Saturday, August 04, 2012

My tax dollars at work?
"A new audit of the Internal Revenue Service has found the agency paid refunds to criminals who filed false tax returns, in some cases on behalf of people who had died, according to the Treasury Inspector General for Tax Administration (TIGTA), which is part of the U.S. Treasury. The IRS stands to lose as much as $21 billion in revenue over the next five years due to identity theft, according to TIGTA's audit (PDF), dated July 19 but publicized on Thursday. 'While the IRS does not have access to all third-party information documents at the time tax returns are filed, some third-party information is available. However, the IRS has not developed processes to obtain and use this third-party information.'"

Is “nothing has changed” the best they can say?
LinkedIn’s Jeff Weiner On Password Theft: With 174M Members, ‘Health Of Our Network’ Is Strong As Ever
The theft, as well as the flurry of negative publicity, may have caused some members to question the professional social network’s ability to keep their data safe. However, during today’s conference call on the company’s second quarter earnings, Weiner said “the health of our network” remains “as strong as it was prior to the incident.”

Local unfortunately.
Memo to MSM: Please ask these questions about the Holmes case
August 3, 2012 by Dissent
Like many, I’ve been watching and reading the media for insights as to what happened and whether a tragedy could have been avoided. And as a privacy advocate, I’ve spent some time mulling over whether federal privacy laws such as FERPA and HIPAA may have become obstacles to the shooter’s psychiatrist preventing this tragedy.
Sadly, the level of interviews I’ve seen on TV has been pretty abysmal. The worst was a CNN interview involving Dr. Drew Pinsky, who seemed to have no knowledge of relevant federal and state laws as they might interact in this case.
If you’re going to interview people, how about finding someone who actually has expertise on HIPAA, FERPA, Colorado law, and medical ethics? [I know where we could find someone like that... Bob] Or if you can’t find one professional with all those qualifications, bring two people together and let them interact.
In any event, here are the questions I wish the media would ask of knowledgeable experts:
1. Dr. Fenton reportedly referred her concerns to the university’s threat assessment team in June. Might she have been more likely to notify authorities, his parents, or arrange for an involuntary commitment if she hadn’t sought the opinions of others? And doesn’t the treating psychiatrist still have an ethical and legal obligation to pursue her concerns via notification and/or involuntary commitment even if the threat assessment team does not agree?
2. If the threat assessment team did not conclude there was a serious or imminent threat in June, did the psychiatrist contact them again in July?
3. Do we know if the psychiatrist attempted to persuade Holmes to admit himself for psychiatric treatment?
4. Do we know if the psychiatrist sought Holmes’ permission for her to talk to his parents?
5. Did the psychiatrist (incorrectly) believe that her obligations were moot because the student resigned from the university? Did she ever discuss termination or transfer of care with Holmes?
6. Many universities now have threat assessment teams. Is it possible that their use creates a “diffusion of responsibility” problem whereby the original referrer feels less pressure to take action to protect the patient and community?
7. Do we know if Holmes saw the psychiatrist in the week preceding the murders?
8. Did the psychiatrist consult with CU’s lawyer or her own attorney as to her ethical and legal obligations in this case?
Psychiatry is not a hard science, and practitioners will make mistakes. Was a mistake or mistakes made in this case? It is easy to conclude that they were, but without more facts and analysis, we really don’t know whether the relevant laws hampered the psychiatrist or whether the psychiatrist felt – correctly or incorrectly – constrained by the law(s) and wanted to take further steps consistent with her ethical obligations to protect the safety of the patient and the community.
I doubt we’ll get answers to most of these questions in the near future, but they are important questions to ask if we want to learn any lessons from this terrible situation.

How hard is it to locate you out of the millions surfing the net? This is worth a read.
… How does a search engine track you? It all starts with your search query. Perhaps you’re feeling down in the dumps and you want to hit up Google so you can search for some home flu remedies. As soon as you type that query into the search box and hit Enter, Google records it. If you’re logged into a Google account, it’ll be associated with that account. If not, it’ll be tied to your IP address.
After you’ve entered a search query, you’re presented with a big list of search results. Whenever you click on a search result, Google records that, too. But not only that, Google sends some of your information to that site as well: the search query that you used, your current browser, and some of your computer specifications.
That doesn’t seem so bad, right? After all, you might think that there’s no way that anyone could identify you as a person simply from the browser you use. But you’d be wrong to think that. The truth is that your browser configuration is likely to be unique, and thus trackable. See for yourself by using Panopticlick’s browser traceability test.

(Related) Ahhh, crap. Perhaps I could start an “I'll vote for you if you stop bugging me” site?
Google Takes Political Online Ads Local, Allows Campaigns To Target Congressional Districts
… Today, Google launched a new tool that allows political campaigns to simply select their district and ensure that their ads are shown only within their district. This tool, says Google, allows campaigns to “quickly and easily target their search, display, mobile and video ads solely within that particular district’s border.”

Reasonable based on Ethics?
Defining Reasonable Security
August 3, 2012 by admin
Tracy Kitten writes:
Last month, an appellate court in Boston reversed a lower court’s ruling that favored a bank in a legal dispute over a 2009 account takeover incident (see PATCO ACH Fraud Ruling Reversed.)
Was that appellate ruling fair? Based on the security practices that most banking institutions used in 2009, probably not. The case exemplifies the challenges courts – and the attorneys arguing both sides – face in resolving cases involving ACH and wire fraud. The key issue? How to define “reasonable” security – and how that definition changes over time.
Read more on BankInfoSecurity.
[From the article:
Regardless, the ruling marks the first time we've seen a federal court's review of a legal dispute involving fraud linked to account takeover. And that, on its own, makes this case special.

What a coincidence, just in time for the elections.
4 Confirmed (at last) for Privacy and Civil Liberties Oversight Board
August 3, 2012 by Dissent
Peter Swire informs us that on its way out the door, Congress confirmed 4 of 5 nominees for the Privacy and Civil Liberties Oversight Board:
Tonight the U.S. Senate confirmed four of the five nominees for the Privacy and Civil Liberties Oversight Board: Rachel Brand; Elizabeth Cook; Jim Dempsey (of the Center for Democracy and Technology); and Pat Wald (long-time judge on the DC Circuit).
This is good news. The PCLOB has not been up and running for several years, and now it will have a quorum. The importance of having the Board in place has been underscored recently by the Senate’s consideration of the cybersecurity bill. If there is lots of information sharing, then there should be effective oversight of that sharing.
The good news is incomplete, though.
Read more on Concurring Opinions.
[From the article:
The lack of a chair matters. As discussed in my testimony this week in the Senate Homeland Security Committee, the statute allows only the Chairman to hire staff

Fodder for the Software Testing class...
Remember the computer glitch that caused market turmoil Wednesday morning?
As we told you, it was caused by a computer glitch that accidentally forced Knight Capital Group to buy a great number of stocks.
The Wall Street Journal reports that the price of shares of the company took a beating yesterday, dropping 33 percent. At one point today, they were down 52 percent to "$3.35, its lowest split-adjusted price since October 1998."

A new look at an old law... Perhaps Hollywood isn't in charge?
Embedding copyright-infringing video is not a crime, court rules
Embedding a copyright-infringing video on another Web site is not illegal, a court ruled yesterday.
Judge Richard Posner ruled at the U.S. Seventh Circuit Court of Appeals that MyVidster, a social video bookmarking site, did not infringe the copyright of Flava Works, a porn production company, when it embedded copyright-infringing versions of Flava Works content from third-party Web sites.
The decision overturned a preliminary injunction from 2011, imposed by a lower court after Flava Works filed suit against MyVidster in 2010.
According to the Appeals Court ruling, MyVidster "doesn't touch the data stream" and therefore doesn't host the infringing video, but links to versions hosted elsewhere on the Web.
MyVidster was "not encouraging swapping, which in turn encourages infringement," the ruling said:

It looks like China will colonize the moon, so India wants Mars. Godspeed to both. If we (the US) no longer have the will to explore, it's good that someone has.
New submitter susmit writes with news of India's new goal for launching a satellite to Mars in 2013. From the article:
"India plans to launch a mission to Mars next year, putting an orbital probe around the red planet to study its climate and geology, top space department officials said on Thursday. ... A 320-tonne Indian Polar Satellite Launch Vehicle rocket will be used to carry the orbiter spaceship, blasting off from the ISRO launch site at Sriharikota in the southern state of Andhra Pradesh. Another senior official at ISRO, requesting anonymity, estimated the cost of the mission at 4.0-5.0 billion rupees ($70-90 million dollars)."

Could this become a trend? (With so many similar experiments, is anyone tracking what works?)
Mexico’s new President proposes a national online university
Mexico’s President-Elect, Enrique Peña Nieto, who takes office on December 1, has pledged to create a National Digital University as one plank in a strategy to increase university enrollment by 50% by 2018, which would mean creating another 1.5 million places.
According to Nieto’s plan, ‘students will be able to access 13 majors through powerful technology platforms available in 135 access centres across the country.’

No doubt my students will want a wall sized picture of ME! (Scary, isn't it)
Print your own giant posters
If you have more time on your hands than money, there are some easy solutions for printing infinitely large posters from even the most modest printer.
… Once you have the image as a digital file on your computer, you're now ready to process it so that it's ready to print. The processing could be as simple as enlarging the image and segmenting it into separately printable sections. Sites such as Block Posters or Faster Poster specialize in this kind of basic scaling and chopping, and spit out a downloadable PDF that can be printed on any computer.
… If you're trying to print out a banner, or garage sale sign, it's fine. If you're going for something to hang on the wall that you will see every day, try this next technique.
Download a free program called Rasterbator. In spite of the name, there's really nothing salacious about this software. The official release is available only for Windows, but a ported version for Mac and Linux is also available, though it involves the additional installation of the Mono .NET development framework.

Friday, August 03, 2012

Breach by thoughtless... This was not an unknown bug. This was, “We didn't follow procedure.” Or (worse) “We ain't got no procedure.”
Wisconsin Department of Revenue Inadvertently Posts Home Sellers’ Social Security Numbers Online
August 2, 2012 by admin
Janine Anderson reports:
Personal, confidential information from more than 110,000 people who sold homes in 2011 was hidden inside a Wisconsin Department of Revenue report used by real estate and appraisal organizations.
The DOR has asked those organizations to destroy and replace the report, which was posted online for download from April 5 to July 23. The department said that while the information was in the file, it was not visible when the report was opened. However, someone who opened the specific file would have had access to the information, the DOR said.
Read more on Greendale Patch.

OR: Hacking cases down, still a threat: by the numbers
August 2, 2012 by admin
Some interesting stats in a news report by Queenie Wong in the Statesman Journal:
Cybersecurity by the Numbers
Since 2009, state agencies have been required to report the number of suspicious information security incidents to the state’s Enterprise Security Office, which is part of the Department of Administrative Services. All incidents are not necessarily considered information breaches.
In 2009, state agencies reported 44 incidents. In 2010, that number increased to 49 incidents. In 2011, the number of reported incidents dropped to 21.
During the past three months, 60 percent of reported incidents involved malware or hacking, 30 percent involved lost documents or information breaches and 10 percent were attempted attacks that were not successful.
More than 855 million emails the state receives every year, about 73 percent of the total, are spam or malicious software and are blocked before delivery.
The state thwarts about 2.2 million network device attacks per year — or about 6,250 attacks per day.

It's called “caving in.” But even the 'clueless' part of a huge market is huge.
"BlackBerry maker Research in Motion's (RIM) four-year standoff with the Indian government over providing encryption keys for its secure corporate emails and popular messenger services is finally set to end. RIM recently demonstrated a solution that can intercept messages and emails exchanged between BlackBerry handsets, and make these encrypted communications available in a readable format to Indian security agencies. An amicable solution over the monitoring issue is important for the Canadian smartphone maker since India is one of the few bright spots for the company that has been battling falling sales in its primary markets of the US and Europe. In India, RIM has tripled its customer base close to 5 million over the last two years,"

The Privacy Foundation has been pondering this question for some time. Think the judge will get an honest answer?
Judge Skeptical of Facebook ‘Sponsored Stories’ Privacy Settlement
A San Francisco federal judge declined Thursday to approve a Facebook privacy settlement concerning the social networking site’s “Sponsored Stories” advertising program, saying he was concerned that the $10 million payout was not adequately explained, and might not be big enough.
The deal, which does little to bolster the privacy of Facebook’s approximately 150 million U.S.-based users, provides $10 million to the lawyers who sued the social-networking site and another $10 million to charity, in what is known as a cy pres award.
“Why shouldn’t the cy pres be $100 million?” U.S. District Judge Richard Seeborg asked attorneys on both sides.
He suggested he might order the parties to return to provide more information on how it reached that amount. He was concerned that Facebook said the deal might cost them $100 million in advertising revenues, but only $10 million is being paid out. And that doesn’t calculate the amount of damages for the 100 million Facebook users who have already appeared in Sponsored Stories, he said.
“I’m not suggesting there is anything wrong with $10 million,” he said. “My question is: Why is it $10 million?”

Was this a real 'plan' or just a 'want?'
EPIC Files Lawsuit for Details of ODNI Plan to Amass Data on Americans
August 2, 2012 by Dissent
EPIC has filed a Freedom of Information Act lawsuit against the Office of the Director of National Intelligence for details of the agency’s plan to gather personal data from across the federal government. The ODNI is the top intelligence agency in the United States, coordinating the activities of the CIA, the FBI, the DHS, and others. Under revised guidelines, the ODNI plans to obtain and integrate databases containing detailed personal information from across the federal government. The data will be kept for up to five years without the legal safeguards typically in place for personal data held by government agencies. EPIC’s lawsuit asks the agencies to disclose the procedures it has established to safeguard privacy rights. For more information see: EPIC: Open Government

In case “online” becomes unavailable.
And then you have sites, like TED, that use their own web video formats. Finding an effective video downloader for TED that helps you build and maintain an offline library of educational talks can be difficult. There are few tools available, and those that are available tend to be lacking in some way.
… TED is an excellent source of videos that are both educational and entertaining – something that you can’t really guarantee with other video sites.
And if you want to download TED videos for offline use, you’re in luck. Obin from Scenario Solution has released TED Downloader v3.0.

Thursday, August 02, 2012

Yesterday this was a “mere” 2.4 million. Perhaps they stayed up all night for a “recount?”
Elections Ontario data loss victims could top four million
August 1, 2012 by admin
Howard Solomon reports:
The number of Canadians who could be victims of one of the country’s biggest losses of personal data could hit four million, according to a privacy official.
Ann Cavoukian, privacy commissioner for the province of Ontario, said Tuesday that is the number of records that might be compromised in the loss of two USB memory sticks earlier this year by the provincial elections agency.
The initial number of voter names, addresses and dates of birth on the sticks was thought to be 2.6 million. The exact number isn’t known. [Because if we had more votes than voters, we didn't want to know... Bob]

How do you tell a really dumb algorithm, from a really really smart algorithm?
Huh, Another Rogue Algorithm May Have Thrown Off Trading in 148 Stocks
Add another entry to the Encyclopedia of Weird Robot Trading Events. This morning, a poorly programmed algorithm unleashed by Knight Capital Group went haywire, disrupting the normal trading of up to 148 stocks including some of the most heavily traded names in the country, according to the New York Times.

Interesting that getting kicked off the “approved” list apparently isn't the same as being unapproved.
Global Payments Takes Charge of $84 Million for Data Breach
Global Payments Inc. (GPN) said Thursday a security breach that exposed potentially millions of consumers' payment cards to fraudsters will cost it $84.4 million.
The amount reflects expected charges from payment networks such as Visa Inc. (V) and MasterCard Inc. (MA) and expenses related to its investigation and remediation of the matter.
The company disclosed the breach in late March, saying it believed no more than 1.5 million card numbers were "exported" [Translation: stolen Bob] or taken from its processing network. Last month, though, it said it supplied a larger number of card numbers to the payment networks for monitoring.
Visa and MasterCard also booted Global Payments from lists they maintain of approved third-party vendors that meet the card companies' security standards. While this hasn't prevented Global Payments from processing transactions made with Visa and MasterCard cards, it can cause apprehension for merchants when deciding which company to hire for processing services.

A variation of the Streisand Effect illustrated. It may help explain why “Banned in Boston” was such a great marketing tool (before Boston became so liberal they fear it would be politically incorrect to ban anything)
The Power of Internet Censorship, in 1 Chart
Sometime late in the evening of July 28, Twitter suspended the account of journalist and NBC naysayer Guy Adams. Earlier today, with apologies from Twitter's lawyer to Adams, the service reinstated his account.
There are many lessons to be learned from this brief affair. But here is one of them: The suspension of Adams's account, ultimately, wasn't much of a suspension. It amplified Adams's message rather than minimizing it. Here is a Topsy chart of the discussion surrounding the account of journalist and NBC naysayer Guy Adams as it played out over the past week.

This should be generally accepted by now, but apparently it is “news” to some. The process is called “traffic analysis” and it goes back far before the invention of the Internet. (See: Army MOS 98C)
Your Web browsing history is totally unique, like fingerprints
… in a new study from the French public research institute Inria, (PDF) researchers themselves did the browser sniffing and discovered that most users have a completely distinctive history when it comes to Web sites they regularly visit. Their results show that users' browser history is akin to their fingerprints -- totally unique.
Titled "Why Johnny can't browse the Internet in Peace: On the uniqueness of Web browsing history patterns," the study's researchers examined the Web browsing history of 368,284 Internet users who visited a site that tracks their Web history and then looked at their search patterns and frequency.
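Both the search-engine tracking item above (browser configuration "likely to be unique") and this history study make the same claim: a record that seems harmless becomes identifying once few people share it. The following is an added example, not code from either article, from Panopticlick, or from the Inria study. It uses a small constructed population (the user ids, browser attributes and site list are all invented) to compute the anonymity set for each user, the bits of identifying information a record carries, and what happens when browser attributes and history are combined.

```python
"""Uniqueness of browser configurations and browsing-history sets.

Added example with constructed data; it is not the tooling of the cited
articles, of Panopticlick, or of the Inria study.
"""
import math
from collections import Counter

# Constructed sample population (not real measurements): user -> the kind of
# browser attributes a site receives in request headers and via JavaScript.
SAMPLE_BROWSERS = {
    "u1": ("Firefox/14", "1920x1080", "UTC-5", "plugins:flash,java"),
    "u2": ("Chrome/21",  "1366x768",  "UTC-5", "plugins:flash"),
    "u3": ("Safari/6",   "1440x900",  "UTC+1", "plugins:none"),
    "u4": ("Firefox/14", "1280x800",  "UTC+0", "plugins:flash,java"),
    "u5": ("IE/9",       "1024x768",  "UTC-8", "plugins:flash,silverlight"),
    # u6..u8 share one configuration, e.g. a standard corporate desktop build
    "u6": ("IE/8",       "1280x1024", "UTC-5", "plugins:flash"),
    "u7": ("IE/8",       "1280x1024", "UTC-5", "plugins:flash"),
    "u8": ("IE/8",       "1280x1024", "UTC-5", "plugins:flash"),
}

# Constructed sample of which sites (from a fixed list) each user visits.
SITE_UNIVERSE = ["news.example", "mail.example", "forum.example",
                 "shop.example", "bank.example", "wiki.example"]
SAMPLE_HISTORY = {
    "u1": {"news.example", "mail.example", "forum.example"},
    "u2": {"news.example", "forum.example"},
    "u3": {"mail.example", "shop.example", "bank.example"},
    "u4": {"news.example", "mail.example", "forum.example"},  # same as u1
    "u5": {"wiki.example"},
    "u6": {"news.example", "bank.example"},
    "u7": {"news.example", "bank.example", "wiki.example"},
    "u8": {"shop.example"},
}


def history_vector(visited, universe=SITE_UNIVERSE):
    """Encode a history as a visited/not-visited tuple over a fixed site list,
    which is the form a history-sniffing page can actually observe."""
    return tuple(site in visited for site in universe)


def anonymity_sets(records):
    """For each user, the number of users (self included) whose record is identical.
    An anonymity set of 1 means the record alone singles the user out."""
    counts = Counter(records.values())
    return {user: counts[rec] for user, rec in records.items()}


def surprisal_bits(records, user):
    """Identifying information in bits: -log2 of the fraction of the population
    sharing this user's record (the figure Panopticlick reports per browser)."""
    share = anonymity_sets(records)[user] / len(records)
    return -math.log2(share)


def fraction_unique(records):
    """Fraction of the population whose record is shared with nobody else."""
    sets = anonymity_sets(records)
    return sum(1 for n in sets.values() if n == 1) / len(records)


def combined_records(browsers, history):
    """Join browser attributes with the history vector: a tracker that sees both
    (headers plus a history probe) gets the union, and anonymity sets shrink."""
    return {u: browsers[u] + history_vector(history[u]) for u in browsers}


if __name__ == "__main__":
    hist = {u: history_vector(v) for u, v in SAMPLE_HISTORY.items()}
    both = combined_records(SAMPLE_BROWSERS, SAMPLE_HISTORY)
    for label, recs in (("browser", SAMPLE_BROWSERS), ("history", hist), ("both", both)):
        print(f"{label:8s} unique={fraction_unique(recs):.3f} "
              f"anonymity sets={anonymity_sets(recs)}")
    print("u6 browser-only surprisal: %.2f bits" % surprisal_bits(SAMPLE_BROWSERS, "u6"))
```

The point the numbers make is the one both articles make in prose: three users share a browser configuration and two share a history, yet once the two records are joined every user in the sample is unique. Real populations are far larger, so the bits needed to single someone out grow, but so does the number of attributes a tracker can collect.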

“'Cause we're the TSA and you are merely a court. And we like irradiating second-class citizens.”
Court Orders TSA to Explain Why It is Defying ‘Nude’ Body Scanner Order
August 1, 2012 by Dissent
David Kravets reports:
A federal appeals court Wednesday ordered the Transportation Security Administration to explain why it hasn’t complied with the court’s year-old decision demanding the agency hold public hearings concerning the rules and regulations pertaining to the so-called nude body scanners installed in U.S. airport security checkpoints.
The U.S. Circuit Court of Appeals for the District of Columbia Circuit’s brief order came in response to the third request by the Electronic Information Privacy Center for the court to enforce its order.
Read more on Threat Level.

“We are not 'forgiving' people.”
Whistleblower, Suspected of Leaking Warrantless Spying Program, Sues NSA
A former congressional staffer and NSA whistleblower who the authorities suspected of exposing the George W. Bush administration’s warrantless wiretapping program is suing the government, saying her constitutional rights are being violated because her computer seized five years ago has never been returned, and the feds have refused to clear her name.
In a Wednesday telephone interview, Diane Roark, 63, a former senior staffer at the House Intelligence Committee, said she was privy to the warrantless wiretapping the administration adopted in the wake of the Sept. 11, 2001 terror attacks.
“I found about it. I knew about it. They knew I knew about it. I told everybody they needed to put civil liberties protections on it or eliminate it,” she said from her home outside Salem, Oregon.
But she emphatically denied she divulged it to the press. “I have absolutely no idea who did that,” said Roark, who retired in 2002. “My reputation has been completely smeared.”

I always liked building model airplanes. Anyone want to start a drone rental business? It's pretty clear there will be a huge market.
Markey Releases Discussion Draft of Drone Privacy and Transparency Legislation
August 1, 2012 by Dissent
With the Secretary of Transportation scheduled to develop a comprehensive plan for non-government drones as soon as November 2012, Congressman Edward J. Markey (D-Mass.) today released a discussion draft of legislation that would ensure that privacy considerations are included in the rulemaking process for licenses for “unmanned aircraft systems”, commonly known as drones, and that the public is made aware of drone licenses and times and locations of commercial drone flights. Entitled the “Drone Aircraft Privacy and Transparency Act of 2012”, the draft bill amends the Federal Aviation Administration (FAA) Modernization and Reform Act to include provisions on FAA rulemaking, data collection and minimization, enforcement, and disclosure.
The FAA estimates that by 2020, there could be 30,00 drones in use over American skies. Many drones are designed to carry surveillance equipment, [Strange wording. Are other designed for weapons only? Bob] including video cameras, infrared thermal imagers, radar, and wireless network sniffers, with the capability of collecting sensitive information from the skies above. The FAA has already begun issuing limited drone certifications for government entities.
“When it comes to privacy protections for the American people, drones are flying blind,” said Rep. Markey, senior member of the Energy and Commerce Committee and co-Chair of the Congressional Bi-Partisan Privacy Caucus. “Drones are already flying in U.S. airspace – with thousands more to come – but with no privacy protections or transparency measures in place. We are entering a brave new world, and just because a company soon will be able to register a drone license shouldn’t mean that company can turn it into a cash register by selling consumer information. Currently, there are no privacy protections or guidelines and no way for the public to know who is flying drones, where, and why. The time to implement privacy protections is now. This discussion draft will help ensure that pilotless aircraft isn’t privacy-less aircraft and the strongest safeguards are put into place for Americans.”
A copy of the discussion draft can be found HERE.
Specifically, Rep. Markey’s legislation amends the FAA Modernization and Reform Act, adding the following provisions:
  • The Secretary of Transportation must conduct a study of privacy impacts of drone use in consultation with the Department of Commerce, the Federal Trade Commission, and the Department of Homeland Security Privacy Office. A report must be issued to Congress.
  • The FAA must include privacy considerations in its overall rulemaking process for drone licenses, using the Federal Trade Commission report titled ‘Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers’ as the standard.
  • The FAA may not issue licenses unless the application includes a data collection statement that explains exactly what kind of data will be collected, how that data will be used, and how the licensee will protect privacy.
  • Law enforcement agencies and their contractors and subcontractors must include an additional data minimization statement that explains how they will minimize the collection and retention of data unrelated to the investigation of a crime.
  • The FAA must create a publicly available website that lists all approved licenses and includes the data collection and data minimization statements, any data security breaches suffered by a licensee, and the times and locations of drone flights.
In April, Reps. Markey and Joe Barton (R-Texas) sent a letter querying about the potential privacy implications of non-military drone use. The lawmakers are awaiting a response from the agency.

Is it the word “consent?” Wouldn't that data be available to the court without consent?
EFF Asks Supreme Court to Reverse “Forced Consent” to Facebook Disclosure
August 1, 2012 by Dissent
Cindy Cohn and Jon Eisenberg write:
When a judge forces you to “consent” to a disclosure of your private electronic communications, have you really consented? No.
EFF today asked the California Supreme Court to review a decision of a lower court that forced a juror to “consent” to allow the content of his Facebook postings to be turned over to the parties to the case, after it was discovered that he had been improperly posting about the case on his Facebook wall during a trial. The case is called Juror Number One v. Superior Court
Read more and the amicus letter on EFF.

A reminder for my gifted geeks – this Kickstarter thing might be useful.
Virtual reality headsets have historically been very disappointing. While the concept has been fun and interesting, the technological realities never quite lived up to expectations, and hardware developers largely gave up on research into this kind of device. However, it's been long enough that display technology has caught up to our ambitions. So, where are our VR headsets? Well, hobbyist Palmer Luckey asked that same question, and when he couldn't find a good answer, he decided to build one himself. He and his team have built a prototype, and they just launched a Kickstarter campaign to distribute developer kits. The campaign blew past its $250,000 goal in hours. [As I post this, they are over $800,000 Bob] What's interesting about this particular campaign is that Palmer took the Oculus Rift to various development studios and managed to get enthusiastic endorsements from some big names, including Cliff Bleszinski, Gabe Newell, and John Carmack.

I wonder if our Graphic Design students would be interested?
NASA Wants Your Infographics
NASA’s Jet Propulsion Laboratory has a lot of information, acquired from telescopes, satellites, rovers, spacecraft, and pretty much anything you can point at space. They have so much, it’s almost unmanageable. So the lab collaborated with CalTech to start JPL Infographics, a crowd-sourced data-visualization challenge. They’ll supply the info, you create the graphic.

It's coming, ready or not.
Microsoft is finally looking to put Hotmail to rest with the introduction of their new email service called

'cause Free is good!
Google Docs (AKA Google Drive)

The future of education?
Daphne Koller: What we're learning from online education

Wednesday, August 01, 2012

“We don't need no stinking badges!”
“We don't need no unpredictable elections!”
Privacy commissioner ‘deeply disturbed’ by Election Ontario’s handling of voter data
July 31, 2012 by admin
Caroline Alphonso reports:
Elections Ontario ignored security measures and went right back to using memory sticks without enabling the encryption software just days after personal information of as many as 2.4 million voters – contained on two USB keys without the necessary safeguards – vanished from one of its warehouses, the province’s privacy commissioner charged.
Read more on The Globe and Mail.
The Commissioner’s formal statement on the investigation can be found here.

(Related) We may need to follow “Best Practices” just like we require second class citizens to do.
TSP head expresses regret over cyberattack
July 31, 2012 by admin
Kellie Lunney reports that the recent TSP breach has inspired at least one Senator to try to require all federal agencies to have a breach notification policy in place. You’d have thought they would have one already, wouldn’t you, but apparently not….
The head of the Thrift Savings Plan expressed regret on Tuesday over not having a policy in place earlier to notify participants of security breaches to their retirement accounts.
The Federal Retirement Thrift Investment Board implemented a breach notification plan in June, Gregory Long, the board’s executive director, said during a hearing on Capitol Hill. That was about two months after the board learned of a 2011 cyberattack that led to the unauthorized access to the accounts of as many as 123,000 plan participants and other recipients of TSP plan payments.
Long blamed “a lack of resources” for the board’s inability to develop a plan to inform TSP participants of security breaches when they occur. [“We had enough budget to do part of our job, just not the important stuff.” Bob]
Sen. Daniel Akaka, D-Hawaii, said he was concerned the board did not have a breach notification policy when the agency learned about the cyberattack in April. Akaka, who chairs the Senate Homeland Security and Governmental Affairs federal workforce subcommittee, has asked the Government Accountability Office to determine how many other agencies have failed to incorporate OMB’s guidance and whether sufficient oversight of compliance exists. Akaka was one of 43 members of Congress who were affected by the security breach. He has offered an amendment to the 2012 Cybersecurity Act, which the Senate is considering Tuesday evening, that would make it mandatory for every federal agency to have a breach notification policy in place.
Read more on GovExec

(Related) “Apparently we need more security than we thought.”
Dropbox Reports User Accounts Were Hijacked, Adds New Security Features
July 31, 2012 by admin
Rip Empson reports:
Several weeks ago, reports started to trickle out that a number of Dropbox users were under attack from spam. Since then, Dropbox has been investigating those attacks (with some help from a third-party) and today gave the first update on the progress, saying that some accounts were indeed accessed by hackers, but that it is now adding two-factor authentication and other security features to prevent further problems.
Read more on TechCrunch.

(Related) Will this too be ignored?
GAO: Federal Law Should Be Updated to Address Changing Technology Landscape
July 31, 2012 by Dissent
GAO-12-961T, Jul 31, 2012
What GAO Found
Technological developments since the Privacy Act became law in 1974 have changed the way information is organized and shared among organizations and individuals. Such advances have rendered some of the provisions of the Privacy Act and the E-Government Act of 2002 inadequate to fully protect all personally identifiable information collected, used, and maintained by the federal government. For example, GAO has reported on challenges in protecting the privacy of personal information relative to agencies’ use of Web 2.0 and data-mining technologies.
While laws and guidance set minimum requirements for agencies, they may not protect personal information in all circumstances in which it is collected and used throughout the government and may not fully adhere to key privacy principles. GAO has identified issues in three major areas:
Applying privacy protections consistently to all federal collection and use of personal information. The Privacy Act’s protections only apply to personal information when it is considered part of a “system of records” as defined by the act. However, agencies routinely access such information in ways that may not fall under this definition.
Ensuring that use of personally identifiable information is limited to a stated purpose. Current law and guidance impose only modest requirements for describing the purposes for collecting personal information and how it will be used. This could allow for unnecessarily broad ranges of uses of the information.
Establishing effective mechanisms for informing the public about privacy protections. Agencies are required to provide notices in the Federal Register of information collected, categories of individuals about whom information is collected, and the intended use of the information, among other things. However, concerns have been raised whether this is an effective mechanism for informing the public.
The potential for data breaches at federal agencies also poses a serious risk to the privacy of individuals’ personal information. OMB has specified actions agencies should take to prevent and respond to such breaches. In addition, GAO has previously reported that agencies can take steps that include
• assessing the privacy implications of a planned information system or data collection prior to implementation;
• ensuring the implementation of a robust information security program; and
• limiting the collection of personal information, the time it is retained, and who has access to it, as well as implementing encryption.
Read the full GAO testimony.

As the private sector gets better (still not good) at security, the remaining “low hanging fruit” may just be those huge government databases.
Data breaches up 19 percent, GAO reports
July 31, 2012 by admin
Federal data breaches jumped 19 percent last year, the Government Accountability Office said Tuesday.
There were roughly 13,000 incidents reported by agencies in 2010 involving unauthorized disclosures of personally identifiable information — last year, that figure shot up to 15,500, Greg Wilshusen, GAO’s director of information security issues, told the Senate subcommittee on government management oversight Tuesday at a hearing.
Read more on Federal Times. The GAO testimony being cited can be found here.

Interesting question.
On email privacy, Twitter’s ToS and owning your own platform
July 31, 2012 by Dissent
Alex Howard discusses the recent uproar on Twitter after journalist Guy Adams’ account was suspended for tweeting the email of an NBC executive to whom viewers could complain about NBC’s Olympic coverage. The account has been reinstated, and Twitter broke its usual silence on individual cases to discuss what had happened and why. But that’s not the end of the conversation. Alex writes:
I see at least three different important issues here related to electronic privacy, Twitter’s terms of service, censorship and how many people think about social media and the Web.
Is a corporate email address private?
Washington Post media critic Erik Wemple is at a loss to explain how tweeting this corporate email address qualifies public (sic) rises to the level of disclosing private information.
Can a corporate email address based upon a known nomenclature used by tens of thousands of people be “private?”
Read Alex’s thoughtful discussion on O’Reilly Radar.

More on Privacy
By Dissent, August 1, 2012
The Health Privacy Summit has made materials and videos available online for its recent conference, “Is There an American Health Privacy Crisis?” Check them out at
Video Highlights:
  • Patient Story about Privacy Loss: “Julie” bravely tells how she was harmed when her sensitive mental health information was used by staff members of a Boston health care system without her consent.
  • Louis D. Brandeis Privacy Awards: You can watch as we honor Ross Anderson, Congressmen Joe Barton and Ed Markey and Professor Alan Westin with the first-ever Louis D. Brandeis Privacy Awards.
  • Best Privacy Technologies of 2012: You can also watch us present IDExperts, Jericho Systems, and TrendMicro with awards for the Best Privacy Technologies of 2012.
  • theDataMap™: Seeing Latanya Sweeney present theDataMap™ is a real eye-opener as she explains this critical project to map the hidden flows of health data.
  • All Keynotes and Panels: The keynotes and panels include national and international academics, advocates, government officials, health care providers, industry executives, technology experts, and more, discussing the major technical, legal, and cultural threats and solutions to privacy and patient control over personal health information in electronic health systems and data exchanges.
You can also visit the agenda and click on any session to see more about the panel and the live video.
“Is There An American Health Privacy Crisis”, was jointly hosted by The O’Neill Institute for National and Global Health Law and the Patient Privacy Rights Foundation.

Aug. 1, 1949: FCC Gets in on Cable TV

Perspective The Digital Universe?

For my Math students

For all my techies...
Do you have a Word document that you quickly and painlessly need converted into an Excel document? Well then, you should consider taking a look at Convert Word To Excel.
Before you can begin using it, you need Microsoft Silverlight installed and enabled. Then just click on “File” and then “Open”

Tuesday, July 31, 2012

The electronic equivalent of a “Paid” stamp?
Credit Card Roulette: Payment Terminals Pwned in Vegas
At least three widely used credit and debit card purchasing terminals in the U.S. and U.K. have vulnerabilities that would allow attackers to install malware on them and sniff card data and PINs.
The vulnerabilities can also be used to make a fraudulent card transaction look like it’s been accepted when it hasn’t been, printing out a receipt to fool a salesclerk into thinking items have been successfully purchased.
Or an attacker can design a hack that would invalidate the chip-and-PIN card system, a security feature that is standard in Europe but only nascent in the U.S. It uses cards embedded with a chip and requires cardholders to enter a PIN to validate a transaction.

Most managers recognize that logging makes it easy to determine who accessed what, when. Do they fully consider the implications of saving some money by turning off the logs?
Oops x 2: lack of logs confounds thorough breach investigation
July 30, 2012 by admin
The Depository Trust and Clearing Corporation realized that employee information – including SSN and financial information – was improperly accessible to other employees on its intranet. But its lack of adequate logging procedures made it impossible for them to determine who may have accessed the data, they report to the New Hampshire Attorney General.

(Related) Auditors look for changes in the volume of transactions as an indication that something has started or stopped. Best Practice then suggests you do something about it! Well done, mystery processor!
When security works: payroll processor prevent$ transactions
July 30, 2012 by admin
Neurocare, Inc. has been notifying some employees after one of their systems was infected by malware and the criminals acquired the firm’s login credentials to its payroll processor account. The credentials were then used to re-route direct deposits for some employees to other accounts.
The scheme was foiled because Neurocare’s unnamed payment processor detected an unusual number (17) of change requests and notified Neurocare promptly. The processor was able to reverse any transactions before they went through, so no money was lost. The IPs of the attackers were provided to the firm by the processor.
Payment processors have gotten bad press at times over their failures. It’s a shame that Neurocare didn’t name this payment processor in their report to the New Hampshire Attorney General’s Office so that they could get some positive coverage. [Agreed Bob]
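As an added example that is not part of the original post, and not code from DTCC, Neurocare or the unnamed processor, here is a small Python audit-log analyser over constructed payroll direct-deposit change events; every log line, account name, employee id and IP address in it is made up for illustration. It ties together the two items above: with a log you can answer who changed what, when and from where (the question DTCC could not answer), and a jump in the daily volume of one transaction type against its own baseline is an actionable alert (the signal Neurocare's processor acted on). The log format, the 3x-over-baseline rule and the minimum absolute count are assumptions of this example, not anything the reports describe.

```python
"""Audit-log attribution and volume-spike detection over constructed
payroll direct-deposit change events (example code, not from the post)."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean


def build_sample_log():
    """Constructed log: '<ISO timestamp> <actor> <source IP> <action> <target employee>'.
    Four ordinary days of one change each, then 17 re-routes in a single
    early-morning session from an IP the payroll team has never used."""
    lines = [
        "2012-07-20T09:12:04Z payroll_admin 10.1.4.22 dd_change emp1042",
        "2012-07-21T10:03:51Z payroll_admin 10.1.4.22 dd_change emp1107",
        "2012-07-23T14:20:10Z payroll_admin 10.1.4.22 dd_change emp1311",
        "2012-07-24T11:45:00Z payroll_admin 10.1.4.22 dd_change emp1090",
        "2012-07-25T08:30:12Z payroll_admin 10.1.4.22 view_w2 emp1042",
    ]
    for i in range(17):  # the burst: stolen credentials, unfamiliar source
        lines.append(f"2012-07-26T02:{14 + i:02d}:33Z payroll_admin 198.51.100.7 dd_change emp{2000 + i}")
    return "\n".join(lines)


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, ip, action, target = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "actor": actor, "ip": ip, "action": action, "target": target,
        })
    return events


def who_did_what(events, target):
    """Attribution: every (time, actor, IP, action) that touched one employee record.
    Without a log like this, the answer is 'we cannot tell'."""
    return [(e["ts"].isoformat(), e["actor"], e["ip"], e["action"])
            for e in events if e["target"] == target]


def daily_counts(events, action):
    """Number of events of one action type per calendar day."""
    counts = Counter()
    for e in events:
        if e["action"] == action:
            counts[e["ts"].date()] += 1
    return counts


def spikes(events, action, factor=3.0, min_abs=5):
    """Flag days whose count of `action` is both at least `min_abs` and more
    than `factor` times the mean daily count over all earlier calendar days
    (days with no activity count as zero, so the baseline is not inflated).
    Returns a list of (day, count, baseline)."""
    counts = daily_counts(events, action)
    if not counts:
        return []
    first = min(counts)
    flagged = []
    for day in sorted(counts):
        prior = [counts.get(first + timedelta(days=i), 0) for i in range((day - first).days)]
        if not prior:
            continue  # nothing to compare the first day against
        baseline = mean(prior)
        n = counts[day]
        if n >= min_abs and n > factor * baseline:
            flagged.append((day, n, baseline))
    return flagged


def unfamiliar_sources(events, known_ips):
    """Second, independent signal: source IPs never seen from this account before."""
    return {e["ip"] for e in events if e["ip"] not in known_ips}


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("touched emp1042:", who_did_what(evs, "emp1042"))
    for day, n, base in spikes(evs, "dd_change"):
        print(f"ALERT {day}: {n} direct-deposit changes vs baseline {base:.2f}/day")
    print("unfamiliar IPs:", unfamiliar_sources(evs, {"10.1.4.22"}))
```

The `min_abs` floor matters: a payroll team that normally makes one change a day has a baseline so small that a 3x rule alone would fire on three legitimate changes, which is exactly the kind of noisy alert that gets a detector switched off. Running the two signals together (volume spike plus a source IP the account has never used) is what lets a processor pause the batch and phone the customer, as happened here, rather than merely log a warning.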

For your Security manager
Free Android apps could hijack your phone
Those annoying pop-up ads are back. This time, they're on your smartphone, and they're badder than ever. Here's how you can avoid aggressive adware on your mobile device.

For my Business Continuity students. It could happen here...
"BBC reports that a massive power breakdown has hit India for a second day running, leaving more than half the country without power as the northern and eastern grids have both collapsed. The breakdown has hit a large swathe of the country including Delhi, Punjab, Haryana, Uttar Pradesh, Himachal Pradesh and Rajasthan states in the north, and West Bengal, Bihar, Orissa and Jharkhand in the east. Power cuts are a common occurrence in Indian cities because of a fundamental shortage of power and an aging grid. The chaos caused by such cuts has led to protests and unrest on the streets but the collapse of an entire grid is rare — the last time the northern grid failed was in 2001. India's demand for electricity has soared in recent years as its economy has grown but its power infrastructure has been unable to meet the growing needs. In the weeks leading up to the failure, extreme heat had caused power use to reach record levels in New Delhi and on July 30 a line feeding into the Agra-Bareilly transmission section, the 400-kV Bina-Gwalior line, tripped, triggering the collapse. The second grid collapse occurred on 31 July as the Northern, Eastern and North-Eastern power grids of India tripped/failed causing power blackout in 19 states across India. The crisis was allegedly triggered after four states — Rajasthan, Haryana, Punjab and UP — drew much more than their assigned share of power."

Welcome to Behavioral Advertising, the political version.
Dark Money Political Groups Target Voters Based on Their Internet Habits
Lauren Berns was browsing Talking Points Memo when he saw an ad with President Obama’s face. “Stop the Reckless Spending,” the ad read, and in smaller print, Paid for by Crossroads GPS. Berns was surprised. Why was Crossroads GPS, a group that powerful Republican strategist Karl Rove helped found, advertising on a liberal-leaning political website? Looking closely at the ad, Berns saw a small blue triangle in the upper-left hand corner. He knew what that meant: this ad wasn’t being shown to every person who read that page. It was being targeted to him in particular. Tax-exempt groups like Crossroads GPS have become among the biggest players in this year’s election. They’re often called “dark money” groups, because they can accept unlimited amounts of money and never have to disclose their donors.
These groups are spending massively on television spots attacking different candidates. These ads are often highly publicized and get plenty of media attention.
But these same dark money groups are also quietly expanding their online advertising efforts, using sophisticated targeting tactics to send their ads to specific kinds of people.
Who they’re targeting, and what data they’re using, is secret.

We have these on tollways. “We know where you get on, we know where you get off, that tells us how much you owe.” But, how long do they keep that information? Who gets to see it? Could be the start of an interesting dialog.
Automatic License Plate Readers: A Threat To Americans’ Privacy
July 31, 2012 by Dissent
The ACLU’s Nationwide Public Records Request
In July 2012, American Civil Liberties Union affiliates in 38 states sent requests to local police departments and state agencies that demand information on how they use automatic license plate readers (ALPR) to track and record Americans’ movements.
On the same day, the ACLU and the ACLU of Massachusetts filed federal Freedom of Information Act requests with the Departments of Justice, Homeland Security, and Transportation to learn how the federal government funds ALPR expansion nationwide and uses the technology itself.
Read more on ACLU’s blog.

I wonder if Colorado would be interested in following this model here? I know just the guy to run it...
By Dissent, July 30, 2012
From PRC, a new resource for California residents:
Many people consider their health information to be highly sensitive, deserving the strongest protection under the law. Medical records often contain not only personal health-related information – considered by most to be strictly confidential — but also Social Security numbers and dates of birth — the keys to identity theft.
Over the years, the Privacy Rights Clearinghouse has heard from thousands of individuals who feel their medical privacy rights have been violated. There is a great deal of misunderstanding about medical privacy laws and regulations. Most individuals think they have far more legal protection than they actually have.
What are your rights to medical privacy? As it turns out, that is not a simple question to answer. Chances are, you’ve heard of HIPAA, the Health Insurance Portability and Accountability Act. It is a federal law that sets a national baseline standard for the privacy of individually identifiable health information.
But HIPAA only applies to health care providers that conduct certain transactions electronically, health plans, and health care clearinghouses. A great deal of personal medical information exists that is not maintained by HIPAA “covered entities.” An example would be personal medical information provided voluntarily when one participates in an online chat forum for individuals with a specific ailment.
Fortunately for individuals who live in California, state law provides additional medical privacy protections. Today, the PRC has launched a microsite dedicated solely to medical privacy in California. It is available at
The Fact Sheets posted on the microsite are:
Over time, we will expand the site to include additional Fact Sheets.
For information about health privacy issues not specifically related to California, read these guides on our website:
Do you have a medical privacy question that our Fact Sheets don’t address? Use our Online Complaint Center to get a personalized response from our staff.

“The only constant is change.” Heraclitus (Or maybe Isaac Asimov)
Recent Developments — Both in the Courts and in Congress — on the Scope of the Computer Fraud and Abuse Act
July 31, 2012 by admin
Orin Kerr writes:
I’ve blogged a lot on the scope of the Computer Fraud and Abuse Act, and specifically on whether using a computer in violation of a computer use policy or Terms of Service is a federal crime. I’ve been banging the drum urging courts to adopt a narrow interpretation of the Act for a decade, and the question has recently reached several courts of appeals. A lot has been happening on this front recently, so I thought I would bring readers up to speed. To follow this issue, you need to watch all three branches. So let’s start with the pairing of Judiciary/Executive, and then cover the pairing of Legislature/Executive.
Read his commentary on The Volokh Conspiracy.

The future, now that Amazon has given up the fight (which they were never going to win).
July 30, 2012
"Amazon" Laws and Taxation of Internet Sales: Constitutional Analysis
CRS - "Amazon" Laws and Taxation of Internet Sales: Constitutional Analysis, Erika K. Lunder - Legislative Attorney; John R. Luckey - Legislative Attorney, July 26, 2012
  • "As more and more purchases are made over the Internet, states are looking for new ways to collect taxes on these sales. While there is a common misperception that states cannot tax Internet sales, the reality is that they may impose sales and use taxes on such transactions, even when the retailer is outside of the state. However, if the seller does not have a constitutionally sufficient connection (“nexus”) to the state, then the seller is under no enforceable obligation to collect a use tax. While the purchaser is still generally responsible for paying the use tax, the rate of compliance is low. Recent laws, often called “Amazon” laws in reference to the large Internet retailer, represent fresh attempts by the states to capture taxes on Internet sales. States enacting these laws have used two basic approaches. The first is to impose use tax collection responsibilities on retailers who compensate state residents for placing links on the state residents’ websites to the retailer’s website (i.e., online referrals or “click-throughs”). The other is to require remote sellers to provide sales and tax-related information to the state and/or the in-state customers. New York was the first state to enact click-through legislation, and Colorado was the first to pass a notification law. These laws have received significant publicity, in part due to questions about whether they impermissibly impose duties on remote sellers who do not have a sufficient nexus to the state."

Could this be the “baseline” against which other plans are measured?
Republic Wireless reopens $19 service, sells Motorola Defy XT
The heavily hyped service, which promises an all-you-can-eat plan for just $19.99 a month, is finally adding more customers again.

Tools & Techniques for tired eyes...
Most of us spend hours reading on the computer every day, but our computers probably aren’t optimized for reading. The text on our monitors may not be sharp enough or may be too small, especially if we have high-resolution monitors. Websites usually aren’t optimized for reading long-form articles either – they’re cluttered with too many navigation elements, flashing advertisements, and often use text that’s too small.
These tips will help you read text more comfortably everywhere on your Windows computer, from the text in all your programs to articles in your web browser.

Resources: 'cause having your students watch old movies is (sometimes) useful...
At the time of writing there are 3,207 items in the Prelinger Archives, all of which are open to being remixed, sampled and used in any way you see fit.
… There are also collections of films made from Prelinger footage, titled Prelinger Mashups. If nothing more they serve as inspiration as to what can be done with footage like this.

Tools There are bazillions of websites. Find one you like and let these services find the others...
Are you bored of the same old websites? Do you not know what to look at next? Well if that’s the case, then try out a neat web app called Websites Like, which recommends other sites to you, based on a URL or a keyword that you type into their search engine.