Saturday, September 29, 2012

How to budget for Security...
The staggering cost of a data breach
September 28, 2012 by admin
Occasionally, I check Global Payments’ site for information on what their breach(es) last year cost them. Here’s what they reported in their SEC 10-K/A filing today:
For the year ended May 31, 2012, we have recorded $84.4 million of expense associated with this incident. Of this amount, $19.0 million represents the costs we have incurred through May 31, 2012 for legal fees, fees of consultants and other professional advisors engaged to conduct the investigation and various other costs associated with the investigation and remediation. An additional $67.4 million represents an accrual of our estimate of fraud losses, fines and other charges that will be imposed upon us by the card networks. We have also recorded $2.0 million of insurance recoveries based on claims submitted to date as discussed below. We based our estimate of fraud losses, fines and other charges on our understanding of the rules and operating regulations published by the networks and preliminary settlement discussions with the networks. As such, the final settlement amounts and our ultimate costs associated with fraud losses, fines and other charges that will be imposed by the networks could differ from the amount we have accrued as of May 31, 2012.
… Currently we do not have sufficient information to estimate the amount or range of additional possible loss.
… We expect to incur additional costs associated with investigation, remediation and demonstrating PCI DSS compliance and for the credit monitoring and identity protection insurance we are providing to potentially-affected individuals. We will expense such costs as they are incurred in accordance with our accounting policies for such costs. We currently anticipate that such additional costs may be $55 to $65 million in fiscal 2013. We anticipate that we may receive additional insurance recoveries of up to $28 million.
Realizing that their estimates may be off if they do not yet know what the fines will actually be, they’re talking about approximately $145 – $150 million for everything, with maybe $28 million reimbursed? That’s a lot of money….


Could a secure third-party repository keep this data private until there is a real need? i.e. avoiding concerns about police “browsing” the data without authorization...
Boston Police Store License Plate Data For “Intelligence” Purposes
September 28, 2012 by Dissent
Kade Crockford writes:
This summer ACLU affiliates all around the country filed open-records requests seeking information about how government agencies are using automated license plate readers. One set of records, released this week to the ACLU of Massachusetts by the police department here in Boston, provides a snapshot of the data-collection practices that are taking place around the nation.
The records reveal that the Boston police collect an average of 3,630 license plate reads per day and store the information for 90 days, unless officers decide they want to hold onto it forever, “for investigatory or intelligence purposes and for discovery/exculpatory evidence.”
Read more on the ACLU’s blog.
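One way to put some teeth in that “until there is a real need” idea, as an added example (not the Boston Police system or any product the ACLU records describe): a plate repository held by a third-party custodian, where the police side gets nothing without a custodian-issued token bound to one plate, one case number and an expiry, every access attempt is logged, and reads age out after 90 days unless a documented case hold names the plate. The custodian key, token format and the reads themselves are constructed assumptions for the demonstration.

```python
"""Added example, not the Boston Police system or any real product: an
authorization-gated, time-limited store for licence plate reads, held by a
third-party custodian.  The design (custodian MAC key, 90-day default
retention, per-case holds, an audit log of every access) is an assumption
about what such a repository could look like; the reads below are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)   # the 90-day default the ACLU records describe


class PlateRepository:
    def __init__(self, custodian_key: bytes):
        self._key = custodian_key    # held by the custodian, never by the police side
        self._reads = []             # {"plate", "seen_at", "location"}
        self._holds = {}             # plate -> case id exempting it from purging
        self.audit = []              # every query and purge, granted or denied

    def ingest(self, plate: str, seen_at: datetime, location: str) -> None:
        self._reads.append({"plate": plate, "seen_at": seen_at, "location": location})

    def authorize(self, plate: str, case_id: str, expires: datetime) -> str:
        """Custodian issues a token bound to one plate, one case and an expiry.
        The HMAC stops the requesting side from forging or widening it."""
        payload = json.dumps({"plate": plate, "case": case_id,
                              "exp": expires.isoformat()}, sort_keys=True)
        tag = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return payload + "." + tag

    def query(self, token: str, now: datetime) -> list:
        """Requesting side: no valid token, no data, and the attempt is logged."""
        payload, _, tag = token.rpartition(".")
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            self.audit.append({"at": now.isoformat(), "result": "denied-bad-token"})
            return []
        auth = json.loads(payload)
        if datetime.fromisoformat(auth["exp"]) < now:
            self.audit.append({"at": now.isoformat(), "case": auth["case"],
                               "result": "denied-expired"})
            return []
        self.audit.append({"at": now.isoformat(), "case": auth["case"],
                           "plate": auth["plate"], "result": "granted"})
        return [dict(r) for r in self._reads if r["plate"] == auth["plate"]]

    def hold(self, plate: str, case_id: str) -> None:
        """Keep one plate past RETENTION for a documented case, instead of
        letting officers keep everything 'forever'."""
        self._holds[plate] = case_id

    def purge_expired(self, now: datetime) -> int:
        """Drop reads older than RETENTION unless a hold names the plate."""
        keep = [r for r in self._reads
                if now - r["seen_at"] <= RETENTION or r["plate"] in self._holds]
        dropped = len(self._reads) - len(keep)
        self._reads = keep
        self.audit.append({"at": now.isoformat(), "result": "purged-%d" % dropped})
        return dropped

    def count(self) -> int:
        return len(self._reads)


def demo() -> dict:
    """Constructed scenario: three reads, one authorized query, one altered
    token, then the 90-day purge with one plate on hold."""
    t0 = datetime(2012, 6, 1, tzinfo=timezone.utc)
    repo = PlateRepository(custodian_key=b"custodian-secret-assumed")
    repo.ingest("ABC123", t0, "Boylston St")
    repo.ingest("XYZ789", t0 + timedelta(days=1), "Mass Ave")
    repo.ingest("ABC123", t0 + timedelta(days=30), "Tremont St")
    token = repo.authorize("ABC123", case_id="2012-0042",
                           expires=t0 + timedelta(days=60))
    granted = repo.query(token, now=t0 + timedelta(days=31))
    # An officer editing the token to browse a different plate breaks the MAC.
    altered = repo.query(token.replace("ABC123", "XYZ789"), now=t0 + timedelta(days=31))
    repo.hold("XYZ789", "2012-0042")
    dropped = repo.purge_expired(now=t0 + timedelta(days=100))
    return {"granted": len(granted), "altered": len(altered), "dropped": dropped,
            "remaining": repo.count(),
            "denials": sum(1 for a in repo.audit if a["result"].startswith("denied"))}
```

The point of the hold is that the “investigatory or intelligence purposes” exception becomes a per-plate, per-case record that shows up in the audit log, rather than a blanket reason to keep every read. Whether the custodian is genuinely independent of the department is a policy question this code cannot answer.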


One of the downsides of automated Copyright checking? Also another example of the failure of “Torrents are for stealing copyrighted works” philosophy.
An anonymous reader points out the recent trouble of author Cody Jackson, who wrote a book called Learning to Program with Python. He offers the book for sale, but also gives it away for free, and he used the CC-BY license. In order to distribute the book, he posted links to his torrent of it. Unfortunately, this caused Google to suspend his AdSense account for his website. Even after removing the links, he was unable to get in contact with Google's AdSense team to get his accounts restored. After his story was picked up yesterday by Techdirt, somebody at Google "re-reviewed" his case and finally reinstated his account. Jackson had this to say: "One good thing about this is that it has helped raise awareness of the problems with corporate copyright policies and copyright regulation as a whole. When a person is unable to post his/her own products on the 'net because someone fears copyright infringement has occurred, there is a definite problem." This follows a few high-profile situations in which copyright enforcement bots have knocked down perfectly legitimate content.


Background. It could happen to you... PricewaterhouseCoopers did the review.
EPIC FOIA Uncovers Google’s Privacy Assessment for Consent Order Compliance
September 28, 2012 by Dissent
From EPIC:
Through a Freedom of Information Act request to the Federal Trade Commission, EPIC has obtained Google’s initial privacy assessment. The assessment was required by a settlement between Google and the FTC that followed from a 2010 complaint filed by EPIC over Google Buzz. The FTC has withheld from public disclosure information about the audit process, procedures to assess privacy controls, techniques to identify privacy risks, and the types of personal data Google collects from users. EPIC intends to challenge the agency withholdings. For more information, see EPIC: Federal Trade Commission, EPIC: Google Buzz, and EPIC: Open Government


The e-Sheriff knows best?
"The Lancaster County Sheriff’s Office has seen an increase in scammers using unsecured Wi-Fi connections to steal identities and mask their crimes during the past six months, Sheriff Terry Wagner said. ... So deputies spent the past few weeks finding unsecure connections and sending 40 to 50 letters to let people know about the potential dangers of strangers accessing their network connections. 'You're just opening yourself up for a series of potential pitfalls,' Chief Deputy Jeff Bliemeister said. ... Bliemeister said only businesses like coffee shops that offer Internet connections to customers need unsecured Internet connections. [And perhaps libraries? Or schools? Or other groups providing free access to the Internet? Bob]


A quick legal summary for Law School students with no time to read?


...and I am close to solving “Life, the Universe and Everything”
"A new paper from Professor Jason Mazzone at the University of Illinois calls for federal laws to regulate what happens to digital accounts after the account holder's death. Mazzone argues that Facebook and other online services have policies for deceased users' accounts that do not adequately protect the individual property and privacy interests at stake. The full text of the paper (called "Facebook's Afterlife") is also available: "


The world, she is a changing...
"California Governor Jerry Brown has signed SB 1052 and 1053, authored by state senator Darrell Steinberg, to create free textbooks for 50 core lower-division college courses. SB 1052 creates a California Open Education Resources Council, made up of faculty from the UC, Cal State, and community college systems. The council is supposed to pick 50 core courses. They are then to establish a 'competitive request-for-proposal process in which faculty members, publishers, and other interested parties would apply for funds to produce, in 2013, 50 high-quality, affordable, digital open source textbooks and related materials, meeting specified requirements.' The bill doesn't become operative unless the legislature funds it — a questionable process in California's current political situation. The books could be either newly produced (which seems unlikely, given the 1-year time frame stated) or existing ones that the state would buy or have free access to. Unlike former Gov. Schwarzenegger's failed K-12 free textbook program, this one specifically defines what it means by 'open source,' rather than using the term as a feel-good phrase; books have to be under a CC-BY (or CC-BY-SA?) license, in XML format. They're supposed to be modularized and conform to state and W3C accessibility guidelines. Faculty would not be required to use the free books."

(Related) Is this the way eBooks (eTextbooks in particular) should work?
Why a 17th-Century Text Is the Perfect Starting Point for Reinventing the Book
Good morning, class. I'd like you all to open your books to Act I, Scene 2, Line 398.
Pages rustle as everyone flips through their books in search of that spot.
"Usually there's a whole lot of shuffling," says Bryn Mawr professor Katharine Rowe. But not if the class is using an app she and Notre Dame professor Elliott Visconsi built. [A bit pricy at $9.99 but less than a textbook Bob] In their app of Shakespeare's Tempest students can just enter "1.2.398" and be transported there immediately. Or, alternatively, search for the words: "Full fathom five thy father lies."
… The features of their Tempest app go far, far beyond search. Readers can listen to actors perform the script (and the text will scroll along as they do). For key passages, they can compare a set of alternative theatrical interpretations. They can see expert commentaries embedded in the text's margins. Teachers can leave their own comments and questions for their students. Students can respond, ask questions, and chat about the text. It is a fully realized digital book, an embodiment of a pedagogy that values interaction between a reader and an author and among readers themselves.


Again, some bits and clips, just for my amusement...
Bret Victor has responded to Khan Academy’s new computer science curriculum with an amazing essay, Learnable Programming. This is a must-read. My favorite quote: “For fuck’s sake, read ‘Mindstorms’.” Indeed. I’m really really really hoping that, having claimed to have been so inspired by Victor’s Inventing on Principle talk, that everyone who’s now building a learn-to-program startup (whether it’s a for-profit like Codecademy or a not-for-profit like Khan Academy) actually reads some goddamn Seymour Papert. Please.
… Math teacher Dan Meyer has released some updates to 101questions, his math site that lets you explore and respond to videos and photos that in turn prompt math-related questions and, in Meyer’s words, “perplexity.” New features to 101questions include file uploading and downloading and better sharing.

Friday, September 28, 2012

“Ontogeny recapitulates phylogeny.” Each new generation of technology comes first with demonstrations of new capabilities. Each generation forgets that vulnerabilities persist, even if they would rather not be bothered...
Summer Camp for the Car-Virus Squad
Some of the world’s cyber security experts – and many antivirus software vendors – warn that the proliferation of the connected car will be a prime target for hackers. Several university researchers have already shown that it’s relatively easy to access a car’s defenseless electronics system. Some have been able to surreptitiously listen to occupants’ conversation, while others have gone so far as to deploy something dubbed “Self Destruct,” in which a 60-second timer appears on a car’s dashboard display, and when it reaches zero the virus turns off the car’s lights, locks the doors, shuts down the engine, and slams on the brakes.
Battelle, the self-described world’s largest nonprofit R&D organization, took a novel approach to confront such car-hacking scenarios, hosting a summer camp for students to solve car-security challenges – and enjoy some nighttime movies and s’mores in the process.


“We guarantee this is safe.. Except when we don't.”
Hackers Breached Adobe Server in Order to Sign Their Malware
The ongoing security saga involving digital certificates got a new and disturbing wrinkle on Thursday when software giant Adobe announced that attackers breached its code-signing system and used it to sign their malware with a valid digital certificate from Adobe.
Adobe said the attackers signed at least two malicious utility programs with the valid Adobe certificate. The company traced the problem to a compromised build server that had the ability to get code approved from the company’s code-signing system.
Adobe said it was revoking the certificate and planned to issue new certificates for legitimate Adobe products that were also signed with the same certificate, wrote Brad Arkin, senior director of product security and privacy for Adobe, in a blog post.
… The company said it had good reason to believe the signed malware wasn’t a threat to the general population, and that the two malicious programs signed with the certificate are generally used for targeted, rather than broad-based, attacks. [“generally” Bob]
Arkin identified the two pieces of malware signed with the Adobe certificate as “pwdump7 v7.1″ and “myGeeksmail.dll.” He said that the company passed them on to anti-virus companies and other security firms so that they could write signatures to detect the malware and protect their customers, according to the post.
Adobe didn’t say when the breach occurred, but noted that it was re-issuing certificates for code that was signed with the compromised signing key after July 10, 2012. Also, a security advisory the company released with its announcement showed that the two malicious programs were signed on July 26 of this year. Adobe spokeswoman Liebke Lips told Wired that the company received the two malicious samples on the evening of Sept. 12 [Why didn't Adobe detect this? Bob] and immediately began the process of deactivating and revoking the certificate.
The company said the certificate will be re-issued on Oct. 4, but didn’t explain why it would take that long.
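What does “revoking the certificate” and “re-issuing certificates for code signed after July 10” actually mean for a binary sitting on a customer’s disk? The verifier has to decide, per file, whether the signature predates the cut-off, and it can only do that if the signing time comes from a trusted timestamp-authority countersignature. A time the signer asserts itself is worthless here: whoever owned the build server could have stamped any date. Below is an added example of that decision logic (my code, not Adobe’s, and not how any particular verifier implements it); the certificate serials and file names other than the two Adobe named are constructed, and the July 10 cut-off and July 26 signing date are the ones reported in the article.

```python
"""Added example (not Adobe's code): what revoking a code-signing
certificate with a cut-off date means for binaries already in the field.
Serial numbers and most file names below are constructed; the dates are
the ones reported in the Adobe advisory coverage above."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Set

UTC = timezone.utc


@dataclass(frozen=True)
class SignedBinary:
    name: str
    signer_serial: str
    # Signing time taken from a trusted timestamp-authority countersignature.
    # None means there is no countersignature (or only a self-asserted time,
    # which an attacker on the build server could have set to anything).
    timestamped_at: Optional[datetime]


@dataclass(frozen=True)
class Revocation:
    serial: str
    not_after: datetime   # issuer's cut-off: signatures after this are untrusted


def evaluate(binary: SignedBinary, trusted: Set[str],
             revoked: Dict[str, Revocation]) -> str:
    """Return one verdict string; the order of the checks matters."""
    if binary.signer_serial not in trusted:
        return "untrusted-signer"
    rev = revoked.get(binary.signer_serial)
    if rev is None:
        return "valid"
    if binary.timestamped_at is None:
        # Nothing proves the signature predates the compromise, so it has to
        # be treated as if it were made after it.
        return "revoked-no-trusted-timestamp"
    if binary.timestamped_at < rev.not_after:
        return "valid-signed-before-cutoff"
    return "revoked-signed-after-cutoff"


# Constructed inventory.  "cert-A" stands in for the compromised signing
# certificate; "cert-Z" is a certificate this verifier has never trusted.
TRUSTED = {"cert-A"}
REVOKED = {"cert-A": Revocation("cert-A", datetime(2012, 7, 10, tzinfo=UTC))}
INVENTORY = [
    SignedBinary("legit_product.exe", "cert-A", datetime(2012, 6, 1, tzinfo=UTC)),
    SignedBinary("pwdump7 v7.1", "cert-A", datetime(2012, 7, 26, tzinfo=UTC)),
    SignedBinary("myGeeksmail.dll", "cert-A", datetime(2012, 7, 26, tzinfo=UTC)),
    SignedBinary("untimestamped_tool.exe", "cert-A", None),
    SignedBinary("other_vendor.exe", "cert-Z", datetime(2012, 7, 1, tzinfo=UTC)),
]


def audit_inventory(inventory=INVENTORY) -> Dict[str, str]:
    """Verdict for every binary on the (constructed) host."""
    return {b.name: evaluate(b, TRUSTED, REVOKED) for b in inventory}
```

Two caveats a practitioner would want stated: the cut-off is only as good as the incident timeline behind it (Adobe chose July 10, which implies they believe the build server was clean before then), and anything legitimately signed without a countersignature lands in the same “revoked” bucket as the malware, which is why the re-signing of good products has to happen before the old certificate is actually pulled.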


Continuing the quest to surveil everyone, anywhere...
US Department of Homeland Security looking for (more than) a few good drones
The US Department of Homeland Security this week issued a call for unmanned systems makers to participate in a program that will ultimately determine their safety and performance for use in first responder, law enforcement and border security situations.
In a twist that will certainly raise some eyebrows, the results of the ironically named program -- The Robotic Aircraft for Public Safety (RAPS) -- will remain unavailable to the public, which, considering how involved the actual public may be with these drones, is, shall we say, unfortunate. Specifically the DHS says: "The information within each test report will be classified as For Official Use Only, and will not be shared with the general public. All company-restricted information will remain proprietary to the SUAS provider, and not shared publicly without explicit consent."


I'm shocked I tell you!
New Justice Department Documents Show Huge Increase in Warrantless Electronic Surveillance
September 27, 2012 by Dissent
Naomi Gilens writes:
Justice Department documents released today by the ACLU reveal that federal law enforcement agencies are increasingly monitoring Americans’ electronic communications, and doing so without warrants, sufficient oversight, or meaningful accountability.
The documents, handed over by the government only after months of litigation, are the attorney general’s 2010 and 2011 reports on the use of “pen register” and “trap and trace” surveillance powers. The reports show a dramatic increase in the use of these surveillance tools, which are used to gather information about telephone, email, and other Internet communications. The revelations underscore the importance of regulating and overseeing the government’s surveillance power. (Our original Freedom of Information Act request and our legal complaint are online.)
Read more on ACLU’s blog.


...not completely thought through?
Editorial: School computer rules would delete civil rights
September 27, 2012 by Dissent
An editorial in the Fairfield Citizen includes:
… in its stampede to secure federal money to protect students from both pornography and each other, the Fairfield Board of Education seems to have given little if any thought to the civil rights of students and their parents.
Proposed revisions to the schools’ Internet policy would include not only school equipment and networks, but personally owned equipment, too. The plan is so broad it raises alarming questions about rights of privacy, free speech — even freedom of religion.
Read more on Fairfield Citizen.
[From the article:
The revision states that personally owned equipment used for school purposes "will be treated as district technology resources."
Moreover, the policy states, students "should not have any expectation of personal privacy in the use of these resources."


An interesting exchange...
Fifth Circuit Cell-Site Case: Magistrate Judge Smith Responds and Defends His Decision
September 28, 2012 by Dissent
Orin Kerr writes:
Although I wasn’t planning to post any more on the Fifth Circuit cell-site case, I happened to notice that Magistrate Judge Smith recently posted a new essay on SSRN that is in significant part a response to my amicus brief and my criticisms of his decision. I thought it only fair to point readers to his paper and explore Smith’s argument in some detail. I’ll then offer my thoughts in response at the end.
In his essay, Standing Up for Mr. Nesbitt, forthcoming in the University of San Francisco Law Review, Smith argues that magistrate judges must “stand up” and protect ordinary citizens from “an increasingly surveillance-happy state” because “Congress and the Supreme Court have yet to do so.” None of the three branches of government are standing up to protect the ordinary citizen, Smith argues. The Executive Branch can’t regulate itself, and Congress has not addressed some important issues effectively. The Supreme Court has failed to step in, too, as it has hardly touched electronic privacy and it has expressed caution about its own role in recent decisions. With all three branches failing to protect the ordinary citizen, Smith argues, magistrate judges must step in and “play goalie for the missing side.” That is, magistrate judges must correct for the failures of the three branches by representing the side of the target of the investigation.
Read more on The Volokh Conspiracy.


Perspective A rather steep growth curve...
September 27, 2012
IBM - What is Big Data?
"What is big data? Every day, we create 2.5 quintillion bytes of data — so much that 90% of the data in the world today has been created in the last two years alone. This data comes from everywhere: sensors used to gather climate information, posts to social media sites, digital pictures and videos, purchase transaction records, and cell phone GPS signals to name a few. This data is big data."


Perspective Another interesting growth curve...
Instagram Use Is Exploding
In just six months, Instagram use has more than septupled, growing from around 900,000 people per day to around 7.3 million, according to ComScore. The photo-sharing app’s astonishing growth underscores the growing momentum of mobile-native apps, and the potential of said apps to open wide leads over traditional websites.
Instagram effectively has no website; though the social network’s photos live on the web, it can only be driven through mobile app. Like the popular check-in service Foursquare, Instagram is truly native to mobile and specifically to smartphones. Even before evidence of Instagram’s amazing six-month growth spurt, Silicon Valley entrepreneurs and venture capitalists were becoming obsessed with the mobile frontier and with the potential of mobile-first development. Much as bricks-and-mortar companies raced to develop web strategies in the mid 1990s, today’s web properties, including relative newcomers like Facebook, are racing to draw up aggressive attack plans for mobile.
Even Twitter, whose roots are in mobile phones, is being eclipsed by mobile-native Instagram. Comscore says that in the U.S., Instagram’s 7.3 million daily web and app users in August surpassed Twitter’s 6.9 million daily web and app users, the first time that’s happened (see chart). As Mike Isaac of All Things D wrote of the switch, “the massive shift in user traffic to mobile devices is a real thing.”


Tools for my geeks?
"News outlets are reporting that AMD has partnered with BlueStacks to bring Android apps to AppZone Player, something that will apparently allow the more than 500,000 mobile apps to run on your PC. From their announcement: 'What's special about the player on AMD-based products? There are many challenges with running apps that were originally designed for phones or tablets on a PC that in most cases has a larger screen and higher resolution display. To solve this, BlueStacks has designed and optimized the player for AMD Radeon graphics and in particular, our OpenGL drivers found in our APUs and GPUs so you get a great 'big-screen' experience. Additionally, the apps are integrated into AppZone, our online showcase and one-stop-shop for apps accelerated by AMD technology.' Unfortunately this appears to only work on AMD-based PCs (although nowhere does it say that it won't work on Intel CPUs or non-Radeon GPUs). Also no word on how they overcame the difference between a mouse and touchscreen (think pinch to zoom)."

Thursday, September 27, 2012

Because this has the potential to impact US infrastructure, shouldn't this be investigated as a potential act of war? At least as preparation for a terrorist attack. (Or just to avoid me telling the world, “I told you so!”)
Maker of Smart-Grid Control Software Hacked
The maker of an industrial control system designed to be used with so-called smart grid networks disclosed to customers last week that hackers had breached its network and accessed project files related to a control system used in portions of the electrical grid.
Telvent, which is owned by Schneider Electric, told customers in a letter that on Sept. 10 it learned of the breach into its network. The attackers installed malicious software on the network and also accessed project files for its OASyS SCADA system, according to KrebsOnSecurity, which first reported the breach.
According to Telvent, its OASyS DNA system is designed to integrate a utility’s corporate network with the network of control systems that manage the distribution of electricity and to allow legacy systems and applications to communicate with new smart grid technologies. [And vice versa? Bob]
The breach raises concerns that hackers could embed malware in project files to infect the machines of program developers or other key people involved in a project. One of the ways that Stuxnet spread — the worm that was designed to target Iran’s uranium enrichment program — was to infect project files in an industrial control system made by Siemens, with the aim of passing the malware to the computers of developers.
Peterson says this would also be a good way to infect customers, since vendors pass project files to customers and have full rights to modify anything in a customer’s system through the project files.
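If project files are the carrier, the customer side needs a way to tell whether the bundle it received is the bundle the vendor built. As an added example (my code, not Telvent’s, Schneider’s or Siemens’), here is a keyed integrity manifest: the vendor hashes every file in the project tree and MACs the listing with a release key; the receiving engineer checks the MAC, then compares the tree, before opening anything in the engineering tool. The directory layout, file contents and manifest format (JSON plus HMAC-SHA256) are constructed assumptions.

```python
"""Added example, not Telvent's, Schneider's or Siemens' code: a keyed
integrity manifest for a set of project files, so the receiving side can
tell whether anything was changed, added or dropped.  File names and
contents are constructed; the manifest format is an assumption."""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict


def _sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _tree_hashes(root: str) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = _sha256_file(full)
    return hashes


def build_manifest(root: str, key: bytes) -> bytes:
    """Vendor side: hash every file, then MAC the canonical listing."""
    body = json.dumps(_tree_hashes(root), sort_keys=True,
                      separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def verify_manifest(root: str, manifest: bytes, key: bytes) -> dict:
    """Receiving side: check the MAC first, then compare the tree."""
    body, _, tag = manifest.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return {"ok": False, "reason": "bad-mac",
                "modified": [], "added": [], "missing": []}
    listed = json.loads(body)
    actual = _tree_hashes(root)
    modified = sorted(p for p in listed if p in actual and actual[p] != listed[p])
    added = sorted(p for p in actual if p not in listed)      # planted files
    missing = sorted(p for p in listed if p not in actual)
    ok = not (modified or added or missing)
    return {"ok": ok, "reason": "ok" if ok else "tree-mismatch",
            "modified": modified, "added": added, "missing": missing}


def demo() -> dict:
    """Constructed scenario: build a manifest for a small project tree, then
    tamper with one file, plant a new one, and corrupt the manifest itself."""
    key = b"vendor-release-key-assumed"
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "rtu"))
        with open(os.path.join(root, "project.xml"), "w") as f:
            f.write("<project name='substation-7'/>")
        with open(os.path.join(root, "rtu", "points.csv"), "w") as f:
            f.write("tag,addr\nBRK1,40001\n")
        manifest = build_manifest(root, key)       # kept outside the tree
        results["clean"] = verify_manifest(root, manifest, key)
        with open(os.path.join(root, "rtu", "points.csv"), "a") as f:
            f.write("BRK2,40002\n")                 # silent edit in transit
        with open(os.path.join(root, "helper.dll"), "wb") as f:
            f.write(b"MZ\x90\x00")                  # planted file
        results["tampered"] = verify_manifest(root, manifest, key)
        forged = manifest[:-1] + (b"0" if manifest[-1:] != b"0" else b"1")
        results["forged_manifest"] = verify_manifest(root, forged, key)
    return results
```

The MAC key has to live on a release host that the engineering workstations and the build server cannot reach; if it sits on the same server the attacker already owns, they simply re-MAC their modified listing. That is exactly the lesson of the Adobe item above: a signature only tells the recipient that whoever held the key approved the file. It also says nothing about project files that were already malicious when the vendor hashed them, which is the Stuxnet-style scenario the article describes.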

(Related) I think...
September 26, 2012
US: CFIUS Review
US: CFIUS Review - Robert Schlossberg and Christine Laciak, Freshfields Bruckhaus Deringer US LLP
  • "The national security review process in the United States – often referred to as the Exon–Florio or CFIUS review process, after the relevant authorising statute and enforcement agency, respectively – has existed for decades. It originally focused, at least in practice, on the acquisition by foreign companies of US businesses directly or indirectly supplying the US Department of Defense, but especially after the 9/11 terrorist attacks, the concept of national security – and therefore the types of transactions subject to review under the regime – was broadened by statute and in practice. Today, the national security review process can be an important part of many transactions, even though it remains voluntary. Examples of industries in which notifications have been made include computers, network security, cyber systems, energy (development and transport), semiconductors, aerospace, telecommunications, optics, robotics, mining and natural resources, plastics and rubber, automotive, financial services, coatings and adhesives, chemicals, and steel."


Because everyone needs a “Personal Surveillance Tool” I think a helicopter would be most useful, since I could mount a shotgun for hunting and then swoop down to retrieve my kill. Duck soup anyone?
Everyone Who Wants a Drone Will Have One Soon
… Drones are not like the atomic bomb. There won't be a day when suddenly we realize that a horrible new weapon has changed the world forever. Instead, one day we'll wake up and there'll have been a terrorist attack by a swarm of drones launched by hand from a park across the Potomac from Washington, DC, and no one will know where they came from or who sent them. We'll wake up one day to a drone peering in our window as preparation for a common burglary.
The price of these unmanned aerial vehicles is plummeting from two sides. On the one hand, you've got the toys like the $70 iHelicopter you control with an iPhone. This little guy even has two plastic missiles you can fire!
There are already pretty good surveillance drones, too. Like this $300 Parrot AR.Drone.2.0, which can shoot HD video. You control it with an iPad.


Does this automatically make him a drone target?
"The U.S. military has designated Julian Assange and WikiLeaks as enemies of the United States — the same legal category as the al-Qaeda terrorist network and the Taliban insurgency. Declassified US Air Force counter-intelligence documents, released under US freedom-of-information laws, reveal that military personnel who contact WikiLeaks or WikiLeaks supporters may be at risk of being charged with 'communicating with the enemy.'"


How they do it?
September 26, 2012
EFF: Facebook and Datalogix - What's Actually Getting Shared and How You Can Opt Out
EFF: "We’ve been seeing a range of reports about Facebook partnering up with marketing company Datalogix to assess whether users go to stores in the physical world and buy the products they saw in Facebook advertisements. A lot of the reports aren’t getting into the nitty gritty of what data is actually shared between Facebook and Datalogix, so the goal of this blog post is to dive into the details. We’re glad to see that Facebook is taking a number of steps to avoid sharing sensitive data with Datalogix, but users who are uncomfortable with the program should opt out (directions). Hopefully, reporting on this issue will make more people aware of how our shopping data is being used for a lot more than offering us discounts on tomato soup. Datalogix is an advertising metrics company that describes its data set as including “almost every U.S. household and more than $1 trillion in consumer transactions.” It specifically relies on loyalty card data – cards anyone can get by filling out a form at a participating grocery store."


“Oops, we're sorry (for getting caught).”
"In the latest installment of the megaupload saga, an official study has determined that New Zealand's Government Communications and Security Bureau broke NZ law by spying on Megaupload founder Kim Dotcom. NZ Prime Minister John Key has apologised to Dotcom and all New Zealanders for this, saying they were entitled to be protected by the law but it had failed them. Link is to writeup in The Guardian."
Lots of outlets are reporting this, based on TorrentFreak's report.
[From the article:
The illegal surveillance may deal another blow to the US extradition case after a New Zealand court ruled in June that search warrants used in the raid on Dotcom's home were illegal.
… Dotcom maintains that the Megaupload site was merely an online storage facility, and has accused Hollywood of lobbying the US government to prosecute him.
American authorities are appealing against a New Zealand court decision that Dotcom should be allowed to see the evidence on which the extradition hearing will be based.


This is what happens when entry-level employees are in charge...
Microsoft is facing the unpleasant end of the European Commission antitrust blunderbuss, with the company now in line for a potentially huge fine over browser choice missteps. The EC confirmed it was investigating the software firm back in July, after an agreed-upon browser choice page failed to be shown to 28m PC users; now, Reuters reports, the EC will open a formal proceeding that will decide the extent of the penalty.


Perspective Remember, the US is around #39 on the list of Internet connection speeds. It's going to be hard to compete if we don't jump ahead a few generations of technology.
"Sorry, everybody: terabit Ethernet looks like it will have to wait a while longer. The IEEE 802.3 Industry Connections Higher Speed Ethernet Consensus group met this week in Geneva, Switzerland, with attendees concluding—almost to a man—that 400 Gbits/s should be the next step in the evolution of Ethernet. A straw poll at its conclusion found that 61 of the 62 attendees that voted supported 400 Gbits/s as the basis for the near term 'call for interest,' or CFI. The bandwidth call to arms was sounded by a July report by the IEEE, which concluded that, if current trends continue, networks will need to support capacity requirements of 1 terabit per second in 2015 and 10 terabits per second by 2020. In 2015 there will be nearly 15 billion fixed and mobile-networked devices and machine-to-machine connections."

(Related) Virtual networks for virtual servers. Tools for the Cloud...
Ex-Amazon Genius Joins Battle for the Future of Networking
Giuseppe de Candia is the first name listed on a document that remade the internet. And now he wants to remake it all over again.
Known as “Pino” among friends and colleagues, de Candia was part of a small team of computer scientists at Amazon.com who created Dynamo, a means of storing vast amounts of data across a sea of computer servers. The team originally built Dynamo to power the Amazon shopping cart, but after publishing a research paper describing the technology in 2007, they helped spawn a new breed of database that was soon running many of the net’s largest sites, including Facebook, Twitter, Netflix, and Reddit.
Together with a handful of engineers at Google — who published a paper on an equally massive database called BigTable — de Candia is one of the founding fathers of the NoSQL movement, whose influence now extends well beyond the big-name websites, stretching into the data centers that underpin all sorts of businesses.
“If you look at every NoSQL solution out there, everyone goes back to the Amazon Dynamo paper or the Google BigTable paper,” says Jason Hoffman, the chief technology officer at the San Francisco-based cloud computing outfit Joyent. “What would the world be like if no one at Google or Amazon ever wrote an academic paper?”


A tool is just a tool. I have no further comment (I'm too busy with extensive testing)
"The company behind the .xxx top-level domain plans to launch a search engine in an effort to drive more traffic to .xxx websites and give pornography fans a more satisfying search experience. ICM Registry, which operates the 9-month-old .xxx TLD, is scheduled to launch Search.xxx this week, said Stuart Lawley, ICM's CEO. The new search engine will give users a more streamlined searching process, help protect them from viruses and malware and help guard their privacy, he said. The search engine has cataloged 21 million webpages from .xxx sites, he said. 'It's porn, only porn, all porn,' he said. 'There's as much porn there as anyone would need, I'd imagine.'"


A 'heads up!' for your Help Desk... LibreOffice is free
"Google today announced a huge change for Google Apps, including its Business, Education, and Government editions. As of October 1, users will no longer have the ability to download documents, spreadsheets, and presentations in old Microsoft Office formats (.doc, .xls, .ppt)."
The perils of cloud computing; LibreOffice will probably be the best conversion utility at that point. Apropos: Reader akumpf writes with an essay about the dangers of letting our data and our tools be hosted by the same provider.


Perspective Perhaps driving is not stimulating enough without Texting? My Math classes need to be augmented with “Angry Birds” and “Bad Piggies?”
"Doug Gross writes that thanks to technology, there's been a recent sea change in how people today kill time. 'Those dog-eared magazines in your doctor's office are going unread. Your fellow customers in line at the deli counter are being ignored. And simply gazing around at one's surroundings? Forget about it.' With their games, music, videos, social media and texting, smartphones 'superstimulate,' a desire humans have to play when things get dull, says anthropologist Christopher Lynn and he believes that modern society may be making that desire even stronger. 'When you're habituated to constant stimulation, when you lack it, you sort of don't know what to do with yourself ...,' says Lynn. 'When we aren't used to having down time, it results in anxiety. Oh my god, I should be doing something.' And we reach for the smartphone. It's our omnipresent relief from that.' Researchers say this all makes sense. Fiddling with our phones, they say, addresses a basic human need to cure boredom by any means necessary. But they also fear that by filling almost every second of down time by peering at our phones we are missing out on the creative and potentially rewarding ways we've dealt with boredom in days past. 'Informational overload from all quarters means that there can often be very little time for personal thought, reflection, or even just 'zoning out,'" researchers write. 'With a mobile (phone) that is constantly switched on and a plethora of entertainments available to distract the naked eye, it is understandable that some people find it difficult to actually get bored in that particular fidgety, introspective kind of way.'"

(Related)
Bad Piggies Is A Hit, Taking Just 3 Hours To Hit The Top Spot In The U.S. App Store



For my Geeks...
… By heading to the Try Office Preview website you can download the software to your computer.
… After clicking Try and selecting your country, you’ll be prompted to sign in. Installation will require you to have a Microsoft account – namely, one ending in @msn.com, @live.com or @hotmail.com (local variants such as .co.uk are also included). If you don’t have a Microsoft account, click the Sign up button and follow the steps to set one up.
… Microsoft Office 2013 Preview is a good upgrade to the previous releases, ideal for use on either a Windows 7 or a Windows 8 computer. The installation procedure is frustratingly streamlined, however, resulting in an inability to specify your preferred installation location. Similarly, removing the software relies on an Internet connection to deactivate. Given that Windows 8 also features an online activation and heavy use of the cloud, it is likely that this arrangement is here to stay.

Wednesday, September 26, 2012

You don't have to do anything to be a target. And there is nothing you can do to avoid being a target.
Wells Fargo is latest bank to be hit by cyberattacks
Wells Fargo is the most recent mega-bank to be hit by a distributed denial-of-service attack. According to the Wall Street Journal, roughly 220 customers filed complaints of outages on its Web site today saying they had problems logging on.
"The amount of bandwidth that is flooding the websites is very large, much larger than in other attacks, and in a sense unprecedented," chief executive of private security firm CrowdStrike Dmitri Alperovitch told the Wall Street Journal.
Last week, similar attacks happened on J.P. Morgan Chase and Bank of America's Web sites.


Not the first “professional” organization with unprofessional levels of security.
IEEE leaks 100,000 members’ usernames and plain-text passwords (updated)
September 25, 2012 by admin
Seen on Slashdot, Radu Dragusin writes:
IEEE suffered a data breach which I discovered on September 18. For a few days I was uncertain what to do with the information and the data. Yesterday I let them know, and they fixed (at least partially) the problem. The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery.
Radu provides additional details about the leak and his analyses of exposed data on IEEElog.
This is not IEEE’s first breach involving members’ information. A November 2010 hack affecting 828 members was disclosed in February 2011. And in April 2011, some members who signed up for life insurance underwritten by NY Life Insurance were notified that a mailing error by Marsh U.S. Consumer exposed some of their information to other members.
Update: Oh hell…. I won’t post links, but it has been pointed out that IEEE’s log files have been mirrored in a number of places on the Internet. If you’re an IEEE member, you may want to search to see what information about you has been exposed.


Strange: This seems to be a “first” although I can't think of a good (or even a bad) reason to do it. (and I'm not sure what “force” is required...)
fermion writes with news of Windows computers being forcefully liberated:
"The campaign headquarters of Michael Grimm, a U.S. House of Representatives member from New York, were vandalized. What has not been reported everywhere is that Linux was installed on one of his computers, erasing data in the process. Is this a new attack on democracy by the open source radicals, or is it just a random occurrence?"
From the article: "'In fact, one officer said to me today they see this as a crime against the government, because I am a sitting United States congressman and they take it very seriously. [Unlike crimes against us 'second class' citizens Bob] You know, especially in light of what happened with Gabby Giffords, we're not in the world today where we can shrug things off,' Grimm said. ... [GNU/]Linux, an open-source operating system, was installed on Grimm's computers, erasing the hard drive contents, which included polling and voter identification data. But staff had backed up the hard drive contents hours beforehand. Grimm and his staffers said the vandalism — cement blocks were thrown through the office's windows — is a cover-up for the attacks on the computers."


I think I've linked to this report earlier...
Drones Subject to GPS Spoofing, Privacy ‘Abuses,’ GAO Report Warns
The Government Accountability Office is warning Congress that its push for drones to become commonplace in U.S. airspace fails to take into account concerns surrounding privacy, security and even GPS jamming and spoofing.
The GAO, Congress’ research arm, was responding to the FAA Modernization and Reform Act of 2012, signed by President Barack Obama in February, which among other things requires the Federal Aviation Administration to accelerate drone flights in U.S. airspace.
… But there’s a concerted push to expand the commercial use of drones for pipeline, utility, and farm fence inspections; vehicular traffic monitoring; real-estate and construction-site photography; relaying telecommunication signals; fishery protection and monitoring; and crop dusting, according to the report (.pdf), which was distributed to lawmakers earlier this month.
… Among other things, the report urged the Transportation Security Administration [God help us! Bob] to come up with a plan to secure operation centers for unmanned drones, recommended the government formulate privacy protections to head off “abuses” and also pointed out safety concerns that need to be addressed regarding GPS spoofing and jamming.
In a GPS jamming scenario, the UAS could potentially lose its ability to determine its location, altitude, and the direction in which it is traveling. Low-cost devices that jam GPS signals are prevalent. This problem can be mitigated by having a second or redundant navigation system onboard the UAS that is not reliant on GPS, which is the case with larger UAS typically operated by DOD and DHS.
… “Once the authentic (original) GPS signal is overpowered, the UAS is under the control of the ‘spoofer.’ This type of scenario was recently demonstrated by researchers at the University of Texas at Austin at the behest of DHS.”
The report comes three months after it was revealed that there are 64 drone bases on U.S. soil, with several private companies cleared to operate them. As for legal protections for citizens, “there is very little in American privacy law that prohibits drone surveillance within our borders,” points out Ryan Calo, the director for Privacy and Robotics at the Stanford Center for Internet and Society.
… According to the EFF:
The Seattle Police Department’s drone comes with four separate cameras, offering thermal infrared video, low light ‘dusk-dawn’ video, and a 1080p HD video camera attachment. The Miami-Dade Police Department and Texas Department of Public Safety have employed drones capable of both daytime and nighttime video cameras, and according to the Texas Department of Public Safety’s Certificate of Authorization (COA) paperwork, their drone was to be employed in support of ‘critical law enforcement operations.’
The report noted that commercial and government drone expenditures could top $89 billion over the next decade.

(Related) I think this one is new...
"In 'Living Under Drones,' investigators from Stanford and NYU Law Schools report on interviews with 130 people in Pakistan about U.S.-led drone attacks there, including 69 survivors and family members of victims. The report affirms Bureau of Investigative Journalism numbers that count '474 to 884 civilian deaths since 2004, including 176 children' while 'only about 2% of drone casualties are top militant leaders.' It also argues that the attacks violate international law and are counterproductive, stating: 'Evidence suggests that US strikes have facilitated recruitment to violent non-state armed groups, and motivated further violent attacks.' One major study shows that 74% of Pakistanis now consider the U.S. an enemy."
[From the report:
In the United States, the dominant narrative about the use of drones in Pakistan is of a surgically precise and effective tool that makes the US safer by enabling “targeted killing” of terrorists, with minimal downsides or collateral impacts.[1]
This narrative is false.

(Related)
Appeals Court Caves to TSA Over Nude Body Scanners
A federal appeals court on Tuesday said it was giving the Transportation Security Administration until the end of March to comport with an already 14-month-old order to “promptly” hold public hearings and take public comment concerning the so-called nude body scanners installed in U.S. airport security checkpoints.
The public comments and the agency’s answers to them are reviewable by a court, which opens up a new avenue for a legal challenge to the agency’s decision to deploy the scanners. Critics maintain the scanners, which use radiation to peer through clothes, are threats to Americans’ privacy and health, which the TSA denies.

(Related) “First, you have to get the mule's attention...”
ACLU sues to get U.S. agencies' license plate tracking records
The American Civil Liberties Union today sued the U.S. government to get access to information about how authorities are using automated license plate readers to track people's movements and location.
The ACLU filed Freedom of Information Act requests on July 30 with the departments of Justice, Homeland Security, and Transportation to try to find out how much officials use the technology and how much it is paying to expand the program. Agencies are required by law to respond to FOIA requests within 20 working days, but more than a month later, only one DOJ office and a few DOT agencies have responded, according to the ACLU.


Surveillance down under...
"The Age reports on creeping Australian government surveillance, beginning with the first operation launched on a baseless rumor. Six decades later the still-unaware victim read five months of transcripts with deep distress. Two decades ago few Australians would have consented to carrying a government-accessible tracking device, but phone and tablet data accessible without a warrant includes historic and real-time location data. In 2010-2011 there were 250,000 warrantless accesses by Federal agencies including ASIO, AFP, the Tax Office, Defence, Immigration, Citizenship, Health, Ageing, and Medicare. This is 18 times the rate of similar requests in the U.S."


Do we get the Feds involved because there are no state laws making this illegal?
September 25, 2012
FTC Action Halts Computer Spying by Illinois Companies
News release: "Seven rent-to-own companies and a software design firm have agreed to settle Federal Trade Commission charges that they spied on consumers using computers that consumers rented from them, capturing screenshots of confidential and personal information, logging their computer keystrokes, and in some cases taking webcam pictures of people in their homes, all without notice to, or consent from, the consumers. The software design firm collected the data that enabled rent-to-own stores to track the location of rented computers without consumers’ knowledge according to the FTC complaint. The settlements bar the companies from any further illegal spying, from activating location-tracking software without the consent of computer renters and notice to computer users, and from deceptively collecting and disclosing information about consumers."


Interesting question.
"The Dutch Supreme Court has asked the European Court of Justice to decide whether downloading copyrighted material for personal use — even from illegal sources — is legal. At the heart of the debate is whether the European Copyright Directive requires that any new legal copy of material must have originated from a copy that is itself legal. The case tests the law in the Netherlands, where copyright holders are granted a levy on blank media in exchange for the legalization of private copying."
In the Netherlands, it is already legal to download from illegal sources. But EU law might conflict and trump that.


How to get the attention of a Global company?
"Judge Flavio Peren of Mato Grosso do Sul state in Brazil has ordered the arrest of the President of Google Brazil, as well as the 24-hour shutdown of Google and Youtube for not removing videos attacking a mayoral candidate. Google is appealing, but has recently also faced ordered fines of $500K/day in Parana and the ordered arrest of another executive in Paraiba in similar cases."
Early reports indicated that the judge also ordered the arrest of the Google Brazil President, but the story when this was written is that the police haven't received any such order (and an earlier such order was overruled recently). The video is in violation of their pre-election laws.


Sometimes laws make no sense to me...
"Microsoft's Quincy data center, physical home of Bing and Hotmail, was fined $210,000 last year because the data center used too little electricity. To avoid similar penalties for 'underconsumption of electricity' this year, the data center burned through $70,000 worth of electricity in three days."


Perspective Stay healthy people!
September 25, 2012
Kaiser - Visualizing Health Policy
"The latest infographic in the Visualizing Health Policy series examines health costs in the United States, including how costs have changed, how they compare to some other countries, and how they impact American families."


Since I'm surrounded by geeks...
It is an acronym that stands for Free Art and Technology, and this is where Open Source and pop culture come together.
This channel demonstrates the future of information and how it should be presented, because these days information is taking the visual route and statistics is no longer the dull science it used to be. [I beg your pardon? Bob]
There are loads of videos on animated infographics. If you are into visual design or image facilitation, this is inspiring stuff. I like the way the channel is described – Research findings in data visualization captured, streamed, animated… beautified!


Also a geek thing...
Binreader is designed for someone who wants a portable Usenet client that runs on anything. You can run it on Mac, Windows and Linux and it does not need any installation. It is incredibly easy to use and it uses almost no system resources.


This could be amusing. Perhaps I could have my students write a script for a commercial advertising their hacking skills (Hire me or else!)

(Related) ...and then they could make the video to complete the commercial...


Tuesday, September 25, 2012

A clever example of hacker misdirection or yet another example of “We don't need no stinking logs!”
Ah, less-than-sweet mysteries of life: when you can’t figure out if or how you were breached
September 24, 2012 by admin
How frustrating for everyone: St. Agnes Hospital in Baltimore learned that 40 of its physicians had become victims of ID theft. Hapless victims had their names and Social Security numbers used to create wireless telephone accounts that they knew nothing about until they started receiving overdue notices from creditors. [What? They sent the bills to some bogus address but the overdue notices to the doctors? Bob]
But despite its best efforts to identify any internal source of the breach, St. Agnes Hospital could not find any confirmation of a breach. [That's what happens when you don't log access Bob] In a letter to those affected, the text of which was submitted to the state last month, they write:
Once the reports were received, we reviewed all of the points of access and storage for this type of information in Saint Agnes systems. The only system that maintained the same information for all physicians making reports was the credentialing system. We conducted a careful access review and interviews and failed to detect unauthorized access, access after normal business hours, or any other suspicious activity in the system. We were unable to determine that there was a breach of any of our systems that allowed disclosure of the physicians’ personal data.
So what do you do when you suspect your organization has suffered a breach and you think you’ve narrowed it down to one part of your system, but you can’t find out how or when it happened? In this case, the hospital notified physicians that despite its inability to confirm any breach, given the seriousness of the problem, it intended to:
  • Review the list of users with access to sensitive personal data and minimize access where possible to only those who have a business need to access or review the information;
  • Refresh HIPAA privacy education in those departments routinely using physician information; and,
  • Investigate disguising or eliminating social security numbers in data systems where they are stored.
That’s nice, but shouldn’t they have been doing all of that already? [Yes! Bob] And how about running more extensive criminal background checks on employees who could be simply writing down names and SSNs as they access data for their routine job duties? We’ve seen too many insider breaches in hospitals. Usually it’s patient data being sold, but why not physicians, too? [Doctors have huge incomes, patients have huge debts – who do you think is the more attractive target? Bob]
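The letter above describes a one-off manual review (who had access, anything after hours, anything suspicious). The same three questions, plus the "minimize access" step, can be asked of an access log repeatably. This is an added example, not the hospital's code: the log format, user names, business hours and bulk threshold are assumptions, and the audit log is constructed.

```python
"""Audit-log review modelled on the checks the Saint Agnes letter lists:
after-hours access, access by users without a business need, and unusually
broad access. Added example, not from the original post; the log format,
user names, hours and threshold are assumptions and the log is constructed.
"""
from collections import defaultdict
from datetime import datetime, time

# Roster of users whose job requires credentialing-system access (assumed).
AUTHORIZED = {"jdoe", "rlee", "msmith", "kwong"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed local business day
BULK_THRESHOLD = 20                           # distinct records/user/day

# Constructed audit log, one event per line:
# <ISO timestamp> <user> <action> <record>
CONSTRUCTED_LOG = "\n".join(
    [
        "2012-08-01T09:12:04 jdoe VIEW physician:1042",
        "2012-08-01T09:13:30 jdoe VIEW physician:1043",
        "2012-08-01T22:47:11 msmith VIEW physician:1042",          # after hours
        "2012-08-02T10:05:00 tmp_contractor VIEW physician:1100",  # not on roster
    ]
    # rlee walks a large part of the directory in one morning: 25 records
    + [f"2012-08-02T08:{m:02d}:00 rlee VIEW physician:{1000 + m}" for m in range(25)]
)


def parse_event(line):
    """Split one log line into a dict; raises ValueError on malformed input."""
    ts, user, action, record = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "record": record}


def review_access(log_text, authorized=AUTHORIZED,
                  hours=BUSINESS_HOURS, bulk_threshold=BULK_THRESHOLD):
    """Return a list of (finding_type, user, detail) tuples.

    Mirrors the questions the hospital's letter says it asked of the
    credentialing system, but as repeatable code rather than a one-off review.
    """
    findings = []
    records_per_user_day = defaultdict(set)
    start, end = hours
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        if ev["user"] not in authorized:
            findings.append(("unauthorized_user", ev["user"], raw))
        if not (start <= ev["ts"].time() < end):
            findings.append(("after_hours", ev["user"], raw))
        records_per_user_day[(ev["user"], ev["ts"].date())].add(ev["record"])
    # Breadth check: one user touching many distinct records in a day is the
    # trace an insider copying names and SSNs would leave, even when each
    # individual access looks like routine work.
    for (user, day), records in sorted(records_per_user_day.items()):
        if len(records) >= bulk_threshold:
            findings.append(("bulk_access", user,
                             f"{len(records)} distinct records on {day}"))
    return findings


def dormant_accounts(log_text, authorized=AUTHORIZED):
    """Authorized users with no activity in the log: candidates for the
    'minimize access' step, since unused access is exposure with no benefit."""
    active = {parse_event(l)["user"] for l in log_text.splitlines() if l.strip()}
    return sorted(authorized - active)


if __name__ == "__main__":
    for kind, user, detail in review_access(CONSTRUCTED_LOG):
        print(f"{kind:18} {user:15} {detail}")
    print("dormant:", dormant_accounts(CONSTRUCTED_LOG))
```

Against the constructed log this flags one after-hours view, one user not on the roster, and one user who read 25 distinct records in a day; the roster entry with no activity is reported as dormant.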


“It's not a failure, it's a feature!” I can hear Dr. Evil laughing...
A single line of code can apparently trigger an unstoppable factory-reset of the Samsung Galaxy S III, security researchers have discovered, with the potential for malicious websites to wipe out users’ phones. The hack was detailed by Ravi Borgaonkar at the Ekoparty security conference, with a simple USSD code – that could be sent from a website, or pushed to the handset by NFC or triggered by a QR code – that can reset the Galaxy S III or indeed other Samsung handsets.



The sad part is, he probably didn't think it was creepy...
"Has Immigration Minister Jason Kenney been emailing you? Maybe it's because you're gay. The minister sent out an email on Sept 24 lauding the government's efforts to protect and promote queer rights abroad. It highlights the 'emphasis . . . on gay and lesbian refugee protection, which is without precedent in Canada's immigration history.' The Ottawa Citizen's Glen McGregor broke the story, complete with reaction over the 'creepy' letter. For many who received an email from Citizenship and Immigration Minister Jason Kenney about gay refugees on Friday, the message raised one important question: How did he know I'm gay? The Conservatives have targeted written messages at minority communities in the past, most notably using direct mail lists to send out greetings to Jewish voters on religious holidays. Some recipients were alarmed by the prospect of the government assembling lists based on ethnicity or religious beliefs. Surely creating such a list will become easier when you are forced to use your real identities on social sites."


It's not uncommon to make ridiculous proposals with the assumption that they will be “corrected” before legislation is approved. History tells us otherwise...
Leak reveals EU surveillance of communications
September 24, 2012 by Dissent
Nerea Rial reports:
The CleanIT project was funded by the European Commission’s Home Affairs Directorate in order to reduce the impact of the terrorist use of internet, but a leaked document has shown that the initiative is not what it seems to be.
The main idea of the programme, in which the Dutch National Coordinator for Terrorism and Security, Spain, the UK, Belgium and Europol participate, among others, is to fight terrorism through voluntary self-regulatory measures under the law. However, the document shows how they rapidly forgot about European democracy and legislation.
Read more on New Europe.
[From the article at http://www.edri.org/cleanIT
The proposals urge Internet companies to ban unwelcome activity through their terms of service, but advise that these “should not be very detailed”. This already widespread approach results, for example, in Microsoft (as a wholly typical example of current industry practice) having terms of service that would ban pictures of the always trouserless Donald Duck as potential pornography (“depicts nudity of any sort ... in non-human forms such as cartoons”).
… Moving still further into the realm of the absurd, the leaked document proposes the use of terms of service to remove content “which is fully legal”... although this is up to the “ethical or business” priorities of the company in question what they remove. In other words, if Donald Duck is displeasing to the police, they would welcome, but don't explicitly demand, ISPs banning his behaviour in their terms of service. Cooperative ISPs would then be rewarded by being prioritised in state-funded calls for tender.


“Sure you have rights. In most cases, we just choose to ignore them.”
Do Users of Wi-Fi Networks Have Fourth Amendment Rights Against Government Interception?
September 24, 2012 by Dissent
Orin Kerr writes:
My earlier post on how the Wiretap Act applies to wireless networks triggered a lot of comments on how the Fourth Amendment might apply, so I thought I would have a post specifically on the matter. Here’s the question: Does governmental interception and analysis of the contents of a person’s wi-fi traffic constitute a Fourth Amendment search? And does it depend on whether the traffic is encrypted or unencrypted?
The answer turns out to be surprisingly murky. Because the Wiretap Act has been thought to protect wireless networks, the Fourth Amendment issue has not come up: There’s a surprising lack of caselaw on it. Second, there are plausible arguments on either side of the debate both for encrypted and unencrypted transmissions. So I wanted to run through the arguments, starting with the case of unencrypted communications and then turning to encrypted communications, and then ask which side readers find more persuasive.
Read more on The Volokh Conspiracy.


Is an “Emergency” what I think it is or anything you say it is?
Maine likely to consider cell phone location law that mandates companies provide info in an emergency
September 24, 2012 by Dissent
Mal Leary reports:
A law that requires cellphone providers to give law enforcement agencies the location of a person’s cellphone in an emergency is expected to be considered in Maine next year.
Eight states have adopted a version of the law, known as Kelsey’s Law.
“I fully expect we will see some version of it introduced,” said Rep. Anne Haskell, D-Portland, the lead Democrat on the Legislature’s Criminal Justice Committee and a former co-chair of the panel. “When we see other states passing a law, we usually see a Maine version introduced.”
Read more on the Portland Press Herald.


Boy, dat Facebook ting one great surveillance tool, aint' she?
Facebook Now Knows What You’re Buying at Drug Stores
September 24, 2012 by Dissent
Rebecca Greenfield writes:
In an attempt to give advertisers more information about the effectiveness of ads, Facebook has partnered with Datalogix, a company that “can track whether people who see ads on the social networking site end up buying those products in stores,” as The Financial Times‘s Emily Steel and April Dembosky explain. Advertisers have complained that Facebook doesn’t give them any way to see if ads lead to buying. This new partnership is their response, as it connects real-life buying with ads seen on the site. Specifically, the service links up the 70 million households worth of purchasing information that Datalogix has with these buyers’ Facebook profiles. Using that, they can compare the ads you see with the stuff you buy and tell advertisers whether their ads are working. Up until now, the social network has been limited to only tracking your Internet life (on and off Facebook.com) with its ubiquitous “like” buttons, but as promised, the future of Facebook is more focused on data, including tracking our offline habits.
Specifically, Datalogix gets its information from retailers like grocery stores and drug stores who keep careful records of what their customers who use their loyalty discount programs are buying. Datalogix’s site doesn’t list its partners, but from a Google search, it looks like the company has worked with CVS’s ExtraCare card program. Datalogix matches the email addresses and other identifying information in those databases to Facebook accounts.
Read more on The Atlantic Wire.
So… do you find that scary, helpful, or neither?

(Related)
FTC should examine Facebook-Datalogix partnership, privacy group says
September 25, 2012 by Dissent
Jeremy Kirk reports:
The U.S. Federal Trade Commission should analyze Facebook’s relationship with a data marketer to ensure it doesn’t violate the social networking site’s recently approved settlement, the Electronic Privacy Information Center said Monday.
Facebook is working with Datalogix, a company based in Colorado that specializes in collecting data from retailers using customer loyalty cards and linking those purchases to future advertising campaigns, The Financial Times reported. Datalogix links loyalty card holders to their Facebook accounts using shared information, such as email addresses, although the information is anonymized, the report said.
Facebook’s user guide says it only provides “data to our advertising partners or customers after we have removed your name or any other personally identifying information from it.”
Read more on CSO.


This confirms a lot of suspicions. Clearly the government is run by Twitts and apparently, not many people care what they Tweet. One person in 100 follows the White House, and the readers of number 50's Tweets might not even include all the employees...
September 24, 2012
FCW - The 50 most-followed agencies on Twitter
Federal Computer Week: "Twitter has quickly evolved from social media novelty to critical communications channel. This list shows which federal agencies have built the biggest audiences, and where the growth has been fastest over the past year. The data [in this article] was compiled by OhMyGov, a media and technology firm that specializes in providing advanced media intelligence for government agencies, congressional offices, lobbyists, and businesses working with government. Please note that for many agencies, follower totals for multiple Twitter accounts were combined to provide a better sense of total reach. All counts are as of Aug. 31, 2012."


Stunning! Well done, India!
Over in India there’s an extremely cheap Android tablet being deployed by the government to families, schools and more. We’ve talked about the Aakash tablet more than a few times, but this new and improved Aakash 2 tablet for just $35 is set to arrive throughout India starting next month.


For my Computer Forensics students?
"Today's handheld device is the mainframe of years past. An iPhone 5 with 64 GB of storage and the Apple A6 system-on-a-chip processor has more raw computing power than entire data centers had some years ago. With billions of handheld devices in use worldwide, it is imperative that digital forensics investigators and others know how to ensure that the information contained in them can be legally preserved if needed."
In Digital Forensics for Handheld Devices, author Eamon Doherty provides an invaluable resource on how one can obtain data, examine it and prepare it as evidence for court.
… Chapter 5 also has overviews of nearly 50 different forensic tools for every imaginable purpose.


I use LightShot to capture screen images both in the Firefox browser and on the desktop. LightShot does not capture video. Here are a few others...
Monday, September 24, 2012
Here are some free tools that you can use to create screen capture videos and images.


Sometimes you just want to let your students watch the boob tube so you can take a nap...
Monday, September 24, 2012


At last! Something to do with all those cellphones I confiscate in class... (At least, that's what I'm going to tell my students)
You can visit the Recycle Through USPS page on the USPS.com website and follow the four easy steps to find out how much your old cell phone is worth and to see if your items qualify for instant cash. Even if your device does not qualify for a buyback, you can use the free mail-back recycling envelopes at the locations to ship and dispose of the waste electronics.


...and all in less than 10 pages!
September 24, 2012
The Debunking Handbook - free download
"The Debunking Handbook, a guide to debunking misinformation, is now freely available to download. Although there is a great deal of psychological research on misinformation, there's no summary of the literature that offers practical guidelines on the most effective ways of reducing the influence of myths. The Debunking Handbook boils the research down into a short, simple summary, intended as a guide for communicators in all areas (not just climate) who encounter misinformation."


Perhaps it's not just a “New Jersey thing.” I have no doubt that my students also get very creative when I make them do endless hours of homework.