Wednesday, January 09, 2013

I'll ask this again: What constitutes a CyberWar attack?
Late last year, multiple US banks were attacked online by what was believed to be a hacker group. Now government officials are saying it was actually the work of Iran, possibly in response to cyberattacks it has suffered from the US. This was determined when an investigation revealed that the method used to attack the banks was too sophisticated to be the work a fringe group.

“We don't need no stinking common sense!”
Another data theft in the education sector. And yet again, no one did anything wrong because there was never any policy.
Yesterday I added a breach to DataLossDB involving the Morgan Road Middle School in Georgia. A flash drive with unencrypted student information, including SSNs, was stolen from an teacher’s unattended car. A gradebook was also stolen. In his statement to the media, Richmond County School System Superintendent Frank Roberson said that the information in the teacher’s possession was not unusual. I agree, but why was the District using Social Security numbers instead of non-SSN identifiers? Does a teacher really need to know students’ SSNs? But here’s the part that really rankled:
Dr. Roberson says bottom line, the teacher did not break policy and because of that will not face consequences.
If there was no policy that said “Don’t leave unencrypted student information in unattended vehicles,” then I agree the teacher cannot be disciplined. But the school district should be in pillories.
Then lo and behold, there’s another news story this morning about how 60 Charlotte-Mecklenburg Schools employees in North Carolina have been warned to be on guard against identity theft after files containing their personal data were stolen from a human resource employee’s car.
The personnel files, which contained names, addresses, Social Security numbers, dates of birth and driver’s license numbers, were stolen Nov. 28, when the HR employee stopped for lunch, CMS spokeswoman Tahira Stalberte said. She said a CMS investigation determined that the employee, who was driving from one district office to another, did nothing wrong.
If no one is doing anything wrong by leaving personal information that could be used for ID theft in unattended vehicles, then the school districts are responsible for their failure to implement reasonable security policies, the states are responsible for not auditing the districts and sending a clear message about protection of data, and the U.S. Department of Education is responsible for not promoting regulations that would adequately protect the personal, private and sensitive information of students and employees.
No one’s to blame? I think there’s a lot of blame to go around. And it’s more than high time parents and employees insisted on adequate data security.

Another illustration of my concern with “Push” software updates. Real world impact from the cloud.
"A software update of the California welfare computer system (CalWIN) caused 37,000 Food Stamp recipients to lose their EBT (a credit card paid for by the government) benefits last weekend. According to the article, Hewlett Packard was responsible for the failed update of CalWIN, but at 8:00 a.m. today Xerox (who administers another state welfare system called CalFresh) issued a patch that reactivated the EBT cards."

For my Ethical Hackers. (NTLM = NT LAN Manager)
"Security researcher Mark Gamache has used Moxie Marlinspike's Cloudcracker to derive hashes from captured NTLM handshakes, resulting in successful pass-the-hash attacks. It's been going on for a long time, probably, but this is the first time a 'white hat' has researched and exposed the how-to details for us all to enjoy. 'You might think that with all the papers and presentations, no one would be using NTLM...or, God forbid, LM. NTLMv2 has been around for quite some time. Surely, everyone is using it. Right? Wrong! According to the last data from the W3 Schools, 21% of computers are running XP, while NetMarketShare claims it is 39%. Unless someone has hardened these machines (no MS patches do this), these machines are sending LM and NTLM responses!' Microsoft has posted a little guidance for those who need to turn off NTLM. Have fun explaining your new security project to your management, server admins!"

Don't have a good reason? Make one up!
Police officers have been known to illegally stop someone from recording their actions in public spaces. But police in Ramsey County have offered a new “explanation” and claim that a man recording an incident in public violated HIPAA. Emily Gurnon reports:
Andrew Henderson watched as Ramsey County sheriff’s deputies frisked a bloody-faced man outside his Little Canada apartment building. Paramedics then loaded the man, a stranger to Henderson, into an ambulance.
Henderson, 28, took out his small handheld video camera and began recording. It’s something he does regularly with law enforcement.
He had been filming from about 30 feet away, he said. Henderson said deputies gave him no warning before Muellner took his camera.
The deputy wrote on the citation, “While handling a medical/check the welfare (call), (Henderson) was filming it. Data privacy HIPAA violation. Refused to identify self. Had to stop dealing with sit(uation) to deal w/Henderson.”
Henderson appeared in Ramsey County District Court on Jan. 2. A pretrial hearing was rescheduled for Jan. 30.
The allegation that his recording of the incident violated HIPAA, or the federal Health Insurance Portability and Accountability Act, is nonsense, said Jennifer Granick, a specialist on privacy issues at Stanford University Law School.
The rule deals with how health care providers handle consumers’ health information.
“There’s nothing in HIPAA that prevents someone who’s not subject to HIPAA from taking photographs on the public streets,” Granick said. “HIPAA has absolutely nothing to say about that.”
Read more on Pioneer Press. Henderson plans to pursue this if the charges against him are not dropped.
I’ve never heard of another case like this, have you?
I would prefer that people choose not to upload films of people having medical problems in public to the Internet, but citing HIPAA as a justification to stop someone from recording in a public space seems just wrong.

Can any nation refuse?
There are days when I envy EU data protections. Then there are days when I’m glad we’re not part of the EU. James Slack reports:
Brussels is demanding that 26 police forces across the EU should have access to the personal details of every motorist in Britain.
The Government is being threatened with fines totalling millions of pounds unless it obeys the ‘Orwellian’ edict.
Foreign police also want open access to the UK’s national DNA database and fingerprint records so they can check them against crime scenes and camera footage.
MPs and civil liberties groups fear identity mistakes will lead to Britons being accused of crimes they have not committed.
Read more on The Daily Mail.

“We do not treat children like cattle. Mooove along.”
Francisco Vara-Orta reports that the Northside Independent School District student who has refused to wear an RFID chipped ID tag on religious grounds has lost her lawsuit, and the district can transfer her to another school in the district that does not use RFID-chipped tags if she continues to refuse to wear one.
Andrea Hernandez had refused to wear the tag, claiming that the chip was the “Mark of the Beast.”
The court’s ruling had nothing to do with any privacy claim but had to do with whether the district had accommodated her religious beliefs. The court held that because the district had accommodated her by removing the chip from the tag she was still required to wear, there was no First Amendment issue before the court.
The Rutherford Institute, who provided legal counsel for the student, issued a statement saying they intend to appeal the ruling.

(Related) “We are not cattle, we are sheep.”
Dan Solove writes:
A recently-released Brunswick Insight survey of parental attitudes about student privacy online is quite revealing. The survey involved more than 1000 American adults with children in grades 1-12, and it was done in August 2012. Overall, the survey revealed that parents are very concerned about their students’ online privacy, especially the tracking of their activities and marketing based on behavioral data.
Parents were generally not aware that their children are subjected to online tracking in schools. Nearly half had heard nothing about it.

Apparently, he's not a “second class” citizen... (The UK has srtange rules)
How often have you seen me question a pro-privacy ruling? Not often, right? But a ruling in the UK does have me a bit concerned.
Mike Collett-White reports:
British actress Kate Winslet’s husband won a court battle on Tuesday stopping The Sun newspaper printing photographs of him “semi-naked” at a private fancy dress party several years ago.
Lawyers for Ned RocknRoll, 34, who married the “Titanic” star last month, argued that there was no public interest [There is now. See “Streisand Effect” Bob] in the Sun publishing the pictures, that it would be a breach of his privacy and it could lead to Winslet’s children being bullied.
According to the Press Association, the judge at London’s High Court ruled in favor of RocknRoll and ordered The Sun not to publish the pictures pending any trial, adding that he would give the reasons for his decision at a later date.
Read more on Reuters.
What’s interesting about this injunction (to me, anyway) is that the photo had already been publicly available on the Internet for two years. The Drum reports:
RocknRoll, the 34 year old nephew of Sir Richard Branson who changed his name from Edward Abel Smith, sought the injunction after the Sun newspaper attempted to print the image.
He won despite the offending image having been freely available on a friends Facebook page – which had no privacy settings, but have since been removed.
Niri Shan, head of media law at Taylor Wessing, said: “It is the first time that a Facebook page without any privacy settings has been subject of a successful injunction,” he said. “It is surprising that the fact it had been available on a public page for more than two years and could be seen by his 1,500 friends did not carry more weight.
It is a worrying precedent for the media because Facebook is a big source of information for them.”
As much as I am for pro-privacy rulings, I’m not sure this was a good ruling. If courts are going to grant injunctions based on possible embarrassment to the children of the individual, then we are not really dealing with the adult’s privacy rights. Should everyone who wants a paper blocked from printing an embarrassing picture that’s been circulating for years be entitled to an injunction, or only those who have children who could be impacted? Should only children of celebrities matter in terms of possible bullying, or all children?
Suggesting that there could be an injunction for pictures that one did not try to block for two years but suddenly finds problematic may be consistent with an EU notion of “right to be forgotten” or “right to delete,” but courts in the U.S. have generally not gone along with this type of thinking. So while UK privacy advocates may cheer this injunction, I’m not sure U.S. privacy advocates should. Nor do such injunctions properly protect press freedom, as it’s somewhat shocking that the press should not be able to repeat something that has been freely available on the Internet for years.
Justice Briggs said he would reveal his reasons at a later date. I look forward to reading them.

Something my lawyer friends will explain to me, please?
Why Facebook Data Tends to Condemn You in Court
U.S. courts have a structural bias against “guilty” verdicts, but when it comes to Facebook data the situation is reversed: Social media activity is more readily used to convict you in a court of law than to defend you.
That’s because prosecutors generally have an easier time than defense attorneys getting private information out of Facebook and other social networks, as highlighted in an ongoing Portland murder case. In that case, the defense attorney has evidence of a Facebook conversation in which a key witness reportedly tells a friend he was pressured by police into falsely incriminating the defendant.
Facebook rebuffed the defense attorney’s subpoena seeking access to the conversation, citing the federal Stored Communications Act, which protects the privacy of electronic communications like e-mail – but which carves out an exemption for law enforcement, thus assisting prosecutors. “It’s so one-sided … they cooperate 110 percent anytime someone in the government asks for information,” one Oregon attorney told the Portland Oregonian, citing a separate case in which Facebook withheld conversations that could have disproved a rape charge, but turned over the same conversations when the prosecution demanded them.

Introducing a new concept, that I think is unlikely to work as they think...
Over on the always-impressive HawkTalk blog, Chris Pounder of Amberhawk writes:
In a 215 page report, the European Parliament has suggested 350 Amendments to the text of the Data Protection Regulation published last year. This blog gives you an impression of those proposed changes that caught my eye on a “speed read” of the Report (produced by Jan Albrecht, the rapporteur for the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs).
I think the most important proposal is the fettering of the European Commission’s powers. In many instances, many powers found in the Regulation are amended to involve the European Data Protection Board of Data Protection Commissioners (the Regulation’s formal structure for what we now call the Working Party 29 Group of Commissioners).
The Report has introduced the concept of a not quite personal data; a ‘pseudonym’; I am not sure of the consequences. A ‘pseudonym’ is a “unique identifier which is specific to one given context and which does not permit the direct identification of a natural person, but allows the singling out of a data subject”.
The Report then states that “For the use of pseudonymous data, there could be alleviations with regard to obligations for the data controller undertaking the processing (e.g where personal data are processed only in the form of pseudonyms, consent may be given by automated means)”.
I am not convinced the concept works also and I think it needs a definition of “pseudonymous data” which also considers what other information the data controller has. For instance, suppose I know that is really Fred Bloggs. The mickey.mouse email address is pseudonymous data as it does not “not permit the direct identification of a natural person”; but I know who it is.
Read more on HawkTalk

The Economics of the Internet?
"Peter Ludlow writes in the Atlantic that the internet has turned the dating marketplace into a frictionless market that puts together buyer and seller without transaction costs. And that's a bad thing. 'Finding a partner used to be expensive, and the market was inefficient. If you lived in a large city, there were always people looking for partners, but the problem was how to find them.' But one advantage of inefficient dating markets is that in times of scarcity we sometimes take chances on things we wouldn't otherwise try while in times of plenty, we take the path of least resistance (someone who appears compatible) and we forgo difficult and prima facie implausible pairings. Another problem with frictionless online markets (PDF) is that assume we know what we are looking for. But sometimes we simply don't know what we are looking for until we stumble across it in a search for something else, says Ludlow. 'The result is often unexpected and beautiful. So it is with relationships; compatibility is a terrible idea in selecting a partner,' concludes Ludlow. 'We often make our greatest discoveries and acquire our greatest treasures when local scarcity compels us to be open to new and better things.'"

Not sure when most citizens would reference this, but if you are a history buff this is the bomb!
January 08, 2013
Foreign Relations of the United States Released in E-Book Format
"The Office of the Historian at the U.S. Department of State is pleased to announce the release of its Foreign Relations of the United States (FRUS) series in a new e-book format that is readable on popular electronic devices such as the Amazon Kindle and Apple iPad. The e-book edition combines many of the benefits of print and web publications in a new form that is portable and extremely convenient. During the pilot phase of the FRUS e-book initiative, select FRUS volumes are available here. The public is invited to download the new e-books and provide feedback to help improve the FRUS e-book edition. At the conclusion of the pilot phase, the Office will work to offer e-book versions of many more FRUS volumes both through the Office website and on a wide array of e-bookstores. The Office will continue to expand and enhance its e-book offerings, as part of the ongoing FRUS digitization effort."

(Related) History or geneology?
January 08, 2013
Official Register of the United States Now on FDsys
"As part of the U.S. Government Printing Office (GPO) and the U.S. Department of Treasury pilot project to provide permanent public access to the Treasury Library's digital content, the Official Register of the United States is now available on GPO's Federal Digital System (FDsys). The Official Register of the United States: 1829, 1835-1837, 1841-1861; 1879-1891, 1895-1907, 1911-1921, 1925-1926, 1929-1934, 1936-1959, contains information about the Federal workforce, including the name of every employee, their job title, state or country of birth, the location of their post, and their annual salary."

Strange that the Comments don't point to examples of simple programming tools ( ITTT?) But I did like the comment about searching for "...a big red arrow that points to the answer"
"Adam Wiggins, co-founder of Heroku, agrees with anthropologist Bonnie Nardi that programming isn't just for geeks. The problem, he says, is that today's tools for teaching programming are woefully inadequate. In a commentary, Wiggins argues that there are two major gaps preventing programming tools from being accessible to beginners: 1) they're too fussy, requiring extensive setup, and 2) they're focused on the technology rather than everyday tasks. A good tool for learning programming, Wiggins argues, would emulate an Excel or Google Docs spreadsheet – beginners would be able to fire it up instantly, and would be able to get useful things done right away. (He's dismissive, though, of visual programming tools that 'attempt to hide logic behind a point-and-click interface.') 'Broad programming literacy is crucial in a world increasingly made of computers,' Wiggins says. 'Despite common stereotypes, programming is not out of reach for the average person,' as long as the tools are easy to set up and specialized on the programmer's task."

(Related) ...but the hardware is getting cheaper. Many tablets are already cheaper thant the textbooks I use, but I'm not sure you could load all your textbooks on one.
"One Laptop Per Child is back in the tablet race, announcing a new 7-inch tablet with the Android OS that will be sold commercially and include its learning software. The XO Tablet was announced at the International CES show in Las Vegas. OLPC will license the design to Sakar International, which will sell the tablet in the U.S. through Wal-Mart."

Free stuff, maybe.
"Yesterday, Adobe put up a mysterious webpage from which its now seven-year-old CS2 line of products (Photoshop, Illustrator, InDesign, Acrobat, Premiere and others) could be freely downloaded by anyone. The page even included valid serial numbers that will unlock the CS2 apps for anyone who wants to. This strange 'giveaways' page at quickly went viral on the internet after a few tech bloggers reported on it. An Adobe spokesman said initially that the CS2 downloads are for existing owners of Adobe CS2 software only, who may not be able to activate their software anymore, due to the CS2 activation servers having been shut down by Adobe. But the internet at large took this webpage as meaning 'Free Adobe CS2 Software for Everyone,' which was probably not what Adobe had in mind. It seems that at this point, hundreds of thousands of people have downloaded their 'free' CS2 products and installed them, and started using them. So Adobe is in a bit of a PR pinch now because of this — Do you tell all the thousands of people who have downloaded CS2 products in the last 48 hours that 'you cannot use these products without paying us'? Or do you accept that hundreds of thousands of people now have free access to seven year old Adobe CS2 products, and try to encourage some of them to 'upgrade to the new CS6 products'?"

How NOT to do a online class? I've been pushing a free (or nominal) signup cost, but a charge for tests leading to certification or credit.
"In the shadow of Stanford and Harvard offering free on-line courses, The University of California has been attempting to offer pay-courses for credit. UC online took out a $6.9M loan from UC and spent $4.3M to market these courses. For their efforts, they've been able to quadruple their enrollment year over year. The first year results: only one person not already attending UC paid $1,400 for an online pre-calculus class worth four credits. Now four non-UC are signed up. 'UC Online has to pay back the loan in seven years and expected to sell 7,000 classes to non-UC students for $1,400 or $2,400 apiece, depending on each course's duration. China was thought to be a lucrative potential source of students, but few expressed interest. The U.S. military also fell through.' Methinks head will roll on this one..."

I envision 70,000 fans holding up their phones as they scroll, “Go Broncos!” (in orange LEDs)
… LED Light Fun allows you to display large text messages in bright colours as if you had an LED display board using your Android device.
… Text can be static, scrolling or blinking in various colours against a background of your choosing.
Check out LED Light Fun @ Google Play

Every now and then I do like to try new things...

It's on the Internet, so it must be true!
Got a cold? Have a beer
… Sapporo Breweries, one of the country’s oldest beer makers, funded a study that has discovered that hops – one of beer’s primary ingredients – contain a chemical that could counter the virus that causes cold-like symptoms.

Dilbert explains why you should never let your boss read this blog!

No comments: