Saturday, October 27, 2012

I suspect an interesting definition of “substantial complaiance” since the breach wasn't noticed for two months, and the State didn't discover it. The article reads like the State had never done anything about computer security – since the breach they are implementing this or looking at that. Pathetic.
SC: 3.6 million Social Security numbers stolen from state Department of Revenue (update 1)
October 26, 2012 by admin
Ouch. Tim Smith reports:
A foreign hacker stole a vast database of the South Carolina Department of Revenue and investigators told that 387,000 credit card numbers and 3.6 million Social Security numbers have been exposed.
Read more on Greenville News.
Update 1: The paper also has a later article on the review of state agencies’ computer security. The Dept. of Revenue had been found to be “in substantial compliance” with sound security practices shortly before it was successfully hacked.
[From the first article:
The first intrusion began in August, unnoticed by any officials operating the Department of Revenue’s computer system …
By the time the computer crimes office of the U.S. Secret Service discovered a problem on Oct. 10,
None of the Social Security numbers were encrypted and officials said they are studying whether they can do that [Yes. Absolutely, positively yes Bob] — raising other questions about whether safeguards exist that weren’t used.
… The breach occurred, ironically, just as Haley’s inspector general, Patrick Maley, was finishing his review of the security for confidential information at Haley’s 16 cabinet agencies.
… In his September letter to Haley, Maley concluded that while the systems of cabinet agencies he had finished examining could be tweaked and there was a need for a statewide uniform security policy, the agencies were basically sound and the Revenue Department’s system was the “best” among them. [Perhaps a review by someone who actually knows what they are doing is in order? Bob]

This one goes beyond stupid to cruel..
Bald Beliebers Remind Us: Just Because You Read It On Twitter, Doesn’t Mean It’s True
… Truth can spread like wildfire, and so can lies.
Today, the Bieber nation has learned that lesson. Behold, dear readers, the horror.
The story goes that Entertainment Weekly’s verified Twitter account tweeted out the following:
“Pop Star Justin Bieber was diagnosed with cancer earlier this morning. Bieber fans are shaving their heads to show their support.”
… In reality, 4chan was trolling Beliebers. There were no tweets to begin with, and there definitely isn’t any cancer. 4chan peeps simply photoshopped together an image and sent it out into the world.
Unfortunately now, there are likely dozens of bald tweenage girls crying in their bathrooms. And it’s perhaps even more insane that most members of the Bieber nation still believe that Justin has cancer, and are pouring sympathy, condolences, and heartfelt love into the #baldforbeiber hashtag, despite the fact that the other half of that Twitter conversation is lawling over the hoax.
… In any case, this should serve as an excellent reminder to all of us. Just because you read it on Twitter, doesn’t mean it’s true.

Is this what the Air Force has come to?
U.S. Expands Secretive Drone Base for African Shadow War
The Pentagon’s secretive drone and commando base in the Horn of Africa is getting a lot bigger and a lot busier as the U.S. doubles down on its shadowy campaign of air strikes, robot surveillance and Special Operation Forces raids in the terror havens of Yemen and Somalia.
… According to an investigation by The Washington Post, the Pentagon is spending $1.4 billion to expand the base’s airplane parking and living facilities.
… The Djibouti base is just one of a constellation of hush-hush U.S. drone, commando or intelligence facilities in East Africa. Others are located in Ethiopia, Kenya, Somalia and the island nation of the Seychelles. But “those operations pale in comparison to what is unfolding in Djibouti,” the Post’s Craig Whitlock notes.

(Related) The article never says anything about drones. (Still my lawyer friends should recognize the potential for new clients...) But check out the picture!
Chris Anderson on the Maker Movement: 'We're Going to Get Sued'
Chris Anderson expects to be sued. Any day now.
In a talk last night to promote his new book Makers: The New Industrial Revolution, the Wired editor and Slate's David Plotz discussed -- among many other things -- the IP implications of the maker movement.
… So as far as patent law goes, he said, there are two approaches. "You can either do a patent search and find out whether you're going to violate a patent" -- and "you probably won't get a good answer." And then, "if you do then violate a patent, the fact that you did a search first actually increases your liability."
Or, Anderson continued, "you can do what we do, which is just: Do it. Wait for the [cease-and-desist] letter. When the letter comes, try to innovate around it. If the trolls come after us, one of us is going to be brave enough to fight back. And the courts will ultimately decide."

“You know Senator, you're right. We can't trust products made by foreigners”
"China Unicom, the country's second largest telecom operator, has replaced Cisco Systems routers in one of the country's most important backbone networks, citing security reasons [due to bugs and vulnerability.) The move came after a congressional report branded Huawei Technologies Co. Ltd. and ZTE Corp. security threats in the United States, citing bugs and vulnerability (rather than actual evidence of spying.) Surprising to us, up to now, Cisco occupies a large market share in China. It accounts for over a 70 percent share of China Telecom's 163 backbone network and over an 80 percent share of China Unicom's 169 backbone network. Let's wait to see who's the winner in this trade war disguised as national security."

So much for “Privacy by Design” Might be interesting to ask if they will honor ANY DNT flag.
"And so it begins... Yahoo has made it official: it won't honor the Do Not Track request issued by Internet Explorer 10. Their justification? '[T]he DNT signal from IE10 doesn't express user intent" and "DNT can be easily abused.'"
Wonder what percentage of users would rather be tracked by default.

This should be very interesting and likely quite confusing. (Is this likely to attract new competitors?)
"Canada's CRTC (like the FCC) has finally asked telecoms to provide information about how much their services actually cost. Quoting a Montreal Gazette story: 'In a report I wrote last year, I estimated the markup for Internet services was 6,452 per cent for Bell's Essential Plus plan, which provides a two-megabits-per-second speed for $28.95 (prices may have changed since last year).' The markup is likely similar in the U.S. It's about time that we consumers found out what it really costs to provide Internet service, and for that matter telephone and wireless services, so we can get a fair shake."

Report: Twitter hits half a billion tweets a day

Is this useful?
… To make sure that others can view your contact information if your phone is lost, you can make use of an app called misHaps.
… the application lets other people handling your phone view your contact information in case your phone is lost and the contact information of an emergency contact in case of an emergency.

Interesting. Now list the countries we buy these elements from...
"From calcium in cameras and germanium in CPUs to selenium in solar cells. Here's a look at how every single element in the periodic table is used in common tech products. For example: Scandium is used in the bulbs in metal halide lamps, which produce a white light source with a high color rendering index that resembles natural sunlight. These lights are often appropriate for the taping of television shows. ... Yttrium helps CRT televisions produce a red color. When used in a compound, it collects energy and passes it to the phosphor. ... Niobium: Lithium niobate is used in mobile phone production, incorporated into surface acoustic wave filters that convert acoustic waves into electrical signals and make smartphone touchscreens work. SAW filters also provide

There might be something here for my Math students...
Friday, October 26, 2012
MIT + K12 = Educational Videos for K-12 Students
MIT + K12 is a new MIT project that features MIT students explaining math and science concepts for K-12 students. The website isn't a collection of Khan Academy-style videos it's a place where you will find videos featuring real MIT students explaining concepts while showing them as hands-on demonstrations or experiments. Watch one of the featured videos below.
Applications for Education
MIT + K12 is new and so far they only have a couple of dozen videos, but the concept of the MIT + K12 is promising. If you have an idea for a video, you can suggest it on the site. The MIT + K12 videos are hosted on YouTube and on MIT Tech TV for people who cannot access YouTube in their schools.

A couple of interesting bits...
… In news I missed last week, SETDA (the State Educational Technology Directors Association) has released a database of state policies related to ed-tech. The site includes information about broadband policies and online student assessments.
Two great initiatives are teaming upGeneration YES and ObaWorld. The former helps empower students to be leaders in their schools’ technology efforts; the latter, a project by the University of Oregon’s Yong Zhao, is a global online learning platform. The partnership between the two organizations will help students will learn how to lead online learning efforts at their schools.

Friday, October 26, 2012

Oh sure. Now that the Privacy Foundation has broken the ice, all kinds of “Privacy Advocate wanna-bes” are following in our footsteps. I can't wait to examine the video my drone took to see how many of our panalists ideas they ripped off!
Lawmakers mull restrictions on domestic drones
October 25, 2012 by Dissent
Brendan Sasso reports:
House Judiciary Committee lawmakers discussed legislation to restrict the use of drones in domestic airspace during a field forum at Rice University in Texas on Thursday.
Rep. Ted Poe (R-Texas), who chaired the forum of the Subcommittee on Crime, urged Congress to take up his Preserving American Privacy Act, which would only allow police to use drones with a warrant and to investigate a felony.
Read more on The Hill.

(Related) Escalation! Arms Race! (Drones with ping pong paddles?) What's next? Paint balls to mark evil doers? (Bank robbers, illegal boarder crossers, j-walkers) We are slipping down that slope.
Drop Ping-Pong Balls on People With This iPhone-Controlled Copter
Here at Wired we’re big fans of office weaponry. And drones. So when we learned of the Kickstarter for the iStrike Shuttle, for the iStrike Shuttle, an iOS-controlled flying machine that can drop ping-pong balls onto your target of choice, we got pretty excited.

(Related) This is just a walking drone...
Watch this DARPA robot climb, leap, and walk past obstacles

Of course they do! Part of the “Ubiquitous Surveillance” paln. Let's hope it's not the same engineers NASA used on the Mars lander that confused Meters and Feet...
U.S. looks to replace human surveillance with computers
… The U.S. government has funded the development of so-called automatic video surveillance technology by a pair of Carnegie Mellon University researchers who disclosed details about their work this week -- including that it has an ultimate goal of predicting what people will do in the future.
… Their Army-funded research, Oltramari and Lebiere claim, can go further than merely recognizing whether any illicit activities are currently taking place. It will, they say, be capable of "eventually predicting" what's going to happen next. [Very like “Minority Report” but without the psychics Bob]

Not a lot of coast in Colorado, but we do have Coast Guard. (Including the crypto weenies at Buckley)
Coast Guard Boardings and Your Fourth Amendment Rights, Part 1
October 26, 2012 by Dissent points us to an article by Clark Beek that begins:
Sorry, but when it comes to Coast Guard boardings, you don’t have any rights.
I’m surprised how many boaters don’t know this. The US Coast Guard can board your boat any time they want, and look anywhere they want, without probable cause or a warrant. They can do this on the open sea, or while you’re asleep aboard in your marina at midnight. They can look through your bedsheets, in your lockers, in your bilges, in your jewelry box, or in your pockets. They can do it carrying just their sidearms, or they can do it carrying assault rifles. They can be polite about it or they can be rude, but mostly they’re polite.
Read more on SailFeed. The article really was an eye-opener for me. I’m filing this in my “I didn’t know that” file and looking forward to Part 2 of the article.

For my Ethical Hackers: Ride free! Drive E-470 toll-free!
How much do you know about RFID chips? Do you know how many you’re carrying at any given moment? Do you know what information is stored on them? Do you know how close a hacker needs to get to you in order to steal that information? Have you considered any form of RFID protection? And most importantly, do you know what RFID protection will be effective?
These days, RFID chips are present in all sorts of items, such as credit cards, library books, grocery goods, security tags, implanted pet details, implanted medical records, passports and more. Some schools now require their students wear RFID tags. The amount of information which could be learned about you from your RFID chips is quite a lot! Plus, you never know what those information thieves are planning on doing with your information, either. So, it’s best to understand the risks of RFID hacking and limit your exposure to harm. Here’s the basics of what you need to know.

Also for my Ethical Hackers. Tap both ends of the conversation easily. There's an App (Okay, a web service) for that!
If you follow two celebrities on Twitter and want to check out the conversations that have taken place between them, you might have to alternate between their streams and look for handles in their tweets. Here to make matters simpler is a web service called Conweets.
Similar tools: TweetsBetween and Bettween.

A recap, with sage advice...
Class Actions Adding to the Cost of Data Breaches
Big data yields big data breaches, and potentially produces large class sizes, making such lawsuits attractive to plaintiffs’ lawyers. Companies that store or process personal information face an increasing risk of class action lawsuits based not only on the company’s use of that information, but also on the theft or misuse of that personal information due to data breach. Many states, such as California and Delaware, which have liberal data breach laws that allow private rights of action for security incidents regardless of a likelihood of injury, have facilitated class action lawsuits. In one such case, plaintiffs sought damages of $5,000 per customer from the defendant, which could have resulted in possible damages totaling in the tens of billions of dollars – far more than the defendant company was worth. A recent survey of data breach litigation found that the average settlement award in these cases was approximately $2,500 per plaintiff, with mean attorneys’ fees reaching $1.2 million.1
The likelihood of a data breach or privacy issue occurring in any business has become a virtual certainty. Class action lawsuits stemming from such incidents have upped the ante with the potential of millions of dollars of attorneys’ fees if not damage recoveries. All companies would be prudent to increase their risk mitigation efforts to beef up administrative, technical, and physical security to prevent data breaches coupled with enforcing security and privacy policies and procedures and strengthened indemnification provisions with third parties who have access to a company’s data.

An interesting editorial on Open Access published in an Open Access Journal.
October 25, 2012
Editorial - Delivering on a Network-Enabled Literature
Neylon C (2012) More Than Just Access: Delivering on a Network-Enabled Literature. PLoS Biol 10(10): e1001417. doi:10.1371/journal.pbio.1001417
  • "By any measure it has been a huge year for the open-access movement. At the beginning of the year, it looked possible that the public access policy of the US National Institutes of Health (NIH) might be rolled back by the Research Works Act, a legislative attempt supported by Elsevier and the Association of American Publishers to make such policies illegal. But as we move towards year's end, the momentum behind open access looks unstoppable with the announcement of major policy initiatives in the United States, the European Union, Denmark, and the United Kingdom. Nevertheless, there is still much to be done and the challenges remain large, but the remaining questions are largely ones of implementation, not principle."

Part of the Economic history of the world. This is how money worked (until we dropped the gold standard)
October 25, 2012
Center for Financial Stability Publishes The Bretton Woods Transcripts
Kurt Schuler: "The transcripts of the Bretton Woods conference were never meant to be published, but we have them. Today the CFS releases The Bretton Woods Transcripts, an e-book edited by me and Andrew Rosenberg. It contains verbatim proceedings of many meetings from the 1944 Bretton Woods conference, which established the IMF and World Bank and began an era of international economic cooperation that endures today. The Web page for the book contains much more information about it, plus extensive background material that is being made readily available for the first time. Over the next few weeks I will comment here on elements of the book, and offer some details about the conference and its participants that are not in the book."

Just a comment. The US strategy is to treat any use of Weapons of Mass Destruction equally, meaning if Syria uses chemical weapons, we could nuke Damascus.
Exclusive: U.S. Rushes to Stop Syria from Expanding Chemical Weapon Stockpile
The regime of embattled Syrian dictator Bashar Assad is actively working to enlarge its arsenal of chemical weapons, U.S. officials tell Danger Room. Assad’s operatives have tried repeatedly in recent months to buy up the precursor chemicals for deadly nerve agents like sarin, even as his country plunges further and further into a civil war. The U.S. and its allies have been able to block many of these sales. But that still leaves Assad’s scientists with hundreds of metric tons of dangerous chemicals that could be turned into some of the world’s most gruesome weapons.

Amidst STEM Education Hype, NoRedInk Is On A Mission To Fix America’s Grammar Problem
… With STEM education reform now being touted as the key to America’s economic future, it’s easy to forget the other side. One recent national study, for example, found that only “one quarter of eighth and 12th graders are proficient in writing.” On top of that, College Board reported that reading and writing scores on the SAT hit record lows in the U.S. last year.
It’s this not-so-pretty picture of humanities education in the U.S. that led Jeff Scheur, a high school english teacher in Chicago, to create NoRedInk — an adaptive learning tool that aims to help students (and you) improve their writing and grammar skills. To help get students engaged, the startup works to personalize the learning process by generating custom curricula for students based on their interests, adapting feedback, tutorials and coaching to their particular abilities and allowing them to view problem areas in color-coded heat maps.
… Rather than casting a broad net, the startup’s lessons focus on what students are getting wrong, while offering them the opportunity to watch tutorials when they get stuck. NoRedInk eschews multiple choice (really, the enemy of writing), instead prompting students to input the correct answer themselves or drag-and-drop the right punctuation mark, for example. As they progress through lessons, students and teachers can track progress in NoRedInk’s dashboard, which is broken down into skill areas (and lets students view their analytics heat map-style).
… And so far, it seems to be working. With no marketing, NoRedInk has managed penetration into four percent of schools in the U.S., was one of the three winners of Citi and NBC’s Innovation Challenge and was accepted into Imagine K12′s current batch of startups. (Which launch at the accelerator’s Demo Day on Friday, October 26th.)
Today, the startup has 70,000 users and teachers and students have completed 3.5 million questions — two million of which were in the past month. Over 300 schools have applied to participate in “NoRedInk Premium,” a paid, suped-up version of the service built specifically for schools that launches this winter.
As the service is free for everyone else, the premium offering represents NoRedInk’s play at creating an up-selling opportunity (and business model, really), hooking teachers and students with the basics for free and charging schools if they want to integrate the service school-wide.

Thursday, October 25, 2012

What is it with banks not wanting to get rid of their 1950's technology? Moving data from a seucre location electronically and fully encrypted is faster, cheaper, and unlikely to be stolen from an employees car.
VSECU notifies consumers of missing backup tapes
October 24, 2012 by admin
TD Bank isn’t the only financial sector entity dealing with missing backup tapes these days. Vermont-based VSECU sent out notification letters yesterday after two unencrypted backup tapes created on August 27th were discovered missing on September 10.
The tapes contained names, addresses, Social Security numbers, driver’s license numbers, financial account information, and transaction records.
The credit union does not think the tapes were stolen. They believe they may have been accidentally discarded and wound up in a landfill.
There’s no explanation as to why the tapes were unencrypted.
You can read their notification letter here.

Cybercrime: Mobile Changes Everything — And No One’s Safe
The FBI recently put out a mobile malware alert, providing us with a sobering reminder of this “evil software” for phones and tablets. In this particular case, the FBI was warning against the Finfisher and Loofzon malware, which spies on our data and leaks GPS positions to track our movements. While these threats appear to have been developed for government surveillance purposes, they can of course be used by any organization.
And therein lies the problem. Mobile malware affects all of us.
Unfortunately, the advice the FBI alert shared was vague and maddeningly difficult to follow. For example: “Users should look at the reviews of the developer/company who published the application” and “Turn off features of the device not needed to minimize the attack surface of the device.” Heck, I’m a security researcher, and I’m fuzzy about what all that means. [Consistant with the inability of FBI agents and lawyers to explain their cell phone tapping tools, as I posted yesterday Bob]
… Users Don’t Get It – But Hackers Do
But the fact remains that users remain unaware of the mobile malware problem, complacent about it, or simply reluctant to take action. Mobile malware is a bit like a traffic accident. Until it happens to us – or we hear a vivid story out there of “it happened to…” – the threat feels very abstract and remote.

(Related) Ethical Hacking: There's an App for that!
Have you ever tried finding your phone by calling it, only to remember that your phone is on Silent? At times like these, one wishes to be able to perform numerous little functions on the phone remotely like exiting the phone from Silent mode. Here to let you do this and many other such tasks remotely on your phone is an app called Agastaya.
Agastaya is a free to use phone application that lets you perform numerous useful tasks on your phone remotely. The app helps you access and retrieve data from your phone. For example, you can get contact information, call logs, phone IMEI number, SIM number, and SMS logs from your phone remotely. You can also change your phone’s profile e.g. exit it from the Silent mode by sending a text on it so you can call the phone, hear it ring, and find it; conversely, you can set your phone to Silent mode.

(Related) Mobile, with money to burn?
Presidential Campaign Donations in the Digital Age
10% of 2012 presidential campaign donors have contributed via text message or cell phone app. Democrats are more likely to contribute online or directly from their cell phone, while Republicans are more likely to contribute in person, by phone call, or via regular mail.

We've had a couple of individual breaches (TJ Max and Heartland for example) that were nearly as large as this years totals.
174 million records compromised in 855 data breach incidents last year, says report
October 24, 2012 by admin has a recap of some of the main findings in the 2012 Verizon DBIR:
Verizon’s Data Breach Investigations Report (92-page / 3.47MB PDF) (DBIR) covering the year 2011 found that 174 million records were compromised in a total of 855 data breaches in what it called an “an all time low” for protection against data breaches.
The report outlined that 96% of firms that were required to comply with the Payment Card Industry Data Security Standard (PCI DSS) and that fell victim to data breaches recorded in Verizon’s own “caseload” from last year, were not compliant with the standards.
Read more on Not surprisingly, their figures differ from’s figures as DLDB uses somewhat different sources for our breach entries. Thus, where Verizon’s sample is based on 855 incidents, DLDB reported 1,041 incidents for 2011, and where Verizon shows 81% of incidents used some form of hacking, only 30% of DLDB’s entries involved hacking (or 32% if you include virus/malware). As always, interpret with caution/qualifiers.
[From the report:
79% of victims were targets of opportunity (-4%)
Findings from the past year continue to show that target selection is based more on opportunity than on choice. Most victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack.
Whether targeted or not, the great majority of victims succumbed to attacks that cannot be described as highly difficult. Those that were on the more sophisticated side usually exhibited this trait in later stages of the attack after initial access was gained.

We did it so Terrorists can check to see if their cover is blown. That way they don't need to go all the way to the airport only to discover they have been “randomly selected” for a cavity search!”
"Flight enthusiasts, however, recently discovered that the bar codes printed on all boarding passes — which travelers can obtain up to 24 hours before arriving at the airport — contain information on which security screening a passenger is set to receive. Details about the vulnerability spread after John Butler, an aviation blogger, drew attention to it in a post late last week. Butler said he had discovered that information stored within the bar codes of boarding passes is unencrypted, and so can be read in advance by technically minded travelers. Simply by using a smartphone or similar device to check the bar code, travelers could determine whether they would pass through full security screening, or the expedited process." [Given that information, could they create their own “expedited process” boarding passes? Bob]

Nothing new, but a citeable authority?
GAO Study Gives Low Marks to Companies Regarding Transparency to Consumers of Use of Location Data
October 24, 2012 by Dissent
Nihar Shah has a nice recap of the recent GAO report:
The Government Accountability Office (“GAO”) released a study in September, 2012 analyzing the collection, use and disclosure practices of fourteen companies operating in the mobile field regarding location data collected from consumers. In the absence of laws or regulations regarding the collection of location data specifically, the GAO compared the policies of the fourteen companies to best practices regarding the collection and use of personal information generally, aggregated from federal agencies such as the Federal Trade Commission (“FTC”) and Federal Communications Commission (“FCC”) and from self-regulatory bodies such as the CTIA – The Wireless Association. The study found that the companies’ practices included several departures from established best practices. The agency also determined that inconsistencies in what the policies say companies will do with location data and what the companies actually do with that data are exposing consumers to serious privacy risks.
Read more on InfoLawGroup.

What causes this supervisor to ask good questions when so many in similar oversight positions don't bother?
Supervisor seeks more privacy for Clipper card users
October 25, 2012 by Dissent
Zusha Elinson reports:
San Francisco Supervisor John Avalos has introduced a resolution urging the Metropolitan Transportation Commission and state Legislature to strengthen privacy protections for Clipper card users.
The transportation commission, which administers the transit card, also has begun re-examining why personal data is stored for seven years after a Clipper card account is closed.
Read more on The Bay Citizen.

You might find something of interest here...
Future of Privacy Forum
Privacy Papers for Policy Makers 2012
Future of Privacy Forum is pleased to share the third annual “Privacy Papers for Policy Makers,” showcasing leading analytical thinking about current and emerging privacy issues.
Leading Privacy Papers:
Bridging the Gap Between Privacy and Design
Deirdre Mulligan and Jennifer King
Mobile Payments: Consumer Benefits & New Privacy Concerns
Chris Jay Hoofnagle, Jennifer M. Urban, and Su Li
Smart, Useful, Scary, Creepy: Perceptions of Online Behavioral Advertising
Blase Ur, Pedro G. Leon, Lorrie Faith Cranor, Richard Shay and Yang Wang
Will Johnny Facebook Get a Job? An Experiment in Hiring Discrimination via Online Social Networks (See digest for executive summary)
Alessandro Acquisti and Christina Fong
Privacy Papers of Notable Mention:
Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising
Pedro G. Leon, Blase Ur, Rebecca Balebako, Lorrie Faith Cranor, Richard Shay, and Yang Wang
View the 2011 papers here.

One of my students is an NRA Master Firearms Instructor. She'll love this!
With ‘Safe Haven,’ Desktop Weaponeers Resume Work on 3D-Printed Guns
Three weeks after a group of desktop gunsmiths had its leaded 3D printer seized by the digital manufacturing firm that owned it, the weaponeers have quietly restarted plans to build a gun entirely of printed parts. The group has also begun expanding their operation with outside help, including space for ballistics testing provided by a mysterious firm involved in the defense industry.
Cody Wilson, founder of the Wiki Weapon project, tells Danger Room that the unnamed company’s owner “wanted to offer me a safe haven, basically.” Wilson describes the company as a “private defense firm” in San Antonio, Texas, but the company’s owner is wary of negative publicity and Wilson doesn’t want to reveal the firm’s name without consent.
“We’ve got basically a space where we can do experiments. Ballistics, basically. So it’s not quite a range — we’ve got a range — but we’ve got floor space where we can literally test the guns and set up instrumentation,” Wilson says.

Something to stock those e-stockings?
If you have an eBook reader, finding quality sources for your different eBooks may not always be easy. Either the eBooks are of bad quality, they’re relatively expensive, or the site simply don’t offer what you want. When you comes to your kids, you’ll also need to be able to trust that the site offers the right kinds of eBooks to them. With so many things you need to be aware of, you might need a recommendation or two.
ePubBud is a great place to download children’s eBooks. Althought the eBooks being offered aren’t the most popular in the world, it has plenty of quality books in numerous different categories. Those categories include Beginner, Kids, Tween, Teen, Fiction, Reference, and Nonfiction. There are also a couple safe books for adults, so while the book may be harder to read, the theme remains clean for everyone. From ePubBud you can download files to import into your favorite reader or you can also view the eBooks in your browser. If necessary, you can buy ISBNs for $5 or sell your own eBooks.
  • Also read related articles:

e-State planning. What we need is an e-Xecutor
October 24, 2012
Planning in the Digital Age
Planning in the Digital Age, Gerry W. Beyer - Texas Tech University School of Law, October 22, 2012
  • "Recently, a new subdivision of property has emerged that many people label as “digital assets” such as accounts used for e-mail, professional and personal data backups, banking, investment, and shopping, domain names and web-hosting accounts, social networking accounts, and avatars for online games. While estate planners have perfected techniques to transfer traditional types of property, many estate planners do not address digital assets when preparing their clients’ estates. This article aims to educate estate planning professionals on the importance of planning for the disposition of digital assets, provides those planning techniques, and discusses how to administer an estate containing digital assets.

Hacking for fun and profit (and cost savings)
"Choice, a prominent Australian consumer advocacy group, has urged Australians to obfuscate their IP address to avoid geo-blocking and use US forwarding addresses to beat high IT prices. Australia is currently in the middle of parliamentary inquiry into the country's disproportionately high prices for technology. Choice also suggested setting up US iTunes accounts and using surrogate US addresses for forwarding packages from American stores. Choice has noted previously that Australians pay 52 per cent more for digital music downloads on iTunes compared to US users."

Something for my Math students!
Wednesday, October 24, 2012
Symbolab - A Scientific Equation Search Engine
Symbolab is a new search engine designed for mathematicians and scientists. The search engine is a semantic search engine which means that rather than just searching the text of your query Symabolab attempts to interpret and search for the meaning of your query. What this means is that when you type in an equation you will get results as links and get results as graphs when appropriate. Think of it Symbolab as a cross between Google and Wolfram Alpha.
The Next Web has an extensive interview with Symbolab's founder that I recommend reading if you're interested in learning about the ideas behind the development of this search engine.
Applications for Education
Symbolab could be a useful search engine for mathematics students. The search results can be sorted to find explanations of how to solve an equation, what an equation is used for, as well as videos and examples of an equation in use.

Is this the future of music? (Something is, and I'm going to keep looking 'til I find it!)
Dhingana Raises $7M For Free, Streaming Indian Music
Dhingana, a startup with a free service for streaming Indian and Bollywood music, has raised $7 million in Series B funding.
The company’s catalog includes 500,000 songs in 35 languages, which it makes available on its website and through smartphone apps. Dhingana says it has built an audience of 15 million monthly active visitors, making it the most popular service of its kind. And 40 percent of those visitors are located outside of India.

Wednesday, October 24, 2012

How does this match with “Best Practices?”
Barnes & Noble discloses breach involving pin pads at dozens of stores
October 24, 2012 by admin
Remember when Michael’s Stores found that pin pads in some stores had been replaced? It looks like the same thing has happened to bookseller Barnes & Noble’s brick and mortar stores. According to the New York Times, the firm discovered the breach on September 14. As of now, it appears that pads at 63 stores were tampered with in the following states: California, Connecticut, Florida, New York, New Jersey, Rhode Island, Massachusetts, Illinois, and Pennsylvania. There have reportedly been some claims of fraudulent use of card numbers associated with the breach.
So when will B&N send notifications to consumers – or won’t they? They did notify card issuers, and if all B&N has is name and card number, they may leave it to the card issuers to notify customers. The chain does suggest changing your PIN number, but doesn’t indicate how far back this breach might go. They do say that most fraudulent charges occurred in September.
Although the breach was detected on September 14, initial disclosure was delayed so as not to interfere with the government investigation. That’s understandable and permissible, but consider this:
The company has received two letters from the United States attorney’s office for the Southern District of New York that said it did not have to report the attacks to its customers during the investigation, according to the official. At least one of the letters said that the company could wait until Dec. 24 to tell the customers.
Where did the USAO get that December 24th date? Were they asked specifically if they could delay that long so as not to interfere with holiday sales, or was the USAO guestimating how long the investigation would take or….?
There is no notice on B&N’s web site at the time of this posting.

Think of this as the keys to your home. Would you leave them just anywhere?
"PS3 security has been compromised again. The holy grail of the PS3 security encryption keys — LV0 keys — have been found and leaked into the wild. For the homebrew community, this means deeper access into the PS3: the possibility of custom (or modified) firmware up to the most recent version, the possibility of bypassing PS3 hypervisor for installing GNU/Linux with full hardware access, dual firmware booting, homebrew advanced recovery (on the molds of Bootmii on Wii), and more. It might lead to more rampant piracy too, because the LV0 keys could facilitate the discovering of the newer games' encryption keys, ones that require newer firmware."

(Related) But there is such a thing as “bad management decisions” – when do they rise to negligence?
Sony PSN hacking lawsuit dismissed by judge
A California district judge has dismissed a handful of charges that plaintiffs brought against Sony, including negligence, restitution, and unjust enrichment in its handling of a PlayStation Network data breach last year.
Several lawsuits were filed against Sony PlayStation Network in the wake of a major security breach of the personal data of more than 75 million customers in April 2011.
On Friday, Judge Anthony Battaglia of the U.S. District Court in Southern California ruled that one of those class action suits is invalid, according to Courthouse News.
Additionally, Battaglia said Sony couldn't be fully responsible for the hack. "There is no such thing as perfect security," he said, according to The Register. "We cannot ensure or warrant the security of any information transmitted to us.

Tools for the Cyber warrior... This could be mounted on a Hummer, but it would kill the engine too.
It’s perhaps every tech-lover’s nightmare, but it’s something everyone should be aware of: electronics-killing missiles. On October 16th, Boeing tested one such weapon named CHAMP, a non-lethal high-powered microwave missile that successfully snuffed the life out of a bunch of PCs, making history in the process. In fact, the test was so successful, the missile killed the cameras set up to record the event as well.

Interesting. Do you think Australia will fall for it? How will they check “push updates” in real time?
Huawei offers Australia 'unrestricted' access to hardware, source code
Huawei has offered to give the Australian government "unrestricted" access to the firm's software source code and hardware equipment in an effort to dispel security fears, months after the Chinese telecoms giant was barred from supplying infrastructure equipment for the country's national broadband network.
The Australian government barred Huawei from bidding on contracts for the network earlier this year, saying it had a "a responsibility to do our utmost to protect [the network's] integrity and that of the information carried on it".

For my Ethical Hackers (and my Math students)
How a Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole
It was a strange e-mail, coming from a job recruiter at Google, asking Zachary Harris if he was interested in a position as a site-reliability engineer.
“You obviously have a passion for Linux and programming,” the e-mail from the Google recruiter read. “I wanted to see if you are open to confidentially exploring opportunities with Google?”
Harris was intrigued, but skeptical. The e-mail had come to him last December completely out of the blue, and as a mathematician, he didn’t seem the likeliest candidate for the job Google was pitching.
So he wondered if the e-mail might have been spoofed – something sent from a scammer to appear to come from the search giant. But when Harris examined the e-mail’s header information, it all seemed legitimate.
Then he noticed something strange. Google was using a weak cryptographic key to certify to recipients that its correspondence came from a legitimate Google corporate domain. Anyone who cracked the key could use it to impersonate an e-mail sender from Google, including Google founders Sergey Brin and Larry Page.
… “I love factoring numbers,” Harris says. “So I thought this was fun. I really wanted to solve their puzzle and prove I could do it.”

(Related) Future areas for my Ethical Hackers?
We’ve reached this strange moment in time when updates are released for our cars in the same manner they’re released for our gadgets. Thus is the case with the 2013 Chevy Volt, which GM has pushed a software update out for after reports of shutdowns. The manufacturer is not issuing a recall, however.

Sometimes the old hacks are the best hacks...
'Jesus,' 'welcome' join list of worst passwords
Despite the vulnerability presented by weak passwords, many Internet users continue to put their security at risk by using common words or number sequences that are easily guessable.
Unchanged from last year, the three most popular passwords for 2012 were "password," "123456," and "12345678," according to SplashData's annual "25 Worst Passwords of the Year" list. The list was compiled from files containing millions of stolen passwords posted online by hackers.
… A security breach revealed in July at Yahoo yielded nearly a half million login credentials stored in plain text. Other password thefts at LinkedIn, eHarmony, and contributed to approximately 8 million passwords posted in two separate lists to hacker sites in early June.

“Guilt by proximate geography”
Megaupload User Seeks to Unseal Documents Relating to Data Seizure
October 23, 2012 by Dissent
From EFF:
The Electronic Frontier Foundation (EFF), on behalf of its client Kyle Goodwin, asked a federal court yesterday to unseal warrant-related documents surrounding the loss of access to Mr. Goodwin’s data after the government shut down Goodwin used Megaupload’s cloud-based storage system for his small business reporting on high school sporting events in Ohio. The site’s servers housing Mr. Goodwin’s data were frozen as part of a government seizure in January of this year–since then, Mr. Goodwin and others like him have had no access to their data.
Mr. Goodwin has consistently asked the court for the return of his property. In response, the court recently asked Mr. Goodwin and the government to provide additional information on how such a hearing might proceed.
“The government engaged in a overbroad seizure, denying Mr. Goodwin access to his data, along with likely millions of others who have never been accused of wrongdoing,” said Julie Samuels, EFF Staff Attorney. “Access to the government’s warrant application and related materials can help us learn how this could have happened and provide assistance in our efforts to get Mr. Goodwin his property back.”
In running his small business, Goodwin stored video footage on Megaupload servers as a backup to his hard drive and so he could share those large files with his producers all over Ohio. Earlier this year, the FBI shut down and executed search warrants on the company’s servers, locking out all Megaupload customers in the process. When Goodwin’s hard drive crashed, he could not get access to any of his own video files, which he needed to conduct his business.
“Unsealing the court documents in this case is not only important to Mr. Goodwin, it is critical to the ongoing public and Congressional debate about the U.S. government’s increasing use of its seizure power in intellectual property cases,” added Cindy Cohn, EFF’s Legal Director. “A court in New Zealand recently upbraided the authorities who conducted similar seizures for failing to protect innocent people whose property was obviously likely to be swept up. The questions raised by the New Zealand court about overbroad seizures should also be asked, and answered, here in the U.S.”
EFF was assisted by co-counsel Abraham Sofaer of the Hoover Institution and John Davis of Williams Mullen.
For the full motion to unseal:
For more on the Megaupload Data Seizures:

Somehow I can't buy that they have no way to access the data they gather and store. That's like saying, “We so incompetent in so many areas, what make you think we can make those computer thingies work?”
October 23, 2012
TRAC Challenges ICE Claim That Data Are Off-Limits to the Public
for TRAC - Jeff Lamicela: "On October 22, 2012 the Transactional Records Access Clearinghouse (TRAC) filed suit in D.C. District Court under the Freedom of Information Act (FOIA) challenging a ruling by Immigration and Customs Enforcement (ICE) that its master repository of investigations and operations information is off-limits to the public... The material sought by TRAC is stored in the ICE-operated Enforcement Integrated Database (EID), which records and maintains information related to the investigations and operations of ICE as well as Customs and Border Protection (CBP) and that agency's Office of Field Operations. Despite this, ICE has stated that its office "does not have the means to extract the data or any other aspect of [TRAC's] request. For more on this matter, link to the complaint document and legal exhibits

(Related) Who would we be keeping this secret from? Countries who already do it to their citizens?
Feds Cite ‘State Secrets’ in Dragnet Surveillance Case — Again
The Obama administration is again arguing that a lawsuit accusing the National Security Agency of vacuuming up Americans’ electronic communications without warrants threatens national security and would expose state secrets if litigated.
“This case may be dismissed on the ground that its very subject matter constitutes a state secret,” the government said (.pdf) in a legal filing in San Francisco federal court.
Brought by the Electronic Frontier Foundation, the case is now four years old and its merits have never been litigated. The civil rights group claims that the major telecoms provided the NSA a warrantless backdoor to the nation’s communication backbone.

Is there really that much of a disconnect between technology and the law? Did no one even ask the privacy questions?
McDonald’s removes networking features in some online games
October 24, 2012 by Dissent
Cecilia Kang reports:
McDonald’s said it has removed social networking features in some of its online games after a privacy advocacy group complained to federal regulators that the restaurant chain was violating child online privacy laws.
In a complaint filed last August to the Federal Trade Commission, the Center for Digital Democracy said McDonald’s was using a “tell-a-friend” feature on games and other functions of and that asked children to upload photos and videos onto the site and then pass along that information to friends. McDonald’s also asked for children to list the e-mail addresses of friends, without gathering parental consent for that information.
Read more on Washington Post.

(Related) Would something like this help?
Navigating App Privacy Laws and Best Practices
October 24, 2012 by Dissent
Tim Kridel writes for Digital Innovation Gazette:
More than half of app users have uninstalled or decided to not install an app due to concerns about personal information, according to a recent Pew Internet Project survey. If that isn’t motivation enough to protect customer privacy, consider the growing number of federal and state laws penalizing breaches.
But how can developers determine which laws apply? And what about industry best practices such as those from the Mobile Marketing Association (MMA) and CTIA – The Wireless Association? We spoke with Alan Chapell, co-chair of the MMA’s privacy and advocacy committee, about what developers need to know to protect customer privacy — and, in the process, their app’s market potential.
Read the interview on

I'm shocked again!
Online Ad Survey: Most U.S. Consumers “Annoyed” By Online Ads; Prefer TV Ads To Online; Want Social Media Dislike Button; And Reckon Most Marketing Is “A Bunch Of B.S.”
… The survey makes amusing reading at times – almost half of the respondents agree ‘online advertising is creepy and stalks you’, and more than half agree that ‘most marketing is a bunch of B.S.’.

For my Intro to Computer Security students...
Facebook has basically made a business out of knowing as much as they can possibly find out about everyone. So, tracking your behaviour online and offline makes perfect sense to them. However, it might not seem that rosy to you. Sometimes, it’s nice to have a little privacy.
There are many ways Facebook is tracking you and it’s worth knowing how to block this tracking where possible and how to opt out when required. Sadly, it’s getting more and more complicated as time goes by. Here are the main ways Facebook keeps tabs on you and the best ways to stop them.

Do we need more (and better) technology or are there “some things man was not meant to know?” Is this a field crying out for entrepreneurs?
"Maryn McKenna writes in Scientific American that the standard autopsy is becoming increasingly rare for cost reasons, religious objections, and because autopsies reveal medical mistakes, making doctors and hospitals uncomfortable. Researchers in several countries have been exploring the possibility that medical imaging might substitute a 'virtual autopsy' for the more traditional variety. 'So few autopsies are being done now that many medical students get out of school never having seen one,' says Gregory Davis. 'And yet in medicine, autopsy is the most powerful quality-control technique that we have and the reason we know as much as we do about many diseases and injuries.' The process, dubbed 'virtopsy,' combines MRI and CT scanning with computer-aided 3-D reconstruction to prove causes of death for difficult cases, which included drownings, flaming car crashes, and severe injuries to the skull and face. Since 2004 the U.S. military has performed x-rays and CT scans on the bodies of every service member killed where the armed forces have exclusive jurisdiction — that is, not just on battlefields abroad but on U.S. bases as well. 'It allows us to identify any foreign bodies present, such as projectiles,' says Edward Mazuchowski. 'X-rays give you the edge detail of radio-opaque or metallic objects, so you can sort out what the object might be, and CT, because it is three-dimensional, shows you where the object is in the body.' A study conducted among intensive care unit patients in Germany compared diagnoses made before death with the results of both traditional and virtual autopsy in 47 patients and with only virtual autopsy in another 115 whose families refused standard autopsy. Virtual autopsies confirmed 88 percent of diagnoses made before death, not far behind the 93 percent rate for traditional postmortem exams. 'The findings so far are mixed,' says Elizabeth Burton of Johns Hopkins University. Virtual autopsy, she says, 'is better for examining trauma, for wartime injuries, for structural defects. But when you start getting into tumors, infections and chronic conditions, it's not as good, and I doubt it will ever be better.'"