Friday, September 13, 2013

For my Computer Security students. If not Best Practices, at least consider these “Things you can do to avoid hassles by the FTC.” Note that all of these are in Chapter One of the Intro to Computer Security textbook. More importantly, look at all the practices they don't mention! For my regular Blog readers: Told ya so!
The Federal Trade Commission has released a provisionally redacted public version of its complaint against LabMD (PHIprivacy.net’s coverage of LabMD linked here).
The complaint provides what could be useful guidance as to what types of practices the FTC considers to be problematic practices under the Act:
10. At all relevant times, respondent engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks. Among other things, respondent:
(a) did not develop, implement, or maintain a comprehensive information security program to protect consumers’ personal information. Thus, for example, employees were allowed to send emails with such information to their personal email accounts without using readily available measures to protect the information from unauthorized disclosure;
(b) did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its networks. By not using measures such as penetration tests, for example, respondent could not adequately assess the extent of the risks and vulnerabilities of its networks;
(c) did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
(d) did not adequately train employees to safeguard personal information;
(e) did not require employees, or other users with remote access to the networks, to use common authentication-related security measures, such as periodically changing passwords, prohibiting the use of the same password across applications and programs, or using two-factor authentication;
(f) did not maintain and update operating systems of computers and other devices on its networks. For example, on some computers respondent used operating systems that were unsupported by the vendor, making it unlikely that the systems would be updated to address newly discovered vulnerabilities; and
(g) did not employ readily available measures to prevent or detect unauthorized access to personal information on its computer networks. For example, respondent did not use appropriate measures to prevent employees from installing on computers applications or materials that were not needed to perform their jobs or adequately maintain or review records of activity on its networks. As a result, respondent did not detect the installation or use of an unauthorized file sharing application on its networks.
11. Respondent could have corrected its security failures at relatively low cost using readily available security measures.
12. Consumers have no way of independently knowing about respondent’s security failures and could not reasonably avoid possible harms from such failures, including identity theft, medical identity theft, and other harms, such as disclosure of sensitive, private medical information.
LabMD will likely respond that the FTC should have published these as a guideline before going after companies for not complying with them, but other businesses may want to use this complaint for their own guidance. In the meantime, LabMD continues complaining vociferously about the FTC’s action.

(Related) This is a peek at Data Brokers. More Privacy than Security
EFF – Data Broker Acxiom Launches Transparency Tool, But Consumers Still Lack Control
EFF: “Acxiom, a data broker that collects 1,500 data points per person [How many can you name off the top of your head? Bob] on over 700 million consumers total and sells analysis of such information, is trying to ward off federal privacy regulations by flaunting transparency—a diluted term, in this case—around user data. The company just launched AboutTheData.com, a site that will let users see and edit some information that Acxiom has about them—only “some,” since Acxiom’s analytics reveal far more information about you (living habits and personal preferences) that isn’t readily available to you, but is sold to partner companies. Everyone should be deeply concerned about data brokers. These companies are scavengers [Data Miners and Big Data analysts? Bob] for very personal data, amassing details about everything from “major life events” (like a wedding or a baby) to your browsing history and shopping habits, and they have even begun exploring business relationships with social media giants like Facebook and Twitter. And once this data is collected, it’s a small step away from government agencies and law enforcement. (There was hubbub around Acxiom and travel information, which the government collected and inadvertently shared.) ACLU has an excellent breakdown of Acxiom after the company released operational details in response to a Congressional inquiry. The Federal Trade Commission (FTC) has launched an in-depth investigation into data brokers to see what information they gather and how it is used. Commissioner Julie Brill recently wrote an op-ed demanding transparency around what user data is being collected through a voluntary “Reclaim Your Name” campaign.”


So fingerprints should not become a “Best Practice.”
Marcia Hofmann writes:
There’s a lot of talk around biometric authentication since Apple introduced its newest iPhone, which will let users unlock their device with a fingerprint. Given Apple’s industry-leading position, it’s probably not a far stretch to expect this kind of authentication to take off. Some even argue that Apple’s move is a death knell for authenticators based on what a user knows (like passwords and PIN numbers).
While there’s a great deal of discussion around the pros and cons of fingerprint authentication — from the hackability of the technique to the reliability of readers — no one’s focusing on the legal effects of moving from PINs to fingerprints.
Because the constitutional protection of the Fifth Amendment, which guarantees that “no person shall be compelled in any criminal case to be a witness against himself,” may not apply when it comes to biometric-based fingerprints (things that reflect who we are) as opposed to memory-based passwords and PINs (things we need to know and remember).
Read more of her excellent OpEd on Wired.


Politics is the art of “anything you can get away with.” This is a case of “We can, therefore we must.”
Tesla Rodriquez reports:
State Rep. Steve Drazkowski is one of 18 plaintiffs in a lawsuit filed Thursday that claims employees from Wabasha and Winona counties, the city of Winona and nearly 50 other counties and cities illegally accessed personal information hundreds of times.
The lawsuit claims that an unknown number of state employees used the state’s driver’s license database more than 600 times since April 2003 to look up their records, which include photos, Social Security numbers, addresses, weight, height and other private information.
Read more on Winona Daily News.
[From the article:
The 18 plaintiffs, a majority of whom are from Wabasha County, say they were targeted because of political reasons, such as for writing a letter to a newspaper, running for election, supporting a campaign or pushing for government reform.
“My clients do something (political),” said attorney Erick Kaardal, who represents the clients. “Police identify them and then run a check.”


Lots of information, so I'm not going to reproduce it here. Worth scanning!
Medical identity theft affected about 1.84 million adults or their family members this year at a projected out-of-pocket cost to the victims of over $12 billion, according to a new report released today.


Are the judges on the Ninth Circuit so far behind the average high school student that they think unencrypted wi-fi is hard to detect and record? Do they still use quill pens? Did they even consider a Google search?
EPIC – Federal Appellate Court Upholds Privacy Protection for Wi-Fi Communications
“The Court of Appeals for the Ninth Circuit has upheld a lower court ruling against Google in a case arising out of the Street View interception of private Wi-Fi communications. The lawsuit alleges that Google’s ongoing interception of Wi-Fi payload data through its Street View program violated several laws, including the federal Wiretap Act. The court rejected Google’s arguments that the interception was permissible. The court said that Google’s interpretation could have the absurd result of rendering private communications, like email, unprotected simply because the recipient fails to encrypt their Wi-Fi network. [I would agree with Google. That's why encryption is a “Best Practice!” Bob] Furthermore, the court explained that the unencrypted nature of the Wi-Fi networks did not make the data transmitted over them “readily accessible to the general public” because the data was still difficult for an ordinary person to intercept. [Nonsense. Bob] EPIC filed a “friend of the court” brief in the case urging the court to uphold legal protections for Wi-Fi communications, and discussing both the intent of the federal law and the operation of a typical home Wi-Fi network. For more information, see EPIC: Ben Joffe v. Google and EPIC: Google Street View.”

[See also:
Everyone knows that unencrypted wireless traffic can be viewed by anyone, and your data can easily be compromised.


This is really interesting. I wonder if there are similar sites for other professions? MBA, Computer Security, etc. (Sturm is there)
Law School News Aggregator
Elmer Masters: “Law School News. You can check it out at http://lsn.symphora.com/. In a nutshell it’s a site that aggregates RSS/Atom news feeds from just over 100 law schools in the US. There are more details about how it got built and what’s there on my blog at http://elide.us/2L.”


Come to think of it, this could make lots of things easier!
To Enjoy Driverless Cars, First Kill All the Lawyers


Perspective: My students could at least try reading the textbook...
Welcome to the 72-Hour Work Week
How many hours do you think the average American professional works each week? If you think 40, 50 or even 60, think again. For many, 72 hours is the new norm.


Could be handy
– allows you to design your own personal startpage with your most important bookmarks and RSS feeds. Easy to use, reliable and completely (ad) free. Your startpage is stored in the cloud so that you can access it anywhere and on any device. Categorize bookmarks and RSS feeds in pages and lists. Import and export your bookmarks and RSS feeds. Make your pages public and share them.


For all my students. (At least the ones who like Chrome.)
Turn Chrome Into a Research Hub With These Extensions
We’ve covered a few tools like this before, like Diigo and Google Drive, but I’ll be going through four of the extensions that help me out the most as a student, and they can help you too.
OverTask is like a home base for organizing all of your tabs. It replaces your New Tab page with the OverTask main page where you can create tasks and view all of your tasks in a nice, simple, colorful layout. When you select a task or create one, it will close all of your tabs and leave you with just one tab for your task.
Citelighter is a toolbar that sits at the top of your window and helps you keep your research organized and cited.
Joining the hordes of vowel-deprived services like Tumblr and Flickr is Stay Focusd; this app, as the name implies, attempts to keep you focused on your work. It does this by limiting the amount of time you can spend on a certain list of websites.
Citable is a tool for organizing your sources, similar to Citelighter. It creates a button in the upper right hand of Chrome that you can click to cite the website you are on.


For my students with thumbdrives...
5 Websites For Every Portable Application On The Web
Applications are linked to reviews that already exist on MakeUseOf.
As the name implies, everything you’ll find here is 100% free and portable.
Pendriveapps.com is a very large and organized directory that is quite similar to The Portable Freeware Collection, but just structured differently.
The huge majority of the applications here are portable (I’ve yet to find one otherwise) and they are all extremely small in size.
PortableApps.com is one of the most well-known places on the web to go for portable applications, most specifically their famous PortableApps.com Suite. However, PortableApps.com also offers their applications in a standalone format through a directory of more than 300 apps.
