Saturday, February 23, 2013

In the Cloud, even a “minor” problem is a Big Deal!
Microsoft’s Cloud Goes Dark Across the Globe
Microsoft’s cloud crashed on Friday. Big time.
Just before 2 p.m. Pacific time, Microsoft reported worldwide problems with its Windows Azure cloud computing platform. The problem has to do with the security certificate used by Azure’s storage service, which in turn affected a number of other Azure services.
That meant that web developers who tried to connect to Azure securely over the internet in order to run their programs weren’t getting through. Instead, they were greeted with error messages.
… The company didn’t identify the root cause of the problem or respond immediately to an inquiry from Wired. According to this post in Microsoft’s Azure community forums, the SSL, or secure sockets layer, certificate used by Microsoft had been set to expire on Friday.
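The outage above came down to an expired certificate on a core service that other services depended on. As an added example (not code from the post, from Wired or from Microsoft), here is a small Python expiry monitor that works on the record shape Python's `ssl` `getpeercert()` returns, so the same logic can be exercised offline and run against a live endpoint; the hostnames, dates and alert thresholds are constructed for illustration.

```python
"""Certificate-expiry monitor: an added example (not from the original post)
showing the kind of check that flags an expiring certificate days in advance.
It works on the dict that ssl.SSLSocket.getpeercert() returns, so the logic
can be exercised offline against constructed records and run live as well.
"""
import socket
import ssl
import time
from datetime import datetime, timezone

# Constructed sample records in the shape getpeercert() returns; the
# hostnames and dates are made up for this example, not real certificates.
SAMPLE_CERTS = [
    {
        "subject": ((("commonName", "storage.example.test"),),),
        "notBefore": "Feb 22 00:00:00 2012 GMT",
        "notAfter": "Feb 22 19:44:00 2013 GMT",
    },
    {
        "subject": ((("commonName", "api.example.test"),),),
        "notBefore": "Jan  1 00:00:00 2013 GMT",
        "notAfter": "Mar  4 00:00:00 2013 GMT",
    },
]


def utc_timestamp(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as UTC into epoch seconds (for reproducible checks)."""
    dt = datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.timestamp()


def common_name(cert):
    """Pull the subject CN out of getpeercert()'s nested tuple structure."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def seconds_until_expiry(cert, now_ts=None):
    """Seconds from now until notAfter; negative once the certificate has expired."""
    now_ts = time.time() if now_ts is None else now_ts
    return ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts


def days_until_expiry(cert, now_ts=None):
    return seconds_until_expiry(cert, now_ts) / 86400.0


def classify(cert, now_ts=None, warn_days=30, crit_days=7):
    """Map remaining lifetime onto an alert level. Renewal should begin at
    WARNING, long before the window in which an outage like the one above occurs."""
    days = days_until_expiry(cert, now_ts)
    if days < 0:
        return "EXPIRED"
    if days < crit_days:
        return "CRITICAL"
    if days < warn_days:
        return "WARNING"
    return "OK"


def summarize(certs, now_ts=None, **thresholds):
    """Return (common name, level, whole days left) per certificate, worst first."""
    order = {"EXPIRED": 0, "CRITICAL": 1, "WARNING": 2, "OK": 3}
    rows = [
        (common_name(c), classify(c, now_ts, **thresholds), int(days_until_expiry(c, now_ts)))
        for c in certs
    ]
    return sorted(rows, key=lambda r: (order[r[1]], r[2]))


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live endpoint's leaf certificate (network access required).
    Verification stays enabled so a broken chain fails loudly instead of reading as OK."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Evaluate the constructed records as of the afternoon of the outage (UTC).
    as_of = utc_timestamp("2013-02-22 22:00:00")
    for name, level, days in summarize(SAMPLE_CERTS, as_of):
        print(f"{level:9s} {name:25s} {days:+d} days")
```

To check a real host, pass the result of `fetch_cert(host)` to `classify` or `summarize`; the functions never disable chain verification, so an untrusted or mismatched certificate raises instead of being scored.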

Something for my Ethical Hackers...
At last year's RSA security conference, we ran into the Pwnie Plug. The company has just come out with a new take on the same basic idea of pen-testing devices based on commodity hardware. Reader puddingebola writes with an excerpt from Wired:
"The folks at security tools company Pwnie Express have built a tablet that can bash the heck out of corporate networks. Called the Pwn Pad, it's a full-fledged hacking toolkit built atop Google's Android operating system. Some important hacking tools have already been ported to Android, but Pwnie Express says that they've added some new ones. Most importantly, this is the first time that they've been able to get popular wireless hacking tools like Aircrack-ng and Kismet to work on an Android device."
Pwnie Express will be back at RSA and so will Slashdot, so there's a good chance we'll get a close-up look at the new device, which runs about $800.

Push it! Push it!
The Most Terrifying Button On Facebook
… searches are "Only Me" by default, and clicking that button on your profile doesn't mean anyone else can see them. We should know by now not to feel shocked that Facebook knows whose profile we've looked at or that what we search for is stored in some server in a data center at the bottom of a volcano or something. Yet it's a surprise that this information is actually sitting there on your profile this whole time, visible if you want it.
While this information is private, imagine if someone had access to your account from your computer, which isn't a totally unreasonable circumstance. Young people even have a name for it: "frape," for Facebook rape, a term that isn't appropriate, but endures nonetheless.

Are we back to the National ID Card? It can't be just for immigrants, since if you dispose of your “I'm an immigrant” card you must be a citizen, right?
Fox News Latino reports:
In a move that could split a coalition of eight Democratic and Republican senators discussing comprehensive immigration reform, a number of lawmakers want to explore the possibility of issuing U.S. workers high-tech identity cards that use fingerprints and other identifiers to prove a person’s legal status to work.
In hazily worded language [What else would we expect... Bob] from the senators, the ID cards would also track Americans at airports, hospitals and other public spaces – worrying a number of privacy advocates and others concerned with being tracked by the federal government.
Read more on Fox News Latino. The report is based on a report by Danny Yadron of the Wall Street Journal.
That my senator supports this plan is troubling. Very troubling.
[From FOX:
The cards would allow lawmakers to quickly obtain the information of a prospective employee and would be similar to the E-Verify system now in place.
E-Verify uses social security numbers and other information to screen prospective employees, but can be fooled by undocumented immigrants who use false names or other information.

Why do I suspect this (totally unbiased) group will find that drones were mandated in the Constitution?
Declan McCullagh reports:
A Homeland Security office says it plans to review the privacy implications of using drones to monitor U.S. citizens.
The department’s Office for Civil Rights and Civil Liberties has created a working group that will “clarify any misunderstandings that exist” about DHS’s drone program, as well as make an effort to “mitigate and address any outstanding” privacy concerns.
Read more on CNET.
[From the article:
It isn't clear how rigorous the review will be. The department's privacy office lacks key investigative powers, and last fall it blessed the controversial practice of monitoring social media as perfectly acceptable. In 2006, however, it did slap down the Transportation Security Agency for "privacy missteps" when collecting details on millions of air travelers.
… Some legal scholars and civil libertarians say they're worried that the Obama administration has not explicitly ruled out the possibility of assassinating U.S. citizens inside the country using armed drones. In a written response to the Senate (PDF) this month, John Brennan, Obama's nominee for CIA director, declined to answer this question: "Could the administration carry out drone strikes inside the United States?"

(Related) With a drone, they could have simply nuked it... Can you say, “Streisand Effect”? Look at the number of Comments on this latest DHS kerfuffle.
"Michael Arrington, founder of TechCrunch, lives near Seattle and bought a boat there. He ordered it from a company based near him, but across the border in Canada. Yesterday, the company tried to deliver it to him, and it had to clear customs. An agent for the Department of Homeland Security asked him to sign a form. The form contained information about the boat, including its cost. The price was correct, but it was in U.S. dollars rather than Canadian dollars. Since the form contained legal warnings about making sure everything on it is true and accurate, Arrington suggested to the agent that they correct the error. She responded by seizing the boat. 'As in, demanded that we get off the boat, demanded the keys and took physical control of it. What struck me the most about the situation is how excited she got about seizing the boat. Like she was just itching for something like this to happen. This was a very happy day for her. ... A person with a gun and a government badge asked me to swear in writing that a lie was true today. And when I didn't do what she wanted she simply took my boat and asked me to leave.'"

Run about! Scream and shout! The sky is falling!
"Starting next week, most U.S. Internet users will be subject to a new copyright enforcement system that could force them to complete educational programs, and even slow their Internet speeds to a crawl. A source with direct knowledge of the Copyright Alert System [said] the five participating Internet service providers will start the controversial program Monday. The ISPs — industry giants AT&T, Cablevision, Comcast, Time Warner, and Verizon — will launch their versions of the CAS on different days throughout the week. Comcast is expected to be the first, on Monday."
Of course, there are many ways around the Copyright Alert System, so it probably won't be terribly effective.

Before justice comes understanding. Definitely worth a read...
Close, But No Privacy
A computer is more like:
  1. A safe
  2. A file cabinet
  3. A suitcase
  4. A garbage can
  5. A computer
The answer to this question will determine whether you spend a lengthy period of time as a guest of the federal government at one of their lovely vacation spots. When it comes to technology, the question of which precedent to apply is based largely on which analogy a judge prefers, which in turn is based on either a judge's grasp of technology, which is not always the same as, say, more attuned users, or the analogy that produces the desired result.

An interesting legal question with implications for website operators?
That’s a question that came up recently after a famous Banksy work in London was ripped out of the side of a building, shipped across the Atlantic, and put up for auction with an estimated final price of over half a million dollars.
The piece in question (shown above) is titled “Slave Labour,” and first appeared on the side of a discount store in North London in May 2012. CNN reports that many residents grew quite fond of the piece and the attention it gave the neighborhood.

Tools for “sexting?” There's an App for that.
… Well it seems that a very popular iPhone and Android app called Snapchat might be a simple solution for texting your kinky photos without them being released to the wider public.
… Snapchat, as with similar self-destructing emails and text message apps, is not foolproof, although it can still be fun to use.
… if recipients know how to do so, they can take a screenshot of your photo or video before the time expires. Snapchat tries to address this issue by requiring recipients to keep their finger pressed down on the capture in order to view it. With a three second time limit, it is very difficult for a recipient to keep his or her finger pressed down while also taking a screenshot – which requires pressing both the on/off and Home buttons on the iPhone at the same time. [Of course, you could turn on “video screen capture” before viewing – I'm sure there's an App for that too Bob]

For when you get serious about backup.
Being able to sync from our many devices to the Cloud is an awesome benefit of modern computing. We’re able to take our files with us on mobile devices, access them from other computers without the need of a device like a flash drive or SD card, and it’s an excellent solution for backing up that data that we can’t live without.
Speaking of backing up that data, one of the best, but seldom used, ways to use cloud storage services is to create a redundancy backup system. Basically this means you would use two or more cloud storage services to sync your data between them and to your computer, without creating duplicate files on your computer system.

Tools for my Website class...
For website developers, they need to make sure that their websites are ready to adapt to the tablet’s smaller screen. iPad Mini Website Simulator is a cool website that will show any URL on a screen that’s the same size as an iPad Mini, so you will know exactly what your website will look like when the device hits the market.

I have mentioned this one before, but now is a good time to review what it can do...
… Symbolab hopes to help soften the blow a little by offering a semantic search engine for equations. What’s a semantic search? It means it does more than just show links; it actually shows the equations on the screen as well as links. It’s like one part Google, one part Wolfram Alpha, all math.
The search engine has the tools you need to enter complex formulas. It has every type of modifier from the most basic to most advanced, which makes it easy to find what you are looking for. Once you search, it shows you the formula on a graph, or how it’s solved. It also shows you information about the formula from various sources on the web. This makes it so you can actually learn more about the formula and not just find the answer.

For my students. Still feel like dropping out?
gh Pickens writes "The NY Times reports that a college degree is becoming the new high school diploma: the new minimum requirement for getting even the lowest-level job. Many jobs that didn't require a diploma years ago — positions like dental hygienists, cargo agents, clerks and claims adjusters — are increasingly requiring a college degree. From the point of view of business, with so many people going to college now, those who do not graduate are often assumed to be unambitious or less capable. 'When you get 800 résumés for every job ad, you need to weed them out somehow,' says Suzanne Manzagol. A study by Georgetown University's Center on Education and the Workforce found that more than 2.2 million jobs that require a minimum of a bachelor's degree have been created (PDF) since the 2007 start of the recession. At the same time, jobs that require only a high school diploma have decreased by 5.8 million in that same time. 'It is a tough job market for college graduates but far worse for those without a college education,' says Anthony P. Carnevale, co-author of the report. 'At a time when more and more people are debating the value of post-secondary education, this data shows that your chances of being unemployed increase dramatically without a college degree.' Even if they are not exactly applying the knowledge they gained in their political science, finance and fashion marketing classes, young graduates say they are grateful for even the rotest of rote office work they have been given. 'It sure beats washing cars,' says Georgia State University graduate Landon Crider, 24, an in-house courier who, for $10 an hour, ferries documents back and forth between the courthouse and his company's office."

For my amusement...
edX, the non-profit MOOC platform funded initially by MIT and Harvard, announced a major expansion this week, adding six new schools to its consortium: The Australian National University (ANU), Delft University of Technology, École Polytechnique Fédérale de Lausanne (EPFL), McGill University, the University of Toronto, and Rice University. According to documents obtained by The Chronicle of Higher Education, edX plans to offer participating institutions two choices regarding revenue-sharing: one based on a self-service model and one based on an “edX-supported model.” It’s still not clear, however, where exactly this “revenue” is going to come from.
Coursera also added more universities — 29 new ones — to its MOOC platform this week: California Institute of the Arts, Case Western Reserve University, Curtis Institute of Music, Northwestern University, Penn State University, Rutgers University, UC San Diego, UC Santa Cruz, UC Boulder, University of Rochester, University of Minnesota Twin Cities, University of North Carolina Chapel Hill, University of Wisconsin Madison, Universidad Nacional Autónoma de México, Tecnológico de Monterrey, Ecole Polytechnique, IE Business School, Leiden University, Ludwig-Maximilians-Universitat Muenchen, Sapienza University of Rome, Technical University Munich, Technical University of Denmark, University of Copenhagen, University of Geneva, Universitat Autonoma de Barcelona, The Chinese University of Hong Kong, National Taiwan University, National University of Singapore, and University of Tokyo. unveiled a new education vertical to encourage teachers to use the blogging platform.

Why take any course from someone who is not the absolute best person in the world to teach that course?
You Can Now Take Classes From the Most Selective College in the Country on Coursera
The most selective college in the country -- the hardest school to get into -- isn't in the Ivy League or West Point, NY. It's not an engineering college or a medical school. It's the Curtis Institute of Music, a tiny conservatory of classical music in Philadelphia which can boast, according to US News and World Report, an admission rate of 3.2 percent.
And which, starting soon, will offer courses on Coursera.
… The school only enrolls enough students to fill an orchestra and an opera company (that's 166, at the moment), and all students attend for free.

Might be useful... Launches Education Vertical For Students And Teachers just rolled out a new education vertical that is meant to help educators easily create good-looking websites for their classes.
… With this launch, is also introducing a new theme, Chalkboard, that it will highlight in addition to the other education-focused designs in its gallery.
… Given that not every school and parent will be comfortable with all the class information being freely available on the web,’s announcement also stresses that these sites and/or individual pages can always be hidden behind passwords.
The launch of all of these verticals over the last few months is clearly meant to highlight the fact that WordPress is not just a basic blogging platform anymore. Thanks to its flexible theming engine and the addition of custom post types, WordPress has now become a pretty capable content management system that can be used for far more than basic blogging.

Friday, February 22, 2013

An (over)abundance of caution? Why tell users it's because of an error? How vulnerable is Facebook?
Facebook blocks NBC site after reported hack
It seems Facebook is blocking links to after the TV network's site was compromised earlier today.
… Reports about NBC's brief security breach surfaced earlier today. The network confirmed the hack, adding that no user information was compromised. Other companies, like Bitly and Google, are taking precautions after the breach by warning users before they enter that there might be a problem with security.

Reacting to a true invasion of privacy.
As I mentioned in previous posts, Johns Hopkins’ first breach statement about OB/GYN patients who may have been secretly photographed or videotaped by a physician included a reference to “counseling” for patients. Since this was the first time I’ve ever seen a reference to “counseling” in a breach notification statement and it struck me as a potentially meaningful way to help mitigate harm from the breach, I contacted Johns Hopkins to inquire as to the scope of the counseling and whether it might include face-to-face counseling for patients who were distraught over having been secretly taped.
Today I received a statement from Johns Hopkins:
We are offering his patients free, face-to-face, professional counseling services that focus on crisis response, stabilization, and referrals for longer term treatment if/when needed. The counselors providing this service are masters and doctorate level clinicians with a minimum of 5 years general practice experience, though most have more than that. We are committed to working with people through stabilization; if conditions are assessed that indicate longer term treatment is appropriate, we will assist in making an appropriate referral. This means if the client has health insurance, we will work with that plan to find a therapist; if not, we will refer to a community mental health resource.
As I have seen them do in the past, Johns Hopkins is once again rising to the challenge of a breach, and while I realize some will not find their response satisfactory, I am impressed with their offer.
This breach is a nightmare for many patients who still don’t know whether they were among those who were photographed or videotaped, for those who worry that the doctor may have uploaded videos to gynecology fetish web sites, for the doctor’s family, and for the hospital. Seldom do I see breaches with such potential for psychological harm and/or for making patients afraid to trust doctors. Whatever Johns Hopkins can do to mitigate the harm caused by the doctor’s actions, I sincerely hope it helps.

Attention IT Departments! Did you get one for your CEO? (The benefits of good Lobbyists)
"Some two million people have bought cell-phone wireless signal boosters and have been using them to get better communication between their phones and distant cell towers. But now, the FCC says they all have to turn their boosters off and ask permission from their providers, and register their devices with those providers, before they can turn them back on."
[From the article:
Major carriers haven't said how the registration process will work, but one conceivable outcome is that they could charge customers an extra fee to use boosters, like they do with other devices that improve signals.
Wireless boosters are "saving the carriers money by not making them build more towers, but now they can charge you for improving the holes in their own network," Feld said.

Better than a tin foil hat? Perhaps we could adapt them to an urban environment?
"Ever wonder how al-Qaeda operates under the watchful eye of the U.S. Army? Well, the Associated Press found a list of 22 of their tips and tricks on avoiding drone strikes. Most of it consists of the obvious: stay in the shadows or under thick trees, don't use wireless communications. However, there are also some less obvious solutions, like the $2,595 Russian 'sky grabber,' which can track the drones. Their document (PDF) also suggests covering your roof and car with broken glass. They also claim good snipers can take out the reconnaissance drones, which fly at a lower level. Now the question is: will all of this still be relevant during the robo-apocalypse?"

The Privacy of Mobile Apps...
February 22, 2013
MEF Global Privacy Survey - challenges and opportunities
"Mobile apps offer consumers fun and functionality via the one device that stays with them throughout the day. The explosion of the apps ecosystem is driven by new business models where many apps are free or heavily discounted which of course consumers love, but where developers monetize the information they collect on their users. The report, supported by AVG Technologies, was carried out in partnership with mobile specialists On Device Research to understand global consumer understanding and perceptions of apps that gather and use personal data such as address book information and location. The ten country study of 9,500 respondents reveals consumer attitudes towards the use of their personal information by mobile app providers, scrutinizing four key factors of privacy, Transparency, Comfort, Security and Control."

There are good reasons to share medical data as long as it is done within the rules. What do you mean, “There are no rules?”
Some collaboration or sharing of patient information seems potentially useful, even if it is money motivating the sharing. Julie Bird reports:
Hospitals are looking to large drugstore chains, their vast databases and patient-outreach resources to help reduce hospital readmission rates.
With medication discrepancies doubling the risk of hospital readmissions, contracting with drugstores to monitor for prescription conflicts and follow up with patients is well worth the expense, healthcare researcher Jane Brock tells Colorado Public Radio.
Now that Medicare payments are at risk if too many patients come back within 30 days of discharge, hospitals have even more incentive to pursue drugstore partnerships.
Read more on FierceHealthcare. Of course, I’d feel a bit better if we didn’t read of so many cases where pharmacies improperly dispose of patient prescription records, but the concept of follow-up to discharge is a good one. I just wonder if patients are informed of this program and that their data will be shared while they are in-patient.

The question is, can anyone create truly anonymous data? If I know you are a Professor of Business Law at a certain Wyoming University, drive a Ferrari and have an extensive wine cellar, that sort of makes identification simple. (Okay, I lied about the Ferrari – but only because I can't spell Maseratti.)
Organisations should be able to process pseudonymised data without the consent of individuals, a European Parliament committee has proposed.
The Industry, Research and Energy Committee (IREC) has outlined changes it would like to see made to the European Commission’s draft Data Protection Regulation which was originally published last year. One of those changes should be to list the processing of pseudonymised data as a “legitimate interest” of data controllers, it said.
So could a business take two already self-pseudonymized databases (i.e., databases that use user-generated pseudonyms) and aggregate them and process the larger database without user consent? How exactly would this work?

(Related) What databases are available to help de-anonymize data? (Another government “Trust us!” fails...)
The Government Accountability Office released a report this week with a scary conclusion: The Census Bureau, tasked with collecting personal information on every single American, has not adequately protected this data. Specifically, the GAO found, the Census Bureau is not fully prepared in cybersecurity, making Americans’ information vulnerable to hackers.
[From the article:
Many security protocols have been left "partially implemented" or "not implemented." This includes inadequate password protection and leaving some databases completely unencrypted.

(Related) Sharing when anonymity is not an issue?
Human Services - Sustained and Coordinated Efforts Could Facilitate Data Sharing While Protecting Privacy, GAO-13-106, Feb 8, 2013

We can learn from bad legislation. (We should learn to elect people who stay within their areas of expertise.)
State lawmakers all across the country busy at work crafting ridiculous, head-spinning laws can take the day off. There is no way they can top this.
A new bill proposed in the Illinois State Senate looks to completely wipe out any form of anonymity on the internet by requiring that the operators of basically any website on the entire internet take down any comment that isn’t attached to an IP, address, and real name-verified poster.
It’s called the Internet Posting Removal Act and was introduced on February 13th by Illinois General Assembly veteran Ira I. Silverstein [D].
Read more on WebProNews. And yes, the bill’s language is really as bad as you might expect.

Worse legislation: “We're mad and we want to shoot someone... Anyone.”
A new amendment would make internet service providers disclose the identity of users who commit crimes online. If providers refuse, they will become suspects in criminal cases instead of the users.

Why did this take so long?
"Three independent bookstores are taking Amazon and the so-called Big Six publishers (Random House, Penguin, Hachette, HarperCollins, Simon & Schuster and Macmillan) to court in an attempt to level the playing field for book retailers. If successful, the lawsuit could completely change how ebooks are sold. The class-action complaint, filed in New York on Feb 15., claims that by entering into confidential agreements with the Big Six publishers, who control approximately 60 percent of print book revenue in the U.S., Amazon has created a monopoly in the marketplace that is designed to control prices and destroy independent booksellers."

“Hey! We're smarter than those guys!” A big win for Google?
A Wisconsin appeals court has ruled in favor of a Milwaukee area law firm that paid to use the names of a competing firm in Internet search engines to promote its own link.
The 1st District Court of Appeals ruled Thursday Cannon & Dunphy did not violate Habush, Habush & Rottier’s right of privacy.

Not just for the inordinately curious...
February 21, 2013
Open States: Legislative Data Across All 50 States
Amy Ngai, Sunlight Foundation: "Do you ever find yourself looking up state legislative information? Instead of hopping from one legislative website to the next, Open States allows you to search and explore legislative data from all 50 states, D.C. and Puerto Rico -- from a single site. The free tool also lets you identify your state legislator, review their votes, track bills and discover upcoming events at your state house."

Eight will get you 10 that eventually every state with casinos will follow suit.
Nevada governor signs online gambling bill law after measure fast-tracked through Legislature
… Nevada wanted to beat New Jersey, its East Coast casino rival, to the online gambling punch. New Jersey Gov. Chris Christie previously vetoed an online wagering bill but has indicated he may sign an amended version next week.

Is Republic's $19 cell phone service too good to be true?
Republic Wireless's $19 a month plan, which includes unlimited voice, text messaging, and data, is a hard deal to beat. In fact, I don't know of any other cell service that can compete at that price. But your instincts about a "catch" are justified.
… Republic is able to offer its service so cheaply because it uses Wi-Fi to handle most of the calls, text messages, and data sessions instead of a cellular network.
Because Republic believes that its customers will be in Wi-Fi hotspots more often than they won't be, it's able to eat the cost of connecting via Sprint's network and thus keep the cost of its service lower than its competitors' prices.
The phone used on Republic's network is configured to make calls and send text messages over either Wi-Fi or a cellular network. This means that users don't have to launch a separate app to make calls over Wi-Fi. The phone is able to detect which network is available and which one is best for the call. If no Wi-Fi is available or the signal is too weak, the phone automatically dials the number over Sprint's cellular network. Users can also manually turn off the Wi-Fi calling feature to use Sprint's network.
… The other potential drawback is that in order to use Republic's service, you must buy a Republic device.

An interesting KickStarter project with some real interest...
myIDkey is a voice-activated, fingerprint secure Bluetooth / USB Drive that displays passwords and personal info online and on the go.

Thursday, February 21, 2013

“Hey! Someone stole some credit card data!” Not the most useful of notices – do you reissue all your cards?
It seems that every bank in the Bahamas has been notified of a breach at a foreign processor or acquiring bank. Most of the banks do not yet know how many of their customers’ card numbers are compromised, and while some banks have already started re-issuing cards, others are taking a wait-and-see approach. The foreign processor has not been named, but Visa and MasterCard reportedly notified banks last Friday.
[From the article:
Most banks responded by lowering the call-back threshold for customers to $500. In other words, if you spent more than that on the weekend, the bank would immediately verify your identity.
… According to a global research team from Websense Inc., a leader in Internet security, The Bahamas is ranked second among the top five countries in the world which host phishing sites.
… The report said that organizations face an average of 1,719 attacks for every 1,000 users.

Another “not thought through” example...
"Educause members and 7,000 university websites are being forced to change account passwords after a security breach involving the organization's .edu domain server. However, some initially hesitated to comply because the Educause notification email bore tell-tale markings of a phishing attempt. 'Given what is known about phishing and user behavior, this was bad form,' says Gene Spafford, a Purdue University computer science professor and security expert. 'For an education-oriented organization to do this is particularly troubling.'"

Rules alone do not good security make.
By Dissent, February 20, 2013 12:24 pm
Winston J. Maxwell writes:
An article published by specialist healthcare news website Actusoins has revealed data breaches at several French hospitals and clinics, demonstrating that such incidents can occur even in a highly regulated jurisdiction.
The journalist was researching another article and entered the name of a physician into Google. She was astonished to find, at the top of the results, a scanned copy of the doctor’s prescription for a PET scan for a cancer patient whose name was still on the prescription. The journalist continued her investigation and discovered numerous other data breaches, including:
  • lists of patients admitted to various services in different hospitals;
  • a list of disabled adults and children; and
  • patients’ test results.
Read more on reg. required). It appears from the article that both Hopital Foch and Pôle de Santé du Plateau had web exposure breaches, as did other healthcare facilities who were not named because their patients’ data was still available on the Internet at the time of the article’s publication.

Is this the model we've been looking for?
State helps parents access dead child's Facebook content
Virginia has made it easier for parents and legal guardians to obtain Facebook content and other digital assets created by a child who has passed away.
This week, the Virginia General Assembly voted to adopt a new bill, HP 1752, that compels online account service providers such as Facebook to provide the guardian of a deceased minor with online assets within 30 days after receiving a written request.
The bill, which currently awaits the governor's signature, passed the state Senate on Monday before gaining approval in the House yesterday.

Could be the first slip on the slope...
A ruling by the Pennsylvania Supreme Court says the state constitution doesn’t give people a right to privacy when it comes to their home addresses, clarifying what has been a major point of dispute in the open records law.
Read more on WITF.

Does this also “Green light” my Ethical Hackers?
Ontario’s highest court has signalled that the right of police officers to look through someone’s phone depends on whether there’s a password.
The Court of Appeal for Ontario says it’s all right for police to have a cursory look through the phone upon arrest if it’s not password protected, but if it is, investigators should get a search warrant.
Read more on Global Ontario. The court’s reasoning is a bit of a head-scratcher, as they seem to be saying that if you password protect your cellphone, it’s functioning as a computer, which does have a (higher) expectation of privacy. So what happens to people who don’t password protect their laptops? Can the police search them on arrest by arguing that the failure to password protect means no expectation of privacy?
In any event, it’s always a good idea to password protect your devices if they contain anything you don’t want law enforcement or others to be able to easily access.

Like Scotch, it's an acquired taste...
Mosquito repellent Deet 'losing its effectiveness'
People living or travelling in areas plagued by mosquitoes are more at risk of bites after researchers found the insects are first deterred by Deet, but then later ignore it.
… Researchers from the London School of Hygiene and Tropical Medicine took a species of mosquito that spreads dengue and yellow fever and put it in a room with a human arm covered in Deet.
The first time the mosquitoes were tempted with the arm, they were put off by the smell. However, the second time, researchers found the Deet was less effective.

Wednesday, February 20, 2013

Why would we consider China to be the only entity that finds “insider information” profitable?
Apple, Facebook, Twitter hacks said to hail from Eastern Europe
… Investigators familiar with the matter told Bloomberg they believe a cybercriminal group based in either Russia or Eastern Europe is carrying out the high-level attacks to steal company secrets, research, and intellectual property, which could then be sold on the black market.

Not so terrifying, unless it's not your drone.
Like a Swarm of Lethal Bugs: The Most Terrifying Drone Video Yet
Science writer John Horgan's feature on the many ways drones will be used in coming years is interesting throughout, and terrifying in the passage where he describes an effort to build micro-drones that are, as the U.S. Air Force describes them, "Unobtrusive, pervasive, and lethal."

For my programming students... See if you like this one.
… SynWrite is a freeware desktop application that is sized at nearly 4 MB; the app is compatible with computers running Windows. The application lets you open text files and edit them. If your text file is a source file, you can select the appropriate language from the app’s options and have the right things appropriately highlighted.
Similar tools: and NoteTab Light.

The world is changing... Colleges should make clear what they will and will not accept.
How To Get College Credit For Online Learning
… While the MOOC supporters out there tout the fabulousness of free access to awesome class material, there has been a lot of discussion as to how the distance-based, free MOOC model might be amended to offer university-level course credit to interested students.
We mentioned a while back that Colorado State University’s Global Campus was the first US-based institution to offer course credit for a MOOC offered through Udacity, and that edX was partnering with Pearson to offer in-person exams for some of their MOOCs (not required for the course, but available if a student is interested).
And now we’re hearing that more and more students are using services to get college credit for online learning. They’re taking a course or two and then taking the officially-sanctioned tests (like CLEP and DSST) to get course credit.

...and many for teachers.
48 Free Education Apps Sorted By Grade Level

For my 11 year old niece, the rock star...
Musink is a free music composition editor that lets you easily write music notes. To write a note, you simply click where you would like notes to appear and proceed note by note. Note and rest durations are set and adjusted automatically for you. Most notation editors make it your responsibility to make music look good. Musink takes this burden from you and automates all layout tasks. When you move a note, or add a mark, other marks, notes, rests and text will move automatically to make room. When you delete items, others will move to ensure no unsightly gaps appear in your score.
As soon as you are done with your music score, it takes 2 clicks to publish it as a PDF/PNG/XPS document, which you can easily share online or send by email.

Tuesday, February 19, 2013

You can tell the players without a scorecard... And doesn't that make them a legitimate drone target? Perhaps we could issue bubble-gum cards of the big players?
Chinese Army Unit Is Seen as Tied to Hacking Against U.S.
On the outskirts of Shanghai, in a run-down neighborhood dominated by a 12-story white office tower, sits a People’s Liberation Army base for China’s growing corps of cyberwarriors.
… An unusually detailed 60-page study, to be released Tuesday by Mandiant, an American computer security firm, tracks for the first time individual members of the most sophisticated of the Chinese hacking groups — known to many of its victims in the United States as “Comment Crew” or “Shanghai Group” — to the doorstep of the military unit’s headquarters. The firm was not able to place the hackers inside the 12-story building, but makes a case there is no other plausible explanation for why so many attacks come out of one comparatively small area.
… Other security firms that have tracked “Comment Crew” say they also believe the group is state-sponsored, and a recent classified National Intelligence Estimate, issued as a consensus document for all 16 of the United States intelligence agencies, makes a strong case that many of these hacking groups are either run by army officers or are contractors working for commands like Unit 61398, according to officials with knowledge of its classified content.

Please read this.
February 18, 2013
Deloitte Tech Trends Poll: You’ve Been Hacked, Now What?
News release: "More than one in four (28 percent) of respondents surveyed report their organizations were the victims of at least one cyberattack in the past year; nine percent report multiple breaches and an alarming 17 percent were not confident that their organizations could even detect an attack, according to a Deloitte Tech Trends poll of 1,749 business professionals... Based on the Feb. 7 Deloitte Dbriefs webcast “If You Build It, They Will Come – And Try to Hack It,” the results of the poll underscore the increasing importance of cyber intelligence highlighted in the No Such Thing as Hacker-proof chapter in Deloitte’s 4th Annual Tech Trends Report, Elements of postdigital."

Interesting. Many schools don't even know they have a Business Model...
February 18, 2013
Moody's: 2013 outlook for entire US Higher Education sector changed to negative
News release: "The 2013 outlook for the entire US higher education sector is negative, including the market-leading, research-driven colleges and universities, says Moody's Investors Service in its annual industry outlook. Previously Moody's had a stable outlook for these leading institutions and a negative outlook for the rest of the sector since 2009. Moody's perceives mounting fiscal pressure on all key university revenue sources. "The US higher education sector has hit a critical juncture in the evolution of its business model," says Eva Bogaty, the Moody's Assistant Vice President -- Analyst who is the lead author on the report US Higher Education Outlook Negative in 2013. "Even market-leading universities with diversified revenue streams are facing diminished prospects for revenue growth." The rating agency says that most universities will have to lower their cost structures to achieve long-term financial sustainability and fund future initiatives. Universities have been restraining costs in response to the weak economic conditions since the 2008-2009 financial crisis, but they have only recently begun examining the cost structure of their traditional business model."

Send this to your Security Manager and anyone else who might be interested.
February 18, 2013
Security Engineering - The Book, 2nd Ed. Free Online
Security Engineering by Ross Anderson — The Book: "All chapters from the second edition now available free online."

Monday, February 18, 2013

Apparently, nothing interesting happened yesterday. (Or perhaps journalists are partying too hard for Presidents' Day)

I wonder if permission was ever denied? (...and what of the other branches of the military?)
February 16, 2013
Secrecy News - Army's use of unmanned aerial systems within the United States
Secrecy News, February 14, 2012: "Legal restrictions on the use of unmanned aircraft systems in domestic operations are numerous," the manual states. The question arises particularly in the context of Defense Support of Civil Authorities (DSCA), referring to military assistance to government agencies in disaster response and other domestic emergencies. "Use of DOD intelligence capabilities for DSCA missions--such as incident awareness and assessment, damage assessment, and search and rescue--requires prior Secretary of Defense approval, together with approval of both the mission and use of the exact DOD intelligence community capabilities. Certain missions require not only approval of the Secretary of Defense, but also coordination, certification, and possibly, prior approval by the Attorney General of the United States...[...from 2003 to 2010, small, unmanned aircraft systems flew approximately 250,000 hours]"

...and the Risk of analyzing Risk is more Risky Risk?
February 17, 2013
Paper - Risks of Friendships on Social Networks
Risks of Friendships on Social Networks - Cuneyt Gurcan Akcora, Barbara Carminati, Elena Ferrari. DISTA, Università degli Studi dell’Insubria, Via Mazzini 5, Varese, Italy
  • "In this paper, we explore the risks of friends in social networks caused by their friendship patterns, by using real life social network data and starting from a previously defined risk model. Particularly, we observe that risks of friendships can be mined by analyzing users' attitude towards friends of friends. This allows us to give new insights into friendship and risk dynamics on social networks."

Sunday, February 17, 2013

A quick 'Heads up!'
"Netcraft confirms a recent increase in the number of malicious proxy auto-config (PAC) scripts being used to sneakily route webmail and online banking traffic through rogue proxy servers. The scripts are designed to only proxy traffic destined for certain websites, while all other traffic is allowed to go direct. If the proxy can force the user to keep using HTTP instead of HTTPS, the fraudsters running these attacks can steal usernames, passwords, session cookies and other sensitive information from online banking sessions."

The Durango Police Department has requested the FBI’s help to investigate widespread credit card fraud that targeted numerous people registered for this year’s Iron Horse Bicycle Classic.
Meanwhile, race officials worked Friday to identify the source of the security breach, said Gaige Sippy, director of the event.
“We are still trying to understand where all of this took place,” he said. “As of right now, there is no clear path.”
Dozens of credit cards have been used for fraudulent charges, all with a common thread of also having been used to register for Iron Horse events, Sippy said.
Organizers are unaware of any security breaches involving the Iron Horse website, which does not store credit card information, Sippy said. The Iron Horse uses third-party companies, including Durango-based Mercury and Plug and Play, to handle credit card processing, he said.
Read more on Durango Herald.
[From the article:
Most of the fraudulent activity appears to have occurred during the first week of February, but some people have reported fraudulent charges up to three weeks ago, Sippy said. Fraudulent charges have ranged from $200 to $1,400, he said.
The charges have occurred at a variety of vendors, including GameStop, Groupon, Micro Center, Lowe’s and the U.S. Postal Service.
Some people said their credit card companies automatically denied suspicious charges and shut down the credit card. [Credit Card processors were among the first “Big Data” analyzers, just to catch bogus charges. Bob]

Photo Mis-Interpretation. Perhaps this could evolve into something like “SWATting” “My God Holmes, that child has a Maverick armed UAV!”
Facebook pic of toy mortar leads to armed cops raid
When you make your Facebook profile picture that of Action Man (aka the British G.I. Joe), it can be a clue to your fascination with fantasy.
It also suggests that if there's a toy mortar in the background of the picture, that, too, might actually not be entirely real.
Please try telling that to the five carloads of police who raided Ian Driscoll's house in Tewkesbury, England, armed with guns and a search warrant.
"The Action Man looked a bit like me, so I decided to put it as my Facebook picture. I didn't even notice the mortar in the background," 43-year-old Driscoll explained to the Daily Mail.
The image offered more clues as to the mortar's unreality. There was a TV remote control by its side. It offered what some might call scale and perspective.

A couple of reports I should find time to read...
Unmanned Aircraft Systems
Continued Coordination, Operational Data, and Performance Standards Needed to Guide Research and Development
National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented

Free is good! ...and remember, you can download a Kindle reader for your desktop or laptop PC for free!
… Freebook Sifter makes it easy to find free Kindle books with minimal effort.
All the free kindle books are divided by genre on Freebook Sifter, so you can find the kind of book you are looking for with ease.