Wednesday, September 25, 2013

I'm sure I've made this point before: “Compliant” is not the same as “Secure.” Just because you have taken “reasonable measures” to secure your data does not mean that the bad actors will not take “completely unreasonable” (call it sophisticated or extreme) measures to get at your data. Remember, if it works against you, it might also work against hundreds of other “compliant” organizations. Is it unreasonable to expect an organization to know what data is leaving its servers?
We are writing to you because of an incident at Unique Vintage. On September 14, 2013 we discovered a data security incident that involved some of your personal information. Unique Vintage is Payment Card Industry Security Standards Council (“PCI”) compliant and implements the latest measures reasonably possible to protect its customers’ sensitive information. However, the very sophisticated data breach concerning this incident involved malicious malware that was siphoning customer information from Unique Vintage’s website from approximately January 2012 until September 14, 2013. The information breached contained customer names, email addresses, telephone numbers and credit card numbers.
Read more of Unique Vintage’s consumer notification letter here (pdf).


For my Ethical Hackers. Time is money. All you have to do is beat the other guy...
Somebody Stole 7 Milliseconds From the Federal Reserve
Last Wednesday, the Fed announced that it would not be tapering its bond buying program. This news was released at precisely 2 pm in Washington "as measured by the national atomic clock." It takes 7 milliseconds for this information to get to Chicago. However, several huge orders that were based on the Fed's decision were placed on Chicago exchanges 2-3 milliseconds after 2 pm. How did this happen?
CNBC has the story here, and the answer is: we don't know.


Several interesting points...
If you haven’t already bookmarked JustSecurity.org for daily reading, do so now.
Julian Sanchez writes:
Between Edward Snowden’s ongoing leaks and a series of frankly unprecedented disclosures by the government itself, the public now knows quite a bit about the NSA’s controversial telephony metadata program, which makes use of the Patriot Act’s §215 to collect, in bulk, nearly all Americans’ domestic call detail records from telephone carriers. We know far less, however, about the government’s bulk collection of Internet metadata under FISA’s pen register/trap-&-trace authority, which supposedly ceased in 2011—though some such collection almost certainly continues in a more limited form.
Read more on Just Security.
[From the article:
The crucial point here is that the detailed “metadata” for a particular Internet communication, past the IP layer, typically wouldn’t be processed or stored by the ISP in the way that phone numbers and other call data is stored by the phone company. From the ISP’s perspective, all of that stuff is content.

(Related) Perhaps they are reading a different constitution?
Nathan Freed Wessler writes:
The Drug Enforcement Administration thinks people have “no constitutionally protected privacy interest” in their confidential prescription records, according to a brief filed last month in federal court. That disconcerting statement comes in response to an ACLU lawsuit challenging the DEA’s practice of obtaining private medical information without a warrant. The ACLU has just filed its response brief, explaining to the court why the DEA’s position is both startling and wrong.
Read more on the ACLU.


How many others should join this quest?
Dropbox has filed an amicus brief in support of a consolidated brought in the FISC by five tech giants seeking to be more transparent with the public about government requests for user information.


You get one “Please,” after that it's “or else.”
Rosalind English writes:
R (on the application of R) v Chief Constable [2013] EWHC 2864 (Admin) 24 September 2013 – read judgment
The High Court has ruled that it is not a breach of the right to private life to request DNA samples from those who were convicted of serious offences before it became commonplace to take samples for the production of DNA profiles for the investigation of crime.
Read more about the case and ruling on UK Human Rights Blog.
[From the article:
He refused to give the sample when it was sought initially, so he was sent a letter requiring him to attend at a police station to provide the sample on pain of arrest. He applied for judicial review of this requirement, arguing that it was an unlawful incursion on his right to privacy under Article 8.
In the light of the fact that the claimant’s previous convictions had been for manslaughter and kidnapping, the police had identified him as falling within the criteria for a nationwide operation [Sort of an informal, retroactive law? Bob] to ensure that those convicted of homicides and/or sexual offences have a confirmed DNA profile held on the National DNA Database.


For my Cloud Security students.
UK – Protecting Vulnerable Data Subjects
“The use of commercial cloud services by public organisations in Europe is growing. While the benefits of cloud computing are indisputable, the public sector contains certain particularly sensitive or vulnerable user populations whose privacy requires special protection. Critical examples include civil servants employed by local or national governments and – the subject of particular emphasis in this report – children in schools.
The most widely used cloud services today are typically free or very inexpensive offerings designed as vehicles for online behavioural advertising aimed at individual consumers. SafeGov.org is concerned that by repurposing such advertising-driven services for users within organisations, cloud providers may deliberately or inadvertently expose these data subjects to online advertising, profiling or other forms of personal information processing that violate their rights under EU data protection laws. The risk is particularly acute in the absence of constraints on the contractual relations between data processors and data controllers that ensure the rights to information and consent of the data subjects in these organisational contexts.”


The pendulum has swung a bit too far here.
7th-grader suspended for playing with airsoft gun in own yard
A seventh-grade student in Virginia Beach, Va., has been suspended from school for playing with an airsoft gun with a friend in his front yard while waiting for the school bus.
WAVY-TV reports that 13-year-old Khalid Caraballo will find out soon if he will be expelled for "possession, handling and use of a firearm" because the guns were fired at two others playing in Caraballo's yard.
A neighbor saw Khalid shooting the airsoft gun in his yard and called 911, telling the dispatcher, "He is pointing the gun, and it looks like there's a target in a tree in his front yard," the station reported.
The school's so-called "zero-tolerance" policy on guns extends to private property, according to the report.
Khalid's mother, Solangel Caraballo, said it's ridiculous that her son and his friends were suspended because they were firing the airsoft gun on private property.
"My son is my private property. He does not become the school's property until he goes to the bus stop, gets on the bus, and goes to school," Caraballo told the station.
… "The school said I had possession of a firearm. They aren't going to ask me any questions. They are going to think it was a real gun, and I was trying to hurt someone," he said


Is this what makes it a great investment? Definitely worth reading the article.
Josh Harkinson writes:
Facebook gets all the bad press, but the bigger threat to your online privacy these days might be your Twitter account. Twitter knows you much better than you may realize. And as it prepares for an IPO, it’s taking steps that may allow it to profit from your data in ways that would provoke howls of protest were Mark Zuckerberg to try the same.
Read more on Mother Jones.
[From the article:
Much of the data Twitter collects about you doesn't actually come from Twitter. Consider the little "tweet" buttons embedded on websites all over the net. Those can also function as tracking devices. Any website with a "tweet" button—from Mother Jones to Playboy—automatically informs Twitter that you've arrived.
… These moves might seem quaint a year from now, when Twitter ranks as the most sophisticated advertising platform in cyberspace. Earlier this month, the company announced that it was acquiring MoPub, a middleman that places ads within mobile apps. "The MoPub acquisition allows Twitter to fundamentally change how mobile ads are purchased and places them at the forefront of how mobile, Web, and social ads interact," Antonio Garcia, a former Facebook employee and creator of its FBX real-time ad exchange, wrote on his blog last week. "This makes Twitter the most interesting company in advertising right now."

(Related) Your own, personal “stalker tool.”
– When you evaluate a Twitter Profile, whether to follow them or to reach out to them as an influencer, you can’t get a good idea about them unless you manually go through page after page of their tweets. Twibitz was created to solve this problem by analyzing any public Twitter profile and creating a snapshot of that user based on their profile and history.


Something to kick around with my fellow Computer Security instructors...
Professionalizing the Nation’s Cybersecurity Workforce? Criteria for Decision-Making
“This report examines workforce requirements for cybersecurity and the segments and job functions in which professionalization is most needed; the role of assessment tools, certification, licensing, and other means for assessing and enhancing professionalization; and emerging approaches, such as performance-based measures. It also examines requirements for the federal (military and civilian) workforce, the private sector, and state and local government. The report focuses on three essential elements: (1) understanding the context for cybersecurity workforce development, (2) considering the relative advantages, disadvantages, and approaches to professionalizing the nation’s cybersecurity workforce, and (3) setting forth criteria that can be used to identify which, if any, specialty areas may require professionalization and set forth criteria for evaluating different approaches and tools for professionalization. Professionalizing the Nation’s Cybersecurity Workforce? Criteria for Decision-Making characterizes the current landscape for cybersecurity workforce development and sets forth criteria that the federal agencies participating in the National Initiative for Cybersecurity Education—as well as organizations that employ cybersecurity workers—could use to identify which specialty areas may require professionalization and to evaluate different approaches and tools for professionalization.


For my students who research (it should be all of them!)
A brief guide to discovering open access journals and articles on ScienceDirect
News release: “At Elsevier, we have been busy scaling our open-access publishing program; we now publish 56 open-access journals and host a further 91 on behalf of our society and publishing partners. However, you may not know how to navigate to these journals and articles. Here are some tips to help you find this content easily.
1. Find a list of open-access journals: You can navigate to our list of open access journals from the ScienceDirect homepage by clicking the link for our “Open Access Journal Directory” or bookmarking http://www.sciencedirect.com/science/browse/all/open-access.
2. Find a list of all journals that have open-access articles: In addition to our 56 open access journals, we give authors the option to publish open-access articles in over 1,600 of our established journals. Find a list of these journals on the ScienceDirect homepage by clicking “View all publications with Open Access articles.” Once you are in the publication list, you can limit your results to open-access journals or journals that contain open-access articles by selecting the appropriate filter checkboxes.
3. Find a list of open-access articles: The easiest way to find relevant open-access articles is to search ScienceDirect. By keying in your search terms, you will be able to identify any relevant open-access articles in your search results by looking for the label “Open Access.”
4. Search only for open access articles: If you would prefer to see filtered results that only show open-access articles, then you need to use the advanced search. In the advanced search, you can refine your search results to only show open-access articles by selecting the checkbox for Open Access Articles.”


It looks like I'll get to play with the school's 3D printer. I better start gathering some 3D tools. This one is more for display than printing.
The Future Is Here: Sketchfab Puts 3D Models Right In Your Browser
With free, powerful 3D modeling applications like Blender and SketchUp, creating high-quality 3D models is more affordable and doable than ever before. Judging by the comments to my interview with Rafael Grassetti, there’s a lot of interest in creating models and working in 3D. Sharing those models with others, however, remains tricky. SketchUp has its 3D Warehouse where users can share models, but the warehouse requires you to log in — and you must share the actual model, rather than a 3D render of it.
Sketchfab is an interesting service that tries to solve this, by letting you upload 3D models and embed them in beautifully rendered form anywhere on the Web. No plug-ins are required to view your embedded models: Just HTML5. Even if you’re not a 3D designer, the Sketchfab website is a beautiful repository of inspiring designs, and is fun to just cruise around in.

(Related)
Autodesk and Circuits.io Launch New Electronics Design Tool 123D Circuits
Autodesk expanded its offering of free 3D modeling tools last week by joining with Circuits.io to launch a free electronics design tool called 123D Circuits. 123D Circuits allows the user to either learn circuit design or put their existing electronics knowledge to use by designing virtual electronic circuits that can be simulated inside of the software. It’s a web-based tool, so the user doesn’t need to install any software to create virtual circuits.
… You can access 123D Circuits directly at the Circuits.io website.


For my Ethical Hackers.
FREE MANUAL! Take Control: The Android Rooting Guide


For my students.
How You Can Learn A New Language While Browsing The Web With Lingua.ly
… The Internet has helped to do away with the language tutor – websites like Duolingo and Busuu can easily tell you if you have an ear for new languages; and how you can develop one. But once you get the basics right, you need to keep practicing. That’s what inspired me to write the article on how to learn a new language with the help of Chrome.
Following in that wake, I discovered Lingua.ly. Lingua.ly is another innovative language learning tool that helps you become familiar with foreign words while browsing the Web.
Lingua.ly is a Chrome extension. Think of it as your smart personal language “tutor”. … Currently, you can learn Spanish, French, Hebrew, Arabic, and English.
… After installing the extension, just go to a webpage which is in the language of your choice. … On the webpage, click on the words you want to learn. Lingua.ly automatically picks them up and displays the translation for you to understand with the help of audio pronunciations and definitions.


I'm teaching Statistics again next Quarter. It's always useful to find a little inspiration before I start.
Nate Silver on Finding a Mentor, Teaching Yourself Statistics, and Not Settling in Your Career
Perhaps no one has done more for the cause of data-driven decision-making in the minds of the public than Nate Silver. His book, The Signal and the Noise, explains the power of statistical modeling to improve our predictions about everything from the weather to sports to the stock market. Data science is the hottest field to be in right now, and Silver is its poster child.
