Saturday, June 16, 2012

What didn't Heartland learn from their “Top 10” breach? Why can't victims pin down the scope of their breach? Why can't they even determine they have been breached?
Penn Station breach mushrooms to 80 locations; Heartland Payment and Secret Service investigating
June 15, 2012 by admin
Ruh oh. Tracy Kitten reports:
Restaurant chain Penn Station Inc. has upped the number of franchise locations affected by a payments breach to 80, almost double what it originally reported.
The breach, which Penn Station says it’s still investigating, is connected to a point-of-sale processing hack that may have exposed credit and debit details, but not PINs, [Not sure how you grab some data but not all... Bob] at restaurants in Illinois, Indiana, Kentucky, West Virginia, Michigan, Missouri, Ohio, Pennsylvania, Virginia, North Carolina and Tennessee.
Penn Station says its investigation into the breach, which is being overseen by its processor, Heartland Payment Systems, and the Secret Service, is ongoing and that results, to date, have been inconclusive.
[From the article:
On its list of frequently asked questions, the chain says the exposure was limited to cardholder names and card numbers because Penn Station only accepts signature-based transactions. [That answers my question. Bob]
… "We did not learn of the possibility of unauthorized access until late April," the company says in its updated FAQ. "Our first step after learning such information was to change the method for processing credit and debit card transactions. [Does this suggest the process had known flaws? Bob]
… Dunaway told BankInfoSecurity that Penn Station learned of the breach from a customer. The patron connected the dots after swapping stories with others who had suffered fraud following dining at a local Penn Station restaurant.
… Based on what Penn Station has revealed so far, industry experts suggest the breach could be linked to one or both of two possible scenarios - a processing hack, like the one that targeted 100 Subway locations between 2008 and May 2011, or a point-of-sale scheme, similar to the one discovered by the Michaels crafts store chain in May 2011. [Yep. Known flaws Bob]
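Bob's question above about grabbing card details but not PINs has a concrete answer in the magnetic-stripe layout itself. The following Python parser is an added example, not code from the article or from Penn Station or Heartland: it reads Track 1 and Track 2 strings per the ISO/IEC 7813 layout, Luhn-checks the PAN, applies the PCI DSS first-six/last-four masking rule, and decodes the service code digit that tells a terminal whether to prompt for a PIN. The sample tracks use the standard 4111 1111 1111 1111 test number and a fictitious cardholder; they are constructed for the example. Note that neither track has a PIN field: the PIN is entered on a PIN pad and travels separately as an encrypted PIN block, which is why a skim of stripe data or a POS memory dump yields names and numbers but not PINs.

```python
import re

# Constructed sample track data for illustration only: the well-known test PAN
# 4111 1111 1111 1111, a fictitious cardholder and a 12/14 expiry. Nothing
# here comes from the Penn Station or Heartland investigation.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^1412101000000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=14121010000000000000?"

# ISO/IEC 7813 layouts:
#   Track 1 = %<format code><PAN>^<name>^<YYMM><service code><discretionary>?
#   Track 2 = ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"^%(?P<fc>[A-Z])(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)

# Third digit of the service code tells the terminal whether to ask for a PIN.
# The PIN itself is never encoded on the stripe.
PIN_POLICY = {
    "0": "PIN required",
    "1": "no restrictions",
    "2": "goods and services only",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "prompt for PIN if PIN pad present",
    "7": "goods and services only, prompt for PIN if PIN pad present",
}


def luhn_ok(pan):
    """Luhn check-digit test: separates real PANs from random digits in a dump."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """PCI DSS display rule: show at most the first six and last four digits."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(track):
    """Return the fields encoded on a Track 1 or Track 2 string, or None if it does not parse."""
    m = TRACK1_RE.match(track)
    if m:
        surname, _, given = m.group("name").partition("/")
        fields = {"track": 1, "name": (given.strip() + " " + surname.strip()).strip()}
    else:
        m = TRACK2_RE.match(track)
        if not m:
            return None
        fields = {"track": 2, "name": None}
    pan, exp, svc = m.group("pan"), m.group("exp"), m.group("svc")
    fields.update({
        "pan": pan,
        "masked_pan": mask_pan(pan),
        "luhn_ok": luhn_ok(pan),
        "expiry": exp[2:] + "/" + exp[:2],  # stored as YYMM, shown as MM/YY
        "service_code": svc,
        "pin_policy": PIN_POLICY.get(svc[2], "reserved"),
        "pin_on_track": False,  # neither track layout has a PIN field
    })
    return fields


if __name__ == "__main__":
    for t in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        print(parse_track(t))
```

Run against the constructed samples, both tracks yield the PAN, expiry and service code, and Track 1 adds the cardholder name; `pin_on_track` is always false because the format has nowhere to put one. A processor doing forensics on a POS dump would run exactly this kind of parse plus Luhn filter to estimate how many live card numbers were exposed, which is the scoping step the breached parties in these stories keep getting wrong.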

A new flaw or a “backdoor” that US Cyber Command no longer requires? Since the US is now in the Cyber Attack business, we have to consider that they may “draft” some vendors for the “war effort.”
"The U.S. Computer Emergency Readiness Team (US-CERT) has disclosed a flaw in Intel chips that could allow hackers to gain control of Windows and other operating systems, security experts say. The vulnerability was disclosed in a security advisory released this week. Hackers could exploit the flaw to execute malicious code with kernel privileges, said a report in the Bitdefender blog. 'Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack,' the US-CERT advisory says. 'The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.'"
According to the article, exposed OSes include "Windows 7, Windows Server 2008 R2, 64-bit versions of FreeBSD and NetBSD, as well as systems that include the Xen hypervisor."

How our infrastructure may die. Imagine similar security failures at a site that updates financial systems (or controllers for centrifuges...)
"A web site used to distribute software updates for a wide range of medical equipment, including ventilators, has been blocked by Google after it was found to be riddled with malware and serving up attacks. The U.S. Department of Homeland Security is looking into the compromise. The site belongs to San Diego-based CareFusion Inc., a hospital equipment supplier. The infected Web sites, which use a number of different domains, distribute firmware updates for a range of ventilators and respiratory products. Scans by Google's Safe Browsing program in May and June found the sites were rife with malware. For example, about six percent of the 347 Web pages hosted at, a CareFusion Web site that is used to distribute software updates for the company's AVEA brand ventilators, were found to be infected and pushing malicious software to visitors' systems."

Be more private than the next guy...
June 15, 2012
EFF - How to Turn on Do Not Track in Your Browser
"In recent years, online tracking companies have begun to monitor our clicks, searches and reading habits as we move around the Internet. If you are concerned about pervasive online web tracking by behavioral advertisers, then you may want to enable Do Not Track on your web browser. Do Not Track is unique in that it combines both technology (a signal transmitted from a user) as well as a policy framework for how companies that receive the signal should respond. As more and more websites respect the Do Not Track signal from your browser, it becomes a more effective tool for protecting your privacy. EFF is working with privacy advocates and industry representatives through the W3C Tracking Protection Working Group to define standards for how websites that receive the Do Not Track signal ought to respond in order to best respect consumers' choices. The following tutorial walks you through enabling Do Not Track in the four most popular browsers: Safari, Internet Explorer 9, Firefox, and Chrome."
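The EFF tutorial covers the browser side: turning the setting on makes the browser add a `DNT: 1` request header. What happens next is entirely up to the server, which is the "policy framework" half of the mechanism. The following WSGI application is an added example, not code from EFF or the W3C: it reads the header (WSGI exposes it as `HTTP_DNT`), treats `1` as an opt-out, `0` as consent and anything else as no preference, sets its analytics cookie only when tracking is allowed, and answers with the `Tk` response header (`N` = not tracking, `T` = tracking) that the W3C Tracking Preference Expression specification later standardised. The cookie value and the `simulate` harness are constructed for the example.

```python
from wsgiref.util import setup_testing_defaults


def dnt_preference(environ):
    """Read the DNT request header (exposed to WSGI as HTTP_DNT).

    Returns "1" (user asks not to be tracked), "0" (user consents) or None
    (header absent or malformed, i.e. no preference expressed).
    """
    value = environ.get("HTTP_DNT", "").strip()
    return value if value in ("0", "1") else None


def tracking_allowed(environ):
    """The signal is advisory: the site, not the browser, has to act on it."""
    return dnt_preference(environ) != "1"


def app(environ, start_response):
    """Minimal WSGI app that sets an analytics cookie only when DNT is not 1.

    Tk response header values follow the W3C Tracking Preference Expression
    spec: "N" = not tracking this request, "T" = tracking.
    """
    headers = [("Content-Type", "text/plain; charset=utf-8")]
    if tracking_allowed(environ):
        # "trk=constructed-id" is a placeholder cookie value for the example.
        headers.append(("Set-Cookie", "trk=constructed-id; Path=/; HttpOnly"))
        headers.append(("Tk", "T"))
        body = b"tracking cookie set\n"
    else:
        headers.append(("Tk", "N"))
        body = b"DNT honoured, no tracking cookie\n"
    start_response("200 OK", headers)
    return [body]


def simulate(dnt_value):
    """Run the app against a constructed request; returns (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    if dnt_value is not None:
        environ["HTTP_DNT"] = dnt_value
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    for v in ("1", "0", None, "yes"):
        status, hdrs, body = simulate(v)
        print(f"DNT={v!r}: Tk={hdrs['Tk']} cookie_set={'Set-Cookie' in hdrs}")
```

The point the tutorial cannot make on its own is visible in `tracking_allowed`: nothing in the browser blocks the cookie, so a user's protection is exactly as good as the server's willingness to branch on that one header. Checking the `Tk` header in a response is also the quickest way to see whether a site claims to honour the signal at all.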

Ubiquitous surveillance. Perhaps there will be a market for my Rent-a-Drone idea?
June 15, 2012
UK Mail reports Google and Apple deploying advanced satellite surveillance
Mail Online: "Spy planes able to photograph sunbathers in their back gardens are being deployed by Google and Apple. The U.S. technology giants are racing to produce aerial maps so detailed they can show up objects just four inches wide. But campaigners say the technology is a sinister development that brings the surveillance society a step closer. Google admits it has already sent planes over cities while Apple has acquired a firm using spy-in-the-sky technology that has been tested on at least 20 locations, including London. Apple’s military-grade cameras are understood to be so powerful they could potentially see into homes through skylights and windows. The technology is similar to that used by intelligence agencies in identifying terrorist targets in Afghanistan."

Oh boy, the MPAA's Justice Department isn't going to like this... I doubt that DoJ has had time to look at all the data they seized.
U.S. ordered to prepare for handover of MegaUpload data
A New Zealand court has ordered the U.S. government to get ready to give MegaUpload founder Kim Dotcom and his co-defendants copies of the data from servers seized by federal agents, ComputerWorld reported today.
The data includes over 10 million intercepted emails, financial records and more than 150 terabytes of data stored on servers seized in New Zealand.
The same court told the U.S. in May that it had three weeks to show the evidence that supports its indictment against MegaUpload managers. [Wow! They won't take the MPAA's word for it? Bob]

The “Ban” didn't last long – unfortunately, stupid is forever...
World gets second helpings of girl's school dinner blog as ban is overturned
When nine-year-old Martha Payne set up a blog six weeks ago, to show pictures of her daily school lunch – sometimes meagre, often fried – it was meant as a writing project that would be seen by few others than her close relatives.
But word spread over social media, and in just over a week more than 100,000 people had viewed Martha's stark photos of her food, sitting on a white, prison-style tray.
Still, she could have been little prepared for the deluge of publicity on Friday, when Argyll and Bute council was forced into a humiliating climbdown over a decision to effectively close the blog, by banning photography in the school dining hall.
By 11pm, her blog, NeverSeconds, which has drawn the support of Jamie Oliver, had attracted more than 4m page views and she had managed to raise more than £52,000 for the charity Mary's Meals.
… Argyll and Bute came up with a response likely to be immortalised on public relations curriculums under "how not to do it".
A statement accused a girl of "unwarranted attacks" on local school meals "which have led catering staff to fear for their jobs".

The competition...
"In an interview with Udacity founder Sebastian Thrun, it was revealed that he hopes to offer a Masters degree for only $100, and is close to offering a full computer science degree. 'There are unfortunately some rough edges between our fundamental class CS101 and the next class up, when this is done I believe we can get an entire computer science education completely online and free and I think this is the first time this has happened in the history of humanity.' The latest course from Udacity is on statistics, and he is hoping to top the 160,000 sign-ups for his first online class on AI. It is also hoped to be the first class where students can visit a testing center to get their achievements formally certified."

For my Ethical Hackers... (Great illustration that should be a poster.)
"In the wake of confirmation that the U.S. government was involved in the creation of Stuxnet and likely Flame, a look over job listings on defense contractor sites shows just how explicitly the Pentagon and the firms that service it are recruiting offense-oriented hackers. Northrop Grumman, Raytheon, Lockheed Martin, SAIC, and Booz Allen have all posted job ads that require skills like 'exploit development,' have titles like 'Windows Attack Developer,' or ask applicants to 'plan, execute, and assess an Offensive Cyberspace Operation.'"

(Related) Start 'em young!
Huge (unofficial) rise in AP CS Test Takers
Last week was the AP CS Reading, where over 100 computing teachers read over students’ programs and graded them. Several readers (including Barbara) have come back saying that the unofficial count for the number of tests this year was 26,000. Compare that to 21,139 last year, and 19,390 the year before that. We probably won’t have the official numbers until January, and we’ll get the demographic breakdown then, too. A 20+% increase in a single year is remarkable!

Friday, June 15, 2012

The ethics of surveillance? What a concept to ponder!
An Eye Without an 'I': Justice and the Rise of Automated Surveillance
Over the past decade, video surveillance has exploded. In many cities, we might as well have drones hovering overhead, given how closely we're being watched, perpetually, by the thousands of cameras perched on buildings. So far, people's inability to watch the millions of hours of video had limited its uses. But video is data and computers are being set to work mining that information on behalf of governments and anyone else who can afford the software. And this kind of automated surveillance is only going to get more sophisticated as a result of new technologies like iris scanners and gait analysis.
Yet little thought has been given to the ethics of perpetually recording vast swaths of the world. What, exactly, are we getting ourselves into?
… In a new paper called The Unblinking Eye: The Ethics of Automating Surveillance, philosopher Kevin Macnish argues that the political and cultural costs of excessive surveillance could be so great that we ought to be as hesitant about using it as we are about warfare. That is to say, we ought to limit automated surveillance to those circumstances where we know it to be extremely effective.

Not convinced the FBI has been totally incompetent so far or that this new unit will suddenly solve all their problems. So what is really going on here?
With FBI snooping on social media, how to protect privacy
To say that the FBI had its work cut out for it after 9/11 is an understatement. As part of its anti-terrorism efforts, the agency cozied up to telecom companies, like Verizon and AT&T. The relationship was so tight that some telecom employees actually had offices at the FBI.
This convenient arrangement paved the way for FBI agents to ultimately hand post-it notes with phone numbers to their telecom pals to find out if those accounts were worth investigating. It's the sort of stuff that makes privacy advocates shudder. And it's what Jennifer Lynch, staff attorney at the Electronic Frontier Foundation, says we don't want to see repeated now that the FBI has created a new surveillance unit.
The recently established Domestic Communications Assistance Center (DCAC) will develop new ways to eavesdrop on our communications.
… Right now, Lynch and her colleagues at EFF are finding there's a scant amount of information about this new department of the FBI. Learn what action EFF plans to take in my report above

Google does the same. Connecting your Facebook account to your smartphone may allow more data gathering. Or it may be a way to introduce the new Facebook Fone...
Facebook wants users' cell numbers in bid to bolster security
The social network has begun adding a message at the top of every member's news feed that suggests they "Stay in control of your account by following these simple security tips." The message includes a link to Facebook's security page, where users are tutored on how to identify a scam and choose a unique password, and are asked to provide a cell phone number where replacement passwords can be sent.

Quotes from Field of Legal Dreams “If you build it, they will sue.”
Apple Must Face Privacy Class Action, Judge Rules
June 14, 2012 by Dissent
Chris Marshall reports:
Apple may be liable for sending unauthorized iPhone user information to the third parties behind applications, but the application developers are in the clear, a federal judge ruled.
The plaintiffs in the consolidated class action have sufficiently showed that Apple was responsible for transmitting the personal information of iPhone, iPad and iPod Touch users to the application companies, U.S. District Judge Lucy Koh found.
Apple and the developers faced claims of having violated consumers’ privacy rights by letting third-party applications that run on Apple devices collect and profit from users’ personal information without their knowledge. The class alleges computer fraud, invasion of privacy, conversion and many other statutory violations.
Read more on Courthouse News. MediaPost and are also among the many sites covering the lawsuit.
Related: Judge Koh’s opinion (44 pp.)

Another in the never ending string of incomprehensible political decisions.
9-Year-Old Who Changed School Lunches Silenced By Politicians
For the past two months, one of my favorite reads has been Never Seconds, a blog started by 9-year-old Martha Payne of western Scotland to document the unappealing, non-nutritious lunches she was being served in her public primary school. Payne, whose mother is a doctor and father has a small farming property, started blogging in early May and went viral in days. She had a million viewers within a few weeks and 2 million this morning; was written up in Time, the Telegraph, the Daily Mail, and a number of food blogs; and got support from TV cheflebrity Jamie Oliver, whose series “Jamie’s School Dinners” kicked off school-food reform in England.
Well, goodbye to all that.
This afternoon, Martha (who goes by “Veg” on the blog) posted that she will have to shut down her blog, because she has been forbidden to take a camera into school.

I make no claim for the quality of the book, but you IP lawyers might find the video amusing...
Book Excerpt: Aliens Go Crazy for Rock ‘n’ Roll in Year Zero

Thursday, June 14, 2012

A little out of the ordinary.
PA: Security breach exposes student data
June 14, 2012 by admin
Jason A. Kahl reports:
The personal information of all students in the Fleetwood School District was stolen and posted online, district officials and Fleetwood police said Wednesday.
The security breach was discovered by parents of students in the district who notified school officials Tuesday. The school contacted borough police and the website, Wikispaces, where it was posted, and had it taken down within hours, Dr. Paul B. Eaken, superintendent, said Wednesday night.
The stolen information included the name, date of birth, school identification number, address, parents’ names, teacher’s name and grade level of each of the approximately 2,700 students from kindergarten through 12th grade, Eaken said.
He said the information came from a digital spreadsheet file stored in the administrative section of the district.
Read more on Reading Eagle.
Hopefully their ID number isn’t their SSN.
[From the article:
They stated that families should be watchful for unknown visitors [I've never seen a warning like that. Do they have reason to suspect stalkers stole their data? Bob] and unwanted mail."
… It was unclear when the information was stolen and how long it had been online before the parents found it. [The school district didn't know it was missing, someone had to tell them. They were unable to see who accessed the data? Bob]
Eaken said the data was taken electronically from the school's computer system, either by a virus, someone with a password or someone hacking into the system. [So, someone inside, someone outside or something else entirely? That pretty much covers it. Bob]

For my “Business Continuity” students... My Ethical Hackers already know...
Cyberrisks to U.S. electric grid a matter of timing
Security technology used by U.S. electric utilities is flawed and could increase the odds of computer intrusions or sabotage, the chairman of an industry standards group warns.
Jesse Hurley, co-chair of the North American Energy Standards Board's Critical Infrastructure Committee, says the mechanism for creating digital signatures for authentication is insufficiently secure because not enough is being done to verify identities and some companies are attempting to weaken standards to fit their business models.
… This debate over critical infrastructure security comes as the U.S. Senate prepares to debate a Democrat-backed bill that would give Homeland Security additional authority to regulate cybersecurity practices for critical infrastructure [Making Infrastructure as secure as TSA makes flying? Why does that not give me the warm fuzzies? Bob]

This is an interesting change... Think the court will quash?
New submitter nbacon writes with news that Comcast, apparently tired of the endless BitTorrent-related piracy lawsuits, has stopped complying with subpoena requests, much to the chagrin of rightsholders. From the article:
"Initially Comcast complied with these subpoenas, but an ongoing battle in the Illinois District Court shows that the company changed its tune recently. Instead of handing over subscriber info, Comcast asked the court to quash the subpoenas. Among other things, the ISP argued that the court doesn’t have jurisdiction over all defendants, because many don’t live in the district in which they are being sued. The company also argues that the copyright holders have no grounds to join this many defendants in one lawsuit. The real kicker, however, comes with the third argument. Here, Comcast accuses the copyright holders of a copyright shakedown, exploiting the court to coerce defendants into paying settlements."

Perhaps I wasn't wrong in thinking “Innocent” was a possible defense?
Retired Judge Joins Fight Against DOJ’s ‘Outrageous’ Seizures in Megaupload Case
Abraham David Sofaer, a former New York federal judge, recently was presenting a paper at the National Academy of Sciences about deterring cyberattacks when he learned the feds had shut down Megaupload, seizing its domain names, in a criminal copyright infringement case.
Troubling him more than his paper on global cybersecurity (.pdf) was learning that the government had seized the files of 66.6 million customers as part of its prosecution of the file-sharing site’s top officers, and was refusing to give any of the data back to its owners.
“It’s really quite outrageous, frankly,” the 74-year-old President Jimmy Carter appointee said in a recent telephone interview. “I was thinking the government hadn’t learned to be discreet in its conduct in the digital world. This is a perfect example on how they are failing to apply traditional standards in the new context.”
A former State Department legal adviser, Sofaer has teamed up — free of charge — with the Electronic Frontier Foundation in urging a federal court to set up a system to allow Megaupload users to get back their legal content.
His entry into the high-profile case comes as users increasingly turn to online storage systems and services, including Dropbox, Gmail, YouTube, ReadItLater, iCloud, and Google Drive, among others, to share and store their data — despite the fact that legal protections for cloud services are weak and servers can be shut down at any time by an aggressive prosecutor. In an unrelated copyright infringement seizure, the feds confiscated the domain of a hip-hop music blog at the behest of the recording industry, only to return it, without apology or recompense, a year later for lack of evidence.
… The government copied 25 petabytes of the data, and said the rest can be erased. The Department of Justice told the federal judge overseeing the prosecution that the government has no obligation to assist anybody getting back their data, even if it’s non-infringing material.
… But in a recent court filing, the authorities wrote that assisting an Ohio man in getting back his company’s high school sports footage “would create a new and practically unlimited cause of action on behalf of any third party who can claim that the government’s execution of a search warrant adversely impacted a commercial relationship between the target of the search and the third party.”
Sofaer, also a former clerk to then-Supreme Court Justice William Brennan Jr. and now a Hoover Institution fellow, claims the government’s response is hogwash. All legal files could easily be retrieved, just like they were before the service was shuttered in January.

If you had access to all this data, what could you determine? What voters look for in a Presidential candidate? What stocks to buy or sell? The answer to life, the universe and everything?
"Technology Review has an in-depth profile of the team at Facebook tasked with figuring out what can be learned from all our data. The Data Science Team mine that information trove both in the name of scientific research into the patterns of human behavior and to advance Facebook's understanding of its users. Facebook's ad business gets the most public attention, but the company's data mining technology may have a greater effect on its destiny — and users' lives."

What new degree should my young whippersnappers be looking for? Cloud Management?
"Young whippersnappers might imagine that Computer Science degrees — and the term "computer science" — have been around forever. But they were invented, after all, and early programmers couldn't earn a college degree in something that hadn't been created yet. In The Evolution of the Computer Science Degree, Karen Heyman traces the history of the term and the degree, and challenges you on a geek trivia question: Which U.S. college offered the first CS degree? (It's not an obvious answer.)"

So let's all publish a book!
Self-publishing a book: 25 things you need to know

Returned many short papers on topics I searched...
Wednesday, June 13, 2012
Through a recent blog post by Angela Maiers I discovered a nice service for finding and sharing ebooks. The service is called ebook browse and it's similar to services like Scribd and DocStoc. On ebook browse you can browse for documents, upload and share your own documents, and download the documents that other people make available. If you want to make your documents available online for others to read, just upload them to ebook browse and share the link or embed them into your blog or website using the embed code provided by ebook browse.
… Students can upload to ebook browse then use the embed code provided to display their documents in their digital portfolios.

Wednesday, June 13, 2012

Have I mentioned that management seems unable to accurately determine the scope of a security breach prior to the first announcement? If I was a true cynic, I would suspect they wanted to keep the really bad stuff hidden at first, hoping that no one would notice when they finally disclosed it. Apparently, they store data for some customers that goes beyond that needed to complete the credit card transaction.
Global Payments: Consumer data may also have been stolen
Credit card processor Global Payments said today that in the course of investigating the theft of 1.5 million credit card numbers, it has discovered that hackers may also have stolen consumer data from servers.
"Our ongoing investigation recently revealed potential unauthorized access [Does that mean they may have accessed the data or that they may have been authorized to access the data? Bob] to personal information collected from a subset of merchant applicants," the company said in a statement on its Web site.
"It is unclear whether the intruders looked at or took any personal information from the company's systems [You have no log of activity on your system? Bob]

I don't see much new...
June 12, 2012
IC3 2011 Internet Crime Report Released
[May 10, 2012] - The Internet Crime Complaint Center (IC3) released the 2011 Internet Crime Report — an overview of the latest data and trends of online criminal activity. According to the report, 2011 marked the third year in a row that the IC3 received more than 300,000 complaints. The 314,246 complaints represent a 3.4 percent increase over 2010. The reported dollar loss was $485.3 million. As more Internet crimes are reported, IC3 can better assist law enforcement in the apprehension and prosecution of those responsible for perpetrating Internet crime."

Sounds fair to me, but also suggests an ever increasing “war” of video recordings... (Is someone tracking who is using video to lie?)
"Posting videos to YouTube allegedly showing police misconduct has become commonplace these days. Now police themselves are posting their own videos to refute misconduct claims. 'After a dozen Occupy Minnesota protesters were arrested at a downtown demonstration, the group quickly took to the Internet, posting video that activists said showed police treating them roughly and never warning them to leave. But Minneapolis police knew warnings had been given. And they had their own video to prove it. So they posted the footage on YouTube, an example of how law enforcement agencies nationwide are embracing online video to cast doubt on false claims and offer their own perspective to the public.'"

On June 4th I posted this article: “UK: Google was allowed to destroy data haul after ICO spent less than three hours examining information collected by Street Cars ” Looks like several people found that inadequate.
UK reopens probe into Google’s Street View data capture
June 13, 2012 by Dissent
BBC reports:
Google is back under investigation after gathering personal data while cameras on its cars took pictures for its UK Street View service.
The Information Commissioner’s Office previously dropped a probe into the affair after being told limited data had been “mistakenly collected”.
However, it said it had since become aware of reports that a Google engineer had deliberately written software to obtain a wider range of material.
The ICO has asked for more information.
Specifically it wants to know what type of data was captured; when Google managers became aware of the issue; how the news was managed and why the full range of gathered data was not represented in a sample the firm presented to it in 2010.
Furthermore it has requested a certificate to show that the data had since been destroyed.
Read more on BBC.
It’s hard not to view this as anything more than “Data Protection Theater.” I don’t recall ever seeing anyone use that phrase before, but it seems like a useful generalization from “security theater” to describe things governments do that are supposed to protect our data and privacy but don’t.
In this case, the ICO had an opportunity to really investigate the Street View mess but did only minimal investigation. Now it’s embarrassed after the FCC report was released and is making a show of looking into this more. Did the ICO ever ask Google to sign an affidavit attesting that the sample presented represented the full range of data types gathered? According to the ICO’s letter to Google, Google misled them. Now they’re asking to see design documents and a whole lot more.
That said, I don’t expect anything really useful to come out of this investigation other than to accomplish some egg-removing from the ICO’s face.

(Related) “Oops! Looks like we accidentally designed our software to work like Google Street View...”
Virgin Media denies intention to monitor commuters’ emails
June 12, 2012 by Dissent
Sophie Curtis reports that Virgin Media has clarified its Terms & Conditions to make clear that they never intended to snoop on communications, even though their T&C appeared to reserve that right unrestrictedly:
Virgin Media has amended a clause in the terms and conditions for users of its London Underground Wi-Fi service, which went live last week, in response to complaints from privacy campaigners.
Originally, the T&Cs stated that Virgin Media “may monitor email and internet communications, including without limitation, any content or material transmitted over the services”.
The suggestion that Virgin Media could be snooping on customers’ communications raised the ire of MPs and privacy campaigners alike, with conservative MP Robert Halfon suggesting that “a surveillance society is being created on the Underground”.
Read more on TechWorld.
Thank goodness at least some people read privacy policies and T&C.

I may ask my IT Management students to do a statistical study of “settlements.” I suspect there is a dollar amount that indicates the settlement was to avoid the hassle of extended legal wrangling that would wind up with no resolution and another (much?) higher level that suggests “Okay, you got us. Here's the basic settlement plus a reasonable amount to match a future fine.”
Spokeo to Pay $800,000 to Settle FTC Charges Company Allegedly Marketed Information to Employers and Recruiters in Violation of FCRA
June 12, 2012 by Dissent
From the FTC:
Spokeo, Inc., a data broker that compiles and sells detailed information profiles on millions of consumers, will pay $800,000 to settle Federal Trade Commission charges that it marketed the profiles to companies in the human resources, background screening, and recruiting industries without taking steps to protect consumers required under the Fair Credit Reporting Act. This is the first Commission case to address the sale of Internet and social media data in the employment screening context.
The FTC alleged that Spokeo operated as a consumer reporting agency and violated the FCRA by failing to make sure that the information it sold would be used only for legally permissible purposes; failing to ensure the information was accurate; and failing to tell users of its consumer reports about their obligation under the FCRA, including the requirement to notify consumers if the user took an adverse action against the consumer based on information contained in the consumer report.
… According to the FTC, Spokeo collects personal information about consumers from hundreds of online and offline data sources, including social networks. It merges the data to create detailed personal profiles of consumers. The profiles contain such information as name, address, age range, and email address. They also might include hobbies, ethnicity, religion, participation on social networking sites, and photos.
The FTC alleges that from 2008 until 2010, Spokeo marketed the profiles on a subscription basis to human resources professionals, job recruiters, and others as an employment screening tool. [“It takes us a few years to notice this stuff...” Bob]
Note that this may not be the end of Spokeo’s problems, as the plaintiff in a lawsuit in the Ninth Circuit has appealed the court’s dismissal of his case.

It couldn't hurt...
"Rep. Darrell Issa (R-CA) has published a first-draft Internet Bill of Rights, and it's open for feedback. He wrote, 'While I do not have all the answers, the remarkable cooperation we witnessed in defense of an open Internet showed me three things. First, government is flying blind, interfering and regulating without understanding even the basics. Second, we have a rare opportunity to give government marching orders on how to treat the Internet, those who use it and the innovation it supports. And third, we must get to work immediately because our opponents are not giving up.' Given the value of taking an active approach against prospective laws such as SOPA, PIPA, and ACTA, I think it's very important to try to spread awareness, participation, and encourage elected officials to support such things."

So do we live in a digital world or not?
Facebook isn't the place to serve legal papers, says judge
Facebook is the normal way to communicate with people. It may not yet be a fine place to slap legal papers upon an adversary, however.
In an intriguing case involving a mother, a daughter, and a bank, a federal judge decided that it's not yet time for Facebook to become a fine substitute for chasing someone down a street in order to serve them with papers.
Paid Content reports the contents of his ruling as being highly nuanced.

Language evolves (sorry creationists) so it is useful to have a translation tool.

Alternatives to paying an extra $99 to get a clean copy...
… The problem with buying a new Windows PC from a big manufacturer such as HP, Lenovo, Dell, or Acer is the amount of pre-installed software bundled on the machines. Most of it is useless, and none of it was requested by the buyer, hence why we refer to it as crapware.

Tuesday, June 12, 2012

Security breach perspective: As the value of a single credit card goes down, you can make up for it by increasing your volume...
Theft of 44K credit cards is tip of the iceberg, police say
… David Benjamin Schrooten, aka "Fortezza," is being targeted by federal prosecutors for allegedly hacking into computers and stealing massive amounts of credit card numbers. Once he obtained the numbers, he allegedly sold them in bulk quantities via different Web sites. The 44,000 is reportedly from just one sale.
Police caught onto Schrooten's alleged heist last November after a Seattle restaurant owner contacted the police. According to the Associated Press, several customers who ate at the restaurant got suspicious charges on their cards. Some were even getting charged $70 to $80 in as little as 10 minutes after using their cards at the restaurant.

For my Disaster Recovery class. “Sorry, we have no record of your account.” Many articles, no real information.
IN: Fire in Pathankot bank, data destroyed
June 11, 2012 by admin
Hope they had an off-site backup:
Pathankot: A fire broke out in a branch of State Bank of Patiala here, destroying a large amount of data, police said today.
According to preliminary inquiry, the fire was caused by short circuit in the computer room last night and was controlled after two hours of fire fighting operations assisted by police.
No loss of life was reported due to the fire.
The data loss due to the fire in the computer room could be huge, Pathankot DSP Rajit Singh said.

Perhaps the Privacy Foundation should invite Phil back. This is how lawyers should talk to their clients...
Phil Zimmermann's post-PGP project: privacy for a price
… Zimmermann's new company, Silent Circle, plans to release a beta version of an iPhone and Android app in late July that encrypts phone calls and other communications. A final version is scheduled to follow in late September.

If everyone (NSA, TSA, DHS, NYPD, MOUSE) starts flying these things over cities, we might see more crashes in places normal air traffic avoids.
Navy Loses Giant Drone in Maryland Crash

Somehow this doesn't make sense.
"Documents released by the FBI provide an unusual inside look at how the agency is struggling to penetrate 'darknet' Onion sites routed through Tor, the online privacy tool funded in part by government grants to help global activists. In this case, agents were unable to pursue specific leads about an easily available child pornography site, while files withheld indicate that the FBI has ongoing investigations tied to the Silk Road marketplace, a popular, anonymous Tor site for buying and selling drugs and other illegal materials."
Sounds similar to the problems that plagued freenet.
[From the MuckRock article:
In this particular case, a citizen reported stumbling upon [i.e., the files were not hidden Bob] a cache of child pornography while browsing the anonymous Tor network's hidden sites, which are viewable with specialized, but readily available, tools and the special .onion domain. [How could they be “readily available” to everyone but the FBI? Bob]

We're doomed!
June 11, 2012
Report - "When the Government Comes Knocking, Who Has Your Back?"
  • "When you use the Internet, you entrust your online conversations, thoughts, experiences, locations, photos, and more to companies like Google, AT&T and Facebook. But what happens when the government demands that these companies hand over your private information? Will the company stand with you? Will it tell you that the government is looking for your data so that you can take steps to protect yourself? The Electronic Frontier Foundation examined the policies of 18 major Internet companies — including email providers, ISPs, cloud storage providers, and social networking sites — to assess whether they publicly commit to standing with users when the government seeks access to user data. We looked at their terms of service, privacy policies, and published law enforcement guides, if any. We also examined their track record of fighting for user privacy in the courts and whether they’re members of the Digital Due Process coalition, which works to improve outdated communications law. Finally, we contacted each of the companies with our conclusions and gave them an opportunity to respond and provide us evidence of improved policies and practices. These categories are not the only ways that a company can stand up for users, of course, but they are important and publicly verifiable."

Worth skimming through?
UK: #Intelligence
Source: Demos (UK)
The growth of social media poses a dilemma for security and law enforcement agencies. On the one hand, social media could provide a new form of intelligence – SOCMINT – that could contribute decisively to keeping the public safe. On the other, national security is dependent on public understanding and support for the measures being taken to keep us safe.
Social media challenges current conceptions about privacy, consent and personal data, and new forms of technology allow for more invisible and widespread intrusive surveillance than ever before. Furthermore, analysis of social media for intelligence purposes does not fit easily into the policy and legal frameworks that guarantee that such activity is proportionate, necessary and accountable.
This paper is the first effort to examine the ethical, legal and operational challenges involved in using social media for intelligence and insight purposes. It argues that social media should become a permanent part of the intelligence framework but that it must be based on a publicly argued, legal footing, with clarity and transparency over use, storage, purpose, regulation and accountability. #Intelligence lays out six ethical principles that can help government agencies approach these challenges and argues for major changes to the current regulatory and legal framework in the long-term, including a review of the current Regulation of Investigatory Powers Act 2000.
+ Direct link to document (PDF; 405 KB)

We like this standard best: “It's off by default (because that's best for us) and even when you turn it on, we can keep acting like it's off.”
‘Do not track’ privacy options should not be activated by default, standards body proposes
June 12, 2012 by Dissent
The World Wide Web Consortium (W3C), which is responsible for ensuring that web technology is based on an agreed set of technical standards, has been working on developing a new ‘do not track’ (DNT) controls system for operation within web browser settings. It has said that the controls should not be set by default. Instead, internet users would have to provide their “explicit consent” to activate them.
Jonathan Mayer of Stanford University, who has been working on the new standard, said that W3C had worked on a “compromise proposal” which would prohibit online publishers using cookies to track their users’ online activity once those users had enabled the DNT option. However, “affiliate information sharing” about users can continue even once DNT controls have been activated, Mayer said.

Just out of curiosity, does State actually have anyone on staff who understands technology?
State Department offers Amazon up to $16.5M to hand out Kindles
The only e-reader fit enough to meet the U.S. State Department's needs is the Kindle Touch. The iPad and Nook simply won't do. The government has asked Amazon to negotiate a no-bid contract of up to $16.5 million to pass out Kindles to the country's embassies overseas. This was first reported by Nextgov.
If Amazon proposes a contract based on the State Department's needs, it would theoretically provide at least 2,500 Kindle Touches preloaded with 50 titles each to the State Department; but this number could grow because the government is looking to negotiate a contract that could last up to five years.

Job opportunities for my Ethical Hackers...
"In this TED Talk, Rory Sutherland discusses the need for every company to have a staff member with the power to do big things but no budget to spend: these are the kinds of individuals who are not afraid to recommend cheap and effective ways to solve big company problems. This article argues that, in the IT world, this person is none other than a highly-skilled hacker. From the article: 'To the media, the term “hacker” refers to a user who breaks into a computer system. To a programmer, “hacker” simply means a great programmer. In the corporate IT field, hackers are both revered as individuals who get a lot done without a lot of resources but feared as individuals who may be a little more “loose cannon” than your stock IT employee. Telling your CEO you want to hire a hacker may not be the best decision for an IT manager, but actually hiring one may be the best decision you can make.'"

Fortunately, we no longer bother with “ye olde textbooks” – each learning objective is a separate collection of lectures, videos, websites and Apps...
First time accepted submitter discussM tipped us to a story about a recently granted patent in which "a system and method preventing unauthorized access to copyrighted academic texts is provided in which trademark licenses, discussion boards, and grade content are integrated into a web-based system that aligns the interests of teaching professionals, students, and publishers while also enhancing the overarching academic mission to create and disseminate knowledge." Quoting Torrent Freak: "As part of a course, students will have to participate in a web-based discussion board, an activity which counts towards their final grade. To gain access to the board students need a special code, which they get by buying the associated textbook." But don't worry too much, from Ars: "Beyond the legal questions, other experts suggested forcing students to buy texts through such a system is unlikely to be implemented. Professors have few incentives to make it more difficult and to compel students even more than they already are to buy textbooks, digital or analog. (A 2011 survey from UC Riverside found that 78 percent of undergraduates 'bought fewer books, bought cheaper books or read books on reserve to help meet expenses.')"

(Related) For my students. Lots more out there like these.
… We have published a number of articles with links to programming video tutorials, interactive learning modules, and even our own programming lessons, but sometimes, you might just need a good book to immerse yourself in. Lucky for you, up next I’ve gathered a list of legally free programming books that can get you started with learning how to program, scripting and even making your own websites.
Thinking in C++ by Bruce Eckel
The author of the book also has written various books on Java, Python and more, many of which are available for free from his site.
Dive Into HTML5 by Mark Pilgrim
Eloquent Javascript by Marijn Haverbeke
Another resource to note is the Non-Programmer’s Tutorial for Python 3 from Wikibooks, which indicates that it’s meant for individuals with no previous programming experience, though I’m sure intermediate programmers could also find the tutorial useful. There’s even a print-friendly version for those that want a physical copy of the tutorial.
For additional resources to learn Python, check out a more complete list of Python-teaching sites.

Monday, June 11, 2012
If you're looking to learn something new or brush-up on your content area knowledge, Open Culture probably has a course listing for you. The latest update to their list of free and open online courses brought the total offerings up to 500. The course content is hosted on a variety of platforms including iTunes, YouTube, and Vimeo. The courses come from notable universities including Stanford, Harvard, and Yale. And thankfully, the list is organized by subject area.

Security looks too expensive until you find out what it costs to skimp...
Lax Security at LinkedIn Is Laid Bare
Last week, hackers breached the site and stole more than six million of its customers’ passwords, which had been only lightly encrypted. They were posted to a Russian hacker forum for all to see.
That LinkedIn was attacked did not surprise anyone.
… What has surprised customers and security experts alike is that a company that collects and profits from vast amounts of data had taken a bare-bones approach to protecting it. The breach highlights a disturbing truth about LinkedIn’s computer security: there isn’t much. Companies with customer data continue to gamble on their own computer security, even as the break-ins increase.
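To make “bare-bones” concrete, here is an added illustration (not from the article and not LinkedIn's own code) of the difference between the unsalted fast hash LinkedIn was widely reported to have used (SHA-1; the page itself only says “lightly encrypted”, so treat that as an assumption) and a salted, slow password hash. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample: two accounts that happen to share a password.
USERS = {"alice": "correct horse", "bob": "correct horse"}


def weak_store(password: str) -> str:
    """Unsalted fast hash (assumed to match the reported storage scheme).
    Identical passwords give identical digests, and one precomputed table
    of common passwords covers every account in a leaked dump at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    The same password stored twice yields two different records."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def audit_unsalted_dump(dump: Dict[str, str], common: List[str]) -> Dict[str, str]:
    """Defender's self-check: which accounts in an unsalted dump fall to a short
    list of common passwords. One hash per candidate, regardless of user count,
    is exactly why a salt-less dump is so cheap to reverse."""
    table = {weak_store(w): w for w in common}
    return {user: table[h] for user, h in dump.items() if h in table}


def demo() -> dict:
    weak = {u: weak_store(p) for u, p in USERS.items()}
    strong = {u: strong_store(p) for u, p in USERS.items()}
    return {
        "weak_digests_identical": weak["alice"] == weak["bob"],
        "strong_digests_identical": strong["alice"] == strong["bob"],
        "weak_audit": audit_unsalted_dump(weak, ["password", "correct horse", "letmein"]),
        "strong_verifies": verify_strong("correct horse", strong["alice"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The salted records cannot be batch-audited the same way: each guess must be rehashed per account with that account's salt and iteration count, which is the cost the weak scheme skipped.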

How long ago did the security breach happen?
's security breach that left user passwords open on a Russian hacker site last week might have shown its ugly face months ago, according to a new report.
Back in May, several users took to the company's forums, saying that they had been receiving massive amounts of spam on e-mail addresses they created solely for Soon after, customer support manager Matt Knapman said that his company was "investigating this matter urgently, running a security audit, and looking at alternative ways the spamming of users might have occurred." [Translation: Looking for an excuse... Bob]
According to GigaOm, reporting today on that event, the audit apparently yielded no evidence of a major security breach.
… However, GigaOm's Bobbie Johnson also said today, citing a source, that the security breach that left passwords open occurred in February or March. That followed a claim made by a Reddit poster, named "mingaminga," who said over the weekend that the password list "has been out there for a long time," adding that there were discussions about it at Defcon last year. So, Johnson argues, if a security audit was, in fact, conducted, it failed to discover a breach that had already occurred.

Is this a criminal prosecution or “sending a message to anyone who uses a service that MPAA doesn't like?”
DOJ tries to block return of data to MegaUpload user
Returning videos to Kyle Goodwin, a former MegaUpload user, would set a bad precedent, [Translation: There might be legal uses of this service... Bob] the U.S. said in documents, copies of which were obtained by CNET.
The fate of "legitimate" user data that was locked up following the shutdown of MegaUpload, one of the world's most popular cloud-storage services, continues to vex the court overseeing the case. The stakeholders involved, including MegaUpload, the Motion Picture Association of America, the Electronic Frontier Foundation (the advocacy group representing Goodwin) and the U.S. Attorney's office, can't agree on what should be done with the information former users stored on MegaUpload's servers.
… "Mr. Goodwin's proposed solution is to have the government bear the financial cost of restoring his data," the U.S. Attorney's office wrote in its filing, "even if that means releasing assets of the defendants which are subject to mandatory forfeiture. Twenty-three years ago, the Supreme Court made clear that a criminal defendant does not have a right to use someone else's money to finance his defense." [No clue what this means. Goodwin is not charged (presumed innocent?) If MegaUpload was holding stolen goods, would they be returned to the victims? Bob]

(Related) The DA “didn't know” the deadline had passed? Doesn't care if the guy is innocent?
Oregon judge orders Google searches by alleged rape victim turned over to accused man
June 10, 2012 by Dissent
Aimee Green reports on a case in Oregon that got complicated in a hurry when a prosecutor failed to appeal a judge’s order in a timely fashion:
In a first of its kind ruling in Oregon, a Deschutes County judge has ordered that a young woman’s Google searches must be turned over to the man accused of beating and raping her.
The Oregon Supreme Court this week refused to rule on the constitutionality of the order, saying the alleged victim waited too long to appeal Circuit Judge A. Michael Adler’s decision.
And so Adler’s order stands — though the district attorney says he can’t comply with it.
In brief, the defense wants the records of her searches before and after the alleged rape. They also wanted her emails and her hard drive. The judge refused to order her to turn over her hard drive, and when the defense attorney subpoenaed Google for her search records and emails, Google refused to comply without a warrant, citing ECPA. So the defense counsel went back to the judge, who ordered the prosecutor to obtain the search records from Google and turn them over to the defense.
The prosecutor refused to do that, saying that he would need a warrant and couldn’t justify seeking a warrant as the records were not necessary to his prosecution. Unfortunately, he didn’t appeal the judge’s order within the 7-day period allowed to file appeals.
Why the judge didn’t order Google directly to produce the records to the court is unclear to me, and maybe some kind lawyer can explain whether that is even an option.
In any event, Google won’t produce the records without a warrant, the prosecutor says it’s problematic and he can’t seek a warrant, and I have no idea where this will go.
You can read more about the case on The Oregonian.
[From the article:
The judge's broad ruling is "hugely disturbing" -- unprecedented in Oregon and extremely rare in the nation, said Meg Garvin, director of the National Crime Victim Law Institute.
Victim advocates worry about the standard it could set. Such orders, they said, could discourage rape victims from pressing charges out of fear that their attackers will gain an invasive window into their thoughts via all the information they've queried on their personal computers.
Deschutes County District Attorney Patrick Flaherty said he can't legally abide by the judge's order. He said he would need a search warrant to do so, and he can do that only if he believes it would further his office's criminal investigation into the case. He doesn't.

Do you suppose people even recognize this as surveillance?
"GeekWire reports on a newly-surfaced Microsoft patent application for 'Targeting Advertisements Based on Emotion', [I'm angry! Show me gun ads! Bob] which describes how information gleaned from Kinects, webcams, online games, IMs, email, searches, webpage content, and browsers could be used to build an 'Emotional State Database' of individuals' emotions over time for advertisers to tap into. From the patent application: 'Weight-loss product advertisers may not want their advertisement to appear to users that are very happy. Because, a person that is really happy, is less likely to purchase a self-investment product that leverages on his or her shortcomings. But a really happy person may purchase electronic products or vacation packages. No club or party advertisers want to appear when the user is sad or crying. When the user is emotionally sad, advertisements about club parties would not be appropriate and may seem annoying or negative to the user. Online help or technical support advertisers want their advertisements to appear when the user is demonstrating a confused or frustrated emotional state.'"

No doubt they are shocked to finally discover that this has been going on since the time of the founding fathers. I doubt it will cause them to stop.
Pelosi to McCain: ‘Really sad’ to say security leaks were ‘politically motivated’ by White House [VIDEO]
House Minority Leader Nancy Pelosi fired back at Arizona Republican Sen. John McCain for claiming that the “highest levels” of the Obama administration leaked sensitive national security information.
“The fact that this administration would aggressively pursue leaks by a 22-year-old Army private in the Wikileaks matter and former CIA employees in other leaks cases, but apparently sanction leaks made by senior administration officials for political purposes is simply unacceptable,” McCain said on Wednesday.

Because they've always been smarter?
Parent company Conde Nast may still think the web is not that important, but The New Yorker does.
The 87-year-old magazine decided to make a “big investment” in its website six to eight months ago, Nicholas Thompson, editor of, says.
… Within the last year, has streamlined its navigation and launched a politics vertical, a “healthcare hub” and Page-Turner, a blog for literary criticism. The latest addition, Jonah Lehrer’s Frontal Cortex blog, was imported from sister website earlier this week.
Traffic has grown as a result. The website brought in 5 million unique visitors in May, up “about 50% from last year,” says Thompson, who pulled the numbers from Omniture. Between 12 and 15 pieces of original content are posted per day on average. About a quarter to a third of the magazine’s content is made available freely on the website each week.
There have also been efforts to boost traction on social networks. The publication offered access to a Jonathan Franzen story in exchange for Facebook Likes in April 2011. Its Tumblr, one of the first to be launched by a major media brand, is updated several times per day during the week. More recently, the magazine tweeted a short sequel to Jennifer Egan’s Pulitzer Prize-winning novel, A Visit from the Goon Squad, through 140-character installments on Twitter.

The trick will be to find a politician willing to look past re-election...
"While the official target of NASA's space exploration program remains exploring Earth approaching asteroids, the case for a return to the moon has been made from a variety of quarters. The most recent attempt to make a case for the moon is in a paper, titled Back to the Moon: The Scientific Rationale for Resuming Lunar Surface Exploration, soon to be published in the journal Planetary and Space Science."