Saturday, February 02, 2013

If you haven't been hacked, China doesn't think you're important. (This Blog is safe.) On the other hand, who has been hacked but has not (yet?) detected it?
Following on the heels of the New York Times, Bloomberg News, and the Wall Street Journal, sources have come forward to state that The Washington Post has also been hit by cyberattacks originating in China. The information was provided by individuals said to be familiar with the situation, including a former Post employee. The attacks were said to have occurred over the course of at least four years.


...and just for fun, we did it with 140 character programs!
"Earlier this week, hackers gained access to Twitter's internal systems and stole information, compromising 250,000 Twitter accounts before the breach was stopped. Reporting the incident on the company's official blog, Twitter's manager of network security did not specify the method by which hackers penetrated its system, but mentioned vulnerabilities related to Java in Safari and Firefox, and echoed Homeland Security's advisory that users disable Java in their browsers. Sure, blame everything on Larry Ellison. Looks like bad things do happen in threes — Twitter's report comes on the heels of disclosures of hacking attacks on the WSJ and NY Times."


What's the French word for “extortion?” Oh yeah, it's “extorsion.” Vive la France!
New submitter Flozzin writes with news of some resolution to the long-standing dispute that some French publishers have had with Google for republishing snippets of news reports without sharing revenue earned from the ads run alongside. Now, reports the BBC, "Google has agreed to create a 60m euro ($82m; £52m) fund to help French media organisations improve their internet operations. [Let's hope this does not mean “find more victims” Bob] It follows two months of negotiations after local news sites had demanded payment for the privilege of letting the search giant display their links. The French government had threatened to tax the revenue Google made from posting ads alongside the results."


A potential guide for government Health Care systems?
Jack Doyle reports:
GPs are to be forced to hand over confidential records on all their patients’ drinking habits, waist sizes and illnesses.
The files will be stored in a giant information bank that privacy campaigners say represents the ‘biggest data grab in NHS history’.
They warned the move would end patient confidentiality and hand personal information to third parties.
The data includes weight, cholesterol levels, body mass index, pulse rate, family health history, alcohol consumption and smoking status.
Diagnosis of everything from cancer to heart disease to mental illness would be covered. Family doctors will have to pass on dates of birth, postcodes and NHS numbers.
Officials insisted the personal information would be made anonymous and deleted after analysis.
Read more on Daily Mail.
And if you’re looking for additional information on the Everyone Counts initiative, you might want to check out this NHS Commissioning Board web site. One of the documents on that site provides more details on the clinical data sets and the types of information GPs are required to submit.
It is understandable, and even commendable, that public health authorities want to get a handle on the state of the public’s health and available services to improve them. Our own CDC also compiles data that points to underserved groups of patients, etc. But requiring physicians to provide such extensive information on every patient in conjunction with the patient’s national NHS identifier when we know that the NHS has had numerous data security and privacy breaches is a breach waiting to happen. Under the scheme, GPs would be providing:
  • NHSNumber
  • Date of Birth
  • Gender
  • PostCode
  • EthnicityCode
  • Registration Status
  • RegistrationDate
  • DeRegistrationDate
  • Date of Death
And then there is all the medical/mental health information.
I think the NHS is overly and unduly confident of its ability to secure data. How many thousands of people will have access to the data that has been electronically inputted by physicians? And for how long will they store the data before it is analyzed and then deleted?
Overall, it appears that the NHS has taken the notion of public health to an extreme at the expense of patient confidence in the confidentiality of their visits to their doctors. How many patients will not seek care for fear of mental health or other problems being reported to a central authority?
Just as health care professionals in the U.S. need to resist some government plans to require us to provide data on our patients, so, too, do British health care organizations need to take a long hard look at confidentiality issues. The BMA has expressed some concerns, but confidentiality doesn’t appear to be among them. Hopefully they will address confidentiality and security issues in a further post.


On March 15th, The Privacy Foundation (http://privacyfoundation.org/ ) will host a seminar to correct all of the FTC's errors. Mark your calendar!
The FTC has released a new report: Mobile Privacy Disclosures: Building Trust Through Transparency. From the Executive Summary:
Based on the Commission’s prior work in this area, the panel discussions, and the written submissions, this report offers several suggestions for the major participants in the mobile ecosystem as they work to improve mobile privacy disclosures.
Platforms, or operating system providers, offer app developers and others access to substantial amounts of user data from mobile devices (e.g., geolocation information, contact lists, calendar information, photos, etc.) through their application programming interfaces (APIs). In addition, the app stores they offer are the interface between users and hundreds of thousands of apps. As a result, platforms have an important role to play in conveying privacy information to consumers. While some platforms have already implemented some of the recommendations below, those that have not should:
  • Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation;
  • Consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers would find sensitive in many contexts, such as contacts, photos, calendar entries, or the recording of audio or video content;
  • Consider developing a one-stop “dashboard” approach to allow consumers to review the types of content accessed by the apps they have downloaded;
  • Consider developing icons to depict the transmission of user data;
  • Promote app developer best practices. For example, platforms can require developers to make privacy disclosures, reasonably enforce these requirements, and educate app developers;
  • Consider providing consumers with clear disclosures about the extent to which platforms review apps prior to making them available for download in the app stores and conduct compliance checks after the apps have been placed in the app stores;
  • Consider offering a Do Not Track (DNT) mechanism for smartphone users. A mobile DNT mechanism, which a majority of the Commission has endorsed, would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate among apps on their phones.
App developers should:
  • Have a privacy policy and make sure it is easily accessible through the app stores;
  • Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms have not already provided such disclosures and obtained such consent);
  • Improve coordination and communication with ad networks and other third parties, such as analytics companies, that provide services for apps so the app developers can provide accurate disclosures to consumers. For example, app developers often integrate third-party code to facilitate advertising or analytics within an app with little understanding of what information the third party is collecting and how it is being used. App developers need to better understand the software they are using through improved coordination and communication with ad networks and other third parties.
  • Consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.
Advertising networks and other third parties should:
  • Communicate with app developers so that the developers can provide truthful disclosures to consumers;
  • Work with platforms to ensure effective implementation of DNT for mobile.
App developer trade associations, along with academics, usability experts and privacy researchers can:
  • Develop short form disclosures for app developers;
  • Promote standardized app developer privacy policies that will enable consumers to compare data practices across apps;
  • Educate app developers on privacy issues.
Download the full report here.


“We heard your protests and after review have decided to ignore them.”
"Facebook has brought back its photo Tag Suggestions feature to the U.S. after temporarily suspending it last year to make some technical improvements. Facebook says it has re-enabled it so that its users can use facial recognition 'to help them easily identify a friend in a photo and share that content with them.' Facebook first rolled out the face recognition feature across the U.S. in late 2010. The company eventually pushed photo Tag Suggestions to other countries in June 2011, but in the US there was quite a backlash. Yet Facebook doesn't appear to have made any privacy changes to the feature: it's still on by default."


Not exactly an App, but an interesting “big data” tool...
IBM Security Tool Can Flag ‘Disgruntled Employees’
… The new tool, called IBM Security Intelligence with Big Data, is designed to crunch decades worth of emails, financial transactions and website traffic, to detect patterns of security threats and fraud. Beyond its more conventional threat prevention applications, the new platform, based on Hadoop, a framework that processes data-intensive queries across clusters of computers, will allow CIOs to conduct sentiment analysis on employee emails to determine which employees are likely to leak company data, Mr. Bird said. That capability will look at the difference between how an employee talks about work with a colleague and how that employee discusses work on public social media platforms, flagging workers who may be nursing grudges and are more likely to divulge company information. “By analyzing email you can say this guy is a disgruntled employee and the chance that he would be leaking data would be greater,” Mr. Bird said of IBM’s new tool.


For my Geeks...


For anyone who has to be out and about during “Commercial Fest” (More sources in the article)
… If you head over to the CBS Sports home page and click on over to their /SuperBowl/ portal, you’ll be able to see the whole game live.
… If you’re a Verizon user and you’ve subscribed to NFL Mobile, you’re in luck – the whole game will be streamed through your smartphone.


The future of education?
Friday, February 1, 2013
200+ MOOCs and Free Online Certificate Programs
… To help you find a MOOC that interests you and/or your students, Open Culture has created a list of more than 200 MOOCs and free certificate programs.
Stephen Downes also has a nice MOOC listing going on his MOOC.ca page.


My weekly amusement...
TorrentFreak reports that the University of Illinois is disconnecting the Internet of students who are accused of piracy after their first warning. “When copyright holders send a DMCA notice informing the university about unauthorized BitTorrent downloads, the student’s dorm room is immediately cut off from the Internet.”
The patent system in the U.S. is broken. Case in point, the awarding this week of a patent to the University of Phoenix for its Academic Activity Stream, an educational news feed. There’s lots of prior art here, including Facebook’s patent on the news feed itself. Phil Hill offers more thoughts on e-Literate. Will ed-tech soon see round 2 of the great LMS patent wars (Blackboard v Desire2Learn) with the University of Phoenix going after those who use news feeds in their software (namely Instructure, Edmodo, Schoology, Pearson’s OpenClass…)?


Dilbert shows one downside (upside?) of Behavioral Advertising...

Friday, February 01, 2013

It's just the Chairman, checking his US investments...
"The Wall Street Journal said Thursday its computers were hit by Chinese hackers, the latest U.S. media organization citing an effort to spy on its journalists covering China. The Journal made the announcement a day after The New York Times said hackers, possibly connected to China's military, had infiltrated its computers [Interesting phrase from journalists who write accurately... Bob] in response to its expose of the vast wealth amassed by a top leader's family. The Journal said in a news article that the attacks were 'for the apparent purpose of monitoring the newspaper's China coverage' and suggest that Chinese spying on U.S. media 'has become a widespread phenomenon.'"

(Related) Can we wage war without drones? (Is this what all the “digital Pearl Harbor” posturing was about?)
U.S. weighs retaliation to alleged Chinese cyberattacks
The Obama administration is considering further action after the failure of high-level talks with Chinese officials over cyberattacks against America, according to the Associated Press.
The AP reports that two former U.S. officials say the administration is currently preparing a new National Intelligence Estimate -- a governmental assessment of concerns relating to security -- in order to better understand and analyze the persistence of cyberattacks that come from China.
Once this is complete, it will apparently be possible to better address the security threat, as well as justify actions to defend both the general public and national security.


At least they weren't Chinese...
"Amazon.com, the multi-billion online retail website, experienced an outage of unknown proportions on Thursday afternoon. Rumblings of an Amazon.com outage began popping up on Twitter at about 2:40 PM ET. Multiple attempts to access the site around 3:15 PM ET on Thursday were met with the message: 'Http/1.1 Service Unavailable.' By 3:30 PM ET the site appeared to be back online for at least some users. How big of a deal is an hour-long Amazon outage? Amazon.com's latest earnings report showed that the company makes about $10.8 billion per quarter, or about $118 million per day and $4.9 million per hour."
Update: 01/31 22:25 GMT by T : "Hackers claim credit."
[From the update:
The group went on to detail how it knocked the front door down (only Amazon.com's front page was offline), with a large "botnet" or network of thousands of computers working together.
… Amazon.com averages $100,000 per minute in sales according to the Seattle Times.
“The gateway page of Amazon.com was offline to some customers for approximately 49 minutes,”


Your Computer Security managers should be able to explain each of these...
Security threats have increasingly come from new directions and that isn’t looking set to change in 2013. There are new risks you should be aware of, exploits of popular applications, increasingly sophisticated phishing attacks, malware, and scams targeting our love of social networks and photo sharing, and threats associated with viewing online videos.


Honest, this is not my Ethical Hackers retaliating for the New York Times hack. I know the lawyers at the Sturm College of Law (University of Denver) are looking at Mobile Apps for a March 15th seminar, perhaps we can get them to include a few malware Apps like this one...
"A newly discovered malware is potentially one of the most costly viruses yet discovered. Uncovered by NQ Mobile, the 'Bill Shocker' (a.expense.Extension.a) virus has already impacted 620,000 users in China and poses a threat to unprotected Android devices worldwide. Bill Shocker downloads in the background, without arousing the mobile device owner's suspicion. The infection can then take remote control of the device, including the contact list, Internet connections and dialing and texting functions. Once the malware has turned the phone into a "zombie," the infection uses the device to send text messages to the profit of advertisers. In many cases, the threat will overrun the user's bundling quota, which subjects the user to additional charges."

(Related) Some of these depend on users having Smartphones.
FTC’s $50,000 Robocall Challenge nets 744 ideas to shut down robocallers
The Federal Trade Commission today said the submission period for its Robocall Challenge had ended and it got 744 new ideas for ways to shut down the annoying automated callers.


Now there is an eye catching headline! (I can't yet confirm this, but I am diligently viewing as many porn sites as possible...)
"The popular belief is that security risks increase as the user engages in riskier and shadier behavior online, but that apparently isn't the case, Cisco found in its 2013 Annual Security report. It can be more dangerous to click on an online advertisement than an adult content site these days, according to Cisco. For example, users clicking on online ads were 182 times more likely to wind up getting infected with malware than if they'd surfed over to an adult content site, Cisco said. The highest concentration of online security targets do not target pornography, pharmaceutical, or gambling sites as much as they affect legitimate sites such as search engines, online retailers, and social media. Users are 21 times more likely to get hit with malware from online shopping sites and 27 times more likely with a search engine than if they'd gone to a counterfeit software site, according to Cisco's report (PDF). There is an overwhelming perception that people get compromised for 'going to dumb sites,' Mary Landesman, senior security researcher at Cisco, told SecurityWeek."


I forget. Are we here in Oceania at war with Eastasia or Eurasia?
"Leading privacy expert Caspar Bowden warned European citizens not to use cloud services hosted in the U.S. over spying fears. Bowden, former privacy adviser to Microsoft Europe, explained at a panel discussion hosted at the recent Computers, Privacy and Data Protection conference in Brussels, that a section in the Foreign Intelligence Surveillance Act Amendments Act 2008 (FISAAA) permits U.S. intelligence agencies to access data owned by non-U.S. citizens on cloud storage hosted by U.S. companies, if their activity is deemed to affect U.S. foreign policy. Bowden claimed the Act allows for purely political spying of activists, protesters and political groups. Bowden also pointed out that amendments to the EU's data protection regulation proposal introduce specific loopholes that permit FISAAA surveillance. The president of Estonia, Toomas Hendrik Ilves (at a separate panel discussion) commented that, "If it is a US company it's the FBI's jurisdiction and if you are not a US citizen then they come and look at whatever you have if it is stored on a US company server". The European Data Protection Supervisor declined to comment but an insider indicated that the authority is looking into the matter."


Pop quiz material for my students!

Thursday, January 31, 2013

It's only the Times. God help them if they shut down the SuperBowl telecast!
Hackers in China Attacked The Times for Last 4 Months
For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees.
… The timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.
… The hackers tried to cloak the source of the attacks on The Times by first penetrating computers at United States universities and routing the attacks through them, said computer security experts at Mandiant, the company hired by The Times. This matches the subterfuge used in many other attacks that Mandiant has tracked to China.


Keeps my secret identity secret!
I’ve been checking Foursquare’s site occasionally today as they indicated that a change in their Terms of Service was forthcoming. Now it’s here, and it’s great.
As I blogged earlier today, Foursquare had implemented their new “full name” privacy policy, announced last month, even though it seemed to be in conflict with their media statements that suggested nyms could be used, and their Terms of Service that required “truthful” registration information.
Their new TOS, dated yesterday but uploaded today, states, in relevant part:
Registration and Eligibility.
You may browse the Site and view Content without registering, but as a condition to using certain aspects of the Service, you are required to register with Foursquare and represent, warrant and covenant that you provide Foursquare with accurate and complete registration information (including, but not limited to a user name (“User Name”), e-mail address and a password you will use to access the Service) and to keep your registration information accurate and up-to-date. Failure to do so shall constitute a breach of these Terms of Use, which may result in immediate termination of your Foursquare account. We recommend, but do not require, that you use your own name as your User Name so your friends can recognize you more easily. (emphasis added by me)
This is good news, indeed, and I think they made a great policy decision. Hopefully, they’ll allow users who registered using real names to change to usernames if they so desire.
Frankly, I have no idea if any of this was already under internal review before Jules Polonetsky, Greg Norcie, and I individually contacted them with our observations and questions, but either way, it’s a good outcome for user privacy.


I don't think the IRS has a sense of humor either...
"An employee of the Canada Revenue Agency lost his job after releasing a humorous game in which the player answers customer service calls for the Agency, usually leading to his termination. In an email National Revenue Minister Gail Shea said: 'The Minister considers this type of conduct offensive and completely unacceptable. The Minister has asked the Commissioner (of Revenue, Andrew Treusch) to investigate and take any and all necessary corrective action. The Minister has asked the CRA to investigate urgently to ensure no confidential taxpayer information was compromised.'"


Perhaps we should think about this in the US?
"As the UK prepares to shake up the way computer science is taught in schools, Redmond is warning that the UK risks falling behind other countries in the race to develop and nurture computing talent, if 'we don't ensure that all children learn about computer science in primary schools.' With 100,000 unfilled IT jobs but only 30,500 computer science graduates in the UK last year, MS believes: 'By formally introducing children to computer science basics at primary school, we stand a far greater chance of increasing the numbers taking the subject through to degree level and ultimately the world of work.'"


OMG! IMHO this is too much! (Don't they Google these requests?)
First time accepted submitter 3seas writes in about DMVs across the country learning textspeak in order to keep vulgar acronyms off the road.
"You can have txtspeak on your plate in Arizona, but only if you keep it clean. 'ROFLMAO' is a no-go. Arkansas, however, seems to be a little slower on the uptake. 'ROFLMAO' doesn't appear on the state's prohibited list. That doesn't necessarily mean the plate would pass DMV scrutiny should someone request it."


Everything is a joke today... Isn't it? I mean, would we ever see the “TRUE” sign?
The Washington Post has announced a prototype news application called "Truth Teller" that displays “TRUE” or “FALSE” in real time next to video of politicians as they speak. The Knight Foundation-funded program automatically transcribes speeches and checks the statements against a database of facts. From the article: "For now, the early beta prototype has to be manually hand-fed some facts, and thus only works on topics it has been specifically designed to recognize. Since Congress has yet to pass a budget, and financial discussions are prone to widespread lies and misstatements, Truth Teller is being piloted on the issue of tax policy."


Now all I need is a reason for everyone to give me money!
… I’d like to ... show you all of the different ways that you can actually accept payments from people.


Dilbert voices one of my long time concerns...

Wednesday, January 30, 2013

So would this automatically suggest negligence?
"Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC) to alleviate this threat. In 2008, security researcher Dan Kaminsky described a major DNS flaw that made it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing. While DNS software patches are available to help plug the Kaminsky hole, experts agree that the best long-term fix is DNSSEC, which uses digital signatures and public-key encryption to allow websites to verify their domain names and corresponding IP addresses and prevent man-in-the-middle attacks. Despite the promise of DNSSEC, the number of U.S. corporations that have deployed this added layer of security to their DNS server is minuscule."


The models for 'Best practices' or simply the 'Least Bad?' Most likely, neither...
From their Executive Summary:
Ponemon Institute’s Most Trusted Companies for Privacy Study is an objective study that asks consumers to name and rate organizations they believe are most committed to protecting the privacy of their personal information. This annual study tracks consumers’ rankings of organizations that collect and manage their personal information.
More than 100,000 adult-aged consumers were asked to name up to five companies they believe to be the most trusted for protecting the privacy of their personal information. Consumer responses were gathered over a 15-week period concluding in December 2012 and resulted in a final sample of 6,704 respondents who, on average, provided 5.4 discernible company ratings that represent 25 different industries.
Following are our most salient findings:
  • American Express (AMEX) continues to reign as the most trusted company for privacy among 217 organizations rated in our most trusted companies list.
  • New entrants to this year’s top 20 most trusted list include: Microsoft (ranked 17), United Healthcare (ranked 18) and Mozilla (ranked 20).
  • Healthcare, consumer products, and banking are the industry segments considered by consumers to be the most trusted for privacy (among 25 industry categories). In contrast, Internet and social media, non-profits (charities) and toys are viewed as the least trusted for privacy.
  • Seventy-eight percent of respondents continue to perceive privacy and the protection of their personal information as very important or important to the overall trust equation. Further, the importance of privacy has steadily trended upward over seven years.
  • While most individuals say protecting the privacy of their personal information is very important, 63 percent of respondents admit to sharing their sensitive personal information with an organization they did not know or trust. Of those who admit to sharing, 60 percent say they did this solely for convenience such as when making a purchase.
  • Fifty-nine percent of respondents believe their privacy rights are diminished or undermined by disruptive technologies such as social media, smart mobile devices and geo-tracking tools. Fifty-five percent say their privacy has been diminished by virtue of perceived government intrusions.
  • Only 35 percent of respondents believe they have control over their personal information and this result has steadily trended downward over seven years.
  • Less than one-third (32 percent) of respondents admit they do not rely on privacy policies or trust seal programs when judging the privacy practices of organizations they deal with. When asked why, 60 percent believe these policies are too long or contain too much legalese.
  • Forty-nine percent of respondents recall receiving one or more data breach notifications in the past 24 months. Seventy percent of these individuals said this notification caused a loss of trust in the privacy practices of the organization reporting the incident.
  • Seventy-three percent of respondents believe substantial security protections over their personal information are the most important privacy feature to advancing a trusted relationship with business or government organizations. Other important privacy features include: no data sharing without consent (59 percent), the ability to be forgotten (56 percent) and the option to revoke consent (55 percent).
  • The number one privacy-related concern expressed by 61 percent of respondents is identity, closely followed by an increase in government surveillance (56 percent).
Read the full report here.


So all the contract language needs to change?
Helpful write-up by Dena Feldman on the final HITECH rule as it applies to business associates and subcontractors includes:
Direct Liability under the Security Rule. The final rule alters the regulations to expressly subject business associates to the administrative, physical, and technical safeguard requirements of the Security Rule. HHS commented that, because business associates previously had to agree in their business associate agreements with covered entities to appropriately protect and safeguard PHI, business associates and subcontractors “should already have in place” security practices that are compliant with the rule or need only “modest improvements.” HHS recognized, however, that many business associates will not have engaged in the “formal administrative safeguards” required by the rule.
Direct Liability under the Privacy Rule. The final regulations modify the Privacy Rule to extend direct liability for disclosures of PHI by business associates. However, the rule does not subject business associates to liability for all aspects of the Privacy Rule. Business associates are liable for:
  • uses or disclosures of PHI in a manner not in accord with the business associate agreement or the Privacy Rule;
  • failure to disclose PHI when required by HHS for an investigation and/or determination of the business associate’s compliance with HIPAA;
  • failure to disclose PHI to the covered entity, an individual (to whom the information pertains), or the individual’s designee with respect to an individual’s request for an electronic copy of the information;
  • failure to make reasonable efforts to limit PHI uses, disclosures, and requests to the minimum necessary amount; and
  • failure to enter into a business associate agreement with a subcontractor that creates or receives PHI on their behalf.
Read more on InsidePrivacy.


I have visions of teachers discovering communications with lawyers about abuse by school officials. Things could go south really quickly.
The Fourth Amendment question here is not about the seizure, but the search that came afterward.
A Berne parent grew outraged after a school principal confiscated his son’s phone earlier this week after being caught texting in class. It’s not the confiscation of the 14-year-old’s iPhone 5 that caused the ire, but rather the searching of it, which revealed inappropriate photos of his 14-year-old ex-girlfriend. The principal, Brian Corey, contacted the Albany County Sheriff’s Department.
Law enforcement and legal experts agree schools have a greater right to search students and their property than do police among the general public, where the Fourth Amendment protects against unreasonable searches and seizures. The question is the line where it becomes too invasive given the circumstances.
Read more on the Albany Times-Union.
Does your teen understand that their school administrator might not only confiscate, but scroll through their images and emails? I’m not saying administrators should – indeed, I think they generally shouldn’t unless there’s an imminent threat of danger to the student or others – but it could happen. And as in this case, inappropriate images could result in the police being called for child pornography.
Are you ready for that? Is your child?
Talk with your kids. Again and again and again.
But also ensure you understand your school district’s policies on this. If you’re not sure, ask under what conditions they might not only confiscate, but search your child’s mobile devices.
And then talk with your child again.
[From the article:
Technically, since the ex-girlfriend sent the images, both youths could face child pornography charges for the photos. The sheriff's department is in the process of obtaining a search warrant for the phone, but at this point it doesn't appear any charges, which would go to Family Court, will be filed.
"We've spoken to the district attorney's office," Sheriff Craig Apple said. "Right now, they don't want to go forward with the information they have."
… Apple … said he believes students can't have an expectation of privacy on school grounds.

(Related) Another area where the constitution does not apply?
Brothel Patrons Have No Legal Expectation of Privacy, Judge Rules
Brothel patrons have no expectation of privacy, a Maine judge has ruled while dismissing 49 criminal counts against a man accused of secretly filming illicit sexual encounters at his Zumba studio that authorities claim was a bordello.
A local judge dropped the counts against Mark Strong, Sr., who was accused of breaching the privacy of those who paid to have sex with his female business partner at a Kennebunk, Maine dance studio he managed.
The 57-year-old defendant’s attorney, Dan Lilley, successfully argued that the state law protecting the privacy of people in dressing rooms, locker rooms and restrooms did not apply to those having illegal sex with a prostitute.
That law, Lilley argued, “does not apply to bordellos, whorehouses and the like.” He said “those places are to commit crime. There is no expectation to privacy.”


Dude, don't mess with the Mouse! It's clear from this letter that they carefully introduced the program – nothing happens haphazardly in the Magic Kingdom.
Dominic Patten reports:
Bob Iger today told a Massachusetts congressman that his privacy issue concerns about new technology being introduced at Disney theme parks are bunk. “We are offended by the ludicrous and utterly ill-informed assertion in your letter dated January 24, 2013, that we would in any way haphazardly or recklessly introduce a program that manipulates children, or wantonly puts their safety at risk,” the Disney chairman and CEO wrote in a letter (read it in full below) Monday to Ed Markey.
Read more on Deadline.com


New features equal new concerns for management.
"Microsoft's release of Office 2013 represents the latest in a series of makeover moves, this time aimed at shifting use of its bedrock productivity suite to the cloud. Early hands-on testing suggests Office 2013 is the 'best Office yet,' bringing excellent cloud features and pay-as-you-go pricing to Office. But Microsoft's new vision for remaining nimble in the cloud era comes with some questions, such as what happens when your subscription expires, not to mention some gray areas around inevitable employee use of Office 2013 Home Premium in business settings."
Zordak points to coverage of the new Office model at CNN Money, and says "More interesting than the article itself is the comments. The article closes by asking 'Will you [pay up]?' The consensus in the comments is a resounding 'NO,' with frequent mentions of the suitability of OpenOffice for home productivity." Also at SlashCloud.


For my literate friends who will no doubt say, “Bob you idiot, you forgot...”


Worth reading. Here are some bits...
Eight Brilliant Minds on the Future of Online Education
Why this disruption is happening:
Peter Thiel, partner, Founders Fund
"In the United States, students don't get their money's worth. There's a bubble in education as out of control as the housing bubble and the tech bubble in the 1990s."
Bill Gates, chairman of Microsoft
"Our whole notion of 'credential', which means you went somewhere for a number of hours, needs to move to where you can prove you have the knowledge, and the quality of these online courses needs to improve."
Rafael Reif
"Can you hire MIT professors who know that they need to teach 150,000 people and not 150?"

Tuesday, January 29, 2013

What strategic objective is being addressed by repeatedly crying “Wolf!??”
"Security pros and government officials warn of a possible cyber 9/11 involving banks, utilities, other companies, or the Internet, InfoWorld reports. 'A cyber war has been brewing for at least the past year, and although you might view this battle as governments going head to head in a shadow fight, security experts say the battleground is shifting from government entities to the private sector, to civilian targets that provide many essential services to U.S. citizens. The cyber war has seen various attacks around the world, with incidents such as Stuxnet, Flame, and Red October garnering attention. Some attacks have been against government systems, but attackers are increasingly likely to attack civilian entities. U.S. banks and utilities have already been hit.'"
[One random Comment:
Well, how else are you going to convince people that they should be spending huge sums of taxpayer money to help private industry do the computer security work they should have already done at their own expense?
But yes, it cheapens the meaning of the real 9/11 when you use it to scare people into responding to non-lethal threats. Apparently, banks and utilities have already been hit, and nobody outside of those organizations even noticed. That tells you how much of a non-threat it is.


They keep sharing our secrets!
"Eighteen brands of security camera digital video recorders are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company's firewall, according to tests by two security researchers. And 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, [Coincidence, I'm sure Bob] are accessible via the Internet. Early last week a hacker who uses the handle someLuser found that commands sent to a Swann DVR via port 9000 were accepted without any authentication. That trick would allow anyone to retrieve the login credentials for the DVR's web-based control panel. To compound the problem, the DVRs automatically make themselves visible to external connections using a protocol known as Universal Plug and Play (UPnP), which maps the devices' location to any local router that has UPnP enabled — a common default setting. ...Neither Ray Sharp nor any of the eighteen firms have yet released a firmware fix."
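The two exposure conditions the article describes, an unauthenticated service on port 9000 and a UPnP mapping that forwards it to the Internet, are both things a network owner can check for from their own router without touching the DVR. The script below is an added example written for this post; it is not code from the article, the researchers, or Ray Sharp. It parses a constructed export of a router's UPnP port-mapping table and a few constructed iptables-style firewall log lines, and reports which LAN hosts have a risky port mapped and which outside addresses have already reached that port over the WAN interface. The interface name eth0 and the use of port 80 for the DVR's web panel are assumptions, not facts from the article.

```python
"""
Defender-side check for the DVR exposure pattern described above.
All sample input below is constructed for this example.
"""
import re
from dataclasses import dataclass

# Port 9000 is the unauthenticated command port named in the article;
# port 80 is ASSUMED here to be the DVR's web control panel.
RISKY_PORTS = {9000, 80}
WAN_IFACE = "eth0"  # assumed name of the Internet-facing interface

# Constructed export of a router's UPnP port-mapping table.
# Columns: external_port protocol internal_ip:internal_port description
UPNP_TABLE = """\
9000 TCP 192.168.1.50:9000 DVR
80 TCP 192.168.1.50:80 DVR-web
49152 UDP 192.168.1.20:49152 game-console
"""

# Constructed firewall log lines in iptables key=value style.
FIREWALL_LOG = """\
Jan 28 10:01:02 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.168.1.50 PROTO=TCP DPT=9000
Jan 28 10:01:05 gw kernel: IN=eth0 SRC=198.51.100.9 DST=192.168.1.50 DPT=9000 PROTO=TCP
Jan 28 10:02:00 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.168.1.20 PROTO=UDP DPT=49152
Jan 28 10:03:11 gw kernel: IN=br0 SRC=192.168.1.33 DST=192.168.1.50 PROTO=TCP DPT=9000
"""


@dataclass(frozen=True)
class PortMapping:
    external_port: int
    protocol: str
    internal_ip: str
    internal_port: int
    description: str


def parse_upnp_table(text):
    """Parse the constructed mapping-table format into PortMapping records."""
    mappings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ext, proto, target = parts[0], parts[1], parts[2]
        ip, port = target.rsplit(":", 1)
        mappings.append(PortMapping(int(ext), proto.upper(), ip, int(port), " ".join(parts[3:])))
    return mappings


def exposed_mappings(mappings, risky_ports=RISKY_PORTS):
    """Mappings that forward a risky port to, or expose a risky port on, a LAN host."""
    return [m for m in mappings if m.internal_port in risky_ports or m.external_port in risky_ports]


_KV = re.compile(r"(\w+)=(\S+)")


def parse_firewall_line(line):
    """Extract the key=value fields we need; return None if the line is not a packet log."""
    fields = dict(_KV.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return {
        "iface": fields.get("IN", ""),
        "src": fields["SRC"],
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "dpt": int(fields["DPT"]),
    }


def external_hits(log_text, wan_iface=WAN_IFACE, risky_ports=RISKY_PORTS):
    """Inbound packets that arrived on the WAN interface aimed at a risky port."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_firewall_line(line)
        if rec and rec["iface"] == wan_iface and rec["dpt"] in risky_ports:
            hits.append(rec)
    return hits


def exposure_report(upnp_text, log_text):
    """Summarise which LAN hosts are exposed and who has already knocked on the door."""
    exposed = exposed_mappings(parse_upnp_table(upnp_text))
    hits = external_hits(log_text)
    return {
        "exposed_hosts": sorted({m.internal_ip for m in exposed}),
        "exposed_mappings": len(exposed),
        "wan_hits": len(hits),
        "wan_sources": sorted({h["src"] for h in hits}),
    }


if __name__ == "__main__":
    report = exposure_report(UPNP_TABLE, FIREWALL_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["exposed_mappings"]:
        print("Remediation: disable UPnP on the router, remove forwarding to the DVR, "
              "and reach it only over the LAN or a VPN until a firmware fix ships.")
```

On the constructed input the report lists 192.168.1.50 as exposed through two mappings and shows two WAN-side hits on port 9000; the LAN-side hit on br0 and the game-console mapping are correctly ignored. Against a real router, feed it the UPnP table the router's admin page or a tool such as upnpc prints and the firewall's LOG-target output.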


Just in time for Privacy Day...
January 28, 2013
Google’s approach to government requests for user data
Google Official Blog: "…January 28 is Data Privacy Day, when the world recognizes the importance of preserving your online privacy and security. If it’s like most other days, Google—like many companies that provide online services to users—will receive dozens of letters, faxes and emails from government agencies and courts around the world requesting access to our users’ private account information. Typically this happens in connection with government investigations. It’s important for law enforcement agencies to pursue illegal activity and keep the public safe. We’re a law-abiding company, and we don’t want our services to be used in harmful ways. But it’s just as important that laws protect you against overly broad requests for your personal information... Today, for example, we’ve added a new section to our Transparency Report that answers many questions you might have. And last week we released data showing that government requests continue to rise, along with additional details on the U.S. legal processes—such as subpoenas, court orders and warrants—that governments use to compel us to provide this information."


Bad examples from good intentions? Does this suggest a lawyer who has never handled a data breach lawsuit?
Steven J. McDonald is General Counsel at Rhode Island School of Design and previously served as Associate Legal Counsel at The Ohio State University. On Data Privacy Day, he wrote a post on EDUCAUSE on FERPA that unintentionally demonstrates how imprecise standards are for data security and protection of student records. For example, he writes:
electronic records do raise unique security concerns, and FERPA does require us to address them. Even then, however, the standard is the same as for paper records: we must use “reasonable methods” to protect all student records. Just as it is appropriate to lock the file cabinet in which we maintain paper student records, it is appropriate to take steps to prevent unauthorized access to and disclosure of our electronic student records. How we do that, however, is largely up to us. In the words of the Family Policy Compliance Office:
[T]he standard of “reasonable methods” is sufficiently flexible to permit each educational agency or institution to select the proper balance of physical, technological, and administrative controls to effectively prevent unauthorized access to education records, based on their resources and needs.
and:
an educational agency or institution may use any method, combination of methods, or technologies it determines to be reasonable, taking into consideration the size, complexity, and resources available to the institution; the context of the information; the type of information to be protected (such as social security numbers or directory information); and methods used by other institutions in similar circumstances. The greater the harm that would result from unauthorized access or disclosure and the greater the likelihood that unauthorized access or disclosure will be attempted, the more protections an agency or institution should consider using to ensure that its methods are reasonable.
Should consider using? But they don’t have to, because there’s no law requiring them to if they don’t see a real risk of compromise or they just don’t have the resources.
And therein lies a big part of the rub. If a district is totally negligent in its security and your child’s education records are breached and their PII stolen or acquired, FERPA provides no cause of action for you to sue your child’s district.
But I totally disagree with his statement:
Dealing with electronic student records is thus really not terribly difficult, nor terribly different from dealing with other electronic records. The key is simply to think about these issues, rather than to just assume that the system will take care of them. If you have a good general data security program in place already, you’re probably in good shape when it comes to student records.
How many K-12 districts have good general data security programs in place? If you think they do, trot on over to the sister site, DataBreaches.net, and start looking at some of the audits I’ve posted over the years.
Does your district have a good security program? If you want to find out, send them the letter I published earlier today. [In this blog, yesterday Bob]


Do they write subpoenas in 140 characters?
From Twitter’s blog:
Last July we released our first Twitter Transparency Report (#TTR), publishing six months of data detailing the volume of government requests we receive for user information, government requests to withhold content, and Digital Millennium Copyright Act-related complaints from copyright holders.
Since then we’ve been thinking about ways in which we can more effectively share this information, with an aim to make it more meaningful and accessible to the community at large. In celebration of #DataPrivacyDay, today, we’re rolling out a new home for our transparency report: transparency.twitter.com.
In addition to publishing the second report, we’re also introducing more granular details regarding information requests from the United States, expanding the scope of the removal requests and copyright notices sections, and adding Twitter site accessibility data from our partners at Herdict.
Read more on Twitter.

Monday, January 28, 2013

This is brilliant on many levels. I may ask my Computer Security students to create a similar letter tailored to their industry. Could be a very educational project. Why didn't I think of this? (You don't need to answer that, really)
For Data Privacy Day 2013 on January 28, I’ve tried to compile a list of questions parents should ask their child’s school district about how their child’s personal information is protected. Send your letter to your district’s Superintendent with a cc: to your district’s Board of Education:
Dear ________:
As a parent of a student in this district, I have a number of questions about the protection and security of students’ personal, private, and sensitive information. For purposes of this letter, by “personally identifiable information,” I mean name, contact details, parents’ contact information, Social Security numbers, Medicaid numbers, and/or any other personally identifiable information (PII), regardless of whether the District considers any of the above “directory information” under FERPA. By “private, personal and sensitive information” (PPSI), I mean any health-related information, behavior or discipline records, religion, any financial information such as credit card or debit card numbers or parents’ financial information, and any information or records pertaining to sexual orientation, political views, etc.:
1. Are school district personnel permitted to take paper records containing students’ PII or PPSI off school district premises? If so, I would like to see any and all policies concerning the security and protection of information taken off premises, including, but not limited to, how records are to be secured in personnel’s homes, and whether records may ever be left in unattended vehicles, etc.
2. Are school district personnel permitted to store – either temporarily or long-term – students’ PII or PPSI on their personal devices such as laptops, smart phones, iPads, USB drives, etc.? If they are permitted to do so, I would like to see copies of the policies that inform personnel how they are required to secure the information on their personal devices and how they are to securely delete information or destroy devices. I am also requesting to see any policies as to how the District tracks and monitors students’ PII and PPSI that may be on employees’ personal devices.
3. Does the District provide employees with USB drives or mobile devices to perform their work-related duties? If so, are those USB drives or devices encrypted? I would also like to see all policies concerning the use and security of District-provided drives and mobile devices that may hold students’ PII and/or PPSI. And if the District does provide staff with portable devices, when was the last time the District conducted an audit to determine the location of all District mobile devices? If they were not all accounted for, how many were missing and what types of student information were on them?
4. I would like to see any District policy or policies concerning the use of employees’ personal e-mail accounts for the transmission or storage of students’ PII and/or PPSI.
5. Is there any District policy concerning personnel’s obligations to timely report any breach or potential breach involving students’ PII or PPSI (for both paper and electronic records)? If so, I would like to see the policy or policies.
6. Are students’ Social Security numbers, Medicaid numbers, and/or health insurance policy numbers stored in any electronic databases? If so: (a) are those databases connected directly or indirectly to the Internet, (b) are those databases encrypted, and (c) do any non-District personnel have access to those databases, and if so, who?
7. What is the District’s written policy as to how often the District’s IT personnel audit access logs to determine if electronic databases containing students’ PII and/or PPSI have been compromised or improperly accessed?
8. Under our state’s Freedom of Information law, I am also requesting inspection of any records relating to any privacy breaches or data security breaches the District may have experienced since January 1, 2008, including, but not limited to, hacks of databases containing students’ PII and/or PPSI, employees exceeding authorized access and accessing others’ PII or PPSI improperly, students’ using personnel’s login credentials to access databases containing students’ PII and/or PPSI, loss of USB drives or other devices containing students’ PII or PPSI (regardless of whether they are district-owned or the individual’s personal property), loss or theft of paper records containing students’ PII and/or PPSI, inadvertent web exposure or e-mail exposure of students’ PII and/or PPSI, etc.
9. If the District uses a third party web host or cloud provider, does the District have written contracts in place that cover responsibility for the security of students’ PII and/or PPSI? Who can access that information? If such vendors or contractors are involved in storing or processing students’ PII and/or PPSI, how does the District ensure that the data are not being improperly accessed or compromised?
10. If there are other District policies that I haven’t requested but that relate to data security and protection of students’ PII and/or PPSI, please tell me what they are or provide me with copies of them.
I know that some parents hesitate to do anything that might be perceived as “making waves.” Asking questions about how well your child’s district protects their privacy and the security of their information is not “making waves.” It’s being an informed parent. I would encourage parents to ask that their District devote an entire information meeting for all parents to go over the questions raised above.
It’s quite possible your child’s district may not have written policies for some of the questions raised above. If that’s the case, then your next step may be to ask them why there are no written policies and to ask them to formulate formal policies (not guidelines, but enforceable policies) to address security and protection of students’ PII and PPSI.
Happy Data Privacy Day 2013!
Note: This post may be reproduced for non-commercial use under Creative Commons License.


How fast did other branches of the military grow?
Mamas, don't let your babies grow up to be hackers
Don't let 'em click on computers and jiggle their mouse
Make 'em be doctors and lawyers and such
Pentagon to boost Cyber Command fivefold, report says
Cyberattacks and data breaches are becoming a common occurrence worldwide.
When it takes little more than a script kiddie or a downloadable toolkit to cause havoc in corporate systems -- or even transform a governmental Web site into a game of Asteroids as part of a protest -- governments are in serious trouble unless they begin to invest more in the future of their digital defense.
… The Pentagon currently only has 900 members within its cybersecurity force, but that is about to change.
According to the Washington Post, although the move is yet to be formally announced, the U.S. government will be increasing this number to 4,900 within several years.
Said to be at the request of Gen. Keith B. Alexander, the Defense Department's head of Cyber Command, more staff will be assigned positions in the new-and-improved cybersecurity force to try to counter not only homegrown attacks against governmental systems, but also to "conduct offensive operations against foreign foes," according to an unnamed U.S. defense official.


Just because you don't hear much about Japan's military does not mean they don't exist.
According to the Daily Yomiuri, "Japan launched two satellites on Jan. 27 to strengthen its surveillance capabilities, including keeping a closer eye on North Korea which has vowed to stage another nuclear test. One of them was a radar-equipped unit to complete a system of surveillance satellites that will allow Tokyo to monitor any place in the world at least once a day. The other was a demonstration satellite to collect data for research and development." The Defense News version of the story says "Japan developed a plan to use several satellites as one group to gather intelligence in the late 1990s as a response to a long-range missile launch by Pyongyang in 1998. The space agency has said the radar satellite would be used for information-gathering, including data following Japan’s 2011 quake and tsunami, but did not mention North Korea by name."


More details leak. Always assume the true capabilities are at least an order of magnitude better than those you read about... Short video is worth watching. (At roughly 2:25, they mention storing a million terabytes each day.)
Watch the World’s Highest Resolution Drone-Mounted Camera in Action
… At 1.8 gigapixels, the DARPA-developed ARGUS-IS is the highest-resolution surveillance platform in the world, and, when mounted to a drone, can single-handedly do the work of an army of 100 Predator drones watching the area of one medium-sized city.
ARGUS's view is both wide and precise. It can cover areas of up to 15 square miles at a glance while still spotting objects as small as six inches around from heights of 17,500 feet.
… You can find out more about the ARGUS-IS and other drones in PBS's Nova special "Rise of the Drones," which this clip is taken from.


To settle, or not to settle--that is the question:
Whether 'tis nobler in the mind to suffer
The slings and arrows of outrageous lawsuits
Or to take arms against a sea of troubles
And by opposing end them.
How Newegg crushed the “shopping cart” patent and saved online retail
… The company's plan to extract a patent tax of about one percent of revenue from a huge swath of online retailers was snuffed out last week by Newegg and its lawyers, who won an appeal ruling [PDF] that invalidates the three patents Soverain used to spark a vast patent war.


Still amusing...
Kim Dotcom Wants To Encrypt Half Of Internet To End Government Surveillance
In an in-depth interview, Megaupload founder Kim Dotcom discusses the investigation against his now-defunct file-storage site, his possible extradition to the US, the future of Internet freedoms and his latest project Mega with RT’s Andrew Blake.
… the timing is very interesting, you know? Election time. The fundraisers in Hollywood set for February, March [and] April. There had to have some sort of Plan B, an alternative for SOPA
… And Hollywood is a very important contributor to Obama’s campaign. Not just with money, but also with media support. They control a lot of media: celebrity endorsements and all that.
So I’m sure the election plays an important role.
RT: The US Justice Department wants to extradite you, a German citizen living in New Zealand operating a business in Hong Kong. They want to extradite you to the US. Is that even possible?
KD: That is a very interesting question because the extradition law, the extradition treaty in New Zealand, doesn’t really allow extradition for copyright. So what they did, they threw some extra charges on top and one of them is racketeering, where they basically say we are a mafia organization and we set up our Internet business to basically be an organized crime network that was set up and structured the way it was just to do criminal copyright infringement.

(Related) Is the encryption working? The Numerama article (French) suggests they asked for links (not files) to be taken down. Perhaps no encryption was involved?
Mega Passed Its First Copyright Takedown Test
In addition to protecting itself from your pirated content with its see-no-evil encryption, Kim Dotcom’s Mega service aims to stay on the law’s good side by playing nicely with copyright takedown requests and keeping that super important DMCA safe harbor status.
… So far, at least one anti-piracy group has been able to see through the encryption haze and spot some stuff that shouldn’t be on there. LeakID, a content managing service, submitted five DMCA-like takedown requests to Mega last week, pertaining to copyright infringing episodes of Naruto that were floating around. And according to Numerama, all five came down in 48 hours.


Because you never know when you might need a little knowledge...
January 27, 2013
New on LLRX - Knowledge Discovery Resources 2013
Via LLRX.com - Knowledge Discovery Resources 2013 - An Internet Annotated Link Dataset Compilation - Marcus P. Zillman's current annotated link compilation encompasses top value-added resources for knowledge discovery available through the Internet. The selected resources and sites provide a wide range of actionable knowledge and avenues for information discovery to leverage as part of your overall research project strategy.