Saturday, August 18, 2012

“Travel” is easy with a global Internet... And there is always someone somewhere who makes stealing personal information easy.
500K Credit Cards Stolen in Australian Point-of-Sale Hack
Police in Australia are investigating a breach of half a million credit card numbers that reports say was conducted by the same gang that struck the Subway restaurant chain in the United States.
The intrusion occurred at an unidentified merchant in Australia and is being blamed on Eastern European hackers who installed keystroke-logging software on point-of-sale terminals (POS) and siphoned card data from the terminals remotely, according to SC Magazine.
The company’s network used default passwords and stored unsecured transactional data. The gang allegedly used an unsecured Microsoft Remote Desktop Protocol (RDP) connection to transmit the data.
“The network was setup by some local suppliers who didn’t understand IT security,” Det. Sup. Marden told the magazine. “It was a disaster waiting to happen.”
The hackers are believed to be members of the same Romanian group that was responsible for hacking 150 Subway sandwich shops and other unnamed retailers in the U.S.

Script kiddies, but nasty ones.
Shamoon virus targets energy sector infrastructure
The attack, known as Shamoon, is said to have hit "at least one organisation" in the sector.
Shamoon is capable of wiping files and rendering several computers on a network unusable.
… Experts said the threat was known to have hit "at least one organisation" in the energy sector.
"It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) [Now that's just rude Bob] in an effort to render a computer unusable," wrote security firm Symantec.
The attack was designed to penetrate a computer through the internet, before targeting other machines on the same network that were not directly connected to the internet.
Once infected, the machines' data is wiped. A list of the wiped files is then sent back to the initially infected computer, and in turn passed on to the attacker's command-and-control centre.
During this process, the attack replaces the deleted files with JPEG images - obstructing any potential file recovery by the victim. [Nothing special about this, just overwriting to ensure deletion? Bob]

Because workers who follow law, regulation and proper procedure may still have negative political implications for the current incumbent?
Stepped-up computer monitoring of federal workers worries privacy advocates
… Government workers have long known their bosses can look over their shoulder to monitor their computer activity. But now, prompted by the WikiLeaks scandal and concerns over unauthorized disclosures, the government is secretly capturing a far richer, more granular picture of their communications, in real time.
Federal workers’ personal computers are also increasingly seen as fair game, experts said.
… “It used to be, to get all of an agency’s records out you needed a truck,” said Jason Radgowsky, director of information security and privacy for District-based Tantus Technologies, which evaluates monitoring systems for the Federal Aviation Administration, the Export-Import Bank and the National Institutes of Health. “Now you can put everything on a little USB thumb drive.”
The stepped-up monitoring is raising red flags for privacy advocates, who have cited the potential for abuse. Among other concerns, they say they are alarmed that the government has monitored federal workers — including the FDA scientists, starting in 2010 — when they use Gmail, Yahoo or other personal e-mail accounts on government computers.

In my (admittedly biased) opinion, a good chunk of any settlement should go to an independent entity who analyzes what went wrong technically and legally and publishes a “Lessons Learned” (actually a “Don't make this stupid mistake”) article.
Facebook privacy settlement rejected in “sponsored stories” lawsuit
August 18, 2012 by Dissent
Dan Levine of Reuters reports:
A U.S. judge rejected Facebook Inc’s proposed legal settlement to resolve allegations that the social networking company violated its members’ rights through its ‘Sponsored Stories’ advertising feature.
In an order on Friday, U.S. District Judge Richard Seeborg in San Francisco listed several concerns with the proposed settlement, including a request for more information on why the agreement does not award any money to members.
Read more on The Los Angeles Times.
David Kravets of Threat Level blogs about the order and has uploaded a copy of it.
Amazing what can happen when a judge actually thinks about whether a deal worked out by attorneys really benefits the consumers. This settlement had seemed like a “done deal” and then it blew up. It will be interesting to see what the attorneys come back with in response.

This is new to me, is this occurring anywhere else? When everyone has a cell phone, you could start a panic this way.
"Following mass exodus of people belonging to north-east states of India from southern states of India, especially Bangalore, allegedly due to the threatening messages, the government has asked relevant agencies to scan all social media platforms to check for inflammatory and offensive content, following which, the Department of Electronics and Information Technology (DIT) has issued an advisory to all intermediaries in terms of provisions of IT Act and Rules to take action for disabling all such content on priority. Cellphone operators have been told to block all bulk SMSs and videos so nobody can send a message to more than five people at a time."

Nothing chills rational debate faster than playing the religion card.
Are biometric ID tools evil?
August 18, 2012 by Dissent
Mike Elgan writes:
Moss Bluff Elementary School in Lake Charles, La., wanted to speed up the cafeteria line and reduce errors in lunch accounting. So the school bought a Fujitsu PalmSecure biometric ID system, which has a scanner that reads the unique patterns of blood vessels in a human palm, enabling a positive ID, much like a fingerprint would.
When school officials sent out a letter announcing the program, some parents freaked out.
The parents had concerns centering around the belief that all forms of biometric ID constitute what the Christian Bible calls “the mark of the beast.”
Wait, what?
Read more on Computerworld.

Is “crack use” spreading or is there real substance here?
Google Files New Patent Lawsuit Against Apple, Seeks To Block iPhone, iPad & Mac Imports To U.S.

Perhaps not fully backed by irrefutable scientific evidence, but a very useful conceptual approach that all geeks and managers should understand.
If you're sick of the term "cloud" to refer to pretty much anything on "the internet" and consider that phrase a symptom of useless MBA, PHB, PowerPoint talking points oozing where they don't belong, sorry — you'll probably have to endure it for a while yet. Nerval's Lobster writes that Gartner's 2012 Hype Cycle of Emerging Technologies says that "Cloud computing" (along with a few other terms, such as "Near Field Communication" and "media tablets") is not just alive but growing.
"Gartner uses the report to monitor the rise, maturity and decline of certain terms and concepts, the better for corporate strategists and planners to predict how things will trend over the next few months or years. As part of the report, Gartner's analysts have built a Hype Cycle which positions technologies on a graph tracing their rise, overexposure, inevitable fall, and eventual rehabilitation as quiet, productive, well-integrated, thoroughly un-buzz-worthy technologies. Right now, Gartner views hybrid cloud computing, Big Data, crowdsourcing, and the 'Internet of Things' as on the rise, while private cloud computing, social analytics and the Bring Your Own Device (BYOD) phenomenon are coasting at the Peak of Inflated Expectations."

Sure to be over-analyzed...
Marissa Mayer’s First 30 Days
… As a former Yahoo myself, it will be interesting to see what happens to the beleaguered company when a product-driven, consumer-focused CEO is running the show. I, for one, can’t wait to meet her at Disrupt SF. I also look forward to the day when Marissa finally resolves the decade-old question – “Is Yahoo a technology or a media company?” Because she’s already banned, “What is Yahoo?”

A cautionary tale for my Computer Security students.
Mat Honan: How I Resurrected My Digital Life After an Epic Hacking

Just in case I don't confuse my students enough...
August 17, 2012
Google "I'm Feeling Lucky Search" Expands to Include New Functions
Hover your cursor over the I'm Feeling Lucky button on the Google search engine, watch the revolving set of choices, and choose from among one of the following destinations/functions/features that spin by: I’m feeling Doodly; I’m feeling Lucky; I’m feeling Playful; I’m feeling Artistic; I’m feeling Hungry; I’m feeling Puzzled; I’m feeling Trendy; I’m Feeling Stellar; I’m Feeling Wonderful.

As a fan of “hard” Science Fiction rather than the Swords & Sorcerer stuff, I find this reassuring.
‘The Hunger Games’ Trumps ‘Harry Potter’ As Amazon’s Best Selling Series
Amazon.com Inc announced Friday that the bow-and-arrow-wielding Katniss Everdeen has defeated the boy wizard Harry Potter, with “The Hunger Games” trilogy outselling the seven-book Harry Potter series.
… This achievement includes e-book formats as well as print sales.
“Interestingly, this series is only three books versus Harry Potter’s seven, and to achieve this result in just four years is a great testament to both the popularity of the work and, we think, the growth in reading digitally during that time,” she said.
… In July, Scholastic, who publishes both series, announced that they have more than 50 million copies of the original three books in The Hunger Games trilogy in print and digital formats in the U.S. Amazon declined to comment on how many copies it has sold.
Surpassing J.K. Rowling, the author of the Harry Potter series, Amazon UK announced last week that E.L. James, author of the “Fifty Shades” erotic trilogy, has become the best-selling author in history on British [That pretty much defines the fall of the British Empire... Bob]

(Related) Is there hope for future generations?
August 16, 2012
Report - 2012 U.S. Book Consumer Demographics & Buying Behaviors
Via GOOD Education - Generation Read: Millennials Buy More Books Than Everybody Else: "Forget the stereotype of the tweeting, texting, YouTube-watching millennial with a short attention span. According to the 2012 U.S. Book Consumer Demographics and Buying Behaviors Annual Review, if you were born between 1979 and 1989, you spent more money on books in 2011 than older Americans. The survey found that millennials now buy 30 percent of books. In comparison, baby boomers, who have far more disposable income than most millennials, only made 24 percent of book purchases."
  • 2012 U.S. Book Consumer Demographics & Buying Behaviors - from the Summary - "Publishers, online bookstores, and companies that manufacture e-readers have high expectations for the ‘digital book’ industry. A new generation of digital reading devices may, at last, be achieving the long-awaited breakthrough that lures book consumers away from print books. It is now easy for book consumers to purchase a wide variety of books whenever they want and at competitive prices. While some herald the advent of e-books as an opportunity to open new target markets and create customers, others mourn the end of traditional books and doubt the industry will be able to retain control over pricing and content. The digitizing of the printed word further allows authors to map out their own route to publication, bypassing the traditional publisher and instead choosing to self-publish, self-manage and self-promote."

It's like an epidemic of crazed shoppers...
See How Quickly Walmart Took Over America
Take a look at this animated GIF map by Excel Hero that illustrates the wildfire-like spread of Walmart stores that led to its domination of the United States.

One of those, “I wonder what that means” articles...
Fewer and Fewer People Want to Know About Computers, Says Google
Bouncing around Google's trend data, I came across what to me is a very sad looking chart. It's the search volume for a basket of computer and electronics related terms (e.g. "windows, mac, hp, ipod, google, dell, sony, xbox").
We see some seasonality around the holidays, as you would expect, but the dominant trend is DOWN. Every year since Google started tracking this information in 2004, the number of people trying to find information about computers has marched ever downwards. Of course, that could just mean that people understand their machines better or that the machines themselves are good enough that people don't need to look things up about them as often. Or perhaps people have settled into their brand preferences and don't comparison shop like we used to in the old Computer Shopper days.
But whatever the reasons -- and with a trend this big and long, it's almost certainly many reasons -- the number of people interested enough to Google things about desktops, laptops, and other electronics has been halved since 2004.

Well, I find it interesting...
...New digital textbooks, many of which are free and openly-licensed, are on store shelves (app shelves?) and/or coming soon from Garden Valley State University (calculus), Kansas State University (nutrition), 20MM and Highlighter (sociology), and Georgia College (ed-tech).
...The state of Nebraska is building its own virtual library system for schools.
...An animation teacher at the Art Institute of California is facing firing due to his refusal to make his students buy a textbook.
...Georgetown University’s Center on Education and the Workforce has released a new report detailing the relationship between job gains and education level immediately before and after this recent recession, and the differences between those with and without college degrees are pretty stark. According to a headline in The Atlantic this proves “beyond a doubt the value of a college degree.”

Friday, August 17, 2012

Catching up to the 9 year old script kiddies...
"The DHS and ICS-CERT are warning users of some popular Tridium Niagara AX industrial control system software about a series of major vulnerabilities in the applications that are remotely exploitable and could be used to take over vulnerable systems. The bugs, discovered by researchers Billy Rios and Terry McCorkle, are just the latest in a series of vulnerabilities found in the esoteric ICS software packages that control utilities and other critical systems. The string of bugs reported by Rios and McCorkle include a directory traversal issue that gives an attacker the ability to access files that should be restricted. The researchers also discovered that the Niagara software stores user credentials in an insecure manner. There are publicly available exploits for some of the vulnerabilities."

“Download our 'surveil yourself' App!”
"Motorists are being invited to help develop a new driving app that could earn them a discount of 'up to 20%' on their motor insurance. British insurer Aviva is using smartphone technology to create individual driver profiles that will be used to calculate tailored pay-how-you-drive premiums. The driver behavioral app, Aviva RateMyDrive, will monitor motorists taking part in the test for 200 miles, including acceleration, braking and cornering. This data is then turned into an individual score which helps determine the motorist's premium, with 'safer' drivers earning up to 20% off their deal."

Don't worry, it's just that DHS worker bees don't know what policy DHS executive leadership has implemented.
EPIC FOIA – Documents Shed Further Light on Homeland Security Pursuit of Crowd Surveillance
August 17, 2012 by Dissent
New documents obtained by EPIC under the Freedom of Information Act provide further details on a DHS plan to use multiple surveillance technologies to search people in public spaces. Previous EPIC FOIA work produced records about a similar DHS program, which the government agency subsequently claimed it had cancelled. However, the new documents obtained by EPIC show that the DHS was still pursuing mobile crowd surveillance as recently as 2011. The technologies include “intelligent video,” backscatter x-ray, Millimeter Wave Radar, and Terahertz Wave, and could be deployed at subway platforms, sidewalks, sports arenas, and shopping malls. For more information, see EPIC: EPIC v. DHS (Mobile Body Scanners FOIA Lawsuit) and EPIC: Electronic Frisking

“So if you ask to see an image, that's okay, but we don't store the image, so you can't see it unless we think it's related to a crime, in which case you can't see it because it's evidence...” So what actually changes?
Nation’s police chiefs adopt drone code of conduct (updated)
August 16, 2012 by Dissent
Stephen Dinan reports:
The nation’s police chiefs have adopted a code of conduct for their use of drones, including letting any images captured by unmanned aerial vehicles, or UAVs, be open to inspection by the public, and that the images not be stored unless they are evidence of a crime or part of an ongoing investigation.
The chiefs also said that if they plan to fly drones over an area where they are likely to spot criminal activity and where they would be intruding on someone’s “reasonable expectations of privacy,” they should seek to get a search warrant first.
Read more on Washington Times.
Update: Thanks to Ryan Calo, who pointed me to the full code of conduct. The full code contains a statement on image retention that was omitted in the media report:
1. Unless required as evidence of a crime, as part of an on-going investigation, for training, or required by law, images captured by a UA should not be retained by the agency.
2. Unless exempt by law, retained images should be open for public inspection.
The “for training” in (1) seems like a pretty permissive standard, and it would be better if that were limited.

That does it. I'm creating “None of the above” to accept donations.
Text Message Donations Good for Democracy, Risky for Privacy
In June, the Federal Election Commission announced that political campaigns will soon be able to accept donations via text message. This new option will empower thousands of citizens, especially young and low-income people who have less money to give but tend to use cellphones at a greater rate, to participate more actively in the political process.
… But this proposal also has a potential downside: a loss of privacy.
An outdated patchwork of statutes has created a complex web of standards governing law enforcement’s access to communications handled by third-party providers. This includes differential treatment for the content of communications and for the “metadata” about those communications.

Actually, this would explain a lot about the RIAA and MPAA.

Tools to torture students? “Dude! No electric guitars? No window shattering bass? No cursing? You call this music?”
"Just under two years ago Musopen launched a Kickstarter campaign covered here on Slashdot. Today that project is complete with the release of a large amount of classical recordings into the public domain. This brings an extensive collection of high quality classical music into the public domain. The project music is hosted on the Musopen site, and on"

'cause you never know when you might need a “∑” or a “μ” or a “∛”
… what if you want to type something that is not readily available on the keyboard? If that’s the case you need to check out PiliApp Symbol. It has hundreds of symbols available for you to use however you wish.

Of course this come out right at the end of my Statistics class. I would like my students to give this a try.
How Statwing Makes It Easier To Ask Questions About Data So You Don’t Have To Hire a Statistical Wizard
Statwing is a Y-Combinator startup that translates the arcane technical terminology into plain English so you can do data analysis on your own.

So many students don't know how to do this...

Thursday, August 16, 2012

Gaming the gamers...
"Anonymous has claimed a new attack on Sony PlayStation Network and this time around it seems that it has managed to hack nearly 10 million user accounts and as proof of the hack dumped more than 3000 credentials online in the form of a pastebin post. The notorious hacktivist group is claiming that the entire set of hacked credentials contains over 10 million PSN accounts and that the file is of around 50GB."

Some still in it for the money...
… According to press reports from Australia, an Eastern European criminal syndicate targeted a small Australian business enterprise and hacked their way to details of half a million credit cards from the company’s network.
Losses from fraudulent purchases made with the stolen credit card details could total up to $25 million. To pre-empt the use of these credit cards, Australian banks have placed the cards on a high-alert watch list.

States can sponsor some serious hacking for “chump change” Is that what's happening here?
Reuters hacked (again) with fake story of Saudi minister's death
Someone must have it out for Reuters. For the second time in two weeks, the blogging platform for the news source's Web site has been hacked into and false stories have been illicitly published.
Today's sham article reported that Saudi Arabia's Foreign Minister Prince Saud al-Faisal had died, according to Reuters. The first bogus story, posted earlier this month, was about the rebel Free Syrian Army suffering setbacks in their battle against Syrian President Bashar al-Assad's regime.
"Reuters did not report the false story and the post was immediately deleted," Reuters News' director of global communications Barb Burg said in a statement. "We are working to address the problem."
In addition to the Web site's blogging platform, Reuters' Twitter account was also hacked in the past two weeks. Hackers got into the Reuters Tech account, renaming it TechMe, and false tweets were posted about the Syrian rebels being defeated in a major battle.
It's still unclear who is behind these news hacks. But Reuters hints that it may have been pro-government forces in Syria. In its article today it writes, "Saudi Arabia has emerged as a staunch opponent of Assad."

(Related) Hacking as CyberWar?
Syrian dissidents besieged by malware attacks
As the Syrian civil war continues to escalate, pro-government forces are allegedly carrying out a cyberwar against local dissidents.
Syrian activists, journalists, and government opposition groups are under a barrage of targeted malware attacks, according to the watchdog group Electronic Frontier Foundation. What this malware does is deceptively install surveillance software into a computer under the guise of protecting the computer from viruses. Its name is AntiHacker.

Think they'll be available in Walmart soon?
"Today, tens of thousands of license plate readers (LPRs) are being used by law enforcement agencies all over the country—practically every week, local media around the country report on some LPR expansion. But the system's unchecked and largely unmonitored use raises significant privacy concerns. License plates, dates, times, and locations of all cars seen are kept in law enforcement databases for months or even years at a time. In the worst case, the New York State Police keeps all of its LPR data indefinitely. No universal standard governs how long data can or should be retained."

Is Facebook making its own global law? (Might be an interesting title for a research paper)
Germans reopen Facebook privacy inquiry, but what can they really do?
August 15, 2012 by Dissent
Kevin J. O’Brien reports:
Data protection officials in Germany reopened an investigation into Facebook’s facial recognition technology Wednesday, saying the social networking giant was illegally compiling a vast photo database of users without their consent.
The data protection commissioner in Hamburg, Johannes Caspar, said he had reopened his investigation, which he had suspended in June, after repeated attempts to persuade Facebook to change its policies had failed.
Read more on NY Times, where O’Brien discusses the possible outcomes or consequences. Overall, this case illustrates how difficult it may be for countries to compel compliance with EU privacy laws when the company is headquartered in the U.S. In this case, Facebook also has a headquarters in Ireland, but the Irish Data Protection Commissioner had previously concluded that notice, not consent, was required. The Irish DPC came under pressure when the EU privacy panel indicated that consent – and not just notice – was required.
During the comment period for the FTC’s proposed settlement with Facebook, EPIC wrote to the FTC about the issue of photo tagging and compilation of biometric data. The FTC responded:
(2) You urge the Commission to prohibit Facebook from creating facial recognition profiles without users’ express consent.
The comprehensive privacy program described above will require Facebook to implement practices that are appropriate to the sensitivity of the “covered information” in question, which is very broadly defined in the order and would include biometric data. Moreover, the biennial audits of its privacy practices will help ensure that Facebook lives up to these obligations. Although the order does not specifically require that Facebook obtain a user’s consent for the creation of facial recognition data, the order’s broad prohibition on deception is designed to ensure that Facebook will be truthful with users about such practices. Likewise, the affirmative express consent requirement, described above, is designed to ensure that Facebook upholds privacy settings that it offers to users to protect such information.
So there’s no help there in closing the gap between EU privacy and U.S. privacy law.

This sounds interesting...
August 15, 2012
Paper - A Technology-Centered Approach to Quantitative Privacy
Gray, David C. and Citron, Danielle Keats, A Technology-Centered Approach to Quantitative Privacy (August 14, 2012). Available at SSRN
  • "Our analysis and proposal draw upon insights from information privacy law. Although information privacy law and Fourth Amendment jurisprudence share a fundamental interest in protecting privacy interests, these conversations have been treated as theoretically and practically discrete. This Article ends that isolation and the mutual exceptionalism that it implies. As information privacy scholarship suggests, technology can permit government to know us in unprecedented and totalizing ways at great cost to personal development and democratic institutions. We argue that these concerns about panoptic surveillance lie at the heart of the Fourth Amendment as well. We therefore propose a technology-centered approach to measuring and protecting Fourth Amendment interests in quantitative privacy. As opposed to proposals for case-by-case assessments of information “mosaics,” which have so far dominated the debate, we argue that government access to technologies capable of facilitating broad programs of continuous and indiscriminate monitoring should be subject to the same Fourth Amendment limitations applied to physical searches."

What's to hide? We know what the technology can do, so it must be a legal maneuver?
ACLU Sues FBI to Get GPS-Tracking Memos
In the wake of the Supreme Court’s decision earlier this year striking down the use of a GPS tracker on a suspect’s car without a warrant, the FBI issued two memos to agents with new guidelines for the use of the surveillance technology.
But the agency is withholding those memos from the public and has failed to respond to a records request submitted by the American Civil Liberties Union in July to obtain the documents.
On Tuesday, the ACLU filed a lawsuit against the FBI (.pdf), seeking the immediate release of the documents on the grounds that the public has a strong interest in knowing how the FBI is complying with the ruling.

“If you want to work for me, you must love me.” How Victorian.
Virginia deputy fights his firing over a Facebook 'like'
A Virginia sheriff's deputy has been fired for liking his boss's political opponent -- on Facebook.
Now Daniel Ray Carter Jr. is fighting back in court, arguing that a "like" should be protected by his First Amendment right to free speech. It's a case that could settle a significant question at a time when hundreds of millions of people express themselves on Facebook, sometimes merging their personal, professional and political lives in the process.
According to court documents, the case began when Sheriff B.J. Roberts of Hampton, Virginia, fired Carter and five other employees for supporting his rival in a 2009 election.

Possibly related?
August 15, 2012
The State of the First Amendment: 2012
"The First Amendment Center has supported an annual national survey of American attitudes about the First Amendment since 1997. The State of the First Amendment: 2012 is the 16th survey in this series. This year’s annual survey repeats some of the questions that have been administered since 1997 and includes new questions on the role of religion in the presidential election, attitudes about government’s control of the Internet, and opinions about the use of copyrighted material on the Internet. This report summarizes the findings from the 2012 survey, and where appropriate, depicts how attitudes have changed over time. The first section of this report presents the survey methodology used to conduct the State of the First Amendment research. The second section highlights the key findings from the 2012 project. The final section presents the complete survey results including question wording and trend data."

What do you bet that schools won't read this...
August 15, 2012
FTC Advises Parents How to Protect Kids' Personal Information at School
News release: "A new school year usually means filling out paperwork like registration forms, health forms, and emergency contact forms, to name a few. The Federal Trade Commission wants parents to know that many school forms require personal and sensitive information that, in the wrong hands, could be used to commit fraud in their child’s name. A criminal can use a child’s Social Security number to get government benefits, open bank and credit card accounts, or rent a place to live. Most parents and guardians don’t expect their child to have a credit file, and rarely order or monitor a child’s credit report. Child identity theft may go undetected for years – until the child applies for a job or loan and discovers problems in a credit report. To help limit the risks of child identity theft, the Federal Trade Commission offers Protecting Your Child’s Personal Information at School. It explains how the federal Family Educational Rights and Privacy Act protects the privacy of student records and gives parents of school-age children the right to opt out of sharing contact information with third parties. It also suggests that parents ask their child’s school about its directory information policy, learn about privacy policies of sports or music activities that are not school-sponsored, and find out what to do if their child’s school experiences a data breach. The second publication, Safeguarding Your Child’s Future, offers tips on how to keep your child’s data safe at home and online, and explains the warning signs of child identity theft. It also explains how parents and guardians can check whether their child has a credit report, and what to do if the report has errors."

How trivial can $340 million be? (It's good to be a banker!)
Standard Chartered agrees $340m settlement with US regulator over Iran
Standard Chartered has fended off threats by a New York regulator to revoke its banking licence for alleged breaches of US sanctions. Chief executive Peter Sands is however under intense pressure after the bank agreed to pay $340m (£220m) despite insisting that it had committed only minor breaches of the rules.
Barely 24 hours before the bank was due to attend a hearing with the New York department of financial services (DFS), the regulator announced the surprise settlement, which also includes the installation of a monitor for at least two years to evaluate the bank's risk controls. Inspectors from the DFS will be installed at the bank's office in New York and the bank will "permanently install personnel" in New York solely to ensure that it adheres to money laundering laws.

This should be interesting. (Silly me, I thought they would have had to do this when they asked for extradition)
New Zealand court says FBI must disclose MegaUpload evidence
The lawyers for Kim DotCom and MegaUpload continue to rack up court victories in New Zealand.
One of the country's courts has ordered the United States to turn over evidence it says it has that proves DotCom committed criminal acts of piracy. The U.S. Attorney's office has accused DotCom, founder of the cloud-storage service, of operating MegaUpload as a criminal enterprise.
U.S. officials say that MegaUpload made over $175 million by enabling users to store pirated digital media, including movies, music and software, on the company's servers. They accuse him of encouraging the looting and wish to extradite him to this country to stand trial.
But New Zealand doesn't appear ready to take the word of the FBI that DotCom and six other MegaUpload managers committed crimes. They want to see the proof.

For my Data Mining / Data Analysis students: Drool baby, drool!
Google’s Dremel Makes Big Data Look Small
… Since the rise of Hadoop, Google has published three particularly interesting papers on the infrastructure that underpins its massive web operation. One details Caffeine, the software platform that builds the index for Google’s web search engine. Another shows off Pregel, a “graph database” designed to map the relationships between vast amounts of online information. But the most intriguing paper is the one that describes a tool called Dremel.
… “You have a SQL-like language that makes it very easy to formulate ad hoc queries or recurring queries — and you don’t have to do any programming. You just type the query into a command line,” says Urs Hölzle, the man who oversees the Google infrastructure.
The difference is that Dremel can handle web-sized amounts of data at blazing fast speed. According to Google’s paper, you can run queries on multiple petabytes — millions of gigabytes — in a matter of seconds.

If the US ever gets people to Mars, we're going to have to rent space... Go India!
neo12 writes in with the news that India plans on being the 6th country to launch a mission to Mars.
"Making the first formal announcement on the country's Mars mission, Prime Minister Manmohan Singh on Wednesday said India will send a mission to the Red Planet that will mark a huge step in the area of science and technology. 'Recently, the Cabinet has approved the Mars Orbiter Mission. Under this Mission, our spaceship will go near Mars and collect important scientific information,' he said addressing the nation from the ramparts of the Red Fort on the occasion of the 66th Independence Day."

For my “Intro” classes. I like a bit of reiteration with my redundant repetition...

For my Computer Security students

Wednesday, August 15, 2012

Hey, maybe we don't need no stinking badges!
Location, location, location: two warrantless surveillance cases in the courts
August 14, 2012 by Dissent
EFF has issued a press release about U.S. v. Jones, a case in the District Court for the District of Columbia:
A federal district court is poised to determine whether the government can use cell phone data obtained without a warrant to establish an individual’s location. In an amicus brief filed Monday, the Electronic Frontier Foundation (EFF) and the Center for Democracy & Technology (CDT) argue that this form of surveillance is just as unconstitutional as the warrantless GPS tracking the U.S. Supreme Court already shot down in this case.
“Location data is extraordinarily sensitive. It can reveal where you worship, where your family and friends live, what sort of doctors you visit, and what meetings and activities you attend,” said EFF Senior Staff Attorney Marcia Hofmann. “Whether this information is collected by a GPS device or a mobile phone company, the government should only be able to get it with a warrant based on probable cause that’s approved by a judge.”
Read more on EFF.
Meanwhile, in the Sixth Circuit, the Court of Appeals has issued its opinion in U.S. v. Skinner, and it’s not good news for privacy advocates. Unlike Jones, law enforcement did not attach a GPS to a suspect’s car, but did ping his cellphone to discover his location. Here’s the beginning of the opinion:
When criminals use modern technological devices to carry out criminal acts [If the cell phone was just “along for the ride” would the decision have been different? Bob] and to reduce the possibility of detection, they can hardly complain when the police take advantage of the inherent characteristics of those very devices to catch them. This is not a case in which the government secretly placed a tracking device in someone’s car. The drug runners in this case used pay-as-you-go (and thus presumably more difficult to trace) cell phones to communicate during the cross-country shipment of drugs. Unfortunately for the drug runners, the phones were trackable in a way they may not have suspected. The Constitution, however, does not protect their erroneous expectations regarding the undetectability of their modern tools.
The government used data emanating from Melvin Skinner’s pay-as-you-go cell phone to determine its real-time location. This information was used to establish Skinner’s location as he transported drugs along public thoroughfares between Arizona and Tennessee. As a result of tracking the cell phone, DEA agents located Skinner and his son at a rest stop near Abilene, Texas, with a motorhome filled with over 1,100 pounds of marijuana. The district court denied Skinner’s motion to suppress all evidence obtained as a result of the search of his vehicle, and Skinner was later convicted of two counts related to drug trafficking and one count of conspiracy to commit money laundering. The convictions must be upheld as there was no Fourth Amendment violation, and Skinner’s other arguments on appeal lack merit. In short, Skinner did not have a reasonable expectation of privacy in the data emanating from his cell phone that showed its location.
Citing Knotts, the opinion explains:
There is no Fourth Amendment violation because Skinner did not have a reasonable expectation of privacy in the data given off by his voluntarily procured pay-as-you-go cell phone. If a tool used to transport contraband gives off a signal that can be tracked for location, certainly the police can track the signal. The law cannot be that a criminal is entitled to rely on the expected untrackability of his tools. Otherwise, dogs could not be used to track a fugitive if the fugitive did not know that the dog hounds had his scent. A getaway car could not be identified and followed based on the license plate number if the driver reasonably thought he had gotten away unseen. The recent nature of cell phone location technology does not change this. If it did, then technology would help criminals but not the police. It follows that Skinner had no expectation of privacy in the context of this case, just as the driver of a getaway car has no expectation of privacy in the particular combination of colors of the car’s paint.
Lest you think this just applies to criminals, the court hastens to assure that the lack of expectation of privacy from government pings applies to us all. In a footnote, they write:
We do not mean to suggest that there was no reasonable expectation of privacy because Skinner’s phone was used in the commission of a crime, or that the cell phone was illegally possessed. On the contrary, an innocent actor would similarly lack a reasonable expectation of privacy in the inherent external locatability of a tool that he or she bought.
You can read the full opinion here.

(Related) Who was confused?
Sixth Circuit Rules That Pinging a Cell Phone to Determine Its Location is Not a Fourth Amendment “Search”
August 15, 2012 by Dissent
Orin Kerr offered some comments on yesterday’s opinion in U.S. v. Skinner, previously mentioned on this blog. Here’s part of his commentary:
1) Unless I’m just missing something obvious, the opinion seems pretty vague on the technological facts. The majority opinion initially says that the government obtained a court order ordering the cell phone company to release “cell site information, GPS real-time location, and ‘ping’ data” for the phone used by the suspect. It then says that the government tracked the suspect’s location by “pinging” the cell phone over three days. Later on, the majority opinion (and the concurrence) refers to the location information as “GPS location information.” But cell-site information and GPS information are different, and “pinging” the cell phone could mean actively sending a request for cell-site data, actively sending a request for GPS data, or something else. So I’m a bit murky on the facts of what happened, which makes it hard to know what to make of the court’s analysis.
2) The murkiness of the facts is particularly unfortunate because the reasoning of the majority opinion relies heavily on cell phones broadcasting location information as just part of the way that they work. But if pinging the cell phone means actively sending a request to the phone to return its current GPS location, that’s not just how cell phones work: That’s the product of the cell phone provider setting up a mechanism by which the government can manipulate the phone into revealing its location. That seems to be a very different category of Fourth Amendment problem than a problem of how a technology “naturally” works.
Read more on The Volokh Conspiracy.

Beware who you “Friend?”
No Fourth Amendment violation when government looked at Facebook profile using friend’s account
August 14, 2012 by Dissent
Evan Brown writes:
U.S. v. Meregildon, — F.Supp.2d —, 2012 WL 3264501 (S.D.N.Y. August 10, 2012)
The government suspected defendant was involved in illegal gang activity and secured the assistance of a cooperating witness who was a Facebook friend of defendant. Viewing defendant’s profile using the friend’s account, the government gathered evidence of probable cause (discussion of past violence, threats, and gang loyalty maintenance) which it used to swear out a search warrant.
Read more about the case on Internet Cases.

Will the EU follow?
"The German Federal Court of Justice has ruled that ISPs have to turn over to rights-holders the names and addresses of illegal file sharers, but only 'if a judge rules that the file sharer indeed infringed on copyright,' said the court's spokeswoman, Dietlind Weinland. The ruling overturns two previous rulings by regional courts and is significant because the violation doesn't have to happen on a commercial scale, but applies whenever 'it is possible to know who was using an IP address at the time of the infringement,' the court said."

Is this another “all parties must consent” issue?
Former ACORN Worker Can Sue Right-Winger on Privacy Claim
August 14, 2012 by Dissent
Matt Reynolds reports:
A federal judge refused to throw out claims that a right-wing activist violated the privacy of an ACORN worker who was taped counseling defendant James O’Keefe, who sought advice on how to fill his house with underage prostitutes.
Juan Carlos Vera sued O’Keefe and his associate Hanna Giles in Federal Court on privacy claims, after O’Keefe secretly filmed Vera at an ACORN office in National City in 2009.
Read more on Courthouse News.

A little anti-social might be called for here... Similar to: “Attention all burglars: We're going to be out of town starting...”
Dell CEO’s Kid Overshares on Social Media
The twitter account for Alexa Dell, daughter of Dell founder Michael Dell, has been deactivated following security concerns prompted by her detailed account of the family’s whereabouts.
The security of the CEO, who expects to spend $2.7 million in 2012 to keep his family safe, came under question after a photo of Zachary Dell was posted by his sister Alexa on photo-sharing app Instagram, according to Bloomberg Businessweek.
The teenager shared a photo of Zachary devouring cuisine in a private plane on a trip to Fiji. But, that’s not all, the magazine reported. Like millions of others who use social network sites, she would often-times detail the time, date and location of many events attended by the family, including trips to New York City and a high school graduation dinner, according to Bloomberg Businessweek.

Testing software should mean you test all of it. (This somewhat conflicts with earlier reports) And running new or old software, you should always know what is happening and which program does what.
New submitter alexander_686 points out a Bloomberg article about the cause of Knight Capital Group's $440 million algorithmic trading disaster from a couple weeks ago. The report says a dormant software system was accidentally activated on August 1, which immediately began increasing stock trade volumes by a factor of 1,000. The Wall Street Journal has further details:
"Knight Capital Group Inc.'s accidental trades earlier this month were triggered by a flawed upgrade of trading software that caused an older trading system connected to the computer code to inadvertently go 'live' on the market, according to people familiar with the matter. The errors at Knight on Aug. 1 involved new code the Jersey City, N.J.-based brokerage designed to take advantage of the launch of a New York Stock Exchange trading program, which was introduced that day to attract more retail-trading business to the Big Board, the people say. ... When NYSE Euronext trading floor officials called Knight at about 9:35 a.m. to try to pinpoint the cause of unusual swings in dozens of stocks, just after the Big Board opened for trading, Knight traders and their supervisors had a difficult time detecting where in its systems the problem was located, say people familiar with the morning's events. The NYSE had to call Knight several times before deciding to shut the firm off, the people say."

Tuesday, August 14, 2012

Phil does good software. Adding the Seals is interesting, but probably not significant. Perhaps they could market to law firms for client communications?
Email Privacy Pioneer Launches Silent Circle To Protect Mobile, Internet Calls
August 14, 2012 by Dissent
An Internet privacy veteran and inventor of a popular email encryption scheme is launching a suite of new products next month that will allow people to scramble their mobile phone calls, e-mails, text messages and Internet voice and video calls.
Phil Zimmermann, creator of the standard email encryption known as PGP, which stands for ‘Pretty Good Privacy’, will roll out the private, encrypted communications tools on September 17 through his company, Silent Circle.
The software will be available for download to iPhones, Androids, desktops and laptops worldwide, and will give customers the ability to scramble their mobile and Internet voice calls and messages, including those conducted via Skype and FaceTime.
Read more on RedOrbit.

No mention of the resolution of the 'excessive force' claim. If the quotes were published in a newspaper article there would have been no violation (and everyone could claim they were mis-quoted) Would this also apply to a live TV interviewer asking the same questions? (Perhaps answering with a camera in your face is “consent?”)
Anatomy of a Privacy Victim
August 14, 2012 by Dissent
Stewart Baker writes:
Adam Mueller, a police-the-police campaigner, has been convicted and sentenced to three months in jail for recording and posting telephone conversations with a police captain, a high school principal and a school secretary in Manchester, NH. Mueller was calling for comment on a student’s cell phone video allegedly showing a Manchester officer using excessive force. The conviction has led to sympathetic coverage in both the left and right blogospheres.
But one point hasn’t gotten much coverage. It turns out that Mueller was convicted of violating a privacy law.
He had recorded a conversation “without the consent of all parties to the communication,” a violation of NH 570-A:2. New Hampshire is one of about a dozen “all party consent” states.
Read more on The Volokh Conspiracy

(Related) Another pesky Privacy law
By Dissent, August 14, 2012
Rich Daly reports:
Strong state privacy laws continue to complicate health information exchanges’ efforts to ease health-data sharing, a senior federal health technology official said Monday. And a key to overcoming such obstacles may be greater use of meta tags.
Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health Information Technology, told a Washington health policy gathering that some health information exchanges are not accepting electronic health records containing mental health or substance-abuse data. Their refusal stems from concerns that certain state medical privacy laws that are more strict than federal law and require individual patient agreement before their data is shared preclude exchanges’ use of the information.
The proposed solution – meta-tagging sensitive elements and requiring patient permission to open the protected elements – may not be an adequate solution, however. In the last few years, we have seen all too many hacks of data that custodians may have believed were secure. As long as the sensitive data are embedded, they will be at some level of risk of acquisition and viewing by unauthorized individuals.
Read more on Modern Healthcare (free subscription required)

Perhaps the law does apply to Hulu
Hulu’s attempt to dismiss privacy lawsuit fails
August 13, 2012 by Dissent
Hulu’s attempt to dismiss a consolidated class action complaint alleging violations of the Video Privacy Protection Act (VPPA) failed when federal Magistrate Judge Laurel Beeler denied their motion on Friday.
The lawsuit (previous coverage) is one of a few that were filed over the use of re-spawning cookies (“supercookies”). In this case, the plaintiffs allege that their personally identifiable information was shared, without their knowledge or consent, with third parties that included online ad networks, metrics companies, and social networks such as Scorecard Research (“Scorecard”), Facebook, DoubleClick, Google Analytics, and QuantCast.
Hulu’s arguments – all of which were rejected by the court – claimed that the plaintiffs did not have standing, a streaming service was not covered by the VPPA, and even if it was, the sharing of data was part of the firm’s “usual course of business,” and hence, did not violate the Act.
Their motion to dismiss also argued that the plaintiffs were not paid “subscribers” to their service. The VPPA talks about “consumers,” defined as renters, purchasers, or subscribers. Hulu argued – unsuccessfully – that the term “subscriber” should involve some payment, and since the plaintiffs hadn’t paid anything, they had no standing. The court disagreed.
In September 2011, Congressmen Markey and Barton asked the FTC to investigate the use of re-spawning cookies as a deceptive and unfair practice under the FTC Act. The FTC, however, has not taken any action that has been made public as of this date.
In light of Hulu’s failure to get a dismissal of the lawsuit, can a settlement be far behind?

The tools of Big Brother
Big Brother is watching UAE’s kids: National ID cards roll-out
August 13, 2012 by Dissent
Emirati and expatriate children under the age of 15 across the country have to register for a national ID card by September 30 to avoid fines. There is however an exception for expatriate children whose visa is set to expire later this year…. Except the two exempted categories, most UAE residents have already registered for national ID cards, Al Khoury said. “About 95 per cent of the population has already registered as the deadline for all other categories has ended,” he said.
Read more on Albawaba.

We can, therefore we must?
Scottish police have snooped on emails and calls 85,000 times in the last five years
August 13, 2012 by Dissent
Mark Aitken reports:
Scots police have secretly accessed people’s private email and phone records more than 85,000 times in the last five years.
But each application to telecom firms for the information can contain requests for several different individuals, so the true scale of the scrutiny is far greater.
Northern Constabulary, who serve a population of 300,000, made more than 20,000 snooping applications – roughly one for every 15 people in the area.
Yesterday, one civil liberties campaigner warned Scotland was moving towards the same levels of surveillance as China and Iran.
Read more on Daily Record.

An argument we will have here in the US
Australian Privacy Foundation slams privacy amendments
August 13, 2012 by Dissent
Chris Jager reports:
The Australian Privacy Foundation (APF) has slammed the Federal Government’s proposed amendments to privacy legislation as a “lost opportunity” in improving areas such as credit reporting practices and protection from data off-shoring.
APF board member Nigel Waters told a Senate inquiry late last week that the proposed bill would “significantly weaken” privacy protections for Australians.
The amendments would introduce a new set of privacy principles aimed at improving practices within both Government and the private sector, while providing the Privacy Commissioner with new powers, and the ability to fine companies up to $1.1 million for repeated breaches of the law.
However, Waters criticised the proposed amendments for further complicating aspects of the privacy regime, stating the act would fail to meet current international best practice standards.
Read more on ITnews.

“Can't tell your claims without a scorecard!” (I still don't get it.)
All of Apple's patent claims against Samsung in one chart

Problems are inevitable, so we might as well create a few “I told ya so” articles
FAA Documents Raise Questions About Safety of Drones in U.S. Airspace

Good managers find enabling lawyers – the other kind are a dime a dozen. (It's much easier to say, “You can't do that!” than it is to say, “Here's what you must do before you do that.”)
"In the documentary Scared Straight! a group of inmates terrify young offenders in an attempt to 'scare them straight' (hence the show's title) so that those teenagers will avoid prison life. A 2002 meta-analysis of the results of a number of scared straight and similar intervention programs found that they actively increased crime rates, leading to higher re-offense rates than in control groups that did not receive the intervention. For those considering the use of social media in their business, it is quite easy to read Navigating Social Media Legal Risks: Safeguarding Your Business as a scared straight type of reference. Author Robert McHale provides so many legal horror stories that most people would simply be too afraid of the legal and regulatory risks to ever consider using social media."
Keep reading for the rest of Ben's review.

Perspective (and it's not like they have just one) What other industries will need data centers of this scale?
"JPMorgan Chase spends $500 million to build a data center, according to CEO Jamie Dimon. That figure places the firm's facilities among the most expensive in the industry, on a par with investments by Google and Microsoft in their largest data centers. Dimon discussed the firm's IT spending in an interview in which he asserts that huge data centers are among the advantages of ginormous banks. Dimon also offered a vigorous defense of the U.S. banking industry. 'Most bankers are decent, honorable people,' Dimon says. 'We're wrapped up in all this crap right now. We made a mistake. We're sorry. It doesn't detract from all the good things we've done. I am not responsible for the financial crisis.'"

The strait is a mere 21 miles wide, the channel much narrower, but you would think that a 333-meter long tanker would be noticed even at night. The Porter at 154 meters should be agile enough to avoid the tanker. So what really happened?
US Navy ship collides with oil tanker in Gulf
DUBAI, United Arab Emirates — A U.S. Navy guided missile destroyer was left with a gaping hole on one side after it collided with an oil tanker early Sunday just outside the strategic Strait of Hormuz.
The collision left a breach about 10 feet by 10 feet (three by three meters) in the starboard side of USS Porter. No one was injured on either vessel, the U.S. Navy said in a statement.
The collision with the Panamanian-flagged and Japanese-owned bulk oil tanker M/V Otowasan happened about 1 a.m. local time.

For my Ethical Hackers.
"NASA's Curiosity rover has now been on the surface of Mars for just over a week. It hasn't moved an inch after landing, instead focusing on orienting itself (and NASA's scientists) by taking instrument readings and snapping images of its surroundings. The first beautiful full-color images of Gale Crater are starting to trickle in, and NASA has already picked out some interesting rock formations that it will investigate further in the next few days. Over the weekend and continuing throughout today, however, Curiosity is attempting something very risky indeed: A firmware upgrade. This got me thinking: If NASA can transmit new software to a Mars rover that's hundreds of millions of miles away... why can't a hacker do the same thing? In short, there's no reason a hacker couldn't take control of Curiosity, or lock NASA out. All you would need is your own massive 230-foot dish antenna and a 400-kilowatt transmitter — or, perhaps more realistically, you could hack into NASA's computer systems, which is exactly what Chinese hackers did 13 times in 2011."

Perspective and a case study for my Business Continuity students. Be careful who you annoy...
WikiLeaks endures a lengthy DDoS attack
… "The attack is well over 10Gbits/second sustained on the main WikiLeaks domains," read one of several tweets the organization posted on Friday. "The bandwidth used is so huge it is impossible to filter without specialized hardware, however... the DDoS is not simple bulk UDP or ICMP packet flooding, so most hardware filters won't work either. The range of IPs used is huge. Whoever is running it controls thousands of machines or is able to simulate them."

It's no longer a few wax cylinders... With a Google account (and audio & video gear) I could stream seminars to a global audience.
Google Nerds Request Entry to Your Rock Concert
The internet has revolutionized the distribution of music over the past 15 years, but the staging of big concerts and smaller live shows has remained steadfastly analog. Musicians who worried that tools like Napster and BitTorrent undermined their livelihoods could take solace in the notion that they’d still make money off ticket sales.
But today Google launched a feature that could be hugely disruptive to the concert business. You wouldn’t necessarily know it from its complicated title — Google+ Hangouts On Air Studio Mode — but the new feature finally takes live concert streaming from an occasional internet curiosity requiring big-company expertise to something any band can do.
By making it easier to stage live shows for far-flung fans, Google will change the music business in ways that are hard to predict. Clearly, established artists will still be able to charge for live, face-to-face shows — a video conference might be better than no concert, but it’s not yet a substitute for the real thing. At the same time, Google’s mass video conferences can open doors. At least one artist is already saying she’s found stardom through a precursor to Google+ Hangouts On Air Studio Mode that launched four months ago.

Is this the new Yahoo?
Yahoo unveils #HashOut, a social media talk show
As a slew of Internet companies have started creating their own content, Yahoo is also getting in the game.
The Web pioneer announced today that it is working on a social media talk show called #HashOut with some big-hitter names like Arnold Schwarzenegger's ex-wife and journalist Maria Shriver, Princeton professor Anne-Marie Slaughter, "Lost" co-creator Damon Lindelof, and more.
Yahoo is deeming the show as "a new way to talk about the news," and says that it is also "the first talk show conducted over social media."