Thursday, May 16, 2013

Aargh! “Yes we encrypted the data, but then we put the key ON THE SAME SERVER so we wouldn't need to remember it.” Clearly, this one is going in my collection of “Worst Practices.”
HealthITSecurity.com has obtained more details on the breach affecting almost 10,000 patients of Presbyterian Anesthesia Associates. Apparently the data were encrypted, but the encryption key was acquired by whoever attacked the E-Dreamz server hosting the practice’s database.


The dynamic of a security breach changes a bit when the 'victims' are corporations with deep pockets and a good legal team.
Ryan Nakashima reports:
Lawyers for JPMorgan Chase & Co. are asking financial news and data company Bloomberg LP to turn over any records it has of reporters looking up the log-in and usage data of JPMorgan employees.
A formal letter was sent this week, a person familiar with the matter said. The person wasn’t authorized to speak publicly and spoke on condition of anonymity.
Read more on Boston.com.
[From the article:
The letter seeks data going back to 2008 as the bank examines whether the seller of ubiquitous trading-data terminals was in breach of contract, the person said.
It comes after the revelation Friday that, until recently, Bloomberg reporters had special access to client usage data and sought to use it to break stories. On Monday, Bloomberg News Editor-in-Chief Matthew Winkler apologized for the practice, which he said had been going on since the 1990s. He said the special access for reporters had been cut off last month after Goldman Sachs complained.
… The Federal Reserve is also looking into whether Bloomberg journalists tracked data about terminal usage by top Fed officials.]


So anyone (newspaper, school, police department, individual) could do this.
Today The New Yorker unveiled a project called Strongbox, which aims to let sources share tips and leaks with the news organization in a secure manner. It makes use of the TOR network and encrypts file uploads with PGP. Once the files are uploaded, they're transferred via thumb-drive to a laptop that isn't connected to the internet, which is erased every time it is powered on and booted with a live CD. The publication won't record any details about your visit, so even a government request to look at their records will fail to find any useful information. "There’s a growing technology gap: phone records, e-mail, computer forensics, and outright hacking are valuable weapons for anyone looking to identify a journalist’s source. With some exceptions, the press has done little to keep pace: our information-security efforts tend to gravitate toward the parts of our infrastructure that accept credit cards." Strongbox is actually just The New Yorker's version of a secure information-sharing platform called DeadDrop, built by Aaron Swartz shortly before his death. DeadDrop is free software.


“We designed it so we could and we saw no reason to turn this function off for the App vendors.”
Jaikumar Vijayan reports:
Several users of devices running Google’s Android operating system have filed an amended version of an earlier lawsuit accusing the company of illegally collecting, and allowing others to collect, extensive amounts of mobile user data without proper notice or consent.
The lawsuit, filed last week in the U.S. District Court for the Northern District of California, is an updated version of a consolidated lawsuit from January 2012. It alleged that Google’s actions had harmed the privacy, security and financial interests of the six named plaintiffs in the case.
Read more on Computerworld. Courthouse News previously covered the amended complaint, a copy of which can be found on their site.


An interesting argument.
Long-time readers may remember the case of Nina Yoder, a nursing student who was expelled from the University of Louisville School of Nursing [SON] in 2009 for allegedly breaching the honor code and confidentiality agreements she had signed by her posts on MySpace. A district judge had ordered her reinstatement in August 2009, and Yoder eventually graduated from the program, but it seems the part of her lawsuit dealing with damages and constitutional issues of free speech and due process had not been addressed and remained in the courts.
The question of what nursing or medical students or staff can say online that might be subject to disciplinary action is an important one, as it may pit notions of protected speech against an entity’s or employer’s legitimate concerns about disclosures. The issue also raises questions about whether online speech during off-duty hours on one’s own computer can be subject to disciplinary action. Since the time this case first arose, a number of schools have attempted to regulate off-campus online speech in attempts to deal with cyber-bullying. But what about adults disclosing information learned on the job or in their internships or rotations if they’ve signed a confidentiality agreement?
In an opinion issued by the Sixth Circuit Court of Appeals on the free speech claim, the court notes the absence of relevant precedent:
In addition, both parties rely heavily on Supreme Court cases that govern student speech standards, none of which considers the unique circumstances posed here. Yoder has not identified any case—nor are we aware of any—that undermines a university’s ability to take action against a nursing (or medical) student for making comments off campus that implicate patient privacy concerns. Defendants have legal and ethical obligations to ensure that patient confidentiality is protected, and that nursing students are trained with regard to their ethical obligations. See, e.g., Ky. Rev. Stat. § 314.031(4)(d), (k); id. § 314.111. Yoder gained access to the Patient through the SON’s clinical program, and patients allow SON students to observe their medical treatment in reliance on the students’ agreement not to share information about their medical treatment and personal background. Under such circumstances, Defendants could not “fairly be said to ‘know’ that the law forb[ids] [discharging a student under these circumstances].” Harlow, 457 U.S. at 818.
You can read the full opinion here (pdf). They do not seem to reach the issue of whether Yoder’s speech was protected speech, but analyze whether the university officials had reasonable grounds to believe that Yoder had waived any First Amendment rights because she had signed the confidentiality agreement and other documents.


We just had a decision that continuous monitoring of location data (from cell phones) eventually constituted a search under the 4th Amendment. Purchasing data from a vendor does not. Even if you supplied the initial information (DMV records).
sosadmin writes:
Did you know that a private company which hoards detailed information about your driving habits also has plans to create the largest private sector law enforcement database in the world, by combining plate reads with commercial databases, face recognition technology and more?
Vigilant Video is a private corporation. It maintains a database called the National Vehicle Location Service (NVLS), containing hundreds of millions of data points showing the travel patterns of millions of people in the United States. The data in the system comes from a variety of sources including government agencies, other companies like tow truck and repo firms, and a fleet of company cars that drives around sucking up license plate information on our streets and in our neighborhoods.
Read more on privacysos.org.

(Related) “Our business is based on extracting information about you for our customers, but extracting information about you for you is something else entirely. We don't know how to do that.”
"Contrary to recent reports, data broker Acxiom is not planning to give consumers access to all the information they've collected on us. That would be too great a challenge for the giant company, says spokesperson Alexandra Levy. Privacy blogger Dan Tynan recently spoke with Jennifer Barrett Glasgow, Chief Privacy Officer at Acxiom (she claims to be the very first CPO) about how the company collects information and what they do with it. This should give you some small measure of comfort: 'We don't know that you bought a blue shirt from Lands End. We just know the kinds of products you are interested in. We're trying to get a reasonably complete picture of your household and what the individuals who live there like to do,' says Glasgow."

(Related)
Cops Should Get Warrants to Read Your E-Mail, Attorney General Says
Attorney General Eric Holder became the White House’s highest ranking official to support sweeping privacy protections requiring the government, for the first time, to get a probable-cause warrant to obtain e-mail and other content stored in the cloud.
“It is something that I think the Department will support,” Holder testified before the House Judiciary Committee, when questioned about the Justice Department’s position.
Last month, the Senate Judiciary Committee approved a package that nullifies a provision of federal law allowing the authorities to acquire a suspect’s e-mail or other stored content from an internet service provider without showing probable cause that a crime was committed if the content is 180 days or older.
Under the current law, the 1986 Electronic Communications Privacy Act, the government can obtain e-mail without a warrant as long as the data has been stored on a third-party server — the cloud — for 180 days or more. The government only needs to show, often via an administrative subpoena, that it has “reasonable grounds to believe” the information would be useful to an investigation.
Holder, who was speaking at a Justice Department oversight hearing, said that warrants are unnecessary for non-criminal investigations. [Should I read that as: “We don't need a warrant if we're going to sue you?” OR “We can't tie you to a crime yet, but we want to look at all your emails to see if we can find a crime.” Bob]


Perhaps being elected Governor makes you stupid or willing to go to ridiculous lengths to posture for re-election? If one of the Service Academies asked for a high school transcript, would they be denied?
WRCB reports:
Governor Nathan Deal signed an executive order Wednesday which prohibits the state from collecting or sharing with the federal government any personally identifiable data on students or their families.
The order focuses on multiple areas of education and points out that intrusive data tracking is an invasion of privacy and the federal government has no constitutional right to determine how children in the State of Georgia should be educated.
Read more on WRCB.
The text of the Executive Order reads as follows:
WHEREAS: The federal government has no constitutional right to determine how children in the State of Georgia will be educated; and
[ … ]
NOW, THEREFORE, PURSUANT TO THE AUTHORITY VESTED IN ME AS GOVERNOR OF THE STATE OF GEORGIA, IT IS HEREBY
ORDERED: That no educational standards shall be imposed on Georgia by the federal government.
[ … ]
IT IS FURTHER ORDERED: That no personally identifiable data on students and/or their families’ religion, political party affiliation, biometric information, psychometric data and/or voting history shall be collected, tracked, housed, reported or shared with the federal government.
IT IS FURTHER ORDERED: That no student data shall be collected for the purpose of the development of commercial products or services.
This 15th day of May, 2013.
While the student privacy aspect is certainly attractive, keeping the federal government out of educational issues totally has some drawbacks, particularly if you, like me, follow cases pursued by the Department of Justice Office of Civil Rights, which has investigated Georgia districts over segregation and discrimination claims. Barring districts from sharing data with the federal government may result in students in special education and minority students having less protections and fewer services than they currently have. The Executive Order would also seemingly permit local districts to decide to teach the Bible and not evolution, and to teach that homosexuality is bad, etc.
So privacy interests notwithstanding, I think this Executive Order is very problematic.


What could possibly go wrong?
"In their ongoing battle against websites said to infringe music copyrights, record labels have initiated a fresh wave of actions aimed at forcing UK ISPs to carry out domain blocking. This third wave is set to be the biggest so far, affecting as many as 25 domains and including some of the world's largest torrent sites and file-hosting search engines. Furthermore, the BPI – the entity coordinating the action – will ask courts to block U.S.-based music streaming operation, Grooveshark."

(Related)
cluedweasel writes:
"A Federal judge in Medford, OR has dismissed a piracy case lodged against 34 Oregonians. Judge Ann Aiken ruled that Voltage Pictures LLC unfairly lumped the defendants into what she called a 'reverse class action suit' to save on legal expenses and possibly to intimidate them into paying thousands of dollars for viewing a movie that could be bought or rented for less than $10."
The judge was not enthused that they offered to settle for $7500 while noting that potential penalties could be as much as $150,000.


Eventually we may be able to take an idea from regulation “A” and a concept from law “B” and come up with some decent guidance.
I’ve been looking for an English language report on the new breach guidelines in Belgium and finally found one. Cédrine Morlière and Ludo Deklerck of Bird & Bird write:
When the data breach results in a “public incident” (when a data breach results in a public leakage of private data), according to the guidance, the Data Protection Commission is to be informed of the causes and consequences of the incident within 48 hours. In addition, a public information campaign should be rolled out within 24-48 hours after notifying the Data Protection Commission.
The Belgian Data Protection Commission also announced its intention to reinforce the present legal framework. There is already a legal obligation for data controllers to put adequate security measures in place pursuant to the Belgian Data Protection Act; however, this obligation is not being implemented seriously enough, according to the Commission. The Commission will now lobby the Belgian legislator in order to be entitled to make its recommendations on security measures legally binding.
Read more about the new guidelines on Bird & Bird. As always, I’m skeptical of the value of certain reporting demands such as notification to the public within 48 hours. Rushing to notify often leads to errors and necessitates revised notifications with more cost and more frustration or anger for those affected by a breach.


Something for the “How that legal stuff works” bookshelf.
May 15, 2013
Updated Edition of Benchbook Now Available
US Courts: "The 6th edition of the Benchbook for U.S. District Court Judges, a publication of the Federal Judicial Center, is now available online. The book, last updated in 2007, is a concise and practical guide to situations federal judges are likely to encounter on the bench. The Benchbook covers procedures that are required by statute, rule or case law, with detailed guidance from experienced trial judges. And although new judges may benefit the most from the Benchbook, even experienced judges may find useful reminders about how to deal with routine matters, suggestions for handling more complex issues, and helpful starting points in new situations. The 6th Edition includes a primer on a prosecutor's duty to disclose favorable information to defendants under Brady v. Maryland. There's a new section on civil pretrial case management focusing on the judge's role as an active case manager, and a completely revised section on sentencing, which contains an extensive colloquy for the sentencing hearing. There also are subsections on handling disruptive or dangerous defendants, and expanded jury instructions on the use of social media. Due to budgetary constraints, this edition of the Benchbook is published in electronic format only."


Something new for the terrorist toolkit? “Computer Assisted Sniping” – Take your shot while sipping a latte at your local Starbucks, immediately post the video to YouTube.
"A story on NPR reports that the TrackingPoint rifle went on sale today, and can enable a 'novice' to hit a target 500 yards away on the first try. The rifle's scope features a sophisticated color graphics display (video). The shooter locks a laser on the target by pushing a small button by the trigger... But here's where it's different: You pull the trigger but the gun decides when to shoot. It fires only when the weapon has been pointed in exactly the right place, taking into account dozens of variables, including wind, shake and distance to the target. The rifle has a built-in laser range finder, a ballistics computer and a Wi-Fi transmitter to stream live video and audio to a nearby iPad. Every shot is recorded so it can be replayed, or posted to YouTube or Facebook."


Global Warming! Global Warming! Another article that I apparently don't understand.
"Global warming is changing the location of Earth's geographic poles, according to a study published this week. Researchers at the University of Texas, Austin, report that increased melting of the Greenland ice sheet — and to a lesser degree, ice loss in other parts of the globe — helped to shift the North Pole several centimeters east [...and here I was taught that the only direction you could go from the North Pole was South. Bob] each year since 2005. From 1982 to 2005, the pole drifted southeast towards northern Labrador, Canada, at a rate of about 2 milliarcseconds — or roughly 6 centimetres — per year. But in 2005, the pole changed course [So Global Warming began to melt the ice in 2005? Bob] and began galloping east towards Greenland at a rate of more than 7 milliarcseconds per year (abstract). The results suggest that tracking polar shifts can serve as a check on current estimates of ice loss. Scientists can locate the north and south poles to within 0.03 milliarcseconds by using Global Positioning System measurements to determine the angle of Earth's spin. When mass is lost in one part of a spinning sphere, its spin axis will tilt directly towards the position of the loss [Clearly a pound of ice weighs more than a pound of melted ice... Bob] — exactly as the team observed for Greenland."

(Related) Global Cooling! Global Cooling! (Next lecture will feature Al Gore in a parka and mukluks.)
May 15, 2013
NOAA - April temperatures were coolest since 1997
  • "The April average temperature for the contiguous U.S. was 49.7°F, which was 1.4°F below the 20th century average. April 2013 ranked as the 23rd coolest such month on record and marked the coolest April since 1997 when the monthly average temperature for the contiguous U.S. was 48.0°F."


Purely for Academic purposes, I will seek a grant to carefully and completely find and measure all the porn on the Internet. Contributions gratefully accepted...
The Internet’s Dirty Secret: Nobody Knows How Much Porn There Is


For my Math students (It can't hurt)
Mad 4 Maths is an addictive and interactive game for kids (and adults) that enhances mental arithmetic abilities of the player. While this game is aimed at kids to get them familiar with basic arithmetic operations (addition, subtraction, multiplication and division) it also can be enjoyable for adults to practice their basic math skills. It is available for free download for Android and Blackberry platforms.
