Saturday, December 15, 2012

Unfortunately, this happens a lot. And you can go back as far as you want. Texas Tower? St. Valentine's Day?
A Guide to Mass Shootings in America

(Related) It always starts a debate about guns, but that's far too simple. If we were talking automobiles, we know the really dangerous part is the nut that holds the wheel. Why aren't we talking about mental illness?
Knife attack at Chinese school wounds 22 children

One simple way manufacturers test radar guns is by checking the speed of a tuning fork. Perhaps there was something vibrating at 38 mph? I want a tuning fork that vibrates at 250 mph; that should be unbelievable enough to get me out of speeding tickets...
"The Baltimore City speed camera ticket alleged that the four-door Mazda wagon was going 38 miles per hour in a 25-mph zone — and that owner Daniel Doty owed $40 for the infraction. But the Mazda wasn't speeding. It wasn't even moving. The two photos printed on the citation as evidence of speeding show the car was idling at a red light with its brake lights illuminated. A three-second video clip also offered as evidence shows the car motionless, as traffic flows by on a cross street. Since the articles' publication, several lawmakers have called for changes to the state law that governs the way the city and other jurisdictions operate speed camera programs. Gov. Martin O'Malley said Tuesday that state law bars contractors from being paid based on the number of citations issued or paid — an approach used by Baltimore City, Baltimore County, Howard County and elsewhere. 'The law says you're not supposed to charge by volume. I don't think we should charge by volume,' O'Malley said. 'If any county is, they need to change their program.'"

(Related) Bad headline. The “Perfect Storm” comes down to, “the camera might be bad or the officer reviewing the camera might have screwed up.” How many errors do they catch?
'Perfect storm' of errors caused speeding ticket to stopped car, police say
A "perfect storm of errors" caused the city of Baltimore to issue a speed camera citation to a stationary vehicle, the Police Department's chief spokesman said Thursday.
Spokesman Anthony Guglielmi acknowledged that Officer Christopher Izquierdo should not have validated the citation, which alleged that a Mazda wagon was going 38 mph even though a video clip from the camera and two time-stamped photos given as evidence clearly show the car stopped at a red light.
State law requires every citation to be approved by a sworn law enforcement officer, and in the city that is the final step before a ticket is mailed out to the vehicle's owner.
… The Sun recently published an investigation focusing on the city's speed camera program, which found that citations can be inaccurate and that judges routinely throw out tickets for a variety of problems. The Sun also showed that drivers cannot verify the alleged speeds with the information printed on tickets from Baltimore County, Howard County and the State Highway Administration.
… The Police Department has previously said a single officer can be called on to review up to 1,200 citations per day, leaving little time to scrutinize each one.
"It's no secret the volume of citations that have to be reviewed as authentic is a lot," Guglielmi said. "You rely almost exclusively on the equipment, the validity of the equipment. That's all you have. You have the photographs, the time stamps. You authenticate based on the equipment."

Which of these statements are true:
“We can break any law as long as we keep it secret.”
“Admitting that we didn't break a particular law might reduce our ability to intimidate someone who thinks we did.”
“Everyone who has resolved this paradox is dead.”
State Secrets Defense Corners Judge in ‘Catch-22’ Predicament
A federal judge said Friday that the Obama administration has pinned him in an inescapable, paradoxical situation when it comes to whether he should dismiss a lawsuit accusing the government of siphoning Americans’ electronic communications from telecoms and funneling them to the National Security Agency without warrants.
During a three-hour and highly nuanced and esoteric hearing before U.S. District Judge Jeffrey White of San Francisco, Justice Department lawyers invoked the state secrets privilege and demanded White dismiss the case on grounds that it threatened to expose national-security secrets.
The state secrets doctrine was first recognized by the Supreme Court in the McCarthy era, and is asserted when the government claims litigation threatens national security. Judges routinely dismiss cases on that assertion alone.

Perhaps they looked at the Megaupload case in New Zealand and thought, “maybe there is less here than meets the eye.” Fortunately, the extradition agreement was written in the Queen's English, so she gets to determine exactly what that means...
"Computer hacker Gary McKinnon, who is wanted in the U.S., will not face charges in the U.K., the Crown Prosecution Service has said. Director of Public Prosecutions Keir Starmer QC said the chances of a successful conviction were 'not high.' He announced the decision some three months after Home Secretary Theresa May stopped the extradition. Mr. McKinnon, 46, admits accessing U.S. government computers but says he was looking for evidence of UFOs. The U.S. authorities tried to extradite him to face charges of causing $800,000 (£487,000) to military computer systems and he would have faced up to 60 years in prison if convicted."

Is this restrictive enough? If the police had the address of a 20-unit apartment building, could they search 19 innocent apartments looking for the bad guy? Could they even search two apartments, knowing one was completely uninvolved?
Vermont Supreme Court Addresses Electronic Search Limits
December 14, 2012 by Dissent
Dan Barrett writes:
The Vermont Supreme Court gave electronic privacy a big boost this morning when it approved restrictions placed upon police when conducting searches of electronic devices.
The case originated when police in Burlington, Vermont were investigating a report of a person applying for credit cards online using someone else’s identity. Once the police narrowed the investigation to a street address where they thought the perpetrator might live, they asked a judge to issue a search warrant for “all computers or electronic media” located in the house—even though the house had multiple residents.
The judge issued the search warrant, but was wary about approving such a broad search of computers, iPads, and other devices. So he imposed a number of restrictions on the search, including that the police could only look for evidence relating to the alleged identity theft, had to turn the devices over to a third party to conduct the search, and would not be permitted to prosecute a suspect based upon evidence of other crimes found on the devices.
Read more on ACLU-Vermont.

Can you claim ignorance twice? Here, they “guessed(?)” they didn't need a warrant, and they were slapped on the wrist and allowed to continue as if they had acted appropriately. What happens the next time they do this?
District Court for the District of Columbia sidesteps 4th Amendment issues in Antoine Jones case
December 14, 2012 by Dissent
Readers will recall that the Supreme Court sent the Antoine Jones warrantless GPS surveillance case back to the District Court for the District of Columbia after ruling that 28 days of GPS surveillance and use of cell-site data held by a third party provider was a search under the Fourth Amendment. Unfortunately for privacy advocates, the district court just handed the Department of Justice a win by side-stepping the issue of whether a warrant was required and declaring that even if it was, the good faith exception to the exclusionary rule would apply:
On January 23, 2012, the Supreme Court vacated Antoine Jones’ conviction under 21 U.S.C. § 846 for Conspiracy to Distribute and Possess with Intent to Distribute Five Kilograms or more of Cocaine and Fifty Grams or more of Cocaine Base. United States v. Jones, 132 S. Ct. 945 (2012). In that opinion, the Supreme Court unanimously ruled that the government’s installation of a GPS device on Jones’ car and use of the device to track the car’s movement for a period of twenty-eight days constituted a Fourth Amendment search. Relying on that decision, as well as the D.C. Circuit’s opinion in this case in United States v. Maynard, 615 F.3d 544 (D.C. Cir. 2010), aff’d on other grounds sub nom. United States v. Jones, 132 S. Ct. 945 (2012), defendant now moves to suppress cell-site data covering a four-month period that was obtained pursuant to three orders issued by United States Magistrate Judges of this Court in June, August, and September of 2005. (Defendant’s Motion to Suppress Cell Site Data, Mar. 29, 2012 [ECF No. 606] (“Mot.”).)
Defendant, with the support of an amici curiae brief filed by Electronic Frontier Foundation and Center for Democracy & Technology (Brief Amici Curiae in Support of Defendant Jones’ Motion to Suppress, Aug. 13, 2012 [ECF No. 644] (“Amicus Br.”)), argues that under the Fourth Amendment, the government was required to obtain a warrant based on probable cause prior to tracking Jones’ location based on cell-site data provided by a third party provider for a four-month period of time. The Court, however, need not resolve this vexing question of Fourth Amendment jurisprudence, since it concludes that the good-faith exception to the exclusionary rule applies. [I wonder if that had come up before? Bob]
The court also held that even if law enforcement had violated the Stored Communications Act, the evidence could still be used because there is no suppression remedy in the SCA:
However, this Court need not weigh in on this debate because even if a defendant could argue that the government did not comply with the SCA, all courts that have addressed the issue have held that the SCA does not provide for a suppression remedy. See, e.g., United States v. Ferguson, 508 F. Supp. 2d 7, 10 (D.D.C. 2007); United States v. Hardrick, 2012 WL 4883666, at *8 n.44 (E.D. La. Oct. 15, 2012) (collecting cases). Section 2708 of the SCA provides that “[t]he remedies and sanctions described in this chapter are the only judicial remedies and sanctions for nonconstitutional violations of this chapter.” 18 U.S.C. § 2708 (emphasis added). Elsewhere, the Act provides for civil damages, see id. §2707, and criminal penalties, see id. § 2701(b), but nowhere does it provide for the suppression of evidence. See United States v. Smith, 155 F.3d 1051, 1056 (9th Cir. 1998) (“[T]he Stored Communications Act does not provide an exclusion remedy.”)
You can read the opinion here.

For all my techies. One hour video...
Meeting the Cyber Risk Challenge
In this HBR webinar, panelists focus on the best practices in information security and privacy programs.

For my students who read...
Mamas, Don’t Let Your Babies Grow Up To Be Writers
So this is awkward. Ownshelf is a new service that lets people store and share ebooks online. Pretty nifty, huh? They reached out to me in part because I’ve released several of my own books for free under a Creative Commons license. (For those of you new to this column, I write fiction when not writing code, and have had a bunch of novels published by HarperCollins, Hachette, etc., over the years; see picture.) What they didn’t know is that for fun, all by my lonesome, I recently created — and open-sourced — a service called ePubHost which, er, lets people store, search, and share quotes from their ebooks online. Sound familiar? Um.

Friday, December 14, 2012

A truly great “Bad Example.” See if you can find even more “Worst Practices” in the article.
FBI Memo: Hackers Breached Heating System via Backdoor
… The company used the Niagara system not only for its own HVAC system, but also installed it for customers, which included banking institutions and other commercial entities, the memo noted. An IT contractor who worked for the company told the FBI that the company had installed its own control system directly connected to the internet with no firewall in place to protect it.
Although the system was password protected in general, the backdoor through the IP address apparently required no password and allowed direct access to the control system. “[Th]e published backdoor URL provided the same level of access to the company’s control system as the password-protected administrator login,” said the memo.
The backdoor URL gave access to a Graphical User Interface (GUI), “which provided a floor plan layout of the office, with control fields and feedback for each office and shop area,” according to the FBI. “All areas of the office were clearly labeled with employee names or area names.”

Preparing for a “false flag” attack? Or just trying to find information on how to stabilize satellites?
"A new targeted attack campaign with apparent Korean ties has been stealing email and Facebook credentials and other user-profile information from Russian telecommunications, IT, and space research organizations. The attackers are grabbing email user accounts and passwords from Outlook, as well as information about the victims' email server."
[From the DarkReading article:
Researchers didn't specify whether it's either North or South Korea, but say that around 80 percent of the victims in the attacks are Russian organizations.
Ali Islam, security researcher for FireEye, says it's possible that Korea is being used as a proxy for the attack.

The other meaning of “swipe”
New 'Dexter' malware strikes point-of-sale systems
Retailer point-of-sale systems may be at risk of malware that steals credit card data.
Israel-based security firm Seculert has identified a strain of malware, dubbed Dexter, which it asserts has infected hundreds of point-of-sale (POS) systems across 40 countries in the past two to three months. English-speaking countries appear to be a prime target, with 30 percent of infections in the U.S., 19 percent in the U.K., and 9 percent in Canada.

Perhaps now I can develop that “Electronic Bounty Hunter” course I've been talking about.
"Japanese police are looking for an individual who can code in C#, uses a 'Syberian Post Office' to make anonymous posts online, and knows how to surf the web without leaving any digital tracks — and they're willing to pay. It is the first time that Japan's National Police Agency has offered a monetary reward for a wanted hacker, or put so much technical detail into one of its wanted postings. The NPA will pay up to $36,000, the maximum allowed under its reward system. The case is an embarrassing one for the police, in which earlier this year 4 individuals were wrongly arrested after their PCs were hacked and used to post messages on public bulletin boards. The messages included warnings of plans for mass killings at an elementary school posted to a city website."

(Related) A new toolset...
SpyPhone: Pentagon Spooks Want New Tools for Mobile ‘Exploitation’
… The DIA wants “technical exploitation” tools that can efficiently access the data of people the military believes to be dangerous once their spies collect it.
That’s according to a request for information the DIA sent to industry on Wednesday. The agency wants better gear for “triage and automation, advanced technical exploitation of digital media, advanced areas of mobile forensics, software reverse engineering, and hardware exploitation, reverse engineering, and mobile applications development & engineering.” [Reads like a list of Ethical Hacker classes Bob] If the DIA runs across digitized information, in other words, it wants to make rapid use of it.

In the tradition of “Double Secret Probation,” citizens are now members of the Animal House.
Attorney General Secretly Granted Gov Ability to Develop and Store Dossiers on Innocent Americans
December 13, 2012 by Dissent
Kim Zetter reports:
In a secret government agreement granted without approval or debate from lawmakers, the U.S. attorney general recently gave the National Counterterrorism Center sweeping new powers to store dossiers on U.S. citizens, even if they are not suspected of a crime, according to a news report.
Earlier this year, Attorney General Eric Holder granted the center the ability to copy entire government databases holding information on flight records, casino-employee lists, the names of Americans hosting foreign-exchange students and other data, and to store it for up to five years, [and then start a “new” dossier? Bob] even without suspicion that someone in the database has committed a crime, according to the Wall Street Journal, which broke the story.
Read more on Threat Level.

(Related) Is this simply a coincidence or a “massive government conspiracy?”
"Hotmail and Yahoo Mail are apparently sharing [or have been given... Bob] a secret blacklist of domain names such that any mention of these domains will cause a message to be bounced back to the sender as spam. I found out about this because — surprise! — some of my new proxy site domains ended up on the blacklist. Hotmail and Yahoo are stonewalling, but here's what I've dug up so far — and why you should care."
Read on for much more on how Bennett figured out what's going on, and why it's a hard problem to solve.

(Related) Apparently, Harvard Law lets you skip the “How a Law is Made” class in favor of the “Expanding Executive Powers” class.
Obama Administration Rushes “Creepy Black Box” Mandate on All New Car Buyers
December 14, 2012 by Dissent
National Center Adjunct Fellow Horace Cooper is condemning the decision by the Obama Administration to bypass Congress and implement its automobile “black box” mandate administratively.
The Department of Transportation has announced a proposed rule to require Event Data Recorders (EDRs) in 100% of all light vehicles sold in the United States. EDRs are more commonly known as “black boxes,” such as those carried by aircraft.
Last year a similar proposal was killed by the House of Representatives when it was included in a Senate-passed bill to fund the nation’s transportation needs.
“Not only will this new requirement give new resources and data to the DOT to support more economically-damaging regulations in the future; this mandate itself represents an unprecedented breach of privacy for Americans. Operating more like a surveillance camera than a tool for accident investigation, this DOT rule-making is the embodiment of Orwellian monitoring,” Cooper explained.
“Contrary to what is now being claimed, EDRs can and will track the comings and goings of car owners and even their passengers,” Cooper said. “EDRs not only provide details necessary for accident investigation, they also track travel records, passenger usage, cell phone use and other private data. Who you visit, what you weigh, how often you call your mother and more is captured by these devices. Mandating that they be installed and accessible by the DOT is a terrible idea.”
“This decision to bypass Congress and adopt this change administratively demonstrates a reckless disregard for the privacy rights of the American people,” Cooper argued. “Claiming that the data collected will only be for the time period immediately surrounding the crash is no protection when the system itself will be running whenever the engine is on. In the digital era, we know that even if the programs were simply overwriting after each start, the underlying data remains there to be accessed. In this case, we don’t even have that assurance.”
“It is axiomatic that before the government can surreptitiously search a citizen or his car, it needs approval from a judge. Pretending that that protection goes away when the search is carried out electronically not only threatens the liberties of all Americans, it rejects our founders’ clear understanding of the limitations on the government,” Cooper concluded.

New Jersey, a leader in Privacy? Things had been going downhill since Uncle Foster was Governor; are we seeing a reversal?...
New Jersey Restricts Colleges’ Access to Students’ Personal Accounts, Considers Similar Protections for Employees
December 13, 2012 by Dissent
Michael Beder writes:
New Jersey earlier this month became the latest state to bar college and university officials from demanding access to students’ or applicants’ personal online accounts. Gov. Chris Christie signed the law, which takes effect immediately, on Dec. 3.
Under the new law, which applies to public and private higher-education institutions, schools cannot require a student or applicant to “in any way provide access” to “a personal account or service through an electronic communications device,” nor may schools “in any way inquire as to whether a student or applicant” has a social-media account.
Read more on Inside Privacy.

Interesting. Even though they use the financial area for their example, doesn't this suggest that Congress is ignorant? (Yes, Bob, it sure does.)
Effective Regulation Requires Information Richness
… We appreciate the efforts of thousands of good, well-meaning people who are dedicating large portions of their careers to resolving the issues, especially in light of conflicting political demands.
But as investors, citizens, and taxpayers, we find the lack of progress troubling, to say the least.
We suggest a new way of thinking about regulatory effectiveness to help inform honest debate, crystallize the issues, and break the stalemate. Actually, this new thinking is not so new. It stems directly from cybernetics, quality control, and information theory, all with roots at least 60 years old.
The most important principle (with some restatement on our part) comes from Stafford Beer in The Heart of Enterprise: "The complexity of the regulator must match the complexity of the regulated."

At last, someone is listening to me!
"Enthusiasm about Google's Kansas City fiber project is overwhelming. But in the Emerald City, the government doesn't want to wait. They have been stringing fiber throughout the city for years, and today announced a deal with company Gigabit Squared and the University of Washington to serve fiber to 55,000 Seattle homes and businesses with speeds up to a gigabit. The city will lease out the unused fiber, but will not have ownership in the provider nor a relationship with the end customers. [Exactly the model I suggested 20 years ago! Bob] The service rollout is planned to complete in 2014. It is the first of 6 planned university area network projects currently planned by Gigabit Squared."

The education model has changed – keep up or become obsolete?
UK Universities Forge Open Online Courses Alliance: FutureLearn Consortium Will Offer Uni-Branded MOOCs Starting Next Year
… Today’s news means even more MOOCs will be offered next year, as 12 UK universities are getting together to form a new company that will offer the online courses — under the brand name of FutureLearn Ltd. The universities are: Birmingham, Bristol, Cardiff, East Anglia, Exeter, King’s College London, Lancaster, Leeds, Southampton, St Andrews and Warwick, along with UK distance-learning organization The Open University (OU).

For my Data Analytics class
Mixpanel Launches A Site For Analytics Education, With Video Lectures From YouTube, BranchOut, And Others
Analytics startup Mixpanel has launched a new page on its website that co-founder Suhail Doshi described as “TED for analytics.”
The goal, he said, is to help companies get a better understanding of what kind of data to collect and how to use it. To that end, Mixpanel invites experts to its office for six weeks or so for an “office hours” event where they deliver lectures to customers and other friends of the company. Now Mixpanel is sharing those videos with a larger audience.
… You can browse the videos here.

Thursday, December 13, 2012

Were they using Jedi Mind Skills to make this determination? Interesting that the video showing her being tasered also records someone else videoing the same event.
"A woman who said she was asked to leave New Hampshire's Pheasant Lane Mall because she wanted to buy too many iPhones was pinned down by Nashua police and zapped by a Taser (video) as she shrieked in front of crowds of shoppers Tuesday. The Chinese woman from Newton, Mass blamed a language barrier for the confrontation outside the Apple Store in the Pheasant Lane Mall Tuesday afternoon. Police say Li knew exactly what they were telling her and simply refused to comply. Police said Li had $16,000 in cash in her purse at the time of her arrest and may have been purchasing the phones for unauthorized export resale."
[From the first article:
Jay said her mother bought two iPhones last Friday, and was told that was the limit. When she took video of others she claimed were buying more, the store manager asked her to leave.
The confrontation involving the Taser happened when Li went to the store on Monday to pick up two iPhones she ordered online.
"The management of the store asked us to have her removed. The officer approached her, told her she wasn't welcome in the store, and she refused to leave," Nashua Police Capt. Bruce Hansen said.
Police say the store had issued a stay-away order against Li.

I was going to rant against apathy, but then I realized no one cares...
"The voting period for the proposed changes to Facebook's Statement of Rights and Responsibilities and Data Use Policy ended on Monday, and despite the email sent out to the users asking them to review the changes and cast their vote, less than one percent of all users have done so. 'An external auditor has reviewed and confirmed the final results. Of the 668,872 people who voted, 589,141 recommended we keep our existing SRR and Data Use Policy,' stated Elliot Schrage, Facebook's vice president of communications, public policy, and marketing. Still, that is not nearly enough to prevent the proposed changes — as required by Facebook, at least 30 percent of the users should have voted against them in order to keep the previous versions of the policies. Schrage pointed out that the whole experience illustrated the clear value of Facebook's notice and comment process."

Useful tool?
Forget ‘Do Not Track’ — Protect Your Privacy Today With ‘DoNotTrackMe’ Add-On
The World Wide Web Consortium is currently working to standardize a “Do Not Track” mechanism to stop advertisers from following your every move around the web. Unfortunately, while the DNT tools are already supported in most web browsers, hardly any advertisers actually honor it. In fact, some advertisers seriously proposed an exception be made to DNT to allow web tracking.
If you’re serious about online privacy you’re going to have to do more than hope that advertisers voluntarily stop tracking you, you’re going to have to actively block them.
There are several tools that make it easy to stop the tracking. One of the best, DoNotTrackPlus, was recently renamed DoNotTrackMe (DNTMe). The new name arrives alongside a major upgrade that blocks more trackers, adds some nice analytics and offers per-site tracking reports.
The DNTMe add-on is available for Chrome, IE, Firefox and Safari. You can grab a copy for your browser from Abine’s download page.

“Well, no, he didn't actually click on the link, but he was hovering his mouse over it with intent to click.”
"A new Internet Explorer vulnerability has been discovered that allows an attacker to track your mouse cursor anywhere on the screen, even if the browser isn't being actively used. 'Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser. It is important for users of Internet Explorer to be made aware of this vulnerability and its implications. The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.' All supported versions of Microsoft's browser are reportedly affected: IE6, IE7, IE8, IE9, and IE10."

I was hoping for guidance on how I might learn to lie “for the right reasons” but aside from the obvious (go to Law School) they never addressed this question.
Spoofing Upheld, If Done for the Right Reasons
December 12, 2012 by Dissent
Cameron Langford reports:
Mississippi cannot outlaw spoofing services that do not try to cause harm by misrepresenting a phone caller’s number to the recipient, the 5th Circuit ruled.
In 2010 Mississippi enacted the Caller ID Anti-Spoofing Act (ASA) which makes it illegal for a person to enter false information into a phone caller ID system with the intent to deceive, defraud or mislead the recipient. The law also makes it illegal to knowingly place a call after false info has been entered into the phone caller ID system with intent to deceive, defraud or mislead the recipient.
Read more about the case and the Fifth Circuit’s ruling on Courthouse News.
[From the article:
A federal judge ultimately found that Mississippi's law violated the commerce clause because it regulated commerce outside the state.
… "There is an inherent federal objective in TCIA to protect non-harmful spoofing. ASA's proscription of nonharmful spoofing - spoofing done without 'intent to defraud, cause harm, or wrongfully obtain anything of value' - frustrates this federal objective and is, therefore, conflict-preempted."

It's no longer called evidence, now it's called, “Foreverdence”
December 12, 2012
Commentary - The life span of email
Curt Hopkins for The Daily Dot: "When a user “deletes” an email in the normal fashion, it becomes invisible to that user [“Out of sight, out of mind” Bob] and is immediately a candidate to be overwritten. But until it is in fact overwritten, it exists. And it may persist longer on company servers. So, even if it is taken off your computer, it may still be available on the host’s server. Given that email-hosting companies are legally obliged to turn over user information to law enforcement and intelligence authorities with warrants—and these days even without them—the impossibility of being certain of a deletion means you must presume that any email you compose will remain accessible forever."

What an interesting business model. Sell shares in your lawsuit! Add in the twist documented in “The Producers” and sell 800% of a “sure loser” and you never even need to go to court!
David v. Goliath: Students turn to crowd-funding for Facebook privacy court case
December 13, 2012 by Dissent
Moritz Jaeger of The German View reports:
A student group planning to take legal action against Facebook has turned to crowd-funding to finance its court case.
The Austrian student group Europe-v-Facebook announced its intention last week to press ahead with a civil case against Facebook, claiming the social network is violating European data protection law.
Europe-v-Facebook is now preparing for court, and estimates that the cost of the case might range between €100,000 and €300,000. With no access to legal aid, the group is hoping to finance its battle using contributions from supporters online.
Read more on ZDNet

Perspective: One of the few technologies actually used for the intended purpose?
December 12, 2012
Pew - Social Networking Popular Across Globe
"Social networking has spread around the world with remarkable speed. In countries such as Britain, the United States, Russia, the Czech Republic and Spain, about half of all adults now use Facebook and similar websites. These sites are also popular in many lower-income nations, where, once people have access to the internet, they tend to use it for social networking. Meanwhile, cell phones have become nearly ubiquitous throughout much of the world, and people are using them in a variety of ways, including texting and taking pictures. Smart phones are also increasingly common – roughly half in Britain, the U.S., and Japan have one. Globally, most smart phone users say they visit social networking sites on their phone, while many get job, consumer, and political information."

Interesting conjecture for my Criminal Justice students to kick around.
Lois McMaster Bujold: Crime Scenes Tend to Be Book-Free Zones

The best of 2000 nominations in 20 categories. Worth a look now that the filtering has been done for you.
The Edublog Awards

Worth a read...
  • New collaboration tools for Word.
  • Recommended graph tools in Excel.
  • Slide design improvements for PowerPoint.
  • Using OneNote for improved productivity.
  • Using SkyDrive effectively.
  • Upgrades to Access and Publisher.

Wednesday, December 12, 2012

Doesn't anyone read these cautionary tales?
By Dissent, December 12, 2012 7:56 am
Danny Garcia reports on some good news for Miami Family Medical Centre in Australia. As I previously noted, their patient records had been encrypted by an overseas hacker who was demanding ransom to give them the encryption key:
Garcia reports that Essential IT Services, a Gold Coast based reseller, was able to get them back into their data.
One of the take-home messages from this incident was that you should not leave your backups on the same server and connected to the Internet. The medical center had backups, but they, too, had been locked.
“The backup system in place was pretty good but the recovery of the data and getting them up and running has been a bit of a job”, said Jason Fillmore, who is the managing director at the reseller firm.
Fillmore said hackers have not left a single stone unturned to make the case complicated. But, it was great to know that their client has recorded their backups on DAT as well. [I suspect this means Digital Audio Tape, but that makes me wonder why it wasn't mentioned in earlier articles. (Perhaps management didn't know?) Bob] Work is going on to repair the system, said Fillmore, who affirmed that the centre system will be fully operational by next week. It means that the centre will be back after one week, which is after two weeks of attack.

Are we fighting “virtual crime syndicates?” A multi-jurisdiction investigation must take some serious coordination, or do we wait until the arrests to tell other countries?
Facebook helps FBI take down $850M botnet crime ring
Facebook helped the FBI take down an international crime ring that used a botnet to infect 11 million computers and steal more than $850 million, one of the largest cybercrime hauls in history.
… The FBI said the arrests occurred in Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, the United Kingdom, and the United States.
… The FBI did not elaborate on how it arrived at its $850 million theft figure, but that haul easily dwarfs the Eurograbber, which was revealed last week to have stolen about $47 million from European banking customers in the past year. The Yahos spoils also surpass the take by the Zeus botnet crime ring, which infected an estimated 13 million computers with malware to steal more than $100 million.

“This way to the egress!” (The victory of curiosity over common sense?)
"QR codes are very handy for directing users to specific sites by simply scanning them with their smartphones. But the ease with which this technology works has also made it a favorite of malware peddlers and online crooks, who have taken to including QR codes that lead to malicious sites in spam emails. They have also begun using the same tactic in the physical world, by printing out the malicious QR codes on stickers and affixing them on prominent places in locations where there is a lot of foot traffic. According to Symantec Hosted Services director Warren Sealey, these locations include airports and city centers, where the crooks stick them over genuine QR codes included in advertisements and notices, and most likely anywhere a person might look and be tempted to scan them."

For my Ethical Hackers...
"Darren Nix works for 42Floors, a business that uses its website to help people find office space. He recently received a marketing email for a service that offered to identify visitors to his website. After squeezing some information out of the marketer and playing around with a demo account, he now explains exactly how sketchy companies track your presence across multiple websites. The marketer offered to provide Nix with 'tracking code that would sit in your web site' which would 'grab a few key pieces of data from each visitor.' This includes IP addresses and search engine data. The marketer's company would then automatically analyze the data to try to identify the user and send back whatever personal information they've collected on that user from different websites. Thus, it's entirely possible for a site to know your name, email address, and company on your very first visit, and without any interaction on your part. Nix writes, 'A real-world analogue would be this scenario: You drive to Home Depot and walk in. Closed-circuit cameras match your face against a database of every shopper that has used a credit card at Walmart or Target and identifies you by name, address, and phone. If you happen to walk out the front door without buying anything your phone buzzes with a text message from Home Depot offering you a 10% discount good for the next hour. Farfetched? I don't think so. ... All the necessary pieces already exist, they just haven't been combined yet.'"

What should we adopt, what should we be wary of?
December 11, 2012
Privacy International - A New Dawn: Privacy in Asia
"Privacy has truly become an issue of global resonance. A quick glance at policy agendas in countries around the world shows that privacy and surveillance issues are increasingly important. The challenge, however, is improving the ability of governments and policy stakeholders to engage in a policy debate that is informed about the dangers of surveillance and the importance of protecting privacy. This is the primary objective of our Privacy in the Developing World programme. In this report, A New Dawn: Privacy in Asia, we summarise our partner’s research into privacy in developing countries across Asia. The experiences of privacy in these countries are illustrative of the many opportunities for and challenges to the advancement of privacy, not only the developing world but across the world. Click here for individual country reports for India, Pakistan, Bangladesh, Indonesia, Nepal, Malaysia, Thailand, Hong Kong, China and the Philippines."

Always was a fan of Science Fiction. Fortunately, I speak enough Japanese to order beer...
"Yesterday the National Intelligence Council (NIC), which is made up of 17 U.S. government intelligence agencies, released the 140-page report Global Trends 2030 Alternate Worlds. In all four of the alternative visions of the future, U.S. influence declines and it may be regarded more as a 'first among equals.' By 2030, the West will be in decline and Asia will wield more overall global power than the U.S. and Europe combined. 'China alone will probably have the largest economy, surpassing that of the United States a few years before 2030,' the report states. 'Megatrends' include an overall reduction of poverty and the 'growth of a global middle class.' NIC also sees a potential world of scarcities as the demand for food and water increase as the world's population swells from 7.1 billion to 8.3 billion people. Advances in health technologies will help people live longer, but 60% of the world's population is expected to live in an urban environment. The report also addresses technological augmentation: 'Successful prosthetics probably will be directly integrated with the user’s body. Brain-machine interfaces could provide “superhuman” abilities, enhancing strength and speed, as well as providing functions not previously available.'"

Another “Asian power” rising? “Oh look, the maniac has a gun and has shown us he can use it.”
virtualXTC writes with news that North Korea, in defiance of international pressure to halt development and testing of long-range weaponry, launched a multi-stage rocket which successfully followed its intended trajectory. The North Korean government claims a weather satellite was placed into orbit. [They also claimed that the Onion article naming Kim Jong Un the sexiest man alive was fact. Bob]
"South Korea has confirmed the launch time, and Japan has confirmed that the rocket went over Okinawa. Two stages of the rocket have successfully avoided other countries and fallen into the sea. While it is still unconfirmed as to whether or not North Korea actually put a satellite into orbit, it seems clear that sanctions have failed to curb North Korea's quest for more powerful weaponry."

Stupid law. “There is a 0.0000001 chance that you will use this to pirate copyrighted material, so you should pay us the same fee we collect on a sale.” Perhaps I should calculate the odds of me winning a lawsuit against the RIAA and asking them to pay me the full amount now...
"Depending on where you are in the world, blank media may have a secondary tax applied to it. It seems ludicrous that such a tax even be considered, let alone be imposed, and yet an Austrian rights group called IG Autoren isn't happy with such a tax covering just physical media; it wants cloud storage included, too. At the moment, consumers in Austria only pay this tax on blank CDs and DVDs. IG Autoren wants to expand that to include the same range of media as Germany, but also feels that services like Dropbox, SkyDrive, Google Drive etc. all fall under the blank media banner because they offer storage, and therefore should carry the tax — a tax consumers would have to pay on top of the existing price of each service."

(Related) Useless law. Note that this doesn't actually provide any protection from lawsuits, at least in Canada.
"Ars Technica reports that Voltage Pictures, the studio behind the infamous Hurt Locker debacle, has requested subscriber information for thousands of TekSavvy customers in relation to alleged copyright infringements. In their official blog, TekSavvy clarifies the situation and provides further reassurance that they will not release any private customer information without a court order. They have also posted the legal documents containing both the official notice and list of films that are the subjects of the alleged infringements. However, several questions remain to be answered: will Canadian courts be amicable to these tactics after changes to copyright law were made specifically to prevent the predatory legal entanglement of Canadian citizens? Will the studio actually attempt to pursue the situation beyond the proliferation of threatening extortion letters? How would the already-clogged courts react to what amounts to a denial-of-service attack on the judicial system?"

It's annoying, but it's not yelling “Fire!” in a crowded theater. If they lose, will I be able to use the ruling to block those annoying political ads?
"ccAdvertising, a company purported to have 'a long, long, long history of pumping spam out of every telecommunications orifice, and even boasting of voter suppression' has asked the FCC to declare spam filters illegal. Citing Free Speech rights, the company claims wireless carriers should be prohibited from employing spam filters that might block ccAdvertising's political spam. Without stating it explicitly, the filing implies that network neutrality must apply to spam, so the FCC must therefore prohibit spam filters (unless political spam is whitelisted). In an earlier filing, the company suggests it is proper that recipients 'bear some cost' of unsolicited political speech sent to their cell phones. The public can file comments with the FCC on ccAdvertising's filing online."

Perspective: Any bets on how many providers will use this in their advertising?
"Netflix will start releasing monthly ISP speed reports for the U.S. Google Fiber ranks at the top. They say, 'Broadly, cable shows better than DSL. AT&T U-verse, which is a hybrid fiber-DSL service, shows quite poorly compared to Verizon Fios, which is pure fiber. Charter moved down two positions since October. Verizon mobile has 40% higher performance than AT&T mobile.' Hopefully this will give consumers a better overall picture on how their ISP performs compared to others."

December 11, 2012
Pew - The Demographics of Mobile News
The Demographics of Mobile News Habits: Men, College Grads and the Young Are More Engaged, December 11, 2012: "Younger Americans demonstrate much stronger news habits in the mobile realm than on other news platforms, according to a new study by PEJ in collaboration with The Economist Group. Another finding, with potentially significant implications for the news industry, reveals that younger users are more responsive than other age groups to advertisements in the mobile news space... Overall, news consumption ranks high on mobile devices. Over a third report getting news daily on the tablet and the smartphone, putting it on par with other activities such as email and playing games on tablets and behind only email on smartphones. The popularity of news remains strong across all demographic groups studied, but is especially prevalent among men and the college educated. On the smartphone, differences also emerge in age and income."

Dilbert provides counterpoint for my Statistics students.

Tuesday, December 11, 2012

Can anyone send your application a “self-destruct” code? This could be rather important strategically. As infrastructure becomes more complex, it becomes more fragile. And (apparently) not all points of failure are well documented.
Google Accidentally Transmits Self-Destruct Code to Army of Chrome Browsers
Google’s Gmail service went down for about 20 minutes on Monday. That was annoying, but not exactly unprecedented. These sorts of outages happen all the time. What was strange is that the Gmail outage coincided with widespread reports that Google’s Chrome browser was also crashing.
Late Monday, Google engineer Tim Steele confirmed what developers had been suspecting. The crashes were affecting Chrome users who were using another Google web service known as Sync, and that Sync and other Google services — presumably Gmail too — were clobbered Monday when Google misconfigured its load-balancing servers.
… “It’s due to a backend service that sync servers depend on becoming overwhelmed, and sync servers responding to that by telling all clients to throttle all data types,” Steele said. That “throttling” messed up things in the browser, causing it to crash.
This may be a first. Bad webpage coding can often cause a browser to crash, but yesterday’s crash looks like something different: widespread crashing kicked off by a web service designed to help drive your browser.
Think of it as the flip side of cloud computing. Google’s pitch has always been that its servers are easier to use and less error-prone than buggy desktop software. But the Sync problem shows that when Google goes down, it can not only keep you from getting your e-mail — it can knock desktop software such as a browser offline too.

(Related) I imagine the Pentagon watched these with concern that it was the start of “the next Pearl Harbor” and if not, why not?
Facebook Is Down, Mobile Apps Still Working For Some — Second Big Tech Outage Of The Day (Update: It’s Back)
According to our own tests, as well as reports on Twitter, Facebook is down for a vast number of users. It’s the second big outage of the day after Google’s.

If true, what does it say about the average security of government agencies?
GhostShell claims breach of 1.6M accounts at FBI, NASA, and more
Team GhostShell, the hacktivist collective, said today that it has stolen accounts from a large number of government agencies, contractors, and security firms, posting information from 1.6 million accounts online.
Dubbed Project White Fox, the hacking project appears to have affected NASA, the FBI, the Pentagon, and Interpol, among many others. The hackers announced their work in a file posted on Pastebin.
… GhostShell is said to be loosely connected to hacktivist network Anonymous. The Next Web notes that GhostShell previously made headlines in October, when it breached 100 universities and leaked more than 100,000 student records online. It later declared "war" on Russia to protest government repression.

We know WHAT, do we know WHY?
Public Buses Across Country Quietly Adding Microphones to Record Passenger Conversations
… The use of the equipment raises serious questions about eavesdropping without a warrant, particularly since recordings of passengers could be obtained and used by law enforcement agencies.
It also raises questions about security, since the IP audio-video systems can be accessed remotely via a built-in web server (.pdf), and can be combined with GPS data to track the movement of buses and passengers throughout the city.

In the news, but nothing really new.
December 10, 2012
FTC's Latest Kids’ App Report Finds Little Progress in Addressing Privacy Concerns
News release: "The Federal Trade Commission issued a new staff report, Mobile Apps for Kids: Disclosures Still Not Making the Grade, examining the privacy disclosures and practices of apps offered for children in the Google Play and Apple App stores. The report details the results of the FTC’s second survey of kids’ mobile apps... Staff examined hundreds of apps for children and looked at disclosures and links on each app’s promotion page in the app store, on the app developer’s website, and within the app. According to the report, “most apps failed to provide any information about the data collected through the app, let alone the type of data collected, the purpose of the collection, and who would obtain access to the data. Even more troubling, the results showed that many of the apps shared certain information with third parties – such as device ID, geolocation, or phone number – without disclosing that fact to parents. Further, a number of apps contained interactive features – such as advertising, the ability to make in-app purchases, and links to social media – without disclosing these features to parents prior to download.”"

Apparently it is difficult to tell “outrage” from “Jealousy” but since these companies are smart enough to follow the established procedures for minimizing their taxes, what is there to be outraged about? Oh, yeah. “I'm too dumb to do that.” (Beware of any rant including the word “fair”)
"After the ongoing row about companies not paying a fair share of tax in the United Kingdom, and with companies such as Starbucks, Amazon and Google being in the headlines, focus has now turned to Microsoft. Whilst the tax arrangements are strictly legal, there has been outrage on how companies are avoiding paying their fair share of tax generated in the country."
And over here in the U.S., dstates sent in news of Google getting caught doing something similar:
"Bloomberg reports that Google is using Bermuda shell companies to avoid paying billions of dollars in taxes world wide. By routing payments and recording profits in zero tax havens, multinational companies have been avoiding double digit corporate taxes in the US and Europe. Congressional hearings were held in July on the destructive consequences of off shoring profits. Why aren't the US and Europe exerting more diplomatic pressure on these tax havens that are effectively stealing [Even though they get “zero taxes?” Bob] from the US and European treasuries by allowing profits that did not result from activities in Bermuda or the Cayman Islands to be recorded as occurring there?"

This could be generalized for other types of organizations...
FERPA and the Cloud: Why FERPA Desperately Needs Reform
December 10, 2012 by Dissent
Dan Solove writes:
The Family Educational Rights and Privacy Act (FERPA) is in dire need of reform. In so many ways, the statute fails to address the key issues that schools are facing. In this essay, I will address how FERPA’s shortcomings impact a specific issue – cloud computing.
Selecting a Cloud Provider
FERPA says little about selecting a cloud provider. As I wrote in an earlier essay, there are numerous issues that schools ought to consider when choosing a cloud provider, and many terms that schools should ensure are included in an agreement with a cloud provider.
Read more on SafeGov.

Also searches for courses...
Students search for educational videos to learn about subjects all the time. But educational videos on the same subject can be of a varied nature and not take the approach that you were hoping for. Here to help is a source of educational videos that lets you search for videos based on the words spoken in them; this source is called Mobento.
Mobento is a free to use online web service that offers its users the ability to stream numerous educational videos.