Saturday, December 29, 2012

If this is what it costs to lose an unencrypted laptop, and encryption is really really cheap, is the failure to encrypt negligence? Somehow I think there is much more to the story.
By Dissent, December 28, 2012 11:48 am
I was surprised to read this morning that Hospice of North Idaho had settled charges by HHS over a laptop stolen from an employee’s car in the summer of 2010.
I was surprised, in part, because I was not aware of this incident at all as it had not appeared in HHS’s breach tool. Since it occurred after HITECH went into effect, it’s possible that the breach affected less than 500 patients. According to a statement from the hospice reported by David Cole of the Coeur d’Alene Press, the hospice had appropriately reported the incident at the time to HHS.
So why did HHS fine this hospice $50,000? Was it to make some point about leaving laptops in unattended cars? If so, I approve in principal, but why this hospice instead of one of the many other covered entities that have had laptops stolen from cars? At least in this case, it is somewhat more understandable that an employee would have removed patient data from the office as they provide home-based hospice services.
Should the data have been encrypted or otherwise protected? Obviously. And do I agree with the hospice’s statement that “The theft of the laptop was out of our hands?” Obviously not. If you wouldn’t leave your wallet with all your credit cards and IDs in your car to be stolen, you shouldn’t be leaving a laptop with patient information in your car to be stolen. And if you would leave your wallet in your car, I personally don’t think you should ever be trusted with patient data.
But a $50,000 fine for a hospice that self-reported a breach seems harsh, particularly when we think of all the other cases where no fine was imposed.
There is no statement on the hospice’s web site at this time. Nor on HHS’s. I’ve e-mailed both requesting a statement or explanation as to why this breach resulted in a fine and hope we’ll find out more. [I'll watch for that... Bob]


Tools & Techniques Who should have these installed? (Each has a free version)
… What exactly is a keylogger? Forgive me for using the term in the definition, but it’s a malicious infection that resides on your computer, logging a record of your keys as you press them. It saves every key pressed on your keyboard then sends that information back to a home server somewhere. A hacker then uses this information to break into your personal accounts and dig through your information.
The cold and honest truth, however, is that preventative software will never catch 100% of keylogger cases. Hackers are constantly creating new keyloggers and new malware to infest computers all over the globe. Protective software will always be playing a game of “catch up”.
So if you want to maximize your safety, be sure to read Matt’s article on 4 ways to protect yourself against keyloggers.


What ever you do, don't broadcast on 104.7 FM (without recording it all on your smartphone!)
"For months, dozens of people could not use their keyless entry systems to unlock or start their cars when parked in the vicinity of the eight-story Regents bank building in Hollywood, FL. Once the cars were towed to the dealership for repair, the problem went away. The problem resolved itself when police found equipment on the bank's roof that was broadcasting a bootleg radio station. A detective and an FCC agent found the equipment hidden underneath an air conditioning chiller. The man who set up the station has not been found, but he faces felony charges and fines of at least $10,000 if he is caught. The radio station was broadcasting Caribbean music around the clock on 104.7 FM."


A concise summary, with lots of links.
December 28, 2012
TrendMicro - The Trends in Targeted Attacks of 2012
Nart Villeneuve (Senior Threat Researcher): "Throughout 2012, we investigated a variety of targeted attacks including several APT campaigns such as LuckyCat and Ixeshe, as well as updates on some long running campaigns such as Lurid/Enfal and Taidoor. There was a lot of great research within the community related to targeted attacks published this year, and I’ve clustered the research I found to be the most interesting into six themes that I think also encapsulate the trends in targeted attacks of 2012."


Ah, if only... Meanwhile, have fun imagining the various scenarios that could result in a cloned profile.
There’s a story in the Cranberry Eagle by Jared Stonesifer about a man who has sued LinkedIn because his information was displayed in a profile that he hadn’t created, and LinkedIn wouldn’t tell him who created it – even though they removed the page:
The lawsuit, which was filed Thursday, says that Senft keeps his personal contact information private.
The Point Daily also covers the lawsuit.
So what do you think will happen here? Will LinkedIn try to settle the suit by giving the plaintiff the information he requested, or will it hold out for a court order? And what should be the consequences of this breach? Can Senft show harm? Or will this breach, too, gets dismissed?
I can’t wait to see what Venkat Balasabrumani thinks of its chances.
[From the PointDaily article:
… the supporters of improved privacy on social media are taking this development very seriously, because other people can also be effected by similar results as well. On the other hand, Linkedin Corp. is not reacting to the legal action proactively and is looking to bury the matter under the dust of time, analysts added.


Soon, everyone will have at least one drone. Perhaps we should get into the “Rent a Drone” business?
In January of this year, we posted news of a major pollution site in Texas that was the subject of some anonymous amateur sleuths with drones, who used their UAVs to document the release of a "river of blood" (pig blood, that is) into the Trinity River as it flows through Dallas. Now, garymortimer writes, that documentation has resulted in legal action in the form of an indictment from a Dallas grand jury.
"The story went viral and continues to receive hits nearly a year later. I believe this is the first environmental crime to be prosecuted on the basis of UA evidence. Authorities had to act because of the attention the story was receiving." [Not entirely true, but an invitation to activists with drones... Bob]

(Related)
Texas UAV Enthusiast Uses Pilotless Aircraft to Uncover River Contamination
… The contamination was noticed by the operator after reviewing images he’d taken of the Trinity River while flying a homemade UAV, according to Small Unmanned Aerial Systems News (sUAS), a Web site that tracks unmanned vehicle-related news.
“This flight was undertaken completely within the law, below 400 feet and visual line of sight,” wrote Gary Mortimer of sUAS.
… The UAV used to photograph Trinity River was created by mounting a point-and-shoot digital camera onto a $75 airframe.
… Mortimer says UAS technology gives operators the "ability to look over a fence" that didn't exist years ago, so privacy issues are inevitable.


I wonder who gave them this idea?
"Prenda Law — one of the most notorious copyright trolls — has sued hundreds of thousands of John Doe defendants, often receiving settlements of thousands of dollars from each. Prenda Law principal John Steele has reportedly made a few million dollars suing BitTorrent file-sharers. Prenda Law has been accused in federal court of creating sham offshore corporations using the identity of his gardener. In other words, it is alleged that the law firm and their client are the same entity, and that Prenda law has committed identity theft and fraud. Now, a judge in California has granted a John Doe defendant's motion to further explore the connection between the offshore entity and the law firm."


This is very wrong students. I'm only pointing out the details so you can avoid doing wrong (under your own name)
… Amazon’s official Kindle Store Terms of Use are very clear about this, stating “Kindle Content is licensed, not sold, to you by the Content Provider”. Technically speaking, Amazon can take the book away at any time – simply remove it from your device remotely and delete your account, which wouldn’t be a first for them.
… After you de-DRM your Kindle books, you will be able to read them on your Kindle as per usual, but you will also be able to convert them to PDFs, ePubs (for reading on a Nook, for example), and any other format. Most importantly, Amazon would never be able to take those books away from you – you get to keep what you bought.
  • Stripping DRM violates Amazon’s ToS.
  • Stripping DRM may be illegal in your country or state.
  • If you are a decent human being, I trust that you will not distribute the content you de-DRM.
  • Last but not least: DRM is a cat-and-mouse game. This method works at the time of this writing, and may stop working tomorrow, as soon as Amazon change things.


End of year lists...


Because nobody will ever create an Infographic of “Bob Quotes” (I particularly like number 13)


Well, I find it interesting...
… As of January 1, 2013, we can welcome to the public domain (in countries that follow the “life plus 70 years” copyright period) the works of writers and artists like anthoplogists Franz Boas and BronisÅ‚aw Malinowski and Anne of Green Gables author L. M. Montgomery. Mike Masnick has pulled together the list of new items in the public domain for the U.S. — empty.
… A competition on the machine learning site Kaggle is looking for folks to “visually uncover trends in the Colorado public school system” by using 3 years of school grading data supplied by the Colorado Department of Education. The prize is $5000. The deadline, January 19.

Friday, December 28, 2012

Has BYOD become so worrysome that this is their best response? Can't they come up with adequate controls by any other method? I think this is something we need to watch.
December 27, 2012
Companies deploying iPads to employees - no more bring your own devices to work
American Banker: "Barclays recently announced that it has made a bulk order of 8,500 iPads for staff in order to improve customer service and boost sales. The devices are being given to front-office employees in its 1,600 branches — an average of five per branch — in one of the largest uses so far of Apple's tablets in an enterprise. Sovereign Bank and others are following suit... Many banks and other large businesses Tekserve works with are buying iPads for their employees and setting up the devices with recommended apps and personalization, so that the user's email account, VPN access and such are already on the device the first time she uses it. Some companies assign each user an app store login and let them install their own apps... Another corporate customer, CableVision, is deploying 3,000 iPads to field service technicians. When they get the iPad from Tekserve, it has their email, corporate desktop and 30 apps on it."


Holiday reading...
Dec 282012
Below are some articles recently uploaded to SSRN. Clicking on the links will take you to SSRN where you can download the full paper or book.
Drones and Privacy Governance
Gregory S. McNeal Pepperdine University School of Law ; Pepperdine University – School of Public Policy
Law, Dissonance and Remote Computer Searches
Susan W. Brenner University of Dayton – School of Law
Surveillance and the Individual’s Expectation of Privacy Under the Fourth Amendment
Eoin Carolan University College Dublin (UCD) – School of Law
Open Book: The Failed Promise of Information Privacy in America
James P. Nehf Indiana University Robert H. McKinney School of Law
Online Advertising and Privacy
Alexandre De Corniere, Oxford University and Romain De Nijs, University of California, Berkeley – Haas School of Business and Ecole des Ponts ParisTech


I thought I was safe when wearing my tinfoil yarmulke but now I'm switching to a sombrero and one of those “Mission Impossible” masks of this Law School professor I know...
Security Drones Foil Crooks Who Look Up
Flying drones are big big news. The government uses them to kill people, the cops use them to catch bad guys and, for a moment, anyway, we thought we’d use them to deliver tacos. And now security companies are hoping to cash in with an autonomous eye in the sky to keep you safe.
Japanese security firm Secom announced on Thursday that it will lease security drones to clients beginning in May.
… It sounds like a great plan until you realize the hoodlum must look up in order to be identified. Maybe that won’t be so tough, given that quadrocopters make a lot of noise. That, of course, leads to another issue: keeping the thing in the air. All it takes is a stick or well-thrown rock to disable a drone. You know what happens when the drone hits the ground? It becomes part of the haul. What thief would resist a quadrocopter loaded with the latest camera equipment? [...and a GPS that can “phone home?” Bob]


Fishy from the start...
HP acquired Autonomy for $11.1 billion, only to take an $8.8 billion writedown due to alleged fraud on Autonomy’s part. HP states that Autonomy is guilty of “serious accounting improprieties,” and that it fraudulently inflated its apparent worth to make HP bid accordingly. Now the U.S. Department of Justice has gotten involved, opening an investigation in the matter.
… Rumors that Autonomy was up to no good were circling before HP acquired the company, and according to inside sources, HP wanted out of the deal. The company failed to find any evidence of fraud on Autonomy’s part, however, giving it no legitimate excuse to back out. [They should have hired a lawyer Bob]


Announcing the “Send Bob to New Zealand” fund! (and more on the story the RIAA hoped would die quietly)
Kim Dotcom To Host Mega’s Launch Event At His New Mega Zealand Mansion Next Month
Kim Dotcom doesn’t do things small. The man behind the Megaupload empire is about to launch his next service dubbed simply Mega. But don’t expect a simple press event in a hotel conference room. Nope, on January 20, 2013, exactly one year after his over-the-top takedown, Dotcom is hosting the Mega launch event at his sprawling New Zealand estate — effectively giving the finger to the RIAA, MPAA, and the shady US Justice Department.


Local. All I got was a sweater.
Kid Finds Homemade Porn on Nintendo 3DS He Got for Christmas
OK, so here's a reason to rethink buying refurbished. Five-year-old Braydon Giles popped open a 3DS he just got for Christmas to find about nine photos of people, presumably the previous owners (or the previous owner's parents?), having sex.
… The Colorado Gamestop where Giles purchased the 3DS has of course apologized, and Gamestop has issued a you're-probably-still-suing-us-but-hey-it's-worth-a-try statement about the incident:
"GameStop is currently researching this situation. We have a rigorous quality control process in place [Tip: Every now and the, check to see if it is working... Bob] to ensure that existing content is removed from all devices before they are re-sold. Out of millions of transactions each year, ones like this happen very rarely. [So they do happen? Bob] Our number one priority is to make this right for our customer."

(Related) Doomed to fail.
South Korea planning to block pornography and swear words on teenagers' smartphones
The South Korean government has laid out plans to install software on teenagers’ smartphones that will block "'illegal [and] harmful information." The Ministry Of Gender Equality And Family believes that installing the software will block swear words and slang — as well as prevent cyber-bullying — on social and messaging networks such as KaKao Talk, Facebook, and Twitter. The governmental body will also require a compulsory filtering service for mobile carriers that will block "harmful information" that includes pornography and nudity.


Perspective
… For many people, having a home phone makes no sense when all calls can go to a mobile phone or smartphone that can be on your person at all times. The source of the survey that showed only half of Americans have home phone is rather surprising.
The study was conducted by the Center for Disease Control and is called the National Health Interview Study.


A different way to look at social relationships. (A 3 minute video.)
Three New Networks for the Digital Age
Lynda Gratton, London Business School professor, suggests ways to stay connected in an increasingly mobile world.


Stories I tell my Math students. (I also mention that we are probably failing to identify many Ramanujans, Einsteins, or Mozarts because they don't live in places where it is easy to find them. Like war zones or countries without adequate infrastructure. Shame)
"Another chapter in the fascinating life of Srinivasa Ramanujan appears to be complete: 'While on his death bed, the brilliant Indian mathematician Srinivasa Ramanujan cryptically wrote down functions he said came to him in dreams, with a hunch about how they behaved. Now 100 years later, researchers say they've proved he was right. "We've solved the problems from his last mysterious letters. For people who work in this area of math, the problem has been open for 90 years," Emory University mathematician Ken Ono said. Ramanujan, a self-taught mathematician born in a rural village in South India, spent so much time thinking about math that he flunked out of college in India twice, Ono said.'"


Maybe I can learn electronics at last (if they go slow)
Adafruit to Teach Electronics Through Puppets in New Kids’ Show
Adafruit, the kit-based electronics retailer and promoter of hobbyist engineering, is aiming to teach electronics to a younger demographic. So young that they’re enlisting the help of puppets.
Their new online show, titled Circuit Playground, will teach the essentials of electronics and circuitry to children through kid-friendly dolls with names like Cappy the Capacitor and Hans the 555 Timer Chip.

Thursday, December 27, 2012

Is ID theft so common that it is ignored?
They’re guilty of ID theft, but don’t ask the government how/where they got the personal info?
December 26, 2012 by admin
Here’s another case where it’s clear there’s been some compromise of PII, but we have no idea how from what law enforcement tells us:
According to documents filed in court, Miami-Dade Police Department (MDPD) officers executed a search warrant at [Travonn Xavier Russell's] residence on January 18, 2012. During the search, MDPD officers found the following inside the residence: distribution quantities of different types of narcotics (cocaine, MDMA, and marijuana); paraphernalia associated with narcotics distribution; two firearms; approximately 129 debit cards in various names; tax return documents in names other than the defendant’s; and multiple notebooks with personal identifying information (names, dates of birth, and social security numbers) of 442 individuals.
The criminal complaint also indicated that they found “various employment applications with personal identifying information along with photocopies of driver’s licenses belonging to individuals other than Russell” and “additional photocopies of social security cards and driver’s licenses in names other than Russell.”
With respect to the notebooks, the complaint states:
Notebooks with hundreds of hand-written entries with names, social security numbers, dates of birth, addresses, occupations, e-mail addresses with password, date accepted, date filed and dollar amount – none of which were in the name of RUSSELL (numerous entries of personal identifying information in the notebooks match the names embossed on the debit cards).
So where did he get the identity info? They don’t say. In fact, nowhere in the court records that I read does it mention the source of the identity information. You’d think law enforcement might ask or make a point of finding out, right? Apparently not.
I had an interesting conversation recently with someone knowledgeable about USAO press releases. He informed me that there were actually very strict laws about what they are allowed to include in press releases and that the releases cannot go beyond the public record. That makes sense, I suppose, but it is still frustrating because I think it should be in the court documents.
I wish prosecutors would make it part of any plea deal that the defendant has to explain how/where they got the identity information.
But that’s in the World According to Dissent. Most law enforcement officials don’t inhabit that world.

(Related) Certainly the bad guys can get stolen Ids cheap.
Exploring the Market for Stolen Passwords
December 26, 2012 by Dissent
If you haven’t been keeping up with what’s going on in the online criminal market for your credentials and information, you really need to read a new column by Brian Krebs. As Brian reports, the days of compromised PCs just being used for spam runs or denial of service attacks is in the past. Now the information on your PC – including your email, banking, and store login credentials are being harvested and monetized:
Some of the most valuable data extracted from hacked PCs is bank login information. But non-financial logins also have value, particularly for shady online shops that collect and resell this information.
Logins for everything from Amazon.com to Walmart.com often are resold — either in bulk, or separately by retailer name — on underground crime forums. A miscreant who operates a Citadel botnet of respectable size (a few thousand bots, e.g.) can expect to quickly accumulate huge volumes of “logs,” records of user credentials and browsing history from victim PCs. Without even looking that hard, I found several individuals on Underweb forums selling bulk access to their botnet logs; for example, one Andromeda bot user was selling access to 6 gigabytes of bot logs for a flat rate of $150.
Read more on KrebsonSecurity.com.


For those of us who think mandatory brach disclosure is a good thing, I give you a “for instance.”
December 26, 2012
NextGov - New mandate would require military contractors to report cyber breaches
Aliya Sternstein reporting in NextGov: "The Defense authorization bill approved by Congress last week would require contractors to tell the Pentagon about penetrations of company-owned networks that handle military data. If President Obama signs the legislation into law, it would make permanent part of a Pentagon test program under which participating contractors report computer breaches in exchange for access to some classified cyber threat intelligence. What began as a defense industrial base pilot program in 2011 was opened to all interested military vendors in May. In October, reports surfaced that five of the 17 initial contractors dropped out of part of the program in which the National Security Agency shares classified threat indicators with the participants, apparently because they concluded the requirements for participation were too expensive and time-consuming for any enhanced security benefit. At the time, Lockheed Martin Corp. executives who help run the program noted the growth potential of another segment of the program that allows contractors to voluntarily share information about breaches to their networks without revealing identifying information to fellow contractors and the government. Now they say interest in the whole program is increasing."


Why butt your head against even moderately good security when you can easily find data that has no security at all?
By Dissent, December 26, 2012 4:25 pm
This will come as absolutely no surprise to regular readers of this blog, but The Washington Post has published the results of an investigation into security in the healthcare sector, and the results are… well, what I’d expect. The article is instructive for the range of problems it covers and some real-world examples.
Many of the potential risks are obvious – like employees losing laptops or mobile devices or having them stolen with unencrypted information on them. Others may not be so obvious to hospitals and practitioners, like this example:
Another researcher, Tim Elrod, a consultant at FishNet Security, found vulnerabilities in a system that enables care providers using a Web browser to automatically dispense drugs from a secure cabinet produced by Omnicell.
Working with Stefan Morris, Elrod discovered that unauthorized users could sidestep the login and password page and gain control of a cabinet at a hospital run by Integris Health, the largest health organization in Oklahoma. They used a well-known hacking technique called a “forced browsing” attack.
At that point, we had full administrative control,” Elrod said. “We could do anything.”
After being contacted by The Post, Peter Fisher, vice president of engineering at Omnicell, said he “is launching an immediate investigation into this reported vulnerability.” The same day, the company issued a software fix to customers around the globe.
The article is not doing much for Omnicell’s public relations, as this is the second time this month that their name has been associated with security problems. In the first case, a laptop stolen from their employee’s car contained information on 4,000 patients in Michigan.
But Omnicell is just one of may firms whose software may contain vulnerabilities or flaws that well-meaning health care systems may not detect in time to protect patient data.
Overall, I really recommend everyone read the Washington Post piece.


Might be worth reading...
This is Your Wakeup Call on Employee Privacy
With social networking and other electronic communications making employees' actions and attitudes more visible than ever to employers, it's clear that a big change in the relationship between work and private life is well underway. Yet little research has been undertaken to understand organizations' use of that information, or how the potential for increased monitoring and surveillance is perceived by workers. My colleagues Dr Brian Cooper from Monash University and Dr Rob Hecker from the University of Tasmania and I have just conducted a survey to understand workers' awareness of employer policies and the current state of what they consider to be fair and reasonable. We polled a random sample of 500 working people in our own country, Australia.


And here I thought that with the anal probing et al thay would already know who you are. Maybe that waits until the second date...
"Noted in an AP story about how fees make it difficult to compare air travel costs, is how the airline industry is moving toward tailoring offer packages (and presumably, fares) for individuals based on their personal information. Worse, 'The airline association said consumers who choose not to supply personal information would still be able to see fares and purchase tickets, though consumer advocates said those fares would probably be at the "rack rate" — the travel industry's term for full price, before any discounts.'"


They could have included information like: “No guns here” “Works 9-5” “Out of town this week” “Collects Krugerrands”
Should registered gun owners be named and mapped?
December 26, 2012 by Dissent
Julie Moos reports:
The Journal News honored victims of the Newtown, Conn., shooting on its front page Christmas Day with memorial candles that named the 26 students and staff killed at Sandy Hook Elementary. The paper chose a less lyrical approach last weekend, when — in response to the shooting – it published maps with the names and home addresses of people who had been issued pistol permits in Westchester County, where the Gannett paper is based, and nearby Rockland County.
So how did folks express their displeasure? They doxed the reporter, the editor, and the publisher.
Read more on Poynter.org about the controversy, keeping in mind that this is not the first time this paper – or other papers have done something like this.

Wednesday, December 26, 2012

Are they crying, “Wolf?” A serious attack would not be so easily detected...
"Iranian officials on Tuesday said a 'Stuxnet-like' cyberattack hit some industrial units in a southern province. 'A virus had penetrated some manufacturing industries in Hormuzgan province, but its progress was halted,' Ali Akbar Akhavan said, quoted by the ISNA news agency. Akhavan said the malware was 'Stuxnet-like' but did not elaborate, and that the attack had occurred over the 'past few months.' One of the targets of the latest attack was the Bandar Abbas Tavanir Co, which oversees electricity production and distribution in Hormuzgan and adjacent provinces. He also accused 'enemies' of constantly seeking to disrupt operations at Iran's industrial units through cyberattacks, without specifying how much damage had been caused. Iran has blamed the U.S. and Israel for cyberattacks in the past. In April, it said a voracious malware attack had hit computers running key parts of its oil sector and succeeded in wiping data off official servers."


Key management...
Glitch imperils swath of encrypted records
December 25, 2012 by admin
Shaun Waterman reports:
A widely used method of computer encryption has a little-noticed problem that could allow confidential data stored by almost all Fortune 500 companies and everything stored on U.S. Government classified computers to be “fairly easily” stolen or destroyed.
The warning comes from the inventor of the encryption method, known as Secure Shell or SSH.
“In the worst-case scenario, most of the data on the servers of every company in the developed world gets wiped out,” Tatu Ylonen, chief executive officer of SSH Communications Security Corp., told The Washington Times.
Mr. Ylonen said a computer programmer could create a virus that would exploit SSH’s weaknesses and spread throughout servers to steal, distort or destroy confidential data.
Read more on Washington Times.
[From the article:
About “90 percent of U.S. companies are out of compliance with regulations governing financial institutions because of this issue,” Mr. Ylonen said.
SSH is used “deep inside the back-end systems” Mr. Ylonen said, referring to programs that run in the background on large computer systems, unnoticed by the average user.
Without careful monitoring and management, SSH goes on creating keys and storing them in easily identifiable directories where hackers can find and use them to access secure computers.
For example, one major bank that Mr. Ylonen’s company audited had used SSH in more than 5,000 applications on as many as 100,000 servers.
He said the auditors found in “a fraction of the bank’s environment” more than 1 million unaccounted-for keys — 10 percent of which granted root access, or control of the server at the most basic level.


Fighting dirty in the gun control debate? (Think of all the other “public information” maps we could produce.)
New York newspaper faces backlash after publishing map of gun permit holders
December 25, 2012 by Dissent
Fox News reports:
A local New York newspaper is drawing the ire of its readers after publishing an interactive map that shows the names and addresses of thousands of residents who have handgun permits.
The online map was published by The Journal News along with an article under the headline: “The gun owner next door: What you don’t know about the weapons in your neighborhood.”
The newspaper obtained, and then published, the names and addresses of pistol permit holders in Westchester and Rockland counties through a Freedom of Information Act request.
Read more on Fox News.
[The map:


Lots of interesting questions here, like: If I buy a company, do I need to repurchase all the software licenses?
The Electronic Frontier Foundation recaps two court cases pending in the U.S. which will decide whether you're allowed to re-sell the things you purchase. The first case deals with items bought in other countries for resale in the U.S., such as textbooks. An unfavorable decision there would mean "anything that is made in a foreign country and contains copies of copyrighted material – from the textbooks at issue in the Kirtsaeng case to shampoo bottles with copyrighted labels – could be blocked from resale, lending, or gifting without the permission of the copyright owner. That would create a nightmare for consumers and businesses, upending used goods markets and undermining what it really means to 'buy' and 'own' physical goods. The ruling also creates a perverse incentive for U.S. businesses to move their manufacturing operations abroad. It is difficult for us to imagine this is the outcome Congress intended." The second case is about whether music purchased on services like iTunes can be resold to other people. "Not only does big content deny that first sale doctrine applies to digital goods, but they are also trying to undermine the first sale rights we do have by forcing users to license items they would rather buy. The copyright industry wants you to "license" all your music, your movies, your games — and lose your rights to sell them or modify them as you see fit."


Isn't this inevitable? As companies grow to dominate one industry, growth requires them to branch out. Since each company develops backroom tools to support their businesses, why not sell those?
Amazon and Google, both giants in the online business world, started out as separate entities with two very different agendas. As each has grown into an empire, the overlapping areas of business between the two companies has grown as well. But with both companies moving strongly into the electronic device market, cloud services, and Amazon now building out its advertising network, they find themselves increasingly at odds, and 2013 may bring more direct battles. "Amazon wants to be the one place where you buy everything. Google wants to be the one place where you find everything, of which buying things is a subset. So when you marry those facts I think you're going to see a natural collision," said VC partner Chi-hua Chien. Adds Reuters, "Not long after Bezos learned of Google's catalog plans, Amazon began scanning books and providing searchable digital excerpts. Its Kindle e-reader, launched a few years later, owes much of its inspiration to the catalog news, the executive said. Now, Amazon is pushing its online ad efforts, threatening to siphon revenue and users from Google's main search website."

(Related) Maybe journalists are just starting to notice? Once upon a time, IBM helped circulate the meme: “No one ever got fired for recommending IBM.”
SternisheFan tips a report at the NY Times about the progress Google is making in its quest to unseat Microsoft's position atop the business software industry. From the article:
It has taken years, but Google seems to be cutting into Microsoft's stronghold — businesses. ... In the last year Google has scored an impressive string of wins, including at the Swiss drug maker Hoffmann-La Roche, where over 80,000 employees use the package, and at the Interior Department, where 90,000 use it. One big reason is price. Google charges $50 a year for each person using its product, a price that has not changed since it made its commercial debut, even though Google has added features. In 2012, for example, Google added the ability to work on a computer not connected to the Internet, as well as security and data management that comply with more stringent European standards. That made it much easier to sell the product to multinationals and companies in Europe. ... Microsoft says it does not yet see a threat. Google 'has not yet shown they are truly serious,' said Julia White, a general manager in Microsoft’s business division. 'From the outside, they are an advertising company.'"


Social replaces email? Definately worth a read...
December 25, 2012
Commentary - the evolving workplace extends to home and beyond
Brett Caine writing in Forbes: "We have become a society that communicates and shares just about everything we do, with one notable exception – work. Work is the place where social firewalls go up when they really should come down. After all, our teams are about teamwork. Social is the perfect tool to get our teams to work more collaboratively. And as it catches on, productivity is improving – people can work and play from anywhere and (finally) debunking the notion that workers need to be in an office to produce. The number of work-at-home employees is increasing dramatically and not just day-extenders. For the first time we are seeing companies implement work-at-home policies and practices that make it possible to work from home as a full member of the team. Everyone wants flexibility, more and more ask for it and the millennials will demand it. What does this changing workforce (and workplace) mean for leaders and managers in the workplace?"


Something for my Statistics class. Does Climate Change equal Rate Increase?
A recent paper in Science (abstract) examines the insurance industry's reaction to climate change. The industry rakes in trillions of dollars in revenues every year, and a shifting climate would have the potential to drastically cut into the profits left over after settlements have been paid. Hurricane Sandy alone did about $80 billion worth of damage to New York and New Jersey. With incredible amounts of money at stake, the industry is taking climate projections quite seriously. From the article:
"Many insurers are using climate science to better quantify and diversify their exposure, more accurately price and communicate risk, and target adaptation and loss-prevention efforts. They also analyze their extensive databases of historical weather- and climate-related losses, for both large- and small-scale events. But insurance modeling is a distinct discipline. Unlike climate models, insurers’ models extrapolate historical data rather than simulate the climate system, and they require outputs at finer scales and shorter time frames than climate models."


Like Khan Academy but with broader coverage?
We’ve been tracking Knowmia since it got underway over the summer. Co-founded by the creator of the Flip video camera, Knowmia has seen tremendous growth and you should start checking it out. Boasting more than 8,000 videos, the site offers video lessons by teachers to anyone.
… If you’re a teacher or want to at least help educate the young minds of the world, you can create a video lesson on Knowmia and then upload it.
They also have an iPad app called Knowmia Teach that lets you easily create your own lessons and add them to Knowmia. Check that out here.

Tuesday, December 25, 2012

Merry Christmas, ho ho ho! (Old is relative)
Security Loophole In Facebook’s Camera App Allowed Hackers To Hijack Accounts Over WiFi [Confirmed]
PSA to all Facebook Camera users on iOS: If you haven’t update you app in the past few days, update it now. The older version of the app, pre-1.1.2 and released before December 21, has a security loophole. When used over WiFi networks, malicious hackers can tap the network and hijack Camera users’ accounts, picking up information like email addresses and passwords in the process.
… As he puts it, “The problem is the app accepts any SSL certification from any source, even evil SSL certifications and this enables any attacker to perform Man in The Middle Attack against anyone uses Facebook Camera App for IPhone. This means that the application doesn’t warn the user if someone in the same [WiFi network] trying to hijack his Facebook account.”


One of the drivers for the BYOD movement has been the ability to do things on a personal device that have not yet been added to the organization's toolkit. It has always been so. The first “personal” computers in corporations were Apple IIs running VisiCalc spreadsheets in accounting departments.
By Dissent, December 24, 2012 10:41 am
John Cox reports:
A new study finds that more than two-thirds of nurses are using their personal smartphones for clinical communications. Yet 95% of nurses in the sample say hospital IT departments don’t support that use for fear of security risks.
The report, “Healthcare without Bounds: Point of Care Computing for Nursing 2012,” by Spyglass Consulting Group, points to the collision of healthcare information demands on nurses, and the limits of mobile and wireless technology, at the point of care — typically the patient’s bedside. Nurses in the survey decry the lack of IT support; and IT staff are frustrated by the unsanctioned and often explicitly banned use of personal devices for clinical communications.
Read more on Network World.
This is really cause for concern on so many levels. If available and IT-sanctioned technology is not meeting the needs of nurses, their needs must be addressed. But a cowboy approach of ignoring policies on tech and security is not a solution.  Using smartphones puts patient data at risk, particularly as we’ve seen so many apps that are not truly secure nor privacy-protective.
The issue that “meaningful use” requirements are adding a burden to nursing care that does not translate into more efficient or better quality nursing also needs to be addressed, but it’s related if the nurses are under pressure to enter more data yet don’t have technology that facilitates productivity and compliance.
[For your e-Stocking:
The original VisiCalc program is available for download in a zip file. Download the zip file by clicking here

(Related) Once prices reach a “certain point” (unique to each user) it makes sense to buy a device for each purpose. For instance, I will buy a tablet for teaching, including Apps and resources that I use in class and keep my laptop for managing my finances and the desktop for writing my Blog.
"In August 2011, Acer Chairman JT Wang declared that the consumer affection for tablets had already begun to cool, basically labeling it a fad. What a difference a year (and a half) makes. Acer now plans to introduce a 'category killer' $99 tablet. 'In the past few months, we've made project roadmap changes in response to big changes in the tablet market,' according to a source at the Wall Street Journal. 'The launch of the Nexus 10 has changed the outlook for what makes competitive pricing.' Acer is aiming the new tablet at emerging markets, competing with Chinese 'white box' tablets (already available in Shenzhen at $45 each)."


Law in the Age of the Internet OR “Stupid is, as hundreds of millions of users say it is”
Instagram Hit With Class Action Lawsuit Related To Last Week’s Change Of Service Terms
Instagram just got a lump of coal in its stocking: a class action lawsuit, which was filed in response to its change of service terms last week. Reuters reports that a California Instagram user has leveled breach of contract and other claims against Instagram owner Facebook. In response, Facebook told Reuters “we believe this complaint is without merit and we will fight it vigorously.”
… Although Instagram almost immediately changed some of the terms of service, it still kept language indicating “that we may not always identify paid services, sponsored content, or commercial communications as such.” Instagram also kept wording that gives it the ability to place ads related to user content, as well as a new a new mandatory arbitration clause that means users waive their rights to participate in class action lawsuits under almost all circumstances (the lawsuit comes before the new TOS goes in effect on January 19).
The lawsuit filed by San Diego-based law firm Finkelstein & Krinsk alleges that even if users delete their Instagram account, they forfeit rights to photos they have already uploaded.
“In short, Instagram declares that ‘possession is nine-tenths of the law and if you don’t like it, you can’t stop us,’” the lawsuit says.


Introducing “To whom it may concern” tickets! OR “Want your car back buddy? We'll remove the Denver Boot when you pay the ticket.” OR One of the Commenters asks, “Can the car hire its own lawyer?”
"New Scientist asks a Bryant Walker Smith, from the Center for Internet and Society at Stanford Law School, whether the law is able to keep up with recent advances in automated vehicles. Even states which have allowed self-driving cars require the vehicles to have a 'driver,' who is nominally in control and who must comply with the same restrictions as any driver such as not being drunk. What's the point of having a robot car if it can't drive you home from the pub while you go to sleep in the back?"


From a guy interested in the authenticity of electronic information. (I was able to find this in a library in Wyoming)
"When the IBM PC first came out 31 years ago, it supported a maximum of 256KB RAM. You can buy an equivalent computer today with substantially more CPU power at a fraction of the price. But in those 31 years, the information security functionality in which the PC operates has not progressed accordingly. In Burdens of Proof: Cryptographic Culture and Evidence Law in the Age of Electronic Documents, author Jean-François Blanchette observes that the move to a paperless society means that paper-based evidence needs to be recreated in the digital world. It also requires an underlying security functionality to flow seamlessly across organizations, government agencies and the like. While the computing power is there, the ability to create a seamless cryptographic culture is much slower in coming."
… The book details the many challenges that businesses and governments face in moving from a paper-based record society and the underlying trust mechanisms that go along with it, to a new digital-based record system, and how a new framework is needed for such a method. The book details part of that new framework.
The book opens with an observation on the authenticity of President Obama's birth certificate. While Blanchette is not a birther, he does note that if the moral authority of paper records has diminished, then the electronic documents replacing them, which are what the Obama administration provided, appear to be even more malleable. And that is precisely the issue that he addresses.


Might be fun for my students...
… All work on Tinder happens in the cloud, so you can get access to your coworkers in real-time. One of the main hooks for Tinder is how flexible the structure is. It gives you the ability to tweak it for the needs of your organization. If the needs of your company change, you can change the structure on the fly.
Users can use this service to communicate with co-workers and share files. It saves document revisions, so if you need to go back in time to a previous version of a file because one of your people made a mistake, Tinder has you covered. The layout is very friendly to anyone who has used a social network, so it should be easy for your team to adopt the program. Best of all, it’s free for up to five people.


I have been looking for at least ONE Well worth a peek...
People in general, hold onto beliefs that are shaped by early experiences, the media, and faulty influences. The following list is a compilation of research that may surprise you. Video games, e-books, playtime, and music are all a part of an educator’s repertoire.


I plan on trying more Apps next year... Started as an iPad only list, but most run on multiple platforms.


A geeky stocking stuffer – FREE from Microsoft!
… Even on Windows 8, where it’s much-improved, the task manager can’t come close to the power of Process Explorer. It’s part of the Sysinternals set of tools that Microsoft purchased – and for good reason. They’re among the most powerful system utilities for Windows.
In addition to its power, Process Explorer is also flexible. It’s available from Microsoft as a single .exe file. That makes it a portable app you can throw on a USB drive and run on any computer.

Monday, December 24, 2012

The question is, what will the computer do with email that it flags as potentially terrorist or mentally ill gun nut or music pirate or Libertarian or … Otherwise, I kinda agree with the article.
Article: Can a Computer Intercept Your Email?
December 23, 2012 by Dissent
Bruce E. Boyden has an article in Cardozo Law Review (Vol. 34, No. 2). Here’s the abstract:
In recent years, it has become feasible for computers to rapidly scan the contents of large amounts of communications traffic to identify certain characteristics of those messages: that they are spam, contain malware, discuss various products or services, are written in a particular dialect, contain copyright-infringing files, or discuss symptoms of particular diseases. There are a wide variety of potential uses for this technology, such as research, filtering, or advertising. But the legal status of automated processing, if it is done without advance consent, is unclear. Where it results in the disclosure of the contents of a message to others, that clearly violates the federal law governing communications privacy, the Electronic Communications Privacy Act (ECPA). But what if no record of the contents of the communication is ever made? Does it violate communications privacy simply to have a computer scan emails?
I argue that automated processing that leaves no record of the contents of a communication does not violate the ECPA, because it does not “intercept” that communication within the meaning of the Act. The history, purpose, and judicial interpretation of the ECPA all support this reading: interception requires at least the potential for human awareness of the contents. Furthermore, this is not simply an accident of drafting or an omission due to the limited foresight of legislators. Under most theories of privacy, automated processing does not harm privacy. Automated processing may in some cases lead to harm, but those harms are not, in fact, privacy harms, and should be analyzed instead under other legal regimes better adapted to dealing with such issues.


This is news?
The NSA was originally supposed to handle foreign intelligence, and leave the domestic spying to other agencies, but Presto Vivace writes with this bit from CNET:
"'The National Security Agency's Perfect Citizen program hunts for vulnerabilities in 'large-scale' utilities, including power grid and gas pipeline controllers, new documents from EPIC show.' 'Perfect Citizen?' Who thinks up these names?"
"The program is scheduled to continue through at least September 2014," says the article.
[From the Cnet article:
One job description, for a senior penetration tester, says the position will "identify and demonstrate vulnerabilities," and requires experience using security-related utilities such as Nmap, Tenable's Nessus, Libnet, and Netcat. Raytheon is required not to disclose that this work is being done for the NSA. [Interesting list of tools. Same ones we teach our Ethical Hackers. Bob]


So there must be a business here somewhere...
Get Ready For The Rise Of Personal Drones
Drones can be used for more than just war.
Already, companies like FedEx are counting the days until drones are admitted to standard US airspace.
FedEx wants to be able to use drones to transport packages, rather than having to rely on passenger planes.
… Meanwhile, there's a growing community of amateurs who build and fly their own drones. The drones typically have two-foot long wings and weigh about two pounds.
… Since launch, DIY DRONES has grown to a community of 33,000 active members who fly drones that they have either been made themselves, or purchased from companies like 3D Robotics.
… Anderson also compares the rise of personal drones to the rise of the personal computer.
"[Computers are] in a class of technology that previously existed and then people started adding the word personal to it," Anderson says. "The user and the new class of users are what revolutionized the industry, not the computer itself. Democratization of technology is not about technology, it's about who uses it."


Clear and simple. Who wrote these?
December 23, 2012
UK - Interim guidelines on prosecuting cases involving communications sent via social media
Interim guidelines on prosecuting cases involving communications sent via social media, Issued by the Director of Public Prosecutions on December 19, 2012
  • "These guidelines set out the approach that prosecutors should take when making decisions in relation to cases where it is alleged that criminal offences have been committed by the sending of a communication via social media. The guidelines are designed to give clear advice to prosecutors who have been asked either for a charging decision or for early advice to the police, as well as in reviewing those cases which have been charged by the police. Adherence to these guidelines will ensure that there is a consistency of approach across the CPS."


Ask yourself how many your local school is implementing.
A new infographic sheds light on six of the biggest pieces of emerging technology you should know about. From cloud computing to personal learning environments, there’s a lot to know and the future is bright.