Saturday, December 08, 2012

Following up on my post on November 5th about houses on the highway in New Jersey, John Soma found this article. After all my stories of growing up in New Jersey, I think he thought someone had simply stolen the house. Not true. Housing prices are still down. But the contents?
Man returns to Jersey shore to find home missing

This sounds wrong. This would have been considered as a possible intelligence gathering action prior to an attack. It would (should) not have been ignored.
Secret Service under investigation over loss of sensitive files on Metro
December 7, 2012 by admin
Jana Winter of Fox News reports that the Secret Service - the agency that is often involved in investigations of data breaches – had its own breach back in 2008 that is now (finally?) under investigation:
The Secret Service is the target of an investigation into an “immense breach” involving the loss of two backup computer tapes left on a Washington, D.C., Metro train that contained sensitive personal information about all agency employees, contacts and overseas informants, according to multiple law enforcement and congressional sources.
Sources said the tapes were lost on the Red Line of the Metro in 2008 by a young, low-level associate of a private contracting company that had been hired to transport them from Secret Service’s Investigative Resources Management division at the agency’s headquarters in the Penn Quarter section of Washington, D.C., to a secure vault in Olney, Md., where government agencies store contingency plans, documents and other backup material. The employee had volunteered to deliver the tapes because he lived near the location of the vault, but got off at the Glenmont, Md., Metro stop without the tapes, according to sources.
Sources said the “personally identifiable information” — or “PII,” in government-speak — on the tapes includes combinations of the following: Social Security Numbers; home addresses; information about family members; phone numbers; dates of birth; medical information; bank account numbers; employment information; driver’s license numbers; passport numbers; and any biometric information on file with the Secret Service.
Did the Secret Service handle this breach properly or did it fail to provide adequate disclosure and notice to those affected? It depends on whom you ask, as Fox reports, and hopefully the investigation by Department of Homeland Security Office of Inspector General will get to the bottom of this one.
Disturbingly, this breach might never had been made public were it not for the recent Secret Service scandal involving the conduct of agents. It was that investigation that led to the investigation of this other matter as part of looking into the culture of the Secret Service.

Not shocking to those of us who have been following this topic. I'll have to ask my students to get a more balanced perspective.
Which Websites Are Sharing Your Personal Details?
December 7, 2012 by Dissent
For an article coming out Saturday, the Wall Street Journal tested 71 popular websites that request a login and found that more than a quarter of the time, the sites passed along a user’s real name, email address or other personal details, such as username, to third-party companies.
[Don't miss the graphics:

Send in the drones! Any limitation on drones is likely to impact many groups. Not only manufacturers, but consider airspace limit impact on helicopters...
Aviation Industry to FAA: “Ignore Privacy”
December 7, 2012 by Dissent
Aviation groups have asked the Federal Aviation Administration to ignore the privacy implications of increased drone use in the United States. The letter follows the FAA statement that domestic drones “raises privacy issues [that] will need to be addressed.” Earlier this year, EPIC warned Congress, “there are substantial legal and constitutional issues involved in the deployment of aerial drones by federal agencies.” EPIC, joined by over 100 organizations, experts, and members of the public, has petitioned the FAA to to establish privacy safeguards. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones
And no, EPIC isn’t exaggerating. The letter says, in part:
It is our belief that for FAA to succeed, the agency must remain focused on safety rather than privacy issues, where the FAA has no statutory standing or technical expertise.
And if the FAA were foolishly thinking of restricting air space because of privacy-related or other concerns, the industry says fergeddaboutit: [How can you misspell a simple New Jersey word like “Fuhgeddaboudit?” Bob]
Additionally, as a goal the FAA should ensure that the introduction of UAS into the NAS not limit access to airspace or require modifications to the existing fleet of aircraft flying in the NAS beyond what is already currently anticipated to accommodate NextGen. The importance of airspace access cannot be overstated and FAA must aggressively protect its preeminent role as manager of the national airspace system.

I might work this into a Compouter Security or Homeland Security class...
Warrantless Surveillance 101: Introducing EFF’s New NSA Domestic Spying Guide
December 7, 2012 by Dissent
Mark M. Jaycox and Trevor Timm write:
On December 14th, EFF is back in federal court challenging the NSA’s domestic spying program in our long-running case Jewel v. NSA. In anticipation of our court appearance, we’ve launched a new section of our website to give everyone a clear understanding how the NSA warrantless wiretapping program works and why we’re challenging it as unconstitutional.
While the government claims the NSA’s infamous program is too secret to be litigated, it isn’t a secret—and we’ve catalogued the trove of information that has become public since it was first revealed by the New York Times in 2005. This including declarations under oath by an AT&T whistleblower and three NSA whistleblowers, sworn testimony before Congress, investigations by government Inspectors General and stories by major media organizations based on highly placed sources, along with public admissions by government officials.
You can now view our NSA domestic spying timeline, an explanation of how the NSA conducts the spying, a history of the controversial ‘state secrets’ privilege (which the government is invoking in an attempt to have our lawsuit dismissed), and a breakdown of how the government uses word games when talking about the program to hide what they’re doing.
Read more on EFF.

...and I'll need to check back every few months.
Deep Dive: ECPA and the Future of Electronic Privacy
December 7, 2012 by Dissent
From EFF:
In most issues of EFFector, we give an overview of all the work we’re doing at EFF right now. Today, we’re trying something new: doing a deep dive into a single issue. If our readers find this valuable, we’ll try to give you an EFFector Deep Dive every few months.
Yesterday was a watershed moment in the fight for electronic privacy: the Senate Judiciary Committee overwhelmingly passed an amendment that mandates the government get a probable cause warrant before reading our emails. The battle isn’t over — the reform, championed by Senator Patrick Leahy (D-VT), still needs to pass the rest of the Senate and the House, and be signed by the President to become a law. But yesterday, thanks to thousands of people speaking out, we were able to begin the process of overhauling our archaic privacy laws into alignment with modern technology.
It was a big win for us, even if it was only the first step in the process of reforming privacy law to keep the government out of our inboxes. So we’re dedicating this EFFector to the battle to reform outdated privacy law: what the government can get, what the law ought to be, and what we’re doing to fix the gaping loopholes that leave users vulnerable to government snooping.
The Fourth Amendment and Electronic Privacy
The Fourth Amendment protects us from unreasonable government searches and seizures. In practical terms, this means that law enforcement has to get a warrant — demonstrating to a judge that it has probable cause to believe it will find evidence of a crime — in order to search a place or seize an item. In deciding whether the Fourth Amendment applies, courts always look to see whether people have both a subjective expectation of privacy in the place to be searched, and whether society would recognize that expectation of privacy as reasonable. The Supreme Court made this point clear in a landmark 1967 case, Katz v. United States, when it ruled that a warrantless wiretap of a public payphone violated the Fourth Amendment.
The Third Party Doctrine, or How the Supreme Court Got Us Into This Mess
In 1979, the Supreme Court created a crack in our Fourth Amendment protections. In Smith v. Maryland, the Court ruled that the Fourth Amendment didn’t protect the privacy of the numbers we dialed on our phones because we had voluntarily shared those numbers with the phone company when we dialed them. This principle — known as the Third Party Doctrine — basically suggests that when we share data with a communications service provider like a telephone company or an email provider, we know our data is being handed to someone else and so we can’t reasonably expect it to be private anymore.
The government took this small opening created by Smith v. Maryland and blew it wide open. It argued that this narrow 1979 decision about phone dialing applied to the vast amount of data we now share with online service providers — everything from email to cell phone location records to social media. This is bogus and dangerous. When we hand an email message to Gmail to deliver on our behalf, we do so with an intention that our private communications will be respected and kept in strict confidence, and that no human being or computer will review the message other than the intended recipient. But the government argues that because we handed our communications to a service provider, the Fourth Amendment doesn’t require them to get a warrant before snooping around our inbox.
Luckily, the courts are beginning to agree with us. In a leading case where EFF participated as amicus, United States v. Warshak, the Sixth Circuit Court of Appeals agreed with us that people had a reasonable expectation of privacy in their email, even if it is stored with a service provider, and therefore the government needed a search warrant to access it. And in the recent Supreme Court case, United States v. Jones, Justice Sotomayor said that she thought the Third Party Doctrine was outdated, while she and four other Justices — including Justice Alito — raised concerns about the information gathered by our cellphones.
Read more on EFF.

It's like yelling “Failure” in a crowded Internet? Will courts have to stay current on the impact of each technology?
Yelp Reviewer Gets SLAPPed With 750K Lawsuit And Order To Alter Comments
A woman is facing a $750,000 defamation lawsuit and has been ordered to alter a negative Yelp review of a home contractor after police found that her claims didn’t add up.
Dietz Development is claiming that Jane Perez’s scathing review has cost them new customers and, on Wednesday, a judge ordered a preliminary injunction for her to edit the post. Yelp and legal critics are worried that Strategic Lawsuits Against Public Participation (SLAPP)-related lawsuits could chill free speech, but business owners say that legal intervention is necessary in an age when online reviews can make or break a company. As the Internet gives the average citizen a greater voice, courts appear to be willing to hold their exercise of free speech to higher standards.
… Yelp itself is protected by section 230 of the Communications Decency Act and cannot be held liable for any inane, slanderous, or downright mean things people say on the site.
Yet, all that could change as recent large-scale research finds that Yelp reviews can significantly impact businesses: A meager half-star increase on Yelp’s 5-star rating makes it 30 to 49 percent more likely that restaurants will sell out their evening seats.

For my Statistics (and Contingency Planning) students. Is the “Normal Curve” moving, flatening, or in need of replacement? What will be the impact on the Insurance industry?
2/3 of Sandy-Damaged Homes in N.Y. Were Outside the 100-Year Flood Zone
… Today, the Wall Street Journal reports that fully two-thirds of the houses damaged by Sandy were outside the 100-year flood zone. As their headline put it, "Sandy Alters 'Reality."
Which is a fascinating way to look at it: reality, for some intents and purposes, is a bureaucratic fiction based on the way things were, institutional necessity, and accepted statistical practices. That reality influences housing prices, guides maintenance spending, and sets the boundaries for emergency planning.

Freebies for my students.
BitDefender launched a new weapon for fighting viruses and malware on Wednesday with the release of their 60-second virus scanner for PCs. The software which comes in the form of a tiny 160KB Windows executable aims to scan your Windows machine for problems in record time while providing real-time cloud protection and alerts. According to the company the software can be run alongside users’ existing anti-virus software for added security.
… Download BitDefender 60-Second Scanner @

Ditto Also for my website students, since it can be integrated to fill fields on web pages... Chrome only, so far.
Online Dictation is a free to use web tool that converts your speech into text. All you have to do is visit the site and click on the microphone icon on the homepage, next to the page’s title. Next you speak a sentence into your microphone; the speech is processed, converted to text, and displayed. Any errors can be manually removed by clicking on the text and making it editable. You can also copy the text and use it somewhere else by pasting it.

Friday, December 07, 2012

How now, Darth Drone?
Army Works to Ensure Homemade Bombs Don’t Escape the Gaze of ‘Vader’
Three years ago, the U.S. military began testing a new drone-mounted sensor designed to auto-spot and track people from 25,000 feet, perfect for searching out insurgents planting improvised bombs in Afghanistan. It gave the sensor the most ominous of names: Vader. And now it looks like the Army has Vader poised to strike.
… It’s unclear if Vader has actually made his way to Afghanistan: The Army didn’t return Danger Room’s inquiry by deadline.
… It’s also interesting that the Army wants three years of maintenance and support for a man-hunting sensor explicitly designed for Afghanistan. If the sensor really is operating in Afghanistan right now, while the Army is looking at extending support for it, that’s not surprising. The Army is relying on its drones and their sensors — and weapons — more and more. The U.S. hit a record 447 drone strikes in 2012, even as the total number of air strikes declined.

(Related) “Common Civilians” Clearly that doesn't include us “Second Class” citizens.
Alameda County Sheriff promises no use of aerial drones for surveillance on common civilians
December 7, 2012 by Dissent
Associated Press reports:
A Northern California sheriff has vowed that his department won’t use an aerial drone to spy on ordinary people, but civil liberties groups say there still needs to be some guidelines to ensure privacy.
Alameda County Sheriff Greg Ahern said Tuesday that a drone his department is pursuing would be used for search and rescue missions, responding to wildfires and to capture fugitives, not for surveillance and intelligence gathering on civilians.
Read more on The Republic.
Sure, sure. How long before the mission creep starts?

(Related) I don't call them endangeres species, I call them “targets” – Oh, wait, you're not talking about al-Qaeda?
Warfare isn’t the only use for drones these days. It turns out that Google is giving the World Wildlife Fund $5 million to put drones in the sky to watch over endangered species in Africa and Asia, mostly to save them from poachers. Plus, the money will also cover software that will be able to map out where poachers strike most.

The latest flap, disinformation style?
"The European Commission has proposed a "right to be forgotten" online, which would allow users to remove personal data they had shared. The idea has had a lot of criticism, and now Facebook claims it would actually harm privacy. Facebook says the proposal would require social media sites to perform extra tracking to remove data which has been copied to other sites — but privacy advocates say Facebook has misunderstood what the proposal is all about."

I drive a car so old it still has the hitch for the horses. Maybe I'll keep it a while longer.
Concerns over privacy as NHTSA prepares to push for black boxes in cars
December 7, 2012 by Dissent
It’s a topic I’ve covered here before, but worth noting again. Associated Press reports:
Many motorists don’t know it, but it’s likely that every time they get behind the wheel, there’s a snitch along for the ride.
In the next few days, the National Highway Traffic Safety Administration is expected to propose long-delayed regulations requiring auto manufacturers to include event data recorders — better known as “black boxes” — in all new cars and light trucks. But the agency is behind the curve. [Nothing new there... Bob] Automakers have been quietly tucking the devices, which automatically record the actions of drivers and the responses of their vehicles in a continuous information loop, into most new cars for years.
Read more on Fox News.

As an Auditor, releasing the questions we would ask is familiar ground. Would a US version be very different?
AU: OAIC releases guide to protect personal information
December 7, 2012 by Dissent
Michael Lee reports:
The Office of the Australian Information Commissioner (OAIC) has released a draft of its guide to secure personal information.
Titled “Guide to Information Security: ‘Reasonable steps’ to protect personal information,” the consultation draft attempts to outlines what organisations should consider when moving to protect the personal information they are responsible for under the Privacy Act.
Read more on ZDNet.
[From the guide:
The OAIC has also published a Data breach notification guide, which outlines steps that entities should consider in preparing for and responding to information security breaches, including notifying affected individuals.

Another guide, but a different intended audience? My Criminal Justice majors will find this amusing... Interesting, but it could be much more detailed...
December 06, 2012
ProPublica Guide to Warrantless Access to Digital Data
"The U.S. government isn’t allowed to wiretap American citizens without a warrant from a judge. But there are plenty of legal ways for law enforcement, from the local sheriff to the FBI, to snoop on the digital trails you create every day. Authorities can often obtain your emails and texts by going to Google or AT&T with a simple subpoena. Usually you won’t even be notified. The Senate last week took a step toward updating privacy protection for emails, but it's likely the issue will be kicked to the next Congress. Meantime, here’s how police can track you without a warrant now..."

Someone is keeping score...
By Dissent, December 6, 2012 11:45 am
The Third Annual Benchmark Study on Patient Privacy & Data Security by Ponemon Institute, sponsored by ID Experts® was released today. Their findings are what we would expect, i.e., fairly discouraging, with entities reporting even more multiple breaches than previously. From their executive summary:
… healthcare organizations face an uphill battle in their efforts to stop data breaches. Ninety-four percent of healthcare organizations surveyed suffered at least one data breach; 45 percent of organizations experienced more than five data breaches during the past two years. Data breaches are an ongoing operational risk that could be costing the U.S. healthcare industry an average of $7 billion annually. A new finding indicates that 69 percent of organizations surveyed do not secure medical devices—such as mammogram imaging and insulin pumps—which hold patients’ protected health information (PHI). Overall, the research indicates that patients and their PHI are at increased risk for medical identity theft. Risks to patient privacy are expected to increase, as mobile and cloud technology become pervasive.
For the 80 organizations that participated in the survey, the results indicated that the top three causes for a data breach were lost or stolen computing devices, employee mistakes and third-party snafus:
Insider negligence continues to be at the root of the data breach. The primary cause of breaches in this study is a lost or stolen computing device (46 percent), which can be attributed in many cases to employee carelessness. This is followed by employee mistakes or unintentional actions (42 percent), and third-party snafus (42 percent). A major challenge for IT security is the increase in criminal attacks, which has seen an increase from 20 percent in 2010 to 33 percent this year.
Malicious insider breaches, which have been an increasing concern of mine, accounted for 14% of the breaches, a number that is comparable to their figures for 2011 and 2010 but is significantly lower than the 23% figure reported by HITRUST based on analysis of breaches in HHS’s breach tool for the past few years.
I really need to find some time to sit down with multiple reports and studies and see where they agree and where they don’t.

For my Ethical Hackers...
Tor and the Deepnet: What price does society pay for anonymity?
December 7, 2012 by Dissent
Julian Bhardwaj writes:
There is a lot more to the web than that which immediately meets the eye.
In fact, the “visible” layer of the web that you and I can easily access via popular search engines is only part of the story.
Hidden on the net is online content which is not so easily accessed, known as the Deepnet (also sometimes called Darknet, the Deep Web or Hidden Web).
Whilst a lot of this content consists merely of websites not indexed by search engines and only accessed by a handful of people, some parts of it are hidden a lot deeper.
Read more on Naked Security.
[From the article:
Deepnet pages such as "The Hidden Wiki" provide listings of these URLs to facilitate use of the Deepnet.

This is interesting. Can you always predict what information investors will find useful?
… The SEC sent Reed Hastings a Wells notice. A Wells notice is something the SEC sends to give a company notification that it’s likely to bring some sort of action against the firm.
The hubbub stems from a Facebook post that Hastings made in July when he posted the Netflix users had streamed 1 billion hours of content in June for the first time ever. Not only was that an interesting milestone for the company, but it was big news for shareholders and Netflix’s stock price jumped 6% after the post.
The SEC believes that the number of streaming hours was material information that should have been more formally announced. Hastings has 200,000 subscribers to his Facebook page and says that since he told all 200,000 people, it was a formal announcement and a press release wasn’t required. Hastings also notes that the company had already disclosed in investor letters that it was closing in on 1 billion hours of streaming so the Facebook post wasn’t news.

Potential for significant misuse of theachnology. “OMG Just drove by accident Send ambu...” Signal Lost
FCC fast tracks text-to-911 service

Thursday, December 06, 2012

Another moderate sized hack that sneaked past me?
Hackers steal customer info from insurance provider Nationwide
Hackers broke into insurance company Nationwide's network in October, stealing the personal information of more than a million customers across the country, the insurance company recently revealed.
The company said the compromised information included people's names and a combination of Social Security numbers, driver's license numbers, their date of birth, and possibly marital status, gender, and occupation, as well as the names and addresses of employers. Nationwide said it had no evidence that any medical information or credit card account data was stolen.
… Although the hack occurred on October 3, the company didn't launch an investigation until October 16. The company learned from the investigation that information had indeed been compromised and confirmed the identities of affected customers on November 2. The case has now been handed over to law enforcement.

Definately worth a read. Consider this in connection to the recent ruling that said Banks were responsible if their security was “unreasonable” – would that apply here?
"Check Point has revealed how a sophisticated malware attack was used to steal an estimated €36 million from over 30,000 customers of over 30 banks in Italy, Spain, Germany and Holland over summer this year. The theft used malware to target the PCs and mobile devices of banking customers. The attack also took advantage of SMS messages used by banks as part of customers' secure login and authentication process. The attack infected both corporate and private banking users, performing automatic transfers that varied from €500 to €250,000 each to accounts spread across Europe."
[From the article:
The attack worked by infecting victims’ PCs and mobiles with a modified version of the Zeus trojan. When victims attempted online bank transactions, the process was intercepted by the trojan.
Under the guise of upgrading the online banking software, victims were duped into giving additional information including their mobile phone number, infecting the mobile device. The mobile Trojan worked on both Blackberry and Android devices, giving attackers a wider reach.
With victims’ PCs and mobile devices compromised, the attackers could intercept and hijack all the victims’ banking transactions, including the key to completing the transaction: the bank’s SMS to the customer containing the ‘transaction authentication number’ (TAN). With the account number, password, and TAN, the attackers were able to stealthily transfer funds out of victims’ accounts while victims were left with the impression that their transaction had completed successfully.

Making survillance even more ubiquitous? Go to my website and I'll grab control of your webcam and snap photos of you...
Add an HTML5 Webcam to Your Site With Photobooth.js
The big web development news for 2013 is shaping up to be WebRTC, a set of APIs being developed by Mozilla, Google and others at the W3C that allows web developers to access device hardware — your camera, microphone, accelerometer and so on. Even now hardly a day goes by without a new demo showcasing WebRTC in some way.
The latest WebRTC hotness to catch our eye is developer Wolfram Hempel’s Photobooth.js, a JavaScript library for working with a device’s camera. Photobooth.js allows users to take pictures directly on your website, for example, to add an avatar. It also acts a bit like the OS X Photobooth app, offering real-time adjustments for hue, saturation and brightness (one word of warning, hue can really slow down Firefox).
Want to add a Photobooth-style camera app to your site? Just download Photobooth.js and add this code to your page:
myPhotobooth = new Photobooth( document.getElementById( "container" ) );
That’s it.

Another version of “Behavioral” tracking?
"Coursera announced its 'career services' feature yesterday for students who opt in. The company that works with elite colleges to offer free courses is sharing more than just academic scores — showing potential employers evidence of 'soft skills,' like how helpful students were in class discussion forums. 'Udacity, another company that provides free online courses, offers a similar service. ... Udacity's founder, Sebastian Thrun, said in an interview that 350 partner companies had signed up for its job program. While Mr. Thrun would not say how much employers pay, he characterized the fee as "significantly less than you'd pay for a headhunter, but significantly more than what you'd pay for access to LinkedIn," a popular social network for job hunters.'"

Three in Colorado...
Newly Released Drone Records Reveal Extensive Military Flights in US
December 5, 2012 by Dissent
Jennifer Lynch writes:
Today EFF posted several thousand pages of new drone license records and a new map that tracks the location of drone flights across the United States.
These records, received as a result of EFF’s Freedom of Information Act (FOIA) lawsuit against the Federal Aviation Administration (FAA), come from state and local law enforcement agencies, universities and—for the first time—three branches of the U.S. military: the Air Force, Marine Corps, and DARPA (Defense Advanced Research Projects Agency).
Read what EFF found and see their map, here.

(Related) Turning a Black Hawk into a drone is as easy as adding a few electronic components and an inflatable pilot...
"A specially equipped Black Hawk was recently used to demonstrate the helicopter's ability to operate on its own. In the first such test of its type, the U.S. Army Aviation and Missile Research's Development and Engineering Center, based at Redstone Arsenal, flew the Black Hawk over Diablo Mountain Range in San Jose, Calif. Pilots were aboard the aircraft for the tests, but all flight maneuvers were conducted autonomously: obstacle field navigation, safe landing area determination, terrain sensing, statistical processing, risk assessment, threat avoidance, trajectory generation and autonomous flight control were performed in real-time. 'This was the first time terrain-aware autonomy has been achieved on a Black Hawk,' said Lt. Col. Carl Ott, chief of the Flight Projects Office at AMRDEC's Aeroflightdynamics Directorate and one of the test's pilots."

(Related) Drigibles make great drones, since they can loiter for days. They will also make “death-by-drone” much cheaper, since with their huge lift capacity they just carry a bunch of really big rocks to drop on the bad guys...
"The dirigible airship, the oddball aircraft of another era, is making a comeback. California-based Aeros Corporation has created a prototype of its new breed of variable buoyancy aircraft and expects the vehicle to be finished before the end of 2012. With its new cargo handling technology, minimum fuel consumption, vertical take-off and landing features and point to point delivery, the Aeroscraft platform promises to revolutionize airship technology. The Aeroscraft ship uses a suite of new mechanical and aerospace technologies. It operates off a buoyancy management system which controls and adjusts the buoyancy of the vehicle, making it light or heavy for any stages of ground and flight operation. Automatic flight control systems give it equilibrium in all flight modes and allow it to adjust helium pressurized envelopes depending on the buoyancy requirements. It just needs one pilot and has an internal ballast control system, which allows it to offload cargo, without using ballast. Built with a rigid structure, the Aeroscraft can control lift at all stages with its Vertical Takeoff and Landing (VTOL) capabilities and carry maximum payload while in hover. What makes it different from other cargo vehicles is that it does not need a runway or ground infrastructure."

(Related) Speaking of “death-by-drone”
Death by Algorithm: West Point Code Shows Which Terrorists Should Disappear First
Paulo Shakarian has an algorithm that might one day help dismantle al-Qaida — or at least one of its lesser affiliates. It’s an algorithm that identifies which people in a terror network really matter, like the mid-level players, who connect smaller cells with the larger militant group. Remove those people, either by drone or by capture, and it concentrates power and authority in the hands of one man. Remove that man, and you’ve broken the organization.

How do I stalk thee...
FTC settles charges against Epic Marketplace over “history sniffing” to collect data from consumers
December 5, 2012 by Dissent
From the FTC’s press release:
An online advertising company agreed to settle Federal Trade Commission charges that it used “history sniffing” to secretly and illegally gather data from millions of consumers about their interest in sensitive medical and financial issues ranging from fertility and incontinence to debt relief and personal bankruptcy.
The FTC settlement order bars the company, Epic Marketplace Inc., from continuing to use history sniffing technology, which allows online operators to “sniff” a browser to see what sites consumers have visited in the past.
… Epic Marketplace is a large advertising network that has a presence on 45,000 websites. Consumers who visited any of the network’s sites received a cookie, which stored information about their online practices including sites they visited and the ads they viewed.
… In its privacy policy, Epic claimed that it would collect information only about consumers’ visits to sites in its network.
… The consent order bars Epic Marketplace, Inc., and Epic Media Group, LLC from using history sniffing, and requires that they delete and destroy all data collected using it. [That's a new one... Bob]
Documents on this case, including the complaint and proposed consent order, can be found here.

FTC to Host Comprehensive Collection of Web Data Workshop TODAY
December 6, 2012 by Dissent
The FTC reminds everyone:
The Federal Trade Commission will host a workshop exploring the practices and privacy implications of comprehensive data collection. FTC Commissioner Julie Brill will deliver the opening remarks, and Commissioner Maureen Ohlhausen will provide remarks after lunch. Consumer protection organizations, academics, business and industry representatives, privacy professionals, and others will join FTC staff to examine the technological landscape, benefits and risks, consumer knowledge and attitude, and the future of comprehensive data collection.
The workshop will be webcast live.
Submit questions online
FTC staff will live-tweet the day-long event using the hashtag #FTCpriv from the agency’s @FTC account. To submit questions for panelists online, tweet them with the hashtag, post them to the FTC’s Facebook page, or email them
More details on the FTC’s site.

Still room for my Computer Security students Also for my Statistics students...
The following is a press release from HITRUST, released today:
According to the Health Information Trust Alliance’s (HITRUST) analysis of U.S. healthcare data breaches from 2009 to the present, the healthcare industry has made little progress in reducing the number of breaches with troubling statistics seen from the same types of organizations, breaches and locations. The retrospective analysis of breaches affecting 500 or more individuals indicates a slight decline in the total number of breaches during the past three years, but overall the industry’s susceptibility to certain types of breaches has been largely unchanged since breach data became available from the U.S. Department of Health and Human Services (HHS) and the new HIPAA and HITECH Act regulations went into effect.
… A close look at the HHS data reveals that since 2009 the industry has experienced 495 breaches involving 21 million records at an estimated cost of $4 billion. With the annual number of total breaches remaining fairly consistent, hospitals and health systems is one of the few groups that can claim some improvements in protecting health information with the largest decline in reported breaches. This group experienced a decline of 71 percent from 2010 to 2011 in the number of breaches, and for the first two quarters of 2012 has only experienced 14 breaches (compared with a total of 48 for 2011). Health plans have also seen a steady decline in breaches since 2009 and have not had to post since the first quarter of 2012.
… The HITRUST report – “A Look Back: U.S. Healthcare Data Breach Trends” – is publically available for download at along with an infographic of the analysis.
I have not yet read their report, but already wonder about the fact that if this is based solely on breaches reported to HHS, the year-to-year comparisons may be valid, but overall, they may be underestimating breaches in the entire sector as many breaches that incorporate ID theft for Medicare fraud do not get reported on HHS/OCR’s breach tool, and well, frankly, I think there are a lot more insider breaches than the known numbers might suggest. This is apart from hacking/malware breaches that they recognize are also likely under-reported. Records breached is an important measure when it comes to calculating costs and the total number of patients affected, but insider breaches seem to do more harm and perhaps, need to be viewed or weighted differently. But let me try to read the report this weekend and then we’ll see…

I wonder how many taxpayers “Like” the Revenue Department?
December 05, 2012
State of North Carolina - Social Media Archive
"This free and open archive provides access to more than 55,000 social media records from selected North Carolina state agencies. It is currently in beta. Social media activity from these agencies is continually being captured and indexed, and additional agencies will be included in the future. The content in this archive has been captured because it was made or received pursuant to law or ordinance in connection with the transaction of public business by an agency of North Carolina government or its subdivisions (G.S. § 132-1). Enter a keyword to search across the entire archive of social media sites, or use the Advanced Search for more options."

How bad must this be if the judge is allowing their equivalent of the NSA to be sued?
Megaupload’s Kim Dotcom allowed to seek damages against spy agency
December 6, 2012 by Dissent
Jeremy Kirk reports:
New Zealand’s High Court ruled Wednesday that Kim Dotcom and a Megaupload colleague can pursue damages against police and one of the country’s spy services for illegally intercepting their communications.
In her judgment, Justice Helen Winkelmann also added the Government Communications Security Bureau (GCSB) as a defendant in the case, ordering the agency to turn over some details of the agency’s surveillance with respect to national security concerns. Another hearing is planned for next week.
New Zealand’s government admitted it illegally spied on Dotcom and Bram van der Kolk prior to a January raid on Dotcom’s mansion that coincided with the shutdown of their Megaupload file-sharing service.
Read more on Computerworld. Can you imagine a court here ever letting someone sue the government this way?

(Related) True, but not exactly as they might like us to believe. I also find it interesting that all of these “pirate movie sites” (thanks for the list) seem to be accessed heavily from the DU Law School. No doubt they are preparing cases against offenders. I'll ask them during one of their Free Movie Nights...
"The Motion Picture Association of America (MPAA) has declared that the Megaupload shutdown earlier this year has been a great success. In a filing to the Office of the U.S. Trade Representative, the group representing major movie studios says the file hosting and sharing industry has been massively disrupted. Yet the MPAA says there is still work to be done, identifying sites that make available to downloaders 'unauthorized copies of high-quality, recently-released content and in some cases, coordinate the actual upload and download of that content.' Here's the list of sites, including where they are hosted: Extratorrent (Ukraine), IsoHunt (Canada), Kickass Torrents (Canada), Rutracker (Russia), The Pirate Bay (Sweden), Torrentz (Canada), and Kankan (China)."

The Design students use it to manipulate photos, Criminal Justice students use it to generate evidence...
Photoshop is one insanely powerful program. It has so many features that it is honestly hard to wrap your head around it. Unfortunately, it also comes with a price tag and learning curve that reflect the load of features and options. After all, there are entire classes dedicated to just learning the program, and once you do, you will have to run out and drop hundreds of dollars to have it installed on your own computer.
… So what can you do to get some of the features of Photoshop without the price tag? You can download Sumo Paint for Chrome. It offers many of the high-end features you expect from Photoshop, but without the insane price tag. In fact, it runs right in your web browser and is available from the Chrome Webstore for the low cost of $0.

An Origami design tool! God I wish I had a drop of artistic talent...
Fold It Right There: New iPad App Makes Papercraft More Fun Than Ever
… Indie developer Pixle is releasing a tool for the iPad to make designing your own papercraft figures super easy.
The app, called Foldify, uses a mixture of pre-build patterns and finger painting tools to allow you to create designs while previewing them in 3-D on the fly. Once you’re done, print them out on card stock, cut and fold. As easy as that, more weird things for your desk.

For my Math students

Wednesday, December 05, 2012

Would a serf, watching the lord's knights ride by, understand that they were not an adequate defense?
"In the old days, traditional computer security centered around users. However, Bruce Schneier writes that now some of us have pledged our allegiance to Google (using Gmail, Google Calendar, Google Docs, and Android phones) while others have pledged allegiance to Apple (using Macintosh laptops, iPhones, iPads; and letting iCloud automatically synchronize and back up everything) while others of us let Microsoft do it all. 'These vendors are becoming our feudal lords, and we are becoming their vassals. We might refuse to pledge allegiance to all of them — or to a particular one we don't like. Or we can spread our allegiance around. But either way, it's becoming increasingly difficult to not pledge allegiance to at least one of them.' Classical medieval feudalism depended on overlapping, complex, hierarchical relationships. Today we users must trust the security of these hardware manufacturers, software vendors, and cloud providers and we choose to do it because of the convenience, redundancy, automation, and shareability. 'In this new world of computing, we give up a certain amount of control, and in exchange we trust that our lords will both treat us well and protect us from harm (PDF). Not only will our software be continually updated with the newest and coolest functionality, but we trust it will happen without our being overtaxed by fees and required upgrades.' In this system, we have no control over the security provided by our feudal lords. Like everything else in security, it's a trade-off. We need to balance that trade-off. 'In Europe, it was the rise of the centralized state and the rule of law that undermined the ad hoc feudal system; it provided more security and stability for both lords and vassals. But these days, government has largely abdicated its role in cyberspace, [Except for crying “Wolf!” (Cyber Pearl Harbor) Bob] and the result is a return to the feudal relationships of yore,' concludes Schneier, adding that perhaps it's time for government to create the regulatory environments that protect us vassals. 'Otherwise, we really are just serfs.'"
An anonymous reader provides a contrary opinion:
"The proposed analogy is wrong. Rather than feudal lords being replaced by a semi-accountable, presumably representative government, asking the government to take over would be going back to the having just AT&T as the sole provider of telecommunications, with private ownership of phones prohibited. It would be a reversion from an open and competitive market (where those who fail to provide security can be abandoned freely, the exact opposite of a feudal situation where serfs were forbidden to leave their masters and breaking oaths of obedience would lead to hit series on HBO) to a single "provider" which cannot be abandoned or ignored.
Monopolies, in general, suck, and without an external force to shore them up, they tend to be short lived. I remember when Lotus and WordPerfect and dBase were "unassailable", and people were wondering if the government should force these companies to be more "competitive" somehow. Then it was Windows, and particularly Explorer, that was going to control the world because "no one could compete". Now it's Google and Apple. Either these companies actually provide the security they promise, or they lose business to someone who will. The fear of the "feudal lords" failing to offer the security they promise is a false one, because they have no actual hold if they fail to deliver the goods.
The role of government in this arena is making sure that companies are held accountable for broken promises, that they pay the costs for data loss and security breaches. ... The government should not be determining what security is acceptable, because governments and regulations cannot possibly keep up with ever-changing realities."

Geeky stuff that means: Passwords are only useful for avoiding “accidental” access to data in certain limited circumstances.
"A presentation at the Passwords^12 Conference in Oslo, Norway (slides), has moved the goalposts on password cracking yet again. Speaking on Monday, researcher Jeremi Gosney (a.k.a epixoip) demonstrated a rig that leveraged the Open Computing Language (OpenCL) framework and a technology known as Virtual Open Cluster (VCL) to run the HashCat password cracking program across a cluster of five, 4U servers equipped with 25 AMD Radeon GPUs communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric. Gosney's system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft's LM and NTLM, obsolete. In a test, the researcher's system was able to generate 348 billion NTLM password hash checks per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference. For some context: In June, Poul-Henning Kamp, creator of the md5crypt() function used by FreeBSD and other, Linux-based operating systems, was forced to acknowledge that the hashing function is no longer suitable for production use — a victim of GPU-powered systems that could perform 'close to 1 million checks per second on COTS (commercial off the shelf) GPU hardware,' he wrote. Gosney's cluster cranks out more than 77 million brute force attempts per second against MD5crypt."

An update. Don't expect the delay to last long...
California Eyeing Drone Surveillance
Plans by the first California local government to deploy a surveillance drone were postponed Tuesday amid protests by rights groups who complained that Alameda County authorities were rushing the plan without public input.
“There has to be robust public engagement whether to deploy something like this,” said Will Matthews, a spokesman for the American Civil Liberties Union.
Alameda County is moving to become one of dozens of local law enforcement agencies nationwide to deploy the unmanned crafts. Some of the agencies include the Seattle Police Department, Miami-Dade Police Department and the Texas Department of Public Safety.

Suspicion and rumor are one thing, talking to the architect is quite another...
Everyone in US under virtual surveillance’ – NSA whistleblower
December 5, 2012 by Dissent
The FBI records the emails of nearly all US citizens, including members of congress, according to NSA whistleblower William Binney. In an interview with RT, he warned that the government can use this information against anyone.
Binney, one of the best mathematicians and code breakers in the history of the National Security Agency, resigned in 2001. He claimed he no longer wanted to be associated with alleged violations of the Constitution, such as how the FBI engages in widespread and pervasive surveillance through powerful devices called ‘Naris.’
This year, Binney received the Callaway award, an annual prize that recognizes those who champion constitutional rights and American values at great risk to their personal or professional lives.
Watch the interview with Binney on (the transcript below it has some errors, like “My line” for “Mark Klein”).

(Related) This came up Sunday, but I didn't have a link to the research paper.
"U.S. law enforcement and intelligence services can use the PATRIOT Act/FISA to 'obtain' EU-stored data for snooping, mining and analysis, despite strong EU data and privacy laws, according to a recent research paper. One of the paper's authors, Axel Arnbak, said, 'Most cloud providers, and certainly the market leaders, fall within the U.S. jurisdiction either because they are U.S. companies or conduct systematic business in the U.S. In particular, the Foreign Intelligence Surveillance Amendments (FISA) Act makes it easy for U.S. authorities to circumvent local government institutions and mandate direct and easy access to cloud data belonging to non-Americans living outside the U.S., with little or no transparency obligations for such practices -- not even the number of actual requests.' Arnback added, 'These laws, including the Patriot Act, apply as soon as a cloud service conducts systematic business in the United States. It's a widely held misconception that data actually has to be stored on servers physically located in the U.S.'"

(Related) A hint that the majority of UN member states want the ability to spy on their citizens too?
dsinc sends this quote from Techdirt about the International Telecommunications Union's ongoing conference in Dubai that will have an effect on the internet everywhere:
"One of the concerns is that decisions taken there may make the Internet less a medium that can be used to enhance personal freedom than a tool for state surveillance and oppression. The new Y.2770 standard is entitled 'Requirements for deep packet inspection in Next Generation Networks', and seeks to define an international standard for deep packet inspection (DPI). As the Center for Democracy & Technology points out, it is thoroughgoing in its desire to specify technologies that can be used to spy on people. One of the big issues surrounding WCIT and the ITU has been the lack of transparency — or even understanding what real transparency might be. So it will comes as no surprise that the new DPI standard was negotiated behind closed doors, with no drafts being made available."

Having grown up in New Jersey, I'd like to assure everyone that I am mostly cured. I haven't murdered anyone in weeks! For my Statistics students...
"With a homicide rate historically more than three times greater than the rest of the United States, Newark, N.J., isn't a great vacation spot. But it's a great place for a murder study (abstract). Led by April Zeoli, an assistant professor of criminal justice, a group of researchers at Michigan State University tracked homicides around Newark from 1982 to 2008, using analytic software typically used by medical researchers to track the spread of diseases. They found that "homicide clusters" in Newark, as researchers called them, spread and move throughout a city much the same way diseases do. Murders, in other words, did not surface randomly—they began in the city center and moved in 'diffusion-like processes' across the city." [Can you say, “vendetta?” Bob]

A few companion sites for After all what use is the music without the lyrics?

Tuesday, December 04, 2012

If the answer is “So what?” are they asking the wrong question?
Vibrant Seeks Dismissal Of Safari-Hack Lawsuit
December 3, 2012 by Dissent
Wendy Davis reports:
Arguing that consumers weren’t injured “in any legally recognizable way,” Vibrant Media has formally asked a federal judge to throw out a privacy lawsuit stemming from the so-called Safari hack.
Vibrant’s request came in response to a potential class-action lawsuit filed in May by Web users Daniel Mazzone and Michelle Kusanto. They alleged that the company circumvented Safari’s privacy settings, which block third-party tracking cookies by default.
Read more on MediaPost.

Not quite the ultimate training video, but I'll show it to all my classes anyway.

Doesn't “Your” health data give us a clue?
"The Wall Street Journal has an interesting article about how the data from Implanted health devices is managed and the limitations patients run into when they want to see the data. Companies like Medtronic plan to sell the data but won't provide it to the person who generated it. From the article: 'The U.S. has strict privacy laws guaranteeing people access to traditional health files. [No need to define “traditional” since everyone knows what that means... Bob] But implants and other new technologies—including smartphone apps and over-the-counter monitors—are testing the very definition of medical records.'"

Currently there ia a requierment to keep certain records (e.g. tax records) for a specified time in support of assertions made to the government. What justifies “keep this in case?”
Cops to Congress: We need logs of Americans’ text messages
December 4, 2012 by Dissent
Declan McCullagh reports:
AT&T, Verizon Wireless, Sprint, and other wireless providers would be required to record and store information about Americans’ private text messages for at least two years, according to a proposal that police have submitted to the U.S. Congress.
CNET has learned a constellation of law enforcement groups has asked the U.S. Senate to require that wireless companies retain that information, warning that the lack of a current federal requirement “can hinder law enforcement investigations.” [So could the lack of lots of other things, like a complete DNA database, RFID chips implanted at birth, tattooed numbers on wrists... Bob]
Read more on CNET.

Now I can find out what some of those drugs they advertise so heavily on TV are actually for...
December 03, 2012
Look up medications more quickly and easily on Google
Official Google Search Blog: "We get a lot of queries for medicine on Google. So to make it quick and easy for you to learn about medications, we’ll start showing key facts -- side effects, related medications, links to in-depth resources, and more -- right on the search results page. This data comes from the U.S. FDA, the National Library of Medicine, and the Department of Veterans Affairs, among others. It’s part of the Knowledge Graph -- our project to map out billions of real-world things, from famous artists to roller coasters to planets (and now medications). We hope you find this useful, but remember that these results do not act as medical advice."

'cause IP ain't confusing enough? If I hold the copyright on a work, dies Facebook's stripping of the metadata equate to modifying my work and passing it off as Facebook's version?
"Orphaned works legislation promises to open older forgotten works to new uses and audiences. Groups like ASMP think it's inevitable. But it comes with the risk of defanging protection for current work when the creator cannot be located. Photographer Mark Meyer wonders if orphaned works legislation also needs language to compel organizations like Facebook to stop their practice of stripping metadata from user content in order to keep new work from becoming orphans to begin with. Should we have laws to make stripping metadata illegal?"
The author notes that excessive copyright terms may be to blame; if that's the case why lobby for Orphaned Works legislation? On a related note, Rick Falkvinge asks if we should revisit the purpose of the copyright monopoly.

Could be a legitimate try gone bad, or an evil hack that did just what the hacker intended, or anything in between...
In what may end up becoming a legendary moment of public embarrassment, several movie studios have issued DMCA takedown notices to Google for legitimate content, including official Facebook pages, Wikipedia entries, and legal copies of their own movies. This is the by-product of automated takedown requests submitted on behalf of the studios by, which has since gone offline, indicating that perhaps the issue isn’t as straight-forward as it seems.

This week the folks at Nielsen have reported that their most recent findings in studying the web’s usage of social networks has yielded one thing clearer than all else: Facebook takes the cake. They’ve made it clear that in addition to Facebook continuing to bash up the charts by a significant margin, we’ve spent 37% more time this year in the month of July on social networks than we did last year at the same time. In just one year, we’ve tacked on nearly 40% more minutes in a month with Facebook, Twitter, Zynga, and the like.
This study in 2012 shows the top 10 social networks to be Facebook, Blogger, Twitter, WordPress, and Linedin to start, with Facebook equalling nearly three times the amount of unique PC visits over its first competitor, Blogger.

Toys for students
ThisNext Launches Glossi, Its Free Digital Magazine Builder
Glossi, the digital publishing platform from social commerce company ThisNext, is going into public beta today, which means that a much broader group of people can use Glossi’s tools to build and publish their own online magazines with Glossi’s tools (though you still need an invitation).
… I haven’t created a Zeen or a Glossi of my own, but Edelman did take me through the Glossi building process, and even though he may have skipped over some of the more time-intensive steps, it did seem like a pretty intuitive process. Users upload images from their computer or other website, organize those images (“clippings”) into folders, then use a drag-and-drop interface to lay them out in a magazine format, apply filters as desired, and then add text and video (the latter from YouTube or Vimeo).
To get a sense of how publishers are already using Glossi, here’s a sample from Lucky Magazine highlighting content from its January issue, another from RentTheRunway showcasing New Year’s fashion, and a third from Brit Morin’s Brit & Co. with DIY fashion and tips.

Tools for my website class.
… for a new webmaster, the process of finding the best web tool can be a bit difficult. If you have just started your own website and this is your first webmaster experience, then you will need to quickly find web tools that will help you analyze your website’s performance.
Additionally you will want tools that let you perform site functions easily or add to the features list of your own website. Finding the right tools for these tasks might take a lot of trial and error. But here to make matters much easier is a service called Top Alternatives.
The website basically offers a catalogue of the best online tools that will help you make your webmaster tasks easier. You do not need to register for any new accounts on the site to get started. To use the site, simply browse over to the category that you are interested in, such as SEO. You will find various sub-categories that are targeted at different functions.

For my fellow teachers...
Massive Open Online Courses. MOOCs. This was, without a doubt, the most important and talked-about trend in education technology this year.
… The Technology of xMOOCs
While a lot of the mainstream press’s attention to MOOCs has focused on the content, the class sizes, and the (potential) credentials, the technology that underpins these online courses is incredibly important — and something too that highlights the differences between xMOOCs and cMOOCs.
The cMOOCs rely on tools like Downes’ gRSShopper, which as he describes it, “is a personal web environment that combines resource aggregation, a personal dataspace, and personal publishing. It allows you to organize your online content any way you want to, to import content – your own or others’ – from remote sites, to remix and repurpose it, and to distribute it as RSS, web pages, JSON data, or RSS feeds.”
Rather than driving users to a course website or a learning platform for all their interactions, the users on gRSShopper “are assumed to be outside the system for the most part,” writes Downes, “inhabiting their own spaces, and not mine.” xMOOCs, on the other hand, look an awful lot like an LMS.
… The Pedagogy of MOOCs
The differences between xMOOCs and xMOOCs are also evident in their respective pedagogies. In June, George Siemens outlined the “theories that underpin our MOOCs,” highlighting some of these differences.
… Unbundling (and Rebundling) the University
… Indeed, much of the hullaballoo about MOOCs this year has very little to do with the individual learner and more to do with the future of the university, which according to the doomsayers “will not survive the next 10 to 15 years unless they radically overhaul their current business models.”
But what are the business models for MOOCs? (Other than raising venture capital, of course.) That’s still a little unclear. In an article in The Chronicle of Higher Education in July, Jeffrey Young points to a couple of possibilities: selling courses to community colleges, charging tuition, and offering “secure assessments.” Young’s article cites Coursera founder Daphne Koller who says that “Our VC’s keep telling us that if you build a Web site that is changing the lives of millions of people, then the money will follow.”