Saturday, February 09, 2013

Application of Occam's razor would suggest that hacking into a huge target like Walmart would be more rewarding than hacking into hundreds of individual computers in search of Walmart account info. If many non-Walmart accounts were being accessed, I would tip the other way. (Of course, I'd expect this to be much bigger if that was the case.)
I was surprised to read a news report tonight that had been hacked. Part of my surprise was due to the fact that mainstream media did not have the story but a site called in Nebraska was reporting it:
Ericka and Mike Hunt of Broken Bow were reviewing their bank account online this week and discovered a charge to for nearly $500.00 that they had not made. The Hunts contacted their bank, Wal-Mart’s Corporate Office, the Police Department in the town in Alabama where the order was to be shipped, and the local Police Department in Broken Bow. What they discovered is that someone has hacked in to the Wal-Mart records and stolen card numbers and personal information from several accounts. The Alabama Police Department told the Hunts that they were approximately the 15th phone call about the same problem. The Hunts were lucky to catch this problem quickly and were able to cancel the shipment and hope to have their money back soon. They also deleted their Wal-Mart account, which they had not used since last fall and changed passwords on all of their online accounts for precautionary reasons. They asked us to tell their story in hopes that no one else will be affected by this problem. We are awaiting a response from Wal-Mart’s Media Relations Department to get a comment on this issue.
I contacted Walmart tonight, and they promptly sent me the following statement by their spokesperson for eCommerce:
Customer privacy [no mention of security? Bob] is a top priority to us. We’re aware of this particular matter and are working with the customer to help them resolve the situation. To be clear, there is no indication of an internal security breach of the system or accounts. In these situations, there are unrelated ways that third parties obtain user names and passwords, such as a phishing attack or by planting malware on users’ computers. Even in these situations, the full credit card number is not visible in a customer’s account. When we become aware of these matters, we work immediately with our customers to help them protect their online security.
Reporting that a large e-commerce site has been hacked when it hasn’t been can do unfair reputation harm to the business and make customers leery of shopping online there. I’m not sure how the Hunts “discovered” that someone had hacked Walmart’s server, but sometimes 2 + 2 = 5.
In the meantime, there’s nothing to see here, so move along.

Sticking a “Trustworthy” label on malware...
"Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered a compromise that cuts to the core of its business: helping clients distinguish known 'safe' files from computer viruses and other malicious software. A leading provider of 'application whitelisting' services, Bit9's security technology turns the traditional approach to fighting malware on its head. Antivirus software, for example, seeks to identify and quarantine files that are known bad or strongly suspected of being malicious. In contrast, Bit9 specializes in helping companies develop custom lists of software that they want to allow employees to run, and to treat all other applications as potentially unknown and dangerous. But in a blog post today, the company disclosed that attackers broke into its network and managed to steal the digital keys that Bit9 uses to distinguish good from bad applications. The attackers then sent signed malware to at least three of Bit9's customers, although Bit9 isn't saying which customers were affected or to what extent. The kicker? The firm said it failed to detect the intrusion in part because the servers used to store its keys were not running Bit9's own software."

It's not the Chinese? Interesting.
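The Bit9 story turns on one design point: an allowlist that trusts anything carrying a valid signature from a trusted signer is only as strong as the custody of that signing key. The following is an added example, not Bit9's code or the code of anyone quoted above, showing the difference between a signer-based policy and a per-binary hash policy, and what revoking a compromised signer does to each. It uses an HMAC key as a stand-in for a code-signing certificate so that it runs offline; the key, the binaries and the signer name "publisher" are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed stand-in for a publisher's code-signing key. A real allowlisting
# product verifies X.509 code-signing certificates; HMAC keeps this runnable offline.
PUBLISHER_KEY = b"constructed-publisher-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, payload: bytes) -> str:
    """Stand-in for producing a code signature with the publisher's key."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def valid_signature(key: bytes, payload: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(key, payload), signature)


class AllowlistPolicy:
    """Decides whether a binary may run.

    mode="signer": anything with a valid signature from a trusted signer runs.
    mode="hash":   only binaries whose hash was individually approved run; a
                   trusted signature alone is logged but not sufficient.
    """

    def __init__(self, mode: str = "signer"):
        self.mode = mode
        self.trusted_signers: dict[str, bytes] = {}
        self.revoked_signers: set[str] = set()
        self.approved_hashes: set[str] = set()

    def trust_signer(self, signer_id: str, key: bytes) -> None:
        self.trusted_signers[signer_id] = key

    def revoke_signer(self, signer_id: str) -> None:
        self.revoked_signers.add(signer_id)

    def approve_hash(self, payload: bytes) -> None:
        self.approved_hashes.add(sha256_hex(payload))

    def decide(self, payload: bytes, signer_id: str | None = None,
               signature: str | None = None) -> tuple[bool, str]:
        # A per-binary approval always wins: it does not depend on any key.
        if sha256_hex(payload) in self.approved_hashes:
            return True, "hash-approved"
        signed_ok = (
            signer_id in self.trusted_signers
            and signer_id not in self.revoked_signers
            and signature is not None
            and valid_signature(self.trusted_signers[signer_id], payload, signature)
        )
        if self.mode == "signer" and signed_ok:
            return True, f"trusted-signer:{signer_id}"
        if signed_ok:
            # Worth alerting on: a valid signature on a never-seen binary.
            return False, f"signed-by-{signer_id}-but-hash-unknown"
        if signer_id in self.revoked_signers:
            return False, f"signer-revoked:{signer_id}"
        return False, "untrusted"


def stolen_key_scenario() -> tuple[tuple[bool, str], tuple[bool, str], tuple[bool, str]]:
    """Walk through: key stolen -> malware signed -> signer revoked, hash mode."""
    good = b"constructed legitimate update binary"
    malware = b"constructed malicious binary"

    policy = AllowlistPolicy(mode="signer")
    policy.trust_signer("publisher", PUBLISHER_KEY)
    policy.approve_hash(good)

    # An attacker holding the stolen key can sign anything.
    stolen_sig = sign(PUBLISHER_KEY, malware)
    before = policy.decide(malware, "publisher", stolen_sig)

    # Response: revoke the compromised signer and stop trusting signatures alone.
    policy.revoke_signer("publisher")
    policy.mode = "hash"
    after = policy.decide(malware, "publisher", stolen_sig)
    good_after = policy.decide(good, "publisher", sign(PUBLISHER_KEY, good))
    return before, after, good_after


if __name__ == "__main__":
    for label, result in zip(("before", "after", "good_after"), stolen_key_scenario()):
        print(label, result)
```

The hash-approved binary keeps running after the revocation because its approval never depended on the key; the signed malware is blocked either by the revocation or, in hash mode, by never having been approved. In hash mode the "signed but hash unknown" outcome is the event a SOC would want to alert on, since it is exactly what a stolen key produces.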
The Lesson of the Bush Family Email Hack: Be Worried
… A hacker by the name of Guccifer has apparently hacked into several Bush family AOL accounts, pilfered private photos and messages and posted them online. The Smoking Gun, pursuant to their mission, republished it all. The stolen goods include a private letter from George W. Bush to his family about planning the funeral of his father. They include private correspondence from the Fox News journalist Brit Hume on the “silver linings” in the 2012 election. They include a Jeb Bush email about how George H.W. Bush “helped restore” Bill Clinton’s “sordid reputation.” There is more. You can read about it off site. You can also look at the PG-rated pictures that George W. Bush apparently painted of himself bathing.
There is a criminal investigation. This guy may get caught, just like the guy who hacked Scarlett Johansson’s cell phone got caught. But that will be little consolation.

So how did they do it? Sounds more like the police went behind the city council's back and the council was not happy to be blindsided by news of the drones.
Trevor Timm writes:
In an amazing victory for privacy advocates and drone activists, yesterday, Seattle’s mayor ordered the city’s police agency to cease trying to use surveillance drones and dismantle its drone program. The police will return the two drones they previously purchased with a Department of Homeland Security grant to the manufacturer.
EFF has been warning of the privacy dangers surveillance drones pose to US citizens for more than a year now. In May of last year, we urged concerned citizens to take their complaints to their local governments, given Congress has been slow to act on any privacy legislation. The events of Seattle prove this strategy can work and should serve as a blueprint for local activism across the country.
Read more on EFF.
[From the EFF:
Back in early 2012, the Seattle city council was told that the Seattle police agency had obtained an authorization to fly drones from the Federal Aviation Administration (FAA). But they did not find out from the police; they found out from a reporter who called the council after he saw Seattle’s name on the list obtained by EFF as part of our lawsuit against the FAA.
City council was understandably not happy, and the police agency was forced to appear before the council and apologize.
… After a townhall meeting held by police, in which citizens showed up in droves and angrily denounced the city’s plans, some reporters insinuated that city council members’ jobs could be on the line if they did not pass strict drone legislation protecting its citizens’ privacy.

2012 FAA List of Drone License Applicants

For my “Little Known Laws” folder...
"In a not-so-unexpected move, the Department of Homeland Security has concluded that travelers along the nation's borders may have their electronics seized and the contents of those devices examined for any reason whatsoever — all in the name of national security. According to legal precedent, the Fourth Amendment — the right to be free from unreasonable searches and seizures — does not apply along the border. The memo highlights the friction between today's reality that electronic devices have become virtual extensions of ourselves housing everything from e-mail to instant-message chats to photos and our papers and effects — juxtaposed against the government's stated quest for national security. By the way, the government contends the Fourth-Amendment-Free Zone stretches 100 miles inland from the nation's actual border."

What is the strategy for passing bad laws? Wait a few months until the peasants put their pitchforks back in the barn and extinguish their torches, then do it all over again? I'm not sure that will work in a “connected world.”
Presto Vivace sends this news from the Hill:
"House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Rep. Dutch Ruppersberger (D-Md.) said Friday that they plan to re-introduce the Cyber Intelligence Sharing and Protection Act (CISPA) next week during a speech at the Center for Strategic and International Studies in Washington. The bill is aimed at improving information-sharing about cyber threats between government and industry so cyberattacks can be thwarted in real time. ... It would also encourage companies to share anonymous cyber-threat information with one another, and provide liability protection for businesses so they don't get hit with legal action for sharing data about cyber threats. "
You may recall CISPA from last year, when it was hailed as being even worse than SOPA, the Stop Online Piracy Act. We discussed why it was a bad bill back then; the new version is reportedly identical, so all of the same reasons will apply. The bill stalled last year against White House plans to veto it. Congressman Rogers said this about privacy fears: "We're talking about exchanging packets of information, zeroes and ones, if you will, one hundred millions times a second. So some notion that this is a horrible invasion of content reading is wrong. It is not even close to that." Don't worry folks; it's just zeroes and ones.

Global Warming! Global Warming! I thought this was the weekly average as recently as World War II.
White Russia
With over 85 inches of snow, this winter is already the snowiest Moscow has seen in a century -- and it's only February. "The snow this year has already reached one and a half times the climatic norm," the city's deputy mayor for residential issues remarked this week, as Russian news outlets breathlessly reported on the "Storm of the Century" and nightmarish traffic jams that, when added up, spanned the distance from Moscow to Madrid.
But not all of the country has experienced the capital's record-setting snowfall. During a week that marked the one-year countdown to the 2014 Winter Olympics, the temperatures in the Russian host city of Sochi reached as high as 60 degrees Fahrenheit. Olympic organizers have guaranteed snow for next year and have already begun stockpiling the little they have, even as Moscow has been blanketed.

It's hard to play catch-up. 3D printers are going to be very disruptive. (Do you have a copy?)
YouTube yanks video of 3D-printed rifle magazine
A video showing a gun magazine created by a 3D printer was pulled off YouTube today, only to reappear later in the afternoon.
The removal notice for the popular clip, which was posted by a Texas group known as Defense Distributed, said the video was removed "as a violation of YouTube's policy against spam, scams, and commercially deceptive content."
"Yes, YouTube removed this video because permissive liberals flagged it as inappropriate," the group said in a Tumblr post. "Please steal this and put it everywhere before it is again taken down."

One more for my Website students. I need to look at Twitter Bootstrap more anyway...
… With Jetstrap, you can build a beautiful information page about nearly anything, and you can do it in the quickest, most efficient way possible.
… You don’t need to know much about code to use this free website designer, as most of the page elements are added by simply dragging and dropping items to the page.
… When finished, you can download the HTML code and upload it to any web server of your choosing.

This could be useful at some point.

For my amusement...
… In a massively ironic online disaster, the Coursera/Georgia Tech course Fundamentals of Online Education was cancelled this week, following a lot of technical and pedagogical hiccups. You can read more about the class from students enrolled — Debbie Morrison’s “How NOT to Design a MOOC: The Disaster at Coursera and How to Fix It,” for example. Lots of finger-pointing here about whose fault this was — the platform, the instructor, the university — and questions about the lack of quality control as well as the lack of respect for the students’ work that was already ongoing in the system but that suddenly became unavailable when the course was closed.
… An Idaho state senator — and chair of the state senate’s Education committee — has introduced a bill mandating all Idaho students read Ayn Rand’s Atlas Shrugged and pass a test on it before they can graduate high school. [Insert joke here about how this violates the 8th Amendment.]
… At the White House Tech Inclusion Summit last week, 5 initiatives were unveiled to help make sure everyone can learn tech skills, particularly girls and women and those from historically underrepresented communities. I mentioned one of the initiatives in last week’s write up — the partnership between Starter League and the Chicago Public Schools that will help train teachers on Web development so they can in turn teach these skills to their students. The White House blog lists the other initiatives unveiled at the meeting.
… The global market for education is $4.4 trillion, according to the investment bank IBIS Capital, which predicts that the e-learning segment of this market will grow by 23% between now and 2017.

Friday, February 08, 2013

I'm confused. Wasn't this obvious? I seem to recall an earlier “change the limit” hack too. (Yes Bob, you were right again: and Coordinated, Global ATM Heist Nets $13 Million)
Reports are coming in that in the final days of 2012 hackers were able to pull off a major scam using ATM machines and prepaid credit cards. The attack was so successful, that Visa warned all US payment card issuers to be on high alert for additional ATM cash-out fraud schemes in 2013. Sources in the financial industry and law enforcement cited by say that thieves made off with approximately $9 million in the scam.
The sources claim that the attackers used a small number of reloadable prepaid debit cards to pull cash out of ATMs in at least a dozen countries. According to the sources the crooks took approximately $9 million in only a few hours. The sources also claim that around New Year’s Eve the group struck again.
The second attack occurred on ATM networks in India and resulted in the thieves making off with a little less than $2 million according to investigators. This sort of attack is typically avoided because the reloadable, prepaid debit cards are limited to low dollar amounts being withdrawn within a 24-hour period. However, the criminals were somehow able to increase or completely eliminate those withdrawal limits for the accounts they control.
Visa says that the attacks were made possible because the hackers were able to gain access to issuer authorization systems and card parameter information. Once the hackers had access to that information, they were able to manipulate daily withdrawal amount limits, card balances, and other parameters. Visa says that in some instances over $500,000 was withdrawn from a single card within 24 hours. [Must be a really big ATM Bob]
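The point Visa makes is that the control which should have stopped this, the per-card daily limit, lived in the same issuer system the attackers had reached, so the limit itself was what got changed. Detection therefore has to key on something the attacker does not control: a baseline of what a prepaid card normally does, plus the audit trail of parameter changes. The following is an added example, not from the article or from Visa, that runs two such checks over constructed issuer-side logs. The log formats, the baseline of $1,000, the approved-actor list and the card IDs are all assumptions made for the example.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed issuer-side withdrawal log: timestamp,card,country,amount_usd
WITHDRAWALS = """\
2012-12-30T01:00:00,CARD-A,US,400
2012-12-30T01:30:00,CARD-A,GB,450
2012-12-30T02:00:00,CARD-A,DE,500
2012-12-30T02:10:00,CARD-A,ES,600
2012-12-30T09:00:00,CARD-B,US,200
2012-12-31T10:00:00,CARD-B,US,300
"""

# Constructed parameter-change audit log: timestamp,card,field,old,new,actor
PARAM_CHANGES = """\
2012-12-29T23:50:00,CARD-A,daily_limit,1000,500000,svc-batch
2012-12-29T23:51:00,CARD-A,balance,120,999999,svc-batch
2012-12-30T14:00:00,CARD-C,daily_limit,1000,1500,ops-analyst
"""

# Assumed "normal" daily limit for a reloadable prepaid card. The detector
# compares against this fixed baseline, never against the card's current
# (possibly tampered) configured limit.
BASELINE_DAILY_LIMIT = 1000.0
WINDOW = timedelta(hours=24)


def detect_cashout(log: str = WITHDRAWALS, baseline: float = BASELINE_DAILY_LIMIT,
                   window: timedelta = WINDOW, min_countries: int = 3) -> list[tuple]:
    """Flag cards whose sliding 24h total beats the baseline, or that are
    cashed out across several countries within the window."""
    events: dict[str, list[tuple[datetime, str, float]]] = defaultdict(list)
    for line in log.strip().splitlines():
        ts, card, country, amount = line.split(",")
        events[card].append((datetime.fromisoformat(ts), country, float(amount)))

    alerts: list[tuple] = []
    for card, evs in sorted(events.items()):
        evs.sort()
        recent: list[tuple[datetime, str, float]] = []
        worst_total, worst_countries = 0.0, 0
        for ts, country, amount in evs:
            recent.append((ts, country, amount))
            recent = [e for e in recent if ts - e[0] <= window]  # slide the window
            worst_total = max(worst_total, sum(e[2] for e in recent))
            worst_countries = max(worst_countries, len({e[1] for e in recent}))
        if worst_total > baseline:
            alerts.append((card, "24h-total-exceeds-baseline", worst_total))
        if worst_countries >= min_countries:
            alerts.append((card, "multi-country-24h", worst_countries))
    return alerts


def detect_limit_tampering(log: str = PARAM_CHANGES, baseline: float = BASELINE_DAILY_LIMIT,
                           max_multiplier: float = 5.0,
                           approved_actors: frozenset[str] = frozenset({"ops-analyst"}),
                           sensitive_fields: frozenset[str] = frozenset({"daily_limit", "balance"})
                           ) -> list[tuple]:
    """Flag changes to limit/balance parameters that are out of proportion to
    the baseline or made by an identity not approved to change them."""
    alerts: list[tuple] = []
    for line in log.strip().splitlines():
        ts, card, field, old, new, actor = line.split(",")
        if field not in sensitive_fields:
            continue
        reasons = []
        if float(new) > baseline * max_multiplier:
            reasons.append("value-far-above-baseline")
        if actor not in approved_actors:
            reasons.append("unapproved-actor")
        if reasons:
            alerts.append((card, field, actor, float(new), tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for a in detect_cashout() + detect_limit_tampering():
        print(a)
```

The first detector would have fired on the constructed CARD-A at the third withdrawal, regardless of what its configured limit said at the time; the second fires on the parameter changes themselves, which is the earlier signal, since they precede the withdrawals by hours.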

“It's not like it's a real computer, why do we need to secure it?”
Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More
A critical vulnerability discovered in an industrial control system used widely by the military, hospitals and others would allow attackers to remotely control electronic door locks, lighting systems, elevators, electricity and boiler systems, video surveillance cameras, alarms and other critical building facilities, say two security researchers.
The vulnerability in the Tridium Niagara AX Framework allows an attacker to remotely access the system’s config.bog file, which holds all of the system’s configuration data, including usernames and passwords to log in to operator work stations and control the systems that are managed by them.

Worst Practices? People still mail things? Unencrypted? Don't know what happened to “Certified mail?” 46 days to notify victims?
This was reported by James Haggerty on January 23, but I just stumbled across it now:
A compact disc including information on Medicare patients at Wayne Memorial Hospital disappeared recently en route to its intended recipient.
An administrator at Wayne Memorial in Honesdale on Nov. 28 sent the unencrypted disc and related paperwork by certified mail to the Pittsburgh office of Novitas Solutions Inc., a Camp Hill-based Medicare administrative contractor, the hospital reported.
Although it was mailed in a legal envelope, [they couldn't afford a CD mailer? Bob] Wayne Memorial officials say it arrived at Novitas’s Pittsburgh offices in a cardboard box without the disc. They were notified Dec. 3 that the disc was missing.
Hospital officials suspect the original package was damaged at a postal facility, the disc was lost and the paperwork was inserted into another package, which was delivered to Novitas.
The disc contained the names of 1,182 people who had been Medicare patients at the Honesdale hospital between 2007 and 2012 and have account balances outstanding, hospital spokeswoman Lisa Champeau said. Most of the patients’ Medicare account numbers were included on the disc, she said.
Read more on Citizens Voice.
On January 22, the hospital posted the following notice, linked from their home page:
The News Eagle reports that notification letters were sent out beginning January 18.

Could the people [or the “offices”] responsible actually be held responsible? Stay tuned!
Meg Kinnard of Associated Press reports that Circuit Judge G. Thomas Cooper has dismissed Governor Haley and South Carolina’s former revenue director as defendants in a lawsuit over the state’s massive security breach last year in the Department of Revenue.
But… and this will be interesting to watch, the judge said he needed more time to decide whether to dismiss the claims against the Governor’s office, the Department of Revenue, South Carolina’s Division of Information Technology, and Trustwave.
Read more on ABC.

Words to live by... Or at least to secure your data by... Security is as strong as its weakest link.
"Deloitte predicts that 8-character passwords will become insecure in 2013. Humans have trouble remembering passwords with more than seven characters, and it is difficult to enter long, complex passwords into mobile devices. Users have not adapted to increased computing power available to crackers, and continue to use bad practices such as using common and short passwords, and re-using passwords across multiple websites. A recent study showed that using the 10000 most common passwords would have cracked >98% of 6 million user accounts. All of these problems have the potential for a huge security hazard. Password vaults are likely to become more widely used out of necessity. Multifactor authentication strategies, such as phone texts, iris scans, and dongles are also likely to become more widespread, especially by banks."

A tool for Stalkers? Always has been, but now it's simpler...
"Software developer Jeff Cogswell is back with an extensive under-the-hood breakdown of Facebook's Graph Search, trying to see if peoples' privacy concerns about the social network's search engine are entirely justified. His conclusion? 'Some of the news articles I've read talk about how Graph Search will start small and slowly grow as it accumulates more information. This is wrong—Graph Search has been accumulating information since the day Facebook opened and the first connections were made in the internal graph structure,' he writes. 'People were nervous about Google storing their history, but it pales in comparison to the information Facebook already has on you, me, and roughly a billion other people.' There's much more at the link, including a handy breakdown of graph theory."
[From the article:
The system allows users to make lengthy natural-language queries in search of Facebook-based information about photos, friends, and other content. For example, you could input “Friends of friends who like trail running” and receive a list of people who meet that description—provided their information is public, and they indicated to Facebook that they “Like” trail running.
Should you input “Friends of friends who like trail running,” you’ll also see a related search: “People who like trail running.” This is interesting, because it goes outside your list of friends, traversing further into Facebook’s enormous data tree. From there, you can refine the search still further, via a list of dropdown boxes on the right side of the page. Want to know which of those “People who like trail running” actually live near you? Simply click on the appropriate box.
When it comes to finding very specific people, how deep does this thing go?
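The two queries described above, "friends of friends who like X" and the broader "people who like X", are ordinary graph traversals, and the privacy question is which viewer can see which node. The following is an added example, not Facebook's implementation or code from the quoted article, that runs both queries over a small constructed social graph with per-like visibility, and then answers the reverse question a person worried about exposure actually cares about: which viewers would find me. All names, friendships and likes are constructed for the example.

```python
from __future__ import annotations

# Constructed undirected friendship graph.
FRIENDS: dict[str, set[str]] = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice", "erin"},
    "dave": {"bob"},
    "erin": {"carol"},
    "frank": set(),
}

# Constructed likes with a per-like visibility setting: "public" or "friends".
LIKES: dict[str, dict[str, str]] = {
    "bob": {"trail running": "public"},
    "dave": {"trail running": "public"},
    "erin": {"trail running": "friends"},
    "frank": {"trail running": "public"},
}


def friends_of_friends(graph: dict[str, set[str]], user: str) -> set[str]:
    """Nodes exactly two hops away: not the user, not already a friend."""
    fof: set[str] = set()
    for friend in graph[user]:
        fof |= graph[friend]
    fof -= graph[user]
    fof.discard(user)
    return fof


def can_see_like(graph: dict[str, set[str]], viewer: str, owner: str, visibility: str) -> bool:
    """Visibility check applied to every candidate before it is returned."""
    return visibility == "public" or viewer == owner or viewer in graph[owner]


def people_who_like(graph: dict[str, set[str]], likes: dict[str, dict[str, str]],
                    viewer: str, interest: str, candidates: set[str] | None = None) -> list[str]:
    """'People who like <interest>' as seen by `viewer`, optionally restricted to a pool."""
    pool = candidates if candidates is not None else set(graph)
    return sorted(
        person for person in pool
        if interest in likes.get(person, {})
        and can_see_like(graph, viewer, person, likes[person][interest])
    )


def fof_who_like(graph: dict[str, set[str]], likes: dict[str, dict[str, str]],
                 viewer: str, interest: str) -> list[str]:
    """'Friends of friends who like <interest>': the global query over a two-hop pool."""
    return people_who_like(graph, likes, viewer, interest, friends_of_friends(graph, viewer))


def exposure(graph: dict[str, set[str]], likes: dict[str, dict[str, str]],
             target: str, interest: str) -> list[str]:
    """Reverse question: which viewers would see `target` in a global search?"""
    return sorted(
        viewer for viewer in graph
        if viewer != target and target in people_who_like(graph, likes, viewer, interest)
    )


if __name__ == "__main__":
    print(fof_who_like(FRIENDS, LIKES, "alice", "trail running"))
    print(people_who_like(FRIENDS, LIKES, "alice", "trail running"))
    print(exposure(FRIENDS, LIKES, "erin", "trail running"))
    print(exposure(FRIENDS, LIKES, "dave", "trail running"))
```

Erin's friends-only like keeps her out of every stranger's results, while Dave's public like makes him findable by every other node in the graph, including Frank, who has no friends at all. Graph reach (two hops, or the whole graph) and per-item visibility are independent settings, and it is the visibility flag, not the friend distance, that decides who can find you.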

Track your dog, track you?
Dog owners face £500 fine for failing to microchip pets

“But I've been doing it for years! How come you're just now telling me it's a crime?”
Mike Durkin reports that federal charges have now been filed against John Hunt, the Minnesota Department of Natural Resources employee accused of improperly accessing 5,000 residents’ information from the state driver’s license database:
The Minnesota Bureau of Criminal Apprehension said Hunt committed a federal crime during off-duty hours. Hunt is accused of illegally viewing the records of 5,000 people roughly 12,000 times between January 2008 and October 2012. [Took them a long time to notice... Bob]
Investigators said the majority of files Hunt accessed belong to women in the public eye: local celebrities, television news personalities, politicians and professional athletes.
Read more on,
[From the article:
What makes this case particularly egregious is that Hunt was also a data practices designee, responsible for making sure new employees were familiar with the laws and rules concerning access to driver's license records.
… Hunt is charged with six counts of unauthorized computer and data access, as well as public employee misconduct. The six charges are:
    Misconduct of public officer or employee, gross misdemeanor
    Unauthorized computer access (not public data), gross misdemeanor
    Unauthorized computer access, gross misdemeanor
    Use of encryption to conceal commission of a crime, gross misdemeanor
    Unlawful use of private data (license photograph), misdemeanor
    Unlawful use of private data (address on license), misdemeanor
If found guilty, Hunt could be forced to pay $2,500 for each record he illegally viewed.

Is snobbery, not a privacy violation? “Hey your kid is too dumb to get into our school, how about donating money?”
Wealthy parents are fuming after the uber-exclusive Dalton School sent out an e-mail naming dozens of kids rejected by the school.
Dalton — whose alumni include Anderson Cooper, Chevy Chase, Sean Lennon and Claire Danes — is known for its fiercely competitive admissions process as presided over by the admissions director, Elizabeth Krents.
Recently, the upper-crust school sent out a letter to boosters and alumni with a list of families that have applications pending, as well as names of students who were rejected from Dalton.
The list also included names of students who withdrew applications — which gave away others who didn’t make the cut. Sources explained that alumni parents are often “tipped off” by Dalton that their child may not get in, and the family then has the choice to withdraw their child’s application, saving the embarrassment of having their kid rejected.
The revealing e-mail went out as part of a fundraising effort to have school supporters lobby parents of recently rejected kids for money, sources say.
Read more on The New York Post. The Daily Beast has the school’s apology letter.

That buzzing you hear comes from the dozens of drones monitoring state legislatures.
February 07, 2013
EPIC - States Move to Limit Drone Surveillance
  • "Oregon became the most recent state to consider limits on the deployment of drones in the United States. A new bill sets out licensing requirements for drone use in Oregon and would fine those who use unlicensed drones to conduct surveillance. New limitations are also proposed for federal evidence collected by drone use in a state court. Florida, North Dakota, and Missouri are among the other states that are also considering laws that limit drone use within their jurisdiction. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones."

I thought that was a can of worms...
After Google’s $80M French Publishers’ Fund, Press Lobby Group Chief Calls For Search Giant To Pay Media In Every European Country

There Will Soon Be More Mobile Devices Than Humans — And We'll Need A New Internet To Cope

The difficulty of transition and some perspective on how much 'digital' has replaced print... Sounds like Paul David's research still applies
February 07, 2013
Rebooting the Government Printing Office: Keeping America Informed in the Digital Age
The National Academy of Public Administration (NAPA) independent study of the U.S. Government Printing Office (GPO), Rebooting the Government Printing Office: Keeping America Informed in the Digital Age, January 2013
  • "Over the past two decades, the shift from an industrial age to an information age has affected the way both public and private sector organizations operate. For GPO, the demand for federal print products has declined by half over the past twenty years, but the demand for information that government creates has only increased. While conducting this review, the Panel determined that GPO faces challenges in dealing with the movement to the digital age that are shared across the federal government. Critical issues for the federal government include publishing formats, metadata, authentication, cataloging, dissemination, preservation, public access, and disposition. The Panel believes that the federal government needs to establish a broad government-wide strategy to manage digital information through all stages of its lifecycle. The absence of such a strategy has resulted in a chaotic environment with significant implications for public access to government information—and, therefore, the democratic process—with some observers describing federal digital publishing as the “wild west.” Now that approximately 97 percent of all federal documents are “born digital,” many important documents are not being authenticated or preserved for the future, and the public cannot easily access them. GPO has a critical role to play along with other agencies in developing a government-wide strategy that streamlines processes, clearly defines agency responsibilities, avoids duplication and waste, and effectively provides information to current and future generations."

For my lawyer friends, who are engaged in the buying and selling of lawyers...
February 07, 2013
2013 Report on the State of the Legal Market
"The Center for the Study of the Legal Profession at the Georgetown University Law Center and Thomson Reuters Peer Monitor are pleased to present this 2013 Report on the State of the Legal Market highlighting the trends that we perceived in the legal market in 2012, as well as the factors that we believe will impact the market in 2013 and beyond."

For my Ethical Hackers: “We don't need no stinking phone company!”
… Those people who have lived through floods, earthquakes, cyclones, fires, tsunamis and other major catastrophes will no doubt agree that having working phones after the disaster struck would have made an incredible difference.
Using mesh technology, the Serval Project has created a way for mobile phone users to stay connected to each other even when the infrastructure of the regular phone network is not working. This means users of the smartphone application will have the ability to communicate amongst themselves in the midst of a disaster when they need it most. At the moment the free mobile chat app is available for Android only, but will eventually be made available on other platforms.
… Here’s where you can get the Serval Mesh Android application for free [Android 2.2+]. The first thing you should acknowledge is that this application is still in development and has only just been released on the Google Play store. You are warned not to expect this application to replace your current phone service and that it may still be buggy. If you are interested in the technology and want to help improve the application, by all means download it and give it a go.
A little warning: If you grant Serval root access, Serval Mesh will take over your phone’s Wi-Fi, so you will need to log out of Serval in order to return to your normal Wi-Fi connections.

For my Design students...
"Web designers, graphics artists, and others who create and edit digital images, have a number of commercial image-manipulation packages from which they can choose — such as Adobe Photoshop and Adobe Fireworks (originally developed by Macromedia). Yet there are also many alternatives in the open-source world, the most well-known being GNU Image Manipulation Program. GIMP is available for all major operating systems, and supports all commonly-used image formats. This powerful application is loaded with features, including plug-ins and scripting. Yet detractors criticize it as being complicated (as if Photoshop is intuitively obvious). Admittedly, anyone hoping to learn it could benefit from a comprehensive guide, such as The Book of GIMP."
Keep reading for the rest of Michael's review.

Education on the cheap...
Curbing The Cost Of College: Coursera Wins Approval To Offer Online Courses For Credit For Under $200

Thursday, February 07, 2013

Costly “errors?”
It’s been an interesting few weeks for those who have followed the Cord Blood Registry (CBR) data breach.
As background: back in February 2011, CBR disclosed that backup tapes with 300,000 people’s information had been stolen from an employee’s unattended vehicle in December 2010. CBR offered those affected one year of free credit monitoring and indicated that they had improved their security. That didn’t satisfy everyone, it seems, as a potential class action lawsuit was filed (Johansson-Dohrmann v. CBR Systems, Inc.).
Then on January 28, the FTC announced that it had settled charges against CBR, which was the first anyone knew that the FTC had opened a case against CBR. The FTC had charged that CBR had not lived up to its privacy policy:
Cbr did not have reasonable policies and procedures to protect the security of information it collected and maintained. In addition, Cbr allegedly created unnecessary risks to personal information by, among other things, transporting backup tapes, a thumb drive, and other portable data storage devices containing personal information in a way that made the information vulnerable to theft.
The settlement included putting CBR under monitoring for 20 years and barred any misrepresentation of their privacy and security protections.
Now today, a judge gave preliminary approval to the class-action lawsuit. Thomson Reuters reports:
Under terms of the proposed settlement, reached last November, CBR will have to provide credit monitoring and identity theft insurance to each affected class member [for up to two years], as well as cash reimbursements for any losses resulting from identity theft.
Plaintiff’s lawyer Patrick Keegan estimated that the credit monitoring package was worth up to $112 million to the class members, according to court documents. The settlement also provides up to $600,000 in payment to the plaintiff’s lawyers.
I wonder how much this breach cost CBR, in total. Investigating the breach to determine who had what information on the devices and who required notification, defending against the lawsuit and the FTC, having to hire auditors, the cost of ID theft insurance and credit monitoring, and improvements to its security are not cheap, even though the majority of class members will likely not even sign up for the free credit monitoring.
And all because devices with unencrypted PII were left in an unattended vehicle.
I bet they won’t do that again. [I'll take that bet. Bob] Or at least, I hope they won’t. The FTC cannot fine first offenders, but if there’s another incident, the FTC could seek heavy monetary penalties.
And I bet they breathed a sigh of relief that they are not a HIPAA-covered entity, or HHS/OCR would have been investigating them, too. As it is, it is still possible that state attorneys general could take action, although if we haven’t seen any such press releases by now about investigations, I tend to doubt we will.

“Those who do not study history are doomed to repeat it.”
"Michael Geist reports that a coalition of Canadian industry groups, including the Canadian Chamber of Commerce, the Canadian Marketing Association, the Canadian Wireless Telecommunications Association and the Entertainment Software Association of Canada, are demanding legalized spyware for private enforcement purposes. The potential scope of coverage is breathtaking: a software program secretly installed by an entertainment software company designed to detect or investigate alleged copyright infringement would be covered by this exception. This exception could potentially cover programs designed to block access to certain websites (preventing the contravention of a law as would have been the case with SOPA), attempts to access wireless networks without authorization, or even keylogger programs tracking unsuspecting users (detection and investigation)."

"Sony's next-generation PS4 unveil is just two weeks away, which means leaks concerning both it and Microsoft's next-generation Xbox Durango (sometimes referred to as the Xbox 720), are at an all-time high as well. Rumors continue to swirl that the next iteration of Xbox will lock out used games entirely and require a constant Internet connection. New games would come with a one-time activation code to play. Use the code, and the game is locked to the particular console or Xbox Live account it's loaded on. Physical games will still be sold (the Durango reportedly supports 50GB Blu-ray Discs), but the used game market? Kiboshed. If this is true, it's an ugly move on Microsoft's part. Not only does it annihilate the right of first sale, it'll eviscerate any game store or business that depends on video game rentals for revenue."

"According to an Al-Jazeera report, 'Charlottesville, Virginia is the first city in the United States to pass an anti-drone resolution. The writing of the resolution coincides with a leaked memo outlining the legal case for drone strikes on U.S. citizens and a Federal Aviation Administration plan to allow the deployment of some 30,000 domestic drones.' The finalized resolution is fairly weak, but it's a start. There is also some anti-drone legislation in the Oregon state Senate, and it has much bigger teeth. It defines public airspace as anything above your shoelaces, and the wording for 'drone' is broad enough to include RC helicopters and the like."

If people keep publishing guides for the clueless, it is going to be difficult to claim you were unable to find “Best Practices.”
Today, the ACLU released a new guide for tech companies: ACLU Guide: Tips for Companies on Protecting User Privacy and Free Speech in 2013
Nicole Ozer writes:
Last year was jam-packed with stories of companies making costly mistakes on user privacy and free speech. To help companies get a fresh start in 2013, the ACLU of California has just released the new edition of Privacy and Free Speech: It’s Good for Business. This primer (and companion website) is a practical, how-to guide illustrating how businesses can build privacy and free speech protections into their products and services – and what can happen if they don’t.
The guide features dozens of real-life case studies from A(mazon) to Z(ynga) and updated recommendations for policies and practices to take the guesswork out of avoiding expensive lawsuits, government investigations, and public relations nightmares. It walks companies through essential questions and lays out steps to spot potential privacy and free speech issues in products and business models and address these issues head-on.

Motherhood and Apple pie?
Over 40,000 firms, including energy providers, banks and hospitals could be required to report cyber-break-ins under new rules proposed by the EU.
It is part of a move to intensify global efforts to fight cybercrime.
Digital agenda commissioner Neelie Kroes said that Europe needed to improve how it dealt with cybersecurity.
But firms are concerned that reporting online attacks and security breaches might damage their reputations.
Read more on BBC.
The European Commission has issued a Proposed Directive on Network and Information Security – frequently asked questions. From the FAQ, examples of companies that would be required to report significant breaches:
[Hard to read page image here Bob]
Read the full memo here.

(Related) Apparently not. Is this the “Official US Position?”
Matt Grainger reports:
A US diplomat has warned of a ‘trade war’ if the EU continues with proposals that would give people the right to demand that companies delete their private data.
According to the Register, John Rodgers, who is an economic officer with the US Foreign Service told a conference in Berlin that “things could really explode” if the proposals are put through.
“We have a right to privacy in our Constitution, but this does not mean a fundamental right to data protection,” said Rodgers. [Huh? Bob]
Read more on PCR.
Perhaps Mr. Rodgers should turn around and warn Congress that if the U.S. doesn’t become more privacy and data protective, U.S. businesses will really suffer when EU citizens decline to do business here.

The UK strikes back?
"The MPAA and other entertainment industry groups have been locked for years in a legal struggle against Newzbin2, a Usenet-indexing site. Since Newzbin2 profited from making it easier for users to find pirated movies online, the MPAA contends they can sue to take those profits on behalf of members who produced that content in the first place. But a British court has rejected that argument."

I'm stunned that Dogbert would actually quote my students.

Wednesday, February 06, 2013

What did DoE ever do to China? (If not China, who?) And why don't they know what happened?
Hackers hit U.S. Department of Energy
The U.S. Department of Energy has confirmed that its computer systems were hacked into last month. According to The New York Times, the federal agency sent around an internal e-mail on Friday telling its employees about the cyberattack.
"The Department of Energy has just confirmed a recent cyber incident that occurred in mid-January which targeted the Headquarters' network and resulted in the unauthorized disclosure of employee and contractor Personally Identifiable Information," the e-mail said.
The agency said that it is working to figure out the "nature and scope of the incident" but that so far it believes "no classified data was compromised." It's unclear which divisions within the Department of Energy were attacked or who was behind the hack.

I guess I missed the Tweets that said “China is the epitome of goodness and ethics!”
Twitter hack may have targeted elected officials, journalists
Although Twitter hasn't revealed who may have been victimized in last week's suspected massive account hack, an analysis suggests that accounts with high levels of influence may have been among those affected.
Within days of accusations that hackers in China were responsible for network breaches at The New York Times and The Wall Street Journal, the microblogging site revealed Friday that about 250,000 accounts might have been compromised.
… "This attack was not the work of amateurs, and we do not believe it was an isolated incident," Twitter said in a company blog post Friday explaining its action.

The start of a CyberWar could take many forms... Escalation to a shooting war could come if they keep playing video games with real warships...
As China and Japan jockey for influence in the Pacific, an unlikely diplomatic fault line has emerged: an archipelago of uninhabited rocks in the East China Sea. Known as the Senkakus in Japan, which controls them, the islands are also claimed by China and Taiwan -- and both are struggling to reassert sovereignty. Tremors have increased in recent months with confrontations between the Japanese and Taiwanese coast guards and rabble-rousing from Chinese media outlets.
… China raised the stakes on Jan. 30, when one of its military frigates aimed weapons-targeting radar at a Japanese warship, prompting Japan to lodge a formal complaint with the Chinese government.

Earlier I said, “In a multi-platform world, we need multi-platform malware.” Apps that run anywhere increase your “network.”
This week the analysis team at Gartner has made it clear that they expect the mobile app market to be more than 50% made up of apps that are cross-platform, aka “hybrid apps”. These apps will be working with a combination of the “portability” of HTML5 Web apps with a native container for each different device, regardless of mobile OS. This means that, as many high-end apps release today already do, so will a much more vast cross-section of brands bring their apps to iOS, Android, Windows Phone, BlackBerry, and more.

Remember, a backlog is just a tool for staying within budget (and an excuse to set priorities.)
By Dissent, February 5, 2013 6:59 pm
To say that I am frequently frustrated by HHS’s “breach tool” would be an understatement. Their reporting form and coding often make it impossible to know – simply by looking at their entries – what type of breach occurred. Consider this description from one of their entries:
“Theft, Unauthorized Access/Disclosure”,”Laptop, Computer, Network Server, Email”
So what happened there? What was stolen? Everything? And what types of patient information were involved?
Or how about this description:
“Unauthorized Access/Disclosure,Paper”
What happened there? Did a mailing expose SSN in the mailing labels or did an employee obtain and share patients’ information with others for a tax refund fraud scheme? Your guess is as good as mine. And HHS’s breach tool does not include any data type fields that might let us know whether patients’ SSN, Medicare numbers, diagnoses, or other information were involved.
If HHS followed up on these entries in a timely fashion with additional details, it would still be somewhat frustrating, but they don’t. HHS withholds crucial information about breaches that are “under investigation” and they are years behind in investigating incidents.
Yes, years.
If you look at the .csv form of the breach tool, you’ll see that when HHS closes an investigation, it enters a summary of the incident. But if you scroll down their database, you’ll note that some incidents from 2010 and many incidents from 2011 are presumably still open. And not one incident’s investigation from 2012 has been closed. Not one.
It is possible that some investigations that appear open are open because they have been referred to OCR for further action or may involve some enforcement action or pending resolution. But for most of the entries, it is not clear why the breach investigation has not been closed. And until it is closed, HHS will not tell us anything.
Because many entities still do not post notifications on their web sites and I cannot always find substitute notices in local media, the breach tool is often the only information we have about a breach involving more than 500 patients’ protected health information. HHS’s reluctance to discuss a case under investigation is understandable, but not if it takes them years to investigate and close a file. And with the new HITECH breach notification rules, there will likely be an increase in the number of breach notifications to HHS and even more breaches that they will have to investigate.
Something needs to change. Those of us who track and analyze breach trends need more transparency and information, not information that is delayed by more than two years.
I’m not sure who in HHS or Congress might give a damn, but feel free to pass these concerns along.
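The post above describes the shape of the breach tool’s .csv export: multi-valued type and location cells, and a summary column that stays empty until HHS closes the investigation. The following script is an added example (mine, not Dissent’s or HHS’s code) of how an analyst could parse such an export and count what is still open per year. The column names and the sample rows are constructed to resemble the 2013 export; they are assumptions, not the real file.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of the HHS breach tool CSV export. The column
# names are an assumption modelled on the 2013 export, not taken from the real
# file. Multi-valued "Type of Breach" and "Location" cells are comma-separated
# inside one quoted field, and "Summary" is filled in only once HHS closes a case.
SAMPLE_CSV = """Name of Covered Entity,State,Individuals Affected,Date of Breach,Type of Breach,Location of Breached Information,Summary
Example Clinic A,TX,1200,03/14/2010,"Theft, Unauthorized Access/Disclosure","Laptop, Computer, Network Server, Email",
Example Hospital B,CA,5000,06/01/2011,"Unauthorized Access/Disclosure",Paper,"Mailing labels exposed patient names."
Example Practice C,NY,900,11/20/2011,"Unauthorized Access/Disclosure",Paper,
Example Plan D,FL,3100,02/02/2012,Theft,Laptop,
Example Lab E,OH,750,09/09/2012,"Hacking/IT Incident","Network Server",
"""


def split_multi(cell):
    """Split a multi-valued breach-tool cell into a list of clean labels."""
    return [part.strip() for part in cell.split(",") if part.strip()]


def load_entries(text):
    """Parse the export into dicts; an empty Summary means the case is still open."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        entries.append({
            "entity": row["Name of Covered Entity"],
            "year": int(row["Date of Breach"].split("/")[-1]),
            "affected": int(row["Individuals Affected"]),
            "types": split_multi(row["Type of Breach"]),
            "locations": split_multi(row["Location of Breached Information"]),
            "closed": bool(row["Summary"].strip()),
        })
    return entries


def open_by_year(entries):
    """Count entries per breach year that still lack a closing summary."""
    counts = Counter(e["year"] for e in entries if not e["closed"])
    return dict(counts)


def ambiguous_open_entries(entries):
    """Open entries coded with more than one type or location: from the row
    alone a reader cannot tell what was stolen or disclosed."""
    return [e["entity"] for e in entries
            if not e["closed"] and (len(e["types"]) > 1 or len(e["locations"]) > 1)]


def individuals_in_open_entries(entries):
    """How many people are covered by incidents HHS has not yet closed."""
    return sum(e["affected"] for e in entries if not e["closed"])


if __name__ == "__main__":
    rows = load_entries(SAMPLE_CSV)
    print("open investigations by breach year:", open_by_year(rows))
    print("open and ambiguously coded:", ambiguous_open_entries(rows))
    print("individuals in open entries:", individuals_in_open_entries(rows))
```

Against the real export, replace `SAMPLE_CSV` with the downloaded file’s contents and adjust the column names to whatever the current header row says; the split-and-count logic does not change.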

Another: “We don't have the time to do it right, so we'll take the time to do it over.”
Eric Roper reports:
Attorneys for a former police officer whose driver’s license data was repeatedly breached said Tuesday that the state has agreed to conduct better audits and impose more safeguards of the often-misused drivers license database.
The legal settlement between Anne Marie Rasmusson and the Department of Public Safety is one of the last dominoes to fall in a lawsuit that has cost local governments across the state more than $1 million. Rasmusson’s success in the case has prompted a slew of class action lawsuits related to other incidents of driver’s license data misuse.
Good for her for trying to leave the system in better shape to protect others from what she experienced. Roper reports:
Among stipulations of Rasmusson’s settlement, according to Miller-Van Oort: The state will perform monthly audits of top search targets, rather than merely most active users, to identify anomalies. [That's not how I would do it... Bob]
They must also audit the top 50 most-active users and perform randomized audits, Miller-Van Oort said. Gordon said the department began monthly auditing of the top 50 users last year and initiated randomized audits in January.
A modified login screen will present new information about permissible uses and require users to confirm that they have a legitimate search purpose. The settlement also requires the state to augment data training.
It’s a shame it took a lawsuit to get them to agree to enhance data protection. What I don’t see listed in the news report, however, is whether/how the state will actually limit access to the database and not just audit access after the fact.
Read more on the Star Tribune.
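The settlement terms above describe three audits over the query log: top search targets, top 50 most-active users, and a randomized sample. As an added example (not the state’s code, and not from the Star Tribune report), here is how those audits look when run over a constructed query log. The log format (`timestamp user subject purpose`) and the records in it are assumptions for illustration; the contrast it shows is the one Bob flags: a heavy but legitimate user tops the user audit, while the repeatedly looked-up record, queried by several different users with no stated purpose, only surfaces in the subject-centric audit.

```python
import random
from collections import Counter, defaultdict

# Constructed query-log lines in an assumed "timestamp user subject purpose"
# format. officer17 is a busy but legitimate user; DL000123 is one record that
# several users look up with no stated purpose, mostly at night.
SAMPLE_LOG = """\
2013-01-03T08:12:00 officer17 DL000555 traffic-stop
2013-01-03T09:40:00 officer17 DL000556 traffic-stop
2013-01-03T10:05:00 officer17 DL000557 traffic-stop
2013-01-03T11:30:00 officer17 DL000558 traffic-stop
2013-01-03T22:15:00 officer42 DL000123 none
2013-01-04T23:02:00 officer42 DL000123 none
2013-01-05T01:20:00 officer42 DL000123 none
2013-01-06T14:00:00 officer08 DL000123 none
2013-01-07T14:30:00 officer21 DL000123 none
2013-01-07T15:00:00 officer21 DL000900 investigation
"""


def parse_log(text):
    """Turn the log text into a list of query records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, subject, purpose = line.split()
        entries.append({"ts": ts, "user": user, "subject": subject, "purpose": purpose})
    return entries


def top_users(entries, n=50):
    """User-centric audit: who runs the most queries."""
    return Counter(e["user"] for e in entries).most_common(n)


def top_subjects(entries, n=50):
    """Subject-centric audit: which records are looked up most often."""
    return Counter(e["subject"] for e in entries).most_common(n)


def subject_review(entries, min_lookups=3):
    """For each record looked up at least min_lookups times, list who queried it
    and how many of those lookups carried no stated purpose."""
    by_subject = defaultdict(list)
    for e in entries:
        by_subject[e["subject"]].append(e)
    report = {}
    for subject, rows in by_subject.items():
        if len(rows) >= min_lookups:
            report[subject] = {
                "lookups": len(rows),
                "users": sorted({r["user"] for r in rows}),
                "no_purpose": sum(1 for r in rows if r["purpose"] == "none"),
            }
    return report


def off_hours(entries, start=22, end=6):
    """Queries made between start and end hour (default 22:00 to 06:00)."""
    def hour(e):
        return int(e["ts"][11:13])
    return [e for e in entries if hour(e) >= start or hour(e) < end]


def random_sample(entries, k, seed=None):
    """Randomized audit: a reproducible sample of k queries for manual review."""
    rng = random.Random(seed)
    return rng.sample(entries, min(k, len(entries)))


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("top users:", top_users(log, 3))
    print("top subjects:", top_subjects(log, 3))
    print("subject review:", subject_review(log))
    print("off-hours queries:", len(off_hours(log)))
    print("random sample:", [e["user"] for e in random_sample(log, 3, seed=1)])
```

The user audit alone returns officer17, whose four traffic-stop lookups are exactly what a patrol officer generates; the subject review and the off-hours filter are what point at DL000123 and at officer42.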

Look for patterns. Look for patterns we did not expect. Determine what causes a data element to fit a particular pattern. Look for things that should be in those patterns but are not.
What the Intelligence Community Is Doing With Big Data
… Armed with billions of tweets, Google (GOOG) searches, Facebook (FB) posts, and other publicly available social-media and online data, the Office of the Director of National Intelligence is sponsoring research projects involving 14 universities in the United States, Europe, and Israel with the goal of using advanced analytics to predict significant societal events.
“Our focus is to beat the news with greater accuracy and to do it faster by combining [various sets of] data, and we are seeing that it is possible,” said Jason Matheny, program manager of the Open Source Indicators program, which is housed within the Intelligence Advanced Research Projects Activity, or IARPA, the government’s intelligence research incubator. (Think DARPA, but for intelligence.)
… It would also help the organization know what isn’t foreseeable at all. In other words, they are tackling Donald Rumsfeld’s infamous “unknown unknowns” problem. If you know what you can predict, then you can predict it; if you know what you can’t predict, you can make other plans.

The Fourth Amendment does not apply to crops... (I see a business opportunity. Rent drone crop sprayers like they rent harvesters)
Drone Boosters Say Farmers, Not Cops, Are the Biggest U.S. Robot Market
… UVSI intends to publish a study in the next few weeks anticipating the scope of the domestic, non-military market for drones. But there’s already some data to support Mailey’s hypothesis. “Precision farmers” love using data tools to increase crop yields. In 2009, an Idaho farmer homebrewed his own drone, slapped a commercial digital camera on it, and began extracting data on soil patterns to help his business expand. Companies like CropCam build lightweight, modular, GPS-driven gliders to give farmers an aerial view of their fields without requiring pilot training or the expense of buying a small manned plane. Of course, this is all dependent on drone manufacturers pricing their robots inexpensively enough for farmers who also have to buy a lot of other expensive equipment to ply their trade.
Japan also provides some indication of the potential demand for drones by farmers. Yamaha introduced its RMAX unmanned helicopter for crop-spraying in 1990.

(Related) ...and if you need to surveil your indoor plants...
Tiny, Hackable Quadcopter Drone Launches Pre-Orders
A tiny new open source drone kit made by Bitcraze is buzzing its way to market this spring, targeted at hackers and modders who want to explore droning indoors as well as out.
Marcus Eliasson, Arnaud Taffanel, and Tobias Antonsson are the engineers behind the Swedish startup now accepting pre-orders for a palm-sized quadcopter called the Crazyflie Nano. (Not to be confused with the Norwegian-made nano-copter used by British troops in Afghanistan.)
The trio used only open source material for the project, from mechanics to hardware and code. Not only was it a nod to the open source mantra, it saved them a ton of time; all three have day jobs and have spent the last three years working evenings on the Crazyflie Nano.
The $149 device is controlled by a PC through a 2.4 GHz radio, and an on-board gyroscope and accelerometer keep it steady. (A more advanced, $173 version, with a magnetometer and altimeter will also be available.)

A typical Slashdot question. (Whenever you start something new, assume hundreds of people have done it before you) Note that there are many, many answers.
"I am trying to set up a surveillance system. It is not intended to build a real-time on-line surveillance system to watch a wall of monitors on a 24/7 basis. The main scope is to record video (24/7) from the fixed cameras around our facility and when needed, get back to pre-recorded video and check it for particular event(s). Of course, it is possible to use a human to fast forward through video using a DVR-type FF function for short video sequences. Unfortunately, for long sequences (one week), it is not an acceptable solution. I was searching online the whole weekend for the open source software for analysis of pre-recorded video in order to retrieve events and data from recorded video but had no luck. So I ask you, Slashdotters: Can you provide some suggestions for forensic software to analyze/find specific events in pre-recorded video? Some examples of events: 'human entering restricted zone,' 'movement in the restricted zone,' 'light in the restricted zone.'"
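The core of what the poster is after is frame differencing restricted to a region of interest: compare each frame with the previous one, count how many pixels inside the zone changed, and classify the change. The block below is an added example of that technique (mine, not anything from the Slashdot thread or any product). It works on tiny constructed grayscale frames so it runs offline; the zone coordinates, thresholds and the "nearly every pixel changed means a light event" heuristic are assumptions to be tuned against real footage, where a decoder such as OpenCV would supply the frames.

```python
# Frames are constructed grayscale images: lists of rows of 0-255 ints.
WIDTH, HEIGHT = 8, 6
ZONE = (4, 1, 7, 4)  # x0, y0, x1, y1 inclusive: the restricted zone (assumed)


def blank_frame(level=20):
    """A uniformly dark frame (constructed test input)."""
    return [[level] * WIDTH for _ in range(HEIGHT)]


def with_blob(frame, x, y, size=2, level=200):
    """Copy of frame with a bright square at (x, y), standing in for a person."""
    out = [row[:] for row in frame]
    for yy in range(y, y + size):
        for xx in range(x, x + size):
            out[yy][xx] = level
    return out


def zone_pixels(frame, zone):
    x0, y0, x1, y1 = zone
    return [frame[y][x] for y in range(y0, y1 + 1) for x in range(x0, x1 + 1)]


def changed_fraction(prev, cur, zone, threshold=40):
    """Fraction of zone pixels whose brightness moved by more than threshold."""
    a, b = zone_pixels(prev, zone), zone_pixels(cur, zone)
    changed = sum(1 for p, q in zip(a, b) if abs(p - q) > threshold)
    return changed / len(a)


def detect_events(frames, zone, motion_min=0.10, light_min=0.90):
    """Return (frame_index, event) pairs. A change in a small part of the zone is
    'movement'; a change across nearly the whole zone is treated as a 'light'
    event (assumed heuristic: a light switch alters every pixel at once)."""
    events = []
    for i in range(1, len(frames)):
        frac = changed_fraction(frames[i - 1], frames[i], zone)
        if frac >= light_min:
            events.append((i, "light"))
        elif frac >= motion_min:
            events.append((i, "movement"))
    return events


def event_times(events, fps):
    """Map frame indices to seconds so an analyst can seek the recording."""
    return [(round(i / fps, 3), kind) for i, kind in events]


def sample_sequence():
    """Constructed clip: nothing, a blob outside the zone, the blob stepping into
    the zone, the blob standing still, then the lights coming on."""
    f0 = blank_frame()
    f1 = blank_frame()
    f2 = with_blob(f0, 1, 1)            # outside ZONE: should not fire
    f3 = with_blob(f0, 5, 2)            # inside ZONE: movement
    f4 = f3                             # no change
    f5 = blank_frame(level=120)         # whole zone brightens: light
    return [f0, f1, f2, f3, f4, f5]


if __name__ == "__main__":
    clip = sample_sequence()
    found = detect_events(clip, ZONE)
    print("events:", found)
    print("at seconds (25 fps):", event_times(found, 25))
```

On real recordings the same loop runs over decoded frames, with the threshold raised to absorb sensor noise and compression artifacts, and with a minimum run length so a single flickering frame does not produce an event.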

Looks more like a “how to” manual...
February 05, 2013
Description of Civil Liberties and Privacy Protections in updated NCTC Guidelines
Description of Civil Liberties and Privacy Protections in the updated NCTC Guidelines, January 2013, Office of the Director of National Intelligence.
  • "In March, 2012, the Director of National Intelligence (DNI), the Attorney General, and the Director of the National Counterterrorism Center (NCTC) approved the updated Guidelines for Access, Retention, Use, and Dissemination by the National Counterterrorism Center and Other Agencies of Information in Datasets Containing Non-Terrorism Information (referred to here as the "NCTC Guidelines" or "Guidelines") (available at The NCTC Guidelines make important updates and modifications to the 2008 version of the Guidelines. The new Guidelines ensure that NCTC has an effective and efficient means of assessing federal agency datasets that are likely to contain significant terrorism information, permit NCTC to use terrorism information for proper purposes subject to multi-layered privacy and civil liberties protections, and establish comprehensive compliance and oversight mechanisms."

(Related) It's a good thing we have privacy guidelines (above) since we're sure gonna need them! (No mention of drones in the guidelines)
February 05, 2013
Integration of Drones into Domestic Airspace: Selected Legal Issues
Integration of Drones into Domestic Airspace: Selected Legal Issues. Alissa M. Dolan, Legislative Attorney - Richard M. Thompson II, Legislative Attorney, January 30, 2013
  • "Under the FAA Modernization and Reform Act of 2012, P.L. 112-95, Congress has tasked the Federal Aviation Administration (FAA) with integrating unmanned aircraft systems (UASs), sometimes referred to as unmanned aerial vehicles (UAVs) or drones, into the national airspace system by September 2015. Although the text of this act places safety as a predominant concern, it fails to establish how the FAA should resolve significant, and up to this point, largely unanswered legal questions... With the ability to house surveillance sensors such as high-powered cameras and thermal-imaging devices, some argue that drone surveillance poses a significant threat to the privacy of American citizens. Because the Fourth Amendment’s prohibition against unreasonable searches and seizures applies only to acts by government officials, surveillance by private actors such as the paparazzi, a commercial enterprise, or one’s neighbor is instead regulated, if at all, by state and federal statutes and judicial decisions. Yet, however strong this interest in privacy may be, there are instances where the public’s First Amendment rights to gather and receive news might outweigh an individual’s interest in being let alone."

Gee, what we need is a lawyer with an Economics degree to evaluate this...
"Two economists at the St. Louis Federal Reserve have published a paper arguing that the American patent system should be abolished. The paper recognizes the harm the current patent system has caused not only to the technology sector but the health sector as well."

Have I missed something or is DHS looking for even more ways to waste money? Do we really think missiles will be launched from hundreds of miles away rather than from a ship a few miles away? (Or have they shut down the Potomac?)
"Reuters reports that a pair of bulbous, helium-filled 'aerostats', each 243 feet long, will be moored to the ground and fly as high as 10,000 feet, as part of a high-tech shield designed to protect the Washington D.C. area from an air attack like the one that took place on September 11, 2001. One of the aerostats carries a powerful long-range surveillance radar with a 360-degree look-around capability that can reach out to 340 miles. The other carries a radar used for targeting. [...and connected to what? Bob] Operating for up to 30 days at a time, JLENS is meant to give the military more time to detect and react to threats (PDF), including cruise missiles and manned and unmanned aircraft, compared with ground-based radar and is also designed to defend against tactical ballistic missiles, large caliber rockets and moving vehicles that could be used for attacks, including boats, cars and trucks. 'We're trying to determine how the surveillance radar information from the JLENS platforms can be integrated with existing systems in the National Capital Region,' says Michael Kucharek, a spokesman for the North American Aerospace Defense Command. Washington is currently guarded by an air-defense system that includes Federal Aviation Administration radars and Department of Homeland Security helicopters and fixed-wing aircraft on alert at Reagan National Airport to intercept slow, low-flying aircraft."

I'm sure they are trying to tell me something....
February 05, 2013
Paper - Open Wireless vs. Licensed Spectrum: Evidence from Market Adoption
"The Berkman Center for Internet & Society at Harvard University is pleased to announce the publication of Open Wireless vs. Licensed Spectrum: Evidence from Market Adoption, authored by Yochai Benkler, and published in the latest issue of the Harvard Journal of Law & Technology [download here]. The paper reviews evidence from eight wireless markets: mobile broadband; wireless healthcare; smart grid communications; inventory management; access control; mobile payments; fleet management; and secondary markets in spectrum. Benkler finds that markets are adopting unlicensed wireless strategies in mission-critical applications, in many cases more so than they are building on licensed strategies. If the 1990s saw what was called "the Negroponte Switch" of video from air to wire, and telephony from wire to air, the present and near future are seeing an even more fundamental switch. Where a decade ago most of our wireless capacity was delivered over exclusive control approaches-both command and control and auctioned exclusivity--complemented by special-purpose shared spectrum use, today we are moving to a wireless infrastructure whose core relies on shared, open wireless approaches, complemented by exclusive control approaches for special, latency-intolerant, high-speed mobile applications. The scope of the latter will contract further if regulation catches up to technological reality, and opens up more bands to open wireless innovation, with greater operational flexibility and an emphasis on interoperability."

What's the opposite of “too big to fail?” (Breakup worked really well for Standard Oil)
HP considering company 'breakup,' says report
PC maker Hewlett-Packard is mulling over breaking up the company in a bid to return the maximum value to company shareholders, according to a report.
Citing unnamed sources, blog Quartz said company directors have "discussed the details of a possible breakup scenario," among other options.

Have you ever complained about slow response times?
Nasdaq said to be settling with SEC over Facebook's IPO flop
… One investigation, initiated by the U.S. Securities and Exchange Commission, focused on technical errors in Nasdaq's system that inadvertently delayed trading that first day.
Now, word has it that Nasdaq may be able to settle the debacle with the federal regulators, according to the Wall Street Journal.
Sources familiar with the matter have told the Journal that Nasdaq has been in preliminary settlement talks with the SEC. If the two sides do make a deal, it will most likely include a financial penalty that could be as much as $5 million.

This surprises me. I wonder why?