains.
EasyDNS, an internet infrastructure company, protested that the “ramifications of this are no less than chilling and every single organization branded or operating under .com, .net, .org, .biz etc. needs to ask themselves about their vulnerability to the whims of U.S. federal and state lawmakers.”
But despite EasyDNS and others’ outrage, the U.S. government says it’s gone that route hundreds of times. Furthermore, it says it has the right to seize any .com, .net and .org domain name because the companies that have the contracts to administer them are based on United States soil, according to Nicole Navas, an Immigration and Customs Enforcement spokeswoman.

“of the people, by the people, for the people” except when they are out of town... I don't have the full text yet...
Here’s Why the Government Thinks It Can Kill You Overseas
… Attorney General Eric Holder explained the administration’s reasoning for killing American citizens overseas — and only overseas — with drone strikes and other means during a Monday speech at Northwestern University. Holder claimed that the government can kill “a U.S. citizen who is a senior operational leader of al-Qaida or associated forces” provided the government — unilaterally — determines that citizen poses “an imminent threat of violent attack”; he can’t be captured; and “law of war principles,” like the use of proportional force and the minimization of collateral damage, apply.
“This is an indicator of our times,” [Sounds suspiciously like 'situational ethics' Bob] Holder argued, “not a departure from our laws and our values.”

Creating confidence in DHS? What do they do well? (Okay, beside spend our tax dollars)
March 05, 2012
IG Audit - Department of Energy's Implementation of Homeland Security Presidential Directive 12
  • "Homeland Security Presidential Directive 12 (HSPD-12), Policies for a Common Identification Standard for Federal Employees and Contractors, was established in August 2004 to enhance national security and mandate the use of a Federal government-wide standard for secure and reliable forms of identification for Federal employees and contractors. HSPD-12 required that the identification be issued based on sound criteria for verifying an employee's identity; strongly resistant to identity fraud, tampering, counterfeiting and terrorist exploitation; able to be rapidly authenticated electronically; and, issued only by providers with reliability established by an official accreditation process... We found that, despite 7 years of effort and expenditures of more than $15 million, the Department had yet to meet all HSPD-12 requirements. In particular, the Department had not fully implemented physical and logical access controls in accordance with HSPD-12. Furthermore, the Department had not issued HSPD-12 credentials to many uncleared contractor personnel at its field sites. Specifically: None of the 5 field sites reviewed had fully implemented physical access controls in accordance with HSPD-12 for the more than 40,000 employees requiring access to those facilities."

The whole truth...
March 05, 2012
DHS Privacy Office 2011 Data Mining Report to Congress, February 2012
  • "The Department of Homeland Security Privacy Office (DHS Privacy Office or Office) is providing this report to Congress pursuant to the Department’s obligations under section 804 of the Implementing the Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act), entitled the Federal Agency Data Mining Reporting Act of 2007 (Data Mining Reporting Act or the Act). This report discusses activities currently deployed or under development in the Department that meet the Data Mining Reporting Act’s definition of data mining, and provides the information set out in the Act’s reporting requirements for data mining activities."
[From the report:
When it created DHS, Congress authorized the Department to engage in data mining and other analytical tools in furtherance of Departmental goals and objectives.]

There's money to be made here...
March 05, 2012
The Search for a New Business Model: in-depth look at how newspapers are faring trying to build digital revenue
  • "A new study, which combines detailed proprietary data from individual newspapers with in-depth interviews at more than a dozen major media companies, finds that the search for a new revenue model to revive the newspaper industry is making only halting progress but that some individual newspapers are faring much better than the industry overall and may provide signs of a path forward. In general, the shift to replace losses in print ad revenue with new digital revenue is taking longer and proving more difficult than executives want and at the current rate most newspapers continue to contract with alarming speed, according to the study by the Pew Research Center's Project for Excellence in Journalism. Cultural inertia is a major factor. [Always has been. The solution has always been “start a new organization. When it is running the way you want, close the old organization.” Bob] Most papers are not putting significant effort into the new digital revenue categories that, while small now, are expected to provide most of the growth in the future. To different degrees, executives predict newsrooms will continue to shrink, more papers will close and many surviving papers will deliver a print edition only a few days a week. But some papers are performing quite differently than the norm, some much better and some far worse. These variances suggest that the future of newspapers, rather than being determined entirely by sweeping trends, can be significantly affected by company culture and management, even at papers of quite different sizes."

Would the same hold for college students?
March 05, 2012
Studies - Telecommuting Creates Happier and More Productive Employees
Diann Daniel: "The arguments for allowing your workforce to have more telecommuting options are many. There's the environmental argument, to begin with: Telecommuting raises your company's green profile; it keeps cars off the road and reduces traffic congestion. Telecommuting already saves 10 million barrels of oil per year, according to a 2011 study (PDF) from the Mobility Choice coalition. (See this infographic for more connections between telecommuting and green practices.) Environmental sustainability and greater work business continuity are valid reasons to create more flexibility in your company's work arrangements. Another, arguably more pressing one? Your employees want it. Also see A Manager’s Guide to Telecommuting for mentoring advice.
  • Telecommuting programs can increase employee productivity and satisfaction. According to the Telework Research Network, a public-private partnership focused on demonstrating the tangible value of telework and serving the emerging educational and communication requirements of the Federal teleworker community, telecommuting can make employees more productive, not less—despite what many managers fear. It points to heavy hitters like Best Buy, Dow Chemical, and American Express as just a few companies that have found teleworkers are more productive by 35% to 40%."

Cloud to Deliver 14M New Jobs (Half in China, India)
… The U.S. and Canada get 1.2 million of those new jobs, according to the new IDC report (PDF), which Julie Bort at Business Insider says is “nothing to sneeze at.”

Once again, Dilbert brilliantly summarizes a current trend – the patent troll.