Saturday, November 24, 2012
Yet I still fall victim to “The Wife Effect” – “Yeah, yeah. Now take out the garbage...”
“The Haley Effect?”
November 22, 2012 by admin
In response to my post yesterday about Governor Haley’s repeated mis-statements, Centennial Man writes:
Perhaps we have a new meme to complement the Streisand Effect. The Haley Effect is the repeated attempt by politicians to convince voters that they know something when they clearly do not…
There’s always room for a good meme. The Haley Effect works for me.
Would you put this into the “Worst Practices” category? Machiavelli certainly would. In The Prince he says, “Hence it is to be remarked that, in seizing a state, [or becoming CEO Bob] the usurper ought to examine closely into all those injuries which it is necessary for him to inflict, and to do them all at one stroke so as not to have to repeat them daily; and thus by not unsettling men he will be able to reassure them, and win them to himself by benefits.”
Numbers from Nationwide Insurance breach dribble out
November 22, 2012 by admin
I wish companies would heed my advice and get the bad news out at all once instead of staying in the news cycle as each new revelation hits the media.
We are starting to get numbers on the hack of Nationwide Insurance and Allied Insurance that I reported here on November 17:
and we know that California and Vermont also have affected residents, although we don’t have those numbers yet.
So this looks to be a nationwide breach (no pun intended) and it may be a while before we know how many people were affected, total.
“I hack, therefore I am?” Most likely the semi-public face of a state actor or maybe a way for criminal types to advertise?
Hacking For The Sake Of It: ‘Eboz’ Downed Google, Apple, 300 Other Pakistani Sites, And Many More Just To Show It Can?
Pakistan’s internet-using population were slammed today with a systematic take-down of local versions of some of the world’s biggest names in tech, and several hours after first going down, Google.pk, Google.com.pk, Yahoo.pk, Apple.pk, Microsoft.pk still do not appear to be working. In all, it appears that 279 other sites in Pakistan were hacked by a group that appears to be Turkish and calls itself Eboz. Little else is known about Eboz, but it appears that Eboz has been hacking into many other sites, with Pakistan merely today’s target.
Here’s what else we have found:
A search in the Zone-h archive of defaced websites notes hundreds of sites that have been defaced by Eboz — in all, the number totals 313, with 85 single IP and 228 “mass defacements.” Many are Turkish but the full list covers a number of countries and top-level domains. This list doesn’t appear to contain today’s Pakistani list, meaning that Eboz is now linked to some 600 take-downs.
I do love a good catch phrase...
The Fourth Amendment and Faulty Originalism
November 24, 2012 by Dissent
FourthAmendment.com points us to an essay by Joseph R. Stromberg on the Foundation for Economic Education (FEE). Here’s how it begins:
“All arrests are at the peril of the party making them.”
—Alexander H. Stephens, August 27, 1863
These days the Fourth Amendment to the Constitution means next to nothing. Consider, for example, the choice offered a few years ago: surveillance under routine, easy “warrants” from the drive-through FISA Court or warrantless surveillance at the whim of George W. Bush and his allegedly boundless reserve of unitary-executive authority. A January 2006 Justice Department memo (“Legal Authorities Supporting the Activities of the National Security Agency . . .”) explained the executive’s claims in mind-numbing and unconvincing detail. But the memo at least suggested how far below any practical service to Americans’ liberty the Fourth Amendment has fallen, and did so by heaping up available (and rather bad) search-and-seizure precedents, many of which arose from the terminally futile war on drugs (pages 37–38). The result is something like “your Constitution on drugs”—with the searchers and seizers on steroids.
Read the full essay on FEE.
How do I stalk thee? Let me count the ways.
I stalk thee to the depth and breadth and height the Internet can reach
… Doxing is a term that describes the process of obtaining or deducing information about a person based on a limited set of initial information. Or in layman’s terms, doxing is the act of searching around on the Internet for someone’s personal details. Another way to view doxing is to see it as taking a piece of information (e.g., email address) and identifying someone based on that.
The term “doxing” derives from “document tracing” which means to gather documents on a particular person or company to learn more about them. In the age of the Internet, doxing is more like social engineering – gathering information on someone using publicly available sources.
If that doesn't work, I'm sure there are other things they could cut off...
"Pakistan's interior minister Friday said the government will suspend cell phone services in most parts of the country over the next two days to prevent attacks against Shia Muslims during a key religious commemoration. Militants often detonate bombs using cell phones and this is the first time the government has implemented such a wide-scale suspension. Saturday and Sunday are the most important days of Muharram, the first month of the Islamic calendar, especially important to Shias. Pakistani Shias Sunday observe Ashoura, commemorating the 7th century death of Imam Hussein, the Prophet Muhammad's grandson. Different parts of the Muslim world mark Ashoura on different days —neighbouring Afghanistan, for example, observes it on Saturday. 'The suspension of cell phone services will begin at 6 am Saturday and run through the next day,' Interior Minister Rehman Malik told reporters in Pakistan's capital, Islamabad. He said 90 per cent of the bombs set off by militants in Pakistan have been detonated using cell phones. Some criticized the government for suspending services, saying it was a huge inconvenience."
“Even if you can't know, we'll treat you as if you did know.”
Anonymous file-sharing is booming. Whether it’s BitTorrent through a VPN, proxy, or other anonymizing services, people are increasingly looking to hide their identities online.
One application that gained interest earlier this year is RetroShare.
… The RetroShare network allows people to create a private and encrypted file-sharing network. Users add friends by exchanging PGP certificates with people they trust. All the communication is encrypted using OpenSSL and files that are downloaded from strangers always go through a trusted friend.
… This week a Hamburg court ruled against a RetroShare user who passed on an encrypted transfer that turned out to be a copyrighted music file. The user in question was not aware of the transfer, and merely passed on the data in a way similar to how TOR works.
The court, however, ruled that the user in question, who was identified by the copyright holder, is responsible for passing on the encrypted song.
… “The defendant is liable for the infringement of troublemakers,” the court explained in its ruling.
… RetroShare derives its security from the fact that all transfers go through “trusted friends” who users themselves add. In this case, the defendant added the anti-piracy monitoring company as a friend, which allowed him to be “caught.” [This suggests that the “monitoring company” sent the file to themselves. How else would they know what was inside the encrypted file? Bob]
More troubling is the precedent the ruling sets for people who run open wireless networks, as the same issues arise there. According to this ruling Internet subscribers are responsible for the transfers that take place on their networks, making them liable for the copyright infringements of others.
Update: Contrary to the U.S. and elsewhere, a previous ruling in Germany already makes wireless network operators liable for copyright infringements of others.
“We want to welcome y'all back to school and assure you that there will be no repercussions. We even got you this nifty T-shirt with a big red 'A' to ensure your 'Acceptance.'”
"A district court judge for Bexar County has granted a temporary restraining order (TRO) to ensure that Andrea Hernandez, a San Antonio high school student from John Jay High School's Science and Engineering Academy, can continue her studies pending an upcoming trial. The Northside Independent School District (NISD) in Texas recently informed the sophomore student that she would be suspended for refusing to wear a 'Smart' Student ID card embedded with a Radio Frequency Identification (RFID) tracking chip."
Perhaps their politicians are more thoughtful than our politicians? But clearly, this is going to happen in some form eventually.
Uzbekistan To Create National DNA Database
November 23, 2012 by Dissent
RIA Novosti reports:
Uzbekistan will create a national DNA database to help track and fight crime, a spokesperson for the country’s Legislative Chamber told RIA Novosti Friday.
The parliament is expected to formulate a law “on genetic registration,” which will establish a legal basis for the collection and storage of citizens’ biological samples, by 2013.
The plan, approved by the government last week, is sponsored by Uzbekistan’s Ministry of Justice, the spokesperson said, and will “serve as a deterrent against those convicted of crime and will have preventive value” on crime in Uzbekistan.
While the spokesman said DNA registration, which will be overseen by interior officials, will be voluntary, it will be required of those convicted of or currently serving a sentence for grave crimes.
Actually, that’s less Orwellian than what we have here in the U.S., where many states have enacted legislation authorizing collection of DNA samples from those simply arrested for crimes (not just following conviction).
This will never catch on as a legal specialty. How would you find a lawyer by word of mouth?
"Computerworld asks: What will happen if big advertisers declare AdBlock Plus a clear and present danger to online business models? Hint: it will probably involve lawyers. From the article: 'Could browser ad blocking one day become so prevalent that it jeopardises potentially billions of dollars of online ad revenue, and the primary business models of many online and new media businesses? If so, it will inevitably face legal attack.'"
This could get real messy but I'm not sure there will be any useful precedents.
"A pretrial hearing in the case against accused LulzSec hacker Jeremy Hammond this week ended with the 27-year-old Chicago man being told he could be sentenced to life in prison for compromising the computers of Stratfor. Judge Loretta Preska told Hammond in a Manhattan courtroom on Tuesday that he could be sentenced to serve anywhere from 360 months-to-life if convicted on all charges relating to last year's hack of Strategic Forecasting, or Stratfor, a global intelligence company whose servers were infiltrated by an offshoot of the hacktivist collective Anonymous. Hammond is not likely to take the stand until next year, but so far has been imprisoned for eight months without trial. Legal proceedings in the case might soon be called into question, however, after it's been revealed that Judge Preska's husband was a victim of the Stratfor hack."
Take this course, solve the “problem,” win a prize. Interesting idea.
"UNSW professor Richard Buckland, lecturer of the famous Computing 1 course on YouTube, is now running a large scale open online Computer Science course for the world. UNSW Computing 1 — PuzzleQuest and the Art of Programming starts off with microprocessors and works its way through C with interactive activities while taking students on an adventure of hacking, cracking and problem solving. It's based around a three month long PuzzleQuest with grand and suspiciously unspecified prizes as well as fame and glory for the intrepid. The next class starts December 3rd 2012."
Hmmm. I already have several students with Top Secret Codeword clearance...
"The Los Angeles Times has a story about the two-year University of Tulsa Cyber Corps Program. About '85% of the 260 graduates since 2003 have gone to the NSA, which students call "the fraternity," or the CIA, which they call "the sorority."' 'Other graduates have taken positions with the FBI, NASA and the Department of Homeland Security.' According to the University of Tulsa website, two programs — the National Science Foundation's Federal Cyber Service: Scholarship for Service and the Department of Defense's (DOD's) Information Assurance Scholarship Program — provide scholarships to Cyber Corps students."
I have no artistic ability so it amuses me to watch those who do.
… If you are looking for a tool that helps you create patterns in an easier way, then you need to look for something made specifically with user friendliness in mind.
You need an app that offers intuitive controls and lets you work with patterns and images that you already have. All of this is offered by a web service called SymmetryMill.
Works well in Chrome, Firefox, and Internet Explorer.
The bits I find interesting...
… Another week, another round of MOOC-related news: This week, MassBay and Bunker Hill community colleges became the first community colleges to join edX, the Harvard-MIT-UT-UC Berkeley-MOOC platform. The two colleges will offer “MITx 6.00x Introduction to Computer Science and Programming” in a “blended” format — that is, with both virtual and face-to-face components. Students will pay the same for these classes as they would regular classes — yet another indication that this whole MOOC acronym doesn’t really work any more.
… The City University of New York launched “Commons in a Box” this week, its open source platform to make it easier for groups to create and maintain online communities. Commons in a Box is built on WordPress and Buddy Press and is designed to be simple to install, as well as to make online communication and collaboration easier.
Friday, November 23, 2012
Interesting Blog, well worth reading.
Petraeus and Privacy: Did We Overreact?
November 22, 2012 by Dissent
For a different perspective on the Petraeus-Broadwell-Kelley-Allen case, read Derek Bambauer’s blog post on Info/Law. Here’s a snippet:
I’ll be candid: the privacy community has a growing tendency to cry wolf. That is fine for advocates, but it risks conflating real issues and threats (warrantless wiretapping, use of drones domestically, surveillance for national security purposes domestically) with sensational but meaningless media events. The privacy fears in the Petraeus case boil down to two objections. First, many (including Google and others) think that the current federal wiretapping statute (the Electronic Communications Privacy Act) is outdated. Consider its weird 6-month rule for access to e-mail: under 6 months, get a warrant; over 6 months, a subpoena is enough. ECPA reform is entirely sensible, but law enforcement can hardly be accused of violating privacy when they carefully follow the laws as written. If you want the laws changed, that’s an entirely different claim – it’s normative, not descriptive. Distinguish the world you want from the world you live in.
Ireland seems as confused as I am. Must be in my genes...
Ireland Pushes Facebook to Clarify Privacy Changes
November 22, 2012 by Dissent
Stephanie Bodoni reports:
Facebook, which is overseen by Irish data protection regulators in the European Union, said that it recently proposed changes to its data-use policy and its statement of rights and responsibilities. The changes give users more detailed information about shared data including “reminders about what’s visible to other people on Facebook.”
“We will be seeking urgent further clarification from Facebook Ireland and if we consider that the proposed changes require a specific consent from EU users we will require Facebook to do this,” Gary Davis, Ireland’s deputy data- protection commissioner, said in an e-mail today.
Read more on Bloomberg Businessweek.
Kimber Streams of The Verge provides a description of the changes:
Facebook has proposed another set of updates to the documents that describe how it handles user data, and those changes reveal that it will be sharing data from other services it owns as well as removing the ability to block email messages from certain users outright. As part of the new Data Use Policy, Facebook wants to share user information across other Facebook-owned entities — such as Instagram — in order to “improve our own services and their own services.” The company also slipped in the ability to use that data to improve targeted advertising.
In addition, Facebook is removing the ability to control whether individuals can message you. However, in its proposal the company does state that it will be offering users new options — including filters — to help manage their inbox instead.
But wait, Facebook isn’t done messing with your privacy, as Salvador Rodriguez of the L.A. Times reports:
Currently, the Menlo Park-based social network allows users to vote if a proposed change to the policy receives more than 7,000 comments. Once a vote is triggered, if more than 30% of Facebook members participate, the results of the balloting stand.
In a post Wednesday, Facebook said the current system has become outdated because with 1 billion members, getting 7,000 comments is easy, but getting 300 million members to vote is a tough task.
“We’re proposing to end the voting component of the process in favor of a system that leads to more meaningful feedback and engagement,” Elliot Schrage, Facebook’s vice president of communications, public policy and marketing, said in the post.
I'm kind of surprised. Is this the reaction when your grab for power becomes too blatant?
"Today, the European Parliament passed a resolution that condemns the upcoming attempt from the International Telecommunications Union (ITU) to assert control over the Internet, and instructed its 27 Member States to act accordingly. This follows an attempt from the ITU to assert itself as the governing body and control the Internet. From the article: 'The resolution, which was passed with a large majority, included Members of European Parliament (MEPs) from all major party groups, and the Pirate Party’s Amelia Andersdotter had been playing a central role in its drafting, together with MEPs Marietje Schaake and Judith Sargentini from the Netherlands, Sabine Verheyen and Petra Kammerevert from Germany, Ivailo Kalfin from Bulgaria, and Catherine Trautmann from France.'"
Similar, but different? When global companies “avoid” taxes, is that automatically “tax evasion?” We're going to have to figure this out or everyone will incorporate in TinyTaxLand... Interesting arguments in the Comments...
"Looks like Google's habit of funneling billions of dollars in revenue through its Irish and Bermuda subsidiaries continues to attract unfavorable government attention globally. France has already announced plans to take on the search giant's tax evasion habits, and the Australian Government, to which Google paid just $74,000 in tax last year despite having Australian revenues close to $1 billion, has now confirmed plans to do the same."
A simple hack...
How To Enable 4G LTE On The Google Nexus 4
Reports surfaced this morning that the Nexus 4, Google’s latest flagship Android smartphone, supports LTE via a relatively easy software hack. After testing, it turns out that’s definitely true, so I’ll show you exactly how to enable it on your device.
For my students. A tool for keeping current.
UsenetStorm is an easy to use site which allows you to connect to any Usenet group that you like. After creating a free account, you can submit your nzb via a URL or by uploading your own from your hard drive and then begin downloading discussions. Downloads up to 500MB are allowed under a free account at speeds of up to 500 kb/s.
[From UsenetStorm's website:
… The most simple method of searching for nzb files to download is using a nzb index site. There are many different index sites on the web. We recommend using nzbindex.nl as it is clean and free to use.
… If you're looking for traditional Usenet access through a desktop client, we recommend trying the 10GB FREE trial from our partners at UsenetServer.com
[What is nzb?
Thursday, November 22, 2012
Perhaps we have a new meme to complement the Streisand Effect. The Haley Effect is the repeated attempt by politicians to convince voters that they know something when they clearly do not...
IRS says states must encrypt electronic tax records; Governor Haley attempts to extricate her feet from her mouth
November 21, 2012 by admin
Governor Nikki Haley of South Carolina should stop talking about the massive databreach at the Department of Revenue and let someone who actually knows something about data security speak for the state.
First, she claimed that there was no industry standard to encrypt Social Security numbers. That claim was roundly dismissed by, well, everyone, except, perhaps, by the state’s Inspector General Patrick Maley who had found the department “in substantial compliance with sound computer security practices.”
The Governor had also claimed that the breach probably couldn’t have been prevented. Yet more scorn was heaped upon her head, particularly after Mandiant’s forensic investigation indicated that the compromise likely occurred because an employee fell for a phishing attempt.
Still in “I really don’t know what I’m talking about but maybe this will help deflect blame” mode, the Governor then tried to blame the IRS for their lax standards, claiming that they don’t require states to encrypt data.
The IRS was having none of that, though. Jody Barr reports:
The IRS responded early Wednesday, refuting the governor’s claim.
In an e-mail, an IRS spokeswoman wrote: “We have many different systems with a variety of safeguards–including encryption–to protect taxpayer data. The IRS has in place a robust cyber security of technology, people and processes to monitor IRS systems and networks. We have a long list of requirements for states to handle and protect federal tax information.”
What was that quote about how it’s better to remain silent and be thought a fool than to speak out and remove all doubt? Enough said, Governor. Really.
I agree, this should be amusing...
Two Utah websites claim hacker attacks cost them $180K; @ItsKahuna challenges the price tag
November 21, 2012 by admin
Back at the beginning of the year, the Salt Lake City Police Department and Utah Chiefs of Police were among a number of law enforcement organizations hacked in #OpPiggyBank. A hacker whose Twitter handle is @ItsKahuna was subsequently charged in the incidents. Now John Anthony Borrell is challenging the organizations’ claims about what the hacks cost them.
Actually, a $180,000 price tag for two breached sites doesn’t sound that outrageous to me, but I look forward to seeing the organizations’ responses to discovery requests and clarification of the security protections they had in place prior to the hacks.
Gooder or badder?
Facebook wants to replace the system with one that solicits high-quality feedback instead of just votes. This would also prevent votes from being triggered by copy-and-pasted comments from privacy activists. Currently, if a proposed change gets 7,000 “substantive comments,” Facebook users can vote on the change and the vote will be binding if more than 30% of all Facebook users vote.
Facebook says that it’s doing away with the voting system because it “resulted in a system that incentivized the quantity of comments over their quality.” Therefore, the social network is “proposing to end the voting component of the process in favor of a system that leads to more meaningful feedback and engagement.”
I'm sure there must be a perfectly logical reason...
"Back in September, a U.S. judge ruled that a school district violated the First Amendment (freedom of speech) and Fourth Amendment (unreasonable search and seizure) rights of a 12-year-old student by forcing her to hand over her Facebook password to school officials who in turn used it to search for messages they deemed inappropriate. This month, another U.S. judge has ordered that women suing their employer for sexual harassment must hand over cell phones, passwords to their email accounts, blogs, as well as to Facebook and other social networks."
[From The Next Web article:
Should the outcome be different because it is on one’s Facebook account? There is a strong argument that storing such information on Facebook and making it accessible to others presents an even stronger case for production, at least as it concerns any privacy objection. It was the claimants (or at least some of them) who, by their own volition, created relevant communications and shared them with others.
[Better citations on the Eric Goldman Blog:
… EEOC v. Original Honeybaked Ham Co. of Georgia, Inc., 11 cv 02560 MSK MEH (D. Col. Nov. 7, 2012)
A look at some new toys for a cheaper safer way to wage war... (My picks)
Suicide Drones, Mini Blimps and 3D Printers: Inside the New Army Arsenal
… Flying Grenade
Don't call it a drone. Sure, it looks just like a small unmanned aerial vehicle -- right down to the little wings and the cameras. And yes, it's remotely flown. But the Lethal Miniature Aerial Munition System is more like a tiny, flying grenade. The 5.5-pound device contains just enough explosive material -- a little more than a shotgun shell's worth of tungsten pieces -- to make a single target's day unpleasant in a way no small drone can.
… Solar Drone
The Army and Marine Corps have bought thousands of hand-held drones, which can spy on a small piece of the battlefield. But the small eyes in the sky have a major weakness: they can only fly for about an hour before the batteries die. The REF believes it can double that endurance, by outfitting the drone's wings with these flexible solar cells.
I never like this tax either, since I don't pirate movies or music, it is a fine for someone else's crime. Or (worse) completely imaginary crimes.
An anonymous reader writes with news that hardware vendors aren't too happy about expanded levies on media. From the article:
"Hewlett-Packard, Acer, Dell, and Imation are suing the Dutch government over new levies on hard disks, smartphones, tablets, and MP3 players that are meant to compensate the music and movie industries for losses caused by home copying. The entertainment industry estimates lost income of €40 million, which is much too high, according to the hardware companies. 'That amount is excessive and completely unfounded,' they said. The €40 million also incorporates damages for illegally downloaded music and movies which, according to the companies, legally cannot be recovered by a levy on devices. Furthermore the Dutch government established a levy on all devices including devices for professional use that are not used for private copying, they said."
This could help fund the Privacy Foundation for example. I think with a few tweaks, this model would be quite useful.
Group-Funding Platform Crowdtilt Opens To Non-Profits, Now Offers Tax-Deductible Donations, Receipts
Since we first covered its launch back in February, Crowdtilt has been on a mission to become the easiest way for groups of people to collaborate around money, specifically fundraising, for any cause.
… As the startup has moved forward, however, it’s discovered that many of its users want to help raise funds for charitable causes, like Hurricane Sandy relief projects, for example. To support the growing number of individuals and organizations looking to raise money for charity, Crowdtilt today announced that it has enabled tax-deductible donations for 501(c)(3), or non-profit, organizations. As part of this, Crowdtilt is now able to send tax-deductible receipts for donations made to campaigns automatically, and the company believes it’s the first crowdfunding platform to do so.
Wednesday, November 21, 2012
Welcome to the era of “Cheap War.” No need for Bombers or Aircraft Carriers, just a few teenagers and a case of Jolt Cola... Once you have access, you can do some very interesting things: What do you mean, we lost a nuclear weapon? (If the US didn't do this, would that be good news or bad news?)
U.S. Government Hacked Into French Presidential Office, Spied on Senior Officials, Says a French News Report
Using the sophisticated Flame malware first developed to spy on and sabotage Iran's nuclear program, U.S. spymasters were able to gain almost unlimited access to the computers of senior French officials in the last days of former president Nicolas Sarkozy's reign, alleges a story in French magazine l'Express.
The impact of this alleged attack is unknown, but experts on the Flame malware -- believed to be the most sophisticated cyberweapon ever developed -- say that compromised computers could have been used to record conversations via infected PCs' microphones. Screenshots may also have been captured, and files could have been copied. According to France's intelligence agency, quoted in the story, the resulting data was then routed through multiple servers on all five continents in order to hide the ultimate destination of the stolen data.
The initial incursion was an extremely simple, tried-and-true bit of social engineering. Staffers at the official residence of the President of France, the Palais de l'Élysée, were friended by hackers on Facebook, who were no doubt using fake identities. Later, those staffers were sent emails with a login to a fake copy of the login page for the intranet of the Élysée. Once they entered their credentials, hackers had usernames and passwords they could use to log in to the real system.
For my Windows 8 using Ethical Hackers. Maybe this wasn't deliberate?
Microsoft hands Windows 8 Pro to pirates by mistake
You want a copy of Windows 8 Pro? Go ahead and download it -- Microsoft is giving the keys away for free.
According to VentureBeat, an interesting exploit on Microsoft's download page allows users to pick up a free copy of Windows 8 Pro -- directly from the website, and at no cost.
If you attempt to download the free Microsoft Windows Media Center upgrade, which is being offered until January 31, a strange side effect takes hold. Windows 8 Pro will be permanently activated.
If you write parts of a bill, shouldn't your name be on it? Who is operating the Senator Leahy puppet? OR Are we seeing evidence that “certain agencies” can not only read your email, they can rewrite your Bill...
Leahy scuttles his warrantless e-mail surveillance bill (UPDATED)
November 20, 2012 by Dissent
UPDATE: CNET has uploaded the amendments referred to in their prior posts today. They’re a far cry from what Senator Leahy proposed in September. So the question I have is: did the Senator actually draft these newer amendments to submit next week or is this a draft written by someone else who just wants the Senator to submit it under his name?
Earlier today, Declan McCullagh set off a firestorm on Twitter when CNET reported that Senator Leahy had not only backed off on his proposal to update ECPA by requiring warrants, but would be introducing a revised version that actually weakened our protections. As I noted in updates to my blog entry on the news, the Senator disputed Declan’s report and his office tweeted that he was still supporting a warrant requirement.
Declan has the update on CNET, and continues to stand by his earlier report:
Sen. Patrick Leahy has abandoned his controversial proposal that would grant government agencies more surveillance power — including warrantless access to Americans’ e-mail accounts — than they possess under current law.
The Vermont Democrat said today on Twitter that he would “not support such an exception” for warrantless access. The remarks came a few hours after a CNET article was published this morning that disclosed the existence of the measure.
A vote on the proposal in the Senate Judiciary committee, which Leahy chairs, is scheduled for next Thursday. The amendments were due to be glued onto a substitute (PDF) to H.R. 2471, which the House of Representatives already has approved.
Leahy’s about-face comes in response to a deluge of criticism today, including the American Civil Liberties Union saying that warrants should be required, and the conservative group FreedomWorks launching a petition to Congress — with more than 2,300 messages sent so far — titled: “Tell Congress: Stay Out of My Email!”
Read more on CNET.
The phishing was good... It is not really clear what was done or how it was done. I hope the state got a better report. (At least, more than four pages...)
Forensic report on SCDOR breach
Here’s Mandiant’s report on the breach at the South Carolina Department of Revenue. From the Executive Summary, a summary of the attack:
Summary of the Attack
A high-level understanding of the most important aspects of the compromise is detailed below.
1. August 13, 2012: A malicious (phishing) email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised. The malware likely stole the user’s username and password. This theory is based on other facts discovered during the investigation; however, Mandiant was unable to conclusively determine if this is how the user’s credentials were obtained by the attacker.
2. August 27, 2012: The attacker logged into the remote access service (Citrix) using legitimate Department of Revenue user credentials. The credentials used belonged to one of the users who had received and opened the malicious email on August 13, 2012. The attacker used the Citrix portal to log into the user’s workstation and then leveraged the user’s access rights to access other Department of Revenue systems and databases with the user’s credentials. [Not sure what they are saying here. Did they change access rights? The report does not say... Bob]
3. August 29, 2012: The attacker executed utilities designed to obtain user account passwords on six servers. [Copying unencrypted passwords? Bob]
4. September 1, 2012: The attacker executed a utility to obtain user account passwords for all Windows user accounts. The attacker also installed malicious software (“backdoor”) on one server.
5. September 2, 2012: The attacker interacted with twenty one servers using a compromised account and performed reconnaissance activities. The attacker also authenticated to a web server that handled payment maintenance information for the Department of Revenue, but was not able to accomplish anything malicious.
6. September 3, 2012: The attacker interacted with eight servers using a compromised account and performed reconnaissance activities. The attacker again authenticated to a web server that handled payment maintenance information for the Department of Revenue, but was not able to accomplish anything malicious.
7. September 4, 2012: The attacker interacted with six systems using a compromised account and performed reconnaissance activities.
8. September 5 – 10, 2012: No evidence of attacker activity was identified.
9. September 11, 2012: The attacker interacted with three systems using a compromised account and performed reconnaissance activities.
10. September 12, 2012: The attacker copied database backup files to a staging directory.
11. September 13 and 14, 2012: The attacker compressed the database backup files into fourteen (of the fifteen total) encrypted 7-zip archives. The attacker then moved the 7-zip archives from the database server to another server and sent the data to a system on the Internet. The attacker then deleted the backup files and 7-zip archives.
12. September 15, 2012: The attacker interacted with ten systems using a compromised account and performed reconnaissance activities.
13. September 16, 2012 – October 16, 2012: No evidence of attacker activity was identified.
14. October 17, 2012: The attacker checked connectivity to a server using the backdoor previously installed on September 1, 2012. No evidence of additional activity was discovered.
15. October 19 and 20, 2012: The Department of Revenue executed remediation activities based on short term recommendations provided by Mandiant. The intent of the remediation activities was to remove the attacker’s access to the environment and detect a re-compromise.
16. October 21, 2012 – Present: No evidence of related malicious activity post-remediation has been discovered.
Read the full report.
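Mandiant's timeline is also a detection checklist: a phished user, a later remote-access logon with that user's credentials, a password-dumping utility run on several servers in one day, and backups staged into encrypted 7-zip archives that are sent out and then deleted. The rules below are an added example, not Mandiant's or the Department of Revenue's code; the events are constructed, and the log schema, the IP addresses and the tool names (the report names no tools) are assumptions.

```python
"""Detection rules for the attack chain in Mandiant's timeline: a phished user,
a later remote-access (Citrix) logon with that user's credentials, a
password-dumping utility run across several servers in a day, and database
backups staged into encrypted 7-zip archives that are sent out and deleted.

The events below are constructed for illustration; the field names, the IP
addresses and the tool names are assumptions (the report names no tools)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed names of credential-dumping utilities; the report does not name them.
CRED_DUMP_TOOLS = {"pwdump.exe", "gsecdump.exe", "fgdump.exe"}
ARCHIVE_EXTS = (".7z", ".zip", ".rar")

# Constructed sample events (assumed schema: ts, host, user, kind, detail).
EVENTS = [
    dict(ts="2012-08-13 09:14", host="ws-17", user="jdoe", kind="email_link_click", detail="hxxp://phish.example/x"),
    dict(ts="2012-08-27 22:03", host="citrix-gw", user="jdoe", kind="remote_logon", detail="203.0.113.7"),
    dict(ts="2012-08-29 01:10", host="srv-01", user="jdoe", kind="process", detail="pwdump.exe"),
    dict(ts="2012-08-29 01:12", host="srv-02", user="jdoe", kind="process", detail="pwdump.exe"),
    dict(ts="2012-08-29 01:15", host="srv-03", user="jdoe", kind="process", detail="pwdump.exe"),
    dict(ts="2012-08-29 10:00", host="srv-09", user="admin", kind="process", detail="pwdump.exe"),  # one host only: noise
    dict(ts="2012-09-13 02:40", host="db-01", user="svc_sql", kind="file_create", detail="C:\\staging\\b01.7z"),
    dict(ts="2012-09-13 02:41", host="db-01", user="svc_sql", kind="file_create", detail="C:\\staging\\b02.7z"),
    dict(ts="2012-09-13 03:30", host="db-01", user="svc_sql", kind="net_out", detail="198.51.100.9:443 bytes=8200000000"),
    dict(ts="2012-09-13 04:00", host="db-01", user="svc_sql", kind="file_delete", detail="C:\\staging\\b01.7z"),
    dict(ts="2012-09-13 04:01", host="db-01", user="svc_sql", kind="file_delete", detail="C:\\staging\\b02.7z"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def phished_then_remote_logon(events, window=timedelta(days=30)):
    """Rule 1 (steps 1-2): a user who clicked a phishing link authenticates to the
    remote-access gateway within `window`. Returns (user, source, time) tuples."""
    first_click = {}
    for e in events:
        if e["kind"] == "email_link_click":
            first_click.setdefault(e["user"], parse_ts(e["ts"]))
    hits = []
    for e in events:
        if e["kind"] == "remote_logon" and e["user"] in first_click:
            delta = parse_ts(e["ts"]) - first_click[e["user"]]
            if timedelta(0) <= delta <= window:
                hits.append((e["user"], e["detail"], e["ts"]))
    return hits

def credential_dumping_spread(events, min_hosts=3, window=timedelta(hours=24)):
    """Rule 2 (step 3): one account runs a password-dumping utility on at least
    `min_hosts` distinct hosts inside `window`. Returns user -> sorted hosts."""
    runs = defaultdict(list)
    for e in events:
        if e["kind"] == "process" and e["detail"].lower() in CRED_DUMP_TOOLS:
            runs[e["user"]].append((parse_ts(e["ts"]), e["host"]))
    hits = {}
    for user, lst in runs.items():
        lst.sort()
        for i, (t0, _) in enumerate(lst):
            hosts = {h for t, h in lst[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits

def staged_archive_exfil(events):
    """Rule 3 (steps 10-11): archives created on a host, then an outbound transfer,
    then those same archives deleted. Returns host -> deleted archive paths."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e["host"]].append(e)
    hits = {}
    for host, evs in per_host.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        created, sent, deleted = set(), False, []
        for e in evs:
            if e["kind"] == "file_create" and e["detail"].lower().endswith(ARCHIVE_EXTS):
                created.add(e["detail"])
            elif e["kind"] == "net_out" and created:
                sent = True
            elif e["kind"] == "file_delete" and sent and e["detail"] in created:
                deleted.append(e["detail"])
        if deleted:
            hits[host] = deleted
    return hits

if __name__ == "__main__":
    print(phished_then_remote_logon(EVENTS))
    print(credential_dumping_spread(EVENTS))
    print(staged_archive_exfil(EVENTS))
```

None of the three rules needs the attacker's malware hash: they key on the sequence the report describes (phish, then gateway logon, then dumping across hosts, then staging and cleanup). Rule 1 is the one the second-factor requirement Governor Haley mentions would have cut off at the gateway; rules 2 and 3 would have fired in the two weeks between the first password dump and the exfiltration.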
(Related) “We knew how to prevent this, but we didn't bother...”
Haley admits hacking errors; revenue chief resigns
Governor Haley has now walked back some of her more irritating claims about South Carolina’s massive data breach. Seanna Adcox of Associated Press reports:
A report on a massive security breach at the South Carolina tax collection agency shows the state could have done more to protect personal information for nearly 4 million taxpayers, Gov. Nikki Haley said Tuesday. She also said she accepted the resignation of Department of Revenue Director Jim Etter effective at the end of the year.
Haley said the report from computer security firm Mandiant found hackers may have 3.3 million bank account numbers from South Carolina taxpayers.
The state made two mistakes, according to the report. It didn’t require two different ways to verify when someone was trying to get into the system to look at tax returns and it did not encrypt Social Security numbers, Haley said.
Read more on Seattle PI.
[From the Seattle PI article:
… the Republican governor blamed the debacle on antiquated state software and outdated IRS security guidelines.
"This is a new era in time," Haley said. "You can't work with 1970 equipment. You can't go with compliance standards of the federal government. Both are outdated."
… Last week, Haley ordered all of her 16 Cabinet agencies to use computer monitoring by the state information technology division. The revenue department has been criticized for previously turning down its free services.
… The cost of the state's response has exceeded $14 million. That includes $12 million to the Experian credit-monitoring agency to cover taxpayers who sign up — half of which is due next month — and nearly $800,000 for the extra security measures ordered last week.
The Revenue Department has estimated spending $500,000 for Mandiant, $100,000 for outside attorneys and $150,000 for a public relations firm. But those costs will depend on the total hours those firms eventually spend on the issue. The agency also expects to spend $740,000 to mail letters to an estimated 1.3 million out-of-state taxpayers.
Nowhere near the largest in absolute numbers, but still a fair chunk of the population...
Man arrested over theft of 9 million Greek files
A Greek man has been arrested on suspicion of having stolen 9 million personal data files in what is believed to be the biggest breach of private information the country has ever seen.
Police said Tuesday that the 35-year-old, whose name was not released, was found in possession of the data files that included identity card details, tax numbers, vehicle license plate numbers and home addresses.
Read more on CNBC.
Greece now joins Israel in having almost its entire citizenry’s data stolen.
[From the CNBC article:
… The files appeared to include duplicate entries, meaning the number of actual individuals affected could be lower. Greece has a population of around 10 million.
… The investigation began Monday after an employee at the data protection authority notified police that someone appeared to have a large number of digital files containing personal data, the head of financial and electronic crimes police Dimitris Georgatzis said.
[Note: The DPA (http://www.dpa.gr/portal/page?_pageid=33,40911&_dad=portal&_schema=PORTAL ) may have been browsing through online storage records, since there is no indication they know how (or even where) the data was obtained. Bob]
Be careful when you blow that whistle...
Jail Looms for Man Who Revealed AT&T Leaked iPad User E-Mails (updated)
Tom Simonite reports:
AT&T screwed up in 2010, serving up the e-mail addresses of over 110,000 of its iPad 3G customers online for anyone to find. But today Andrew Auernheimer, an online activist who pointed out AT&T’s blunder to Gawker Media, which went on to publicize the breach of private information, is the one in federal court this week.
His case highlights some potentially troubling disconnects between the practicalities of online life and the rule – and application – of the law.
Read more on MIT Technology Review. The jury has the case now as I post this and I’ll update later.
Update: He was found guilty. Kim Zetter provides background on the case and how chat logs may have helped convict him. Auernheimer tweeted after the verdict that he plans to appeal.
This is truly creepy...
The Mannequins Will Be Watching You
This holiday season, if you shop at Benetton, you may be under surveillance.
Of course, we are all pretty used to the idea of security cameras trained on the entrance of a store, or over a counter of particularly expensive goods, and we've become accustomed -- even if we don't like it, on a gut level -- to the tracking that comes with online shopping, populating the ad boxes from website to website of those sneakers you just looked at. But Benetton's surveillance looks a little different: The store has purchased mannequins from an Italian company which promises that "from now on the mannequins will not only display your collections ... [but will] make it possible to 'observe' who is attracted by your windows and reveal important details about [them]."
It probably isn't smart to ignore irate parents. And I don't think the Founding Fathers actually said, “We respect no religion...”
"Lawyers representing Andrea Hernandez, a science and engineering student at John Jay High School, are fighting an expulsion notice issued a week ago for refusing to wear a Smart ID badge. To represent her, lawyers filed a preliminary court injunction, seeking legal restraints on the school. She maintains stance of refusal to wear any badge containing an RFID tag for reasons of basic privacy and conflicts with her belief system. [RFID is the “Mark of the Beast” Bob] The controversial decision for her school to adopt the NFC badges is part of the Student Locator Project, tracking attendance. Local schools started issuing the lanyard badges this fall despite parental outcry at NISD school board meetings."
No doubt the “It's not fair!” whiners will be out in force. “Don't bother me with facts. Computers is magic!”
"Europe's proposed 'right to be forgotten' has been the subject of intense debate, with many people arguing it's simply not practical in the age of the internet for any data to be reliably expunged from history. Well, add another voice to that mix. The European Network and Information Security Agency (ENISA) has published its assessment of the proposals (PDF), and the tone is skeptical to say the least. And, interestingly, one of the biggest problems ENISA has found has to do with big data. They say, 'Removing forgotten information from all aggregated or derived forms may present a significant technical challenge. On the other hand, not removing such information from aggregated forms is risky, because it may be possible to infer the forgotten raw information by correlating different aggregated forms.'"
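ENISA's point about aggregates is easy to show concretely. Below is an added example (constructed data, not ENISA's): a record is erased from the raw data but the published count and sum are simply recomputed, and anyone holding both releases subtracts one from the other to get the "forgotten" value back. The `safe_release` guard at the end is a standard differencing check; its threshold `k` is an assumed policy value.

```python
"""Why erasing a raw record but leaving published aggregates alone is not
'forgetting': two aggregate releases that differ by one person give that
person's value back by subtraction. Constructed data, not ENISA's example;
the k-threshold in safe_release is an assumed policy value."""

# Constructed records (not real people).
PEOPLE = [
    {"id": 1, "salary": 52000},
    {"id": 2, "salary": 48000},
    {"id": 3, "salary": 61000},
    {"id": 4, "salary": 57000},
    {"id": 5, "salary": 45000},
]

def aggregate(records):
    """The 'derived form': count, sum and mean, with no individual rows."""
    n = len(records)
    total = sum(r["salary"] for r in records)
    return {"count": n, "sum": total, "mean": total / n if n else None}

def erase_raw_only(records, forget_id):
    """Honour an erasure request on the raw data only and re-publish the
    aggregates. Returns (release before erasure, release after erasure)."""
    before = aggregate(records)
    after = aggregate([r for r in records if r["id"] != forget_id])
    return before, after

def infer_forgotten(before, after):
    """What anyone holding both releases can do: if exactly one record left,
    its value is the difference of the two sums."""
    if before["count"] - after["count"] != 1:
        return None
    return before["sum"] - after["sum"]

def safe_release(previous, candidate, k):
    """Differencing guard: refuse to publish an aggregate whose population
    differs from an already published one by fewer than k records, because
    the difference would then describe fewer than k people. Returns the
    candidate, or None if it must be withheld (or the earlier one withdrawn)."""
    if previous is None:
        return candidate
    diff = abs(previous["count"] - candidate["count"])
    if 0 < diff < k:
        return None
    return candidate

if __name__ == "__main__":
    before, after = erase_raw_only(PEOPLE, forget_id=3)
    print("recovered:", infer_forgotten(before, after))        # 61000, the erased salary
    print("guarded release:", safe_release(before, after, k=3))  # None
```

The guard only compares against one earlier release; a real publisher has to track every aggregate it has ever put out, which is exactly the "significant technical challenge" ENISA is pointing at.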
Cheap War: Compared to the Marine Expeditionary Force or the 101st Airborne, Drones are cheap. So we can start a whole bunch of “Drone Wars” for the cost of a single F22 Fighter!
Leon Panetta Has a Few More Drone Wars Ready to Go
There once was a time, just last year, when Defense Secretary Leon Panetta thought the U.S. was this close to wiping al-Qaida off the face of the earth, once and for all. That appears to have gone up in the flames of the U.S. consulate in Benghazi. Now, a more dour Panetta believes that it’s not enough to continue the drone strikes and commando raids in Pakistan, Yemen and Somalia; they’ve got to expand “outside declared combat zones” to places like Nigeria, Mali and even Libya.
That was Panetta’s message at a Tuesday evening address to the Center for American Security, an influential Washington defense think tank. Panetta, a former director of the CIA, gave a strong defense of counterterrorism drone strikes and commando raids, calling them “the most precise campaign in the history of warfare,” and indicated strongly that they’re only going to intensify in the coming years.
Rattle the anti-trust saber before the election to gather the anti-business vote, then drop everything for the next four years to reward a major contributor? Nah. That only happens in the movies...
A couple weeks back, we heard the FTC may be close to making a decision on whether or not it wants to take Google to court over claims of anti-competitive behavior. If a new report from Bloomberg is to be believed, however, the FTC may have a problem actually hitting Google with antitrust charges due to a lack of evidence. If that’s true, then Google may just be able to get out of this whole thing without ending up in court.
e-Lawyer v. e-Lawyer Could be fun!
Online Legal Services Company LegalZoom Sues Rival RocketLawyer For Misleading Advertising, Trademark Infringement And More
This is going to get ugly. Online legal services company LegalZoom is suing rival Rocket Lawyer, according to a release issued by the LA-based LegalZoom today. The charges are false and misleading advertising, trademark infringement and unfair competition. The suit was filed in the United States District Court for the Central District of California.
Apparently the Naval Observatory clock re-booted...
"It seems a glitch of some sort wreaked havoc on some NTP servers yesterday, causing many machines to revert to the year 2000. It seems the Y2K bug that never happened is finally catching up with us in 2012."
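A client that blindly takes whatever time a server hands out is the other half of this story. The example below is added here (constructed packets, not anything captured from the Naval Observatory servers): it parses an NTP version 4 server reply and refuses any time that is more than 1000 seconds away from the local clock, which is ntpd's own panic threshold (it will not step the clock past that unless started with -g). The local clock value is assumed for the demonstration.

```python
"""Parse an NTP (RFC 5905) server reply and refuse a time that is wildly off
from the local clock, the sanity check that keeps a client from jumping back
to 2000 when a server hands out bad time. The packets are constructed here,
not captured from the Naval Observatory; the 1000 s limit is ntpd's panic
threshold (it will not step past it unless started with -g)."""
import struct
from datetime import datetime, timezone

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
PANIC_THRESHOLD = 1000.0        # seconds; ntpd's default panic limit

LOCAL_NOW = datetime(2012, 11, 20, 12, 0, tzinfo=timezone.utc).timestamp()  # assumed local clock
Y2K = datetime(2000, 1, 1, tzinfo=timezone.utc).timestamp()                 # what the bad servers sent

def build_reply(transmit_unix, stratum=1):
    """Construct a minimal 48-byte mode-4 (server) reply; only the header byte,
    stratum and transmit timestamp (bytes 40-47) are filled in."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | 4          # LI=0, version 4, mode 4 (server)
    pkt[1] = stratum
    secs = int(transmit_unix) + NTP_EPOCH_OFFSET
    frac = int(round((transmit_unix - int(transmit_unix)) * (1 << 32)))
    struct.pack_into("!II", pkt, 40, secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)
    return bytes(pkt)

def parse_reply(pkt):
    """Pull out leap indicator, mode, stratum and the transmit timestamp as Unix time."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    secs, frac = struct.unpack_from("!II", pkt, 40)
    return {
        "li": pkt[0] >> 6,
        "mode": pkt[0] & 0x07,
        "stratum": pkt[1],
        "transmit_unix": secs - NTP_EPOCH_OFFSET + frac / (1 << 32),
    }

def accept_time(pkt, local_unix, threshold=PANIC_THRESHOLD):
    """Return (accept?, offset). Rejects non-server packets, unsynchronised
    sources (LI=3), kiss-o'-death or invalid strata, and offsets beyond threshold."""
    r = parse_reply(pkt)
    if r["mode"] != 4 or r["li"] == 3 or r["stratum"] == 0 or r["stratum"] > 15:
        return False, None
    offset = r["transmit_unix"] - local_unix
    if abs(offset) > threshold:
        return False, offset
    return True, offset

if __name__ == "__main__":
    print(accept_time(build_reply(LOCAL_NOW + 0.25), LOCAL_NOW))   # accepted, offset 0.25 s
    print(accept_time(build_reply(Y2K), LOCAL_NOW))                # rejected, offset of roughly -4e8 s
```

A real client also cross-checks several servers before believing any of them; a single source that disagrees with the others by twelve years should be dropped, not followed.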
If you fail one of my tests, “I really don't care why!” We could just change the law to: “Your driving looked 'funny' to the arresting officer.”
"A recent assessment by the National Highway Traffic Safety Administration, based on random roadside checks, found that 16.3% of all drivers nationwide at night were on various legal and illegal impairing drugs, half them high on marijuana. Now AP reports that with marijuana soon legal under state laws in Washington and Colorado, setting a standard comparable to blood-alcohol limits has sparked intense disagreement. Unlike portable breath tests for alcohol, there's no easily available way to determine whether someone is impaired from recent pot use. If scientists can't tell someone how much marijuana it will take for him or her to test over the threshold, how is the average pot user supposed to know? 'We've had decades of studies and experience with alcohol,' says Washington State Patrol spokesman Dan Coon. 'Marijuana is new, so it's going to take some time to figure out how the courts and prosecutors are going to handle it.' Driving within three hours of smoking pot is associated with a near doubling of the risk of fatal crashes. However, THC can remain in blood and saliva for highly variable times after the last use of the drug. Although the marijuana 'high' only lasts three to five hours, studies of heavy users in a locked hospital ward showed THC can be detected in the blood up to a week after they are abstinent, and the outer limit of detection time in saliva tests is not known. 'A lot of effort has gone into the study of drugged driving and marijuana, because that is the most prevalent drug, but we are not nearly to the point where we are with alcohol,' says Jeffrey P. Michael, the National Highway Traffic Safety Administration's impaired-driving director. 'We don't know what level of marijuana impairs a driver.'"
Hey! I know students who could do this!
"Last week, Nate Silver ranked Google Consumer Surveys as one of the most accurate polling firms of the 2012 US election. This week, Google has released the raw data that went into its election-day prediction, and is running a contest for interesting visualizations of that data. They provide a few examples of their own, including a WebGL globe view."
Tuesday, November 20, 2012
Someone has probably thought through the security implications. I don't think there is a consensus on “Best Practices” yet, but it had better come soon!
November 19, 2012
Study identifies different perceptions of bring your own device to work
InternetNews.com: "While BYOD is a known trend, its actual impact and adoption varies, depending on who you ask. According to a recent study from security vendor Blue Coat, IT staff and employees tend to view BYOD in different ways. While 71 percent of employees reported that they used their own devices to access corporate IT, IT staff in the same survey said they believed 37 percent of employees were accessing the network with non-corporate devices. A study from security vendor Webroot seems to confirm there are a large number of employee-owned devices. It reports that 73 percent of companies now have a mix of company- and employee-owned mobile devices."
(Related) There is already a large area where organizations interface with client devices...
"While many mobile payments startups are using both traditional and nontraditional authentication methods, regulatory uncertainty still exists around liability for fraud attacks on customers using mobile payments. Although there haven't been any public attacks from fraudsters on alternative mobile payments providers such as Square, LevelUp or Dwolla, anecdotal stories are already circulating among security experts and regulators of such attacks. One thing that still has to be worked out in this area is regulatory oversight. 'The regulators are not yet clear who owns the regulatory oversight for these environments. These technologies tend to fall through the cracks even in terms of card-present or card-not-present.'"
Who speaks for the citizens, Mr. Brother sir?
Senate bill rewrite lets feds read your e-mail without warrants
A Senate proposal touted as protecting Americans' e-mail privacy has been quietly rewritten, giving government agencies more surveillance power than they possess under current law.
CNET has learned that Patrick Leahy, the influential Democratic chairman of the Senate Judiciary committee, has dramatically reshaped his legislation in response to law enforcement concerns. A vote on his bill, which now authorizes warrantless access to Americans' e-mail, is scheduled for next week.
Leahy's rewritten bill would allow more than 22 agencies -- including the Securities and Exchange Commission and the Federal Communications Commission -- to access Americans' e-mail, Google Docs files, Facebook wall posts, and Twitter direct messages without a search warrant. It also would give the FBI and Homeland Security more authority, in some circumstances, to gain full access to Internet accounts without notifying either the owner or a judge.
Drones in “private” hands. “If they fly within range, they are trespassing!” Interesting legal question?
"Photos provided by the animal rights group show the multicopter smoking on the ground, with its lithium polymer battery supply smoldering. Another photo shows the drone's video camera smashed. The drone, dubbed 'Angel,' was a Cinestar 8 octocopter estimated at $4,000. This wasn't the first time SHARK has been shot out of the sky. This is the fourth drone that the group has lost while investigating pigeon shootings. One drone landed on club property, and is the subject of an ongoing lawsuit.
[From the comments:
… What I find interesting about that figure is that the old tradition of defining 'national waters' has historically been the max range of the shore cannons of the day.
Thus, defining 'personal air space' as the max range of common arms* that a homeowner might have seems pretty traditional.
… Of course if the drone is camera equipped (almost guaranteed) you may be able to skip trespassing rules and use peeping tom type laws against it at almost any altitude if it's filming parts of your property that would otherwise be private...
(Related) Drones for Swabbies. You don't have to fly to control remotely. Add a motor and you have a really smart torpedo.
Drone Boats Chase Targets, Titles in SailBot Regatta
… Why would we want sailing robots? Aside from the beneficial learning experience for everyone involved, there are applications for real-world use. The oceans are vast and it takes a lot of fuel to motor around them, plus life at sea is incredibly harsh. An autonomous vehicle could allow scientists — or spies — to monitor much larger swaths of the seascape, and a sail-powered drone could operate for much longer than a vehicle that needs to carry fuel. On top of that, all the benefits of sending machines instead of people into dangerous environments apply.
So, what can they do about it?
Parents, Teens, and Online Privacy
Most parents of teenagers are concerned about what their teenage children do online and how their behavior could be monitored by others. Some parents are taking steps to observe, discuss, and check up on their children’s digital footprints, according to a new survey by the Pew Research Center’s Internet & American Life Project.
- 81% of parents of online teens say they are concerned about how much information advertisers can learn about their child’s online behavior, with some 46% being “very” concerned.
- 72% of parents of online teens are concerned about how their child interacts online with people they do not know, with some 53% of parents being “very” concerned.
- 69% of parents of online teens are concerned about how their child’s online activity might affect their future academic or employment opportunities, with some 44% being “very” concerned about that.
I think she makes several points...
Advocates for renewal of the FISA Amendments Act (FAA) often argue that the statute poses no more harm to the privacy of innocent Americans than does the Wiretap Act, also known as Title III. After all, when FBI agents are tapping a suspected drug courier’s phones, his friends or mother may also call. How is the FAA any different?
Actually, there are many important differences between Title III, the FAA and even traditional FISA intercept orders. These differences mean that FAA is far more intrusive than Title III and poses a categorically different threat to the privacy of innocent Americans.
Might be better if they gave these folks a bit of time to think about their answers, but some useful points do come out...
Why privacy matters
November 19, 2012 by Dissent
Privacy International interviewed Cory Doctorow, Kade Crockford, Jameel Jaffer, Dan Kaminsky, Chris Soghoian, Marcia Hoffman, Moxie Marlinspike, Phil Zimmerman, Hanni Fakhoury and Eli O at Defcon 2012. They’ve uploaded the video:
As often as I point out Facebook's failures (a lot!) I suppose I should point to a good decision too. Since many simple hacks are avoided, their costs may go down...
"Facebook this week will begin turning on secure browsing by default for its millions of users in North America. The change will make HTTPS the default connection option for all Facebook sessions for those users, a shift that gives them a good baseline level of security and will help prevent some common attacks. Facebook users have had the option of turning on HTTPS since early 2011 when the company reacted to attention surrounding the Firesheep attacks. However, the technology was not enabled by default and users have had to opt-in and manually make the change in order to get the better protection of HTTPS."
[From the article:
HTTPS encrypts the connection between the user's machine and the server on the other end, obscuring it from attackers, even if they are able to sniff the traffic on the wire or on a wireless connection. The technology is by no means a cure-all for Web-based attacks, however, as there have been demonstrations of attacks that enable third parties to snoop on encrypted traffic and grab valuable data, such as usernames and passwords or financial information.
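Firesheep worked because the session cookie travelled over plain HTTP, so "HTTPS by default" is only as good as the cookie flags and the Strict-Transport-Security header that keep a browser from ever falling back. The audit below is an added example (constructed responses, not captured from facebook.com; the session cookie name and the six-month HSTS minimum are assumptions) of the checks to run on a site after it flips the default.

```python
"""Checks for a site moving from opt-in to default HTTPS: a session cookie must
carry Secure (the browser then never sends it over plain HTTP, the Firesheep
scenario) and HttpOnly, and HTTPS responses should carry Strict-Transport-Security
so browsers stop making plain-HTTP requests at all. Constructed responses,
not captured from facebook.com; the cookie name and HSTS minimum are assumptions."""

SESSION_COOKIES = {"sessionid"}             # assumed name of the session cookie
MIN_HSTS_AGE = 180 * 24 * 3600              # assumed policy: at least six months

def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def hsts_max_age(value):
    """max-age directive of a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            return int(d[len("max-age="):])
    return None

def audit_https_headers(headers, session_cookies=SESSION_COOKIES):
    """headers: list of (name, value) pairs from an HTTPS response.
    Returns a list of findings; an empty list means the response passed."""
    findings = []
    hsts = None
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts = value
        elif lname == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            if cname not in session_cookies:
                continue
            if "secure" not in attrs:
                findings.append(f"{cname}: no Secure flag, cookie is also sent over plain HTTP")
            if "httponly" not in attrs:
                findings.append(f"{cname}: no HttpOnly flag, readable by injected script")
    if hsts is None:
        findings.append("no Strict-Transport-Security header, browser may still start over HTTP")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_AGE:
            findings.append(f"Strict-Transport-Security max-age too short: {age}")
    return findings

# Constructed responses: the opt-in era versus HTTPS by default.
OPT_IN_ERA = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
]
HTTPS_BY_DEFAULT = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=15552000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "locale=en_US; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("opt-in", OPT_IN_ERA), ("default", HTTPS_BY_DEFAULT)):
        print(label, audit_https_headers(hdrs) or "OK")
```

Non-session cookies such as the locale are deliberately ignored; the flag that matters for cookie sniffing is the one on the cookie that authenticates the user.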
Because we don't really know what caused the DoJ to pick MegaUpload from the field of hundreds of potential targets, is everyone making changes? Would “Customer Controlled Encryption” change the game?
"On November 27, RapidShare will start putting a tight cap on outbound downloads for its free users. Paid members will still have 30 gigabytes in outbound downloads per day, but everybody else will be capped at one gigabyte. The change is expected to further deter pirates from using RapidShare to distribute copyright material on a large scale."
When “There's no App for that” there is a business opportunity. I find it surprising that the music sites don't know what their customers like and are paying for. Maybe they just don't want to give the artists a bargaining chip?
"Most Slashdotters have been following the debate among the various players in the music industry about how much money artists (and their labels) get from traditional music outlets like radio and newer services like Pandora or Spotify. But Zoë Keating, a professional cellist who has a professional interest in the outcome of this argument, thinks there's one thing missing from all the proposals: more data on who her audience is. Even digital services can't tell her how many people heard her songs or where they're most popular. 'How can I grow my business on this information?' she asks. 'How do I reach them? Do they know I'm performing nearby next month? How can I tell them I have a new album coming out?'"
She proposes mandatory reporting of information on listeners as part of royalties.
For my Disaster Recovery students
"At the end of October, Hurricane Sandy struck the eastern seaboard of the United States, leaving massive amounts of property damage in its wake. Data center operators in Sandy's path were forced to take extreme measures to keep their systems up and running. While flooding and winds knocked some of them out of commission, others managed to keep their infrastructure online until the crisis passed. In our previous interview, we spoke with CoreSite, a Manhattan-based data center that endured even as much of New York City went without power. For this installment, Slashdot Datacenter sat down with executives from IPR, which operates two data centers—in Wilmington, Delaware and Reading, Pennsylvania—close to Sandy's track as it made landfall over New Jersey and pushed northwest."
(Related) Because too late comes quickly!
Perspective: It should be interesting to see if this is a true cost for monthly unlimited service or a short-time promo...
… Of course, one of the big draws of Republic is its mobile plan. Republic charges a flat rate of $19 per month for unlimited talk, text, and data, which gained a lot of attention back when the service first launched. Today, however, is the day that Republic service becomes available for everyone, so you’re free to sign up whenever you like.
The Motorola DEFY XT will set you back $249 if you’re going through Republic, so the initial payment isn’t exactly going to be cheap. There’s also an extra $10 service fee on top of that, which includes shipping and handling for your phone. Your first $19 monthly fee will be charged once your phone ships next month, so by the time you get your phone in the mail, you’ll be out $278 – and that’s if you only order one phone.
Still, that hefty initial payment might be worth it when you consider that you’ll only be paying $19 per month from there on out. For unlimited talk, text, and data, that’s a pretty significant discount over the major carriers (most of which aren’t offering actual unlimited plans anymore), so Republic might be worth checking out.
Having a massive ego, I never had this problem.
"The recent anti-bullying survey conducted by ABA brings up some interesting findings. According to it, more than 90% of the 1,000 11-16 year-olds surveyed said they had been bullied or seen someone bullied for being too intelligent or talented. Almost half of children and young people (49.5%) have played down a talent for fear of being bullied, rising to 53% among girls. One in 10 (12%) said they had played down their ability in science and almost one in five girls (18.8%) and more than one in 10 boys (11.4%) are deliberately underachieving in maths – to evade bullying. Worryingly, this means our children and young people are shying away from academic achievement for fear of victimization."
I'm bad at computer games. I can't understand a word that cricket lovers say (I swear it's no longer English), so I will definitely not be downloading this one!
… You may not understand cricket in all its nuances, but if you love hitting a ball out of the park with a bat, you just might love Stick Cricket. Stick Cricket is perhaps the most popular cricket game in the Google Play Store.
… It is a free game with lots of play options. If you want to go beyond that, there are in-app purchases available which extend the play. The free game comes with ads which really aren’t a bother at all.