Saturday, July 28, 2012


You should forgive them. They're a tiny corporation with no resources to ensure they follow their legal obligations...
Google ‘in breach’ of UK data privacy agreement
July 27, 2012 by Dissent
From the BBC:
Google has admitted that it had not deleted users’ personal data gathered during surveys for its Street View service.
The data should have been wiped almost 18 months ago as part of a deal signed by the firm in November 2010.
Google has been told to give the data to the UK’s Information Commissioner (ICO) for forensic analysis.
The ICO said it was co-ordinating its response with other European privacy bodies.
Read more on BBC.
In a statement issued today by the Information Commissioner’s Office, a spokesperson said:
“Earlier today Google contacted the ICO to confirm that it still had in its possession some of the payload data collected by its Street View vehicles prior to May 2010. This data was supposed to have been deleted in December 2010. The fact that some of this information still exists appears to breach the undertaking to the ICO signed by Google in November 2010.
“In their letter to the ICO today, Google indicated that they wanted to delete the remaining data and asked for the ICO’s instructions on how to proceed. Our response, which has already been issued, makes clear that Google must supply the data to the ICO immediately, so that we can subject it to forensic analysis before deciding on the necessary course of action.
“We are also in touch with other data protection authorities in the EU and elsewhere through the Article 29 Working Party and the GPEN network to coordinate the response to this development.
“The ICO is clear that this information should never have been collected in the first place and the company’s failure to secure its deletion as promised is cause for concern.”


If it's good enough for revolutionaries, is it good enough for lawyer-client communications?
This Cute Chat Site Could Save Your Life and Help Overthrow Your Government
Twenty-one-year-old college student Nadim Kobeissi is from Canada, Lebanon and the internet.
He is the creator of Cryptocat, a project “to combine my love of cryptography and cats,” he explained to an overflowing audience of hackers at the HOPE conference on Saturday, July 14.
… Cryptocat is an encrypted web-based chat. It’s the first chat client in the browser to allow anyone to use end-to-end encryption to communicate without the problems of SSL, the standard way browsers do crypto, or mucking about with downloading and installing other software. For Kobeissi, that means non-technical people anywhere in the world can talk without fear of online snooping from corporations, criminals or governments.
… When he flies through the US, he’s generally had the notorious “SSSS” printed on his boarding pass, marking him for searches and interrogations — which Kobeissi says have focused on his development of the chat client.

(Related) If you can't be secure, you should at least try to detect eavesdroppers.
How To Bust Your Boss Or Loved One For Installing Spyware On Your Phone
July 28, 2012 by Dissent
Andy Greenberg reports:
… In a talk at the Defcon hacker conference this weekend, forensics expert and former Pentagon contractor Michael Robinson plans to give a talk on how to detect a range of commercial spyware, programs like MobileSpy and FlexiSpy that offer to let users manually install invisible software on targets’ phones to track their location, read their text messages and listen in on their calls, often for hundreds of dollars in service fees.
Robinson tested five commercial spying tools on five different devices–four Android devices and an iPhone. In most cases, he found that uncovering the presence of those spyware tools is often just a matter of digging through a few subdirectories to find a telltale file–one that often even specifies identifying details of the person doing the spying.
Read more on Forbes.


What are the implications of Apple-Twits?
The NY Times reports that Apple has internally discussed an investment into Twitter to the tune of hundreds of millions of dollars. From the article:
"There is no guarantee that the two companies, which are not in negotiations at the moment, will come to an agreement. But the earlier talks are a sign that they may form a stronger partnership amid intensifying competition from the likes of Google and Facebook. Apple has not made many friends in social media. Its relationship with Facebook, for example, has been strained since a deal to build Facebook features into Ping, Apple's music-centric social network, fell apart. Facebook is also aligned with Microsoft, which owns a small stake in it. And Google, an Apple rival in the phone market, has been pushing its own social network, Google Plus. 'Apple doesn't have to own a social network,' Timothy D. Cook, Apple’s chief executive, said at a recent technology conference. 'But does Apple need to be social? Yes.'"


Those are my tax dollars! (Well, maybe not all $8 Billion) Perhaps this is a case of “What's the worst they can do to us?” I still point to an HBR article that claimed no IT project that takes longer than six months should ever be funded.
"The Federal Times has the stunning (but not surprising) news that a new audit found six Defense Department modernization projects to be a combined $8 billion — or 110 percent — over budget. The projects are also suffering from years-long schedule delays. In 1998, work began on the Army's Logistics Modernization Program (LMP). In April 2010, the General Accounting Office issued a report titled 'Actions Needed to Improve Implementation of the Army Logistics Modernization Program' about the status of LMP. LMP is now scheduled to be fully deployed in September 2016, 12 years later than originally scheduled, and 18 years after development first began! (Development of the oft-maligned Duke Nukem Forever only took 15 years.)"


It is easier for the Judge to remind the witness than for Tony Soprano's soldiers to show up at your home and point out your failing memory. “Youse didn't see nothin!”
Science of Eyewitness Memory Enters Courtroom
Science has prevailed over injustice in the state of New Jersey, where all jurors will soon learn about memory’s unreliability and the limits of eyewitness testimony.
According to instructions issued July 19 by New Jersey’s Supreme Court, judges must tell jurors that “human memory is not foolproof,” and enumerate the many ways in which eyewitness recall can be distorted or mistaken.


“Look, we already own everything. We let you pretend you own it, but you only rent it (pay taxes) until we want it again.” Any Government
Feds: We Can Freeze Megaupload Assets Even if Case Dismissed
The United States government said Friday that even if the indictment of the Megaupload corporation is dismissed, it can continue its indefinite freeze on the corporation’s assets while it awaits the extradition of founder Kim Dotcom and his associates.
Judge Liam O’Grady is weighing a request to dismiss the indictment against Megaupload because (in Megaupload’s view) the federal rules of criminal procedure provide no way to serve notice on corporations with no U.S. Address. At a hearing in Alexandria, Virginia, he grilled both attorneys in the case but did not issue a ruling.
O’Grady speculated, with evident sarcasm, that Congress intended to allow foreign corporations like Megaupload to “be able to violate our laws indiscriminately from an island in the South Pacific.”
… But Judge O’Grady seemed skeptical of these arguments. He noted that the “plain language” of the law required sending notice to the company’s address in the United States. “You don’t have a location in the United States to mail it to,” he said. “It’s never had an address” in the United States.
And Megaupload pointed out that the government hadn’t produced a single example in which the government had satisfied the rules of criminal procedure using one of the methods it was suggesting in this case. Most of the precedents the government has produced were in civil cases, which have different rules. And most involved serving a corporate parent via its subsidiary. That’s a very different relationship than, for example, the vendor-customer relationship between Megaupload and Carpathia.
… Hollywood, at least, seems nervous that Judge O’Grady might buy Megaupload’s argument. In a conference call held Wednesday in advance of today’s hearing, a senior vice president at the Motion Picture Association of America argued that the dismissal of the case against Megaupload would have little practical impact, since the company’s principals would still be facing indictment. And he rejected Kim Dotcom’s efforts to frame the case as a test of internet freedom, describing Dotcom as a “career criminal” who had grown wealthy stealing the work of others.


Looks like someone has figured out how to evolve from paper to digital...
Financial Times: Our Digital Subscribers Now Outnumber Print, And Digital Is Half Of The FT’s Revenue
A milestone reached as the world of old media continues its push in a digital direction: the storied, pink-sheeted daily newspaper the Financial Times, read by 2.1 million readers daily, today said digital subscribers now outnumber those in print, and that digital revenues now account for half of all sales in the FT Group. And what’s more, sales actually grew rather than declined.
… The positive numbers are a pointer to how the FT’s freemium model, mixing limited free content with tiers of wider content access for those willing to pay, can work (those tiers are here; in the UK they are £5.19 or £6.79 per week). The lowest tier in that model is, predictably, the most popular at the moment: registered site users — you can register on FT.com for a limited amount of free content monthly — were up by 26% to 4.8 million.


This is looking more 'do-able' every day. Still takes some analysis and geeky-ness
"More and more people are joining the ranks of 'cord-cutters' — those who cancel their cable TV subscriptions and get their televised entertainment either for free over the airwaves or over the Internet. But, assuming you're going to do things legally, is this really a cheaper option? It depends on what you watch. Brian Proffitt contemplated this move, and he walks you through the calculations he made to figure out the prices of cutting the cord. He weighed the costs of various a la carte and all-you-can-eat Internet streaming services, and took into account the fact that Internet service on its own is often pricier than it would be if bundled with cable TV."

Friday, July 27, 2012


What was the price of “adequate security?” Is this a day's revenue? Perhaps a month's profit?
Global Payments Takes Charge of $84 Million for Data Breach
July 26, 2012 by admin
Andrew R. Johnson of Dow Jones Newswires reports:
Global Payments Inc. (GPN) said Thursday a security breach that exposed potentially millions of consumers’ payment cards to fraudsters will cost it $84.4 million.
The Atlanta-based company, which processes card transactions for banks and merchants, recorded a pre-tax charge for the amount, equal to 68 cents of diluted per-share earnings, in the fiscal fourth quarter. The amount reflects expected charges from payment networks such as Visa Inc. (V) and MasterCard Inc. (MA) and expenses related to its investigation and remediation of the matter.
Read more on NASDAQ.


Unsurprising?
UK: Man claims hard drive bought at car boot sale contained personal data from West Cheshire College
July 26, 2012 by admin
Carmella de Lucia reports:
A computer hard drive allegedly loaded with more than 50,000 personal details of students and tutors from West Cheshire College was sold at a hospital car boot sale.
The discovery was made by a shocked Pioneer reader who bought the second-hand computer tower and hard drive for £5 from a sale at the Countess of Chester Hospital on May 13.
Read more on Ellesmere Port Pioneer.
There seems to be a controversy over what was on the drive. According to the individual who found it, it contained “names, dates of birth, emails, course details, exam results, work timetables and even photographs of students.” But the college disputes the extent of the breach:
However, West Cheshire College have denied there was any sensitive information on the hard drive, and said in a statement: “We conducted an investigation as to the contents of the hard disk and test dates including names and dates of births of less than 60 students were found on the disk with no further relevant information.
The person who acquired the drive made a backup copy of it and is turning it over to the ICO for investigation. If the college turns out to be misrepresenting the scope of the breach, that shouldn’t sit well with the ICO.


No doubt the thought police will need to have a talk with the judge. (and another illustration that Churchill was right about the divisions of a common language)
U.K. judge nixes Twitter bomb 'joke' conviction
In January 2010, Paul Chambers sent a single, frustrated tweet to approximately 600 followers after Robin Hood Airport in South Yorkshire, England, was closed due to heavy snow.
The tweet in question read:
Crap! Robin Hood Airport is closed. You've got a week and a bit to get your shit together, otherwise I'm blowing the airport sky high!!
… According to the Guardian, the lord chief justice, Lord Judge, said:
We have concluded that, on an objective assessment, the decision of the crown court that this 'tweet' constituted or included a message of a menacing character was not open to it. On this basis, the appeal against conviction must be allowed.


Ethical Hackers: Security theater... That's all I'm saying.
"A key component of the FAA's emerging 'Next Gen' air traffic control system is fundamentally insecure and ripe for manipulation and attack, security researcher Andrei Costin said in a presentation Wednesday at Black Hat 2012. Costin outlined a series of issues related to the Automatic Dependent Surveillance-Broadcast (ADS-B) system, a replacement to the decades-old ground radar system used to guide airplanes through the sky and on the ground at airports. Among the threats to ADS-B: The system lacks a capability for message authentication. 'Any attacker can pretend to be an aircraft' by injecting a message into the system, Costin said. There's also no mechanism in ADS-B for encrypting messages. One example problem related to the lack of encryption: Costin showed a screen capture showing the location of Air Force One--or that someone had spoofed the system."


For my Data Analysis and Data Mining students. Also, some implications for the Privacy Foundation?
July 26, 2012
Pew - The Future of Big Data
Big Data: "Experts say new forms of information analysis will help people be more nimble and adaptive, but worry over humans’ capacity to understand and use these new tools well. Tech experts believe the vast quantities of data that humans and machines will be creating by the year 2020 could enhance productivity, improve organizational transparency, and expand the frontier of the “knowable future.” But they worry about “humanity’s dashboard” being in government and corporate hands and they are anxious about people’s ability to analyze it wisely." Janna Quitney Anderson, Elon University
Lee Rainie, Pew Research Center’s Internet & American Life Project, July 20, 2012


How far can they push the “decadent west” before they cross the line? I don't find the line as clear as it once was.
‘Hot War’ Erupting With Iran, Top Terror-Watchers Warn
… The signs of escalating tension with Iran are everywhere: the sizable American armada building off of Iran’s shores; the American accusation that Iran tried to kill the Saudi ambassador to the U.S.; the deaths of Iranian nuclear scientists, widely blamed on the Israelis; and, of course, last week’s bombing in Bulgaria, which U.S. and Israeli officials have pinned on Hezbollah, the Shi’ite militant group backed by Iran.
“This is a hot war that has gotten hotter,” Michael Leiter, Olsen’s predecessor at the NCTC, told the Aspen Security Forum. “The Iranians have considered this a shooting war for some time.”


So, what will they ask and what will they offer?
"Google, Facebook, eBay and Amazon have apparently set up the Internet Association to lobby the US government on issues relating to online business. From the article: 'The Internet Association, which will open its doors in September, will act as a unified voice for major Internet companies, said President Michael Beckerman, a former adviser to the chairman of the U.S. House of Representatives' Energy and Commerce Committee.'"


One possible future. But, is the pricing right? And, is it good to be a guinea pig?
Google Attacks Cable and Telcos With New TV Service
After months of mystery, Kansas City residents learned today that the first high-speed citywide network built by Google will bring them not just super-fast internet but full-featured cable-style TV service. Google said in a live announcement Thursday morning that the neighborhoods that rally the most interest will be the first to get hooked up to Google’s fiber-optic lines, which the company says will offer 1 gigabit-per-second downloads and uploads — far faster (Google says 100 times) than the typical broadband connections now in most U.S. homes.


For my Math students
Google is always tweaking its bits and parts. In the latest little change, Google has added a very useful scientific calculator to its search engine. Google Search has always had a calculator. It is just that you had to type in the figures and Google would deduce the results for you and display it in bold above the search results. Now, Google has enhanced that same functionality and added a full-fledged scientific calculator to the search page.

Thursday, July 26, 2012


Did you expect anything less?
NSA whistleblowers: Government spying on every single American
July 25, 2012 by Dissent
Jason Reed reports:
The TSA, DHS and countless other security agencies have been established to keep America safe from terrorist attacks in post-9/11 America. How far beyond that does the feds’ reach really go, though?
The attacks of September 11, 2001, were instrumental in enabling the US government to establish counterterrorism agencies to prevent future tragedies. Some officials say that they haven’t stopped there, though, and are spying on everyone in America — all in the name of national security.
Testimonies delivered in recent weeks by former employees of the National Security Agency suggest that the US government is granting itself surveillance powers far beyond what most Americans consider the proper role of the federal government.
Read more of this Reuters report on RT.com.

(Related) What can they get from your cellphone? (Video)
Malte Spitz: Your phone company is watching

(Related) But second-class citizens don't have that same ability. (Unless you have the better legal team?)
Ex-Wife Owes $20K for Spyware Divorce Scheme
July 25, 2012 by Dissent
Annie Youderian reports:
The ex-wife of a wealthy businessman must pay him $20,000 for installing spyware on his computers and using it to illegally intercept his emails to try to gain an upper hand in their divorce settlement, a federal judge in Tennessee ruled.
U.S. Magistrate Judge William Carter ordered Crystal Goan to pay ex-husband James Roy Klumb $20,000 for violating federal and state wiretap laws when she used Spectorsoft’s eBlaster spyware to intercept Klumb’s email.
Read more on Courthouse News.


Do we know when we give our rights away?
The Data Question: Should the Third-Party Records Doctrine Be Revisited?
July 25, 2012 by Dissent
Today’s recommended reading.
George Washington University law professor Orin Kerr and Greg Nojeim, senior counsel at the Center for Democracy & Technology, ponder how far the government can go in reading your email. Their essays can be found in Patriots Debate: Contemporary Issues in National Security Law, a book published by the ABA Standing Committee on Law and National Security and edited by Harvey Rishikof, Stewart Baker and Bernard Horowitz. The book can be ordered here.
Read their thoughtful point and counterpoint on ABA Journal.


Not uncommon. The first report from any new part of the bureaucracy should state that the job is nearly impossible (“Don't blame us if we can't do a decent job.”) but with more money (“We need a bigger bureaucracy.”) we might succeed.
July 25, 2012
First annual report of the Office of Financial Research
  • "This inaugural OFR Annual Report details the Office’s progress in meeting its mission and statutory requirements. The report must assess the state of the U.S. financial system, including: (1) An analysis of any threats to the financial stability of the United States; (2) The status of the efforts of the Office in meeting its mission; and (3) Key findings from the research and analysis of the financial system by the Office... The crisis revealed significant deficiencies in the data available to monitor the financial system. Financial data collected were too aggregated, too limited in scope, too out of date, or otherwise incomplete. The crisis demonstrated the need to reform the data collection and validation process and to strengthen data standards, to improve the utility of data both for regulators and for market participants."


Automating IP lawyers?
Tuesday, July 24, 2012
Creative Commons licensing can be a good way to explicitly state the terms by which people can use and re-use your creative written, audio, and visual works. But selecting the license that is right for you can be confusing. Thankfully, as I learned through a Tweet by Jen Deyenberg, the Creative Commons organization has a new tool to help you choose the best license for your situation.
The new interactive Creative Commons license chooser helps you select the right license for your work. To select the right license for your work just answer a few questions and a license will be recommended to you.
If you're not sure what Creative Commons is and/or how it differs from Copyright, I recommend watching Copyright and Creative Commons Explained by Common Craft.


Stay current...
Software packagers like Ninite are at an uptick in popularity now that the old seek-and-download method is quickly drawing close towards extinction. Imagine what your kids will think when you tell them that you actually had to search for and manually update certain essential software in the future. Crazy, right?
… Soft2Base is a software manager for Windows that scans for over 60 of the most popular applications and ensures that your computer is running the very latest version. If not, Soft2Base can silently download and automatically install them for you.


Does this have a place in Computer Security education? I'll ask my Ethical Hackers to evaluate its potential.
Hacking, the card game, debuts at Black Hat
There's much more to hacking than just the Hollywood portrayal of a speed typing contest, say the computer security professionals who've developed a new hacking-themed card game called Control-Alt-Hack.
… Despite the emphasis on fun, the game goes to great lengths to be accurate. The learning objectives, obfuscated behind cute pop culture references like, "I find your lack of encryption disturbing," include promoting the accessibility of computer science and computer security; teaching that there's more to computer security than antivirus and the Web; and accurately depicting a diverse range of attack techniques and attacker goals.
SCADA and medical device hacking are more likely to show up than ransomware, and the techniques you can use include disinformation; exploiting weak passwords and unpatched software; and cross-correlating data sources, all in the name of the good guys.

Wednesday, July 25, 2012


Don't mess with the Swiss! They may be neutral in many areas, but they will hunt you down and use the “this is really going to hurt” blade on their Swiss Army Knife...
Swiss Confirm Falciani Arrest in Spain Over HSBC Data Theft
July 24, 2012 by admin
Neil MacLucas of Dow Jones Newswires reports:
Switzerland has confirmed the arrest in Spain of Herve Falciani and is now seeking extradition of the Italian-French citizen being sought by police in connection with the theft of customer data from the Geneva branch of HSBC Private Bank.
[...]
Copies of the HSBC data, which lists the names and account details of thousands of customers, are now in the hands of French tax authorities, who are using it to chase alleged tax dodgers with money stashed in Switzerland.
Mr. Falciani has denied preliminary allegations by the Swiss authorities of breaching banking secrecy and stealing banking records. His home in France was raided at the behest of Swiss authorities, who had launched a probe into allegations of violations of bank secrecy.
HSBC announced in 2009 that data on customers had been stolen in 2006 and 2007 by Mr. Falciani, who had worked at the bank as a computer specialist.
Read more on Fox Business.
Some of the previous coverage on this case can be found on this blog here.


Interesting. What did their contract allow? Did the school's auditors check?
OSU notifying individuals of data security breach
July 25, 2012 by admin
Joce DeWitt reports:
Oregon State Police currently are investigating a security breach by a vendor who, while under contract to Oregon State University, copied information from a check register database without permission. The action could have compromised the private information of 21,000 students and employees who were associated with OSU between 1996 and 2009.
[...]
The 30,000 to 40,000 checks contained information such as names, OSU ID, date, check number and the amount of the check. Records after 2004 did not include Social Security numbers. [What percentage is that? Bob]


Interesting and somewhat unexpected.
"Washington D.C. Metropolitan Police Department Chief Cathy Lanier says, 'A bystander has the same right to take photographs or make recordings as a member of the media,' and backs it up with a General Order to her Department. Quoting: The Metropolitan Police Department (MPD) recognizes that members of the general public have a First Amendment right to video record, photograph, and/or audio record MPD members while MPD members are conducting official business or while acting in an official capacity in any public space, unless such recordings interfere with police activity.'"


We knew this was happening. This is just one measure...
Russia Is Stockpiling Drones to Spy on Street Protests
Small surveillance drones are starting to be part of police departments across America, and the FAA will soon open up the airspace for more to come. This drone invasion has already raised all kinds of privacy concerns. And if you think that’s bad, across the ocean, Russia seems hell-bent on outdoing its former Cold War enemy.
Russia’s leading manufacturer of unmanned aerial vehicles, Zala Aero, has provided the Russian government with more than 70 unmanned systems, each containing several aircraft. According to an article published yesterday on Open Democracy Russia, the Kremlin’s romance with drones started in 2006, when the Interior Ministry deployed a Zala 421-04M to monitor street protests at a G8 summit in St. Petersburg. The Russian government has also bought drones from Israel.


Oh, look at the evil Oxford Council – and not us.
UK: Council ordered to stop unlawful recording of taxi passengers’ conversations
July 25, 2012 by Dissent
I had covered a controversial plan in Oxford to record taxi passengers (audio and video). While media attention was focused on Oxford City Council, apparently another council had gone ahead with the plan. Until now. From the Information Commissioner’s Office:
Southampton City Council has been ordered to stop the mandatory recording of passengers’ and drivers’ conversations in the city’s taxis, the Information Commissioner’s Office (ICO) announced today.
Since August 2009, the council has required all taxis and private hire vehicles to install CCTV equipment to constantly record images and the conversations of both drivers and passengers.
The ICO has ruled the council’s policy breaches the Data Protection Act, concluding that the recording of all conversations is disproportionate given the very low number of incidents occurring compared to the number of trouble free taxi journeys. An enforcement notice has been issued to the council who now have until 1 November to comply.
[...]
A copy of today’s enforcement notice served to the council can be found on the ICO’s Taking action page.


Attention Ethical Hackers! Grabbing control of this tool is only worth 1% of your final project grade. Please do not send me the entire Tweet history of any Political Twits.
Twitter to release tool that exports users' tweet history
Following the path of Facebook, Twitter's CEO says the company is developing a new feature that will let users download all tweets they ever posted to the social network.


Behavioral Advertising: “We have determined that you are an idiot and therefore are likely to vote for our candidate.”
85% of Americans hate targeted political ads on Facebook
The majority of Americans are very much against the practice of tailored political ads, a specific market that is seeing tremendous growth as we get closer and closer to the 2012 election. In fact, most Americans dislike tailored political advertising so much they claim it decreases their chance of voting for a candidate they already support.
The new results come from a 20-minute questionnaire conducted by a team of researchers at the University of Pennsylvania's Annenberg School for Communication. The full findings based on the 1,503 respondents surveyed are in the 28-page document titled "Americans Roundly Reject Tailored Political Advertising" (PDF).


A working model? At least a start on that “Best Practices” checklist... (None of these steps are easy)
July 24, 2012
Using Electronic Health Records to Improve Quality and Efficiency: The Experiences of Leading Hospitals
S. Silow-Carroll, J. N. Edwards, and D. Rodin, Using Electronic Health Records to Improve Quality and Efficiency: The Experiences of Leading Hospitals, The Commonwealth Fund, July 2012
  • "An examination of nine hospitals that recently implemented a comprehensive electronic health record (EHR) system finds that clinical and administrative leaders built EHR adoption into their strategic plans to integrate inpatient and outpatient care and provide a continuum of coordinated services.
  • Successful implementation depended on:
  • strong leadership,
  • full involvement of clinical staff in design and implementation,
  • mandatory staff training, and
  • strict adherence to timeline and budget.
  • The EHR systems facilitate patient safety and quality improvement through: use of checklists, alerts, and predictive tools; embedded clinical guidelines that promote standardized, evidence-based practices; electronic prescribing and test-ordering that reduces errors and redundancy; and discrete data fields that foster use of performance dashboards and compliance reports. Faster, more accurate communication and streamlined processes have led to improved patient flow, fewer duplicative tests, faster responses to patient inquiries, redeployment of transcription and claims staff, more complete capture of charges, and federal incentive payments."


Ye Olde Law Library? Okay, not that old, but interesting.
July 24, 2012
Australasian Colonial Legal History Library is Launched
Via Graham Greenleaf: "AustLII will today launch the Australasian Colonial Legal History Library. This is the first version of the Library, containing over 220,000 searchable documents from before 1900, from the seven Australasian colonies (including New Zealand). It is being developed in conjunction with NZLII. Development of further databases is underway and will expand the Library's contents considerably over the next year. A paper that AustLII presented at the Australian Historical Association Conference to explain the Library, 'Digitising and Searching Australasian Colonial Legal History', is now available for download at SSRN."


Global Warming! Global Warming! It's good to know that Al Gore made Global Warming illegal! Or did he make mocking Global Warming illegal?
July 24, 2012
Climate Change and Existing Law: A Survey of Legal Issues Past, Present, and Future
CRS - Climate Change and Existing Law: A Survey of Legal Issues Past, Present, and Future, Robert Meltz, Legislative Attorney, July 2, 2012
  • "Efforts to mitigate climate change — that is, reduce greenhouse gas (GHG) emissions—have spawned a host of legal issues. The Supreme Court resolved a big one in 2007 — the Clean Air Act (CAA), it said, does authorize EPA to regulate GHG emissions. Quite recently, a host of issues raised by EPA’s efforts to carry out that authority were resolved in the agency’s favor by the D.C. Circuit. Another issue is whether EPA’s “endangerment finding” for GHG emissions from new motor vehicles will compel EPA to move against GHG emissions under other CAA authorities. Still other mitigation issues are (1) the role of the Endangered Species Act in addressing climate change; (2) how climate change must be considered under the National Environmental Policy Act; (3) liability and other questions raised by carbon capture and sequestration; (4) constitutional constraints on land use regulation and state actions against climate change; and (5) whether the public trust doctrine applies to the atmosphere."


"Any sufficiently advanced technology is indistinguishable from magic." A. C. Clarke. Yet, it is only a tool... Question: Can you do better?
"With his Khan Academy: The Hype and the Reality screed in the Washington Post, Mathalicious founder Karim Kai Ani — a former middle school teacher and math coach — throws some cold water on the Summer of Khan Love hippies, starting with U.S. Secretary of Education Arne Duncan. From the article: 'When asked why so many teachers have such adverse reactions to Khan Academy, Khan suggests it's because they're jealous. "It'd piss me off, too, if I had been teaching for 30 years and suddenly this ex-hedge-fund guy is hailed as the world's teacher." Of course, teachers aren't "pissed off" because Sal Khan is the world's teacher. They're concerned that he's a bad teacher who people think is great; that the guy who's delivered over 170 million lessons to students around the world openly brags about being unprepared and considers the precise explanation of mathematical concepts to be mere "nitpicking." Experienced educators are concerned that when bad teaching happens in the classroom, it's a crisis; but that when it happens on YouTube, it's a "revolution."'"


I've been using LightShot in Firefox for some time and really like it. I can capture just the part of the screen I want to emphasize and paste it into my document (or save or edit online).
Lightshot Special Offer
You can get desktop Lightshot for free
We recommend installing the desktop module so that Lightshot works properly even without a browser. This additional module lets you capture Flash, online video and anything else on your screen, even outside your browser.
With desktop Lightshot you can start a screenshot by pressing the PrntScr hotkey in any Windows application.

Tuesday, July 24, 2012


Why we never use the same UserID and password on multiple sites.
Gamigo breach exposed 8.24 million passwords, and now they’re public
July 24, 2012 by admin
JR Brookwalter reports:
Gamigo, an online game publisher based in Germany, was the subject of a security breach back in late February – but apparently, the worst was yet to come.
After Gamigo notified its customers about the security breach back on March 1 via email, the email addresses and encrypted passwords of all 8.24 million accounts have finally been made public this week.
Read more on TechRadar.


Note that this was found during a “Privacy Commissioner's investigation.” Does anyone in the US conduct such investigations? Might ensure that organizations checked their own security...
By Dissent, July 24, 2012
Here’s a follow-up on a breach originally reported last year. Michael Lee reports:
Following a leak of client information, the Australian Privacy Commissioner has determined that Medvet Laboratories breached the Privacy Act, despite there being no client bank account details, customer names or test results exposed online.
The privacy bungle was first reported by The Australian on 16 July 2011, which stated that the South Australia Health-owned organisation had compromised the privacy of customers who had ordered kits to test for illicit drugs and alcohol.
Read more on ZDNet.
[From the Australian:
An investigation by The Weekend Australian has revealed that the complete home and work addresses of customers and others who ordered paternity test kits, drug and alcohol test kits and other products this year and last year are published and accessible on Google.
[From ZDNet:
According to the Privacy Commissioner's report, the source of the leak of information was Medvet's online web store, which was developed by Canadian software development company Iciniti Corporation. The Commissioner found that the software did not include appropriate security and that the development and quality management practices associated with it were deficient. In the Commissioner's investigation, the software was found to have multiple security flaws, and the Commissioner believed that very little security testing had been performed.


The dangers of Facebook...
Another group of malicious people have started a new Facebook scam that will spam your poor unsuspecting friends with wall posts and constant annoyances. Chances are, you will stumble across this scam via a friend who themselves fell for it. You may see a wall post or message that “tells” you how many people viewed your Facebook profile today. It will also give you the number of male and female viewers.
Of course, it is impossible for the app to grant you this information as Facebook does not allow developers to get access to any data on visitors to a specific profile. This does not prevent people from being interested in such a feature, and when an app like this comes along promising to deliver, people are far too quick to install.
… If you already installed this app, you can lessen any damage by uninstalling it as soon as possible. Click the triangle on the top right of any Facebook page, click account settings and then apps. From here, you will be able to uninstall this app, which will be called “profile viewer,” from your profile.


There is nothing like a firm “Maybe.” Should they have said “legally OR technically possible?”
Skype refuses to confirm or deny eavesdropping rumours
July 23, 2012 by Dissent
Liat Clark reports:
Video chat provider Skype has refused to deny that wiretaps can now be used to infiltrate its hosted conversations, according to a news report.
After repeatedly putting the question to Skype representatives, a Slate reporter’s inquiries were met with the vague response: “[Skype] co-operates with law enforcement agencies as much as is legally and technically possible.” The problem is, it looks as though interception is now a legal and technical possibility.
Skype’s latest statement has raised a few eyebrows because it is so markedly different from the company’s previous public declarations that because of its “peer-to-peer architecture and encryption techniques,” wiretapping would be impossible.
Read more on Wired.co.uk


I post these on occasion so we don't forget that many breaches go unreported in the “real” media. Also because my threshold is now somewhere north of a few hundred thousand.
By Dissent, July 23, 2012
HHS added another batch of reports to its breach tool last week. Here are the ones I hadn’t known about already from either the media or reports to state attorneys general:
Upper Valley Medical Center,OH,,"15,000",10/01/2010-03/21/2012,Unauthorized Access/Disclosure,Other,7/3/2012,,
The breach went on for over one year? There doesn’t seem to be any media coverage of this breach, so I emailed UVMC last week to inquire and will update this entry when I get a response.
In researching this entry, though, I discovered that UVMC had a second, and more recent, breach involving a missing hard drive.
"Luz Colon, DPM Podiatry",FL,,"1,137",3/20/2012,"Theft, Loss",Laptop,7/3/2012,,
Another one where there was no media coverage that I can find.
Independence Physical Therapy,CT,,925,8/1/2011,Theft,Desktop Computer,7/3/2012,,
The computer was stolen in August 2011 and we’re first learning of this now? I cannot find any archived news coverage of this one and there is nothing on IPT’s web site.
Titus Regional Medical Center,TX,,500,3/29/2012,Theft,Other,7/3/2012,,
This appears to be TRMC’s second reported breach this year. On May 24th, they posted a notice on their web site that says, in part:
Public Notice 5/24/12 – EMS Laptop and X-Ray Storage Breach
In compliance with ARRA/HITECH provisions of HIPAA, the following is a public notification of lost and/or stolen patient information in two separate unrelated incidents:
On March 28, 2012, a laptop computer owned by Titus Regional Medical Center’s Emergency Medical Services was confirmed lost during a routine patient transportation. The laptop is not believed to have been stolen, but rather to have been inadvertently left on the fender of an ambulance, from which it subsequently fell and was lost en route. The data was encrypted and password protected and the computer may have been damaged and rendered inoperable. There is a possibility that personal data, including name, address and social security number, as well as a limited amount of medical data related to the services provided by the EMS department could have been accessed in the unlikely event the computer was opened, running and undamaged.
Lutheran Community Services Northwest,WA,,756,03/29/2012-03/30/2012,Theft,"Desktop Computer, Other Portable Electronic Device",7/3/2012,,
In an undated notice on their web site, they explain, in part:
On March 30, 2012, we became aware that there had been a break-in at our Bremerton office. Computers and electronic devices were taken, some of which contained sensitive information. A police report was immediately filed and every effort made to recover the information.
A thorough assessment was conducted to determine what sensitive information may have been compromised. Every effort has been made to contact people whose information may have been affected. A total of 3,040 LCSNW clients, volunteers and staff were sent letters notifying them of the situation.
The kinds of sensitive information involved differed a lot by program, but could include:
  • Name, Address, Phone Number or Email
  • Date of Birth
  • Social Security Number
  • Driver’s License or Washington ID Number
  • Income or payment information about services received
  • Information about client conditions, treatment and/or service information or diagnosis
West Dermatology,CA,,"1,900",04/21/2012-04/22/2012,Theft,Other,7/3/2012,,
I could find no media coverage on this one nor any statement on their web site. Since they’re in California and the breach affected over 500, it’s not clear to me why this isn’t on California’s site.
Physician’s Automated Laboratory,CA,,745,03/23/2012-03/26/2012,Theft,Paper,7/3/2012,,
A notice dated May 23rd on their web site says, in part:
On March 26, 2012, we discovered that our Patient Service Center located at 2012 17th Street, Bakersfield California 93301 had been broken into and that, among other things, lab requisition forms which were kept in a locked cabinet were missing from the center. We were able to determine that the missing forms are related to certain laboratory services provided between February 1, 2012 and March 23, 2012. So, if you received services at this location during that timeframe, the confidential information taken may have contained your name, address, phone number, date of birth, insurance information, ordering practitioner’s name and laboratory tests ordered.
The Bakersfield Police Department was notified of the break-in for investigation and possible prosecution of the person(s) responsible. Since then, PAL has taken additional steps to ensure this type of information is more secure, as these documents are no longer kept at PAL patient service centers.
"Volunteer State Health Plan, Inc.",TN,,"1,102",03/16/2012-04/20/2012,Loss,Paper,7/3/2012,,
VSHP posted a notice on their site that says, in part:
Damaged Mail Leads to VSHP Information Disclosure
CHATTANOOGA, Tenn. — Volunteer State Health Plan (VSHP) has notified approximately 1,100 of its BlueCare members that some of their protected health information was lost last month when envelopes mailed to a West Tennessee clinic were damaged in shipping through the U.S. Postal Service. No patient addresses or Social Security numbers were among the data.
VSHP, a Medicaid managed care organization, investigated the report immediately and discovered that the damaged mail had been sent to Comprehensive Counseling Network. Each envelope contained a check to pay for medical visits and a list of claims for those visits. The checks were not damaged, but the lists of claims were lost at the post office. The postal service has not found them.
The data contained on the missing lists includes:
* First and last name of member
* BlueCare ID number
* Date of service
* Procedure code
* Claim number
* Total charged
* Amount paid
* Provider name and address
In addition to notifying BlueCare members about the incident, VSHP has implemented a new procedure of sending payments and claims lists in reinforced envelopes. This process will continue until clinics are transitioned to electronic fund transfer, eliminating the need to mail checks.
So there you have it: the HHS breach tool serves a valuable function in alerting us to the occurrence of incidents, but it generally fails to provide us with sufficient information to understand the incidents. I continue to think that HHS should be posting more details about incidents.
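The rows quoted above are raw CSV from the HHS breach tool. As an added example (not part of the original post, and not HHS's own tooling), here is a small Python parser that reads those rows and computes the things the commentary checks by hand: how long each breach window ran (the "over one year?" question), how long the gap was between the end of the breach and HHS posting it, and which California entries exceed the 500-person threshold. The column names are an assumption based on the tool's export; the page shows no header line. The embedded rows are the eight above, with WordPress curly quotes normalized to ASCII and en dashes in date ranges replaced by hyphens.

```python
import csv
import io
import re
from dataclasses import dataclass
from datetime import date, datetime

# Column names are an assumption based on the HHS breach tool's CSV export;
# the rows quoted in the post carry no header line.
COLUMNS = ["entity", "state", "business_associate", "individuals", "breach_date",
           "breach_type", "location", "date_posted", "summary", "extra"]

# The eight rows from the post, with curly quotes normalized to ASCII
# and en dashes in date ranges replaced by hyphens.
ROWS = """
Upper Valley Medical Center,OH,,"15,000",10/01/2010-03/21/2012,Unauthorized Access/Disclosure,Other,7/3/2012,,
"Luz Colon, DPM Podiatry",FL,,"1,137",3/20/2012,"Theft, Loss",Laptop,7/3/2012,,
Independence Physical Therapy,CT,,925,8/1/2011,Theft,Desktop Computer,7/3/2012,,
Titus Regional Medical Center,TX,,500, 3/29/2012, Theft,Other,7/3/2012,,
Lutheran Community Services Northwest,WA,,756,03/29/2012-03/30/2012,Theft,"Desktop Computer, Other Portable Electronic Device",7/3/2012,,
West Dermatology,CA,,"1,900",04/21/2012 - 04/22/2012,Theft,Other,7/3/2012,,
Physician's Automated Laboratory,CA,,745,03/23/2012 - 03/26/2012,Theft,Paper,7/3/2012,,
"Volunteer State Health Plan, Inc.",TN,,"1,102",03/16/2012-04/20/2012,Loss,Paper,7/3/2012,,
"""


@dataclass
class Breach:
    entity: str
    state: str
    individuals: int
    start: date          # first day of the breach window
    end: date            # last day (equal to start for single-date entries)
    breach_types: tuple  # "Theft, Loss" becomes ("Theft", "Loss")
    locations: tuple
    posted: date         # date HHS posted or updated the entry

    @property
    def duration_days(self) -> int:
        return (self.end - self.start).days

    @property
    def reporting_lag_days(self) -> int:
        # Days between the end of the breach window and the HHS posting date
        return (self.posted - self.end).days


def parse_date(text: str) -> date:
    return datetime.strptime(text.strip(), "%m/%d/%Y").date()


def parse_date_range(field: str):
    # Accepts "3/20/2012", "03/29/2012-03/30/2012" and "04/21/2012 - 04/22/2012"
    # (an en dash between the dates is tolerated as well)
    parts = re.split(r"\s*[-\u2013]\s*", field.strip())
    if len(parts) == 1:
        d = parse_date(parts[0])
        return d, d
    if len(parts) == 2:
        return parse_date(parts[0]), parse_date(parts[1])
    raise ValueError(f"unrecognised date field: {field!r}")


def split_list(field: str) -> tuple:
    # Multi-valued fields are comma-separated inside one quoted cell
    return tuple(item.strip() for item in field.split(",") if item.strip())


def parse_rows(text: str) -> list:
    # skipinitialspace handles the stray spaces after commas in the Titus row
    reader = csv.reader(io.StringIO(text.strip()), skipinitialspace=True)
    breaches = []
    for row in reader:
        if not row:
            continue
        if len(row) < 8:
            raise ValueError(f"short row: {row!r}")
        rec = dict(zip(COLUMNS, row))
        start, end = parse_date_range(rec["breach_date"])
        breaches.append(Breach(
            entity=rec["entity"].strip(),
            state=rec["state"].strip(),
            individuals=int(rec["individuals"].replace(",", "").strip()),
            start=start,
            end=end,
            breach_types=split_list(rec["breach_type"]),
            locations=split_list(rec["location"]),
            posted=parse_date(rec["date_posted"]),
        ))
    return breaches


def long_running(breaches, min_days: int = 365) -> list:
    # Entries whose breach window spans at least min_days
    return [b for b in breaches if b.duration_days >= min_days]


def state_notice_candidates(breaches, state: str = "CA", threshold: int = 500) -> list:
    # Entries one would expect to find on a state AG breach site: affected count above threshold
    return [b for b in breaches if b.state == state and b.individuals > threshold]


if __name__ == "__main__":
    for b in parse_rows(ROWS):
        print(f"{b.entity:40} {b.individuals:>6} {b.duration_days:>4}d window "
              f"{b.reporting_lag_days:>4}d to posting  {'/'.join(b.breach_types)}")
```

Running the block prints one line per entry; the Upper Valley window comes out at 537 days and the Independence Physical Therapy entry shows a 337-day gap between the theft and HHS posting it, which is the kind of fact the tool itself never states.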


I always try to relate technical capabilities back to their “pre Information Age” equivalents. Would that be possible here?
Notice and Opportunity to Challenge Evidence Collection Under ECPA: What’s the Best Rule?
July 24, 2012 by Dissent
Orin Kerr writes:
… As a matter of policy, when should targets of digital evidence investigations receive notice of the court orders? And when and how should they be allowed to challenge the orders as unlawful? In a traditional criminal case, suspects don’t receive notice that they are subjects of monitoring. When the government decides to “tail” a suspect around town, they don’t send them a letter letting them know. Suspects receive notice only in specific contexts, such as if their home is searched pursuant to a warrant. And they have to wait to bring challenges until late in the game. In the case of a warrant, for example, the defendant cannot challenge the warrant until after it has been executed. [Should all warrants eventually be disclosed? Bob] The question is, if you were writing the statutory network surveillance laws, when would you impose a statutory notice requirement and when would you allow challenges to be brought? Would you try to match overall amount of notice in digital investigations to that of traditional physical investigations? Or would you aim for more or less notice in the electronic setting than in the physical setting? Would you allow challenges to surveillance practices as they were ongoing, or would you require challenges to wait until the order had been executed?
Read more on The Volokh Conspiracy.


How to make my Ethical Hackers jealous...
Stalkbook: Stalk anyone, even if you're not Facebook friends
MIT graduate Oliver Yeh recently built a service called Stalkbook that he claims allows you to stalk people on Facebook even if you're not friends with them on the social network. Yeh has a simple but malicious trick: he uses other Facebook users' credentials to view whichever profile you want to stalk.
When I went to the site, typed in "Mark Zuckerberg" and clicked "Stalk," I was greeted with the following message: "Stalking is considered to be morally wrong. Why don't you try talking to the person instead." Stalkbook hasn't been released publicly, but Yeh has demoed it to select individuals.
In an interview with IEEE, Yeh explained in further detail how Stalkbook works:


Ethical Hackers: I know you are saying, “Well, Duh!” But, not everything we teach is common knowledge. Use your skills for good, Grasshopper.
Hotel cardkey locks said to be vulnerable to bypass hack
Brocious, who is expected to present his findings at the Black Hat security conference tomorrow, showed Forbes how he is able to open hotel doors with a gadget he built with materials costing less than $50.


For my “Geeks with ideas” I wonder how many teachers have had this experience?
Noodlecrumbs Is A Crowd-Funding Platform For Thinkers, Not Doers
With successes like the Pebble smart watch, crowd-funding is becoming more and more attractive to startups. But maybe you aren’t even at the startup stage in your idea. Maybe all you have is an idea and a computer. That’s where Noodlecrumbs comes into the picture.
It’s a new type of crowd-funding for those of us who don’t quite know how much we need to make the dream a reality. In fact, Noodlecrumbs could be used by someone who doesn’t even want to build the actual product, but just wants it to be built. I have friends who pitch me ideas all the time, and I say, “sounds good, build it.” Most of the time, they say they don’t have time or don’t know how, but they’d love to use the product. That’s the perfect situation for Noodlecrumbs.

Monday, July 23, 2012


Unfortunately, I suspect this works on some small percentage of recipients every time...
"Many Aussies across New South Wales and South Australia had a bit of a shock this morning when they received an SMS threatening them with assassination. Although somewhat varied, the messages have typically read, 'Someone paid me to kill you. If you want me to spare you, I'll give you two days to pay $5000. If you inform the police or anybody, you will die, I am monitoring you', and signed with the e-mail address killerking247@yahoo.com. Police and the Australian Competition and Consumer Commission have warned that the messages are almost certainly fake, and that no dialogue should be entered into with scammers."
I hope "almost certainly" is droll understatement.


Always looking for cautionary tales for my Statistics students.
Lies, Damn Lies, And Statistics About Privacy Hysteria


We've only been providing public power for what, 150 years? About time we stopped guessing and started analyzing.
July 22, 2012
Big Data, Bigger Opportunities: Plans and Preparedness for the Data Deluge
News release: "Smart grid deployments are creating exponentially more data for utilities and giving them access to information they’ve never had before. Accessing, analyzing, managing, and delivering this information – to optimize business operations and enhance customer relationships – is proving to be a daunting task. Somewhere in this data deluge lies the path to greater efficiencies, but how will access to this new data change the way utilities drive their businesses? Will predictive analytics spur operational change? Oracle recently surveyed 151 North American senior-level executives at utilities with smart meter programs in place and gauged their perceptions on the business impact of “big data,” preparedness to handle data growth, and plans to extract optimal business value from this data to better target, engage with and serve customers. The "Big Data, Bigger Opportunities" report is the first in Oracle's “Utility Transformations” series, which will examine how utilities use information generated from smart grid deployments to drive greater organizational efficiency, more reliable service, and stronger customer relationships."

(Related)
July 22, 2012
From Overload to Impact: An Industry Scorecard on Big Data Business Challenges
"IT powers today’s enterprises, which is particularly true for the world’s most data-intensive industries. Organizations in these highly specialized industries increasingly require focused IT solutions, including those developed specifically for their industry, to meet their most pressing business challenges, manage and extract insight from ever-growing data volumes, improve customer service, and, most importantly, capitalize on new business opportunities. The need for better data management is all too acute, but how are enterprises doing? Oracle surveyed 333 C-level executives from U.S. and Canadian enterprises spanning 11 industries to determine the pain points they face regarding managing the deluge of data coming into their organizations and how well they are able to use information to drive profit and growth.
  • 94% of C-level executives say their organization is collecting and managing more business information today than two years ago, by an average of 86% more
  • 29% of executives give their organization a “D” or “F” in preparedness to manage the data deluge
  • 93% of executives believe their organization is losing revenue – on average, 14% annually – as a result of not being able to fully leverage the information they collect.
  • Nearly all surveyed (97%) say their organization must make a change to improve information optimization over the next two years.
  • Industry-specific applications are an important part of the mix – 77% of organizations surveyed use them today to run their enterprises…and they are looking for more tailored options."


For my Students. Intros to many online tools including Facebook and Linkedin...
Index of Tools