Saturday, August 11, 2012

The economics of security (another way to view risk)
Why It Pays to Submit to Hackers
Every big online security breach seems to end in a big lecture. Use strong passwords, users are told. Make fresh logins for every website. Back up your data. Encrypt all your stuff.
… The lectures clearly aren’t working and that, behavioral economists say, is because we already know how we should protect ourselves online, we just choose not to do so. Hardening your internet identity, whether through new passwords, a backup regimen, or other means, costs time and energy in the present, and pays dividends only in some far-off hypothetical future. Humans are already hard-wired to prefer small near-term pleasures over big long-term benefits; throw in the possibility you might not ever actually need a strong password or a computer backup, and it’s no wonder people are so lax about security.
… It’s not only individuals who are susceptible to this kind of negative feedback loop around low-probability events. Dan Ariely, the Duke behavioral economist we interviewed in June, says that organizations are lulled into complacency as well. Apple and Amazon, for example, appear to have routinely allowed customer-support callers to authenticate using minimal information and in some cases without knowing the answers to their own security questions. Ariely likens this to the driver who learns to run stop signs.

“Most reported” does not equal “convicted” but When you want to make a movie deal... (Should my Ethical Hackers claim they hold the Copyright on all the IRS tax forms?)
An anonymous reader sends word of a change Google will be making to its search algorithms. Beginning next week, the company will penalize the search rankings of websites who are the target of many copyright infringement notices from rightsholders. Quoting The Verge:
"Google says the move is designed to 'help users find legitimate, quality sources of content more easily' — meaning that it's trying to direct people who search for movies, TV shows, and music to sites like Hulu and Spotify, not torrent sites or data lockers like the infamous MegaUpload. It's a clear concession to the movie and music industries, who have long complained that Google facilitates piracy — and Google needs to curry favor with media companies as it tries to build an ecosystem around Google Play. Google says it feels confident making the change because because its existing copyright infringement reporting system generates a massive amount of data about which sites are most frequently reported — the company received and processed over 4.3 million URL removal requests in the past 30 days alone, more than all of 2009 combined. Importantly, Google says the search tweaks will not remove sites from search results entirely, just rank them lower in listings."

Look up the license plate registration information and you have a complete dossier. How long before something like it comes to the US?
"Brazil's National Traffic Council (CNT) published Friday a resolution that institutes the National System of Automatic Vehicle Identification (Siniav). According to the Q&A published (Google translation from Portuguese), only 'visible and public' information will be available (vehicle year or fabrication, make, model, combustible, engine power and license plate number), without any personal information about the owner or registration data. This system will be mandatory for all vehicles (cars, trucks, motorcycles, etc) and should cost vehicle owners approximately R$5 (less than US$3)."

(Related) Trick question...
"The Minneapolis Star-Tribune reports that Minneapolis police used automated scanning technology to log location data for over 800,000 license plates in June alone, with 4.9 million scans having taken place this year. The data includes the date, time, and location where the plate was seen. Worse, it appears this data is compiled and stored for up to a year and is disclosed to anyone who asks for it."

Perhaps Google is too large for the FCC to comprehend. Or perhaps too large a fine would reduce the PAC contribution?
Google $22.5 Million FTC Fine Has No Teeth
The Federal Trade Commission on Thursday revealed that Google has agreed to pay $22.5 million to settle charges that the company misrepresented its claim that it would not place cookie tracking files on the computers of users of Apple's Safari browser.
… For the FTC, the main issue is that Google's actions violated an earlier privacy settlement. Thus the fine is largely about saving face. Agency chairman Jon Leibowitz notes that the penalty is "record-setting."
However, FTC Commissioner J. Thomas Rosch in a dissenting statement said the amount is a pittance as far as Google is concerned. "$22.5 million represents a de minimis amount of Google's profit or revenues," he said, using the legal term for too small to matter in a given context.
… The settlement is a win for Google. The "record-setting" fine is less than Google's average daily profit in 2011 (about $32 million).

(Related) No money mentioned in the settlement.
August 10, 2012
FTC Approves Final Settlement With Facebook
News release: "Following a public comment period, the FTC has accepted as final a settlement with Facebook resolving charges that Facebook deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including by giving consumers clear and prominent notice and obtaining their express consent before sharing their information beyond their privacy settings, by maintaining a comprehensive privacy program to protect consumers' information, and by obtaining biennial privacy audits from an independent third party.

(Related) Has the government deliberately reduced their responsibilities?
By Dissent, August 10, 2012
An interesting federal case in the Southern District of Ohio Eastern Division reminds us that the HIPAA statute does not provide for a private cause of action. And so, when the Ohio Hospital for Psychiatry sought to compel a former employee to return patient information she had allegedly removed improperly, the court had to deny their request. On the other hand, though, the court held that it did have the authority to bar the nurse from using the information in her court case.

It sometimes amazes me that people (Congress-people in particular) don't seems to understand the stock market. If you won't allow me to hedge by short selling, I'll dump my stock now, signaling that I have no faith in the future of that company. If short selling does result in “artificially low stock prices” I'll buy. Still Econ 101...
August 11, 2012
Short-Selling Bans Failed to Prevent U.S. Stock Price Declines
"Bans on short-selling imposed during the financial crisis in the belief that short sales were driving United States stock prices below fundamental values did little to stabilize those prices, according to a new study by New York Fed economists. In addition, the bans had the unwanted effects of lowering market liquidity and boosting trading costs. In Market Declines: What Is Accomplished by Banning Short-Selling? New York Fed economist Hamid Mehran and Notre Dame finance professors Robert Battalio and Paul Schultz investigate the link between short-selling and market downturns. The authors first evaluate evidence on the bans’ effectiveness in limiting share price declines in 2008. To provide additional evidence, the three then consider the market effects of short-selling in August 2011, when the debt-rating agency Standard and Poor’s lowered the U.S. sovereign long-term credit rating, prompting the S&P 500 to fall 6.66 percent on the next trading day. At the time, there was no short-selling ban in place in the U.S."

My tax dollars at work? An old Schwinn and a 9-volt Duracell gets me $2500? Or does that put me in the Manufacturer category where the potential to make campaign contributions qualifies me for really big tax credits?
$2,500 Tax Break for Electric Bicycles, Motorcycles Approved by Feds
Electric-vehicle production just got another boost from Uncle Sam. The Senate Finance Committee has approved a $2,500 tax credit for electric bicycles and electric motorcycles. The goal of the bill, backers say, is to create and keep U.S. jobs by encouraging growth of American manufacturers like BRD and Zero through consumer incentives.
Under the bill, electric bicycles and motorcycles will be eligible for a 10 percent federal tax credit of up to $2,500.


Do people still have VHS players?
Transfer VHS tapes to your computer
In this CNET How To video, and in the gallery below, I'll walk you through the process of transferring those VHS home movies over to your computer using a simple, relatively inexpensive method.

Still not exactly Emily Post, but my friend Dr. Post might be interested...
For more information on annoying your Facebook friends, check out Dave Parrack’s article,

Another indication of the future of education? (Note that they must have figured out how to confirm understanding and award a grade, right?)
High school offers credit for Udacity classes; Challenge expands winning teams
Fueled by student momentum, the STEMx network of high schools and Ohio's eSTEM Academy in Reynoldsburg have announced that they will be enrolling 41 students in Udacity's Intro to Statistics class and 49 students in Udacity's Intro to Physics class for fall semester credit. This will allow eSTEM to tap into off-site teaching talent and help drive high school students to excel in college-level courses.

Friday, August 10, 2012

Even gaming has a serious side... hacked
August 9, 2012 by admin
From their official statement:
Even when you are in the business of fun, not every week ends up being fun. This week, our security team found an unauthorized and illegal [Is it just me or does that seem redundant? Bob] access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.
… We also know that cryptographically scrambled versions of passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.
… As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password.
… Please find additional information here.

Ubiquitous surveillance – Surveillance at any cost? Sounds like a database of video with location and time stamps to make it searchable. Unclear if they have other data matching tools.
Stratfor emails reveal secret, widespread TrapWire surveillance system
Former senior intelligence officials have created a detailed surveillance system more accurate than modern facial recognition technology — and have installed it across the US under the radar of most Americans, according to emails hacked by Anonymous.
Every few seconds, data picked up at surveillance points in major cities and landmarks across the United States are recorded digitally on the spot, then encrypted and instantaneously delivered to a fortified central database center at an undisclosed location to be aggregated with other intelligence. It’s part of a program called TrapWire and it's the brainchild of the Abraxas, a Northern Virginia company staffed with elite from America’s intelligence community. The employee roster at Arbaxas reads like a who’s who of agents once with the Pentagon, CIA and other government entities according to their public LinkedIn profiles, and the corporation's ties are assumed to go deeper than even documented.
… According to a press release (pdf) dated June 6, 2012, TrapWire is “designed to provide a simple yet powerful means of collecting and recording suspicious activity reports.” A system of interconnected nodes spot anything considered suspect and then input it into the system to be "analyzed and compared with data entered from other areas within a network for the purpose of identifying patterns of behavior that are indicative of pre-attack planning.”
… In a 2005 interview with The Entrepreneur Center, Abraxas founder Richard “Hollis” Helms said his signature product “can collect information about people and vehicles that is more accurate than facial recognition, draw patterns, and do threat assessments of areas that may be under observation from terrorists.” He calls it “a proprietary technology designed to protect critical national infrastructure from a terrorist attack by detecting the pre-attack activities of the terrorist and enabling law enforcement to investigate and engage the terrorist long before an attack is executed,” and that, “The beauty of it is that we can protect an infinite number of facilities just as efficiently as we can one and we push information out to local law authorities automatically.”
… Since its inception, TrapWire has been implemented in most major American cities at selected high value targets (HVTs) and has appeared abroad as well. The iWatch monitoring system adopted by the Los Angeles Police Department (pdf) works in conjunction with TrapWire, as does the District of Columbia and the "See Something, Say Something" program conducted by law enforcement in New York City, which had 500 surveillance cameras linked to the system in 2010. Private properties including Las Vegas, Nevada casinos have subscribed to the system. The State of Texas reportedly spent half a million dollars with an additional annual licensing fee of $150,000 to employ TrapWire, and the Pentagon and other military facilities have allegedly signed on as well.

If my boss asked me to get your records, is that sufficient for me to “believe” they are relevant?
Court Grants Feds Warrantless Access to Utility Records
August 10, 2012 by Dissent
David Kravets reports:
Utilities must hand over customer records — which include credit card numbers, phone numbers and power consumption data — to the authorities without court warrants if drug agents believe they are “relevant” to an investigation, a federal appeals court says.
The Comprehensive Drug Abuse Prevention and Control Act of 1970 allows the authorities to make demands for that data in the form of an administrative subpoena, with no judicial oversight. [Even after the fact? Bob] In this instance, the Drug Enforcement Administration sought the records of three Golden Valley Electric Association customers in Fairbanks, Alaska suspected of growing marijuana indoors.
Read more on ThreatLevel.

Another “Lawyer Automation” project?
Finally, Someone Read the Terms of Service So You Don't Have To
I've yet to find anyone who reads the terms-of-service contracts that we "agree" to on the various websites of the world. But now, a group of technologists, lawyers, and interested parties have created TOS;DR, a project to create peer-reviewed summaries of all those documents you will never actually read.
Launched in June, it's a kind of brilliant and already-useful tool for some of the more heavily trafficked sites on the web. For example, if you're uploading photos to TwitPic, you might want to reconsider. They give the site their worst grade, a "Class E." Why? Well, they have an easy-to-understand summary right here. If you click on "Read the Details," you get an extended explanation of these warnings and can also link back (almost like a Wikipedia page) to the TOS;DR discussion that led to the thumbs-down.

Red: Stop
Green: Go
Yellow: Go very fast Jeff Bridges in Starman
New Technology Means You’ll Never Run Another Yellow Light
There’s a name for that panic-inducing split second when a traffic light turns yellow and you have to choose whether to hit the gas or the brake. It’s called the “dilemma zone,” and a new radar system promises to make it a thing of the past.
TrafiRadar is a new technology from Belgium-based Traficon. It combines video and radar vehicle detection that can control a traffic light, holding a yellow until a car has crossed an intersection.
While towns that rely on revenue from red light cameras might be loath to install the new technology, it could make intersections safer for all. Currently, drivers in the dilemma zone can either slam on the brakes and risk a rear-end collision, or run a red light. TrafiRadar can determine whether a vehicle needs more time to get through an intersection before the yellow light turns red, and keep all other traffic stopped until that car has crossed.

To a hacker, everything is Open Source...
"Hacker Highschool is an after school program that teaches students the best practices of responsible hacking. The program is open source, and high schools across the country have begun offering the free program to students. Hacker Highschool recognized that teens are constantly taught that hacking is bad, and they realized that teens' amature understanding of hacking was the cause of the biggest issues. The program aims to reverse this negative stereotype of hacking by encouraging teens to embrace ethical, responsible hacking."

Online Education Degrees Now Dwarf Traditional Universities
Education degrees earned at online universities now dwarf those of traditional universities. USA Today analyzed recent Department of Education data and found that online education behemoth, the University of Phoenix, awarded more than twice as many education degrees as its closest traditional competitor, Arizona State University (5,976 vs. 2,075).
… While ASU still awards the most bachelor degrees, the other top 4 online universities, 3 of which are for-profit, hand out far more advanced degrees, which are increasingly important for hiring and promotion. This, of course, says nothing about the quality of online degrees.

Thursday, August 09, 2012

Something for all students (and parents) Trivial numbers, unless you happen to be included.
University of Arizona server exposes personal data on 7,700
August 8, 2012 by admin
Yes, right, sure we’ll let universities amass oodles of personal info on students…
Carol Ann Alaimo reports:
Thousands who received payments from the University of Arizona last school year are at risk of identity theft after their personal data was mistakenly put online for more than a month during an upgrade of UA’s financial systems.
About 7,700 vendors, consultants, guest speakers and UA students had their names and Social Security numbers compromised in the incident that occurred in February and early March, a school official said.
The problem came to light when a UA student Googled herself and her private information popped up on a UA computer server accessible to the public, said Cathy Bates, the university’s information security officer.
Read more on Arizona Daily Star. I cannot find any statement on the university’s web site at the time of this posting.

Wasn't this inevitable? After all, war is an economic event.
Flame and Stuxnet Cousin Targets Lebanese Bank Customers, Carries Mysterious Payload
A newly uncovered espionage tool, apparently designed by the same people behind the state-sponsored Flame malware that infiltrated machines in Iran, has been found infecting systems in other countries in the Middle East, according to researchers.
The malware, which steals system information but also has a mysterious payload that could be destructive, has been found infecting at least 2,500 machines, most of them in Lebanon, according to Russia-based security firm Kaspersky Lab, which discovered the malware in June and published an extensive analysis of it on Thursday.
The spyware, dubbed Gauss after a name found in one of its main files, also has a module that targets bank accounts in order to capture login credentials. The malware targets accounts at several banks in Lebanon, including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets customers of Citibank and PayPal.

Can this be significant if the vast majority of people (even victims) have never heard of it?
"Over the past three years, about 21 million patients have had their unencrypted medical records exposed in data security breaches that were big enough to require they be reported to the federal government. Each of the 477 breaches that were reported to the Office for Civil Rights (OCR) involved 500 or more patients, which the government posts on what the industry calls 'The Wall of Shame.' About 55,000 other breach reports involving fewer than 500 records where also reported to the OCR. Among the largest breaches reported was TRICARE Management Activity, the Department of Defense's health care program, which reported 4.9 million records lost when backup tapes went missing. Another five breaches involved 1 million or more records each. Yet, only two of the organizations involved in the breaches have been fined by the federal government."

What a concept!
ABA: Lawyers Must Implement Reasonable Data Security for Client Information
August 8, 2012 by admin
Back on August 2, in response to yet another breach involving a law firm’s records, I wrote to the American Bar Association to ask what the ABA advised members in terms of disposal of records. I got a pro forma response that was totally non-responsive to the question I had posed to them. I wrote back and tried again. This time I got no answer at all. Way to go, ABA.
Thankfully, Jim Brashear has blogged about this very issue. He writes, in part:
This week, the American Bar Association (ABA) House of Delegates adopted changes to Model Rule 1.6 of the ABA Model Rules of Professional Conduct. New subsection (c) adds the following sentence to the model rule:
“A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.”
In comments to the revised model rule, the ABA provides a non-exclusive list of factors to be considered in determining the reasonableness of the lawyer’s data security efforts. They include:
  • the sensitivity of the information,
  • the likelihood of disclosure if additional safeguards are not employed,
  • the cost of employing additional safeguards,
  • the difficulty of implementing the safeguards, and
  • the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Read more on ZixCorp Insight.
So… if most of the records are part of court records that are publicly available, does the lawyer have a duty to shred/securely dispose of the records or not? It almost sounds like they wouldn’t, but I hope that’s not the case.
Update: I put the question to Jim Brashear, who answered me in a series of tweets:
@pogowasright Exsting rules say client files belong to the client; lawyers must keep information related to the representation confidential.
— Jim Brashear (@JFBrashear) August 8, 2012
@pogowasright New ABA rule clarifies existing ethics obligations. No lawyer should dispose of client files before making them unreadable.
— Jim Brashear (@JFBrashear) August 8, 2012
@pogowasright Ethics rules and opinions are set by state bars, not the ABA, but dumping unshredded client files clearly is an ethics breach.
— Jim Brashear (@JFBrashear) August 8, 2012
Well, I think they are an ethics breach, too, if not a violation of state law, but I wonder how often such breaches involving lawyers or law firms are brought to state bar associations.

Privacy or “automatic criminal?”
App for disposable phone numbers launches
August 8, 2012 by Dissent
Meghan Kelly reports on disposable mobile phone number app that launched today:
Burner launched today, an app that gives you one-off numbers that go dark after you’re done using them. But what happens when those numbers are used by criminals? The privacy-focused company says it is ready to deal with illicit behavior, and will comply with U.S. court orders.
“Burner is a very focused product around anonymity and privacy,” said Burner chief executive Greg Cohn in an interview with VentureBeat. “Part of the reason we’re doing this company is because we’re privacy advocates.”
Burner lets you buy a number to use for a certain amount of time before it is “burned” or goes inactive. Think of Craigslist transactions. You don’t want that guy who tried to sell you a crappy TV to have your real number sitting around. A Burner number allows you to cut off ties from that person quickly, and keeps you identifying information out of their hands.
Read more on VentureBeat.
I checked out the app’s privacy policy and noted this section:
Our Deletion of Your Personal Data and other information:
One of the features of the Services allows you to “burn”, or delete, individual phone numbers from your phone at any time, as well as automatically upon the expiry of a number that you elect not to renew. If you delete a number via this feature, we delete all of its history and message content from the application on your phone and from our primary working server. Backup copies of this data are not immediately deleted, however, and some aspects of user history are maintained for longer periods of time so that we can reconcile our records and manage our business. Please be advised that we have no control over data that may be captured by third parties through your use of the Services, including but not limited to your carrier, internet service provider, Apple, and third-party vendors we may rely on to perform the services, except that we will not disclose Personal Data to third parties other than as permitted in this Privacy Policy.
If you would like to delete your entire account history, please contact us via email at
It would be helpful if that statement were more specific about for how long user data are retained following non-renewal or deletion, and what types of user data are retained for them to “reconcile their records” or manage their business.
Depending on your motives for using a disposable number, this might be a useful app, but if you’re doing anything illegal or worried about repressive regimes, it will probably not afford you the protection you might want.

Oh, that's what they meant...
Disclosing (unnecessary) personal info on parking ticket violates DPPA – Court
August 8, 2012 by Dissent
In September 2010, I blogged about a case in Palatine, Illinois after Jason Senne sued the village for the amount of personal information it needlessly exposed in a parking ticket left on his windshield. Some of the original court filings were linked from that blog entry. In August 2011, the district court ruled that the practice did not violate the Driver’s Privacy Protection Act. Mr. Senne appealed, but a panel of the appellate court affirmed.
Not giving up, Mr. Senne requested re-hearing en banc and the full court agreed with him:
Mr. Senne’s appeal requires that we examine the scope of the DPPA’s protection of personal information contained in motor vehicle records and the reach of its statutory exceptions. We now conclude that the parking ticket at issue here did constitute a disclosure regulated by the DPPA, and we further agree with Mr. Senne that, at this stage of the litigation, the facts as alleged are sufficient to state a claim that the disclosure on his parking ticket exceeded that permitted by the statute. Accordingly, we reverse the judgment of the district court and remand for further proceedings consistent with this opinion.
On appeal, the Village contends that the placement of the citation on Mr. Senne’s windshield was permitted under the statute either because the disclosure was “[f]or use by a[] . . . law enforcement agency[] in carrying out its functions,” id. § 2721(b)(1), or “[f]or use in connection with any civil[] . . . [or] administrative[] . . . proceeding . . ., including the service of process,” id. § 2721(b)(4).11 The Village does not describe in any length how all the information printed on the ticket served either purpose; instead, it maintains, in effect, that the statute does not require that analysis. In the Village’s view, as long as it can identify a subsection of the law under which some disclosure is permitted, any disclosure of information otherwise protected by the statute is exempt, whether it serves an identified pur pose or not.
We cannot accept the Village’s position.
You can read the Seventh Circuit Court of Appeals opinion in full here. It’s a privacy-protecting interpretation of DPPA that affirms that unnecessary disclosures of personal information are not permitted by the statute.

Will the RIAA and MPAA find a way to nuke this?
An anonymous reader writes with news that The Internet Archive has started seeding about 1,400,000 torrents. In addition to over a million books, the Archive is seeding thousands and thousands of films, music tracks, and live concerts. John Gilmore of the EFF said, "The Archive is helping people to understand that BitTorrent isn't just for ephemeral or dodgy items that disappear from view in a short time. BitTorrent is a great way to get and share large files that are permanently available from libraries like the Internet Archive." Brewster Kahle, founder of the Archive, told TorrentFreak, "I hope this is greeted by the BitTorrent community, as we are loving what they have built and are very glad we can populate the BitTorrent universe with library and archive materials. There is a great opportunity for symbiosis between the Libraries and Archives world and the BitTorrent communities."

Another case of “We can, therefore we must” or maybe too much Homeland Security money? I too have trouble explaining the banking interest.
NYPD, Microsoft Launch All-Seeing “Domain Awareness System” With Real-Time CCTV, License Plate Monitoring
August 8, 2012 by Dissent
Neal Ungerleider reports:
The New York Police Department is embracing online surveillance in a wide-eyed way. Representatives from Microsoft and the NYPD announced the launch of their new Domain Awareness System (DAS) at a Lower Manhattan press conference today. Using DAS, police are able to monitor thousands of CCTV cameras around the five boroughs, scan license plates, find out the kind of radiation cars are emitting, and extrapolate info on criminal and terrorism suspects from dozens of criminal databases … all in near-real time.
According to publicly available documents, the system will collect and archive data from thousands of NYPD- and private-operated CCTV cameras in New York City, integrate license plate readers, and instantly compare data from multiple non-NYPD intelligence databases. Facial recognition technology is not utilized and only public areas will be monitored, officials say. Monitoring will take place 24 hours a day, seven days a week at a specialized location in Lower Manhattan. Video will be held for 30 days and then deleted unless the NYPD chooses to archive it. Metadata and license plate info collected by DAS will be retained for five years, and unspecified “environmental data” will be stored indefinitely.
Read more on FastCompany and then explain to me how/why Pfizer is involved. And why would banks or stock brokerage firms really want to spend their time sitting in the control center watching?
The DAS system is headquartered in a lower Manhattan office tower in a command-and-control center staffed around the clock by both New York police and “private stakeholders.” When this reporter visited, seats were clearly designated with signs for organizations such as the Federal Reserve, the Bank of New York, Goldman Sachs, Pfizer, and CitiGroup.

Legislation by implication – not worth the paper it's written on?
Article: The Life, Death, and Revival of Implied Confidentiality
August 8, 2012 by Dissent
Woodrow Hertzog has uploaded a new paper to SSRN. Here’s the abstract:
The concept of implied confidentiality has deep legal roots, but it has been largely ignored by the law in online-related disputes. A closer look reveals that implied confidentiality has not been developed enough to be consistently applied in environments that often lack obvious physical or contextual cues of confidence, such as the Internet. This absence is significant because implied confidentiality could be one of the missing pieces that help users, courts, and lawmakers meaningfully address the vexing privacy problems inherent in the use of the social web.
This article explores the curious diminishment of implied confidentiality and proposes a revitalization of the concept based on a thorough analysis of its former, offline life. This article demonstrates that courts regularly consider numerous factors in deciding claims for implied confidentiality; they have simply failed to organize or canonize them. To that end, this article proposes a unifying and technology-neutral decision-making framework to help courts ascertain the two most common and important traditional judicial considerations in implied obligations of confidentiality – party perception and party inequality. This framework is offered to demonstrate that the Internet need not spell the end of implied agreements and relationships of trust.
You can download the full article from SSRN.

Cooler heads prevail?
Justice Dept. won't appeal computer fraud dismissal
… The decision means the 9th U.S. Circuit Court of Appeals' rejection of the case against David Nosal, who was accused of illegally misappropriating trade secrets from his employer, will stand. In a 9-2 ruling, the court found in April that the 1984 federal Computer Fraud and Abuse Act was being interpreted too broadly and warned that millions of Americans could be subjected to prosecution for harmless Web surfing at work under the prosecutors' reading of the law.

Interesting video from local news. Apparently New Zealand sees this as a big story – why else a 10 nimute news report?
New Zealand Police Try to Justify Paramilitary Raid on Kim Dotcom
A New Zealand court is looking into the paramilitary raid on filesharing kingpin Kim Dotcom’s mansion in January, having already found that the warrant justifying it was illegal.
Dotcom’s mansion was raided at dawn by helicopter, which dropped off four heavily armed agents to launch the assault. They were followed by even more agents and dog handlers. The raid on the founder of Megaupload was coordinated, the government admits, with help from the FBI.
… Agents said the concern was that Dotcom would delete evidence, though as Dotcom pointed out in court, speaking directly to the government, there was little chance of that.
“You knew the FBI was in the data center, prior to you arriving,” he said. “There was no chance for anyone to do anything with that evidence.”

(Related) At least there were no 'black helicopters' involved.
"LendInk, a community for people interesting in using the lending features of the Kindle and Nook, has been shut down after some authors mistakenly thought the site was hosting pirated ebooks. The site brought together people who wanted to loan or borrow specific titles that are eligible for lending, and then sent them to Amazon or to make the loans. Authors and publishers who were unaware of this feature of the Kindle and Nook, and/or mistakenly assumed the site was handing out pirated copies, were infuriated. LendInk's hosting company received hundreds of complaints and shut the site down. LendInk's owner says: 'The hosting company has offered to reinstate on the condition that I personally respond to all of the complaints individually. I have to say, I really do not know if it is worth the effort at this point. I have read the comments many of these people have posted and I don't think any form of communication will resolve the issues in their eyes. Most are only interested in getting money from me and others are only in in for the kill. They have no intentions of talking to me or working this out. So much for trying to start a business and live the American Dream.'"

I will be following to see which candidate proposes something like this for the US. A new currency for buying votes?
"The Indian government is finalizing a $1.2 billion plan to hand out free mobile phones to the poorest Indian families (around six million households, according to some estimates). The Times of India reports: 'Top government managers involved in formulating the scheme want to sell it as a major empowerment initiative... While the move will ensure contact with the beneficiaries of welfare programmes (sic) ..., there is also a view the scheme will provide an opportunity for the (government) to open a direct line of communication [Vote for ___TBD___ Bob] with a sizable population that plays an active role in polls.'"

For the non-iPhone crowd.
"Some time ago, Google admitted that the biggest threat was not other search engines but services like Siri. However, Google just bridged that gap with Google Voice Search, already available in Jelly Bean, but also available via downloadable app. [So I should be able to run it on my PC Bob] Google also submitted this app to the iOS App Store and is currently waiting approval. However, Slashdotters are no doubt recalling to mind the 'Google Voice' fiasco, in which Apple refused to allow it to appear, saying that it replaces a native function. It wasn't until Apple was brought before Congress to answer questions on how it approves or rejects apps that Google Voice was brought in."

The running joke continues?
Linux Copyright Troll SCO Files for Double Secret Bankruptcy
SCO Group — the company behind a number of lawsuits relating Linux — has filed for Chapter 7 bankruptcy, a step beyond the more common Chapter 11 bankruptcy status. It’s not the end of the road for the much-hated company, but it’s close.
SCO Group already filed for Chapter 11 bankruptcy in 2007. Chapter 7 is like double secret bankruptcy. As explained by tech law site Groklaw: “Chapter 11 means you are trying to reorganize and survive as a corporate entity. Chapter 7 means you’ve given up the ghost and are shutting down.”

For my geeks...
"Employment research firm Foote Partners says U.S. labor statistics from last month reveal an increase of some 18,200 jobs in IT, which represents the largest such monthly jump since 2008. 'The overall employment situation in the U.S. is lackluster, in fact this is the fifth consecutive month of subpar results,' says David Foote. 'But the fact that more than 18,000 new jobs were created last month for people with significant IT skills and experience — and nearly 57,000 new jobs added in the past three months — is incredibly good news.'"

Perspective Think it's just a geek thing?
Viewers opted for the Web over TV to watch Curiosity's landing

The future is certification of skills, not classroom lectures...
"Back in the day, getting traction for a new programming language was next to impossible. First, one needed a textbook publishing deal. Then, one needed a critical mass of CS profs across the country to convince their departments that your language was worth teaching at the university level. And after that, one still needed a critical mass of students to agree it was worth spending their time and tuition to learn your language. Which probably meant that one needed a critical mass of corporations to agree they wanted their employees to use your language. It was a tall order that took years if one was lucky, and only some languages — FORTRAN, PL/I, C, Java, and Python come to mind — managed to succeed on all of these fronts. But that was then, this is now. Whip up some online materials, and you can kiss your textbook publishing worries goodbye. Manage to convince just one of the new Super Profs at Udacity or Coursera to teach your programming language, and they can reach 160,000 students with just one free, not-for-credit course. And even if the elite Profs turn up their nose at your creation, upstarts like Khan Academy or Code Academy can also deliver staggering numbers of students in a short time. In theory, widespread adoption of a new programming language could be achieved in weeks instead of years or decades, piquing employers' interest. So, could we be on the verge of a programming language renaissance? Or will the status quo somehow manage to triumph?"

About time...
Pinterest lets users sign up without an invite
One of the Internet's most popular social networks pushed its doors wide open today -- Pinterest has started open registration.

Still waiting for an 'Emily Post' article...
We Read the Stanford Encyclopedia of Philosophy's New Article on Social Media Ethics
As far as online encyclopedias go, the Stanford Encyclopedia of Philosophy may be the best. Created in 1995 by Stanford Professor Edward Zalta, it took one of the first stabs at creating a truthful, rigorous reference resource that could thrive on the web. Experts write and edit and update its articles. College professors use it in their syllabi throughout the world.
So when it publishes a new article, it's a signal: This thing is an increasingly big deal in the philosophical world.
And last Friday, the Stanford Encyclopedia published an article explicitly on the ethics of social networking, by Santa Clara University* professor Shannon Vallor.

Wednesday, August 08, 2012

There's nothing as good as a bad example...
How Not to Become Mat Honan: A Short Primer on Online Security
By now, you’ve probably read or heard about Wired staff writer Mat Honan’s journey through digital hell, in which hackers social-engineered Apple into giving them the keys to his digital life, allowing them to scrub his laptop, iPhone and iPad, hijack his and Gizmodo’s Twitter accounts and delete eight-years-worth of email from his Gmail account.
Honan admits to making a number of mistakes — such as failing to enable two-factor authentication and not backing up his data — that allowed the hack to escalate to the point from which there was no return.
In the hope of preventing you from experiencing a similar fate, we’ve listed a number of steps you can take to protect your data and your identity online. While nothing is foolproof — if hackers install a keystroke logging Trojan horse on your computer, all bets are off — these steps will help protect you from the tactics that Honan’s hackers used, and other ones out there.

A perspective on security? 86 / 50000 = 0.00172 or 0.172 percent. Clearly, we need a class on target selection!
August 07, 2012
Cyber Security Task Force: Public-Private Information Sharing
Cyber Security Task Force: Public-Private Information Sharing. This report is the product of the Bipartisan Policy Center’s Homeland Security Project, July 2012
  • "The attacks on information technology systems from a wide range of adversaries – including hacktivists, criminals, and nation-states – continue to grow.1 From October 2011 through February 2012, over 50,000 cyber attacks on private and government networks were reported to the Department of Homeland Security (DHS), with 86 of those attacks taking place on critical infrastructure networks. The incidents reported to DHS represent only a small fraction of cyber attacks carried out in the United States. [I always wonder how they “know” something no one will tell them about. Bob] The financial losses resulting from the theft of intellectual property and other sensitive information continue to increase dramatically, to say nothing of the loss of state secrets [Are they saying that 'state secrets' were lost to hackers? Bob] and damage to our national security."

This should be interesting...
Java Judge Orders Google and Oracle to Reveal Paid Bloggers
As the epic court battle over the Android operating system rolls on, the judge overseeing the case has ordered Google and Oracle to disclose who they paid to comment on the case.
In an unusual order, issued Wednesday, Judge William Alsup said that he was concerned that the parties in the case “may have retained or paid print or internet authors, journalists, commentators or bloggers who have and/or may publish comments on this issues in the case.”

An interesting approach...
By Dissent, August 7, 2012
The frustrating saga of Eric Drew, a cancer patient who had his identity stolen by a hospital worker, continues. Annie Youderian of Courthouse News reports:
A cancer survivor whose identity was stolen by a hospital worker can sue Chase Bank and a credit service company for reporting false information to credit-rating agencies, the 9th Circuit ruled Tuesday.
“This case lends credence to the old adage that bad things come in threes,” Judge Margaret McKeown wrote for the three-judge panel in San Francisco.
“Eric Drew is a cancer survivor, who required experimental leukemia treatment,” the ruling states. “During his treatment, Drew’s identity was stolen by a hospital worker. Finally, when Drew attempted to remedy the identity theft, the banks and credit rating agencies were allegedly uncooperative, and continued to report the fraudulently opened accounts, and in the case of one bank, the thief address was tagged as Drew’s.”
Drew’s ordeal prompted him to sue Chase Bank and FIA Card Services, among others, in 2006 for reporting false items to the credit-rating agencies.
Read more on Courthouse News.

“Only the government can ignore the need for a warrant. But if we do, we're immune from any downside.”
Ninth Circuit Court of Appeals Reverses Al-Haramain
August 7, 2012 by Dissent
Sadly, the Ninth Circuit Court of Appeals has reversed the decision in Al-Haramain, the only suit against the government’s Terrorist Surveillance Program that had prevailed. The reversal was based on the government’s claim that FISA’s civil remedies language did not trump sovereign immunity.
In their opinion, the court took special pains to respond to the government’s claims that the plaintiffs had engaged in ‘game-playing.’ It was a nice tribute to the plaintiffs’ attorneys and a gentle smackdown of the government’s counsel, but small consolation, indeed.
Given how Congress has gone with respect to FISA, I harbor no hope that Congress will remedy by this problem by amending FISA to provide stronger civil remedies for those whose rights may be infringed. After all, why hold the government truly accountable for warrantless surveillance, right?
Update: for a more detailed explanation of the case and ruling, see EFF”s post on the opinion and its implications.

“It could have been worse. We were gonna test for 'virginity' and force those who failed to change their Facebook status.”
Get Tested Or Get Out: School Forces Pregnancy Tests on Girls, Kicks out Students Who Refuse or are Pregnant
August 7, 2012 by Dissent
Tiseme Zegeye writes:
In a Louisiana public school, female students who are suspected of being pregnant are told that they must take a pregnancy test. Under school policy, those who are pregnant or refuse to take the test are kicked out and forced to undergo home schooling.
Welcome to Delhi Charter School, in Delhi, Louisiana, a school of 600 students that does not believe its female students have a right to education free from discrimination. According to its Student Pregnancy Policy, the school has a right to not only force testing upon girls, but to send them to a physician of the school administration’s choice. A positive test result, or failure to take the test at all, means administrators can forbid a girl from taking classes and force her to pursue a course of home study if she wishes to continue her education with the school.
Read more on ACLU’s blog.

We call it “The Mathematics of Ambiguity.”
August 07, 2012
A Primer on Mathematical Modelling in Economics
Rai, Birendra K., So, Chiu Ki and Nicholas, Aaron, A Primer on Mathematical Modelling in Economics (September 2012). Journal of Economic Surveys, Vol. 26, Issue 4, pp. 594-615, 2012. Available at SSRN
  • "The Commission on Graduate Education in Economics had raised several concerns regarding the role of mathematics in graduate training in economics (Krueger, 1991; Colander, 1998, 2005). This paper undertakes a detailed scrutiny of the notion of a utility function to motivate and describe the common patterns across mathematical concepts and results that are used by economists. In the process one arrives at a classification of mathematical terms which is used to state mathematical results in economics. The usefulness of the classification scheme is illustrated with the help of a discussion of Arrow's impossibility theorem. Common knowledge of the patterns in mathematical concepts and results could be effective in enhancing communication between students, teachers and researchers specializing in different sub‐fields of economics."

Tuesday, August 07, 2012

Interesting legal (and privacy) questions.
"'I think it's going to be horrendous,' said Apple co-founder Steve Wozniak when asked about the shift away from hard disks towards uploading data into the cloud in a post-performance dialogue with audience members after a performance in Washington of The Agony and the Ecstasy of Steve Jobs, monologist Mike Daisey's controversial two-hour expose of Apple's labor conditions in China. 'I think there are going to be a lot of horrible problems in the next five years.' The engineering wizard behind the progenitor of today's personal computer, the Apple II, expanded on what really worried him about the cloud. 'With the cloud, you don't own anything. You already signed it away through the legalistic terms of service with a cloud provider that computer users must agree to. I want to feel that I own things,' Wozniak said. 'A lot of people feel, 'Oh, everything is really on my computer," but I say the more we transfer everything onto the web, onto the cloud, the less we're going to have control over it.'"

(Related) Another tool with a few legal implications.
"Siri can send texts and emails, set alarms and reminders, surf the Web, ask questions, place calls, play music, and get directions. But would you trust Siri, or any of her similar rivals out there for Android, to pay your bank bill? Or report a lost card? Or set up an auto-payments for your bills? Even if you wanted to do these things, how does Siri even know you are who you say you are? Nuance has clearly thought about what's missing from the voice recognition department, and unveiled its own solution on Monday, called 'Nina.' The Nuance Interactive Natural Assistant, or NINA, is a cloud-based AI that can be enabled in most business and enterprise applications thanks to a set of APIs and an open SDK for iOS and Android. Nuance calls Nina 'a watershed of firsts for virtual assistants,' mainly because she is the 'first [VA] to understand what is said and who said it' using voice-ID authentication software. Unlike Siri, Nina can help users manage their bank accounts, book flights and hotels, oversee and manage their investments, and more."

Lone Ranger (or running this year?)
Lone Senator Is Fighting Widespread And Illegal Government Surveillance Of US Citizens
August 6, 2012 by Dissent
WhoWhatWhy writes:
During the Bush administration, it seemed that nary a Republican—and just a handful of Democrats in Congress—spoke out about the government’s crackdown on civil liberties. Since a Democrat took power, the silence has spread.
One notable exception is Senator Ron Wyden (D-OR), a member of the Senate Intelligence Committee. Wyden continues a lonely battle to generate discussion and accountability where there is virtually none.
Read more on BusinessInsider.
[From the article:
Wyden discussed his views on the subject at a forum held at the Libertarian-oriented Cato Institute in Washington in mid-July. Because neither the event nor Wyden’s crusade have received much media attention, we thought we’d provide it. (You may also watch a video of the session here.)

But not in the future?
Bad News On Warrantless GPS Tracking
August 6, 2012 by Dissent
Catherine Crump writes:
Today the U.S. Court of Appeals for the Ninth Circuit issued a disappointing but fortunately narrow decision in a case involving warrantless tracking of a vehicle with a GPS device. The three-judge panel refused to exclude GPS tracking evidence under what’s known as the “good faith” exception, ruling that when the tracking took place, law enforcement agents reasonably relied on binding circuit court precedent in concluding that no warrant was necessary. The tracking happened before the Supreme Court issued its decision in United States v. Jones that GPS device tracking triggers Fourth Amendment protections.
In the case, United States v. Pineda-Moreno, law enforcement agents attached GPS tracking devices to Mr. Pineda-Moreno’s vehicle.
Read more on ACLU’s blog.

For my Data Analysis students. How does this predict drop outs?
Invasion of Privacy: Arizona State to Use ID Cards to Track Students
August 6, 2012 by Dissent
Amy Stoller writes:
Colleges are intensifying their search for new ways to identify struggling students, because 42% of American college students drop out before finishing their degree. Arizona State university professor Matt Pittinsky believes that tracking students’ movements and purchases on campus through their student ID card could show which students are disengaging from college. However, this data-gathering raises major concerns about privacy and the role of college administrators in students’ lives.
Read more on PolicyMic.
I suppose this was predictable. The road to Hell and all…. but equally troubling to me is that under FERPA, the university can decide that their data will be used in the study and does not need to seek or obtain opt-in consent.

August 06, 2012
Office of Director of National Intelligence Launches New Website
"The Office of the Director of National Intelligence debuted the redesign of — enhancing the U.S. Intelligence Community’s web presence, increasing transparency and providing accurate, up-to-date information to the public. Through a complete overhaul of its front-end design, the new site provides a look and feel that better enables the ODNI to deliver well-organized information in a timely manner to the public. With content reorganized to better reflect ODNI’s mission to lead intelligence integration and role as the leader of the Intelligence Community, the revamped site includes a number of new features including links to all IC members, intelligence-related news stories, video, photographs, podcasts and subscription content from throughout the IC. The website also reflects the ODNI’s increased emphasis on web 2.0 tools such as Facebook, which allow greater reach and transparency as well as broader opportunities to highlight the efforts of our federal, state, local, territorial, tribal, private sector, and international partners."

Perspective Significant? Ego (We're not a commodity)
LinkedIn? Not for us, CEOs say in survey
The world's largest online professional network LinkedIn may claim to have over 160 million members globally, but it has yet to convince the majority of chief executives to get on its bandwagon -- with 93 percent of them absent from the platform.
Recruitment firm CTPartners Executive Search released a study today stating that 93 percent of CEOs from the world's largest companies choose not to post their profiles on LinkedIn. In Asia, only 3 percent are on the network, it noted.

"Book lovers are increasingly turning to e-books, and in the UK Amazon has announced it now sells more e-books than physical copies on Kindle books surpassed sales of hardbacks in the UK back in May 2011 at a rate of two to one and now they have leapfrogged the combined totals of both hardbacks and paperbacks."

For my students. Does this also suggest how to write e-books?
Monday, August 6, 2012
Wes Fryer just published a blog post about a Google Search tips presentation given by Lucy Gray. Included in Wes's post he included this seven minute video of a conversation between Dan Russell (Google's Search Anthropologist) and Udi Manbar (VP of Engineering at Google) about strategies for formulating better Google searches.