Saturday, June 02, 2012
Interesting how security breaches seem to grow beyond the initial size reported...
U. Nebraska breach also affected state colleges
June 1, 2012 by admin
Oh ho… so it wasn’t just U. of Nebraska affected by the hack reported May 23. The Lincoln Journal Star reports:
Nebraska State College System officials have been notified that their records were included in a security breach reported last week by the University of Nebraska in late May.
The State College System and NU began using a shared student information system known as NeSIS in 2009.
Investigation into the May 23 breach initially indicated it affected only the NU system, but State College Chancellor Stan Carpenter said he was notified Wednesday it also included data for the Chadron State, Peru State and Wayne State colleges.
Read more on Lincoln Journal Star.
“We noticed that your answer did not actually contain an answer...”
Congress critical of TRICARE’s response; requests detailed answers while criticizing TRICARE and SAIC
By Dissent, June 1, 2012
At least some members of Congress are not happy with the response to a letter they sent TRICARE following the theft of backup tapes from the unattended vehicle of an employee of their contractor, SAIC. The tapes contained information on approximately 5 million military beneficiaries and their dependents.
Although TRICARE’s response was not disclosed publicly, Rep. Ed Markey and colleagues from the bipartisan privacy caucus quoted portions of the response in a follow-up letter they sent to TRICARE on May 7.
Citing SAIC’s “history of serious security failures,” the members note that “it is disturbing that TRICARE engaged this contractor for such sensitive work.” They also note that it was not clear from TRICARE’s response whether TRICARE actually spot-checked SAIC or verified that it was implementing its Business Associate Agreement.
The members also criticized TRICARE for failure to deploy encryption even after this latest breach and for continuing to use unsafe methods of physically transmitting data instead of switching to secure virtual private networks. Although VPN is reportedly under consideration by TRICARE, no decision has as yet been made.
The congressmen called on TRICARE to provide more details about their security measures and to deploy encryption and better security measures to protect data. They also point out that at least some people have been paying for medical identity protection out of pocket because TRICARE and SAIC refused to provide such coverage.
Related: 5-7-12 Response to TRICARE (pdf)
What are the ethics of CyberWar?
"U.S. officials have acknowledged playing a role in the development and deployment of Stuxnet, Duqu and other cyberweapons against Iran. The acknowledgement makes cyberattacks more legitimate as a tool of not-quite-lethal international diplomacy. It also legitimizes them as more-combative tools for political conflict over social issues, in the same way Tasers gave police less-than-lethal alternatives to shooting suspects [There is an assertion that needs to be challenged. Bob] and gave those who abuse their power something other than a club to hit a suspect with. Political parties and single-issue political organizations already use 'opposition research' to name-and-shame their opponents with real or exaggerated revelations from a checkered past, gerrymander districts to ensure their candidates a victory and vote-suppression or get-out-the-vote efforts to skew vote tallies. Imagine what they'll do with custom malware, the ability to DDOS an opponent's web site or redirect donations from an opponent's site to their own. Cyberweapons may give nations a way to attack enemies without killing anyone. They'll definitely give domestic political groups a whole new world of dirty tricks to play."
(Related) CyberWar uses undetectable weapons?
Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet
A couple of days ago, I received an e-mail from Iran. It was sent by an analyst from the Iranian Computer Emergency Response Team, and it was informing me about a piece of malware their team had found infecting a variety of Iranian computers. This turned out to be Flame: the malware that has now been front-page news worldwide.
When we went digging through our archive for related samples of malware, we were surprised to find that we already had samples of Flame, dating back to 2010 and 2011, that we were unaware we possessed. They had come through automated reporting mechanisms, but had never been flagged by the system as something we should examine closely. Researchers at other antivirus firms have found evidence that they received samples of the malware even earlier than this, indicating that the malware was older than 2010.
What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.
… The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets.
… This story does not end with Flame. It’s highly likely there are other similar attacks already underway that we haven’t detected yet. Put simply, attacks like these work.
(Related) How vulnerable is our infrastructure?
Study: Yesterday’s Facebook Outage Also Slowed Down Major Media And Retail Sites
It’s a testament to how important Facebook has become in the web ecosystem that the social network’s performance issues yesterday didn’t just affect the site itself (and its 900 million users) but also a wide variety of other sites as well. Performance monitoring company Compuware APM, which analyses the performance of thousands of top sites, just sent us some interesting data about how Facebook’s problems yesterday correlated with significant slowdowns across major U.S. media and retail sites.
As our friends over at GigaOm pointed out today, “Facebook’s faltering didn’t lead to any noticeable traffic dip.” According to Compuware’s data, however, it did affect sites in other ways because of how tightly many media and retail sites integrate with services like Facebook’s “like” button, which was also affected by yesterday’s outage.
“Laws are the opiate of the people.”
Court Wary of Overturning Warrantless Spy Case Victory, But Might Have To
David Kravets reports:
A federal appeals court appeared troubled Friday by the Obama administration’s arguments that the government could break domestic spying laws without fear of being sued — and that the government’s argument might be correct, due to an oversight by Congress.
A two-judge panel of the 9th U.S. Circuit Court of Appeals heard an hour of oral arguments here by the government and a lawyer for two attorneys whom a federal judge concluded had been wiretapped illegally without warrants by the government.
Read more on Threat Level
[From the article:
Justice Department attorney Douglas Letter told Judge Michael Daly Hawkins and M. Margaret McKeown, both President Bill Clinton appointees, that they should dismiss the case outright because the government is immune from being sued for breaching the Foreign Intelligence Surveillance Act under a concept known as sovereign immunity.
“We think the simplest way here is the sovereign immunity argument,” Letter told the panel. He added that the aggrieved lawyers could sue individual government officials. But under that scenario, the government would declare the issue a state secret and effectively foreclose litigation.
“I’m trying to understand the government’s overall position,” Hawkins said. “The government’s position is you can’t sue the government, you can sue anybody else, but who those people are might be a state secret.”
“Correct, your honor,” Letter said moments later.
Can there be anonymous libel?
Idaho judge considers anonymous comments lawsuit
Nicholas K. Geranios of Associated Press reports:
A lawyer for The Spokesman-Review newspaper’s website argued today that people should be allowed to post anonymous comments on its blogs without fear of being identified and then sued.
But a Republican political leader in North Idaho, who is seeking the identities of three individuals who commented anonymously about her, argued that she was libeled by a comment and has the right to sue for damages.
Read more on The Spokesman-Review.
[From the article:
In late April, Jacobson filed a lawsuit against “John and/or Jane Doe” after an anonymous reader posted a comment on Huckleberries Online questioning whether $10,000 allegedly missing from the Kootenai County Central Committee might be “stuffed inside Tina’s blouse.” [Sounds like humor to me Bob] Two other anonymous readers posted follow-up comments.
“You can’t call someone a thief and expect to get away with it,” Andersen said in court Friday.
[Is it libel? She admits to being a Politician. Bob]
The opposite of anonymous?
“Juror One” revisited: Court holds that SCA does not apply
You may not remember his name, but regular readers of this blog will likely remember the case of “Juror Number One,” a juror who made some comments on Facebook during a criminal trial. Not surprisingly, the judge investigated the juror misconduct – or tried to – but hit a snag when it came to actually seeing the Facebook comments. And that’s when things got interesting because the judge ordered the juror to consent to Facebook turning over his material. Juror One objected that it violated his rights under the Stored Communications Act (SCA), the Fourth and Fifth Amendments to the Constitution, and his state and federal privacy rights.
I blogged about my concerns as the case wound its way through the California courts.
Yesterday, Venkat Balasubramani alerted me to a ruling by the California Court of Appeal in Sacramento.
Of note, the court held that the SCA did not apply to this situation because Juror One didn’t offer any rationale to support that claim:
Juror Number One has provided this court with nothing, either by way of the petition or the supporting documentation, as to the general nature or specific operations of Facebook. Without such facts, we are unable to determine whether or to what extent the SCA is applicable to the information at issue in this case. For example, we have no information as to the terms of any agreement between Facebook and Juror Number One that might provide for a waiver of privacy rights in exchange for free social networking services. Nor do we have any information about how widely Juror Number One’s posts are available to the public.
As significantly, they note that even if the SCA did apply to Facebook postings that were only available to a select group of individuals, it would not apply in this case because it was not Facebook being ordered to provide the material. The compulsion was on Juror One to consent, thereby waiving any rights under the SCA:
… the question here is not whether respondent court can compel Facebook to disclose the contents of Juror Number One’s wall postings but whether the court can compel Juror Number One to do so. If the court can compel Juror Number One to produce the information, it can likewise compel Juror Number One to consent to the disclosure by Facebook. The SCA has no bearing on this issue.
Sadly, a lot of the most interesting questions were never addressed because Juror One provided no argument or support for his claims, allowing the court to just dismiss them without consideration.
As @bmaz had suggested to me in our conversation on Twitter, the court noted that any privacy rights must fall to the Sixth Amendment rights of the defendants in the criminal trial. Having already demonstrated that juror misconduct definitely occurred, the court had a right – and duty – to determine if the Facebook posts indicated any bias or prejudice on Juror One’s part. While Juror One might think that simply denying any bias should satisfy the court, the judge had a right to compel production of the material to determine if there was indication of bias or prejudice.
Of interest to me was the concurring opinion by Judge Mauro, who expressed the concerns I had raised about compelled “consent:”
In essence, the trial court’s order is an effort to compel indirectly (through Juror Number One) what the trial court might not be able to compel directly from Facebook. This is arguably inconsistent with the spirit and intent of the protections in the SCA. Compelled consent is not consent at all. (See, e.g., Schneckloth v. Bustamonte (1973) 412 U.S. 218, 228, 233 [36 L.Ed.2d 854, 863, 866] [coerced consent is merely a pretext for unjustified intrusion].)
The lead opinion explains that “[i]f the court can compel Juror Number One to produce the information, it can likewise compel Juror Number One to consent to the disclosure by Facebook.” (Maj. opn. at p. 14.) This may ultimately be true, but here the trial court bypassed a determination as to whether it could compel Juror Number One to produce the documents.
The take-home message seems to be that while courts cannot engage in fishing expeditions, if there’s evidence of juror misconduct, they may be able to compel the juror to provide the material, or in the alternative, to compel the juror to consent to the service provider turning over the material.
Update: Orin Kerr has also blogged about this case on The Volokh Conspiracy. We seem to have picked up on the same main points and issues, but Orin goes further:
My sense, then, is that the trial court’s order is quite inappropriate. In effect, the court is trying to trick Facebook into inadvertently violating the SCA by making Facebook think that there is consent that allows Facebook to disclose the updates lawfully. If Facebook’s lawyers catch on, they will realize that this consent is invalid and should refuse to disclose the status updates to the court. But depending on how this is presented to Facebook, the folks at Facebook may not realize that the consent is invalid. Under the good-faith exception to civil liability, Facebook would probably escape civil liability in that situation. But the trial court should not be putting Facebook in this position anyway: Assuming that executing a scheme to have a party unknowingly violate the SCA violates the statute, then this would seem to violate the SCA. And even if executing such a scheme does not technically violate the statute directly, surely it is inappropriate for a judge to do such a thing.
What other options does the court have? The most obvious possibility is that the court should allow the losing party to subpoena the juror for all of the status updates during the relevant period that are relevant to the trial. The solution isn’t perfect. The juror might not comply with the subpoena, for example. But the Stored Communications Act limits compelled access to contents of communications directly from providers, and there does not appear to be an exception that applies here.
Apparently this is going to stir some controversy.
Microsoft’s “Do Not Track” Move Angers Advertising Industry
Microsoft Corp. said it would enable “do not track” by default in the latest version of its Web browser, Internet Explorer 10, a move that angered the online advertising industry.
In a blog post, Microsoft Chief Privacy Officer Brendan Lynch wrote that the company made the decision because users should “make a conscious choice to share information in order to receive more personalized ad content.”
But the Digital Advertising Alliance, a coalition that counts Microsoft as a member, said that the decision ran counter to the industry’s agreement with the White House announced earlier this year to honor “do not track” as long as it is not a default setting.
(Related) A reaction to change?
How ‘Do Not Track’ May Cost You Money
Andy Serwin writes:
Giving consumers choices regarding seeing advertisements on websites, while recognizing existing business models, has been a focus for many stakeholders in the privacy debate. Many groups and companies have worked to create a ‘Do Not Track’ feature that would give consumers the choice of not seeing advertisements, but in the newest version of its Internet browser, Internet Explorer 10, Microsoft has reversed that trend by changing a default setting and turning on its ‘Do Not Track’ tool. The browser’s default setting, set without consumer input, will now preclude consumers from seeing advertisements [Not true Bob] on the websites they visit for free. This undermines long-term prospects of the ‘Do Not Track’ system which was designed to allow successful Internet business models to continue.
Read more on The Lares Institute.
Do Twits own their Tweets? (and their Facebook pages and their emails and and and )
Battle over Twitter subpoena heats up
Electronic privacy advocates on Thursday weighed in on a high-stakes legal fight over online communications, arguing that a subpoena seeking an Occupy Wall Street protester’s tweets violates his rights to free speech and privacy.
The filing from the American Civil Liberties Union, the Electronic Frontier Foundation and Public Citizen, Inc supports Twitter’s position that the individual, Occupy protestor Malcolm Harris and not Twitter itself, is the owner of the tweets and thus the proper target for any subpoena.
Manhattan Criminal Court Justice Matthew Sciarrino Jr. had earlier ruled that Harris did not have the standing to challenge the subpoena, which seeks personal information and all of Harris’ tweets from 15 September through 31 December 2011.
Read more on News24.
Perspective: Just as I thought, there are more Twits every day...
A report coming from the Pew Internet and American Life Project shows that right around 15 percent of online adults use Twitter as of February 2012, compared with just about 8 percent in November of 2010. Where the usage explosion really hits is in the number of people who said they used Twitter daily, with 8% of adults saying they do here in 2012 and 4% saying they did in May of 2011.
My handouts keep getting bigger – this might be a solution...
Booktype is open-source software that allows people to write, publish and print e-books within minutes.
… An easy drag-and-drop interface makes it plain and simple to make an e-book, while tools such as collaborative proofreaders, editors and contributors make it possible for organizations to hook up with other people and write an e-book in a teamwork environment.
The digital book can then be exported to popular e-book stores such as Amazon, iBooks, Lulu.com, etc. The e-books are also format-compatible with many e-book readers such as iPad, Kindle, Nook, and more. To make sure it’s suitable for you, you can try the online demo and see how Booktype works.
To make use of this amazing software, just download the code and follow the instructions given on the website to install it on your computer. To install the software, a person is required to have a web server and knowledge of how to install software for the web.
Could be fun for the Intro to Programming students...
Google Blockly Lets Kids Hack With No Keyboard
Google has released a completely visual programming language that lets you build software without typing a single character.
Now available on Google Code — the company’s site for hosting open source software — the new language is called Google Blockly, and it’s reminiscent of Scratch, a platform developed at MIT that seeks to turn even young children into programmers.
Like Scratch, Blockly lets you build applications by piecing together small graphical objects in much the same way you’d piece together Legos. Each visual object is also a code object — a variable or a counter or an “if-then” statement or the like — and as you piece them together, you create simple functions. And as you piece the functions together, you create entire applications — say, a game where you guide a tiny figurine through a maze.
Something to share with my students and fellow teachers...
Starter Kit: How to Outfit Your iPad Like an Ivy League Scholar
According to Princeton University's library, here are the apps that the library has loaded onto its iPads. Think of it like a starter kit if you're buying a new iPad and you want to have it outfitted like an Ivy League researcher.
(Related) A different version of the list...
Web Tools to Enhance Learning
Well, I think it's interesting...
Techcrunch reports that Echo360 has raised $31 million in funding – “As the old school gives way to the new, technology has begun to play an increasingly active role in the learning process” is the story lede. Well, active up to a point, I guess, since Echo360 is a lecture-capture technology. But hey, throw the “flipped classroom” into your slide-deck and investors clearly eat that up.
InstaEDU has raised $1.1 million in seed funding, according to Techcrunch, for on-demand video tutoring.
Udacity has listed five new classes that’ll begin this summer, all of which greatly expand the breadth of the startup’s offerings. These include physics, discrete math and statistics. It’s also made the official announcement of its partnership with Pearson testing centers where people will be able to take an optional final exam in order to be put into the Udacity job recruitment pipeline.
Friday, June 01, 2012
For my Ethical Hackers. An “excerpt” timed to help promote his book? Something to consider in light of “A Just CyberWar”
Obama Order Sped Up Wave of Cyberattacks Against Iran
… Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.
Did the breach occur at all four locations simultaneously, or at some third-party processor? Will the state even bother to follow up and find out?
A Six-Figure Credit Breach at Five Guys
June 1, 2012 by admin
I hate it when we only find out about data breaches from lawsuits, but at least we find out. Marlene Kennedy of Courthouse News reports:
Five Guys burger joints failed to safeguard their data, giving hackers access to the accounts of debit-card-paying customers, a bank claims in court.
Trustco Bank says the hackers racked up more than $89,800 in charges on the accounts of clients who visited Five Guys restaurants in Albany, Schenectady, Warren and Saratoga counties.
The defendants in the complaint, filed in Schenectady County Supreme Court, are RSVT Glenmont LLC, RSVT Niskayuna LLC, RSVT Queensbury LLC and RSVT Saratoga Springs LLC. Each operates a Five Guys restaurant in the communities listed in their names.
The unauthorized transactions – Trustco counted 376 – occurred in November and December 2011, according to the complaint.
Read more on Courthouse News. Kennedy reports that according to the complaint, the affected restaurants “never provided notification to … customers of the security breach,” as required by New York law.
So what will NYS do, if it even knows about this lawsuit?
“It's not that we dislike ‘public debate,’ we just don't see any reason to help it along.”
"The House Appropriations Committee is considering a draft report that would forbid the Library of Congress to allow bulk downloads of bills pending before Congress. The Library of Congress currently has an online database called THOMAS (for Thomas Jefferson) that allows people to look up bills pending before Congress. The problem is that THOMAS is somewhat clunky and it is difficult to extract data from it. This draft report would forbid the Library of Congress from modernizing THOMAS until a task force reports back. I am pretty sure that the majority of people on slashdot agree that being able to better understand how the various bills being considered by Congress interact would be good for this country."
“We don't want them screwing up the Internet, that's our job!”
"In a rare show of bipartisan agreement, lawmakers from both sides of the aisle warned this morning that a United Nations summit in December will lead to a virtual takeover of the Internet if proposals from China, Russia, Iran, and Saudi Arabia are adopted. Called the World Conference on International Telecommunications, the summit would consider proposals including '[using] international mandates to charge certain Web destinations on a "per-click" basis to fund the build-out of broadband infrastructure across the globe' and allowing 'governments to monitor and restrict content or impose economic costs upon international data flows.' Concerns regarding the possible proposals were both aired at a congressional hearing this morning and drafted in a congressional resolution (PDF)."
What does it take to convince Congress? (Nothing. Their minds are already made up.)
May 31, 2012
EFF - Review House Hearing on Warrantless Wiretapping and the FISA Amendments Act
News release: "This morning, the House Judiciary Committee held an important hearing on the FISA Amendments Act (FAA) and the scope of the NSA’s warrantless wiretapping program. The FAA, which gutted privacy protections governing the interception of international phone calls and e-mail to and from the United States, is set to expire at the end of the year, and Attorney General Eric Holder says it is his “top priority” to see it renewed."
This does not extend to inconsequential Blogs... Also, just because they are in the minority makes no difference?
Judge says authors can sue Google
A judge filed a ruling today that gives authors, photographers, and illustrators the green light to sue Google.
The ruling allows the drawn-out court case -- over Google Books' practice of scanning out-of-print books and copyrighted content for Web searches -- to move forward. The suit will now determine if Google's argument that it has a fair-use defense has any merit.
… Google had tried to argue that the Authors Guild and an illustrators and photographers' group should be taken off the suit. According to the suit, Google said a class action suit is not justified because many authors wanted their books scanned. The company points to a survey in which over 500 authors, or 58 percent of those surveyed, "approve" of Google scanning their work for search purposes.
"Google's argument is without merit," Chin wrote. "The lead plaintiffs are adequate representatives of the class."
Read the entire ruling, posted by the Public Index, here.
The problem with “We don't like you” lawsuits...
Judge Frees Google’s Android From Oracle Copyrights
The federal judge refereeing the billion-dollar fight between Oracle and Google over the Android operating system has dismissed Oracle’s claim that the Java APIs used by Android are subject to copyright.
The APIs are application program interfaces, code that lets one piece of software talk to another. The general assumption has long been that APIs aren’t subject to copyright. But in suing Google over Android, Oracle insisted that they were, and after a six-week trial, the company’s efforts to win serious damages from Google came down to this single point.
But on Thursday, Judge William Alsup ruled that Oracle does not have the exclusive rights to the structure, sequence, and organization of the 37 Java APIs in question.
“To accept Oracle’s claim would be to allow anyone to copyright one version of code to carry out a system of commands and thereby bar all others from writing their own different versions to carry out all or part of the same commands,” read the ruling from Alsup. “No holding has ever endorsed such a sweeping proposition.”
(Related) Watch out when a judge does his homework! (I just love these little 'smack downs.')
Judge William Alsup: Master of the court and Java
… Alsup acknowledged during the trial that he had learned about Java coding to better prepare for the case, and it showed. On a daily basis, he would deftly query the lawyers and expert witnesses on the structure, sequence, and organizations of APIs to assist the jury in understanding the key facets of the copyright phase of the trial.
In one episode, Oracle's star lawyer, David Boies, who bested Bill Gates in the U.S. v. Microsoft case and represented Vice President Al Gore in Bush v. Gore in front of the Supreme Court, was arguing that Google copied the nine lines of rangeCheck code to accelerate development to gain faster entry into the mobile phone market.
Alsup told Boies, "I have done, and still do, a significant amount of programming in other languages. I've written blocks of code like rangeCheck a hundred times before. I could do it, you could do it. The idea that someone would copy that when they could do it themselves just as fast, it was an accident. There's no way you could say that was speeding them along to the marketplace. You're one of the best lawyers in America -- how could you even make that kind of argument?"
Oracle plans to appeal Alsup's ruling. The company faces an uphill battle given the judge's ruling is rich in context, with detailed deconstructions of the Java language and APIs, as well as the expected legal citations and examples. It will likely serve as a textbook for future cases involving intellectual property rights and computer programming languages.
Something like the Nature Conservancy for music?
"Following Tuesday's story about MuseScore releasing its open source recording of the Goldberg Variations, the Musopen project has released ProTools files from its open source recording project. The final edited recordings are still being worked on but it seems we're living in very interesting times regarding open source classical music."
Musopen is a non-profit dedicated to providing copyright free music content: music recordings, sheet music and a music textbook. This project will use your donations to purchase and release music to the public domain. Right now, if you were to buy a CD of Beethoven's 9th symphony, you would not be legally allowed to do anything but listen to it. You wouldn't be able to share it, upload it, or use it as a soundtrack to your indie film, yet Beethoven has been dead for 183 years and his music is no longer copyrighted. There is a lifetime of music out there, legally in the public domain, but it has yet to be recorded and released to the public.
For my Ethical Hackers...
"Apple has released a detailed security guide for its iOS operating system, an unprecedented move for a company known for not discussing the technical details of its products, let alone the security architecture. The document lays out the system architecture, data protection capabilities and network security features in iOS, most of which had been known before but hadn't been publicly discussed by Apple. The iOS Security guide (PDF), released within the last week, represents Apple's first real public documentation of the security architecture and feature set in iOS, the operating system that runs on iPhones, iPads and iPod Touch devices. Security researchers have been doing their best to reverse engineer the operating system for several years and much of what's in the new Apple guide has been discussed in presentations and talks by researchers. 'Apple doesn't really talk about their security mechanisms in detail. When they introduced ASLR, they didn't tell anybody. They didn't ever explain how codesigning worked,' security researcher Charlie Miller said."
Might be just what I need to have my computer up and running each morning when I start my Blogging... (How's your German?)
Sleep Timer … allows you to have your computer turn off, restart or go to sleep whenever you need it to.
The program is super easy to use, and it takes up almost no memory. The application requires no installation, so you can run it from a flash drive and take it with you. You can set it to make your computer restart, go into hibernation mode or shut down completely, and they are all easy to set up.
Thursday, May 31, 2012
Is this why some breach victims keep silent?
If There is Credit Card Fraud, There Must Have Been a Breach
May 31, 2012 by admin
Craig Hoffman writes:
As we reported in December 2010, after an online merchant suffered chargeback losses of almost $12,000 on nine fraudulent orders, it sued the bank that issued the nine cards that were fraudulently used alleging that the most likely cause of the fraud was a data security breach at the bank that the bank ignored.
E-Shops Corp. v. U.S. Bank National Association worked its way through the courts, but the merchant found no joy. Read Hoffman’s discussion of the case and ruling on Data Privacy Monitor.
[From the article:
Rather, the court stated that the merchant was required to describe the circumstances surrounding the breach—“the who, what, when, where and how U.S. Bank’s conduct amounted to false, deceptive, or misleading conduct.”
An exploration of the failure of Universities to practice what they teach. Points to a few million student victims to make the point...
New Math, data breaches version
Wait till he finds out they can carry weapons! (Is there such a thing as “manned drones?”)
"During a radio interview, Virginia governor Bob McDonnell suggested that using unmanned drones to assist police would be 'great' and 'the right thing to do.' 'Increased safety and reduced manpower are among the reasons the U.S. military and intelligence community use drones on the battlefield, which is why it should be considered in Virginia, he says. ... McDonnell added Tuesday it will prove important to ensure the state maintains Americans' civil liberties, such as privacy, if it adds drones to its law enforcement arsenal.' Is this the next step toward militarizing our law enforcement agencies? How exactly can they ensure our privacy, when even the Air Force can't?"
Amazing what the founding fathers foretold...
Sex offenders battle state courts for Facebook accounts
Tens of thousands of registered sex offenders have been purged from social networks like Facebook and MySpace over the past several years -- banned by state laws prohibiting them from using chat rooms, social networks, or instant messaging.
However, some of these registered sex offenders are now trying to turn the tables in state courts. Legal battles over the right to use social networks have ensued across the U.S., from Indiana to Nebraska to Louisiana, according to the Associated Press.
The position of the registered sex offenders and civil liberties groups is that the state bans violate free speech and the individual right to join in online discussions, according to the Associated Press. Civil liberties advocates argue that the Internet and social networking is now so widespread that using it has become necessary for free speech. [Blogs ain't speech? Bob]
Rather than assume I want no data collection, how about letting me decide how much to collect, how long to keep it, and where I want it stored?
Consumer group says self-driving cars pose privacy risk
May 30, 2012 by Dissent
Jerry Hirsch reports:
A consumer group says a bill that would allow self-driving cars on California’s roads does not do enough to protect privacy.
The bill, SB 1298, sponsored by Sen. Alex Padilla (D-Pacoima), has passed the California Senate and is awaiting Assembly consideration in June. It establishes guidelines for “autonomous vehicles” to be tested and operated in California.
It has flown through the Legislature, passing the Senate unanimously.
Read more on The Los Angeles Times.
[From the article:
“Without appropriate regulations, Google’s vehicles will be able to gather unprecedented amounts of information about the use of those vehicles. How will it be used? Just as Google tracks us around the Information Superhighway, it will now be looking over our shoulders on every highway and byway,” Court said in a letter to Assembly Speaker John A. Perez (D-Los Angeles).
“Clearly laws don't work. Let's pass another law.” What's wrong with this logic?
By Dissent, May 30, 2012
Associated Press reports:
U.S. Sen. Al Franken said Wednesday he plans to pursue legislation or federal regulations requiring encryption of all laptops containing private medical information, after presiding over a hearing on aggressive debt collection practices in several Minnesota hospitals.
Read more on Washington Examiner.
Why stop at laptops? What about other mobile devices? Security should be based on the type and sensitivity of the data, not the type of mobile device.
If everyone agrees this is a problem, why don't we have a national law?
Bill banning warrantless cellphone tracking clears California Senate
May 30, 2012 by Dissent
Michelle Maltais reports:
California is one step closer to banning law enforcement from tapping the data from the tracking device in your palm, pocket or purse without a warrant.
The state Senate passed a bill Wednesday that requires a warrant to seek access from wireless carriers to the near-constant data stream coming from our cellphones.
Read more on The Los Angeles Times.
Bringing IP law into the 3D world...
Clive Thompson on 3-D Printing’s Legal Morass
Last winter, Thomas Valenty bought a MakerBot — an inexpensive 3-D printer that lets you quickly create plastic objects. His brother had some Imperial Guards from the tabletop game Warhammer, so Valenty decided to design a couple of his own Warhammer-style figurines: a two-legged war mecha and a tank.
He tweaked the designs for a week until he was happy. “I put a lot of work into them,” he says. Then he posted the files for free downloading on Thingiverse, a site that lets you share instructions for printing 3-D objects. Soon other fans were outputting their own copies.
Until the lawyers showed up.
(Related) Extending IP law into the Outer Limits
"Simply giving your mother an e-book for her birthday could constitute patent infringement now that the USPTO's gone and awarded Amazon.com a patent on the 'Electronic Gifting' of items such as music, movies, television programs, games, or books. BusinessInsider speculates that the patent may be of concern to Facebook, which just dropped a reported $80 million on social gift-giving app maker Karma Science."
For my overwhelmed students. (Worth reading just for the quotable numbers.)
Information Overload Is Not a New Problem
There is a wonderful essay in The Hedgehog Review about the promise and perils of information overload. Titled Why Google Isn’t Making Us Stupid…or Smart, this essay written by Chad Ellmon explores the history of information overload and explores its implications. But Ellmon also spends some time demonstrating that information overload is far from a new problem:
These complaints have their biblical antecedents: Ecclesiastes 12:12, “Of making books there is no end”; their classical ones: Seneca, “the abundance of books is a distraction”; and their early modern ones: Leibniz, the “horrible mass of books keeps growing.”
Why students should bathe... Indication of a new tool for biometrics?
Age can be detected by smell, study finds
Catching a whiff of someone's body odour is enough to tell you whether they are young, middle aged or elderly without having seen them, researchers found.
Elderly people's smell was the most distinctive but, contrary to expectations, was also judged by volunteers to be less intense and unpleasant than that of younger people.
What to do if your thumbs are in a cast?
Twitter Voice is a handy Android application for Twitter users who want to tweet quickly without having to type anything. A great application for people on the move, for example, people who want to tweet as they drive the car. [“I'm driving” “I'm turning right” “I'm Okay, but the other guy may need an ambulance” Bob]
I wonder what the equivalent was in my day...
… For those of you who don’t know what this is (but it’s pretty obvious from the word itself), it’s when you send a text message to someone with either sexually explicit text, a sexually explicit picture, or both.
… According to today’s infographic, two-thirds of US students have sent sexually suggestive messages via their mobile phone.
Might make an interesting project for my Intro to Computing class...
Windows PCs are notoriously junk-filled out-of-the-box. Buy a Microsoft Signature PC from a Microsoft Store (yes, Microsoft has a handful of stores across the US) and you’ll find it free of the usual junk. Soon, Microsoft will offer to turn any PC into a Microsoft Signature PC with its “Signature Upgrade” service – as long as you pay $99.
A typical PC might come with a pile of additional desktop shortcuts, system tray applications, and other bloatware. Software developers pay computer manufacturers to preload their software, reducing the price of the computer by a few dollars. Microsoft realizes that this makes Windows look bad and their response is Microsoft Signature, a fancy name for PCs without the junk. But there are steps you can take yourself that will save you from paying that $99.
Free is good. Granted the target audience is K-12 students, but there are many useful thingies here. Blank Music sheets, Free e-Books, create your own comics (useful for presentations to the CEO), etc.
One of the common obstacles to using many Web 2.0 tools in elementary school and middle school classrooms is the registration requirement that those tools have. Fortunately, there are many good Web 2.0 tools that do not require registration. Nathan Hall has started to put together a Diigo list of Web 2.0 tools that do not require registration. When I saw the list yesterday it had 60 items. When I looked at the list this morning there were 101 items on the list. Take a look at Nathan's list and I think you'll find some new-to-you tools, I did.
Wednesday, May 30, 2012
Perhaps DoJ should hire some lawyers?
"A judge in New Zealand has ordered the U.S. government to hand over evidence seized in the Megaupload raid so Kim Dotcom and his co-defendants can use it to prepare a defense for an extradition hearing. The judge wrote, 'Actions by and on behalf of the requesting State have deprived Mr. Dotcom and his associates of access to records and information. ... United States is attempting to utilize concepts from the civil copyright context as a basis for the application of criminal copyright liability [which] necessitates a consideration of principles such as the dual use of technology and what may be described as significant non-infringing uses.' Once the defense attorneys have gathered and presented their evidence, the judge must decide whether the U.S. can make a reasonable case against Dotcom."
Cloud computing: Something we clearly need to address.
Is the Cloud Too Risky for Some Purposes?
“Forrester says that sometime this year we will have reached the point where 50 percent of companies are using some form of SaaS. The Yankee Group says that 41 percent of large companies already have or will deploy Platform as a Service technology in the next 12 months. VMWare and the Cloud Industry Forum (CIF) estimates cloud adoption to be at 48 percent of businesses in the UK.”
But Weisinger, in his post for the enterprise content management (ECM) firm Formtek, also notes a Wisegate report that found “50 percent of organizations think that the cloud is still too risky for handling most data and are only comfortable with using it for ‘commodity’ applications like CRM and email.”
PCI DSS Compliance in the Cloud: Challenges and Tactics
Perhaps the largest point of confusion with regards to the Payment Card Industry Data Security Standard (PCI DSS) and cloud computing is the question of upon whose shoulders does compliance fall? In 2011, several cloud providers began asserting that their clouds were validated as PCI DSS compliant. That’s all well and good, but unfortunately this validation does not trickle down to the providers’ customers who deploy servers within the provider’s infrastructure. If your organization wants to migrate PCI DSS in-scope systems to public cloud, there are several things to consider.
First and foremost, a cloud provider’s platform is just that – a platform. Physical servers are not certified PCI compliant by the hardware manufacturers, just as operating systems are not certified by their vendors. The platform and software employed serve as a medium upon which businesses can operate. It should be noted, however, that PCI certification for a provider does not just cover material, but process as well.
Apparently, “Ignorance of the Constitution” is a defense.
No Constitutional Issue in Shared Autopsy Photos
May 29, 2012 by Dissent
Tim Hull reports:
Despite a clear constitutional right to control death images of relatives, a district attorney is not liable for sending an autopsy photograph to the press, the 9th Circuit ruled Tuesday.
In the first decision of its kind, the federal appeals court in San Francisco found that “the common law right to non-interference with a family’s remembrance of a decedent is so ingrained in our traditions that it is constitutionally protected.”
Read more on Courthouse News.
Related: Opinion in Marsh v. County of San Diego (via Venkat Balasubramani).
[From the Courthouse News article:
The panel found that Brenda Marsh had a clear right to control her son's death images, but since that right was not clearly established when Coulter released the photographs, he has qualified immunity.
… This intrusion into the grief of a mother over her dead son, without any legitimate governmental purpose, 'shocks the conscience' and therefore violates Marsh's substantive due process right.
A bit of a follow up... “Papers, student!” I assume the students will be required to have their IDs on them at all times. What happens if the ID is in school but the student isn't?
Arphid Watch: schoolkids in Houston and San Antonio TX
A school district in San Antonio, Texas, plans to put RFID chips in student ID cards. A spokesperson for the Northside Independent School District said, “We want to harness the power of technology to make schools safer, know where our students are all the time in a school, and increase revenues.”
… The RFID chips will reportedly work only while the students are on school property. [Want to bet? Bob]
Texas school district to track kids through RFID tags
It does seem a shame that money is mentioned in all of this. One might have been able to understand it if this was purely a safety issue, but clearly it isn't. Indeed, in Houston, two school districts already enjoy this technology and it has reportedly brought them hundreds of thousands of extra dollars.
The Northside district, Kens 5 News says, loses $175,000 a day because of late or absent kids.
… However, after cases such as the one in Philadelphia where a school was sued for allegedly spying on a student off-campus (the school settled for around $600,000), some parents will surely be concerned that the kids will be snooped upon.
It's not as if this sort of tagging offers absolute security. What if an ID is stolen? What if the system is hacked and someone with evil purpose can quite literally track the movements of all the kids?
Students will be tracked via chips in IDs
… Chip readers on campuses and on school buses [Which do leave school property Bob] can detect a student's location but can't track them once they leave school property. Only authorized administrative officials will have access to the information, Gonzalez said.
… He said officials understand that students could leave the card somewhere, throwing off the system. They cost $15 each, and if lost, a student will have to pay for a new one.
… The district plans to spend $525,065 to implement the pilot program and $136,005 per year to run it, but it will more than pay for itself, predicted Steve Bassett, Northside's assistant superintendent for budget and finance. If successful, Northside would get $1.7 million next year from both higher attendance and Medicaid reimbursements for busing special education students, he said.
Incontrovertible proof that Economists live in a world of fiction?
Economist Paul Krugman Is a Hard-Core Science Fiction Fan
If you follow the news at all, you’ve probably seen Paul Krugman — Princeton professor, New York Times columnist, and Nobel Prize-winning economist — championing the idea that government spending can lift us out of the economic crisis. What you may not know is that Krugman is also a huge science fiction fan.
“I read [Isaac Asimov’s] Foundation back when I was in high school, when I was a teenager,” says Krugman in this week’s episode of the Geek’s Guide to the Galaxy podcast, “and thought about the psychohistorians, who save galactic civilization through their understanding of the laws of society, and I said ‘I want to be one of those guys.’ And economics was as close as I could get.”
… “If you read Ender’s Game, his brother and sister actually end up shaping planetary debate through their online aliases, and the debates they have with each other under assumed names,” Krugman says. “So all of this was prefigured, which is why science fiction is good for your ability to think about possibilities.”
For my Statistics students. Still a long way from a true “Reality Test.”
"The Global Economic Intersection reports on a project to statistically measure political bias on Wikipedia. The team first identified 1,000 political phrases based on the number of times these phrases appeared in the text of the 2005 Congressional Record and applied statistical methods to identify the phrases that separated Democratic representatives from Republican representatives, under the model that each group speaks to its respective constituents with a distinct set of coded language. Then the team identified 111,000 Wikipedia articles that include 'republican' or 'democrat' as keywords, and analyzed them to determine whether a given Wikipedia article used phrases favored more by Republican members or by Democratic members of Congress. The results may surprise you. 'The average old political article in Wikipedia leans Democratic' but gradually, Wikipedia's articles have lost the disproportionate use of Democratic phrases and moved to nearly equivalent use of words from both parties (PDF), akin to an NPOV [neutral point of view] on average. Interestingly, some articles have the expected political slant (civil rights tends Democrat; trade tends Republican), but at the same time many seemingly controversial topics, such as foreign policy, war and peace, and abortion have no net slant. 'Most articles arrive with a slant, and most articles change only mildly from their initial slant. The overall slant changes due to the entry of articles with opposite slants, leading toward neutrality for many topics, not necessarily within specific articles.'"
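As an added example (not from the Slashdot post or the study it summarizes), here is a toy Python implementation of the two-stage method described above: first pick the phrases whose usage best separates the two parties in labelled speeches, using a per-phrase chi-square statistic, then score any document by which side's phrases it uses. The speeches and articles below are constructed stand-ins, not Congressional Record or Wikipedia text.

```python
import re
from collections import Counter

# Constructed stand-ins for party-labelled speeches (not real Congressional Record text).
DEM_SPEECHES = [
    "we must protect working families and expand health care for every child",
    "working families deserve health care and a living wage",
    "the minimum wage must rise so working families can afford health care",
]
REP_SPEECHES = [
    "we must cut taxes and shrink big government for small business",
    "small business owners need tax relief not big government",
    "tax relief and less big government let small business hire",
]

# Constructed stand-ins for encyclopedia articles to be scored.
SAMPLE_ARTICLES = [
    "The senator campaigned on health care for working families.",
    "The governor promised tax relief for small business and an end to big government.",
    "The bill passed the committee on Tuesday.",
    "Health care for working families was funded by tax relief.",
]


def bigrams(text):
    """Lower-case word bigrams of a text, each joined by a single space."""
    words = re.findall(r"[a-z]+", text.lower())
    return [f"{a} {b}" for a, b in zip(words, words[1:])]


def chi_square(f_pd, f_pr, total_d, total_r):
    """Pearson chi-square for one phrase: how unevenly the parties use it.

    f_pd / f_pr: uses of the phrase by Democrats / Republicans.
    total_d / total_r: all phrase tokens spoken by each party.
    """
    f_nd = total_d - f_pd   # Democratic tokens that are other phrases
    f_nr = total_r - f_pr   # Republican tokens that are other phrases
    num = (f_pr * f_nd - f_pd * f_nr) ** 2
    den = (f_pr + f_pd) * (f_pr + f_nr) * (f_pd + f_nd) * (f_nr + f_nd)
    return num / den if den else 0.0


def partisan_phrases(dem_docs, rep_docs, k):
    """Return (dem_phrases, rep_phrases): the k most party-separating bigrams."""
    dem = Counter(p for d in dem_docs for p in bigrams(d))
    rep = Counter(p for d in rep_docs for p in bigrams(d))
    total_d, total_r = sum(dem.values()), sum(rep.values())
    ranked = sorted(
        set(dem) | set(rep),
        key=lambda p: chi_square(dem[p], rep[p], total_d, total_r),
        reverse=True,
    )
    dem_set, rep_set = set(), set()
    for p in ranked[:k]:
        # Assign each selected phrase to the party that uses it at the higher rate.
        if dem[p] / total_d > rep[p] / total_r:
            dem_set.add(p)
        else:
            rep_set.add(p)
    return dem_set, rep_set


def slant(text, dem_set, rep_set):
    """Slant in [-1, 1]: -1 only Democratic phrases, +1 only Republican, 0 none or balanced."""
    grams = bigrams(text)
    d = sum(g in dem_set for g in grams)
    r = sum(g in rep_set for g in grams)
    return (r - d) / (r + d) if (r + d) else 0.0


if __name__ == "__main__":
    dem_set, rep_set = partisan_phrases(DEM_SPEECHES, REP_SPEECHES, 5)
    print("Democratic phrases:", sorted(dem_set))
    print("Republican phrases:", sorted(rep_set))
    for article in SAMPLE_ARTICLES:
        print(f"{slant(article, dem_set, rep_set):+.2f}  {article}")
```

Averaging `slant` over many articles, grouped by creation year, is the aggregate the summary refers to; a corpus can drift toward zero on average even when individual articles keep their initial slant.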
(Related) Think of it as “Behavioral Advertising.” The candidates are “products.”
"The Romney and Obama campaigns are spending heavily on television ads and other traditional tools to convey their messages. But strategists say the most important breakthrough this year is the campaigns' use of online data to raise money, share information and persuade supporters to vote. The practice, known as 'microtargeting,' has been a staple of product marketing. Now it's facing the greatest test of its political impact in the race for the White House. ... The Romney team spent nearly $1 million on digital consulting in April and Obama at least $300,000. ... Campaigns use microtargeting to identify potential supporters or donors using data gleaned from a range of sources, especially their Internet browsing history. A digital profile of each person is then created, allowing the campaigns to find them online and solicit them for money and support."
(Related) Toward an “automated congress?” True democracy? Politics by and for the Internet connected?
"Having read pretty heavily on the topic, weighed the pros and cons, and seen a few relevant slashdot articles, I wondered why an elected representative couldn't use online and in-person polling of constituents to decide the way he or she votes. Though we are living in the 'information age' and have rich communications media and opportunities for deep and accessible deliberation, we are getting by (poorly) with horse-and-buggy-era representation. In the spirit of science and because I think it's legitimately a better way of doing things, I recently announced my candidacy for Vermont's State Senate in Washington County."
How do you think such polling could be best accomplished? Do you think it's worth trying? Whether or not you buy into it, it's something that's only been made feasible in recent times with modern technology.
Rise Of The Machines: IP Traffic Is Poised To Quadruple By 2016, Driven By An Influx Of New Devices
The latest VNI forecast shows a massive uptick in data usage, from the 369 Exabytes of IP traffic used worldwide in 2011 to approximately 1.3 zettabytes in 2016. According to Cisco, that rapid growth in data traffic will be driven by a proliferation of connected devices, ever-increasing broadband connectivity, and greater adoption of IP video worldwide.
‘Walking Around Naked On The Internet’: McAfee Says 17% Of PCs Globally Lack Malware Protection
Some eye-opening stats out today from McAfee, the Intel-owned IT security company: a study of 28 million computers in 24 countries has found that 17 percent of all PCs do not have any form of security at all on them against viruses, worms, spyware and other Internet malware – a transgression that McAfee compares to “walking around naked on the Internet.”
But McAfee notes that while the average worldwide figure for unsecured PCs works out to one out of every six users, some countries are taking their security more seriously than others…
For my Infograph loving friends...
Infogram is an amazing new web tool platform for creating infographics quickly and easily. The tool is very simple to use and offers a whole host of unique WYSIWYG editing options from dragging content around to in-tool data table formatting.
… The site is free, robust, and going to be getting some more customized features and more templates soon. Looks like a great place for teachers and students to play with the art of visual explanation.
e-Textbooks are coming – deal with it.
iPad Only No More: Inkling Debuts HTML5-Powered E-Book App For The Web
Inkling, the San Francisco-based startup that’s known for making super slick interactive digital versions of college textbooks and other educational titles for the iPad, has debuted its first ever platform for the web browser.
Something for my website students
Learn to Code With Mozilla’s ‘Thimble’ Editor
Mozilla Thimble is a new web-based code editor, part of the company’s recently unveiled “Webmakers” project. Thimble is designed to give novice webmakers an easy-to-use online tool to quickly build and share webpages.
You can check out Thimble over at the new Mozilla Thimble website. Keep in mind that Mozilla hasn’t formally launched Thimble; the company is still testing, fixing bugs and iterating the app.
Thimble is slightly different than other online code editors you may have tried, putting the emphasis on teaching HTML to newcomers rather than catering to advanced users. Thimble offers side-by-side code editor and code output panels which help new users see immediate results.
… Thimble can also load pre-made project templates to help users get started with some content that’s ready to build on. Currently the featured projects section of the Thimble homepage is still awaiting content, but among the coming projects is a tutorial on editing and creating your own Tumblr theme, as well as others from Mozilla’s various Webmaker partners.
To help new users get their Thimble-created projects on the web Mozilla has also bundled a publishing function directly into the editor. Once you’ve got your Thimble page looking the way you’d like it, just hit the “Publish” button and Thimble will output and host your page, offering up a URL to share with friends and another to edit your page if there’s something you need to change.