- "I will...explain why the confluence of at least four circumstances – (1) digital ubiquity, (2) the increasing number of parties that take part in our daily transactions, (3) the commodification and monetization of data, (4) and woefully out-of-date privacy laws – creates something of a perfect storm, leaving us as a nation poorly equipped, in our present state, to preserve any measure of a right to privacy. That is to say, I will be arguing that technology and policy both play powerful roles in framing what is possible and how we live our lives, and that changes in technology must be accompanied by changes to policy."
Saturday, May 26, 2012
Compromise of a contractor's computer system almost a year ago. What do you bet there will be no consequences to the contractor...
Computer security breach at Serco affects 123,000 Thrift Savings Plan participants
May 25, 2012 by admin
Hazel Bradford reports:
A cyber attack on a computer of a contractor for the $313 billion Thrift Savings Plan, Washington, could have compromised account information for about 123,000 plan participants, the Federal Retirement Thrift Investment Board, which oversees the plan, announced Friday.
The attack was made on a computer at Serco Inc., a contractor helping to update TSP’s disbursement system software, and was first detected by the FBI in April. [See below Bob]
Serco and the board performed a forensic analysis to see which TSP account holders were affected, concluding that 43,587 participants had personal information including Social Security numbers potentially compromised, and another 80,000 may have had their Social Security numbers accessed from the Serco computer. Those participants are being notified in letters mailed on Friday.
Read more on Pensions & Investments.
A statement posted on Serco’s site today says:
Serco Inc., a provider of professional, technology, and management services, announced today that one of its computers used in support of the Federal Retirement Thrift Investment Board (FRTIB) was subjected to a sophisticated cyber attack.
There is no evidence of any funds being diverted or identity theft resulting from the incident. An extensive forensic analysis of the data also shows no indication that the TSP network, which supports TSP’s 4.5 million participants, was subjected to unauthorized access.
In April 2012, the Federal Bureau of Investigation (FBI) informed Serco that one of its computers used in support of the FRTIB was subjected to unauthorized access. The FRTIB and Serco acted quickly and decisively to further investigate the incident, take additional steps to protect the integrity of FRTIB’s data, and ensure that FRTIB’s TSP continues to be a safe and secure retirement plan for federal employees.
FRTIB and Serco performed forensic analysis to determine which TSP participants and payees were possibly affected and the extent of the possible compromise of data. Steps taken included an immediate shut down of the compromised computer, launch of a task force involving both Serco and FRTIB senior executives to focus all capabilities and resources in a coordinated system-wide review of the protection of data, and fortification of the security systems.
… The FBI supplied data to Serco and the FRTIB that required extensive IT security expert analysis in order to determine which TSP members were potentially affected. [Suggests they had no record of the data stored on that computer? Bob] The analysis required opening and reviewing thousands of files in order to determine what personal information might be at risk and the identity of the potentially affected individuals, as well as taking further actions to determine the scope of the incident.
This incident fits with the increasing number of cyber attacks in which the goal of those seeking unauthorized access does not appear to include identity theft or financial misappropriation. [They have no idea what the hacker's motivation was Bob]
Not surprisingly, it doesn’t really say anything about the attack itself, nor when the attack occurred. At some point, Serco will need to explain why it didn’t detect the attack via its own measures or audits if it didn’t prevent it.
Update: MyFox Detroit has some additional details, including a statement that the attack occurred last July.
Another “third party” compromise? If it was the VISA network, this is gonna be HUGE!
Was it or wasn’t it hacked: conflicting reports on a possible bank hack
May 25, 2012 by admin
The accounts of hundreds of Community Bank customers may have been compromised in an apparent identity theft attempt involving debit cards.
State police investigators tell 7 News that a data base used by the bank was apparently hacked into earlier this month with personal account information of numerous north country customer accounts obtained.
The bank’s public relations firm denies that Community Bank’s computer systems were compromised.
Read more on WNYF.
Guess we’ll have to wait for more info on this one as they both can’t be right, can they?
[From the article:
Pat Spadafore of Eric Mower & Associates, acting as a spokesman for Community Bank, tells 7 News in an e-mail that the VISA debit card network was apparently compromised.
I have absolutely no pity for managers who can't even get the basics right.
"A fortnight ago the Bitcoin financial website Bitcoinica was hacked and the hacker stole $87,000 worth of Bitcoins. At the time the owner promised that all users would have their Bitcoins and US dollars returned in full, but one of the site developers has just confirmed that they have no database backups and are having difficulty figuring out what everyone's account balance should actually be. A failure of epic proportions for a site holding such large amounts of money."
May 24, 2012
Disappearing Phone Booths - Privacy in the Digital Age
Tools for Privacy advocates?
CloudFlare To Launch Service For Sites Dealing With Tortuous EU Cookie Law
Before you build a huge national biometric database...
"The iris scanners that are used to police immigration in some countries, like the UK, are based on the premise that your irises don't change over your lifetime. But it seems that assumption is wrong. Researchers from the University of Notre Dame have found that irises do indeed change over time, enough so that the failure rate jumps by 153% over three years. While that means a rise from just 1 in 2 million to 2.5 in two million, imagine how that will affect a system like India's — which already has 200 million people enrolled — over 10 years."
Is this an indication that teachers are unable to accurately record attendance? More likely, they hope students give their “chips” to classmates when they are going to miss school so the school can count them for “attendance related funds.” See, it's not about the students, it's about the money!
Texas schools expand RFID chipping of students
May 25, 2012 by Dissent
Back in October 2010, I commented on a news report out of Houston on the use of RFID tags with students. Yesterday, Francisco Vara-Orta reported on the situation in San Antonio.
As I anticipated when I wrote, “the student’s RFID tag will register them as ‘in school’ and track their location throughout the day so that the district can get all of its attendance-related funds from the state,” that appears to be precisely the motivation in San Antonio.
Here’s the kicker:
Texas Education Agency spokeswoman DeEtta Culbertson said no state law or policy regulates the use of such devices and the decision is up to local districts.
It might behoove the state to come up with some guidelines or regulations about where such tracking cannot be used and for how long data can be retained…. or whether it can be shared.
And if RFID tagging is used for attendance monitoring, does that make it part of the student’s education record subject to FERPA??
An interesting expansion of liability. Would a smarter lawyer have tried for “conspiracy?”
"After mowing down a motorcycling couple while distracted by texting, Kyle Best received a slap on the wrist. The couple's attorney then sued Best's girlfriend, Shannon Colonna, for exchanging messages with him when he was driving. They argued that while she was not physically present, she was 'electronically present.' In good news for anyone who sends server-status, account-alerts or originates a call, text or email of any type that could be received by a mobile device, the judge dismissed the plaintiff's claims against the woman."
Interesting. I wonder if Colorado has a secret court? (Should we really believe that defense lawyers have never heard of this?)
Washington lawyers challenge secret court proceedings
May 25, 2012 by Dissent
Gene Johnson reports:
A defense lawyer in Eastern Washington was reading a detective’s statement in his client’s drug case when he came across a curious line. In asking to search the man’s house and cars, the detective revealed that he had already seen the defendant’s bank records.
That’s odd, thought the lawyer, Robert Thompson of Pasco. There’s no search warrant for the bank records. How’d he get them?
The answer — with a subpoena secretly issued by a judge — provides a window into the little-known use of “special inquiry judge proceedings” in Benton County and across the state. Prosecutors who use them say the proceedings are authorized by state law, make for more efficient investigations and have plenty of judicial oversight, but Thompson and other defense attorneys say they raise questions about privacy, accountability and the open administration of justice.
Read more on Seattle PI.
[From the article:
The proceedings, created by the Legislature in 1971, function as grand juries without the grand jury: At the request of a prosecutor, a judge can secretly hear from witnesses, review evidence or issue subpoenas based on a reasonable belief that someone "may be able" to provide testimony or evidence.
… Witnesses can be compelled to testify, but are immune from prosecution for what they say — important in complex public corruption or organized crime investigations. If no charges are ever filed, no one aside from those involved ever learns the proceedings occurred.
Managers: monitor your IT environment!
Spiceworks Eyes Skunkworks, Keeps Tabs on Cloud
Bring-your-own-device (BYOD) may be the concern du jour — what with employees’ devices running any old app they please — but what about the cloud creep into the workplace via that skunkworks project?
… With Spiceworks 6.0, IT pros can automatically scan their networks for more than 40 popular cloud services “to see exactly which cloud services are in use and by whom, providing an extra layer of control over sensitive resources,” the company said in a press release on Thursday.
For my Computer Security students
… Sure, your files may be encrypted in transit and on the cloud provider’s servers, but the cloud storage company can decrypt them — and anyone that gets access to your account can view the files. Client-side encryption is an essential way to protect your important data without giving up on cloud storage.
For my “smartphone-enabled” students, who, as it happens, are most of them.
TinyVox takes a retro tape recorder and turns it into a digital format app for the very popular devices, iOS and Android. The app can be quickly used to make notes, record quotes from a friend or just make an audio log to share and promote with your friends.
A techno-sea change?
"Dallas Mavericks owner and media entrepreneur Mark Cuban thinks he knows the reason for Facebook's disappointing IPO; smart money has realized that 'mobile is going to crush Facebook', as the world's population increasingly accesses the Internet mostly through smartphones and tablets. Cuban notes that the limited screen real estate hampers the branding and ad placement that Google and Facebook are accustomed to when serving to desktop browsers, while phone plans typically have strict data limits, so subscribers won't necessarily take kindly to YouTube or other video ads. Forbes' Eric Jackson likewise sees a generational shift to mobile that will produce a new set of winners at the expense of Facebook and Google."
I want one!
Microsoft to Offer 80-Inch Windows 8 Tablets for Offices
“Steve Ballmer has an 80-inch Windows 8 tablet in his office. He’s got rid of his phone, he’s got rid of his note paper. It’s touch-enabled and it’s hung on his wall.”
Friday, May 25, 2012
Never contradict the Attorney General...
By Dissent, May 24, 2012
It started with an announcement in July 2010 that computer backup tapes with data on 800,000 were missing. It proceeded to confusion as to what business associates or vendors were involved and the sequence of events. But things started getting really ugly over a dispute between South Shore Hospital and the Massachusetts Attorney General’s Office, who objected to the hospital’s position that it did not have to provide individual notice. Today, the Attorney General’s Office announced that the hospital would pay $750,000 to settle charges against it under HIPAA and state laws over the data breach:
South Shore Hospital has agreed to pay $750,000 to resolve allegations that it failed to protect the personal and confidential health information of more than 800,000 consumers, Attorney General Martha Coakley announced today. The investigation and settlement resulted from a data breach reported to the AG’s Office in July 2010 that included individual’s names, Social Security numbers, financial account numbers, and medical diagnoses.
“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form,” AG Coakley said. “It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”
The consent judgment approved today in Suffolk Superior Court includes a $250,000 civil penalty and a payment of $225,000 for an education fund [Never contradict the Attorney General... Bob] to be used by the Attorney General’s Office to promote education concerning the protection of personal information and protected health information. In addition to these payments, the consent judgment credits South Shore Hospital for $275,000 to reflect security measures it has taken subsequent to the breach.
The lawsuit was filed under the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act.
In February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted back-up computer tapes with 800,000 individuals’ personal information and protected health information off-site to be erased. [This part could be done on-site Bob] The hospital contracted with Archive Data Solutions to erase the back-up tapes and resell them.
The hospital did not inform Archive Data, however, that personal information and protected health information was on the back-up computer tapes nor did South Shore Hospital determine whether Archive Data had sufficient safeguards in place to protect this sensitive information. Multiple companies handled the shipping of the boxes containing the tapes.
In June 2010 South Shore Hospital learned that only one of the boxes arrived at its destination in Texas. The missing boxes have not been recovered although there have been no reports of unauthorized use of the personal information or protected health information of affected individuals to date.
The allegations against South Shore Hospital in the lawsuit are based on both federal and state law violations, including failing to implement appropriate safeguards, policies, and procedures to protect consumers’ information, failing to have a Business Associate Agreement in place [That is required by law? Bob] with Archive Data, and failing to properly train its workforce with respect to health data privacy.
According to the consent judgment, South Shore Hospital has also agreed to take a variety of steps in order to ensure compliance with state and federal data security laws and regulations, including requirements regarding its contracts with business associates and third-party service providers engaged for data destruction purposes. The hospital also agreed to undergo a review and audit of certain security measures and to report the results and any corrective actions to the Attorney General.
If you want to make a “world class security screw-up” this is the model to follow...
"Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic. The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer. ... Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."
This screw-up is merely “New Jersey class.” It points out how easy it is to start hacking, but omits the warning that much of this could have been spoofed.
"The mayor of West New York, New Jersey was arrested by the FBI after he and his son illegally took down a website that was calling for the recall of mayor Felix Roque (the site is currently down). From the article: 'According to the account of FBI Special Agent Ignace Ertilus, Felix and Joseph Roque took a keen interest in the recall site as early as February. In an attempt to learn the identity of the person behind the site, the younger Roque set up an e-mail account under a fictitious name and contacted an address listed on the website. He offered some "very good leads" if the person would agree to meet him. When the requests were repeatedly rebuffed, Joseph Roque allegedly tried another route. He pointed his browser to Google and typed the search strings "hacking a Go Daddy Site," "recallroque log-in," and "html hacking tutorial."'" [Be careful what you Google... Bob]
(Related) I think it's safe to assume that “Hillary's Hackers” are more sophisticated than “some guy from Jersey” but think of the minimum required to join the Jihad...
"In the growing Al-Qaeda activity in Yemen, Secretary of State Hillary Clinton revealed today that 'cyber experts' had recently hacked into web sites being used by an Al-Qaeda affiliate, substituting the group's anti-American rhetoric with information about civilians killed in terrorist strikes. Also this week, a statement from the Senate Committee on Homeland Security and Governmental Affairs revealed the presence of an Al-Qaeda video calling for 'Electronic Jihad.'"
Can you imagine what the people who run China think of 1,000,000,000 people who can communicate in real time? How does that change the political dynamic? (Does democracy start with the Tweet: “I'm not going to take this any more. Who is with me?”)
China rules the mobile world with 1 billion users
According to The Next Web, the Chinese government has officially announced that it now has more than 1 billion mobile phone users.
For comparison, the U.S. looks measly with just more than 330 million users, according to numbers from the CTIA wireless association.
Google Says It Removes 1 Million Infringing Links Monthly
Each month, Google removes more than 1 million links to infringing content such as movies, video games, music and software from its search results — with about half of those requests for removal last month coming from Microsoft.
The search and advertising giant revealed the data Thursday as it released sortable analytics on the massive number of copyright takedown requests it receives — adding to its already existing data on the number of times governments ask for users’ personal data.
The Mountain View, California-based company removes links to comply with the Digital Millennium Copyright Act. The DMCA requires search engines to remove links to infringing content at a rights holder’s request or else face liability for copyright infringement itself. Google said it complies with about 97 percent of requests, which are submitted via an online form and usually approved via a Google algorithm.
… Google rejected some of the requests, Fred von Lohmann, Google’s senior copyright attorney said, because “the form is incomplete, the web page doesn’t exist or we look at it and say we don’t think it is infringing.”
The top rights holders demanding removal of links were Microsoft, at 543,000 last month, the British Recorded Music Industry at 162,000 and NBC at 145,000. The top targeted sites hosting allegedly infringing content were filestube.com at more than 43,000, torrents.eu at more than 23,000, and 4shared.com at more than 22,000.
The Pirate Bay, the most notorious online haven for copyrighted content, came in at an unimpressive 13th place, with 10,245 requests for takedowns of links to the site.
… Overall, Google received 1.24 million requests from 1,296 copyright owners for removal the past month. They targeted 24,129 domains.
… But before the removal process became automated, Google said in a blog post that it removed less than 250,000 links in all of 2009. [Indication that the requester's end is also automated? Bob]
Something to think about...
The Future of Scholarship: Easier, Harder, and With More Charlatans
… Fifteen years ago my laptop was surrounded by books, some of which I owned, some I had checked out from my college's library or from the local public library, some I had ordered from other libraries. And then there were the photocopied articles, so many that I had organized them roughly by subject and gathered them into three-ring binders.
… Now I still have books around, but in far smaller stacks, and no photocopies at all. Instead, I have thirty or more browser tabs open, containing articles from JSTOR or Project Muse, full-length texts on Google Books and Project Gutenberg, Amazon.com pages containing all the notes I've made in the Kindle books I've used for research, plus a number of "Look Inside!" pages from Amazon. I even have Amazon pages open for books sitting on my desk. There's no Kindle edition of Diarmaid MacCulloch's magisterial biography of Thomas Cranmer, but if I'm looking for a particular passage in it, looking through my underlined and annotated paper copy is just too slow: I type a keyword or two into the "Look Inside" search box and get the relevant page number instantly. Often I type in a quotation from the webpage instead of from the book because it's faster and easier than trying to find a way to prop the book open. Probably half of the sources I draw on in my research are still from print, but I spend 80 percent or more of my working time looking at my laptop screen. I still use a lot of books, but I spend less and less time in them, and more and more time with digital text (even when I have hard copies of the books).
… So how do these changes matter? How do they affect the work of writing, and how we think about the work of writing? I think there are three major ways.
1) They make research -- and getting the research into my documents -- much easier and faster.
2) They make it less defensible to cut corners. If I read in a modern book or article a quotation from an old book or article, chances are I can find that original source online: if it's a book, it's likely to be in Google Books or some other site, and if it's an article, the digital archives of periodicals are increasingly complete. There's really no good excuse for failing to track down that original source to make sure it hasn't been quoted inaccurately or out of context, and to see if it contains other useful material.
3) They make it easier to fake erudition. It has never been nearly so easy to give yourself the appearance of learning you do not really have. … Instead of citing one source for a given idea I can cite five. If I have gotten information from a commonly-used source I can often track down a much older and more obscure citation for it.
Thursday, May 24, 2012
If it's evidence, shouldn't he already have access? If not, what crime are we talking about? Another look at “self-incrimination by password” (Lots of comments suggest this is being followed closely...)
"On Wednesday, Kim 'Dotcom' Schmitz and his legal team visited the High Court in Auckland, New Zealand, to demand access to the data stored on his computers and hard drives that were confiscated during the police raid, and also requested a judicial review of the general legality of the search warrants police used to raid his mansion. Dotcom's lawyer, Paul Davison, argued that his client needs the data for a few reasons: To mount a 'proper defense' case, to fight possibly being extradited to the U.S., and also to show that 'excessive police action' was used during the raid. Dotcom could prove this in court because the entire raid was recorded by CCTV data, which is stored on Dotcom's confiscated computers. Even though the FBI demanded Dotcom turn over the passwords for Megaupload's encrypted data, he refuses to give up any passwords until he can regain access to his seized property."
Quick question: If they can't locate the phone, how can they claim to be “following” someone using GPS?
"The Oakland Tribune reports that when Berkeley police Chief Michael Meehan's son's cell phone was stolen from a school locker in January, ten police officers were sent to track down the stolen iPhone, with some working overtime at taxpayer expense. 'If your cell phone was stolen or my cell phone was stolen, I don't think any officer would be investigating it,' says Michael Sherman, vice chairman of the Berkeley Police Review Commission, a city watchdog group. 'They have more important things to do. We have crime in the streets.' But the kicker is that even with all those cops swarming around, looking for an iPhone equipped with the Find My iPhone tracking software, police were not able to locate the phone. 'If 10 cops who know a neighborhood can't find an iPhone that's broadcasting its location, that shouldn't give you a lot of confidence in your own vigilante recovery of a stolen iProduct,' writes Alexis Madrigal. 'Just saying. Consider this a PSA: just buy a new phone.'"
The service tracks more than 1,400 websites, including popular websites like Google, Facebook and many others. Each website gets a rating out of 100, the highest being the most secure and the lowest being the website most likely to share your information with their advertisers, marketing partners or any third party company. The score given to websites is based on how their policies protect your personal information, and how many companies track users when they visit any website.
One of the modern joys of parenting?
MN: Undisclosed Number of Century Middle School Students Suspended
Derrick Williams reports:
An unidentified number of Century Middle School students have been suspended due to a May 22 incident in which an inappropriate photo was digitally disseminated around the school’s student community.
Lakeville Area Public School officials have acknowledged the incident and also said the Lakeville Police Department and Dakota County Attorneys Office are investigating the matter.
Read more on Lakeville Patch and then explain to me why the school district couldn’t just handle this without police involvement.
(Related) Told ya! Any self-respecting caveman wanted an iPhone...
The Urge to Sext Naked Self-Portraits Is Primal
Over the past two years, more photographs of bare-naked celebrity anatomy have been leaked to the public eye than over the previous two centuries: Scarlett Johansson snapping a blurry self-portrait while sprawled on her bed, Vanessa Hudgens posing for a cellphone in a bracelet and a smile, Congressman Wiener touting a Blackberry and a mirror in the House Members Gym, Jessica Alba, Christina Aguilera, Miley Cyrus, Ron Artest, Charlize Theron, Chris Brown, Brett Favre, Rihanna, Pete Wentz, Ke$ha, and dozens more.
This flood of celebrity skin has prompted folks to wonder, ‘Why are so many famous people exhibitionists?’ The source of all this au naturel flaunting lies not in the culture of fame, but in the design of our sexual brains. In fact, research has unveiled two distinct explanations: Female exhibitionism appears to be primarily cortical, while male exhibitionism is mainly subcortical.
“The desire of the man is for the woman,” Madame de Stael famously penned, “The desire of the woman is for the desire of the man.” Being the center of sexual attention is a fundamental female turn-on dramatized in women’s fantasies, female-authored erotica, and in the cross-cultural gush of sultry self-portraits.
What a shock! (EU-wide numbers are due soon)
IE: Invasion of privacy
May 24, 2012 by Dissent
Conor Ryan reports:
Gardaí, the Defence Forces, and Revenue Commissioners are accessing record levels of private landline, mobile phone, and internet records.
The latest available figures show authorities accessed more than 40 private communications each day in 2010 — compared with 31 per day a year earlier.
Read more on Irish Examiner. The report is replete with statistics from a government report and will be of interest to privacy advocates.
This is but one of many “ills” that would be cured if the municipality owned the “cable” and allowed anyone to use it for a fee.
Digital Rights Groups Defend Antenna-Based Internet TV Service
Public Knowledge and the Electronic Frontier Foundation, in a friend-of-the-court brief, said the courts should not shutter Aereo, as broadcasters are asking, simply because there is no federal licensing scheme yet for internet streaming of over-the-air broadcasts (one exists for cable companies).
Aereo’s New York customers basically rent two tiny antennas, each about the size of a dime. Tens of thousands of the antennas are housed in a Brooklyn data center. One antenna — unique to a customer — is used when a customer wants to watch a program in real time from a computer, tablet or mobile phone. The other works with a DVR service to record programs for later online viewing.
Aereo, which offers the service free but plans to charge about $12 monthly, does not divulge the number of its customers.
Do I care?
For my students. For example, I carry a thumb drive with my favorite browser (configured the way I like it) to every place I access the Internet.
Portable apps have a huge place in my geeky heart simply because they are quite numerous (if you don’t believe me, check out the Best Portable Apps here). They don’t modify the registry, and can be used in different Windows machines (though there are portable apps for Linux as well).
“We don't need no stinking classrooms!” What is still needed is a way to “certify” that we have learned something.
… Education and learning should be a lifelong process and the Internet is your chance to get a university level education for free, regardless of where you are in life. This article introduces you to the three best websites to get started.
Fans of YouTube, check out these articles:
Wednesday, May 23, 2012
Anyone up for some light summer reading? Justice Statistics reports things like crime studies, not details of ongoing investigations.
Hackers associated with well known hacker-activist group “Anonymous Operations” have released a massive cache of data they say was obtained when they hacked a website belonging to the United States Department of Justice. “Today we are releasing 1.7GB of data that used to belong to the United States Bureau of Justice, until now,” Anonymous wrote in a statement on its website. The hackers claim the file contains emails as well as “the entire database dump” from the DOJ website.
… The Justice Department confirmed the breach in a statement given to ZDNet. “The department is looking into the unauthorized access of a website server operated by the Bureau of Justice Statistics that contained data from their public website,” a DOJ spokesperson said. “The Bureau of Justice Statistics website has remained operational throughout this time. The department’s main website, justice.gov, was not affected.”
The 1.7GB file containing data Anonymous says it obtained during the DOJ breach is available for download as a torrent.
Food for thought. Will customers agree that there is a difference in outcome between hacking and social engineering? What kind of hacker deletes the data on the victim's database, but publishes it elsewhere? (How good are their backups?)
WHMCS victim of social engineering; over 500,000 client records stolen, deleted from server, and dumped publicly
May 22, 2012 by admin
Why hack when you can socially engineer employees into giving you the keys to the kingdom?
Client management billing platform WHMCS reports that hacker group UGNazi successfully socially engineered their web hosting firm into providing the hackers with admin credentials. The hackers then proceeded to acquire their data, delete it, and dump it.
The attack took place yesterday, and within hours, WHMCS had reported the problem on their blog. Later in the day, developer Matt Pugh posted an update:
The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.
This means that there was no actual hacking of our server. They were ultimately given the access details.
This is obviously a terrible situation, and very unfortunate, but rest assured that this was no issue or vulnerability with the WHMCS software itself.
According to John Leyden of The Register:
UGNazi also gained access to WHMCS’s Twitter account, which it used to publicise a series of posts on Pastebin that contained links to locations from which the billing firm’s customer records and other sensitive data might be downloaded. A total of 500,000 records, including customer credit card details, were leaked as a result of the hack.
In an email to their clients today, WHMCS wrote:
Date: 22 May 2012 01:40:03 GMT-03:00
Subject: Urgent Security Alert – Please Do Not Ignore
Unfortunately today we were the victim of a malicious social engineering attack which has resulted in our server being accessed, and our database being compromised.
To clarify, this was no hack of the WHMCS software itself, nor a hack of our server. It was through social engineering that the login details were obtained.
As a result of this, we recommend that everybody change any passwords that they have ever used for our client area, or provided via support ticket to us, immediately. Regrettably as this was our billing system database, if you pay us by credit card (excluding PayPal) then your card details may also be at risk.
This is just a very brief email to alert you of the situation, as we are currently working very hard to ensure everything is back online & functioning correctly, and I will be writing to you again shortly.
We would like to offer our sincere apologies for any inconvenience caused. We appreciate your support, now more than ever in this challenging time.
But UGNazi was not done interfering with WHMCS’s business. In an update to their blog today, Matt writes:
Right now to compound matters, we are experiencing a large scale DDOS attack, which started at around 1am last night, and continues to this moment, so accessing the site may be intermittent for the time being due to the protection hardware that has been put in place for that.
According to Ted Samson of InfoWorld, client passwords:
were stored in a hash format, and the credit card information was encrypted — but evidently not PCI-compliant, a point raised by WHMCS clients on the company’s forum. “Any support ticket content may be at risk — so if you’ve recently submitted any login details in tickets to us, and have not yet changed them again following resolution of the ticket, [so] we recommend changing them now,” Pugh cautioned.
Reportedly, WHMCS lost the previous 17 hours’ worth of support tickets and new orders from the attack.
There has been no statement from the hosting firm.
Is there a government somewhere that doesn't think they have the right to intrude on their citizens?
White Paper on Governmental Access to Data in the Cloud Debunks Faulty Assumption That US Access is Unique
Hogan Lovells has published a White Paper with the results of a study about governmental access to data in the cloud. The paper was written by Christopher Wolf, co-director of Hogan Lovells’ Privacy and Information Management practice, and Paris Office partner Winston Maxwell. It was released today at a program presented by the Openforum Academy in Brussels at which both Wolf and Maxwell spoke.
The paper examines governmental authority to access data in the Cloud in the following countries: Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, United Kingdom, and the United States. Experienced counsel in each of those jurisdictions provided input on the scope and effect of their respective national laws.
The White Paper debunks the frequently-expressed assumption that the United States is alone in permitting governmental access to data for law enforcement or national security reasons. It examines the laws of the ten countries, including the United States, with respect to governmental authorities’ ability to access data stored in or transmitted through the Cloud, and documents the similarities and differences among the various legal regimes. The findings are set forth in the text of the White Paper and in a chart contained in the document.
Read more on Hogan Lovells Chronicle of Data Protection.
(Related) Since the answer to my question is most likely “No!”
FBI quietly forms secretive Net-surveillance unit
Declan McCullagh reports:
The FBI has recently formed a secretive surveillance unit with an ambitious goal: to invent technology that will let police more readily eavesdrop on Internet and wireless communications.
The establishment of the Quantico, Va.-based unit, which is also staffed by agents from the U.S. Marshals Service and the Drug Enforcement Agency, is a response to technological developments that FBI officials believe outpace law enforcement’s ability to listen in on private communications.
Read more on CNET.
Is this also related? Does the outline come with 17 pages of “or else?”
"Canada's proposed Internet surveillance was back in the news last week after speculation grew that government intends to keep the bill in legislative limbo until it dies on the order paper. This morning, Michael Geist reports that nearly all of the major Canadian telecom and cable companies have been secretly working with the government for months on the Internet surveillance bill. The secret group has been given access to a 17-page outline (PDF) of planned regulations and raised questions of surveillance of social networks and cloud computing facilities."
Hummm. How important is “Opt Out” to Facebook? If there was a chance the judge would have required “Opt In,” Facebook may have settled at almost any cost.
Facebook Settling ‘Sponsored Stories’ Privacy Lawsuit
Facebook is agreeing in “principle” to settle allegations that its “Sponsored Stories” advertising platform breached its users’ privacy.
Terms of the deal (.pdf) were not immediately disclosed. The suit, (.pdf) filed in April 2011, claimed that the social-networking site did not adequately provide a way to opt out of the advertising program that began in January 2011.
Sponsored stories work like this: If a Facebook user “likes” an advertiser, that user’s profile and picture may appear on some of their friends’ Facebook pages — in ads — stating that the person, indeed, “likes” that advertiser. Facebook also reserves the right to do this on ads that appear on sites other than Facebook, though it has not done that.
What does IBM know that we should know?
IBM Outlaws Siri, Worried She Has Loose Lips
If you work for IBM, you can bring your iPhone to work, but forget about using the phone’s voice-activated digital assistant. Siri isn’t welcome on Big Blue’s networks.
The reason? Siri ships everything you say to her to a big data center in Maiden, North Carolina. And the story of what really happens to all of your Siri-launched searches, e-mail messages and inappropriate jokes is a bit of a black box.
IBM CIO Jeanette Horan told MIT’s Technology Review this week that her company has banned Siri outright because, according to the magazine, “The company worries that the spoken queries might be stored somewhere.”
Does the FCC's job include “approving” certain business strategies? Will they ban “I'm so cost efficient, I can lower my rates and make those other guys look like the price gougers they are.”
"FCC Chairman Julius Genachowski has publicly backed usage-based pricing for wired internet access at the cable industry's annual NCTA Show. He makes the claim that it would drive network efficiency. Currently most internet service providers charge a flat fee and price their packages based on the speed of the service, while wireless providers are reaping record profits by charging based on usage, similar to the way utilities charge for electricity. By switching to this model, the cable companies can increase their profitability while at the same time blocking consumers from cutting the cord and getting their TV services online."
Oops? I kind of doubt it.
"After losing another 8.9% of its IPO value in its third day of trading, SEC Chairman Mary Schapiro has called for a review of the circumstances surrounding Facebook's IPO on the NASDAQ late last week. Unable to sell Facebook short, investors have instead taken to short-selling funds that owned pre-IPO shares as revelations come out that the underwriters involved revised their Facebook profit forecasts downward in the days before the offering without similarly revising the opening share price. Meanwhile, Thomson Reuters Starmine has come out with a post-party Facebook estimate of a meager 10.8 per cent annual growth rate, valuing the stock at a paltry $US9.59 a share, a 72 per cent discount on its IPO price, signaling that the battered stock may not have found the bottom yet."
Nasdaq expresses regret over Facebook IPO
Nasdaq would have delayed Facebook's IPO to address technical problems had it known the extent they would affect its trading system, a senior official for the exchange told customers today.
For my Website students.
"Mozilla has announced Webmaker, a web development initiative aimed at teaching the average user the building blocks of the web. Users can join a 'code party' and learn web development with provided authoring tools, and existing developers can volunteer to run their own events. To kick it off, Mozilla is announcing the Summer Code Party starting June 23."
Psst. Don't tell anyone.
NSA Teams Up With Colleges to Train Students for Secret Cyber-Ops Jobs
The National Security Agency is partnering with select universities to train students in cyber operations for intelligence, military and law enforcement jobs, work that will remain secret to all but a select group of students and faculty who pass clearance requirements, according to Reuters.
The cyber-operations curriculum is part of the Obama administration’s national initiative to improve cybersecurity through education, and is designed to prepare students for jobs with the U.S. Cyber Command, the NSA’s signals intelligence operations, the Federal Bureau of Investigation and other law enforcement agencies that investigate cyber crimes.
Perhaps my Psych students could create an App for that?
"Researchers led by Sriram Chellappan from the Missouri University of Science and Technology, collected internet usage data from 216 college students enrolled at the university. The usage data was collected anonymously without interfering with the students' normal internet usage for a month. The students were tested to see if they had symptoms of depression and analyzed internet usage based on the results. Depressed students tended to use the internet in much different ways than their non-depressed classmates. Depressed students used file-sharing programs, like torrents or online sharing sites, more than non-depressed students (PDF). Depressed students also chatted more and sent more emails out. Online video viewing and game playing were also more popular for depressed students."
For all my students...
May 22, 2012
Google Search Education
Help your students become better searchers: "Web search can be a remarkable tool for students, and a bit of instruction in how to search for academic sources will help your students become critical thinkers and independent learners. With the materials on this site, you can help your students become skilled searchers- whether they're just starting out with search, or ready for more advanced training."
Is this why so many of my fellow teachers are Luddites? Who do they think teaches the machines?
"A study at six universities found that students taught statistics mainly through software learned as much as peers taught primarily by humans. And the robots got the job done more quickly. '... our results indicate that hybrid-format students took about one-quarter less time to achieve essentially the same learning outcomes as traditional-format students.' They add, 'There is every reason to expect these systems to improve over time, perhaps dramatically, and thus it is not foolish to believe that learning outcomes will also improve.'"
I have a few dozen lists of resources specific to the classes I teach, so this looks very interesting to me.
Learnist is a new site (still in beta) that aims to be like Pinterest but for sharing learning resources. On Learnist you can create pinboards of materials organized around a topic. You can create multiple boards within your account and make your boards collaborative. You can pin images, videos, and text to your boards by using the Learnist bookmarklet, by manually entering the URL of a resource, or by uploading materials to your boards. Take a look at the video below for a brief introduction to Learnist.
Learnist is still in a closed beta period so you will have to apply for an invitation (I got mine in a few days). Once you're in you can start following members of your professional learning community and collaborating on the collation of resources that are beneficial to you and your students.
Not to be confused with...
College students can use all the educational resources they can get their hands on. While books and notes go a long way, sometimes having somebody visually explain the material uniquely helps.
LearnersTV is a free to use web service that offers video lectures on a variety of subjects and topics. Covered subjects include biology, chemistry, physics, mathematics, statistics, computer science, medicine, dentistry, engineering, accounting, and management. You simply click on a subject and then a topic; you are shown a list of lectures that are appropriately ordered and labeled. Click on a lecture title to start viewing it.
Tuesday, May 22, 2012
Local boy goes east... Will he be able to explain Privacy to the FCC? Or will he fall victim to Potomac Phever? Stay tuned!
Paul Ohm to Join FTC Targeting Web, Mobile
Julia Angwin breaks the great news:
Paul Ohm, a law professor and privacy expert at the University of Colorado, is expected to join the Federal Trade Commission in August as a senior policy adviser focusing on Internet and mobile markets, according to people familiar with the situation.
The appointment signals the agency’s continued commitment to bringing privacy and technology related cases. In the past year, the FTC has forged 20-year privacy agreements with Internet giants Google, Facebook and MySpace.
Ohm is a former federal computer crimes prosecutor and an expert in information privacy. His 2010 paper, “Broken Promises: Responding to the Surprising Failure of Anonymization” sparked a global reassessment of privacy standards.
Read more on WSJ.
You only need to read a few of these articles to become an expert on BYOD (more knowledgeable than 0.00001 percent of all computer security managers).
...and when we're not arresting all those Mormon drug dealers, we can look for guys driving down the highway followed by six cars full of wives.
"Everyone driving on Interstate 15 in southwest Utah may soon have their license plate scanned by the U.S. Drug Enforcement Administration. The DEA and two sheriffs are asking permission to install stationary license plate scanners on the freeway in Beaver and Washington counties. The primary purpose would be to catch or build cases against drug traffickers, but at a Utah Legislature committee meeting Wednesday, the sheriffs and a DEA representative described how the scanners also could be used to catch kidnappers and violent criminals. That, however, wasn't the concern of skeptical legislators on the Law Enforcement and Criminal Justice Interim Committee. They were worried about the DEA storing the data for two years and who would be able to access it."
It seems everyone thinks of Privacy only in passing (if at all).
Our privacy may be worth more to Facebook than the courts
If you thought your privacy didn’t mean much to businesses, wait until you hear what a court thinks it’s worth.
Today was the sentencing hearing for Dharun Ravi, the former Rutgers student who was convicted of invading Tyler Clementi’s privacy via web cam and then letting others know via tweets. Clementi was humiliated and a few days later, committed suicide. Ravi was not charged with causing Clementi’s death, but the elephant in the room throughout the entire trial was that if Ravi had not done what he did, Clementi would not have killed himself.
There may be more to that part of the story than came out in court, however, as today, both the defense counsel and Ravi’s father alluded to non-public information that would presumably call into question any causal relationship between Ravi’s actions and Clementi’s suicide.
In any event, the sentencing was to be for the counts on which Ravi was convicted, which included invasion of privacy, bias intimidation, and attempting to destroy evidence and tamper with witnesses to cover up the crimes.
So what’s all that worth in terms of serious jail time? Well it seems that:
If you criminally invade someone’s privacy – and even attempt to do it again…. and
If you’re found guilty of invasion of privacy… and
If you not only invade privacy but broadcast what you’ve learned to others…. and
If the person whose privacy you invaded is in a protected class and you are convicted of a bias crime… and
If you lie to prosecutors and attempt to cover up your crime….
Then you get 30 days in jail, 300 hours of community service, and a $10,000 fine to be used to assist victims of bias crimes.
So if we extrapolate from Judge Berman’s sentence today, you can commit a whole bunch of crimes and the grand total of jail time will be 30 days. Note that you could have gotten up to 10 years and possible deportation.
In explaining himself, Judge Berman didn’t even spend that much time discussing the privacy invasion aspect. He focused more on the bias aspect, the attempt to cover up the crime, and Dharun Ravi’s failure to offer satisfactory apologies to the people who were hurt by his actions.
Indeed, the judge’s lack of emphasis on privacy may have led Danielle Citron to claim that
For his conviction on witness- and evidence-tampering and lying to the police, Ravi will serve 30 days in jail. For the hate crimes charge and sentence enhancement, Ravi was sentenced to three years’ probation, 300 hours of community service, counseling on cyber bullying and alternative lifestyles, and payment of $11,000 to a group that helps victims of bias crimes.
In her entire blog post on the sentencing, Danielle didn’t mention privacy once. And that’s somewhat understandable because Judge Berman did not seem to focus on it, either.
Judge Berman had a chance to send a strong message about privacy. And if he wanted to temper justice with mercy, he could have sentenced Ravi to taking a course on privacy and not just one on cyberbullying or bias. His failure to fully address the implications of privacy violations was disappointing, to say the least.
What a shame privacy was the poor cousin in the court today.
Companies may not be willing to fight to a subpoena to protect customer privacy, but do they need to be so eager to comply?
"In one of the mass 'John Doe' cases based on single BitTorrent downloads of films, Malibu Media v. Does 1-13, a pro se litigant made a motion to quash the subpoena. The Court granted a stay of the subpoena, pending its decision on the motion to quash. Unfortunately for John Doe, Verizon had turned over its subscribers' identities 5 days BEFORE the response was due, thus possibly mooting both the stay and the motion to quash. Fortunately for John Doe, the Judge wasn't too happy about this, ordered the information sealed, directed plaintiff's lawyers to destroy any copies, and ruled that they can't use the information unless and until the Court denies the motion to quash."
Not a surprise, is it? They have to keep trying until they get a law that covers what they are already doing.
Wyden: White House-backed cybersecurity bill sacrifices privacy
Brendan Sasso and Andrew Feinberg report:
Sen. Ron Wyden (D-Ore.) warned on Monday that the Senate’s cybersecurity legislation is an “overreaction” that would undermine Americans’ right to privacy.
He said the legislation, which is supported by the White House, shares some of the same “defects” as the House’s Cyber Intelligence Sharing and Protection Act (CISPA).
He said both the House and Senate bills “subordinate all existing privacy rules and constitutional principles to the poorly defined interest of ‘cybersecurity.’”
Read more on The Hill.
Google to respond in a few weeks...
May 21, 2012
EU Announces Preliminary Conclusions on Google Antitrust Investigation
News release, Joaquín Almunia Vice President of the European Commission responsible for Competition Policy: "In November 2010, the Commission launched an antitrust investigation into allegations that Google had abused a dominant market position. This followed a number of complaints. We have looked at those complaints and at others we received since the opening. And we have conducted a large-scale market investigation... Our investigation has led us to identify four concerns where Google business practices may be considered as abuses of dominance...[snipped]
- First, in its general search results on the web, Google displays links to its own vertical search services.
- Our second concern relates to the way Google copies content from competing vertical search services and uses it in its own offerings. Google may be copying original material from the websites of its competitors such as user reviews and using that material on its own sites without their prior authorisation.
- Our third concern relates to agreements between Google and partners on the websites of which Google delivers search advertisements.
- Our fourth concern relates to restrictions that Google puts to the portability of online search advertising campaigns from its platform AdWords to the platforms of competitors."
YouTube Users Now Uploading 72 Hours of Video Per Minute
Perspective (For my lecture on unbiased statistics)
"Despite continued pressure on business users to buy legitimate software, the Business Software Alliance (BSA) reports that the campaign seems to be failing. Well over half (57%) of users surveyed in a global survey admit to using pirated software. That's a big increase from the same survey last year — when 43% admitted to using pirated software. The BSA surveyed 15,000 people in 33 countries."
As I get older, I think about living for a long time. (Or the alternative) This article suggests I can do that by burying my head in the sand and avoiding all human activity, therefore I announce my intention to run for Congress!
Ancient life, potentially millions of years old and barely alive, found beneath ocean floor
Call it survival of the slowest: Extraordinarily old, bizarrely low-key bacteria have been found in sediments 100 feet below the sea floor of the Pacific Ocean, far removed from sunlight, fresh nutrients and what humans would consider anything interesting to do.
Improvements suggested by the 'legal search' experts?
May 21, 2012
Google Scholar Gets a New Look
Google Scholar Blog: "We've recently been experimenting with a new modern look for Scholar search results. Many of you have already tried the new look and have offered valuable suggestions, which we've done our best to incorporate. Thank you for your time and patience! It is time...to launch the new modern look of our search pages and retire the old venerable look that has served researchers worldwide since our first release in 2004. Tried and true as the old look might be, it's time for a refresh. The new modern look brings you improved aesthetics and easier access to frequently used search features. You can now search for recent papers with a single click in the sidebar. You can access advanced search features (for example: search by author) without leaving the search results page by clicking the arrow in the right of the search box. Here's a quick overview of the changes..."
A few interesting twists...
While it touts itself as an online e-book publisher, Booktango also offers a well-optimized e-book editor for the iPad and other tablet devices.
Booktango generates different formats of your book so that you can sell them online. You can sell directly through the Booktango platform and get 100% of the sale, or sell to Amazon and other online bookstores to get 90% of the sale.
While you can get by using the free version, Booktango offers one-time fees for premium features like the choice of cover design, and U.S. copyright registration.
- Integrates selling with Amazon, Barnes & Noble, and Kobo.
- Also read related articles:
Start-ups and KickStarter. Makes me want to actually do some of the things I've thought of over the years...
The Power Of Disrupt: gTar Raises $30,000 On Kickstarter In Two Hours
The startup wowed the crowd with their iPhone-powered teaching guitar. The judges loved it. The crowd loved it. And most importantly, fans turned to the startup’s Kickstarter campaign where funding took off like a rocket. Prior to hitting the stage, the gTar had raised just a touch above $10,000. Now, almost exactly two hours after their Disrupt debut, their Kickstarter funding (a.k.a. pre-orders) is north of $42,000 and rising fast. [$136,000+ as I write this Bob]
Saturday they “Successfully stopped” the launch, today they sent their capsule into space. Hot diggity damn!
NASA hails SpaceX launch as 'a new era' for spaceflight