Saturday, October 13, 2012

A couple of examples of companies who have given no thought to handling a security breach and spent no time researching “Best Practices” once it occurred.
Somehow I doubt their Marketing Department was involved in these decisions. Has no one read “The Prince?”
TD Bank: Data loss affects about 260,000 U.S. customers
October 12, 2012 by admin
Jessica Hall continues to update the TD Bank backup tapes breach:
In Maine, 34,907 residents were affected, according to a letter sent to the attorney general from TD Bank. In Massachusetts, the Attorney General’s Office said more than 73,000 residents were affected. In Connecticut, 35,000 residents were affected, while Rhode Island had 500 residents and Maryland had 398 residents affected, according to the state attorney general.
Read more on Morning Sentinel.
As I tweeted earlier today, TD Bank made a bad decision, in my opinion, not to release the total number all at once in their original statement. The story’s staying in the news cycle as each new state discloses their numbers. So now we have a breach that was 6-month delayed in notification and what looks like an attempt to not reveal how bad it may have been. Not a good post-incident response plan.

(Related) Another breach the victim is trying to cover up? Those of us who track security breach stories will follow up until we know how many people were impacted, when and how the breach occurred, and (probably) why the company wouldn't come clean immediately – lots of conspiracy speculation here....
Korn/Ferry breach details emerge
October 12, 2012 by admin
Thanks to the California Attorney General’s Office, we now have some of the details on the Korn/Ferry breach, reported yesterday on this blog. Korn/Ferry is an executive recruiting firm.
In their sample notification, Thom Steinoff, CTO, writes:
We are writing to inform you about a recent incident involving our data network. We recently learned that we were the victim of a sophisticated cyber attack. We deeply regret that this incident occurred and take very seriously the security of our network.
But when did this “recent” incident occur? They don’t say at this point, but they indicate later that it may have gone on for months before they learned of it in August.
We began investigating the incident as soon as we learned of it.
How did they learn of it? They don’t say. And why did it take them months to learn of it? They don’t tell us that, either.
While our investigation is ongoing, we have determined that, although the affected databases were not designed or structured to receive sensitive personal information, a small percentage of the files nevertheless included an individual’s name in combination with his or her driver’s license number, government-issued identification number, Social Security number, credit card numbers or health information. It is important to note that we have no evidence that access to personal information was the goal of the attack. [And none to suggest otherwise Bob]
Korn/Ferry has already taken a number of steps to enhance the security of the relevant computer network. In addition to these steps, we have been working with law enforcement in connection with their investigation of the incident. Korn/Ferry quickly secured its network against the attack, which appears to have been underway for a number of months, shortly after discovering it in August 2012. Korn/Ferry was asked by federal law enforcement officials, however, to delay disclosure of the existence of the attack until now.
Emphasis in the above added by me.
You can read the full letter here, which includes an offer of free credit monitoring protection.
In light of this explanation, their press release yesterday is even more problematic as their statement, “The databases that were impacted are not designed or structured to collect credit card, payment card, bank account, social security numbers, government identification numbers or health information. ” might have been interpreted by some to mean that those types of data were not in the impacted databases. To the contrary, while the databases were not supposed to have such data, they apparently did.
Korn/Ferry did not indicate how many clients or candidates were affected by this incident.

Should the government try to be “cutting edge?” I think their time and money would be better spent facilitating the work of consultants. If a consultant does not have the skill set you need, fire him and hire someone who does. The model here seems to be send the employee off for training. Not the most responsive reaction...
Task Force Tells DHS to Offer ‘Cool’ Cybersecurity Jobs to Gov. Workers and Test Them Like Pilots
… This means, in part, hiring at least 600 new cybersecurity professionals, including ones who have proven, hands-on experience to take on critical tasks, the task force recommended in its 41-page report (.pdf).
Furthermore, the government needs to focus less on professional certifications in making its hiring decisions and more on real-world experience and expertise. To do this, it needs to build a system for actively measuring these skills, such as one that is currently used for testing pilots, the group said.
The group noted that pilots undergo situational testing that becomes more complicated as their skills increase, such as placing them in conditions where the weather deteriorates or where systems malfunction, in order to test them under duress. [I think they mean “stress” but this would work too Bob]

Drones, Cyber weapons and more...
Darpa’s New Director Wants to Keep the Skies Under U.S. Control
The U.S. has total dominance of the skies above planet Earth, a defense budget five times as large as its nearest competitor, and a fleet of robotic aircraft and advanced manned planes. The newest leader of the Pentagon’s blue-sky researchers says the U.S. is more vulnerable than it thinks in the skies. Maintaining America’s air supremacy may be about to become a top priority for the agency that helped give the world the Predator drone.

(Related) “We need more because they are so cool! Don't worry, we'll talk the city into using them our way. After all J. Edgar isn't the only one with files on politicians...”
"The Seattle Police Department is seeking to buy more unmanned aerial vehicles (a.k.a. drones) even as the two it currently owns sit warehoused until the city develops a policy for their use, documents released as part of the EFF and MuckRock's Drone Census show. More frightening than the $150,000 price tag? The fact that the drone vendors market the fact that these lease agreements do 'not require voter approval.'"
Does your city or town use drones?

When is electronic storage not electronic storage? When the court says, “Clouds are made of water vapor, so they can't be electronic...” (and I thought they only smoked tobacco in South Carolina)
"I leave my email stored online, as do many modern email users, particularly for services like Gmail with its ever-expanding storage limit. I don't bother downloading every email I receive. According to the South Carolina Supreme Court, this doesn't qualify as electronic storage. This means most email users are not protected by the Stored Communications Act. All your emails are fair game, so be careful what you write. From the article: 'This new decision creates a split with existing case law (Theofel v. Farey-Jones) as decided in a 2004 case decided by the Ninth Circuit Court of Appeals. That decision found that an e-mail message that was received, read, and left on a server (rather than being deleted) did constitute storage "for purposes of backup protection," and therefore was also defined as being kept in "electronic storage." Legal scholars point to this judicial split as yet another reason why the Supreme Court (and/or Congress) should take up the issue of the Stored Communications Act.'"

Very misleading title since “Do Not” does not mean Do Not...
"The Verge is carrying an accurate and accessible overview of the Do Not Track debate. Quoting: 'With the fate of our beloved internet economy allegedly at stake, perhaps it's a good time to examine what Do Not Track is. How did the standard come to be, what does it do, and how does it stand to change online advertising? Is it as innocuous as privacy advocates make it sound, or does it stand to jeopardize the free, ad-supported internet we've all come to rely on?' The issues surrounding Do Not Track can be difficult to understand, owing to rampant rhetoric and spin. This article unpacks the tracking technology, privacy concerns, economic questions, and political outlook. Full disclosure: I'm quoted."

“After a careful review of the law, we decided to do what the RIAA wanted instead.”
A leaked batch of AT&T training documents reveals an anti-piracy plan in the books, which includes sending warning notices to flagged accounts. In what seems to be a completely draconian measure, any subscriber whose account is flagged multiple times for copyright infringement will have access to frequently-visited websites (Facebook? YouTube?) blocked until they complete an online course on copyright. The warning notices will begin on November 28th.

This should surprise no one. My guess is an announcement before the election, followed by a “thorough and complete” exoneration of a large campaign contributor. Note that the FTC is ready to sue before they investigate – your government in action...
According to multiple sources, it’s said that the Federal Trade Commission (FTC) is closer than ever to hitting Google with an antitrust lawsuit. The plan has been in the works for almost a year, and now four out of the five FTC commissioners are wanting to open up the doors to begin the process of investigating any wrongdoing by the search giant.

Perspective (Even if I find it hard to believe)
Smartphones and tablets are obviously taking the entire world by storm, but would it surprise you if you knew that nearly 85% of the world’s population is using mobile devices? [Not just phones Bob] According to the International Telecommunications Union (ITU), six billion people in the world use smartphones and/or tablets. [According to WolframAlpha, “6 billion / world population” = 88.4% Bob]

Among other things, the government now recognizes that meteors come from outer space...
"New regulations by the Federal government define asteroidal material to be an antiquity, like arrowheads and pottery, rather than a mineral — and, therefore, not subject to U.S. mining law or eligible for mining claims. At the moment, these regulations only apply to asteroidal materials that have fallen to Earth as meteorites. However, they create a precedent that could adversely affect the plans of companies such as Planetary Resources, who intend to mine asteroids in space."

Interesting. Is this how to replace Journals?
Academia.Edu Overhauls Profiles As The Onus Falls On Researchers To Manage Their Personal Brands
Even though it’s taken for granted that you have to manage your own personal brand on the web, that still isn’t necessarily the case in the slower-moving world of academia.
But it’s starting to happen, with individual brands beginning to eclipse the importance of being published in a well-known (and often exorbitantly expensive) journal., a social network for professors and researchers, is taking advantage of this by overhauling its profile pages.
The company’s CEO Richard Price says that academics are starting to want more of a direct connection with their audiences. So’s new profiles let researchers showcase their best work and track analytics on views and followers.
… “We’re shifting away from a world where the journal industry sits between the academic and the audience,” Price said. “We’re now moving to a world that’s more reflective of social media, where the academic is becoming the key node of distribution of research.”
As for the itself, the site is approaching 2 million users with 4,000 joining every day.

Friday, October 12, 2012

“Well, everyone else is doing it!”
Apple Has Quietly Started Tracking iPhone Users Again, And It’s Tricky To Opt Out (update1)
October 11, 2012 by Dissent
Jim Edwards reports:
Apple’s launch of the iPhone 5 in September came with a bunch of new commercials to promote the device.
But Apple didn’t shout quite so loud about an enhancement to its new mobile operating system, iOS 6, which also occurred in September: The company has started tracking users so that advertisers can target them again, through a new tracking technology called IFA or IDFA.
Read more on Business Insider.
Update: Tinfoil 2.0 comments that the preceding article is full of errors.

“It was only twenty eight times!”
Gazette sues city for records of employee discipline for Internet abuse
October 11, 2012 by Dissent
Do city employees have any expectation of privacy if using work computers to surf porn sites? And can the city shield the names of those employees from freedom of information requests? Those questions are being addressed in a Billings, Montana court. Ed Kemmick reports:
The Billings Gazette filed a lawsuit against the city of Billings on Thursday, asking for the release of public records dealing with city workers who were disciplined for viewing inappropriate websites on the job. [If they are “inappropriate” shouldn't the city block them? Bob]
In a letter dated Sept. 10, City Attorney Brent Brooks said the city would supply the information regarding the Internet searches. It has not yet provided that data.
As for the other two requests, Brooks said, “We cannot fulfill these requests because to do so would violate individual City employee’s right to privacy.”
Read more on Billings Gazette.

The sad part is, if the photos had been taken by Playboy the Copyright Cops would be much more aggressive than the Privacy Police... (Does plugging your phone into a company outlet make the contents of the phone subject to “inspection?”)
Boss Allegedly Downloaded Nude Photos From Employee’s Cell Phone, Showed Them Around The Office
October 11, 2012 by Dissent
Kashmir Hill writes:
This case could be filed under “Horrible Bosses” or “Stupid Employees.” Jonathan Bruns of Texas had a temp job working for Houston-based Deepwater Corrosion Services, a company which, as you might guess from the name and location, is involved in the offshore oil industry. Via Courthouse News Service:
Bruns claims a staffing agency assigned him to work for Deepwater and his supervisor Pete Offenhauser gave him permission to recharge his phone on an office outlet.
That seems nice enough, but then Offenhauser allegedly went snooping… and struck oil:
“Unbeknownst to Mr. Bruns, and after he had returned to his usual job duties and responsibilities, Mr. Offenhauser accessed certain private material on Mr. Bruns’ cell phone and displayed the same on his laptop computer, specifically pictures of Mr. Bruns’ fiancée … without any clothing,” the complaint states.
Read more on Forbes.

“Well look at that. Clearly the Ayes have it!” Typical Politician
"Open source writer Glyn Moody discusses the Draft Communications Bill (aka Snooper's Charter) in the UK and how the Joint Parliamentary Committee that had been considering the bill received almost 19,000 emails during its consultation period. He notes: 'Out of 19,000 emails received by the Committee on the subject of the proposed Draft Communications Bill, not a single one was in favor of it, or even agreed with its premise. Has there ever been a bill so universally rejected by the public in a consultation? Clearly, it must be thrown out completely.'" [Or added to the Official Secrets list Bob]

Absent a declaration of war by an enemy, what would it take to convince politicians that the public was behind them if they initiated cyberattacks? Would the average citizen recognize a “cyber Pearl Harbor” if it didn't directly impact them? (i.e. Facebook still works?)
Pre-emptive cyberattack defense possible, Panetta warns
The U.S. military has the ability to act pre-emptively when it detects an imminent cyberattack threat, Defense Secretary Leon Panetta said today.
During his first major policy speech on cybersecurity, Panetta echoed previous statements that the United States was facing the possibility of a "cyber-Pearl Harbor" perpetrated by foreign hackers, painting a grim portrait of the destructive power wielded by unnamed agents.
"A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11," he said in prepared remarks during a speech at the Intrepid Sea, Air and Space Museum in New York. "Such a destructive cyber terrorist attack could paralyze the nation."

(Related) When someone does attack Facebook, should we nuke them? Grab them and send them to Guantanamo? Send them an angry tweet?
If you’re trying to get on Facebook at the moment and the site isn’t cooperating, you’re definitely not alone. The Next Web is reporting that throughout the day, Facebook has gone down in places like Austria, Norway, Germany, Greece, France, Italy, and Sweden. Making things much more interesting is Twitter user AnonymousOwn3r, who is claiming to be the one bringing Facebook to its knees.

(Related) Then when the radiation cools, we can apologize...
Facebook runs tests, knocks service off across Europe

Thursday, October 11, 2012

For the answer to this and everything you ever wanted to know about drones, come to the seminar next Friday.
If I Fly a UAV Over My Neighbor's House, Is It Trespassing?
… "Once upon a time, you had the rights to your property under the soil and to the sky. It went by the colorful, Latin label "ad coelum et ad inferos"---to the heavens and hell," Ryan Calo, a University of Washington law professor and former research director of Stanford's Center for Internet and Society, told me. "But subsequent case law recognized the limits imposed by commercial aviation and other realities of the modern world. Now you own the air and soil rights you might reasonably use and enjoy."
That original dictum -- ad coelum et ad inferos -- was never part of legislation, but rather passed to us from British common law. The process by which this notion of property was limited really began in the early twentieth century, when we began to regularly reach into the heavens and nominally closer to hell. Timothy Ravich is an aviation lawyer who contributed an article to the North Dakota Law Review (UND is a major hub of civilian aerospace training) on "the integration of unmanned aerial vehicles into the national airspace. [Actually, several articles Bob] " I figured if anyone knew the legal status of my neighborhood flights, it would be him.

Perhaps the IRS system for refunds is a bit too automatic? How many people does it take to file 88,724 returns? One, if they can use a computer...
Feds arrest dozens in ID theft-tax fraud takedown in South Florida
October 10, 2012 by admin
How big a problem is ID theft/tax refund fraud? Well, the government says it’s to the tune of $5.2 billion.
In human terms, here are some interesting stats:
Among major U.S. cities with the most fraud-related tax filings: Tampa (88,724 returns, with refunds of $468,382,079); Miami (74,496 returns, with refunds of $280,509,449) and Atlanta (29,787 returns, with refunds of $77,113,392).
Read more on The Miami Herald.

Do I read this correctly? They compromised not only their students, but every Florida high school student eligible for this scholarship?
Almost 280,000 to be notified of hack at Northwest Florida State College; ID theft reported
October 10, 2012 by admin
Jim Turner reports:
An information security breach has been reported involving employee and student records at Northwest Florida State College in Niceville. [They should move... Bob]
According to the state Department of Education, the breach included more than 3,000 employee records and approximately 76,000 Northwest College student records containing personal identification information; and approximately 200,000 records with information including names, Social Security numbers, dates of birth, ethnicity, and gender for students across the state who were eligible for Bright Futures scholarships for the 2005-06 and 2006-07 school years.
Read more on Sunshine State News.
The college has set up a web site for the breach. According to their update today:
The NWFSC student information compromised in the security breach contains public directory information including name and address, as well as confidential student data including birth date and Social Security number. The Bright Futures scholars’ data file includes all State of Florida Bright Futures eligible students during the 2005-06 and 2006-07 academic years. This data file contains student names, Social Security numbers, dates of birth, ethnicity and gender. No student academic files have been compromised. [Because they are not students! Bob]
The college reports that the breach was discovered following an internal review conducted between October 1 – 5 after the college started receiving reports from employees of fraud. Even the college’s president became a victim.
In a memo to employees sent on October 8 via e-mail, the college informed them:
We know from May 21, 2012 until September 24, 2012 one or more hackers accessed one folder on our main server. This folder had multiple files on it. No one file had a complete set of personal information regarding individuals. However, by working between files, the hacker(s) have been able to piece together enough information to be able to engage in the theft of identity of at least 50 employees.
We know by working between files data regarding Name, Social Security Number, Date of Birth, and Direct Deposit Account numbers were accessed. Additional directory information such as address, phone numbers, college email address, etc. was also likely compromised.
We know three specific mechanisms have been used to engage in identity theft. The first is to use PayDayMax, Inc. as a conduit for taking out a personal loan which is repaid by debiting your bank account. The second is the same process using Discount Advance Loans. The third is to apply for a Home Depot Credit Card in an employee’s name and then use that card.
We know current employees and all retirees/past employees since 2002 that have had direct deposit of their pay have the potential to have had their information compromised.
The college says that the system has now been secured.
Kudos to the college for doing a terrific job of notifying employees promptly and issuing timely updates as they learn more.

How to win friends and influence people, the online version...
Millions of PlaySpan user IDs and passwords leaked online
October 10, 2012 by admin
Craig Chapple reports:
World of Tanks, Guild Wars and Eve Online players hit by huge security breach
Hackers have breached and leaked the personal information of millions of PlaySpan Marketplace users online.
Private details compromised included user IDs, email addresses and encrypted passwords.
In a statement to Develop, a PlaySpan spokesperson insisted however that there is no evidence that credit, debit or pre-paid card data had been accessed. [Not the same as “There is evidence that they did not access the data.” Just suggests they didn't keep logs. Bob]
Read more on Develop.

Apparently, there is more to the plan than “keep the data for two years.” Of course, this could never happen in the US...
AU: Web snooping plan suppressed by government
October 10, 2012 by Dissent
Looks like Australia’s government has decided that transparency is not as important as, say…. everything else. It’s refusing to release details of its super-secret data retention plan. Philip Dorling reports:
National security bureaucrats are keeping secret the details of a plan to store the internet history of all Australians for at least two years.
The Prime Minister’s department has rejected a Freedom of Information application by Fairfax Media for release of its file on the proposed “third tranche” of national security laws on the grounds that declassification would “substantially and unreasonably divert the Department’s resources from its other operations”. [Translation: It's a bother... Bob]
Read more on The Age.
[From the article:
However Steve McFarlane, assistant secretary heading the Defence and Intelligence Branch of the Department of the Prime Minister and Cabinet has refused to process Fairfax Media's FOI application for access to papers relating to the data retention and other proposals on the grounds that reviewing 21 documents totalling 93 pages would result in a “substantial impairment” to the operations of the Department.
Mr McFarlane further insisted that most of the material would be withheld from public access anyway owing to the “sensitive nature of the subject matter”.

(Related) …Okay, maybe it can happen here. Are there no laws covering the collection of data by government agencies?
FBI Exempts Massive Database from Privacy Act Protections
October 11, 2012 by Dissent
The Federal Bureau of Investigation has exempted the FBI Data Warehouse System, from important Privacy Act safeguards. The database ingests troves of personally identifiable information including race, birthdate, biometric information, social security numbers, and financial information from various government agencies.
The database contains information on a surprisingly broad category of individuals, including
“subjects, suspects, victims, witnesses, complainants, informants, sources, bystanders, law enforcement personnel, intelligence personnel, other responders, administrative personnel, consultants, relatives, and associates who may be relevant to the investigation or intelligence operation; individuals who are identified in open source information or commercial databases, or who are associated, related, or have a nexus to the FBI’s missions; individuals whose information is collected and maintained for information system user auditing and security purposes.”
The Federal Bureau of Investigation has exempted these records from the notification, access, and amendment provisions of the Privacy Act. Earlier this year, EPIC opposed the Automated Targeting System, another massive government database that the Department of Homeland Security exempted from Privacy Act provisions. For more information, see EPIC: The Privacy Act of 1974 and EPIC: Automated Targeting System.
So less transparency and the oversight and protection is …. where?

I suppose it's because it's an election year (translation: Time of wildly increased spin by politicians) but I fail to see how privacy “ensures” benefits.
President’s bioethics panel urges new privacy protection to ensure benefits from DNA decoding
October 11, 2012 by Dissent
Lauran Neergaard of Associated Press reports:
It sounds like a scene from a TV show: Someone sends a discarded coffee cup to a laboratory where the unwitting drinker’s DNA is decoded, predicting what diseases lurk in his or her future.
A presidential commission found that’s legally possible in about half the states — and says new protections to ensure the privacy of people’s genetic information are critical if the nation is to realize the enormous medical potential of gene-mapping.
Such whole genome sequencing costs too much now for that extreme coffee-cup scenario to be likely. But the report being released Thursday says the price is dropping so rapidly that the technology could become common in doctors’ offices very soon — and there are lots of ethical issues surrounding how, when and with whom the results may be shared.
Read more on Chicago Tribune.

It's a start...
Government of Malta proposes inclusion of digital rights in Constitution
October 11, 2012 by Dissent
Francesca Vella reports:
The government has presented a White Paper proposing the inclusion of digital rights in the Constitution as a means of introducing new rights to internet access, accessing information online, online freedom of expression, and the right to informational self-determination.
On the right to privacy, the White Paper refers to the introduction of a specific digital civil right to informational self-determination, which would remove any perceived doubts that the state would become a ‘Big Brother’ through online monitoring of its citizens’ participation in the information society.
Wow. Read more on The Malta Independent Online.
The White Paper can be accessed here (pdf). The government is seeking comments to be submitted to by November 30, 2012. From the White Paper:
The introduction of a specific digital civil right to informational self-determination would remove any perceived doubts that the State would become a Big Brother through online monitoring of its citizens’ participation in the information society.
A new digital right must confirm that the right to privacy refers both to: a) directly personally identifying information as well as to b) indirectly personally identifying information (such as cookies, users’ online behaviour and site visiting patterns).
Amongst others, Internet privacy involves the right to decide how personal information is being processed, stored, communicated and transmitted over the Internet by third parties including private entities as well as governments.
It is proposed that:
(i) The State should recognise, promote and safeguard a citizen’s right to Informational Self-Determination and Privacy, that is, the right of an individual to decide what information about himself should be communicated to others and under what circumstances, through any media, including on the Internet, regardless of frontiers.
(ii) The State should undertake not to introduce restrictions which would hinder the right to Informational Self-Determination and Privacy and which are unjustifiable or unnecessary in a democratic society.

It must be irritating to discover that your lawyers didn't follow Best Practices but rather Mal Practices...
How Zappos’ User Agreement Failed In Court and Left Zappos Legally Naked
October 10, 2012 by admin
Eric Goldman writes:
In January, Zappos (part of $AMZN) announced a massive data security breach affecting 24 million consumers. As typically happens in these situations, plaintiffs’ class action lawyers swarmed over Zappos for the breach, filing dozens of lawsuits. Zappos tried to send the lawsuits to arbitration based on an arbitration clause in its user agreement. Recently, a federal court struck down’s user agreement, denying Zappos’ arbitration request. This is an unfortunate ruling for Zappos, because its contract–now dead–would have been quite helpful in combating this high-profile and potentially very expensive data security breach lawsuit. More importantly, the mistakes Zappos made in its user agreement–though common throughout the Internet–are completely and easily avoidable. This post will make some suggestions for how to avoid Zappos’ fate.
Read more on Forbes.

Towards a greater emptiness?
"Futurist and author Ray Kurzweil predicts the cloud will eventually do more than store our emails or feed us streaming movies on demand: it's going to help expand our brain capacity beyond its current limits. In a question-and-answer session following a speech to the DEMO technology conference in Santa Clara, California last week, Kurzweil described the human brain as impressive but limited in its capacity to hold information. 'By the time we're even 20, we've filled it up,' he said, adding that the only way to add information after that point is to 'repurpose our neocortex to learn something new.' (Computerworld has posted up the full video of the talk.) The solution to overcoming the brain's limitations, he added, involves 'basically expanding our brains into the cloud.'"

According to a study released today by the research firm Gartner, Lenovo has overtaken HP (Hewlett-Packard) as the number one seller of PCs worldwide. This move comes at a time when overall PC sales have faltered due to the economy and competition from mobile gadgets. Still, Lenovo managed to grow during this downturn, increasing its sales by nearly 10%.

This was a bit of a kerfuffle until the school reconsidered their rethink...
Judge Says Fair Use Protects Universities in Book-Scanning Project
A federal judge on Wednesday threw out a copyright infringement lawsuit against universities that participated in a massive book-digitization project in conjunction with Google without permission from rights holders.
U.S. District Judge Harold Baer of New York dismissed an infringement lawsuit brought by the Authors Guild and other writers’ guilds, saying the universities had a fair use defense. The guild accused the University of California, University of Wisconsin, Indiana University, Cornell University and University of Michigan of wanton copyright infringement for scanning and placing the books into the so-called HathiTrust Digital Library.
The trust consists of 10 million digital volumes, 73 percent of which are protected by copyright. The trust provides full-text searches only with a rights holder’s permission, and gives full-text access for readers with “certified print disabilities,” Baer said.

You probably already know this by now, but there are a lot of people using Twitter. A new study conducted by Beevolve gives us an insane amount of statistics on these users, gauging everything from how many followers the average user has to which background color is used the most by females and males. The study – which surveyed a total of 36 million Twitter profiles – may confirm a lot of the stuff you already assumed about Twitter, but there are some surprises to be found in the results.

Perspective (for my Disaster Recovery students)
Europe suffered 51 'severe' communications outages in 2011, study shows
… The report, released today by the European Network and Information Security Agency (ENISA), said that 11 EU member states reported 51 "severe outages" in their countries' communications networks and services during 2011.
The report said that 60 percent of the incidents affected cellular networks or mobile Internet, with the remainder involving services such as fixed phone and internet, messaging and e-mail.
Only 6 percent of all reported incidents that led to outages were a result of malicious attacks. [But you have to approach each one as a potential terrorist or cyberwar attack until proven otherwise... Bob] The malicious attacks were often low-tech, such as vandalism or cable theft, rather than cybercrime, ENISA said.

(Related) If most of my students have SmartPhones...
$13 E-Reader Could Be Your Next Smartphone Accessory
It seems you can’t finish a book without a new e-reader being announced. The newest way to read books without killing a tree comes from Germany, and if the company, txtr, can get carriers on-board, it’ll cost as little as $13, or less than J.K. Rowling’s latest book.
… Engadget reports that txtr is currently in talks with AT&T and Sprint.
We’re waiting to hear back from txtr on how much the beagle would cost without a subsidy. Maybe a wallet-busting $25?

I have a few Artsie type students...
CreativeLIVE Is a Free Online School for Artists and Entrepreneurs
… If you’re looking for creative or entrepreneurial courses, you can turn to CreativeLIVE. The two-year-old startup just raised $7.5 million to live-stream workshops on how to start a business, photography basics, and web design, to name a few.
… Every course is live-streamed in real time and completely free.
What’s the catch? The courses are offered on a scheduled basis and last about two to three days. If you miss a class, you can’t watch again for free, but you can get your hands on the videos and lessons if you pay. Prices range from $50 to $300, and courses are often discounted. You can also pre-order a class that you know you want to take, but won’t have time to sit down and watch the live lecture.
The premise of free, live-streamed workshops has worked well for CreativeLIVE. The company says that since its launch in April 2010, more than 1 million students from 200 countries have taken a course. CreativeLIVE also isn’t having a hard time getting people to pay an average of $100 for a class.

For the Swiss Army folder...
A web-based screen recorder.

Currently in public beta, RefSeek is a web search engine for students and researchers that aims to make academic information easily accessible to everyone. RefSeek searches more than one billion documents, including web pages, books, encyclopedias, journals, and newspapers.
[Check the Directory Bob]

(Ditto) Run it before your PC crashes and store it with your backups...
MyKeyFinder -- Finding Serial Numbers of Installed Apps in Windows Easily
… instead of buying the app again you can always use a user-friendly tool named MyKeyFinder which can help you find the serial numbers of all the apps installed on your PC! This handy tool for Windows is free of cost but can prove to be a blessing in such cases.

Wednesday, October 10, 2012

Wow, they still use tapes in Canada? (Impacts customers from Maine to Florida only?)
Missing backup tapes reported to TD Bank customers
October 9, 2012 by admin
A letter from TD Bank to affected customers reads, in part:
Some of your personal information was included on two data backup tapes that we shipped to another one of our locations in late March 2012. The tapes have been missing since then, and we have been unable to locate them despite diligent efforts. This isolated incident has been the subject of an internal investigation by our corporate security and information security teams. We have also notified law enforcement. Your personal information included on the tapes may have included your name or address, Social Security Number, and account, debit or credit card number.
We are not currently aware of any misuse of the personal information. However, because we are unable to locate the tapes or to account for their disappearance, we want to provide you with advice on ways to protect yourself.
The sample notification letter was not dated, so it’s not clear to me when customers were actually notified of this incident, but the letter was just posted to the California Attorney General’s web site this week. The letter also does not make clear whether the tapes ever arrived at the destination or were lost in transit, and if the latter, how they were shipped or transported.
Update: According to the Portland Press Herald, the letters are in the process of being sent out, and no, they couldn’t get an explanation of the six-month delay in notification.

I would suspect this will be investigated as a potential 'dry run' by terrorists or nation state actors, at least until they find the Ethical Hacking class responsible...
"A single mysterious computer program that placed orders — and then subsequently canceled them — made up 4 percent of all quote traffic in the U.S. stock market last week, according to the top tracker of high-frequency trading activity. The motive of the algorithm is still unclear. The program placed orders in 25-millisecond bursts involving about 500 stocks, according to Nanex, a market data firm. The algorithm never executed a single trade, and it abruptly ended at about 10:30 a.m. ET Friday."

(Related) Of course, it might just be Gordon Geeko (Greed is good)
Unknown High-Frequency Trading Algorithm Detected
Market-data tracking firm Nanex said the algorithm behind the trades was routed from the Nasdaq, placing numerous orders and then canceling them repeatedly. In doing so, it managed to use 10% of available trading bandwidth.
High-frequency traders might use such a program to hog bandwidth, slowing down the system for other traders for arbitrage purposes. That sort of trading and market interference has caught the attention of regulators. Last month, a U.S. Senate committee held discussions on how to prevent such incidents.
Some industry experts called for a tax on “order-stuffing,” the deliberate placement of fake bids and offers that then get canceled, in order to discourage the practice.

Average insurance cost per data breach rises to $3.7M: Study
October 9, 2012 by admin
Mike Tsikoudakis reports:
The average insurance cost per data breach incident increased sharply from $2.4 million in 2010 to $3.7 million in 2011, according to a new NetDiligence study released Tuesday.
Based on insurance claims that were submitted in 2011 for incidents that occurred from 2009 to 2011, the average number of records exposed decreased 18% to 1.4 million, according to NetDiligence’s “Cyber Liability & Data Breach Insurance Claims — A Study of Actual Payouts for Covered Breaches.”
A typical breach ranged from $25,000 to $200,000 in insurance costs, according to the study.
Read more on Business Insurance.
If NetDiligence’s figures seem lower than Ponemon’s, they offer an explanation:
When compared with the Ponemon Institute’s Seventh Annual U.S. Cost of a Data Breach Study, our figures appear to be extremely low. The institute reported an average cost of $5.5 million per breach and $194 per record. However, Ponemon differs from our study in two distinct ways: the data they gather is from a consumer perspective and as such they consider a broader range of cost factors such as detection, investigation and administration expenses, customer defections, opportunity loss, etc. Our study concentrates strictly on costs from the insurer’s perspective and therefore provides a more focused view of breach costs.
The NetDiligence study also focuses primarily on insured per-breach costs, rather than per-record costs.
You can find the study on NetDiligence.

It's not enough to know “There's an App for that...” You have to actually use it!
"Neal Ungerleider notes that cryptography pioneer and Pretty Good Privacy (PGP) creator Phil Zimmermann has launched a new startup that provides industrial-strength encryption for Android and iOS where users will have access to encrypted phone calls, emails, VoIP videoconferencing, SMS, and MMS. Text and multimedia messages are wiped from a phone's registry after a pre-determined amount of time, and communications within the network are allegedly completely secure. An 'off-shore' company with employees from many countries, Silent Circle's target market includes troops serving abroad, foreign businesspeople in countries known for surveillance of electronic communications, government employees, human rights activists, and foreign activists. For encryption tools, which are frequently used by dissidents living under repressive regimes and others with legitimate reasons to avoid government surveillance, the consequences of failed encryption can be deadly. 'Everyone has a solution [for security] inside your building and inside your network, but the big concern of the large multinational companies coming to us is when the employees are coming home from work, they're on their iPhone, Android, or iPad emailing and texting,' says Zimmermann. 'They're in a hotel in the Middle East. They're not using secure email. They're using Gmail to send PDFs.' Another high-profile encryption tool, Cryptocat, was at the center of controversy earlier this year after charges that Cryptocat had far too many structural flaws for safe use in a repressive environment."

This may be important.
another random user sends word of a case in Pennsylvania District Court in which Judge Michael Baylson has ordered a trial to resolve the issue of whether an IP address can identify a particular person. The plaintiff, Malibu Media, has filed 349 lawsuits against groups of alleged infringers, arguing that getting subscriber information from an ISP based on an IP address that participated in file-sharing was suitable for identification purposes. A motion filed by the defendants in this case explains "how computer-based technology would allow non-subscribers to access a particular IP address," leading Judge Baylson to rule that a trial is "necessary to find the truth."
"The Bellwether trial will be the first time that actual evidence against alleged BitTorrent infringers is tested in court. This is relevant because the main piece of evidence the copyright holders have is an IP-address, which by itself doesn't identify a person but merely a connection. ... Considering what's at stake, it would be no surprise if parties such as the Electronic Frontier Foundation (EFF) are willing to join in. They are known to get involved in crucial copyright troll cases, siding with the defendants. We asked the group for a comment, but have yet to receive a response. On the other side, Malibu Media may get help from other copyright holders who are engaged in mass-BitTorrent lawsuits. A ruling against the copyright holder may severely obstruct the thus far lucrative settlement business model, meaning that millions of dollars are at stake for these companies. Without a doubt, the trial is expected to set an important precedent for the future of mass-BitTorrent lawsuits in the U.S. One to watch for sure."

Really dumb? Perhaps it will stimulate some thought?
Judge: Takeover of employee LinkedIn account doesn’t violate hacking law
October 10, 2012 by Dissent
Timothy B. Lee writes:
A federal judge rejected a Pennsylvania woman’s argument that her employer violated a federal anti-hacking statute when it took control of her LinkedIn account after firing her. The court ruled the harms cited by the plaintiff were too speculative to pass muster under the Computer Fraud and Abuse Act (CFAA).
Linda Eagle was the head of a company called Edcomm when it was acquired in 2010. But relations soured and Eagle was fired the following year. Eagle had shared her LinkedIn password [Don't do that! Bob] with another Edcomm employee so that she could help Eagle manage the account. When Eagle was shown the door, her former assistant changed the password on her account, freezing Eagle out of it. Edcomm then replaced Eagle’s name and picture with the name and photograph of her successor.
Eagle sued in federal court, arguing among other things that the company’s actions violated the CFAA. But the court dismissed that argument last week.
Read more on Ars Technica. The decision can be found here.
[From Ars Technica:
Eagle had argued the loss of her LinkedIn account damaged her reputation, since she was unable to respond in a timely fashion to messages sent to her on the site. She also claimed that as a result, she lost business opportunities including one valued at more than $100,000.
But the court ruled those were not the kind of harms that triggered liability under the CFAA.
… Additionally, the court dismissed Eagle's argument that replacing her name with that of her successor violated trademark law. However, this case will go forward based on Pennsylvania state law charges.
The obvious lesson of this incident is employers and employees should be sure to establish, in writing, whether a social media account is a personal account or belongs to the employer. And if you have a personal account, it can be risky to share the password with coworkers.

And so the escalation begins...
Navy Lasers’ First Target: Enemy Drones
One of the first tasks the Navy expects to assign its forthcoming arsenal of laser guns: shooting down drones that menace its ships.
The Navy is confident that laser cannons will move out of science fiction and onto the decks of its surface ships by the end of the decade. Its futurists at the Office of Naval Research still have visions of scalable laser blasts that can fry an incoming missile at the rate of 20 feet of steel per second. But now that laser guns are approaching reality, Pentagon officials are starting to consider the practicalities of what they’ll be used for, and they’re not thinking missiles — yet. Among their initial missions will be the relatively easier task of tracking and destroying unmanned aerial vehicles, or UAVs, that fly too close to Navy ships.

Only fair. Proving you are dead should be harder than proving you are alive...
Social Security record limits hinder research
October 9, 2012 by Dissent
Kevin Sack of the New York Times reports:
A Social Security Administration shift last year to limit access to its death records amid identity-theft concerns is beginning to hamper a broad swath of research, including federal government assessments of hospital safety and financial industry efforts to spot consumer fraud.
For example, a research group that produces reports on organ-transplant survival rates is facing delays because of extra work required to determine whether patients are still alive. The federal agency that runs Medicare uses the data to determine whether some transplant programs have such poor track records that they should be cut off from government financing.

(Related) Which costs more? New IDs or dealing with thousands of bogus claims? Note that “Connected to SSANs” is not “the same as” a SSAN
Despite thefts, no new Medicare IDs
October 10, 2012 by Dissent
Kelly Kennedy reports:
More than a quarter-million Medicare beneficiaries are victims of identity theft and hampered in getting health care benefits because the government won’t issue new IDs, according to an investigation report released today.
Medicare officials say it’s too expensive and too many agencies are involved to reissue those numbers to patients victimized by identity theft — about 284,000 beneficiaries, according to a report by the Department of Health and Human Service’s inspector general.
Beneficiary numbers are directly connected to a patient’s Social Security number, and the government is unable to create a new Social Security number for a patient whose Medicare identity has been stolen, according to the report, which was obtained by USA TODAY.
And beneficiaries can do little more than report abuse of their beneficiary numbers because the government does not provide them with updates about investigations or amend their records with correct billing information. That, investigators say, slows down access to care.
Read more on PressConnects.

Perhaps sorting the wheat from the chaff takes more than 60 days?
Interesting Article on United States v. Collins, Case on Ex Ante Limitations on Computer Warrants
October 9, 2012 by Dissent
Orin Kerr comments on a situation discussed in a recent article on U.S. v. Collins (mentioned here). One of the issues raised by defense counsel concerns the prosecution hanging on to unnecessary and irrelevant computer files on seized computers when the warrants contained clauses saying that materials not needed for prosecution would be deleted or returned within 60 days.
Orin’s position seems to be that any such conditions included in warrants “are not permissible in the first place.” You can read his commentary on The Volokh Conspiracy, but it seems to me that if such statements were included in the applications for the warrants, the prosecution should be bound by them. Otherwise, one could argue that the court might never have approved the warrant in the first place, as it might seem overly broad. But then, I am not a lawyer and Orin is.

The RIAA is gonna have a stroke. (Unless you think they can top these payouts?)
"Today in a blog post, Pandora has shared some details of the fees they pay to musical artists for playing songs over their music streaming service. Over 2,000 different artists will pull in $10,000 or more in the next year, and 800 will get paid over $50,000. They provided a few specific examples as well. Grupo Bryndis, who has a sales rank on Amazon of 183,187 (in other words, who is not at all a household name), is on track to receive $114,192. A few earners are getting over $1 million annually, such as Coldplay and Adele. 'Drake and Lil Wayne are fast approaching a $3 million annual rate each.' The post segues into a broader point about the age of internet radio: 'It's hard to look at these numbers and not see that internet radio presents an incredible opportunity to build a better future for artists. Not only is it bringing tens of millions of listeners back to music, across hundreds of genres, but it is also enabling musicians to earn a living. It's also hard to look at these numbers, knowing Pandora accounts for just 6.5% of radio listening in the U.S., and not come away thinking something is wrong. ... Congress must stop the discrimination against internet radio and allow it to operate on a level playing field, under the same rules as other forms of digital radio.'"

Following on the success of the various Humble Bundles for DRM-free video games, the organization has just launched its first Humble eBook Bundle. It includes Pirate Cinema by Cory Doctorow, Pump Six by Paolo Bacigalupi, Zoo City by Lauren Beukes, Invasion by Mercedes Lackey, Stranger Things Happen, and Magic for Beginners, both by Kelly Link. If you choose to pay more than the average [Statistics students, what does that do to the average? Bob] (about $11 at this writing), you also get Old Man's War by John Scalzi, and Signal to Noise, by Neil Gaiman and Dave McKean. The books are available in PDF, MOBI, and ePub formats, without DRM. As with all the Humble Bundles, you can choose how much you'd like to pay, and how the proceeds are split between any of the authors and/or among three charities.

Somehow I don't think they realize just how unstable statements like this make them sound.
North Korea claims US mainland within range of its missiles
Isolated North Korea claimed Tuesday that the U.S. mainland is "within the scope" of its missiles, two days after South Korea struck a deal with the United States to extend the range of its ballistic missiles.
… North Korea's National Defense Commission said in a statement that the North was prepared to counter any U.S. military threats, its KCNA news agency said.
"We do not hide (the fact) that the revolutionary armed forces ... including the strategic rocket forces are keeping within the scope of strike not only the bases of the puppet forces and the U.S. imperialist aggression forces' bases in the inviolable land of Korea, but also Japan, Guam and the U.S. mainland," KCNA said.

Didn't Madonna sing, “We live in a digital world and I am a digital girl”?
October 09, 2012
Chronicle of Higher Education: Research Libraries Increase Spending on Digital Materials
Alisha Azevedo: "Spending by research libraries appears to be rising, especially for digital materials, according to new data from the Association of Research Libraries. The data are part of the association's Library Investment Index, which ranks the association's member libraries each year based on total library expenditures, salaries and wages of professional staff, spending on library materials, and the number of professional and support staff. The upward trend for the 2011 fiscal year was the first in several years. The economic downturn in 2008 and the tight budgets that followed caused a drop in spending on all of the index's categories, said Martha Kyrillidou, senior director of the association's statistics and service-quality programs, in an e-mail interview. She added that it 'remains to be seen if this is a temporary reversal or a true shift to sustain itself more than a year.'"

Not all my students are uber geeks...