Saturday, March 31, 2012


If this is correct, we just went from possibly huge to probably trivial.
Sources: Global Payments breached – Wall Street Journal
March 30, 2012 by admin
Robin Sidel and Andrew R. Johnson report:
Global Payments Inc., which processes credit cards and debit cards for banks and merchants, has been hit by a security breach that has put some 50,000 cardholders at risk, according to people with knowledge of the situation.
Read more on the Wall Street Journal. Global Payments has not confirmed as of the time of this posting.
But 50,000? That’s a far cry from possibly 10 million. Is this the same breach that was reported earlier today by Brian Krebs or another breach?
Both Heartland Payment Systems and First Data Corp. have denied being involved in any of the breach reports from today.

(Related)
Global Payments confirms data breach
March 30, 2012 by admin
After being named by the Wall Street Journal earlier today, Global Payments Inc. has issued a press release about their breach:
Global Payments Inc, a leader in payment processing services, announced it identified and self-reported unauthorized access into a portion of its processing system. In early March 2012, the company determined card data may have been accessed. It immediately engaged external experts in information technology forensics and contacted federal law enforcement. The company promptly notified appropriate industry parties to allow them to minimize potential cardholder impact. The company is continuing its investigation into this matter.
“It is reassuring that our security processes detected an intrusion. It is crucial to understand that this incident does not involve our merchants or their relationships with their customers,” said Chairman and CEO Paul R. Garcia.
Global Payments will hold a conference call Monday, April 2, 2012 at 8:00 AM EDT.
[...]
And that’s all they wrote in the way of details. For now, anyway.


It's not fair! (But it is amusing.) Bruce is using real facts!
"A nice summary at TechDirt brings word that Bruce Schneier has been debating Kip Hawley, former boss of the TSA, over at the Economist. Bruce has been providing facts, analysis and some amazing statistics throughout the debate, and it makes for very educational reading. Because of the format, the former TSA administrator is compelled to respond. Quoting: 'He wants us to trust that a 400-ml bottle of liquid is dangerous, but transferring it to four 100-ml bottles magically makes it safe. He wants us to trust that the butter knives given to first-class passengers are nevertheless too dangerous to be taken through a security checkpoint. He wants us to trust that there's a reason to confiscate a cupcake (Las Vegas), a 3-inch plastic toy gun (London Gatwick), a purse with an embroidered gun on it (Norfolk, VA), a T-shirt with a picture of a gun on it (London Heathrow) and a plastic lightsaber that's really a flashlight with a long cone on top (Dallas/Fort Worth).'"


Maybe you can gather information, but you can't make it public?
Judge Allows Actress Suing IMDb Over Age Revelation to Go Forward on Lawsuit
March 30, 2012 by Dissent
Eriq Gardner reports:
Huang Hoang, the actress who sued IMDb for revealing her real age, got a small boost Friday in Washington federal court. The judge overseeing the case has decided that Hoang’s allegations that IMDb breached contract and violated laws on consumer protection are plausible enough to continue. But the judge also offered some relief to the Amazon.com subsidiary by dismissing two of Hoang’s core claims and striking her wish to collect $1 million in punitive damages.
Read more on Hollywood Reporter. The claim about what the privacy policy meant in terms of use of her data is an issue privacy advocates will want to watch – if the case doesn’t settle before trial.


If you are an honest user caught up in this RIAA-mandated lawsuit(?), do you have any rights? Or is this one of those extreme cases of “caveat emptor” that chills commerce – “Don't do anything that the RIAA or MPAA finds objectionable...”
Megaupload User Demands Return of Seized Content
An Ohio man is asking a federal judge to preserve data of the 66.6 million users of Megaupload, the file-sharing service that was shuttered in January following federal criminal copyright-infringement indictments that targeted its operators.
Represented by civil rights group Electronic Frontier Foundation, Kyle Goodwin wants U.S. District Judge Liam O’Grady, the judge overseeing the Megaupload prosecution, to order the preservation of the 25 petabytes of data the authorities seized in January. Goodwin, the operator of OhioSportsNet, which films and streams high school sports, wants to access his copyrighted footage that he stored on the file-sharing network. His hard drive crashed days before the government shuttered the site Jan. 19.
“What is clear is that Mr. Goodwin, the rightful owner of the data he stored on Megaupload, has been denied access to his property. It is also clear that this court has equitable power to fashion a remedy to make Mr. Goodwin — an innocent third party — whole again,” the group wrote the judge in a Friday legal filing.

(Related) The Big Chill goes on... Apparently what they did to MegaUpload wasn't sufficient? Or the MPAA wasn't able to use nukes?
White House calls for new law targeting 'offshore' Web sites
Only weeks after protests over two digital copyright bills demonstrated the political muscle of Internet users, the White House is publicly endorsing new copyright legislation that also would target suspected pirate Web sites.
After the unprecedented outcry against the Stop Online Piracy Act and the Protect IP Act -- designed to target offshore copyright-infringing Web sites -- supporters of the bills on Capitol Hill backed down and moved on to other topics.
But the White House today reignited the congressional debate by throwing its weight behind legislation targeting offshore Web sites. "We believe that new legislative and non-legislative tools are needed to address offshore infringement," today's report (PDF) says.


“Gee, someone doesn't like our stalking app?”
Report: Foursquare shuts off API for Girls Around Me app
An app that employed Foursquare and Facebook data to show the real-time location of women has raised an uproar and is making people think about how social media exposes them.
The tagline is "In the mood for love, or just after a one-night stand? Girls Around Me puts you in control! Reveal the hottest nightspots, who's in them, and how to reach them..."


I'm afraid this is accurate and everyone is looking for ways to summarize all your activity online and that means accessing everything! Why would this be considered good?
The Search for the Google of the Social Graph
Search is the great triumph of computer science and mathematics. A multi-billion dollar industry was built from a highly technical paper about random walks on the web, which was becoming more obtuse as it grew exponentially.
Google’s search breakthrough ensured that the web would not be a victim of its own success.
Now, the social web faces a similar problem. It is enormous, and growing, and central to our lives. There are many successful companies in the social space, just as there were search leaders before Google emerged. Yet so far there is no Google for the social graph.
… It won’t be easy. I’d like to offer up four challenges that I find important, though undoubtedly there are more:
2. A person is the sum of all of their profiles: Identity across social networks must be solved. Linking Facebook, Twitter, Google Reader, LinkedIn, etc. would be invaluable to researchers. Actions across social networks are similar (liking, following/friending, sharing, etc.), so to have a complete list of actions from a single individual across networks would vastly increase the amount of data available from looking at a single social network.
4. Let data be free: Many types of social data are not public or are difficult to get. All Twitter data is only accessible to the select few members of the firehose club. Facebook data is available for only a select few users. Search was made possible by web crawlers and a similar accessibility of data must be in place for the social graph. Of course, accessibility of data brings up lots of privacy concerns.


Perspective. This is good, because we wouldn't want just anyone to know about [Deleted by the Copyright/Trademark Nazis] or the cure for [Deleted by the Copyright/Trademark Nazis] or how to make [Deleted by the Copyright/Trademark Nazis]
The Missing 20th Century: How Copyright Protection Makes Books Vanish
The above chart shows a distribution of 2500 newly printed fiction books selected at random from Amazon's warehouses. What's so crazy is that there are just as many from the last decade as from the decade between 1910 and 1920. Why? Because beginning in 1923, most titles are copyrighted. Books from before 1923 tend to be in the public domain, and the result is that Amazon carries them -- lots of them. The chart comes from University of Illinois law professor Paul Heald. In a talk at the University of Canterbury on March 16, he explained how he made it and what it shows.
… Heald says that the numbers would be even more dramatic if you controlled for the number of books published in those years, because there are likely far more books published in 1950 than in 1850.
You can watch Heald's whole talk, "Do Bad Things Happen When Works Fall Into the Public Domain?" below.


Thank god I teach Math...
"American high school students are terrible writers, and one education reform group thinks it has an answer: robots. Or, more accurately, robo-readers — computers programmed to scan student essays and spit out a grade. The theory is that teachers would assign more writing if they didn't have to read it. [Amen! Bob] And the more writing students do, the better at it they'll become — even if the primary audience for their prose is a string of algorithms. ... Take, for instance, the Intelligent Essay Assessor, a web-based tool marketed by Pearson Education, Inc. Within seconds, it can analyze an essay for spelling, grammar, organization and other traits and prompt students to make revisions. The program scans for key words and analyzes semantic patterns, and Pearson boasts it 'can "understand" the meaning of text much the same as a human reader.' Jehn, the Harvard writing instructor, isn't so sure. He argues that the best way to teach good writing is to help students wrestle with ideas; misspellings and syntax errors in early drafts should be ignored in favor of talking through the thesis."


Just a reminder...
Have you backed up your data today?
It's World Backup Day.

Friday, March 30, 2012


Possible this breach could set a new record? Stand by for news...
MasterCard, VISA Warn of Processor Breach
March 30, 2012 by admin
Brian Krebs reports:
VISA and MasterCard are alerting banks across the country about a recent major breach at a U.S.-based credit card processor. Sources in the financial sector are calling the breach “massive,” and say it may involve more than 10 million compromised card numbers. [If so, the record is safe Bob]
Read more on KrebsonSecurity. As always, Brian is all over this story and has gotten some leads from sources and interviews:
Sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area.
Ever since Heartland’s breach, numerous breach reports in the media have (erroneously) mentioned a payment processor. This time, it sounds like we really do have another processor breach. Brian reports that “PSCU — a provider of online financial services to credit unions — said it alerted 482 credit unions that appear to have had cards impacted by the breach.”
ELGA, a credit union in Michigan, was one of the credit unions that received notification, although it’s not clear whether they were notified by PSCU or by VISA or MasterCard; 450 of their members were reportedly affected.


The missing information will eventually come out. Why are they holding it back? It makes them look either ignorant or secretive – or both.
By Dissent, March 29, 2012
Steven Harmon reports:
In a puzzling breach of security, computer storage devices containing identification information of 800,000 Californians using the state’s child support services have gone missing.
The Department of Child Support Service reported on Thursday the data devices were lost March 12 en route to California from the Colorado facilities of IBM, one of the contractors in charge of the storage devices.
Read more on Mercury News.
1. What happened?
… The devices were in transit from IBM’s facility in Colorado to California. Upon arrival, several devices were missing.
2. When did it happen?
We were notified on March 12th that the storage devices were missing. It was confirmed on March 20th that the devices contained personal information.
Okay, but you didn’t answer your own question: WHEN did it happen? And while we’re at it, what transit system was being used to transport the devices? – Dissent


Win friends and influence people... NOT!
Shouldn’t they be hearing this from you instead of me?
March 29, 2012 by admin
As if we needed another reason to disclose breaches in a timely fashion:
Some nuclear workers are really upset that the Office of Workers’ Compensation Programs didn’t inform them of the Impairment Resources breach. It seems that they first learned about it from a recent post on this blog.
Yeah, that’s no way to find out your data were stolen months earlier.


Will Homeland Security be in charge of voting security? A TSA agent at every polling place?
DHS: Cybersecurity plays into online voting
As the 2012 presidential election revs up, 33 states now permit some form of Internet ballot casting. However, a senior cybersecurity adviser at the U.S. Department of Homeland Security warned today that online voting programs make the country's election process vulnerable to cyberattacks. [Actually, no. It's crappy security that makes it vulnerable. Bob]
… "Because we vote by secret ballot there is no way to confirm that a digital ballot cast over the Internet is received as it was sent, making detection difficult if not impossible." [Horsefeathers! Bob]

...but how do you get your name off the “Harass this uppity second class citizen” list?
Judge: Bradley Manning supporter can sue government over border search
David Maurice House, an MIT researcher, was granted the right to pursue a case against the government on Wednesday after a federal judge denied the government’s motion to dismiss.
The American Civil Liberties Union filed a federal lawsuit in May 2011 on House’s behalf, charging that he had been targeted solely for his lawful association with the Bradley Manning Support Network.
… “Despite the government’s broad assertions that it can take and search any laptop, diary or smartphone without any reasonable suspicion, the court said the government cannot use that power to target political speech.”
US customs agents met and briefly detained House as he deplaned at Chicago’s O’Hare Airport in November 2010. The agents searched House’s bags, then took him to a detention room and questioned him for 90 minutes about his relationship to Manning (the former Army intelligence analyst currently facing a court martial for leaking classified documents to the secret-spilling site WikiLeaks). [Why would TSA even know about this? Is there that much background on every traveler? Bob] The agents confiscated a laptop computer, a thumb drive, and a digital camera from House and reportedly demanded, but did not receive, his encryption keys.
DHS held onto House’s equipment for 49 days and returned it only after the ACLU sent a strongly worded letter.


Perhaps this is how you get on some of those government lists?
The Perils of Social Reading
March 30, 2012 by Dissent
Back in January, Neil Richards had commented on attempts to amend the Video Privacy Protection Act (VPPA), suggesting that allowing “seamless” sharing could be cutting back on important privacy protections that we should not weaken. Neil’s argument didn’t convince me that we shouldn’t allow those who want to share, to share, and I posed some questions to him.
I am pleased to point readers to Neil’s fuller article on this topic, which will be published in the Georgetown Law Journal, “The Perils of Social Reading.” Here’s the abstract:
Our law currently treats records of our reading habits under two contradictory rules – rules mandating confidentiality, and rules permitting disclosure. Recently, the rise of the social Internet has created more of these records and more pressures on when and how they should be shared. Companies like Facebook, in collaboration with many newspapers, have ushered in the era of “social reading,” in which what we read may be “frictionlessly shared” with our friends and acquaintances. Disclosure and sharing are on the rise.
This Article sounds a cautionary note about social reading and frictionless sharing. Social reading can be good, but the ways in which we set up the defaults for sharing matter a great deal. Our reader records implicate our intellectual privacy – the protection of reading from surveillance and interference so that we can read freely, widely, and without inhibition. I argue that the choices we make about how to share have real consequences, and that “frictionless sharing” is not frictionless, nor is it really sharing. Although sharing is important, the sharing of our reading habits is special. Such sharing should be conscious and only occur after meaningful notice.
The stakes in this debate are immense. We are quite literally rewiring the public and private spheres for a new century. Choices we make now about the boundaries between our individual and social selves, between consumers and companies, between citizens and the state, will have unforeseeable ramifications for the societies our children and grandchildren inherit. We should make choices that preserve our intellectual privacy, not destroy it. This Article suggests practical ways to do just that.
You can download the full article from SSRN.


I try to avoid using words like “Philosophy” in my classes; it tends to frighten the students...
The Philosopher Whose Fingerprints Are All Over the FTC's New Approach to Privacy
… The standard explanation for privacy freakouts is that people get upset because they've "lost control" of data about themselves or there is simply too much data available. Nissenbaum argues that the real problem "is the inappropriateness of the flow of information due to the mediation of technology." In her scheme, there are senders and receivers of messages, who communicate different types of information with very specific expectations of how it will be used. Privacy violations occur not when too much data accumulates or people can't direct it, but when one of the receivers or transmission principles change. The key academic term is "context-relative informational norms." Bust a norm and people get upset.


The Google Feature-du-jour. Also see the “Play” link on the Google Home page.
Google Would Like Your Thoughts on This Gluten-Free Brownie Mix
Google has rolled out a new feature: Consumer Surveys, a scheme that takes a series of marketer-to-consumer surveys and puts them to work on the sites of media publications. The new feature is the official version of the "surveywall" that Nieman Lab's Justin Ellis reported on when he came across an experimental version of it back in October. It's "basically a substitute for a paywall," Consumer Surveys product manager Paul McDonald says.
… Google pays publishers for hosting the surveys (the equivalent of a $15 CPM); marketers, in turn, pay Google for the demographic-targetable data the publisher-hosted surveys provide; and users, in turn -- provided they don't find the pop-up microsurveys too annoying to complete -- get an alternate way of accessing publisher content that they might otherwise be made to pay for.


I capture lots of videos for my classes. I'm always looking at new tools...
Web Video Fetcher is an online tool that allows users to convert any audio or video URL from YouTube, Myspace, Google, Facebook or any other site into much more common formats such as Mp3, Mp4, FLV in a few simple clicks.
The very first thing you should do is find the video/audio which you want to convert and save in your computer. Once you find it, just copy the link and paste it into the text-box provided and click the “Search” icon. The website will automatically figure out the format of the audio/video and provide you with the options to download the video/audio in the common file formats.
List of supported websites: https://docs.google.com/viewer?url=http://webvideofetcher.com/docs/webvideofetcher_com_supportedsites.pdf

Thursday, March 29, 2012


Voluntary – I don't think that word means what you think it means...
Teacher’s aide wouldn’t let school district access her Facebook page, now in legal battle
March 29, 2012 by Dissent
Kelli Stopczynski reports on a case in Michigan where a teacher’s aide refused to allow her employer to view her Facebook postings and was suspended. In this case, the district had been alerted by a parent to a photo that the aide had uploaded to her account.
Lewis Cass ISD superintendent Robert Colby called her into his office.
“He asked me three times if he could view my Facebook and I repeatedly said I was not OK with that,” Hester told WSBT.
In a letter to Hester from the Lewis Cass ISD Special Education Director, he wrote “…in the absence of you voluntarily granting Lewis Cass ISD administration access to you[r] Facebook page, we will assume the worst and act accordingly.”
Hester keeps that letter in her stack of documents related to the case. She provided the letter to WSBT.
Hester said Colby put her on paid administrative leave and eventually suspended her.
Read more on South Bend Tribune. The case is scheduled to go to arbitration in May.
There are some who might argue that the aide used poor judgement in uploading a silly or unprofessional photo to her account. But it was her personal account and on her own time and it was not publicly available. Could her employer rightfully claim that such conduct or images hurt the image of the district? Perhaps. In this case, a parent was the one who reported the matter – a parent who had friended the aide on Facebook.
But where is the line here? I don’t like an employer assuming the worst or that an employee who asserts their right to privacy has “something to hide.” But laws do not protect employees from this type of demand in many states.
The lines have been blurred between our professional lives and our online, but still personal, lives. Employers can certainly see what’s publicly available. But should they be allowed to demand access to what an employee takes pains to protect as private? And should such material be used to terminate their employment?
Back in the day, if an employee conducted himself or herself somewhat inappropriately (like being a drunken spectacle at a party), there might be talk and gossip at work the next week, but their job wasn’t generally in jeopardy. Even if someone were to come in with a photo of drunken behavior, it would not lead to job termination. So why is a photo on a private page now the basis for job termination?
This is not a brave new world. It’s a confused new world that shrinks our private lives each day unless we draw a line in the cybersand and say, “This is mine, and no, you can’t have it.”

(Related) Nobody gets this “Privacy stuff”
House votes down plan to block employers from Facebook snooping

(Related) “We merely point out that once again Congress did a terrible job writing a law...” Somewhere there must be a law that puts a value on privacy beyond 'actual damages'.
Supreme court limits damages under 1974 Privacy Act to actual damages
March 28, 2012 by Dissent
James Vicini reports on a somewhat disappointing but unsurprising verdict by the Supreme Court:
The U.S. Supreme Court ruled on Wednesday that a pilot from San Francisco, whose status as HIV-infected was disclosed by one federal agency to another one in violation of a privacy law, cannot sue for damages for mental and emotional distress.
By a 5-3 vote with conservative justices holding sway, the court overturned a ruling by a U.S. appeals court in California and held that violations of a 1974 federal privacy law allowed only for actual damages such as out-of-pocket financial losses.
Read more on Reuters. Barbara Leonard of Courthouse News provides additional background on the case. You can find the Supreme Court’s decision here (pdf), but the heart of it (for me) concerns whether the Privacy Act limited damages to actual damages as in incurred economic loss or includes emotional harm or distress. The court held that the law restricted damages to actual damages, noting:
We do not claim that the contrary reading of the statute accepted by the Court of Appeals and advanced now by respondent is inconceivable. But because the Privacy Act waives the Federal Government’s sovereign immunity, the question we must answer is whether it is plausible to read the statute, as the Government does, to authorize only damages for economic loss. Nordic Village, 503 U. S., at 34, 37. When waiving the Government’s sovereign immunity, Congress must speak unequivocally. Lane, 518 U. S., at 192. Here, we conclude that it did not. As a consequence, we adopt an interpretation of “actual damages” limited to proven pecuniary or economic harm. To do otherwise would expand the scope of Congress’ sovereign immunity waiver beyond what the statutory text clearly requires.


How closely have you been monitored?
Google has just launched a new service called Account Activity, allowing users to produce periodical reports showing their usage patterns of Google products. Google’s activity reports mean you can now get a report that shows you how much Gmail you’ve received over the past month, how much you’ve sent, what were your top Google searches, where you were located during the month, and more.


A summary. Mentions DHS privacy concern...
March 28, 2012
Cybersecurity: Selected Legal Issues
  • "The federal government’s role in protecting U.S. citizens and critical infrastructure from cyber attacks has been the subject of recent congressional interest. Critical infrastructure commonly refers to those entities that are so vital that their incapacitation or destruction would have a debilitating impact on national security, economic security, or the public health and safety. This report discusses selected legal issues that frequently arise in the context of recent legislation to address vulnerabilities of critical infrastructure to cyber threats, efforts to protect government networks from cyber threats, and proposals to facilitate and encourage sharing of cyber threat information amongst private sector and government entities. This report also discusses the degree to which federal law may preempt state law."


Hoover-esque? Why would any “law enforcement” agency not accurately train its personnel in the law? Because it is easier to enforce the law without all those silly legal restrictions!
Read the FBI Memo: Agents Can ‘Suspend the Law’
The FBI once taught its agents that they can “bend or suspend the law” as they wiretap suspects. But the bureau says it didn’t really mean it, and has now removed the document from its counterterrorism training curriculum, calling it an “imprecise” instruction.

(Related) This suggests why the FBI feels they need to “cheat” a bit to “catch up” with crooks and terrorists.
"Shawn Henry, who is preparing to leave the FBI after more than two decades with the bureau, said in an interview that the current public and private approach to fending off hackers is 'unsustainable.' 'I don't see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it's an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security,' Mr. Henry said."


Google e-Discovery. No doubt they're good at it by now. Should be of interest to those who have switched to Gmail...
Google Apps Debuts Archiving And Records Management System For Businesses, Vault
Today, Google is debuting a new archiving, records management and e-discovery solution for Google Apps for businesses called Vault.
Google Apps Vault, which is priced at $5 per-user, per-month, allows businesses to reduce risks and costs associated with litigation, investigation, and compliance audits by providing an in-depth archiving system in the cloud. So all emails, documents and chat messages from Gmail can be accessed in one place. Businesses can define what needs to be retained for Gmail and on-the-record chat messages based on content, labels, and metadata.
As Google says, governance policies are applied directly to the native data store, eliminating the need to duplicate data in a separate archive and helping to reduce the risks associated with data movement and from spoliation.
Search is also a part of Vault, and via the new service users can search across large amounts of email in an archive, and define and manage collections of message search results and collaborate with others to manage them. Email can also be exported for further review and processing.


It is good to know that on occasion, cost saving claims are true.
"Mayor Ude reported today that the city of Munich has saved €4 million so far (Google translation of German original) by switching its IT infrastructure from Windows NT and Office to Linux and OpenOffice. At the same time, the number of trouble tickets decreased from 70 to 46 per month. [If I recall, they actually trained people to use the new software Bob] Savings were €2.8M from software licensing and €1.2M from hardware because demands are lower for Linux compared to Windows 7."


This is a joke, right? Something to make the “politically correct” extremists look ridiculous? They sure made the article look real...
"New York educators banned references to 'dinosaurs,' 'birthdays,' 'Halloween' and dozens of other topics on city-issued tests. That is because they fear such topics 'could evoke unpleasant emotions in the students.' Dinosaurs, for example, call to mind evolution, which might upset fundamentalists; birthdays are not celebrated by Jehovah's Witnesses; and Halloween suggests paganism. Homes with swimming pools and home computers are also unmentionables — because of economic sensitivities. The city asks test companies to exclude 'creatures from outer space' as well — for unspecified reasons."


For my fellow Trekkies...
"Another example of Star Trek technology becoming a reality. In light of the recent Tricorder X-Prize announcement, Dr. Peter Jansen has openly released the designs for a series of Science Tricorders that he developed while a graduate student at McMaster University. The Science Tricorders are capable of sensing a variety of atmospheric, electromagnetic, and spatial phenomena. Where the Science Tricorder Mark 1 is a relatively easy-to-build proof of concept, the Science Tricorder Mark 2 runs Linux and resembles a cross between a Nintendo DS and scientific instrument with dual OLED touch displays. An exciting video shows them in action, and describes the project goal of creating general scientific tools for learning about and visualizing the world, as well as their importance for science education by helping kids understand abstract concepts like magnetism or polarization visually. The hardware schematics, board layouts, and firmware source are freely available on the Tricorder project website under various open licenses."


I use my RSS reader every morning to produce my Blog. There are MANY free RSS readers. Find one that is intuitive...
I still remember the first time I saw Google Reader in action. I was instantly in love with it! Without a doubt RSS feeds and Google Reader are the most important tool that I use on a daily basis. Sure I could subscribe via email to all 300+ of my favorite websites, but who wants more email? And I certainly don't want to open 300+ sites individually. Subscribing to RSS feeds in Google Reader lets me keep up with my favorite sites. So while tech blogs like to make claims that Twitter, Google+, and other platforms will make RSS feeds redundant, I still love my RSS feeds.
What is Google Reader?
More and more I'm consuming RSS feeds through Feedly instead of Google Reader, learn more about Feedly in the video below.

Wednesday, March 28, 2012

Trivial, but ties in nicely with the next article... Note that “password protected” is not the same as encrypted; that is exactly the distinction the next article makes.
By Dissent, March 27, 2012
*sigh*
Howard University Hospital this week sent notification to patients of a potential disclosure of their protected health information in late January. A former contractor’s personal laptop containing patient information was stolen, according to a statement by the hospital.
The laptop, taken from the former contractor’s vehicle, was password protected.
[...]
The hospital has sent letters to 34,503 patients affected by the breach. The records contained the Social Security numbers for a number of those patients.
Read more on WUSA9.com, although you can probably write the story by now yourself. [...while napping Bob]
A link on the hospital’s homepage says:
Howard University Hospital this week sent notification to patients of a potential disclosure of their protected health information that occurred in late January when a former contractor’s personal laptop containing patient information was stolen.

(Related)
By Dissent, March 27, 2012
ID Experts points us to a post by Pamela Lewis Dolan:
Physicians who own mobile devices should make the following assumption: If they lose a smartphone or tablet, someone is going to try to see what’s on it.
With an estimated 80% of physicians using a mobile device on the job, a lot of patient data is vulnerable to breaches unless steps are taken to protect it. Data encryption is the one thing that protects physicians from having to report a breach if data go missing. But ensuring data encryption on a mobile device can be a little tricky. At the least, there are other ways to help ensure that data aren’t accessed if you happen to leave your phone behind in a taxi or at a restaurant.
Read more on amednews.com


What kind of lawyering is this?
Proposed lawsuit settlement includes free soft drinks
March 28, 2012 by Dissent
Jeff Eckhoff and James Heggen report:
The failure of a Des Moines restaurant chain to fully comply with a federal anti-identity theft law will soon lead to free soft drinks for some of its former patrons, assuming a federal judge approves.
Lawyers in a complicated class-action lawsuit have submitted a proposed settlement that will, if it is approved by U.S. District Judge James Gritzner, eventually lead to $170,000 for the plaintiffs’ attorneys and coupons for people who can prove they used a credit card or debit card during a three-year period at Palmer’s Deli & Market.
The lawsuit, filed initially on June 1, 2011, accused Palmer’s of willfully violating a 2003 federal law that requires the truncation of credit card numbers and expiration dates on printed store receipts.
Read more in the Des Moines Register.
This is not the first time we’ve seen a settlement like this. Olive Garden had a similar one in May 2009, but the members of that class got coupons for $9.00 worth of appetizers. And members of a class action lawsuit against Primanti Brothers got coupons for free sandwiches in October 2010. Although it doesn’t seem like members of this class benefit significantly in the usual sense of “significantly,” the settlement may save Palmer’s from being bankrupt should they have to pay statutory damages. The firm’s insurance company is also suing them, claiming they should not be liable for any costs or expenses from this incident.
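A worked example, added here and not part of the Register story or the court filings: the receipt rule at issue (FACTA, 15 U.S.C. § 1681c(g)) says an electronically printed receipt may show no more than the last five digits of the card number and no expiration date. The receipts below are constructed, and the Luhn check plus regexes are a simple compliance scanner I wrote for illustration, not anything from Palmer’s point-of-sale system.

```python
import re
from typing import List

# Constructed receipt samples; these are not Palmer's actual receipts.
GOOD_RECEIPT = """\
Palmer's Deli & Market           03/27/2012 12:41
VISA ************1234
EXP: **/**
TOTAL 9.75
"""

BAD_RECEIPT = """\
Palmer's Deli & Market           03/27/2012 12:41
VISA 4111 1111 1111 1111
EXP: 04/14
TOTAL 9.75
"""

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
# An expiration field printed in the clear, e.g. "EXP: 04/14" or "Expires 04/2014".
EXP_RE = re.compile(r"\bexp\w*[:\s]+(0[1-9]|1[0-2])/\d{2,4}", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep: int = 4) -> str:
    """Render a PAN for a receipt: only the last `keep` digits, never more than five."""
    if not 0 <= keep <= 5:
        raise ValueError("FACTA permits at most the last five digits on a receipt")
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - keep) + digits[-keep:] if keep else "*" * len(digits)


def receipt_findings(text: str) -> List[str]:
    """Return one finding per rule violation found in the receipt text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append(f"line {lineno}: untruncated card number ({len(digits)} digits)")
        if EXP_RE.search(line):
            findings.append(f"line {lineno}: expiration date printed")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_RECEIPT), ("bad", BAD_RECEIPT)):
        print(name, receipt_findings(text) or "compliant")
```

Run it against a batch of archived receipt images (after OCR) or your receipt template and you have the check the plaintiffs’ lawyers were effectively doing by hand. The Luhn filter keeps order numbers and phone numbers from showing up as false positives; the expiration regex is keyed to an “EXP” label so transaction dates are not flagged.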

(Related) Shouldn't the settlement reach at least a penny a victim?
FTC releases proposed settlement order in RockYou breach; $250k fine for breaching COPPA
March 27, 2012 by admin
The RockYou breach, disclosed in December 2009, stands as the 10th largest breach on DataLossDB’s counter after 32 million login credentials were compromised. A civil suit, Claridge v. RockYou, is still unsettled, although a proposed settlement was submitted to the court in November 2011. Previous coverage on this breach can be found here. Now the FTC has issued a statement on a proposed settlement of its charges against the firm:
The operator of a social game site has agreed to settle charges that, while touting its security features, it failed to protect the privacy of its users, allowing hackers to access the personal information of 32 million users. The Federal Trade Commission also alleged in its complaint against RockYou that RockYou violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) in collecting information from approximately 179,000 children. The proposed FTC settlement order with the company bars future deceptive claims by the company regarding privacy and data security, requires it to implement and maintain a data security program, bars future violations of the COPPA Rule, and requires it to pay a $250,000 civil penalty to settle the COPPA charges.
According to the FTC complaint, RockYou operated a website that allowed consumers to play games and use other applications. Many consumers used the site to assemble slide shows from their photos, using a caption capability and music supplied by the site. To save their slide shows, consumers had to enter their email address and email password. [email is an identifier, what purpose does sharing the password serve? Bob]
The FTC’s COPPA Rule requires that website operators notify parents and obtain their consent before they collect, use, or disclose personal information from children under 13. The Rule also requires that website operators post a privacy policy that is clear, understandable, and complete.
The FTC alleged that RockYou knowingly collected approximately 179,000 children’s email addresses and associated passwords during registration – without their parents’ consent – and enabled children to create personal profiles and post personal information on slide shows that could be shared online. The company asked for kids’ date of birth, and so accepted registrations from kids under 13. In addition, the company’s security failures put users’ including children’s personal information at risk, according to the FTC. The FTC charged that RockYou violated the COPPA Rule by:
  • not spelling out its collection, use and disclosure policy for children’s information;
  • not obtaining verifiable parental consent before collecting children’s personal information; and
  • not maintaining reasonable procedures, such as encryption to protect the confidentiality, security, and integrity of personal information collected from children.
The proposed settlement order bars deceptive claims regarding privacy and data security and requires RockYou to implement a data security program and submit to security audits by independent third-party auditors every other year for 20 years. [Ask any accounting firm to do this – it will probably save you more than $250,000 Bob] It also requires RockYou to delete information collected from children under age 13 and bars violations of COPPA. Finally, RockYou will pay a $250,000 civil penalty for its alleged COPPA violations.
The FTC has a new publication, Living Life Online, to help tweens and teens navigate the internet safely.
The Commission vote to authorize the staff to refer the complaint to the Department of Justice and to approve the proposed consent decree was 4-0. The DOJ filed the complaint and proposed consent decree on behalf of the Commission in U.S. District Court for the Northern District of California on March 26, 2012. The proposed consent decree is subject to court approval.
So… if it wasn’t for the children’s data, would the FTC have gone after RockYou or fined them? The passwords were stored plain-text, but the only reference to encryption in this release applies to children’s data, not the adults’.
Update: I see that in his coverage of the proposed order, Jaikumar Vijayan reports that the civil suit against RockYou settled in December. If he’s referring to Claridge v. RockYou, the motion for settlement is due to be heard tomorrow (March 28).
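Since the FTC release never says what “encryption” should have meant for 32 million stored passwords, here is an added example (mine, not RockYou’s code and not anything the FTC order prescribes) of the difference between what a plaintext credential table leaks and what a salted, slow-hashed one leaks. The emails and passwords are constructed; the iteration count is kept low so it runs quickly.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Deliberately small for a quick demo; production code should use the largest count the
# login path can afford (hundreds of thousands for PBKDF2-SHA256), or scrypt/argon2.
ITERATIONS = 50_000


class PlaintextStore:
    """What a plaintext credential table looks like: a dump IS the password list."""

    def __init__(self) -> None:
        self.rows: Dict[str, str] = {}

    def register(self, email: str, password: str) -> None:
        self.rows[email] = password

    def verify(self, email: str, password: str) -> bool:
        return self.rows.get(email) == password

    def dump(self) -> str:
        return repr(self.rows)


class HashedStore:
    """Store only a per-user salt and a slow, salted hash of the password."""

    def __init__(self, iterations: int = ITERATIONS) -> None:
        self.iterations = iterations
        self.rows: Dict[str, Tuple[int, bytes, bytes]] = {}

    def _hash(self, password: str, salt: bytes, iterations: int) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)  # unique per user, so equal passwords hash differently
        self.rows[email] = (self.iterations, salt, self._hash(password, salt, self.iterations))

    def verify(self, email: str, password: str) -> bool:
        rec = self.rows.get(email)
        if rec is None:
            # Do the same work for unknown users so response time does not reveal who is registered.
            self._hash(password, b"\x00" * 16, self.iterations)
            return False
        iterations, salt, digest = rec  # iterations stored per row so they can be raised over time
        return hmac.compare_digest(self._hash(password, salt, iterations), digest)

    def dump(self) -> str:
        return repr({e: (i, s.hex(), d.hex()) for e, (i, s, d) in self.rows.items()})


def password_in_dump(store, password: str) -> bool:
    """Would an attacker who copied the table get this password back directly?"""
    return password in store.dump()


if __name__ == "__main__":
    for store in (PlaintextStore(), HashedStore()):
        store.register("alice@example.com", "hunter2")  # constructed credentials
        print(type(store).__name__, "leaks password:", password_in_dump(store, "hunter2"))
```

The hashed table still has to be brute-forced one user at a time, at the cost of the iteration count per guess, which is the whole point; the plaintext one is the breach the moment it is copied.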


Now Perry Mason doesn't need to ask, “Where were you on the night of the crime?”
Want to know where your teen is? Ask OnStar
If you're nervous about giving your teen driver the keys to the family car, you may be able to buy peace of mind from OnStar. The telematics company now offers the ability to tell you where your vehicles, and possibly the drivers, are at any time.
Family Link is an optional add-on service to the operator assisted emergency response and navigation services offered by OnStar. Subscribers can log on to OnStar's Family Link Web site to view a map with the vehicle's location at any time. They can also schedule email or text alerts to update them periodically on the location of the automobile on specific days or times.


If they had trained their officers in a misinterpretation of the law, I can't see how they could be disciplined for following their training. So it appears they had no training in that area.
"The City of Boston has reached a $170,000 settlement with Simon Glik, who was arrested by Boston Police in 2007 after using his mobile phone to record police arresting another man on Boston Common. Police claimed that Glik had violated state wiretapping laws, but later dropped the charges and admitted the officers were wrong to arrest him. Glik had brought a lawsuit against the city (aided by the ACLU) because he claimed his civil rights were violated. According to today's ACLU statement: 'As part of the settlement, Glik agreed to withdraw his appeal to the Community Ombudsman Oversight Panel. He had complained about the Internal Affairs Division's investigation of his complaint and the way they treated him. IAD officers made fun of Glik for filing the complaint, telling him his only remedy was filing a civil lawsuit. After the City spent years in court defending the officers' arrest of Glik as constitutional and reasonable, IAD reversed course after the First Circuit ruling and disciplined two of the officers for using "unreasonable judgment" in arresting Glik.'"


The downside of building your own country to avoid the laws of other countries is...
"Ars has a great article about the history of Sealand, a data haven — a place where you can host almost anything, as long as it follows the very bare laws of Sealand Government. Quoting: 'HavenCo's failure — and make no mistake about it, HavenCo did fail — shows how hard it is to get out from under government's thumb. HavenCo built it, but no one came. For a host of reasons, ranging from its physical vulnerability to the fact that The Man doesn't care where you store your data if he can get his hands on you, Sealand was never able to offer the kind of immunity from law that digital rebels sought. And, paradoxically, by seeking to avoid government, HavenCo made itself exquisitely vulnerable (PDF) to one government in particular: Sealand's.'"


This is as old as the “razors and blades” model – probably older (Og give you fire. You give Og mastodon steaks!)
Temple Run and the Rise of the Free, Profitable Videogame
… When Apple launched its digital game store in 2008, most games cost a few dollars. The success of 99-cent apps drove prices down. Then in 2009, Apple changed its store to allow free downloads to feature in-app purchases, for the first time making it possible to give away a game and make money later.
Now free is the most lucrative price point. From kids’ games like Smurfs’ Village to puzzles like Bejeweled Blitz, 15 of the first 20 games on Apple’s Top-Grossing Apps list are free. The analyst group Distimo estimates that half of the revenue for the 200 top-grossing apps comes from the freemium model. Everyone from indie game developers to established companies is jumping on the freemium bandwagon.
… They released Temple Run on the App Store in August for 99 cents.
It did well, at first. “It got a ton of critical acclaim, it got featured [on the App Store menu], people loved it,” says Luckyanova. Temple Run was one of the top 50 paid apps. The couple sold about 40,000 copies at 99 cents a pop. But then it started sliding down the list. With little to lose, Shepherd and Luckyanova abruptly changed the price to zero, hoping to make money by getting players to trade real-life cash for virtual currency.
Revenue immediately increased. People told their friends — hey, play this game. It’s free. You can grab it right now. By Christmas, it was the top-grossing app on the store. “It snowballed into a viral effect,” says Shepherd. The game is now at 46 million free downloads — and Shepherd and Luckyanova estimate that 1 to 3 percent of players wind up spending money on the game.


My Ethical Hackers can hack your phone in 1 minute 50 seconds! I mean, a “four digit passcode?”
"Micro Systemation, a Stockholm-based company, has released a video showing that its software can easily bypass the iPhone's four-digit passcode in a matter of seconds. It can also crack Android phones, and is designed to dump the devices' data to a PC for easy browsing, including messages, GPS locations, web history, calls, contacts and keystroke logs. The company's director of marketing says it uses an undisclosed vulnerability in the devices it targets to run a program on the phone that brute-forces its passcode. He says the company's business is 'booming' and that it's sold the devices to law enforcement and military customers in 60 countries. He says Micro Systemation's biggest customer is the U.S. military."


Since China is in flux (to the point where civil war is possible?) are stories like these just a way for the government to admit publicly what we kind of knew anyway but no one wanted to say for fear of “offending” the Chinese government?
China nabbing 'great deal' of U.S. military secrets
Testifying before the Senate Armed Services Committee yesterday, Gen. Alexander said that China is stealing a "great deal" of the U.S. military's intellectual property, adding that the NSA sees "thefts from defense industrial base companies." According to a story in Information Week, he declined to provide any information on those attacks. However, he did confirm speculation swirling around the security space that China was behind last year's attacks on RSA.


The world is changing, again...
Harry Potter And The Great Sideloading Gamble. A ‘Dark Day’ For Publishers?
A milestone today in the world of publishing, as Pottermore.com, the site dedicated to all digital things Harry Potter, opened for business as the exclusive distributor of Harry Potter e-books and audiobooks. This marks the first time that a major author has ventured forth to offer e-books directly to the public, bypassing publishers’ sites and online bookstores in the process, to allow readers to buy the content direct and then sideload it to their reading platform of choice.


...let's change it even more. Something for all my students.
Regina Dugan: From mach-20 glider to humming bird drone


Perspective: An Infographic
What Happens In An Internet Minute?


Something for my geeks? (No RSS feed yet)
You may have noticed that we've posted quite a few original videos on Slashdot in the past few months. Rather than being the work of a few rogue editors with newly-acquired Christmas cameras, this was part of the groundwork for a new site we're launching today. SlashdotTV, found at http://tv.slashdot.org, will let you easily find and watch all of our videos in one convenient location. In addition to Slashdot content, you also can watch videos from our sister sites, SourceForge and ThinkGeek. The site is brand new, and we're interested in hearing your feedback -- what you think about it, and what kind of videos you'd like to see. Currently, you can embed our videos on your own site or show them to your friends with our share feature. Commenting is coming soon. Check back often for new videos, and keep watching!
[Learn fun things like:


An interesting start-up...
Skillshare Says Anyone Can Be A Teacher And Wants To Connect You To Students [TCTV]


Arthur C. Clarke wrote, “Any sufficiently advanced technology is indistinguishable from magic.” This video shows what can happen when you combine technology with magic...


Tuesday, March 27, 2012


“Be vewy vewy careful.” E. Fudd
You can do everything right, but still incur penalties – lessons learned from BCBS of Tennessee
… BCBSTN had many security measures in place. The hard drives were stored in a closet that was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock. The office space was in a building that had security. Nevertheless, HHS alleged that BCBSTN had failed to perform a security risk evaluation and had failed to implement appropriate physical safeguards because it did not have adequate facility access safeguards as required by the HIPAA Security Rule. Commenting on the settlement, the Office of Civil Rights at HHS emphasized the need for providers who are moving locations to update their risk assessment and keep track of their data during the transition. Without any admission of a HIPAA/HITECH violation, BCBSTN agreed to pay $1.5m as a part of the settlement – the maximum amount payable in civil penalties for each disclosure under the HITECH Act.
Would the result have been different if BCBSTN had secured the vacated office space where the hard drives were stored? What if they had posted a security guard at the office entrance? These measures may have saved BCBSTN from the $1.5m settlement with HHS, but if a determined thief had overcome the security guard and stolen the hard drives, it would not have saved them from the costs of investigation, notification and remediation resulting from the breach. Those costs are reported to be nearly $17 million, an amount that dwarfs the $1.5 million settlement.
This lesson was clearly illustrated in the recent report from the American National Standards Institute – "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security". [ http://webstore.ansi.org/phi/ Bob] The Report provides a tool that allows organizations to estimate the overall potential costs of a data breach and provides a methodology for determining an appropriate level of investment to reduce the probability of a breach.


True or not, a lot of people will “assume” it is true because of past acts Murdoch has admitted to.
"Neil Chenoweth, of the Australian Financial Review, reports that the BBC program Panorama is making new allegations against News Corp of serious misconduct. This time it involves the NDS division of News Corp, which makes conditional access cards for pay TV. It seems that NDS also ran a sabotage operation, hiring pirates to crack the cards of rival companies and posting the code on The House of Ill Compute (thoic.com), a web site hosted by NDS. 'ITV Digital collapsed in March 2002 with losses of more than £1 billion, overwhelmed by mass piracy, as well as technical restrictions and expensive sports contracts. Its collapse left Murdoch-controlled BSkyB the dominant pay TV provider in the UK.' Chenoweth reports that James Murdoch has been an advocate for tougher penalties for pirates, 'These are property rights, these are basic property rights,' he said. 'There is no difference from going into a store and stealing a packet of Pringles or a handbag, and stealing something online. Right?'"


No doubt Bruce keeps posting “Security Theater” to his blog...
"Following up on an earlier Slashdot story, earlier today, the U.S. House of Representatives Committee on Oversight and Government Reform and the Committee on Transportation and Infrastructure held a hearing titled 'TSA Oversight Part III: Effective Security or Security Theater?' ... In a blog update, Bruce Schneier says that 'at the request of the TSA' he was removed from the witness list. Bruce also said 'it's pretty clear that the TSA is afraid of public testimony on the topic, and especially of being challenged in front of Congress. They want to control the story, and it's easier for them to do that if I'm not sitting next to them pointing out all the holes in their position. Unfortunately, the committee went along with them.'"


“The right to be forgotten” extended to “the right to keep you from knowing?”
It's not just Japan that wants to regulate how Google displays search results: judgecorp writes
"A committee of British MPs and peers has asked Google to censor search results to protect privacy and threatened to put forward new laws that would force it to do so, if Google fails to comply. The case relates to events such as former Formula One boss Max Mosley's legal bid to prevent Google linking to illegally obtained images of himself."


...and here I thought that he said “flunk!” If we allow this in schools, won't it eventually spread everywhere?
High school expels student for tweeting f-word
… Well, now. The principal of Garrett High School told INC that regardless of whether it was sent from home--or, indeed, whether a school computer was used--the school may track students' tweets.
Fort Wayne's Journal Gazette does report that Carroll is something of an eccentric. He fought to be allowed to wear a kilt on Irish holidays. He had also been warned before about sending ribald tweets using school-issued computers.
This time, though, there seems ample evidence that he tweeted at 2:30 a.m. Still, the school reportedly maintained that the tweets were adorned with its IP address. [Given the facts, that is impossible. Bob]
… The school appears no longer to be speaking publicly, on the advice of its attorney. Meanwhile, some of the students threatened a protest on Friday, so much so that police were called.
It may well be that Carroll's tweet didn't represent the highest type of wit. Some might conclude, though, that the principal of Garrett High School is a very particular type of wit indeed.


Interesting categories.
Tech Highlights of the FTC Privacy Report
March 26, 2012 by Dissent
Ed Felten writes:
Today the FTC is releasing a major report on privacy. Privacy geeks will read the whole thing–and should, because it represents a lot of careful thinking by folks in the agency.
But if you’re a techie who doesn’t have time to read it all, let me point you to a few of the parts you’ll probably find most interesting.
When you’re reading, keep in mind that the report does not by itself establish any new laws or regulations. It summarizes current law and asks Congress to consider new laws in certain areas, but most of the discussion is about best practices that the FTC thinks well-intentioned companies will want to follow. These best practices are organized in a three-part framework: privacy by design, which means building privacy into your products and practices from the beginning; simplified choice for consumers; and greater transparency about data practices.
Read more on Tech@FTC. I’ll add other links/coverage later today.


Are we so terrified by protestors?
Occupy Tracking
March 26, 2012 by Dissent
A disturbing analysis and report by Tim Libert:
Major advertisers and corporations have been quietly tracking the online movements of those visiting “Occupy Wall Street” related sites for months. They have used this data to create detailed portraits of the lives and interests of potential protestors. This data is then sold in unregulated markets and retained indefinitely in databases that may be subject to secret government subpoena. The most shocking thing about this is who is ultimately responsible: the self-proclaimed revolutionaries who run the sites.
However, this is not an act of malice: most likely website operators have no idea they are allowing their visitors to be tagged and tracked. [Except those created and run by law enforcement Bob]
Read more on TimLibert.me
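For the site operators who “have no idea”: an added example (mine, not Tim Libert’s methodology) of the first check to run on your own pages. It parses the HTML for every element that makes the visitor’s browser fetch from somewhere, and lists the hosts that are not yours, which is exactly the set that receives the visitor’s IP address, referrer and any cookies they already carry. The page and hostnames are constructed placeholders; the “last two labels” rule for grouping hosts is a simplification that mis-groups country-code suffixes like co.uk.

```python
from collections import defaultdict
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed page; the hostnames are placeholders, not any real Occupy site or tracker.
SAMPLE_HTML = """\
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="//static.occupy-example.org/js/app.js"></script>
<script src="https://stats.tracker-example.net/collect.js"></script>
</head><body>
<img src="/img/logo.png" alt="logo">
<img src="https://ads.tracker-example.net/pixel.gif?uid=abc123" width="1" height="1">
<iframe src="https://www.tracker-example.net/share-widget"></iframe>
</body></html>
"""

# Tags that make the browser request a URL (and so hand cookies, IP and referrer to that host).
FETCHING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collect (tag, url, attrs) for every element that triggers a request."""

    def __init__(self) -> None:
        super().__init__()
        self.resources: List[Tuple[str, str, Dict[str, str]]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        attr_name = FETCHING_ATTRS.get(tag)
        if attr_name is None:
            return
        a = {k: (v or "") for k, v in attrs}
        url = a.get(attr_name)
        if url:
            self.resources.append((tag, url, a))


def registrable_domain(host: str) -> str:
    """Last two labels. Simplification: no public-suffix list, so co.uk-style hosts are mis-grouped."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def third_party_resources(html: str, page_host: str) -> Dict[str, List[str]]:
    """Map each third-party host to the tags that load from it."""
    parser = ResourceCollector()
    parser.feed(html)
    found: Dict[str, List[str]] = defaultdict(list)
    for tag, url, attrs in parser.resources:
        host = urlparse(url).hostname or ""  # None for relative URLs, i.e. first party
        if host and registrable_domain(host) != registrable_domain(page_host):
            label = tag
            if tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1":
                label = "img (1x1 pixel)"  # the classic tracking beacon
            found[host].append(label)
    return dict(found)


if __name__ == "__main__":
    for host, tags in third_party_resources(SAMPLE_HTML, "occupy-example.org").items():
        print(f"{host}: {', '.join(tags)}")
```

Static HTML is only the first layer; a script from one third party routinely loads more from others at runtime, so the complete list needs a browser with network logging. But anything this scan turns up is a relationship the site operator chose, whether they realized it or not.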


I doubt this shutdown was the MPAA's idea of a bargaining position, but you never know.
"In a recent story that is beating around the nets, Kim Doctcom has fired back at studios with emails that make for some interesting reading: 'A Disney executive e-mailed Megaupload in 2008. He said he was interested in having Megaupload host Disney content, but said he would need Megaupload to tweak its terms of service to make it clear Disney retained ownership of files uploaded to the site. He sent Megaupload a proposed alternative to the standard Megaupload TOS. Fox emailed "Please let me know if you have some time to chat this week about how we can work together to better monetize your inventory," in an attempt to promote their newly launched ad network. And finally, this gem: a Warner Brothers executive e-mailed Megaupload seeking to expedite the process of uploading Warner content to Megaupload. "I would like to know if your site can take a Media RSS feed for our syndications," he wrote. "We would like to upload our content all at once instead of one video at a time."' Pot calling the kettle black anyone?"
Torrentfreak is running the full interview with Kim Dotcom.


Does this come as a surprise to anyone (aside from a few very out of touch academics at Oxford?) Why would anyone assume that the availability of knowledge automatically results in free academic journal articles generated by the self-educated?
Confirmed: The Internet Does Not Solve Global Inequality
… the Anglophone world dominates with the United States doing the lion's share of academic and user-generated publishing.
Those are the messages of the Oxford Internet Institute's new e-book, Geographies of the World's Knowledge, [Free for the iPad Bob] from which these two graphics were drawn. In the book's foreword, Corinne Flick of the Convoco Foundation reluctantly concludes that the Internet has not delivered on the hopes that it would make knowledge "more accessible."
… We're not only talking about publishing in academic journals or Wikipedia. The book's authors sampled user-generated content on Google and found that rich countries, especially the United States, dominate the production of user content.
The fact of the matter is that people without money can't afford to get the education necessary to publish in academic journals, Internet-enabled or not. The other fact of the matter is that the vast majority of people in very poor countries don't spend their time producing content for free. Hope as we might, [Hope is not a plan. What have you done. Bob] the Internet isn't a magic wand that makes the world more equal.


For my Data Mining / Data Analytics students: See, I told ya! (Also note that the “don't know what to do with it” can apply to governments.)
Study: Enterprises Want More Marketing Data, But They Don’t Know What To Do With It
Online marketers and advertising are getting access to more and more data, but that’s not enough, according to the 2012 Digital Marketing 2.0 Study commissioned by ad company DataXu.
More than 350 “enterprise decision makers” in management, marketing, communications, digital, IT and social media were surveyed, and 75 percent of them said that data will help them improve their businesses. However, 58 percent said they didn’t have the skills and technology needed to analyze marketing data, while more than 70 percent said the same about customer data.


For my students – looks like they've added a couple languages...
If you are looking to get into web-based programming, or you are already knowledgeable and are looking for a way to experiment with some code without downloading a compiler, then Codecademy is the website for you. They allow you to write and test code in three of the most popular web-based languages: Java, Ruby and Python.
For the new coder, they offer classes. They start with the basics and move up to more advanced stuff. If you have been looking for a way to break into writing code this website is great. It starts slowly and doesn’t push you into the advanced stuff too quickly.


Student research tool
If you need an all-in-one search portal for downloads, you should check out Foofind. This search engine lets you find audio, video, documents, and images through direct downloads, torrents, gnutella, and streams.


Any backup is better than no backup. Automatic backup is useful if you forget even rarely...
… SurDoc is a web service that offers people a free backup option for their digital documents. You start by creating an account on the site and then downloading its desktop client for Windows. Through the desktop client you can figure out the document syncing options and set up automatic synchronization. Your documents are uploaded to your account and can be read anywhere you have access to your SurDoc account in the site’s own reading interface. The ability to create folders and sort documents into them helps you keep things organized.
The service offers 10GB of free storage to its users and accepts all document file formats.
Similar tools: Humyo, TagMyDoc.