Saturday, September 15, 2012

A tiny breach, but with all the “Worst Practices”
By Dissent, September 14, 2012
A press release from the Feinstein Institute for Medical Research:
After learning that a laptop containing research study information was stolen from an employee’s car, the Feinstein Institute for Medical Research announced today it is sending letters to some research participants, advising of the possible disclosure of some personal and health information.
“Although both the computer and the health information contained on the laptop were password protected, we cannot rule out the possibility that such information could be accessed,” Kevin Tracey, MD, president and chief executive officer of the Feinstein Institute, wrote in a letter to approximately 13,000 current and past participants in about 50 different research studies, which represent about two percent of the 2,100 clinical trials coordinated by the Manhasset, NY-based research enterprise, part of the North Shore-LIJ Health System.
The Feinstein Institute is offering one year of free credit monitoring for the much smaller number of participants whose social security numbers were included with information contained in the stolen laptop.[That's below the more common two years... Bob]
… “Although we are not aware of any improper use of your information, [Other than by our employees... Bob] our priority is to help protect you against potential fraudulent activities,” Dr. Tracey said.
The laptop was stolen from the car of a computer programmer involved in organizing research data at the Feinstein Institute. [Why would a programmer have live data? Bob]
The theft has been reported to law enforcement authorities and extensive efforts were pursued to retrieve the laptop. [I would love to know what “extensive efforts” are. Bob]
… To reduce the risk of future breaches, the Feinstein Institute is pursuing aggressive steps to strengthen its IT security and will engage a leading digital risk management and investigation firm to develop recommendations. [Now that the horse is gone, we're considering shuting the barn door.. Bob]
… To view a sample of the notification letter sent to research participants, click here.
[Just for amusement, Google the phrase “forensic disk copy” or “bypass passwords” Bob]


...for the record. And a bit of perspective. Also a challenge for my Data Miners.
By Dissent, September 14, 2012
Erin McCann has an article on data breaches in the healthcare sector:
So who are the biggest offenders by state?
Generally, states with the highest population have the highest number of data breaches. For instance, California and Texas top the list, banking the highest number of data breaches in the nation. However, when population is taken into consideration, the numbers change substantially.
Using data from the HHS, here are the best and the worst states in terms of number of records breach per 1,000 people.
You can see her listing of “Blacklisted: Top 5 states with the highest number of data breaches” on Healthcare IT News, but I would say that the list is significantly flawed.
Using HHS’s breach tool as a basis may seem like a reasonable way to determine “worst states” when population differences are taken into account, but it’s not the best way, in my opinion.
Indeed, if you had simply asked me what state I think is the worst for breaches involving healthcare sector data, I’d have mentioned a state that’s not her list – Florida.
Why Florida, you ask? Because they have had a number of breaches involving insider theft or copying of data for misuse or fraud. Those breaches are worse than many other breaches that may have higher numbers but did not result in any harm. Also, Florida has had a number of cases of Medicare fraud prosecutions that involve patients’ Medicare numbers. Those incidents do not generally show up in HHS’s breach tool at all. Texas has also had a number of Medicare fraud prosecutions and has had some insider theft cases, but not as many reports of hospital employees stealing and misusing patient data. At least, that’s my impression as someone who has been tracking and reporting on breaches. Some mainstream media journalist might wish to attempt to verify or disconfirm my impressions.
But the bottom line is this: when we talk about “worst” states in terms of breaches, yes, the number of breaches per capita should be considered, but shouldn’t we take harm into account? I think we should.


No doubt the “We gotta do something!” crowd will be in high gear...
How a 14-Minute Video Can Trigger Violence Abroad
A perceived cozy relationship between the U.S. government and Internet companies doesn't help.

(Related) Idiots got rights too!
"BBC reports that Google officials have rejected the notion of removing a video that depicts the prophet as a fraud and philanderer and has been blamed for sparking violence at U.S. embassies in Cairo and Benghazi. Google says the video does not violate YouTube's policies, but they did restrict viewers in Egypt and Libya from loading it due to the special circumstances in the country. Google's response to the crisis highlighted the struggle faced by the company, and others like it, to balance free speech with legal and ethical concerns in an age when social media can impact world events. 'This video – which is widely available on the Web – is clearly within our guidelines and so will stay on YouTube,' Google said in a statement. 'However, given the very difficult situation in Libya and Egypt, we have temporarily restricted access in both countries.' Underscoring Google's quandary, some digital free expression groups have criticized YouTube for censoring the video. Eva Galperin of the Electronic Frontier Foundation says given Google' s strong track record of protecting free speech, she was surprised the company gave in to pressure to selectively block the video. 'It is extremely unusual for YouTube to block a video in any country without it being a violation of their terms of service or in response to a valid legal complaint,' says Galperin. 'I'm not sure they did the right thing.'"

(Related)
Muslims’ Movie Producer Was Arrested for PCP, Snitched for Feds


Continuing the theme of “We don't need no stinking lawyers!”
Disrupt Hackathon Winner Docracy Adds Collaborative Editing And Signing Capabilities To Github For Legal Documents
There are a number of websites that offer form legal documents to users. But it can be difficult to complete the next step of the process of establishing a will, or forming a company, when it comes to actually editing and signing these documents online. Docracy, which won the Disrupt NYC Hackathon more than a year ago, is a repository for legal and business documents, such as NDAs and term sheets. Anyone can upload a document, which will be translated into native HTML5, and become available to other users.
The startup’s free and community-curated library of templates now includes the ability to edit and sign legal documents. Once you find the document you want to edit, you can negotiate the whole thing online and edit the document directly within your private account. In terms of signage, Docracy now offers e-signatures with a typeset PDF result that links back to the executed version online.


For my Ethical Hackers...
"A recent study (PDF) conducted by UCLA professor Chunyi Peng shows that carriers generally count data usage correctly, but those customers who commonly use their device in areas with weak signal strength or to stream audio or video are often overcharged. Peng and three other researchers used data gleaned from an app installed on Android smartphones on two different carriers. The issue appears to be in how the system is set up to count data usage. Under the current scenario, data is charged as it is sent from the carrier's network to the end user. What does not exist is a system to confirm whether the packets are received, and thus preventing charges for unreceived data. Peng demonstrated this in two extreme circumstances. In one case, 450 megabytes of data was charged to an account where not a single bit of it had been received. On the flipside, Peng's group was able to construct an app which disguised data transfers as DNS requests, which are not counted by the carriers as data usage. Here they were able to transfer 200 megabytes of data without being charged. Overall, the average overcharge is about 5-7% for most users. While that does not seem like much, with unlimited plans gone and data caps in style that could pose potential problems for some heavy data users. Could you be going over your data allotment based on data you never received? It's quite possible."


For my Math Class... Because you asked for some real-world applications of math. (Those folks a Google have way too much time on their hands)
Google introduces 'Bacon number' -- What's the largest degree of separation you can find?
Google wants to make playing “Six Degrees of Kevin Bacon” easier.
The search engine has launched a new tool known as the Bacon number. By typing in any actor’s name followed by the words “Bacon number,” Google will tell you the degree of separation between that actor and Mr. Bacon.
… we challenge you to find the largest degree of separation between Kevin Bacon and a famous person of your choosing. Be warned: this is surprisingly hard. For example, you’d think Kim Kardashian would have a high Bacon number, but there’s actually only a two degree separation between the two. (Thanks, Denise Richards.)
So, the largest degree of separation I could find was three. Pathetic, I know — especially given that as of June 2011 there are 32 people in the IMDb database with a Bacon number of eight. Can you find any of the 32, PopWatchers?


For my football fan / geeks Is this how you adict even more fans? (It ain't cheap!)
Channel Your Inner John Madden With ‘Game Rewind’
… the NFL now offers Game Rewind, which allows fans to watch replays of every game from the last two years via tablet or PC. It not only offers the standard broadcast feed, but the ability to toggle to an end zone camera or the “All 22” feed — so named because it covers all 22 players on the field at once — that coaches use to study film.
This is a football fan’s dream come true, but the NFL and the company behind the product, NeuLion, are positioning it as even more than that.
… Other features include condensed games, which offer up every play, minus whatever happens between the time the whistle blows a play dead and the time the next ball is snapped (not including penalties, coach’s challenges and plays under review). An entire game can be watched this way in about a half-hour.
They also have something called Big Play Marker, which is essentially a timeline of the game at the bottom of the screen, with markers denoting significant plays, for which one can click to receive pertinent stats and video review.


The bits I find interesting...
Google released Course-Builder this week, an open source platform that it utilized for its “Power Searching with Google” online course. I haven’t had a chance to dive into the code, but I really do like the analysis offered by Phil Hill who argues that this is less about open-sourcing a MOOC platform and more about offering a competitive service (that is, Google App Engine) to Amazon Web Services, the cloud infrastructure that most ed-tech is currently being built upon.
… OER site Curriki has launched a free Algebra 1 course. I had a demo of the site last week, and wow, I’m really behind on writing up my OER research, huh.
… Job openings are good news. Universities looking to hire tenure track faculty in English, also good news. But bad news out of Colorado State University: Old PhDs Need Not Apply. Rather, if you’ve received your degree before 2010, you’re sorta a has-been, your smarts have expired, or something. More on this in Inside Higher Ed.
… A recent survey by the LEAD Commission has found that parents and teachers believe we should spend more money on classroom technology. Some 60% said they felt that the U.S. was “behind the curve” when it came to technology integration in the classroom.
… Never one to pass up on anything trendy in education, the Gates Foundation has announced that it’ll be offering grants of up to $50,000 for institutions that offer MOOCs in “high-enrollment, low-success introductory-level courses.” [Consistant with their support of Khan Academy Bob] Because clearly the way you tackle low-success introductory courses is throw students into a scenario where the going rate of completion is about 10%.
Stanford University announced 16 new online classes that it’s offering this fall. Interesting to note: they’re spread across a couple of platforms — Coursera, the startup founded by Stanford professors Daphne Koller and Andrew Ng, and Class2Go, a platform created by some other Stanford engineers (and open-sourced this week), and Venture Lab, a third Stanford-created platform, this one focused on students working in teams.

Friday, September 14, 2012

Worth a close read. Is this the state of modern journalism or am I just overly suspicious?
30-plus laptop computers stolen from Jacksonville’s Wounded Warrior project HQ
September 14, 2012 by admin
Dan Scanlan reports:
At least 33 laptop computers and iPads were stolen in late July from the Wounded Warrior Project’s third-floor office at 4899 Belfort Road in Jacksonville.
They may contain personal information on “some, but not all of our former employees,” [No risk to “clients?” Bob] according to a letter sent out Sept. 7 by Wounded Warrior Executive Director Steve Nardizzi. So he has offered victims free credit monitoring in case someone hacks into them.
Read more on the Florida Times-Union.
[From the article:
Spokeswoman Ayla Jay said the agency has been told whoever did this wanted to wipe out the hard drive and sell the computers. [I doubt it. Without a mind reader on staff this would be impossible, wouldn't it? Bob]
There’s no evidence any information was taken. [Except what was on the computers? Bob]
Our IT team was able to lock all of the stolen equipment [Makes it sound like this was done 'after the thefts' but it is also impossible to confirm Bob] so if anyone tried to get in, they could not have.”
Alarm records show someone pried open an office door seven times between 9:10 p.m. July 25 and 6:20 a.m. the next day, according to the police report. [Great alarm system guys... Bob] Each time they scooped up silver/gray Elite Books laptops as well as one iPad — about $27,000 worth. More missing computers will be added as serial numbers are obtained, the report said.


Unfortunate
Twitter to surrender Occupy protester’s tweets – lawyer
September 14, 2012 by Dissent
Joseph Ax reports:
Twitter is expected to hand over tweets from an Occupy Wall Street protester to a New York criminal judge on Friday after months of unsuccessfully fighting a subpoena from prosecutors, the protester’s lawyer said on Thursday.
Manhattan Criminal Court Judge Matthew Sciarrino ordered Twitter earlier this week to comply with the subpoena by Friday or face contempt and a substantial fine.
Read more on Reuters.


Very interesting idea. Something security consulting firms could adapt?
By Dissent, September 14, 2012
The Office of the National Coordinator for Health Information Technology’s (ONC) Office of the Chief Privacy Officer (OCPO) has released its first web-based security training module, CyberSecure: Your Medical Practice. Play the Game Now.
The security training module, which was developed with the assistance of the Regional Extension Center Program’s Privacy and Security Community of Practice, uses a game format that requires users to respond to privacy and security challenges often faced in a typical small medical practice. Users choosing the right response earn points and see their virtual medical practices flourish. But users making the wrong security decisions can hurt their virtual practices.
The use of gamification by ONC is an innovative approach aimed at educating health care providers to make more informed decisions regarding privacy and security of health information.


Is that what he meant?
Presentations on the Obama Administration’s “Privacy Bill of Rights” and the Proposed Amendments to the EU Data Privacy Directive
September 13, 2012 by Dissent
Eric Goldman has a blog post on his presentations on the Obama Administration’s “Privacy Bill of Rights” and the Proposed Amendments to the EU Data Privacy Directive. You can read his blog entry and access copies of his presentations on Technology & Marketing Law Blog.


Stronger, always stronger...
Where would a constitutional challenge to FERPA leave us?
September 13, 2012 by Dissent
Frank D. LoMonte has a commentary on Inside Higher Ed, “Why FERPA Is Unconstitutional.” In his commentary, he suggests that the Supreme Court’s ruling in National Federation of Independent Businesses v. Sebelius (the “Obamacare” ruling) could also be applied to FERPA (the Family Educational Rights Privacy Act). You can read his analysis and argument on Inside Higher Ed.
While LoMonte, a lawyer who is executive director of the Student Press Law Center, sees the demise of FERPA as a good thing, I fear we’d be throwing the baby out with the bath water. That FERPA has been misused is indisputable. But it is equally indisputable that state education agencies and local education agencies (school districts) need some clear bright line on what information they may not disclose or share without parental consent (or the student’s consent when the student comes of age). Absent such firm prohibitions backed up by meaningful and severe consequences, nothing really stops schools from unfettered data sharing. Mr. LoMonte writes:
To be clear, striking down FERPA will not throw open genuinely private records that everyone agrees should be kept confidential. Grades, minor disciplinary scrapes and other non-newsworthy information still may be kept secret, because open-records statutes exclude information that clearly invades personal privacy.
“Still may be” is not “will be.” We have already seen the Oklahoma State Education Department decide that their open records laws required them to reveal personally identifiable information about students and their families, including grades. With FERPA off the books, we would be more likely to see such outrageous trampling of the privacy of education records.
With FERPA off the books, what would stop school districts from selling lists of their top 20 seniors’ SAT scores or grades to college recruiters?
LoMonte writes:
With FERPA off the books, schools and courts will be free to make common-sense judgments as to when privacy has been waived – for instance, when a nationally known athlete admits committing a crime – and secrecy serves no rational purpose.
Why should schools make the decision as to whether privacy has been waived? The schools will decide whatever is convenient to them or best serves their purpose – not the privacy interests of the students and parents.
And what will give parents or students the right to sue in court? As LoMonte notes, FERPA does not include a private cause of action. What state law provides for that? And do all states have that kind of law?
No, I fear that with FERPA gone, there will be no strong inducement for schools to even attempt to secure and protect students’ educational records.
This balancing test – weighing, case-by-case, personal privacy against the community’s interest in disclosure – is the right way to protect legitimate confidences while giving the public the information essential to evaluating how its schools are being managed.
Accountability and transparency are important, of course. We agree on that. But eliminating a federal law that protects privacy is not a solution. Would LoMonte suggest we get rid of HIPAA, too, because sometimes that’s used as a basis for denying the public and press information that it deems essential in evaluating situations?
If LoMonte would care to outline or propose a better federal protection law for student privacy, I’m all ears. I think FERPA started out with the best of intentions, but the current situation on data security and privacy of student education records leaves much to be desired. But just declaring FERPA unconstitutional without replacing it with a better law serves the press and community at the expense of student privacy.

Thursday, September 13, 2012

What could possibly go wrong? (Ethical Hackers, consider that the topic for this week's short paper...)
Data protector ‘cannot check police spyware’
September 12, 2012 by Dissent
Germany’s top data protection official has complained he cannot test how a spy computer program used by the police works – because the firm that made it will not help him examine it and the police do not have the source code.
Read more on The Local (Germany).
So if the DPC cannot evaluate the software to determine whether it violates constitutional protections because DigiTask will not provide the source code without fees and conditions that the DPC finds unacceptable, what should Germany do? Will they continue to permit its use by police or will they halt its use?


Evidence suggest you can organize, equip and deliver a terrorist group without the drones noticing. So what are they looking for?
U.S. Drones Never Left Libya; Will Hunt Benghazi Thugs
The skies over Libya were clogged with U.S. Predator drones during last year’s war. But just because the war officially ended in October didn’t mean the drones went home.
A Defense Department official tells Danger Room that the U.S. has kept drone flights flying over Libya, despite the conflict that initially brought them to Libyan airspace ending nearly a year ago.
“Yes, we have been flying CAPs since the war ended,” says Army Lt. Col. Steve Warren, a Pentagon spokesman. (CAPs is a military acronym for “combat air patrols,” a term of art that typically refers to several planes flying at once for a particular mission.) The drone flights, done for surveillance purposes, occur with the consent of the new Libyan government. [So we probably share the “take.” I wonder what other countries have an arrangement like this? Bob]


Using social media for anti-social purposes? Perhaps not the smartest faces in the book.
Facebook becomes gang's stomping ground -- and demise
… The commissioner said that the rival gangs would "friend" each other and then post threats on each other's walls. One of the key Facebook posts that helped bring down the gangs was when a member of the Rockstarz posted "Rockstarz are up 3-0," referencing the body count of gang members, according to the Village Voice.
In another incident, after one VCG member was beaten to death, a Rockstarz member posted a photo of himself wearing the victim's belt and watch with the caption, "I can't give it back to you -- you can't walk no more," according to WNYC. This boastful gang member was shot in both legs just five months later.
"Because of these individuals' insatiable desire to brag about their murderous acts these investigators were able to draw a virtual map of their activities," Kelly said, according to WNYC.


Biosurveillance is not just an FBI thing...
DHS Should Reevaluate Mission Need and Alternatives before Proceeding with BioWatch Generation-3 Acquisition
GAO-12-810, Sep 10, 2012


Interesting questions if you have never considered the pros and cons before...
Domestic surveillance during divorce results in federal lawsuits concerning privacy
September 12, 2012 by Dissent
Dan Horn reports on a case of domestic surveillance that is noteworthy for the issues it raises. If you have a right to install surveillance systems – including audio recording and monitoring online activity – in your own home and on your own devices, what rights do your spouse and visitors to your home have with respect to their privacy?
Although a Cincinnati couple’s divorce is finalized, the surveillance uncovered during their divorce proceedings resulted in two federal court lawsuits involving friends and relatives, the husband’s defense attorney, and a company that manufactures the computer monitoring software. One of those suing is a Javier Luis, a Tampa man whose e-mail communications with the wife were recorded without his knowledge or consent.
Catherine Zang’s suit lists several friends and relatives who claim their privacy was violated while they were in the home. Luis’ suit claims Awareness Technologies, which makes the software that copied the emails, knew its product could be used to violate privacy.
Both suits say Joe Zang violated not only the law but the unspoken moral and ethical rules husbands and wives should follow even when they don’t entirely trust one another.
No criminal charges were filed as a result of the revelations during the divorce proceedings, but one of the issues in the civil lawsuits is whether the husband’s divorce attorney engaged in improper, if not illegal, conduct:
According to her lawsuit, Joe Zang’s divorce lawyer, Mary Jill Donovan, revealed she had obtained evidence that portrayed Catherine Zang in “unflattering, embarrassing and private settings.”
The objective was clear, the lawsuit says. Donovan hoped to use the surveillance to strong-arm Catherine Zang into a favorable settlement.
Donovan, who is a defendant in both lawsuits, is a well-known Cincinnati defense lawyer and wife of a Hamilton County sheriff candidate. Both she and her lawyer declined comment.
In her response to the lawsuit by Luis, Donovan either denies all allegations or claims she has insufficient knowledge to respond. In some cases, she asserts that to respond would be a violation of attorney-client privilege, but she also claims that even if some of these things happened, they were legal under federal and Ohio laws.
To complicate what is already a complex case to begin with, Catherine Zang’s lawyer, Donald Roberts, was removed as her counsel in the lawsuits because he might be a witness if the case goes to trial. Donald Roberts is married to Catherine Zang’s sister and represented Zang in the divorce. But Joe Zang claims that Roberts advised him in 2009 to install the surveillance system to keep an eye on his wife.
“Joe took Donald’s advice,” Joe Zang’s lawyer wrote in a recent legal brief. “The software worked as intended. It captured inappropriate Internet and email communications by Catherine Zang.”
Roberts, who did not return calls, has said in court he gave no such advice.
The crux of the legal issue is that both federal and Ohio wiretapping laws are based on single-party consent. Joe Zang didn’t need his wife’s or guests’ or anyone’s permission to record conversations in his own home using concealed audio recording. But did he need consent to intercept or copy e-mail communications?
And does constant surveillance raise this to a new level and different set of rules? Does your right to install monitoring devices in your own home or on your own equipment trump your spouse’s expectation of privacy in their own home and on a shared computer? And what about the privacy of those who communicate with the spouse via shared computer or phones?
Read more on USA Today.
These are two cases I’ll be watching. One is Zang v. Zang, in U.S. District Court Southern District of Ohio, Case #: 1:11-cv-00884-SJD. The related case is Luis v. Zang: 1:12-cv-00629-SJD-KLL.


“$1,000,000,000 – it's the new normal.” Apple sets the bar or we really don't like these guys.
Feds demand $1B from LCD maker for price-fixing
The U.S. Department of Justice has reined down hard on a Taiwanese LCD screen maker in court, demanding $1 billion in fines and significant jail time for two former executives.


Since I only join anti-social networks, I should be immune...
"Brace yourself for a tidal wave of Facebook campaigning before November's U.S. presidential election. A study of 61 million Facebook users finds that using online social networks to urge people to vote has a much stronger effect on their voting behavior than spamming them with information via television ads or phone calls."


If we don't tell you what we're doing, you can't criticize...
September 12, 2012
OpenTheGovernment.org - Secrecy 2012 Report
News release: "The 2012 Secrecy Report released today by OpenTheGovernment.org — a coalition of more than 80 groups advocating for open and accountable government — reveals that positive changes from the Obama administration’s open government policies nevertheless appear diminished in the shadow of the President’s bold promise of unprecedented transparency. Ultimately, though, the public needs more information to judge the size, shape, and legitimacy of the government’s secrecy... Efforts to open the government continue to be frustrated by a governmental predisposition towards secrecy, especially in the national security bureaucracy. Among the troubling trends: the National Declassification Center will not meet its goal for declassifying old records on time; the government continues to use the state secrets privilege in the same way it did prior to release of a new procedural policy; and the volume of documents marked “Classified” continues to grow, with little assurance or reason offered for the decision that the information properly needs such protection. The report also indicates some of the Administration’s openness policies are having a positive effect. The federal government received and processed significantly more public requests for information than in previous years. The Office of Special Counsel is also on track to deliver an all-time high number of favorable actions for federal employees who have been victims of reprisal, or other prohibited personnel practices, for blowing the whistle on waste, fraud, abuse, or illegality. Even in the national security field, there is some progress: most notably, the total amount of money requested for intelligence for the coming year was formally disclosed. This is a tremendous success because such disclosure was resisted by government officials for so long. Additionally, the number of people with the authority to create new secrets continued to drop." [Huh? Bob]


(Soon to be Dr.) Peralez suggests this one. Lots of useful information and free code!
Database Answers
We Answer Database Questions.
We have developed a Libary of free Kick-Start Database designs. These take the form of Data Models


For my literate friends...
OpenCulture, an online website committed to curating free media, has recently compiled a collection of 375 free eBooks — in formats that can be read on Apple’s iBooks and Kindle apps for the iPad/iPhone, the Kindle and Nook readers, and on your PC. Open Culture also collects audio books, free online courses, free movies, and free language lessons.
The book list also contains an embedded YouTube video on how to load these ebooks on to the Amazon Kindle.

(Related)


Worth a look. It might be a place for my handouts...
Clipboard Is Digital Scrapbooking for Your Life
Between Pinterest, Evernote, Dropbox, and Basecamp you might think that all our social-bookmarking, note-saving, and collaboration prayers have been answered. Clipboard, a 5-month-old bookmarking tool, is making the argument that they haven’t. The company, founded by Microsoft veteran Gary Flake, is fusing some of the most useful things about Evernote, Pinterest, and Basecamp with additional features of its own, in an attempt to create the only collaborative content-saving tool you’ll ever need.
Boards can have four types of members: an owner, administrators, writers, and readers. Owners and administrators have control over who can contribute to a board, writers can add content, and readers can simply view the clips. Owners and admins can also tweak the privacy of a board, hiding it from anyone who isn’t a member, or making it visible to any Clipboard user.


For my students
… Power Searching is a free program from Google designed to teach users how to use its advanced features to become better at finding things on the Internet. This is especially useful for people who need to search for things for school projects and the like. In these situations, not just any results will do, and advanced tactics are required.
Power Searching starts on September 24th. Interested users can sign up for the free classes right now. It is a community-based course that features six 50-minute classes and plenty of interactive activities designed to improve overall Google searching prowess. The classes are available over a two-week period and upon completion, all students will receive a certificate.

Wednesday, September 12, 2012

Intel is intel, no matter the source...
Taliban said to use Facebook to gather info on soldiers
… According to Australia's Department of Defense's new report on social media (PDF), "the Taliban have used pictures of attractive women as the front of their Facebook profiles and have befriended soldiers" as a way to gather information.
These fake profiles are a cause for concern, notes the report. The goal of the report is to be a training guide and review for Australia's military in teaching its soldiers how and when to use social media.


Can a neighborhood restrict parking on public, city maintained streets? Can I declare you a second class citizen because you don't live in my neighborhood?
TX: Officials: Parking plan a ‘shot in the dark’
September 11, 2012 by Dissent
From the same state that is chipping kids while complaining about smart meters, there is a new parking plan that raises serious privacy concerns. Whitney Hodgin reports on the Galveston plan. Here’s the part of her report that raised @Privacyactivism’s eyebrows and mine:
Seawall businesses that choose to participate can choose to include a kiosk that allows visitors to complete the same process, as well as pay cash, or store employees can enter the customers’ information online themselves.
Parking will cost $1 per hour for up to 8 hours. Unlike downtown public parking, there will be no kiosks involved — just a phone and a credit card — because visitors will register their license plate numbers and pay for parking exclusively on a website.
That’s the only option you have — to enter your license number,” Maxwell said.
Four Galveston police cruisers will be outfitted with Automatic License Plate Recognition equipment similar to the technology used to identify license plates on interstate highways, and can read plates even if the vehicles are parked end-to-end, Maxwell said.
In addition to determining the parking status of each vehicle on the Seawall, police will also use the Automatic License Plate Recognition technology to see if there is an outstanding warrant on a vehicle, if the vehicle is stolen or an Amber Alert connected to the owner, he said.
Police will use the same approach to ensure that seawall visitors don’t beat the system by parking for free in adjacent neighborhoods, Maxwell said.
“What makes this system really great for neighborhood enforcement is that residents will register their license plates and the plates of their guests,” so police can identify and fine vehicles that do not belong, he said.
Wow. Talk about Big Brother. So even if you’re not using the parking but just live in the neighborhood, the police will have your license plate number and your guests’ license plate numbers? For how long will they retain these data? Can they be used as evidence in criminal prosecutions? What if a resident doesn’t want to provide their guests’ info? Will the guests then be ticketed even if they’re there legitimately?
And entering credit cards on a web site? What could possibly go wrong there?
*Sigh.*


Win friends and influence people! No attempt to encrypt or otherwise protect the user?
Activision Blizzard Secretly Watermarking World of Warcraft Users
September 11, 2012 by Dissent
This is not a security breach per se but I’m treating it as a privacy breach because WoW is revealing users’ IDs and server IP addresses without their knowledge or consent. On Slashdot, kgkoutzis writes:
“A few days ago I noticed some weird artifacts covering the screenshots I captured using the WoW game client application. I sharpened the images and found a repeating pattern secretly embedded inside. I posted this information on the OwnedCore forum and after an amazing three-day cooperation marathon, we managed to prove that all our WoW screenshots, since at least 2008, contain a custom watermark. This watermark includes our user IDs, the time the screenshot was captured and the IP address of the server we were on at the time. It can be used to track down activities which are against Blizzard’s Terms of Service, like hacking the game or running a private server. The users were never notified by the ToS that this watermarking was going on so, for four years now, we have all been publicly sharing our account and realm information for hackers to decode and exploit. You can find more information on how to access the watermark in the aforementioned forum post which is still quite active.”
Read more on Slashdot.


Ah, the mighty enforcer of goodness strikes again. “Let this be a warning. If you violate user privacy we might insist that you promise not to do it again! You have been warned!”
FTC Finalizes Privacy Settlement with Myspace
September 11, 2012 by Dissent
From the FTC:
Following a public comment period, the Federal Trade Commission has approved a final order settling FTC charges that Myspace misrepresented its protection of users’ personal information. The settlement bars Myspace from future misrepresentations about its privacy practices, requires the company to implement a comprehensive privacy program, and calls for regular, independent privacy assessments for the next 20 years.
The Commission vote approving the final order and letter to the public commenters was 4-0-1, with Commissioner Maureen K. Ohlhausen not participating.
The FTC’s responses to commenters can be found here.


Not much detail with the listed sites, but lots and lots of sites!
September 11, 2012
New on LLRX - Privacy Resources and Sites on the Internet
Via LLRX.com, Privacy Resources and Sites on the Internet - Marcus P. Zillman's guide is a comprehensive listing of both free and low cost privacy resources currently available on the Internet. It includes associations, indexes and search engines, as well as websites and programs that provide the latest technology and information on Web privacy. This guide will help facilitate a safer interactive environment for your email, your internet browsing, your health records, your data storage and file sharing exchanges, and internet telephony.


Perspective
"China's largest e-commerce firm, Alibaba Group, expects to sell merchandise this year worth more than that sold by Amazon Inc and eBay combined. The company is aiming for 3 trillion yuan ($473 billion) in annual transaction value from its Taobao e-commerce units in the next 5 to 7 years, rising from the 1 trillion yuan of sales expected for 2012. 'From their annual reports we did a rough calculation and we were similar last year but we are growing faster than them this year, so this year we are probably larger than them,' Zeng Ming, Chief Strategy Officer of Alibaba, said of Amazon and eBay."


For my students...
September 11, 2012
New on LLRX - Tutorial Resources on the Internet
Via LLRX.com - Tutorial Resources on the Internet - Marcus P. Zillman's guide is a wide ranging and immediately useful listing of tutorial resources and sites on the Internet. This guide will assist you to discover, review and select the most relevant and reliable sources for your requirements, on topics that include: e-training, health sciences and biomedical research, educational opportunities for unemployed workers, effective web searching, statistical data mining, free college and university courses, programming in various open source applications, and technical support, user guides and repair services too!

Tuesday, September 11, 2012

I doubt any (both?) of my readers would fall for this, but my Computer Security students should find it amusing that the Democrats haven't noticed a similar problem. And it's legal?
"Shane Goldmacher writes that a network of look-alike campaign websites have netted hundreds of thousands of dollars this year in what some are calling a sophisticated political phishing scheme. The doppelgänger websites have the trappings of official campaign pages: smiling candidate photos and videos, issue pages, and a large red "donate" button at the top and exist for nearly three-dozen prominent GOP figures, including presidential nominee Mitt Romney, House Speaker John Boehner, House Majority Leader Eric Cantor, and donation magnets such as Reps. Michele Bachmann of Minnesota and Allen West of Florida. The only difference is that proceeds from the shadow sites go not to the candidates pictured, but to an obscure conservative group called CAPE PAC run by activist Jeff Loyd, a former chairman of the Gila County GOP in Arizona. 'The only thing they are doing is lining their pockets and funding their own operation,' says Republican political strategist Chris LaCivita. CAPE PAC has a strong Web presence, with over 100,000 followers on Twitter and 50,000 on Facebook and its business model is to buy Google ads — about $290,000 worth, as of the end of June — to promote its network of candidate sites whenever people search for prominent GOP officials. A search for 'Mitt Romney,' for instance, often leads to two sponsored results: Romney's official site and CAPE PAC's mittromneyin2012.com. Once on a CAPE PAC site, users would have to notice fine print at either the top or bottom of the page revealing that they were not on the official page of their favored politician. A dozen donors, including some experienced Washington hands such as Neusner, had no idea they had contributed to the group before National Journal Daily contacted them. 'It confused me, and I do this for a living,' says Washington lobbyist Patrick Raffaniello. 'That's pretty sophisticated phishing.'"


A look at what information is collected but not much on haow it is being used. Another “we had no idea” security breach.
EXCLUSIVE: The real source of Apple device IDs leaked by Anonymous last week
A small Florida publishing company says the million-record database of Apple gadget identifiers released last week by the hacker group Anonymous was stolen from its servers two weeks ago. The admission, delivered by the company’s CEO exclusively to NBC News, contradicts Anonymous' claim that the hacker group stole the data from an FBI agent's laptop in March.
Anonymous’ accusations garnered attention because they suggested that the FBI was using the unique gadget identifiers -- called UDIDs -- to engage in high-level spying on American citizens via their iPhones, iPads, and iPod Touch devices. The FBI denied the claim, last week, and when asked to comment for this story, referred to last week’s denial.
Paul DeHart, CEO of the Blue Toad publishing company, told NBC News that technicians at his firm downloaded the data released by Anonymous and compared it to the company's own database. The analysis found a 98 percent correlation between the two datasets.
DeHart said an outside researcher named David Schuetz contacted his company last week and suggested the data might have come from Blue Toad. The company's forensic analysis then showed it had been stolen "in the past two weeks." He declined to provide further details, citing an ongoing investigation.
DeHart said he could not rule out the possibility that the data stolen from his company’s servers was shared with others, and eventually made its way onto an FBI computer. He also said that he doesn’t know who took the data.
The discovery of the theft casts serious doubt on Anonymous’ claims that the data came from the FBI, and was pilfered in March.
… "As an app developer, BlueToad would have access to a user's device information such as UDID, device name and type," Apple spokeswoman Trudy Mullter told NBC News on Monday. "Developers do not have access to users' account information, passwords or credit card information, unless a user specifically elects to provide that information to the developer." [For instance, to register or to purchase something... Bob]
… DeHart said his firm would not be contacting individual consumers to notify them that their information had been compromised, instead leaving it up to individual publishers to contact readers as they see fit.
… The UDID -- which stands for Unique Device Identifier -- is present on Apple iPads, iPods and iPhones, and is similar to a serial number. During the past year, researchers have found that many app developers have used the UDID to help keep track of their users, storing the data in various databases and often associating it with other personal information. When matched with other information, the UDID can be used to track users' app usage, social media usage or location. It could also be used to "push" potentially dangerous applications onto users' Apple gadgets.
… There is no way for users to check to see if their UDID information has been collected by Blue Toad, DeHart said. He recommended that concerned Apple users visit websites that have created search engines where users can see if their UDID is in the data dump, such as this one. But he said consumers should not overreact to news of the leak.
… Updating is important because, seeing the potential privacy issues, Apple earlier this year advised developers to discontinue use of the UDID to track users. Blue Toad no longer uses UDIDs [Yet these are still available online? Bob] in its software, DeHart said, and updated versions of its software don’t collect it.
Aldo Cortesi, a security researcher who has been crusading against use of UDIDs for some time, disagreed with DeHart and said the release of the data represents a great risk to users. Cortesi has previously used UDIDs to log into consumers’ gaming accounts, access contact lists, and connect the ID numbers to real identities. He was then able to hijack device owners’ Twitter and Facebook accounts.


I guess they don't like the Superbowl ads? Interesting what Go Daddy does and does not know...
Go Daddy says client Web sites back up
Web sites serviced by Web hosting and domain registrar Go Daddy were back online early this evening after being down for much of the work day, a company spokeswoman told CNET.
"All services are restored and at no time was sensitive customer information, such as credit card data, passwords, names, addresses, ever compromised," Go Daddy spokeswoman Elizabeth Driscoll said in a phone interview just before 5 p.m. PT. She said the company does not know at this time exactly what caused the outage and she couldn't say exactly how many sites were affected.


No security? Quite possible as many naming conventions use easily “guessed” names, like the docket number, to organize their web pages.
Hacker suspected of stealing scores of court documents claims no hacking required to access files
September 10, 2012 by admin
Eli Senyor and Maor Buchnik report:
The police have arrested Moshe Halevi, 40, from Acre, for allegedly hacking into one of the Israeli courts’ databases and accessing thousands of case files, some of which contain classified information.
Two additional suspects were arrested as well. One of the suspects, Attorney Boaz Guttman, is a former high-ranking police officer with the National Fraud Unit.
Read more on ynet.
But was it really hacking or just sloppy security on the court’s web site? The reporters note:
Halevi, who was in trouble with the law in the past over similar offences, denied being involved in any illegal hacking and was quick to blame the courts’ website administrator:
“I didn’t hack any database. All I did was go on the website. I accessed the files with my ID number – I didn’t uses anything.
“Documents from the Anat Kam and the Holyland cases were open and the court records had the full name of the State witness,” he said.


Interesting comments. Probably enough here for a Privacy article...
"I'm a mobile developer at a startup. My experience is in building user-facing applications, but in this case, a component of an app I'm building involves observing and collecting certain pieces of user information and then storing them in a web service. This is for purposes of analysis and ultimately functionality, not persistence. This would include some obvious items like names and e-mail addresses, and some less obvious items involving user behavior. We aim to be completely transparent and honest about what it is we're collecting by way of our privacy disclosure. I'm an experienced developer, and I'm aware of a handful of considerations (e.g., the need to hash personal identifiers stored remotely), but I've seen quite a few startups caught with their pants down on security/privacy of what they've collected — and I'd like to avoid it to the degree reasonably possible given we can't afford to hire an expert on the topic. I'm seeking input from the community on best-practices for data collection and the remote storage of personal (not social security numbers, but names and birthdays) information. How would you like information collected about you to be stored? If you could write your own privacy policy, what would it contain? To be clear, I'm not requesting stack or infrastructural recommendations."


I will be interested in hearing their “justification” for this one...
Judge won’t dismiss lawsuit accusing Minnesota school of demanding sixth-grader’s Facebook password
September 11, 2012 by Dissent
A lawsuit filed in March against Minnewaska Area Schools has survived a motion to dismiss. Bailey McGowan of the Student Press Law Center reports:
Judge Michael Davis’ Thursday decision lets the student, identified in court documents as R.S., continue with her complaint arguing that the school violated her First Amendment right to free speech and Fourth Amendment right to be free from unreasonable search and seizure.

(Related) It's not wrong, but it sure is sneaky.
Why is Georgia Secretly Giving Student Test Scores to Military Recruiters?
September 10, 2012 by Dissent
Azaden Shahshahani reports:
In 2006, Marlyn, a mother who lives in Gwinnett County with her children, was surprised to hear that her son Kyle, a senior at Brookwood High School, had taken the ASVAB test. ASVAB or the Armed Services Vocational Aptitude Battery test is the military’s entrance exam, given to recruits to determine their aptitude for military occupations. Marlyn does not recall consenting to her son’s taking of the test or for the results to be sent to military recruiters. Her son did not know either that the results will be sent to recruiters. Kyle was subsequently contacted by recruiters and Marlyn had a tough time getting them to stop once Kyle had made a college selection.
Marlyn and Kyle are certainly not alone. In fact, Georgia’s record in terms of protecting the privacy of students who take the ASVAB test has gotten even worse over the years.
Read more on CounterPunch.


Can they make a tactical nuke that small? (Have they asked the CIA?)
Army Wants Tiny Suicidal Drone to Kill From 6 Miles Away
Killer drones just keep getting smaller. The Army wants to know how prepared its defense-industry partners are to build what it calls a “Lethal Miniature Aerial Munition System.” It’s for when the Army needs someone dead from up to six miles away in 30 minutes or less.
How small will the new mini-drone be? The Army’s less concerned about size than it is about the drone’s weight, according to a recent pre-solicitation for businesses potentially interested in building the thing. The whole system — drone, warhead and launch device — has to weigh under five pounds. An operator should be able to carry the future Lethal Miniature Aerial Munition System, already given the acronym LMAMS in a backpack and be able to set it up to fly within two minutes.


Because a picture is worth 1000 bytes...

Monday, September 10, 2012

Hacking is easy, apparently subtlety is not.
Phony Al-Jazeera text messages sent by pro-Syrian gov't hackers
Al-Jazeera has become the second news agency in a little more than a month to be targeted by pro-Syrian government hackers.
The Qatar-based satellite TV station revealed in a tweet this morning that its short messaging service had been compromised and used to send false news reports, including a report that Qatar's prime minister had been assassinated:
A group calling itself the Syrian Electronic Army reportedly claimed responsibility for the hack, the second attack on the satellite network in less than a week. The broadcaster reported Wednesday that several of its Web sites had been hacked and defaced with pro-Syrian government slogans.
The group also claimed responsibility for a sophisticated attack on Harvard University's home page last year that briefly defaced the page with a message accusing the U.S. of supporting the uprising against Syria's president.
Pro-Syrian government hackers have stepped up their attacks on news agencies in recent weeks. In early August, Reuters suffered two security breaches in two days when hackers managed to gain control of one of its Twitter accounts and defaced with pro-Syrian government tweets. Earlier that week, hackers broke in to the Reuters.com Web site and added a phony post purporting to be an interview with the head of the Free Syrian Army.


Only 53%? I'm impressed!
AU: Schools clueless about IT security, reveals study
September 10, 2012 by admin
Byron Connolly reports:
Almost one in two Australian secondary and tertiary schools do not have an IT security awareness program in place and alarmingly, 53 per cent didn’t know what information was taken during a data breach, according to a study commissioned by Symantec.cloud.
The study asked around 500 teachers and administration staff at 168 private and public secondary and tertiary schools across Australia about their IT security landscape and what precautions they had in place to protect students.
Read more on CIO.
And what would we find here in the U.S. if the same study were run?


Okay, I'll need someone to interpret. I see this as “Yes but No”
By Dissent, September 9, 2012
FourthAmendment.com quotes from a new opinion from U.S. District Court in Maryland holding that there is Fourth Amendment reasonable expectation of privacy in medical records held by a doctor. The case is United States v. Mitchell.
[From the article:
There is no Fourth Amendment reasonable expectation of privacy in medical records held by a doctor. The third-party doctrine and consent also must apply. United States v. Mitchell, 2012 U.S. Dist. LEXIS 126651 (D. Md. September 5, 2012):


September 09, 2012
Paper - The Perils of Learning and Sharing Everything' from a Criminal Information Sharing Perspective
Sliter, John R., 'Techno-Risk - the Perils of Learning and Sharing Everything' from a Criminal Information Sharing Perspective (September 9, 2012). 30th Symposium on Economic Crime in Cambridge, England on September 5th, 2012. Available at SSRN.
  • "The author has extensive law enforcement experience and the paper is intended to provoke thought on the use of technology as it pertains to information sharing between the police and the private sector. As the world edges closer and closer to the convergence of man and machine, the human capacity to retrieve information is increasing by leaps and bounds. We are on the verge of knowing everything and anything there is to know...and this means that police will have the capacity to learn everything about everyone with the only restriction being privacy legislation. But it also means that those involved in immoral, unlawful or illegal activity will have that same capacity and with no such restriction... The global community requires a secure and credible system to retrieve and assess all of the information ‘generally available to the public.' A system that will strive to keep ‘Big Brother’ in check and ‘Bad Brother’ out, all the while providing a means of alerting citizens to genuine risks or to dangerous people. Such as system would help diffuse the systemic inaccurate and harmful profiling that is often based on rumours and innuendo. There is an identified public-private partnership opportunity. A chance to work with privacy advocate groups and background checking private companies to define, design and deliver on something that will be of immense benefit to citizens around the globe."


Mostly medical, so far...
September 09, 2012
Pubget - search engine for life science PDFs
"Pubget develops cloud-based content access tools for scientists, researchers and libraries. The company’s core product, pubget.com, is a free site for legally finding and directly retrieving research papers. [It is] the comprehensive source for science PDFs, including everything you'd find in Medline. We add 10,000 new papers each day... Pubget was purchased by Copyright Clearance Center, Inc. (CCC), a not-for-profit organization and leading source of licensing solutions."