Saturday, December 01, 2012

Are they deliberately locating these machines in places where the security cameras can't see them? That seems a bit suspicious...
By Dissent, November 30, 2012
Peter Hermann reports:
Fairfax County police are investigating skimmers that were found attached to two automated teller machines at Fairfax hospitals. The devices, discovered this week, are designed to copy personal bank card information and pass codes for thieves…. The devices were found Tuesday at an ATM near the lobby gift shop of the Inova Fairfax Hospital Cardiac Care Center and on Wednesday at an ATM next to the cafeteria at Inova Fair Oaks Hospital.
Read more on The Washington Post.
As Hermann reports, this is not the first time the ATM at the cardiac care center was tampered with. Another skimmer on the same ATM had been discovered in September.
As NBC reports, the ATMs are not maintained by the hospitals, raising the question of who is responsible for checking on them regularly? It appears that the skimmers were discovered by either hospital security or people walking through, but not by those who might actually be responsible for installing and maintaining them.
Actually, I’m surprised we don’t hear about this kind of thing more often. Other than this report, the September report involving Fairfax, and an April report about ATM skimmers found at 8 GTA hospitals in Toronto, Canada, I don’t recall reading other reports of skimmers attached to an ATM in a hospital. Yet as I’ve walked through a number of hospitals in the past year, I’ve repeatedly thought how easy it would be to do this, and how victims probably would have a tough time figuring out where the breach occurred.


An interesting read for my Ethical Hackers...
"The ACM has an article describing the history and present of the Great Firewall of China (GFW). 'Essentially, GFW is a government-controlled attacking system, launching attacks that interfere with legitimate communications and affecting many more victims than malicious actors. Using special techniques, it successfully blocks the majority of Chinese Internet users from accessing most of the Web sites or information that the government doesn't like. GFW is not perfect, however. Some Chinese technical professionals can bypass it with a variety of methods and/or tools. An arms race between censorship and circumvention has been going on for years, and GFW has caused collateral damage along the way.'"


Somehow I find this as unlikely as a Rube Goldberg device. But the judge concluded that the result was no 4th Amendment rights...
"This is a crazy story. An FBI agent put spyware on his kid's school-issued laptop in order to monitor his Internet use. Before returning the laptop to the school, he tried to wipe the program (SpectorSoft's eBlaster) by having FBI agents scrub the computer and by taking it to a computer repair shop to be re-imaged. It somehow survived and began sending him reports a week later about child porn searches. He winds up busting the school principal for child porn despite never getting a warrant, subpoena, etc. The case was a gift-wrapped present, thanks to spyware. A judge says the principal has no 4th Amendment protection because 1. FBI dad originally installed spyware as a private citizen not an officer and 2. he had no reasonable expectation of privacy on a computer he didn't own/obtained by fraud."


HBR Blogs! Who knew? (and why didn't they tell me...)
Big Data Is Not the New Oil
November 30, 2012 by Dissent
Jer Thorp writes:
Every 14 minutes, somewhere in the world, an ad exec strides on stage with the same breathless declaration:
“Data is the new oil!”
It’s exciting stuff for marketing types, and it’s an easy equation: big data equals big oil, equals big profits. It must be a helpful metaphor to frame something that is not very well understood; I’ve heard it over and over and over again in the last two years.
The comparison, at the level it’s usually made, is vapid. [...] Still, there are some ways in which the metaphor might be useful.
[From the Blog post:
First, people need to understand and experience data ownership.
Second, we need to have a more open conversation about data and ethics.
Finally, we need to change the way that we collectively think about data, so that it is not a new oil, but instead a new kind of resource entirely.


Let the metaphors flow...
Big Data Is Not the New Oil
November 30, 2012 by Dissent
Jer Thorp writes:
Every 14 minutes, somewhere in the world, an ad exec strides on stage with the same breathless declaration:
“Data is the new oil!”
It’s exciting stuff for marketing types, and it’s an easy equation: big data equals big oil, equals big profits. It must be a helpful metaphor to frame something that is not very well understood; I’ve heard it over and over and over again in the last two years.
The comparison, at the level it’s usually made, is vapid. [...] Still, there are some ways in which the metaphor might be useful.


Amazon has a deal with 7-11 stores. What am I missing here?
Why Did Google Buy BufferBox? Because The Entire Mail And Package Delivery System Is Broken
Today, Google bought an Ontario-based company called BufferBox. In a way, it kind of came out of left field. Since it’s a Google Ventures company, one can guess that those on Google’s campus were very familiar with the service, which provides an easy alternative to waiting around for packages at your house.
Not only is package delivery a bummer, because things get lost, hitting up your mailbox when you get home isn’t that much fun either. The worst is when you don’t even have a mailbox and you come home to twenty pieces of junkmail slipped under your door. The mail delivery system is broken and old. It’s ripe for…disruption. How broken? The US Post Office lost $15.9B in 2012. [and Amazon and Google can't wait to buy into that industry? Bob]


For the “Tools & Techniques” folder...
… The recently launched service gives users a WYSISWYG interface, so you can put together a professional looking newsletter, filled with images, videos and links, in a matter of minutes.
… With the free plan you can send out your newsletters to up to 500 subscribers, and up to 1,000 emails.


Tools I might use, ideas I might adapt.
Open Textbooks Project: openly licensed science textbooks, printed on demand for less than $5. utahopentextbooks.org/about/
Open High School of Utah, openhighschool.org/: public charter school, completely online! charter says: use only OER content.
Project Kaleidoscope project-kaleidoscope.org/: college level, gen ed courses, $0 textbooks. 10% increase for students who succeeded.

Friday, November 30, 2012

This could be huge! I read it as a requirement for banks to “adjust” their security based on current hacker “trends” and the amounts at risk. Very interesting.
Bank Agrees to Reimburse Hacking Victim $300K in Precedent-Setting Case
In a case watched closely by banks and their commercial customers, a financial institution in Maine has agreed to reimburse a construction company $345,000 that was lost to hackers after a court ruled that the bank’s security practices were “commercially unreasonable.” [What did they base that decision on? Bob]
People’s United Bank has agreed to pay Patco Construction Company all the money it lost to hackers in 2009, plus about $45,000 in interest, after intruders installed malware on Patco’s computers and stole its banking credentials to siphon money from its account.
Patco had argued that the bank’s authentication system was inadequate and that it failed to contact the customer after its automated system flagged the transactions as suspicious. But the bank maintained that it had done due diligence because it verified that the ID and password used for the transactions were authentic.
The case raised important questions about how much security banks and other financial institutions should be reasonably required to provide commercial customers.
Small and medium-sized businesses around the country have lost hundreds of millions of dollars in recent years to similar thefts, known as fraudulent ACH (Automated Clearing House) transfers, after their computers were infected with malware that swiped their bank account credentials. Some have been lucky to recover the money from banks that valued their business, but others, like Patco, were told by their banks that they were responsible for the loss.
Although the assets of customers with personal bank accounts are protected under federal law, commercial bank accounts are not. The only recourse such customers have when their bank refuses to assume responsibility for stolen funds is to try to pursue their money in state courts under the Uniform Commercial Code.
People’s United Bank agreed to the settlement only after an appellate court indicated that the bank’s security system and practices had been inadequate under the UCC.
“This case says to banks and to commercial customers … that there are circumstances in which the bank cannot shift the risk of loss back to the customer, and we’re not going to assume that security procedures are commercially reasonable just because the bank has a system that they say is state of the art,” says attorney Dan Mitchell, who represented Patco.
Last year, a U.S. District Court in Maine ruled that People’s United Bank wasn’t responsible for the lost money, and granted the bank’s motions for a summary dismissal of Patco’s complaint. A magistrate agreed with the ruling saying in part that although the bank’s security procedures “were not optimal,” it was comparable to that offered by other banks. [Strange standard... Bob]
But judges with the First Circuit Court of Appeals ruled last July that the bank’s security system wasn’t “commercially reasonable,” (.pdf) and advised the two parties to try to come to a settlement, which they did about a week ago. Patco will not be reimbursed attorneys fees in the settlement.


I would expect a very few frauds of this type to remain undetected for long, but it looks like “Is no my job, man.”
Total Extent of Refund Fraud Using Stolen Identities is Unknown
GAO-13-132T, Nov 29, 2012
… IRS officials told us that the agency does not systematically track characteristics of known identity theft returns, including the type of return preparation (e.g., paid preparer or software), whether the return is filed electronically or on paper, or how the individual claimed a refund (e.g., check, direct deposit, or debit card).
… As of September 30, 2012, IRS had identified almost 642,000 incidents of identity theft that impacted tax administration in 2012 alone, a large increase over prior years. A taxpayer may have his or her tax refund delayed if an identity thief files a fraudulent tax return seeking a refund using a legitimate taxpayer's identity information.


They can be taught. Who knew? Still, I don't see any real contrition or even much understanding of the security failure, but it is a start.
S.C. Gov. Nikki Haley takes blame for state’s data breach
November 29, 2012 by admin
I’ve been somewhat snarky about the Governor’s past statements on the massive breach in the state’s Dept. of Revenue agency, so I thought the least I can do is acknowledge when she steps up to the plate. James Rosen reports:
South Carolina Gov. Nikki Haley on Wednesday for the first time accepted personal blame for a massive cyber-attack that stole the Social Security and bank account numbers of millions of South Carolinians, saying she should have done more [impossible to do less Bob] to ensure the data’s security.
Read more on Star-Telegram.


An article my Ethical Hackers should read. Written by a Hacker who thought he was Ethical... Perhaps we can have him speak at a Privacy Foundation Seminar in 3-5 years...
Forget Disclosure — Hackers Should Keep Security Holes to Themselves
By Andrew Auernheimer 11.29.12 5:30 PM
Editor’s Note: The author of this opinion piece, aka “weev,” was found guilty last week of computer intrusion for obtaining the unprotected e-mail addresses of more than 100,000 iPad owners from AT&T’s website, and passing them to a journalist. His sentencing is set for February 25, 2013.
Right now there’s a hacker out there somewhere producing a zero-day attack. When he’s done, his “exploit” will enable whatever parties possess it to access thousands — even millions — of computer systems.
But the critical moment isn’t production — it’s distribution. What will the hacker do with his exploit? Here’s what could happen next:

(Related) Another interesting legal question...
"A Tor Exit node owner is being prosecuted in Austria. As part of the prosecution, all of his electronics have been held by the authorities, including over 20 computers, his cell phone and hard disks. 'During interview with police later on Wednesday, Weber said there was a "more friendly environment" once investigators understood the Polish server that transmitted the illegal images was used by Tor participants rather than by Weber himself. But he said he still faces the possibility of serious criminal penalties and the possibility of a precedent that Tor operators can be held liable if he's convicted.' This brings up the question: What backup plan, if any, should the average nerd have for something like this?"


This can't be good...
"Amidst the ongoing civil war, Syria has gone off the Internet as of a few hours ago, with all the 84 IP block within the country unreachable from the outside. Renesys, a research firm keeping tabs on the health of the Internet, reported at about 5:25 ET that Syria's Internet connectivity has been shut down. The internet traffic from outside to Syrian IP addresses is going undelivered, and anything coming from within the country is not reaching the Internet. Akamai has tweeted that its traffic data supports what Renesys has observed."
Reader trickstyhobbit adds a report from Slate that the connection "appear[s] to have been knocked off line by heavy fighting earlier this morning. They are also reporting that the shutdown may have been intentional to aid in a government operation."


Or you could register your readers under a completely false name, such as one selected (entirely at random) from the local Law School faculty.
Who’s Tracking Your Reading Habits? An E-Book Buyer’s Guide to Privacy, 2012 Edition
November 30, 2012 by Dissent
Cindy Cohn and Parker Higgins write:
The holiday shopping season is upon us, and once again e-book readers promise to be a very popular gift. Last year’s holiday season saw ownership of a dedicated e-reader device spike tonearly 1 in 5 Americans, and that number is poised to go even higher. But if you’re in the market for an e-reader this year, or for e-books to read on one that you already own, you might want to know who’s keeping an eye on your searching, shopping, and reading habits.
Read more on EFF.


(Locate your nearest defibrilator) Based on this summary, I think I agree with the Ninth. The camera is only recording what the agent saw with own eyes. It was not placed during a black bag operation nor was it left in place for day or months.
Ninth Circuit Gives the A-OK For Warrantless Home Video Surveillance
November 29, 2012 by Dissent
Hanni Fakhoury writes:
Can law enforcement enter your house and use a secret video camera to record the intimate details inside? On Tuesday, the Ninth Circuit Court of Appeals unfortunately answered that question with “yes.”
U.S. Fish and Wildlife agents suspected Ricky Wahchumwah of selling bald and gold eagle feathers and pelts in violation of federal law. Equipped with a small hidden video camera on his clothes, a Wildlife agent went to Wahchumwah’s house and feigned interest in buying feathers and pelts. Unsurprisingly, the agent did not have a search warrant. Wahchumwah moved to suppress the video as an unreasonable search under the Fourth Amendment, but the trial court denied his motion. On appeal before the Ninth Circuit, we filed an amicus brief in support of Wahchumwah. We highlighted the Supreme Court’s January 2012 decision in United States v. Joneswhich held that law enforcement’s installation of a GPS device onto a car was a “search” under the Fourth Amendment — and specifically focused on the concurring opinions of Justices Alito and Sotomayor, who were worried about the power of technology to eradicate privacy.
Read more on EFF.


Perspective Doesn't this make you want to run out and buy my book, “How Steve Jobs does it!” which takes 365 pages to conclude that I have no idea...
Report: Apple Gets $1 Out of Every $25 Spent on Gadgets
JPMorgan Chase took some heat a few months ago when analyst Michael Feroli predicted that the release of Apple's iPhone 5 could add as much as half a percentage point of fourth-quarter GDP growth in the United States, all on its own.
New data presented Thursday by Markco Media's CouponCodes4U.com suggests that if anything, Feroli might have understated the macroeconomic impact of Apple sales on a still sluggish recovery.
A recent survey of 1,901 U.S. consumers conducted by the discount and deals site turned up a pretty remarkable finding—over the past six months, $1 out of every $25 spent by CouponCodes4U users on tech products went to Apple.


“When the wascawe wabbits are winning, WETWEET!” E. Fudd Esq.
How to retweet without needing a lawyer
… Retweeting is so easy that many people hardly think about what it means, and barely recognize that what they're doing, quite literally, is republishing someone else's thoughts.
Most of the time, that's a totally benign action, but what if the original tweet was an attack on someone? Or worse, a malicious and dishonest accusation?


I'm always looking for ways to inspire my students. If I can talk Coors into doing something like this, Golden Colorado will become the home of the finest minds in the world!
"Niels Bohr is one of the greatest scientists who ever lived and a favorite of his fellow Danes when he lived in Copenhagen. Apparently, after he won the Nobel Prize in 1922, the Carlsberg brewery gave him a gift – a house located next to the brewery. And the best perk of the house? It had a direct pipeline to the brewery so that Bohr had free beer on tap whenever he wanted."


Perhaps we'll let our Ethical Hackers run with this one...
… The folks at CSEdWeek have put together a great list of resources for putting on an event at your school during the week of December 9th-15th. They’ve included templates, online banner ads, talking points, and outreach ideas (among other things) to help you get an event off the ground. So put their hard work to work in your own school!


Worth a peek?
Thursday, November 29, 2012
60 of the Best Websites and Apps for Teachers
Today, at the Christa McAuliffe Technology Conference in Manchester, New Hampshire I gave my Best of the Web presentation to a packed room. This is my most requested presentation wherever I go. Today, I rolled out my latest updates to the presentation. With the exception of seven or eight items everything shared in the slides is something that I used for the first time in 2012.


If I'm going to steal from evaluate an online class, I might as well find one that works.
CourseTalk Launches A Yelp For Open Online Courses And What This Means For Higher Education
… Whether or not you’re long or short on MOOCs, it’s clear that, in the near term at least, they’re here to stay. However, as colleges, universities and more begin toying with open online courses and an increasing number of students and learners take to their virtual lecture halls, the signal-to-noise ratio has the potential to get pretty unfavorable. It’s for this very reason that Jesse Spaulding decided to launch CourseTalk.
… Today, CourseTalk is what you might expect — an early stage Yelp for MOOCs — a place for students to share their experiences with these courses and a way to discover new courses they’d enjoy. Given that it’s still nascent, the platform’s design is simple and its user experience is straightforward: Visitors can use the general search bar which is front and center, or peruse through “Top Rated,” “Popular” and “Upcoming” verticals, or search by category, like Business, Computer Science, etc.


Because it amuses me...
… The European Commission released a statement this week about the EU’s strategy for “rethinking education.” Among the measures it suggests, an increase in the use of technology and OER.
Hacker High School, which offers security and privacy lessons for students, has just updated its content.

Thursday, November 29, 2012

Because you don't have enough to worry about...
"Fred Guterl is the executive editor of Scientific American, and in this piece he explores various threats posed by the technology that modern civilization relies on. He discusses West African and Indian monsoons, infectious diseases, and computer hacking. Here's a quote: 'Today the technologies that pose some of the biggest problems are not so much military as commercial. They come from biology, energy production, and the information sciences — and are the very technologies that have fueled our prodigious growth as a species. They are far more seductive than nuclear weapons, and more difficult to extricate ourselves from. The technologies we worry about today form the basis of our global civilization and are essential to our survival.'"


Interesting choice of words. “Can not” is obviously incorrect. “We aren't matching the MAC address to owners YET,” would be a much more accurate statement.
"The City of Calgary, AB has introduced a new traffic congestion/timing information platform for drivers. 'The system collects the publicly available data from Bluetooths to estimate the travel time and congestion between points along those roads and displays the information on overhead message boards to motorists.' Currently only available on the Deerfoot Trail (the city's main highway artery) but will be 'expanded in the future to include sections of Crowchild Trail and Glenmore Trail in the southwest.' As for privacy concerns the city says it cannot connect the MAC address collected to the device owner."


It's like the weather – everyone complains but no one does anything about it.
November 28, 2012
Survey - Americans believe higher education must innovate
"Although a majority of Americans believes higher education remains critical to the nation’s competitiveness and the best way for individuals to achieve the American Dream, 83 percent say that higher education must innovate for the United States to maintain its global leadership, according to a new Northeastern University survey. The national opinion poll, conducted for Northeastern by FTI Consulting, underscores the centrality of higher education to the country’s competitiveness and character, but also illustrates the belief of most Americans — particularly those under 30 — that the world’s preeminent higher education system must change."

(Related) The money is there if you can find the hoops and jump through...
Microsoft Puts $250M More Into Its Ed-Tech Program, Partners In Learning; Wants Provide 20M Teachers With “21st Century Skills”
Microsoft today added another $250 million to its Partners In Learning Project, a global professional development program it has created to equip teachers with the skills they need to teach IT and other future-looking subjects.

(Related) And the tools are there if you can find them and figure out how best to employ them.
1. Creating – In creating, students create projects that involve video editing, storytelling, video casting, podcasting, and animating. Digital tools to allow students to create include: Story Kit, Comic Life, iMovie, and GoAnimate.com, SonicPics, Fotobabble, and Sock Puppet.
2. Evaluating – In evaluating students show their understanding of a topic or participate in evaluating a peers understanding of a topic. Digital tools to allow students to evaluate include: Google Docs, Poll Everywhere, Socrative, BrainPOP, and Today’s Meet.
3. Analyzing – In analyzing students complete tasks that involves structuring, surveying, outlining, and organizing. Digital tools to allow students to analyze include: Corkboard.me, Poll Everywhere, SurveyMonkey.com, Study Blue, Keynote, and Stickyboard.
4. Applying – In applying students illustrate, present, demonstrate, and simulate. Digital tools that allow students to apply include: ScreenChomp, SonicPics, QuickVoice, Fotobabble, Keynote, Podomatic, and Skype.
5. Understanding – In understanding students explain, blog, subscribe, categorize, annotate, and tweet. Digital tools to allow students to understand include: PowerPoint, Google Blogs, Fotobabble, Bit.ly, Twitter, and neu.Annotate.
6. Remembering – In remembering students recall, bookmark, list, search, create mindmaps, and write. Digital tools to allow students to remember include: Pages, Google Docs, Study Blue, Bit.ly, and Wordle.

(Related)
November 28, 2012
Pew - The changing world of libraries
The changing world of libraries, Lee Rainie, November 28, 2012. "Nine takeaways for librarians:
  1. E-reading is taking off because e-reading gadgets are taking off
  2. The gadget doesn’t make the reader, but it may change the reader
  3. E-book readers are reading omnivores (and probably influencers)
  4. E-book readers are not platform snobs AND they like different platforms for different purposes
  5. Library users are not always the same as library fans
  6. E-book borrowing has foothold – and whopping upside
  7. Library users are book buyers
  8. Library borrowing patterns are changing
  9. Collections are changing"

Wednesday, November 28, 2012

Will Romania send a copy of the credit card data to someone (e.g. the credit card companies?) who can tell breach victims that the actors have been identified?
Romanian authorities dismantle cybercrime ring responsible for $25 million credit card fraud
November 27, 2012 by admin
I wonder how many breaches this bust clears up? For IDG News Service, Lucian Constantin reports:
Romanian law enforcement authorities have dismantled a criminal group that stole credit card data from foreign companies as part of an operation that resulted in fraudulent transactions totaling US$25 million.
[...]
According to DIICOT, the group’s members gained unauthorized access to computer systems belonging to foreign companies that operate gas stations and grocery stores, and installed computer applications designed to intercept credit card transaction data.
The applications were configured to store the captured data locally for later retrieval, upload it automatically to external servers or send it to email addresses controlled by the gang’s members, the agency said. The stolen credit card information was then sold or used to create counterfeit cards.
For example, between December 2011 and October 2012 members of the group sold 68,000 credit cards at $4 each through a specialized online shop, making a profit of $270,000, DIICOT revealed.


I wonder if this information sells for moer that $4? How big is an average refund check?
FL: Broward man pleads guilty in massive identity theft
November 27, 2012 by admin
Wayne K. Roustan reports that a former employee of an unnamed North Miami law firm was involved in an ID theft/tax refund scheme:
Rodney Saintfleur, 28, of West Park, plead to one count of conspiracy to defraud the government, one count of access device fraud, and one count of aggravated identity theft, prosecutors said.
Evidence showed that between April 2009 and July 2012, Saintfleur tapped into to the Lexis/Nexis online proprietary database where he worked.
He accessed the names, birth dates, and social security numbers of more than 26,000 people and gave this sensitive information to co-conspirators to file fraudulent income tax returns seeking refunds, according to court documents.
Read more on the Sun Sentinel. The law firm is not named in the court filings, as far as I can tell.
BrowardNet Online has a copy of the press release from the U.S. Attorney’s Office.
One question: how is that he accessed 26,000 SSN and LexisNexis didn’t flag this? Or did they detect it, but just not in a timely fashion? I’ve sent them an inquiry about that.


Who comes up with this stuff, Alfred E. Newman?
"A new flaw has been discovered in printers manufactured by Samsung whereby a backdoor in the form of an administrator account would enable attackers to not only take control of the flawed device, but will also allow them to attack other systems in the network. According to a warning on US-CERT the administrator account is hard-coded in the device in the form of an SNMP community string with full read-write access. The backdoor is not only present in Samsung printers but also in Dell printers that have been manufactured by Samsung. The administrator account remains active even if SNMP is disabled from the printer's administration interface."


Perhaps a site that offers the plans for “Do It Yourself” surveillance equipment? (I told you 3D printers were going to be fun!)
Want a Flying Drone? These Students 3D-Printed Their Own
… The “Wendy” aircraft — named for Turman and Easter’s mother — is the latest demonstration of the power of 3D prototyping. The project is the brainchild of Michael Balazs and Jonathan Rotner, two scientists at research and engineering firm MITRE’s Center for Integrated Intelligence Systems. Their mission, jointly funded by the Department of Defense and MITRE, is to develop cheaper and faster solutions to expensive government programs, such as building autonomous aircraft.
“[We're] trying to achieve 90 percent capabilities of what the big companies can do, but at 10 percent of the cost,” Balazs says. “So we leverage everything from open technologies to commercial off-the-shelf systems to agile advanced manufacturing, to show the government that they can meet their robotics goals of unmanned systems, whether they’re ground, aerial, underwater or whatever it is.”
Wendy is their best example so far. In addition to its 3D-printed body, it uses a common Android smartphone as the sophisticated on-board brain of the aircraft’s system.

(Related) It's a whole new type of war.
U.S. Buys Yemen a Fleet of Spy Planes for Growing Shadow War
It’s not enough for Yemen’s skies to fill up with armed U.S. drones. Now the Pentagon wants to buy its Yemeni ally small, piloted spy planes. It’s a sign that the U.S. is upgrading the hardware it gives the Yemeni military, and digging in for a long shadow war.

(Related)
China Unveils New Killer Drones, Aims Them at Russia
… This year, Beijing’s most prominent new drone is the dinosaur-named Wing Loong, or Pterodactyl, according to a round-up at Defense News. The drone is reportedly operational — China has previously shown only models of the drone — and closely resembles the U.S. MQ-9 Reaper, which the Pentagon uses to bomb insurgent hideouts in Pakistan. Few foreign journalists were reportedly allowed to see it, but photos and videos that appeared online prompted ace aviation journalist David Cenciotti to remark that the Wing Loong appeared “largely copied from the U.S. version.”
But a lot cheaper. The Wing Loong reportedly comes at a rather incredible bargain price of $1 million, compared to the Reaper’s varying price tags in the $30 million range.


So the next question is: How do you cover your tracks?
Should you cover your tracks from government snooping?
November 27, 2012 by Dissent
Peter Fleischer writes:
[…] Seen from a global perspective, it’s important to realize that most governments around the world are accessing user data. It’s not just one or two governments. I can’t count the number of times privacy advocates in Europe have warned users that the US government could potentially access their data in the cloud, without mentioning the risks that their own governments could do the same thing. In fact, to take the French example, the French government is trying to launch a “French cloud”, explicitly to try to evade US government surveillance, even though this taxpayer-funded initiative is based on “bad assumptions about cloud computing and the Patriot Act“, and even though France’s own anti-terrorism law “has been said to make the Patriot Act look “namby-pamby by comparison”, as reported on ZDNet. I think it’s fair to assume that most people would be far more uncomfortable with foreign governments, rather than their own governments, accessing their data. That points to one of the hardest issues in the cloud, namely, that multiple governments can (and do) have the power to demand access to user data, if they follow appropriate legal procedures.


Porn makes headlines! (Sex sells legal arguments?)
Verizon Sued For Defending Alleged BitTorrent Pirates
November 27, 2012 by Dissent
Ernesto writes:
A group of adult movie companies is suing Verizon for failing to hand over the personal details of alleged BitTorrent pirates. The provider systematically refuses to comply with court-ordered subpoenas and the copyright holders see these actions as more than just an attempt to protect its customers. According to the them, Verizon’s objections are in bad faith as the Internet provider is profiting from BitTorrent infringements at the expense of lower-tier ISPs.
Read more on TorrentFreak.
[From the article:
In many cases the person who pays for the account is not the person who shared the copyrighted material. However, this is the person who gets sued, something that can have all kinds of financial implications.
To shield their customers from this kind of outcome Verizon now objects to subpoenas granted by courts in these cases. Not in one case, but in dozens. One of the arguments cited by Verizon’s attorneys is that the requests breach the privacy rights of its customers.
“[The subpoena] seeks information that is protected from disclosure by third parties’ rights of privacy and protections guaranteed by the first amendment,” their counsel informed the copyright holders.
Verizon further cites arguments that have previously been successful in similar cases, including the notion that mass lawsuits are not proper as the defendants did not act in concert.

(Related) How to win friends and indict people?
"A forensic software company has collected files on a million Canadians who it says have downloaded pirated content. The company, which works for the motion picture and recording industries, says a recent court decision forcing Internet providers to release subscriber names and details is only the first step in a bid to crack down on illegal downloads. 'The door is closing. People should think twice about downloading content they know isn't proper,' said Barry Logan, managing director of Canipre, the Montreal-based forensic software company."


Sometimes. Ignorance is not bliss...
UK: PCC rejects complaint over Facebook injuries photo
November 27, 2012 by Dissent
Helen Lambourne reports:
A complaint against a weekly newspaper which published a story on an assault victim which included a photo of his injuries taken from Facebook has been rejected.
The Press Complaints Commission has published a ruling on a story by the Farnham Herald from 15 June with the headline “Assaulted after night out”.
Once again, it seems, users do not fully understand how their Facebook privacy controls work and how they are usually not as protected as they think they are:
The newspaper said one of its reporters, who had a mutual acquaintance with the complainant, had seen a comment – posted by this shared Facebook friend – identifying the complainant as the victim of the attack.
The reporter had then accessed the complainant’s Facebook page, which had no privacy settings, where the complainant had posted the photograph and had identified himself as the victim of an attack.


Facebook isn't the only one who can change policies without notice...
Ca: LCBO wants personal data of wine club members
November 28, 2012 by Dissent
CBC News reports:
An Ontario wine club says it’s being forced to hand its members’ personal information over to Ontario’s Liquor Control Board in what it calls a breach of privacy.
Warren Porter, the president of the Toronto-based Vin de Garde wine club, said he’s upset the Liquor Control Board of Ontario wants his members’ personal information including names, addresses, as well as the size of each order.
Porter said he has complained to Ann Cavoukian, the province’s privacy commissioner, because he believes the LCBO is breaching his members’ privacy.
Read more on CBC.
[From the article:
Since May, Porter said his members have had to reveal more personal information for each order. That has turned one large order into hundreds of separate orders due to the mandatory release of private information.
That is irritating some of his members, especially clubs, he said, and he worries the wine club could soon be put out of business.
"We have to take all of their data — name, address, quantities ordered — all on separate order forms," Porter said, adding it creates a large administrative burden.
"A member of our wine club should be afforded the same level of anonymity that someone walking into an LCBO is."
… LCBO spokeswoman Heather MacGregor said the policy requiring the release of personal information has been around for decades.
She could not explain why Vin de Garde was only obligated to follow the policy as of six months ago, but MacGregor did say the information prevents fraud, including illegal resale, and helps the LCBO locate any recalled products.


Just a quick review of this “Guidance” but the assumption seems to be that the holder of the data anonymizes and then gives the presumably anonymized dataset to someone else – the end user. This seems backwards. Why not have the analysis done by a trusted entity (business opportunity?) and give the results to the “someone else?” Far less likely to de-anonymize if they don't have individual records.
By Dissent, November 27, 2012
Yesterday, OCR released the guidance on de-identification of PHI:
Now I just need to find time to read it…


Clearly they are not valuable – no one stole them.
concealment writes with news of dissatisfaction with a pilot program for stoplight-monitoring cameras. The program ran for several years in New Jersey, and according to a new report, the number of car crashes actually increased while the cameras were present.
"[The program] appears to be changing drivers’ behavior, state officials said Monday, noting an overall decline in traffic citations and right-angle crashes. The Department of Transportation also said, however, that rear-end crashes have risen by 20 percent and total crashes are up by 0.9 percent at intersections where cameras have operated for at least a year. The agency recommended the program stay in place, calling for 'continued data collection and monitoring' of camera-monitored intersections. The department’s report drew immediate criticism from Assemblyman Declan O’Scanlon, R-Monmouth, who wants the cameras removed. He called the program 'a dismal failure,' saying DOT statistics show the net costs of accidents had climbed by more than $1 million at intersections with cameras."
Other cities are considering dumping the monitoring tech as well, citing similar cost and efficacy issues.


Illogic Alert! Let's not anthropomorphize. I will reprogram my car to protect me, not some random school bus that's blocking my way.
"If your driverless car is about to crash into a bus, should it veer off a bridge? NYU Prof. Gary Marcus has a good essay about the need to program ethics and morality into our future machines. Quoting: 'Within two or three decades the difference between automated driving and human driving will be so great you may not be legally allowed to drive your own car, and even if you are allowed, it would immoral of you to drive, because the risk of you hurting yourself or another person will be far greater than if you allowed a machine to do the work. That moment will be significant not just because it will signal the end of one more human niche, but because it will signal the beginning of another: the era in which it will no longer be optional for machines to have ethical systems.'"


I like it! Now I can have an open “Good Bob” system and a seperate, heavily encrypted “Evil Bob” system that I use “only to communicate with my lawyer” that is therefore immune from subpoena!
"Next year, smart phones will begin shipping with the ability to have dual identities: one for private use and the other for corporate. Hypervisor developers, such as VMware and Red Bend, are working with system manufacturers to embed their virtualization software in the phones, while IC makers, such as Intel, are developing more powerful and secure mobile device processors. The combination will enable mobile platforms that afford end users their own user interface, secure from IT's prying eyes, while in turn allowing a company to secure its data using mobile device management software. One of the biggest benefits dual-identity phones will offer is enabling admins to wipe corporate data from phones [That ain't gonna happen Bob] without erasing end users profiles and personal information."


Tools for electronic discovery
Escape From Babel: The Grossman-Cormack Glossary
… A glossary, which I was surprised to learn when researching for this blog is also called an idioticon, provides an alphabetical list of terms in a particular domain of knowledge with definitions for those terms.


Interesting. A tool for podcast fans...
Pod Bay is an online way to listen to your favourite podcasts, eliminating the need for desktop and iOS clients which download each episode. Search the directory to find great new podcasts to listen to.
… If you stop listening to the podcast you can return to the same spot later and pick up where you left off. If you’d like to share a clip of the podcast with friends, you can do so very easily.
Similar tools: Flapcast and Stitcher.

Tuesday, November 27, 2012

We don't use SCADA in our Ethical Hacker exams, it's too easy.
"It is open season on SCADA software right now. Last week, researchers at ReVuln, an Italian security firm, released a video showing off a number of zero-day vulnerabilities in SCADA applications from manufacturers such as Siemens, GE and Schneider Electric. And now a researcher at Exodus Intelligence says he has discovered more than 20 flaws in SCADA packages from some of the same vendors and other manufacturers, all after just a few hours' work."


I suspect that companies wishing to “punish” whistleblowers must tread carefully. I wonder what pushes them over the line? That's why we teach our Ethical Hackers (wait for it) Ethics!
AT&T iPad Hacker’s Real Crime Was Embarrassing the Wrong People
… How to best disclose a newly discovered vulnerability is a matter of some controversy, and highly dependent on where one happens to be sitting. Vendors want the chance to address problems before they become public. Users want to know immediately about the flaws in the systems they depend on. The security community wants to study and build on new discoveries. Researchers want credit for their discoveries, and worry they might be “scooped” by someone else: publish or perish.
And everyone thinks their moral high ground is superior to all the others’.


Nothing gives you that warm, fuzzy feeling like assurances from the Pentagon.
Isaac Asimov's "Three Laws of Robotics"
  1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.
  2. A robot must obey orders given it by human beings except where such orders would conflict with the First Law.
  3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.
Pentagon: A Human Will Always Decide When a Robot Kills You
… Here’s what happened while you were preparing for Thanksgiving: Deputy Defense Secretary Ashton Carter signed, on November 21, a series of instructions to “minimize the probability and consequences of failures” in autonomous or semi-autonomous armed robots “that could lead to unintended engagements,” starting at the design stage (.pdf, thanks to Cryptome.org). Translated from the bureaucrat, the Pentagon wants to make sure that there isn’t a circumstance when one of the military’s many Predators, Reapers, drone-like missiles or other deadly robots effectively automatizes the decision to harm a human being.


It's right there on page 92, paragraph C, line 4, microprint line 29: “...frequently assume the role of village idiot...”
November 26, 2012
CRS - Roles and Duties of a Member of Congress
Roles and Duties of a Member of Congress: Brief Overview, R. Eric Petersen, Specialist in American National Government, November 9, 2012
  • "The duties carried out by a Member of Congress are understood to include representation, legislation, and constituent service and education, as well as political and electoral activities. The expectations and duties of a Member of Congress are extensive, encompassing several roles that could be full-time jobs by themselves. Despite the acceptance of these roles and other activities as facets of the Member’s job, there is no formal set of requirements or official explanation of what roles might be played as Members carry out the duties of their offices. In the absence of formal authorities, many of the responsibilities that Members of Congress have assumed over the years have evolved from the expectations of Members and their constituents."


Note the assumption that the child has a cell phone. Also, there is no explanation of how Mom remotely loads cash into the system.
Palm scanners get thumbs up in schools, hospitals
November 26, 2012 by Dissent
Brian Shane reports:
At schools in Pinellas County, Fla., students aren’t paying for lunch with cash or a card, but with a wave of their hand over a palm scanner.
“It’s so quick that a child could be standing in line, call mom and say, ‘I forgot my lunch money today.’ She’s by her computer, runs her card, and by the time the child is at the front of the line, it’s already recorded,” says Art Dunham, director of food services for Pinellas County Schools.
[...]
A palm scan’s precision record-keeping also avoids possible confusion if patients have the same name. For instance, a hospital system in the Houston area with a database of 3.5 million patients has 2,488 women in it named Maria Garcia – and 231 of them have the same date of birth, Bertrams says.
HT Systems president David Wiener won’t reveal revenue but says that since 2007, they’ve got more than 160 hospitals for clients and have scanned more than 5 million patients.
Read more on USA Today.
I think we can probably all agree that preventing confusion in identifying and treating patients is a good thing. Is there a down side or risk here? If so, what is it?
[From the article, for my Statistics students:
A palm scan's precision record-keeping also avoids possible confusion if patients have the same name. For instance, a hospital system in the Houston area with a database of 3.5 million patients has 2,488 women in it named Maria Garcia – and 231 of them have the same date of birth, Bertrams says. [And all of them in the hospital (and unable to speak) on the same day? Bob]


Beyond cookies...
November 26, 2012
AVG - How to Choose How You’re Tracked
AVG Official Blog: "All the latest versions of the major browsers today include do-not-track user preference controls, but these merely express your wishes. Many third-party sites will honor your request, but many don’t. And they only let you decide whether you want to block online tracking or not. AVG offers a do-not-track feature in its AVG Anti-Virus Free Edition. AVG takes it a step further by allowing you to customize your blocking preferences at a granular level. Permanent Identifiers - One company to be aware of is BlueCava. Unlike cookies, which can be blocked or removed, BlueCava provides tracking technology that allows sites to permanently identify whatever device you’re using to connect to the web. The good news is, you can opt-out by going to http://www.bluecava.com/preferences, but you have to connect using each device you want to remove from their system."


Note the picture of the ultimate Copyright Lawyer in action!
Facebook Debunks Copyright Hoax
A silly copyright notice is sweeping Facebook today, with users attaching pseudo-legalese to their status updates in a misguided effort to prevent Facebook from owning or commercially exploiting their content. Facebook has issued a formal “fact check” statement refuting the legalese.
The viral copyright notice last spread on Facebook in May and June. Now it’s back and garnering lots of attention.

(Related)
Just last week, Facebook decided to make some big changes to how it deals with user feedback on privacy issues, but one of the changes in the updated privacy policy went slightly unnoticed. Facebook says that they can now use the data it has about your likes and dislikes to show you ads outside of Facebook. In other words, the social network giant can display catered ads to you when you’re not even browsing Facebook.


Perspective
We all know by now that Apple earns a lot of money, and the company’s profit margins are insane, but just how insane are they? If you put their fiscal 2012 profit numbers next to other big contenders in the tech industry, all other companies pale in comparison. Apple made more money than Microsoft, eBay, Google, Yahoo!, Facebook, and Amazon combined.
Apple just recently wrapped up its fiscal year 2012 with a record profit of $41.7 billion and $156.5 billion in revenue. In comparison, The six companies mentioned above combined for a total profit of $34.4 billion. Furthermore, Dell, Intel, Acer, ASUS, IBM, HP, and Lenovo — nearly the entire PC industry — profited a total of only $19.4 billion combined.


Perspective Interesting that Walmart is number 7 (2.3%)
"A report out this morning pegs Amazon with a whopping 14% share of all daily Internet users — almost twice the nearest competitor (Ebay). And this number does not include all shopping sites absorbed by the growing Amazon empire. The original report has interesting graphics comparing Amazon to other retailers like Best Buy."


For my Website class. Making Google work for you.
November 26, 2012
Google FAQ - Keywords and search queries
"One of the best ways to ensure that your site appears for particular user queries is to make sure that your article naturally contains the words, names, and figures that are central to a particular news story. If you create an information-rich site that clearly and accurately describes your topic, you will improve your chances of appearing in our search results for relevant queries. Our crawler also makes use of a Google-specific metatag to help determine how to best classify your content. By implementing the news_keywords metatag you can specify which keywords are most relevant to your articles."


For my Statistics students – sampling in (almost) real time! Very interesting data display.
US electoral compass: how do political priorities change from state to state?
Social media monitoring experts Brandwatch have designed a radial representation of the variation in US electoral priorities by state. Using data from Twitter and online news websites, Brandwatch measured the proportion of Tweets and press discussions concerning each of 30 policy areas. Every topic was then assigned a percentage score for news articles or Tweets about each presidential candidate, and all 30 were ranked according to the proportion of discussions they featured in. Select a state and date range to filter the data, and move your cursor over a figure for more information. Policy areas are ranked on the right.


If we were to teach this, which school would it be in? Psych? Business? Computer Science?
The Rising Science Of Social Influence — How Predictable Is Your Online Behaviour?
… Recent developments and interest in academic research confirm that the study of social influence is a well-posted scientific problem. As online social networks become mainstream, their data allows scientists and companies to gain previously unprecedented insights into social phenomena. Nine out of ScienceDirect’s top 25 academic papers in Computer Science study human behaviour on online social networks. This summer Science, one of the most prestigious and hardest-to-get-into academic journals featured an article on identifying influential and susceptible members in social networks. And in addition there is a growing number of scientific meetings devoted to the study of online influence.


I have a problem with labeling education materials as K-12 or Elementary School or College level. Should you stop reading Mark Twain when you hit 18?
Monday, November 26, 2012
200+ Free Video Lessons, Apps, and eBooks for K-12
One of my favorite blogs, Open Culture, has long cataloged free and open resources for post-secondary education. Today, they launched a new collection of more than 200 free video lessons, apps, ebooks, and websites for K-12 students and teachers. The collection includes some of the usual suspects like Khan Academy, the Library of Congress, and NASA. The collection also includes some items that were new to me like this Shakespeare app and this Google Earth for science teachers resource.
[Some examples:
Bartleby.com Gives you access to free online classics of reference, literature, and nonfiction, including Strunk & White’s Elements of Style, The World Factbook, The Oxford Shakespeare, and The King James Bible.
CK-12: This non-profit provides “open textbooks” for K-12 students all over the world.
OER Commons: Discover a meta collection of free textbooks that can be sorted by subject and grade level.
iTunesU: Apple provides hundreds of free courses, lectures and academic talks, mostly suitable for older students. The easiest way to access the courses available on iTunesU is to visit our collection of 550 Free Online Courses from Top Universities.

(Related)
"When it comes to programming, the classroom is moving online. A new wave of start-ups has burst onto the scene over the last year, bringing interactive lessons and gamification techniques to the subject to make coding trendy again. From Codecademy — and its incredibly successful Code Year initiative — to Khan Academy, Code School and Udacity, online learning is now sophisticated and high-tech — but is it good enough to replace the classroom? 'We are the first five or six chapters in a book,' says Code School's Gregg Pollack in this exploration of online code classes, but with the number of sites and lessons growing by the week that might not be the case for long."