Saturday, March 02, 2013
Gather ye court victories while ye may
And this same court that smiles to-day
To-morrow will be kicking your butt!
More good news for the state of South Carolina: a judge has dismissed a lawsuit against them filed by former state Sen. John Hawkins over their massive hack in 2011. Although the ruling is not yet available online, Meg Kinnard of Associated Press reports:
In an order obtained by The Associated Press, Circuit Judge G. Thomas Cooper Jr. said the lawsuit had failed to prove that Gov. Nikki Haley [She of “The Haley Effect” Bob] and other government officials had harmed the public by conspiring to keep news of the hacking secret. The order also said the lawsuit couldn’t show [“had not shown” Bob] that anyone had been harmed because of the breach.
“There is no injury that the Court can currently remedy, as no actual harm has been alleged,” Cooper wrote.
The media coverage does not indicate the fate of the complaint against TrustWave, but in a tweet responding to that question, Meg Kinnard indicated that claims against TrustWave were also dismissed.
Of course, I don’t expect this to be the end of litigation. As some people come forward to claim they became victims of fraud or identity theft, I expect to see other litigation against the state where they may be able to survive a challenge on standing.
Does any law talk about how long notification can be delayed? Or how promptly victims should be contacted? Is there a neutral third party who could notify without giving away details? (You're a victim, but we can't yet reveal the source.)
Most people I know want law enforcement to investigate some breaches and realize that, sometimes, that results delaying notification of those affected by a breach. But when does delay in notification become unreasonable or too long?
Charles Sweeney reports that Samaritan Hospital in Troy, New York delayed notification from November 2011 – when it determined there was improper access to a patient’s file – until now because of a sheriff’s investigation. In this case, an employee of Rensselaer County Jail seemingly exceeded her authorized access to the hospital’s database. The hospital reportedly did not notify HHS of the breach at the time on the advice of their legal counsel. [Any reason mentioned? Bob]
So… is there ever a point where if an investigation is taking time, patients should still be notified? Isn’t the point of notification to protect and help the patient whose PHI has been breached and who may be at risk of harm or adverse consequences as a result of a breach? One might think that if a breach is serious enough to trigger a criminal investigation, it may also be serious enough to impact the patient. If so, is notification delayed, notification denied?
HITECH requires covered entities to notify individuals within 60 days, except that there is an exemption for law enforcement investigations:
Section 164.412(a), which is based on the requirements of 45 CFR 164.528(a)(2)(i) of the Privacy Rule, provides for a temporary delay of notification in situations in which a law enforcement official provides a statement in writing that the delay is necessary because notification would impede a criminal investigation or cause damage to national security, and specifies the time for which a delay is required. In these instances, the covered entity is required to delay the notification, notice, or posting for the time period specified by the official.
From the wording, the intent was to allow a temporary delay. Fourteen months is not a temporary delay, and yet I can find nothing in HITECH that sets an absolute limit.
I do not know why the hospital didn’t notify HHS of the breach. I do not know why the sheriff’s office took 14 months to investigate or whether any charges have been or will be filed. All I know is that a 14-month delay in notification doesn’t strike me as acceptable.
...and if the court says, “No?” Think for a second about what a “significant interpretation” might mean. e.g. is spying on Senators Okay?
Steven Aftergood writes:
Several members of the Senate Intelligence Committee wrote to the Foreign Intelligence Surveillance Court this month to ask the Court to prepare summaries of classified opinions that represent significant interpretations of the Foreign Intelligence Surveillance Act in order to facilitate their declassification and public release.
Read more on FAS.
An entire new field with no recognized “Best Practices” for security or privacy.
"Now that President Obama's federal health care reform is past its major political hurdles — and with renewed focus on out-of-control costs in healthcare — companies that sell 'big data' software are licking their chops. The reason: Healthcare has huge piles of information that is being used in new ways, to track patient admissions, spending, and much more. From hospitals to insurance companies, they'll all need new ways of crunching those numbers. It's basically an entirely new field that will dwarf the spending growth in traditional data-heavy industries like finance, retail and marketing, a Microsoft regional sales GM says."
“Any sufficiently advanced technology is indistinguishable from magic a threat to the
"Organizations like the EFF and ACLU have been raising the alarm over increased government surveillance of U.S. citizens. Legislators haven't been quick to respond to concerns of government spying on citizens. But Texas legislators are apparently quite concerned that private citizens operating hobby drones might spot environmental violations by businesses. Representative Lance Gooden has introduced HB912 which proposes: 'A person commits an offense if the person uses or authorizes the use of an unmanned vehicle or aircraft to capture an image without the express consent of the person who owns or lawfully occupies the real property captured in the image. ('Image' is defined as including any type of recorded telemetry from sensors that measure sound waves, thermal, infrared, ultraviolet, visible light, or other electromagnetic waves, odor, or other conditions.)' Can you foresee any unintended consequences if this proposal becomes law?"
Another reader notes that New Hampshire has introduced a similar bill: "Neal Kurk, a Republican member of New Hampshire's House of Representatives knows that those drones present a growing privacy concern, and in response has introduced a bill that would ban all aerial photography in the state. That is, unless you're working for the government. The bill, HB 619-FN (PDF), is blessedly short, and I suggest reading the whole thing for yourself." Here's part of the bill: "A person is guilty of a class A misdemeanor if such person knowingly creates or assists in creating an image of the exterior of any residential dwelling in this state where such image is created by or with the assistance of a satellite, drone, or any device that is not supported by the ground."
Buy my new T-shirt: “A paranoid government is a dangerous government.”
Feds Say Man Deserved Arrest Because Jacket Said ‘Occupy Everything’
A Florida man deserved to be arrested inside the Supreme Court building last year for wearing a jacket painted with “Occupy Everything,” and is lucky he was only apprehended on unlawful entry charges, the Department of Justice says.
The President Barack Obama administration made that assertion in a legal filing in response to a lawsuit brought by Fitzgerald Scott, who is seeking $1 million in damages for his January 2012 arrest inside the Supreme Court building. He also wants his arrest record expunged.
What’s more, the authorities said the former Marine’s claim that he was protected by the First Amendment bolsters the government’s position (.pdf) because the Supreme Court building’s public interior is a First Amendment-free zone.
“Surprise, surprise, surprise!” G. Pyle
"This last week, the Copyright Alert System was rolled out. Now that everyone is getting a better idea of what the alert system looks like, criticisms are building against the system. Freezenet says that the mere fact that ISPs are using a browser pop-up window opens the floodgates for fraudsters to hijack the system and scam users out of money. The EFF criticized the system because the educational material contains numerous flaws. Meanwhile, Web Pro News said that this system will also hurt small business and consumers."
“Become a surgeon in your spare time! Just knock out your neighbor, push this robot's button and remove the organ of your choice!”
Law firms seek victims of 'bad robot surgery'
… In a surreal twist to the ads you often see for legal help with accidents, arrests, or debt, law firms in Louisiana and Alabama are fishing for victims of what they call "bad robot surgery."
The ad below from Becnel Law Firm, LLC and Riley & Jackson looks like something that would play in the background of a sci-fi film, but it's serious. The campaign Web site Badrobotsurgery.com says, "Robotic surgery can severely injure the bowel, bladder, and blood vessels. Some of these injuries can even occur without the surgeon knowing it, which can lead to severe complications if left untreated."
In a video on the site, Alabama surgeon Francois Blaudeau says Intuitive Surgical's wildly popular da Vinci robot surgery system has injured patients who are having their prostate or uterus removed. He adds that the robot may not be properly insulated, causing burns or "even vascular injuries causing death."
Should be Okay as long as the “Oops, I didn't mean to Click that!” button is still open source...
Amazon Patents Gravity-Based Links to Pull You In
Amazon has patented a system that pulls the pointer toward a link or button, just the thing to help you click links — and buy products associated with those links.
How else might this concept be used? “Hopeless Quest: The Search for logic in Congress?”
"Scientists from Cancer Research UK are working with Amazon, Facebook and Google to design and develop a mobile game aimed at speeding up the search for new cancer drugs. The first step is for 40 computer programmers, gamers, graphic designers and other specialists to take part in a weekend "GameJam" to turn the charity's raw genetic data into a game format, with a working title of GeneRun. 'We're making great progress in understanding the genetic reasons cancer develops. But the clues to why some drugs will work and some won't are held in data that needs to be analysed by the human eye — and this could take years,' said Carlos Caldas at Cancer Research UK's Cambridge Institute. 'By harnessing the collective power of citizen scientists we'll accelerate the discovery of new ways to diagnose and treat cancer much more precisely.'"
For my Math classes...
How Fast Would a Small Meteor Travel?
For my “Intro to IT” class.
… If you’re an avid user of RSS readers, one solution to keep up with notifications is to load them all into Google Reader (if you’re not a fan of Google Reader, we’d definitely recommend Feedly as a slick alternative when it comes to keeping up with RSS feeds).
The reason you might want to use a method like this is for the convenience of having all of your notifications in one place, and while you can keep up with what people are saying to you, or writing on your wall – by not being directly on your Facebook account or Flickr page, you can maintain a certain level of productivity. If you don’t want to get sucked into your social networks, just knowing what’s going on without being able to interact can be a good way to stay up to date.
Another advantage to using RSS feeds to keep up with your social network notifications is that if Facebook or Twitter happen to be blocked by your ISP or at your place of work, you can still see what other people are saying, bypassing any sort of blocks that might exist.
Proof that “Ignorant” people vote! (Some of them vote in the legislature...)
… The Oklahoma legislature passed the HB 1674, the Scientific Education and Academic Freedom Act this week (or as Esquire called it, the “Dare To Be Ignorant Protection Act of 2013,” which prevents schools from penalizing students for their stances on “controversial” science topics like global warming and evolution.
… The Higher Learning Commission, the regional agency that accredits the University of Phoenix, has recommended that the institution be put on probation. According to The Wall Street Journal, “probation was recommended after a review team concluded the University of Phoenix has ‘insufficient autonomy’ from Apollo, its parent company and sole shareholder, that complicates the board’s ability to manage the institution and maintain its integrity.”
… ShowMe, maker of an interactive whiteboard iPad app, has launched a Kickstarter campaign to fund a new app it’s building called Markup, which will enable teachers to grade (essay) assignments (with a stylus) on an iPad.
Friday, March 01, 2013
"The evil that men do lives after them; The good is oft really really hard to find..." (Sorry Will)
The FTC may have settled charges against Aaron’s over the use of DesignerWare LLC software, but the consumers haven’t. Crystal and Brian Byrd are still pursuing a lawsuit against Aaron’s and now there’s another lawsuit filed on behalf of another consumer by the same attorneys. As Associated Press reports:
Spyware installed on computers leased from furniture renter Aaron’s Inc. secretly sent 185,000 emails containing sensitive information – including pictures of nude children and people having sex – back to the company’s corporate computers, according to court documents filed Wednesday in a class-action lawsuit.
According to the filings, some of the spyware emails contained pictures secretly taken by the rental computers’ webcams or other sensitive information including Social Security numbers, social media and email passwords, and customer keystrokes, the Federal Trade Commission determined last year.
The attorneys also claimed Atlanta-based Aaron’s hasn’t properly notified at least 800 customers allegedly targeted by spyware made by DesignerWare, a company located in North East, Pa.
Read more on Public Opinion.
With respect to that last point, I went back and looked again at the consent order involving Aaron’s, and it appears that it contains no provision requiring notification of consumers whose images were transmitted. [Oops! Bob] Could the consent order even require that if it allows the respondents to get away with not admitting any guilt or admitting to the facts of the case? Going forward, the FTC needs to consider whether consumers need to be notified of a privacy or data security breach and include some requirement that such notification be made.
Update: I see that ColorTyme is also being sued in another potential class action lawsuit. ColorTyme is also one of the companies involved in the FTC’s case. The case files on them can be found here.
Not much for each user and they don't get even that.
Joe Mullin writes:
Internet privacy lawsuits, especially of the class-action variety, have been sprouting up everywhere in the past few years. Some of them have been settled for considerable sums, especially when companies are sued over publicly acknowledged privacy screw-ups that they’ve already taken heat for. One of the most notable was the $9.5 million Facebook settlement over its Beacon program, which broadcast users’ activities from other websites—including what they bought on various shopping sites—in their Facebook news feed.
The number of Facebook users affected by that class-action case was huge—the class was determined to be 3.6 million users at the end of the day. In part due to the large class, the judge allowed a so-called cy pres award, which is when a payment is made to a charity related to the issues in the case rather than to the actual class members. The Facebook settlement will go to a newly created Digital Trust Foundation (DTF), which will fund initiatives related to Internet privacy. $2.3 million of the settlement money will go to fees for the plaintiffs’ attorneys.
Read more about how some conservative judges in the Ninth Circuit are not happy as to how the cy pres award was made on Ars Technica. All Facebook also has more on this as does the Connecticut Law Tribune.
In my Ethical Hacker classes, detection is a 10 point deduction – dropping you to a “B”. Where you hack from is less important as long as it looks like you have passed through several countries and dead links...
China claims its military and defense sites were hacked by U.S. attackers
In a move to counter recent reports claiming that a special unit in the Chinese Army is behind repeated cyber attacks on U.S. institutions, the nation Thursday claimed its military and defense ministries websites are routinely hacked from IP addresses originating within the United States.
… "Any kid in a basement can probe a computer in China," Stiennon noted. "For that matter, Google probes every IP address every day, so you can't call that an attack."
Something to plan for...
Kathleen Struck reports:
Hacking into patient medical records can be as easy as tapping into a hospital’s unsecured wireless network from a laptop in the parking lot.
Government auditors proved it “by sitting in hospital parking lots with simple laptop computers” and obtaining “patient information from unsecured hospital wireless networks,” according to Julie K. Taitsman, M.D., J.D., and colleagues from the Office of the Inspector General at the Department of Health and Human Services (HHS).
OK, that’s scary.
Read more on MedPage.
(Related) Not clear in the article, but I suspect these are interrogated via RFID technology. I wonder if they are encrypted?
This Electronic Temporary Tattoo Will Soon Be Tracking Your Health
FitBit too bulky? Why not glue a sensor array to your skin?
The quantified self goes nanoscale with a stick-on silicon electrode network that could not only change the way we measure health metrics, but could enable a new form of user interface. And the researchers behind it aim to have the device available in the next few weeks through a spinoff company, MC10.
The development takes wearable technology to the extreme, designed as a non-invasive diagnostic sensor that could be used to measure hydration, activity, and even infant temperature. It bonds to the skin, somewhat like a temporary tattoo, flexing and bending in sync with your skin the way you wish a Band-Aid would.
(Related) And why would anyone want Medical data?
Marcia Savage reports:
Data security breaches involving third parties are on the rise, particularly in the health-care industry, a panel of security experts said Tuesday at the RSA Conference 2013.
“This is an upward trend,” the panel moderator, James Christiansen, CISO at the Sands Corp., told the audience of security professionals. “If it’s not on your radar, it should be.”
Read more on CRN. One of the panelists, Michael Breummer of Experian Data Breach Resolution, provided a real example of how medical ID theft could have had fatal results:
A third party’s office cleaner stole medical records, the boy’s records among them. Someone then bought the records and used the boy’s information to get medical care. That person wasn’t allergic to penicillin, but the boy was. During a subsequent emergency, the boy was nearly treated with penicillin due to an update to his records based on the stolen medical information. Fortunately, the boy’s mother caught the error, he said. As it turns out, the cleaner’s background check was falsified.
It's good to know your local (law school) librarian...
The current issue of Yale Journal of Law & Technology includes two privacy-related articles. Here’s their summary, but it looks like a subscription is required to access the full articles:
Christina P. Moniodis 15 Yale J.L. & Tech. 139
The Supreme Court’s data privacy jurisprudence consists of only two cases, yet these cases have fueled a circuit split on data privacy rights. The Court’s hesitance to foray into data privacy law may be because the nonrival, invisible, and recombinant nature of information causes plaintiffs’ harms to elude courts. Such harms threaten the democratic relationship between citizen and state.
Michael Birnhack 15 Yale J.L. & Tech. 24
Is technology-neutral legislation possible? Technological neutrality in legislation is often praised for its flexibility and ability to apply to future technologies. Yet, time and again we realize that even if the law did not name any technology, it was nevertheless based on an image of a particular technology. When new technologies appear, they expose the underlying technological mindset of the existing law. This article suggests that we read technology-related laws to uncover their hidden technological mindset so that we can better understand the law and prepare for the future.
(Related) Another job for your local librarian.
Shane Harris writes:
More than a decade after the 9/11 terrorist attacks, a set of extraordinary and secretive surveillance programs conducted by the National Security Agency has been institutionalized, and they have grown.
These special programs are conducted under the code name Ragtime, and are divided into several subcomponents, according to the new book Deep State: Inside the Government Secrecy Industry, by Marc Ambinder and D.B. Grady.
Read more on Dead Drop.
Craig Hoffman of BakerHostetler writes:
This compendium represents our global experience in this field. While it is not a substitute for legal advice, it is a reference guide that outlines the basic requirements in place when dealing with an international data breach so that you can know what immediate steps to take and what questions you need to ask to minimize your company’s exposure.
BakerHostetler’s International Compendium of Data Privacy Laws is now accessible.
Read more on Data Privacy Monitor.
It would be easier if we had a “National ID Card.” “e-Papers, Citizen!”
Sophia Elson writes:
Earlier today, there was a hearing in the House Judiciary Committee on whether all employers nationwide should be required to use the employment verification system E-Verify to investigate the backgrounds of each new employee they hire.
The hearing was erroneously titled “How E-Verify Works and How it Benefits American Employers and Workers.” As it turns out, mandatory implementation of E-Verify would be disastrous for both of those groups, forcing employers to navigate a costly and time-intensive bureaucratic system and threatening the security of highly sensitive employee data.
EFF has denounced this invasive proposal in the past and now joins the ACLU and forty-three other organizations in signing a coalition letter that opposes its implementation.
Read more on EFF.
“We can, therefore we must?” I sure don't understand this business model. Perhaps I'm getting too old to appreciate being watched 24/7.
Koozoo pitches surveillance for the masses via smartphones
If Koozoo CEO Drew Sechrist has his way, cameras will record every move you make in public -- and make your life better for it.
The San Francisco startup wants smartphone owners to deploy a network of streaming smartphone cameras that are accessible by anyone within the Koozoo network at any time.
… they can sign up to provide a 24-hour stream using an old smartphone. Anyone can jump on the network to watch the feeds.
The idea of being watched by complete strangers sounds creepy, but Sechrist said Koozoo is anything but. It's about empowering people, he said.
"Big Brother is your government one way looking down at you, and this is the exact opposite. This is from the ground looking up from a system that people can all benefit from," Sechrist said.
The service is free. The company plans to charge for more premium services in the future, like saving footage from live feeds or adding notifications to alert you that certain events are happening.
To cut down on abuse on live streaming feeds (and so unsuspecting feed viewers don't have gross ChatRoulette-like moments), Koozoo reviews new feeds before they go live and existing feeds when they get flagged.
February 28, 2013
New Documents Reveal U.S. Marshals’ Drones Experiment
"The use of surveillance drones is growing rapidly in the United States, but we know little about how the federal government employs this new technology. Now, new information obtained by the ACLU shows for the first time that the U.S. Marshals Service has experimented with using drones for domestic surveillance. We learned this through documents we released today, received in response to a Freedom of Information Act request. The documents are available here. (We also released a short log of drone accidents from the Federal Aviation Administration as well as accident reports and other documents from the U.S. Air Force.) This revelation comes a week after a bipartisan bill to protect Americans’ privacy from domestic drones was introduced in the House."
...so, what's the counter argument?
Outside of the FISA context, the Court’s decision [in Clapper v. Amnesty International] likely will make it more difficult for private plaintiffs in privacy and data breach litigation cases to establish standing based merely on a dignity interest or potential future harm. The “certainly impending” standard used in Clapper may provide further support for courts to find a lack of standing in privacy and data breach cases lacking evidence of misuse of information and actual financial harm.
Read more on Hogan Lovells Chronicle of Data Protection
An interesting question...
To the casual observer, the e-book revolution has produced two bumper crops: smutty trilogies à la “Fifty Shades of Grey” and lawsuits. First there were the authors (as represented by the Authors Guild), who sued Google Books for digitizing their work without permission. Then the Department of Justice sued five publishers and Apple for adopting a policy known as the agency model. Finally, a trio of independent booksellers filed a class-action suit last week against the six largest book publishers and Amazon, accusing them of collaborating to create a monopoly on e-book sales and shutting small retailers out of the market.
The booksellers — Fiction Addiction of Greenville, S.C., Book House of Stuyvesant Plaza in Albany, N.Y., and Posman Books of New York City — are demanding the right to sell what they term “open-source and DRM-free” e-books, files that can be read on a Kindle or any other e-reading device. The publishers are accused of entering into “confidential agreements” with Amazon making this impossible.
Double secret evidence?
"U.S. prosecutors won a New Zealand court victory Friday in their battle to extradite Megaupload founder Kim Dotcom and three colleagues accused of facilitating massive copyright fraud through the now-defunct online file-sharing site. The appeals court overturned an earlier ruling that would have allowed Dotcom and the others broad access to evidence in the case against them at the time of their extradition hearing, which is scheduled for August. The appeals court ruled that extensive disclosure would bog down the process and that a summary of the U.S. case would suffice. Dotcom says he's innocent and can't be held responsible for those who chose to use the site to illegally download songs or movies."
It looks like they are giving away our secrets, but my Ethical Hackers always find a way... Unfortunately.
Open Source Project Prepackages Kim Dotcom’s Security
When you use a web application, you leave your data at the mercy of the company who runs it. Usually, this isn’t a problem, but not always. Last week, the web-based help desk application Zendesk was hacked, potentially exposing data from users of Twitter, Tumblr and Twitter, which all use the application for customer support.
Part of the problem is that a web app gathers so many eggs in one basket. If someone hacks a service provider, it can affect many different people.
But if each user’s information was encrypted so that only that user could see it — locking out even the service provider — then we could reduce the risk of putting our data in these centralized web services. That’s the aim of Crypton, a new open source project that hopes to make it easier for app developers to add this type of encryption to their applications.
It’s not unlike the approach used by Kim Dotcom’s new service Mega. When you upload a file to Mega, it’s encrypted and the key is stored by the service. But the key itself is encrypted by a passphrase that isn’t stored on Mega. That means even Mega’s staff can’t look at the data without your passphrase.
Mega is doing this to limit their liability in case of piracy, but the same principle could be applied to just about any service that stores user data.
Crypton was created by SpiderOak, a company that operates an online storage service that’s similar to Box or Dropbox.
My MBA professors taught me that you can create a market for goods consumers didn't know they wanted. ABM (Always Backward Managers) try to convince themselves that consumers who want something they can't provide, don't really want it.
You Don’t Want Super-High-Speed Internet, Says Time Warner Cable
Time Warner Cable chief technology officer Irene Esteves says you don’t really want the gigabit speeds offered by Google Fiber and other high speed providers.
On Wednesday, at a conference in San Francisco, Esteves downplayed the importance of offering a service to compete with Google, as reported by The Verge. “We’re in the business of delivering what consumers want, and to stay a little ahead of what we think they will want…. We just don’t see the need of delivering that to consumers,” she said, referring to gigabit-speed internet connections.
Print a copy of the NEW Second Amendment: “...the right to print and bear arms.”
Watch the New and Improved Printable Gun Spew Hundreds of Bullets
Late last year, a group of 3-D printing gunsmiths developed a key component for an AR-15 rifle that anyone with a 3-D printer could download and make at home. The problem: It only lasted six shots before snapping apart. Now the group is back with a new and improved receiver that can fire more than 600 rounds.
Worth a look!
Canvas Network Social Media Course
I’ve been working hard on developing an open course for Canvas Network on Social Media. The course is now live and publicly visible. This means you can see all the content pages and modules (but not the discussions or announcements). If you’d like to take a peek, visit Social Media on Canvas Network.
Make it a gradable project for your students?
How To Create An Effective Classroom Website
No doubt you already have a classroom website or will be required to create one in the very near future. Virtually every classroom teacher around the globe is being caught up in the development of this essential communication tool. Most of the early birds to this challenge went out and used providers such as Teacher Web. Now, more and more districts are implementing a provider that the entire district will use that provides continuity and uniformity. This obviously will have its benefits for staff development but may stifle creativity.
I started about 8 years ago with a variety of services, but about two years ago my district settled on one software host for us all to use. I dove in and decided to embrace the challenge to develop a comprehensive site that would be useful for students, parents, and teachers. Visit my classroom website to see how I have put many of the following ideas into place: The Borgeson Bunch. I would like to share with you some of what I have learned during that journey:
Thursday, February 28, 2013
Big Data means there is more to steal...
Overseas hackers nab more than 1TB of data daily
The study, shared exclusively with The Verge, says that overseas hackers are stealing as much as one terabyte of data per day from governments, businesses, militaries, and academic facilities. Apparently, the hackers are using a network of 500 computer servers.
"The Guardian reports that hackers have been targeting officials from over 20 European governments with a new piece of malware called 'MiniDuke.' 'The cybersecurity firm Kaspersky Lab, which discovered MiniDuke, said the attackers had servers based in Panama and Turkey – but an examination of the code revealed no further clues about its origin (PDF). Governments targeted include those of Ireland, Romania, Portugal, Belgium and the Czech Republic. The malware also compromised the computers of a prominent research foundation in Hungary, two thinktanks, and an unnamed healthcare provider in the US.' Eugene Kaspersky says it's an unusual piece of malware because it's reminiscent of attacks from two decades ago. 'I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyber world.' The computers were corrupted through an Adobe PDF attachment to an email."
Has parenting become so impossible in the digital age?
A Northern Ireland man has launched a legal challenge to compel Facebook to stop his teenage daughter using the site or publishing suggestive images.
The social media company should be forced to do more to stop the 13-year-old girl having highly sexualised contact with men, the High Court heard.
The case could have major implications for Facebook in the UK.
Read more on BBC.
Perhaps the alien autopsy?
February 27, 2013
Public.Resource.Org's FedFlix - view government videotapes on the web
"FedFlix is a joint venture with the National Technical Information Service (NTIS) in cooperation with other government agencies including the National Archives. They send us government videotapes, we upload them to the Internet Archive, YouTube, and our own public domain stock footage video library — then we send the government back their videotapes and a disk drive with their digitized video. To The Movies!
- The 12 Tables of Codes [ law.resource.org ]
- State Building Codes [ law.resource.org ]
- Yes We Scan! [ yeswescan.org ]
- IRS Bulk Data! [ bulk.resource.org ]
- What Would Luther Burbank Do? [ wwlbd.org ]
- Video from Congress. [ house.resource.org ]
Assuming you find stuff to share...
… there are some excellent tools that are free as well and work practically flawlessly.
But is it working?
How Teachers Are Using Technology at Home and in Their Classrooms
A survey of teachers who instruct American middle and secondary school students finds that digital technologies have become central to their teaching and professionalization. At the same time, the internet, mobile phones, and social media have brought new challenges to teachers, and they report striking differences in access to the latest digital technologies between lower and higher income students and school districts.
Presentation.io - Sync Your Presentations To Your Audience's Laptops and iPads
Presentation.io is a new service that is designed to help your audience follow along with your presentations. Presentation.io does this by allowing the members of your audience to see your slides on their laptops, iPads, and Android tablets and watch them change when you advance your slides. This ensures that everyone is on the same slide at the same time. Presentation.io includes a backchannel that allows your audience to comment on and ask questions about your slides.
To start using Presentation.io upload a PPT or PDF to your free Presentation.io account. Presentation.io then gives you a URL to distribute to your audience. When the members of your audience open that URL they will be able to see and follow along with your presentation. When you're done with your presentation just click "stop presenting" and the synchronization stops.
Presentation.io's free service allows you to share your presentations for 48 hours then you'll have to upload them again.
Could be the future...
Help me design the School in the Cloud, a learning lab in India, where children can explore and learn from each other -- using resources and mentoring from the cloud. Hear his inspiring vision for Self Organized Learning Environments (SOLE), and learn more at tedprize.org.
Wednesday, February 27, 2013
This is very interesting. Stuxnet was considered really sophisticated for 2010; if it really dates back to 2007, it is 4 or 5 generations more sophisticated than we thought! (Counted in Internet years)
Stuxnet Missing Link Found, Resolves Some Mysteries Around the Cyberweapon
As Iran met in Kazakhstan this week with members of the UN Security Council to discuss its nuclear program, researchers announced that a new variant of the sophisticated cyberweapon known as Stuxnet had been found, which predates other known versions of the malicious code that were reportedly unleashed by the U.S. and Israel several years ago in an attempt to sabotage Iran’s nuclear program.
The new variant was designed for a different kind of attack against centrifuges used in Iran’s uranium enrichment program than later versions that were released, according to Symantec, the U.S.-based computer security firm that reverse-engineered Stuxnet in 2010 and also found the latest variant.
The new variant appears to have been released in 2007, two years earlier than other variants of the code were released, indicating that Stuxnet was active much earlier than previously known. A command-and-control server used with the malware was registered even earlier than this, on Nov. 3, 2005.
… The new finding, described in a paper released by Symantec on Tuesday (.pdf), resolves a number of longstanding mysteries around a part of the attack code that appeared in the 2009 and 2010 variants of Stuxnet but was incomplete in those variants and had been disabled by the attackers.
So, this is the hackers watching the bank talk to some third-party security types about watching the hackers watch the bank?
Michael Kelley and Geoffrey Ingersoll report:
Anonymous hackers have released 14 gigabytes of information allegedly related to Bank of America and a web intelligence firm it hired to spy on hackers and social activists last year.
Emails detail how employees of TEKSystems actively watched hacker forums and social media sites for any remotely relevant pieces of “intelligence.”
Read more on Business Insider.
Cyber War News has some additional details on the data dump here and here. There hasn’t been much mainstream media coverage of this data leak yet and BofA has not confirmed claims yet, nor responded to a claim in the press release that no hacking was involved:
The source of this release has confirmed that the data was not acquired by a hack but because it was stored on a misconfigured server and basically open for grabs.
Even more alarming, the data was retrieved from an Israeli server in Tel Aviv – neither the source nor we have any idea what the data was doing there in the first place.
I guess the Pentagon has finally looked around and noticed that the average Afghan has a smartphone that could be used to talk to the bad guys, photograph the good guys, set off roadside bombs, even fly homemade drones. NOTE: This is similar to the BYOD we are seeing in some organizations.
Pentagon Wants a ‘Family of Devices’ as It Makes Big Move Into Mobile Market
The next big customer for smartphones and tablets? The U.S. military. Finally.
The military has begun talks with device and mobile operating-system manufacturers, as well as the major carriers, to supply troops with secured mobile devices. The idea is for the manufacturers to offer the Pentagon an already-secure device and OS, rather than for the military to laboriously build a bespoke mobile suite that inevitably won’t keep pace with commercial innovation. [...we have plenty of examples of how poorly that turns out. Bob]
… The architects of the Pentagon’s new Commercial Device Mobile Implementation Plan, unveiled Tuesday, want to be clear they’re not talking about soldiers, sailors, airmen and Marines all buying, say, an iPhone 5 — and being stuck with it for years after the companies come out with improved, upgraded mobile products. And they’d prefer to let the troops pick from a selection of secured, approved smartphones and tablets, not issue everyone a mobile device like they issue rifles.
“We’re device-agnostic,” Air Force Maj. Gen. Robert Wheeler, the Pentagon’s deputy chief information officer, told reporters. “What we’re looking for is a family of devices that are available depending on the operator. … And we’re going to continue to update as they update.”
Meanwhile, here on the home front...
February 26, 2013
ACLU - New Document Sheds Light on Government’s Ability to Search iPhones
"Cell phone searches are a common law enforcement tool, but up until now, the public has largely been in the dark regarding how much sensitive information the government can get with this invasive surveillance technique. A document submitted to court in connection with a drug investigation, which we recently discovered, provides a rare inventory of the types of data that federal agents are able to obtain from a seized iPhone using advanced forensic analysis tools. The list, available here, starkly demonstrates just how invasive cell phone searches are—and why law enforcement should be required to obtain a warrant before conducting them."
I'd like a bit more than the raw numbers.
February 26, 2013
FTC Releases Top 10 Complaint Categories for 2012
- "Identity theft is once more the top complaint received by the Federal Trade Commission, which has released its 2012 annual report of complaints. 2012 marks the first year in which the FTC received more than 2 million complaints overall, and 369,132, or 18 percent, were related to identity theft. Of those, more than 43 percent related to tax- or wage-related fraud. The report gives national data, as well as a state-by-state accounting of top complaint categories and a listing of the metropolitan areas that generated the most complaints. This includes the top 50 metropolitan areas for both fraud complaints and identity theft complaints."
Penny Crosman reports:
A report released by KPMG on Tuesday finds that globally, there’s been a 40% increase in the number of publicly disclosed data loss incidents in the past two years. However, financial services firms have seen an 80% decrease in number of incidents in the past five years.
Read more on American Banker. You can find the KPMG report here (pdf). Haven’t had time to read it yet, but it will be interesting to see how their findings compare with QuickView report and other analyses.
[From the article:
One reason the reporting of data breaches has increased is because of an SEC order in October 2011 that required more transparency over cyber risk and disclosure of the impact of data breaches. "That was the first time publicly traded organizations were obligated to disclose information about data breaches that did not pertain to personally identifiable information," Bell observes.
With lines like “A society that permits the unchecked ascendancy of surveillance infrastructures cannot hope to remain a liberal democracy,” you know I've got to read this closely.
Jathan Sadowski writes:
… Privacy should have a deeper purpose than the one ascribed to it by those who treat it as a currency to be traded for innovation, which in many circumstances seems to actually mean corporate interests. To protect our privacy, we need a better understanding of its purpose and why it is valuable.
That’s where Georgetown University law professor Julie E. Cohen comes in. In a forthcoming article for the Harvard Law Review, she lays out a strong argument that addresses the titular concern “What Privacy Is For.” Her approach is fresh, and as technology critic Evgeny Morozov rightly tweeted, she wrote “the best paper on privacy theory you’ll get to read this year.” (He was referring to 2012.)
Read more on The Atlantic.
Curious. Is this an indication of a screw-up? Something made their “slam dunk” a lot less probable? Should Kim Dotcom's lawyers talk to this guy?
Feds strike a deal with alleged illegal streaming site operator
After taking down Channelsurfing.net and arresting its alleged owner in 2011, the feds now seem to be easing up. Before going to trial, the government struck a deal earlier this month with the alleged site owner Brian McCarthy.
In a "Deferred Prosecution" memo filed on February 11, which was obtained by TorrentFreak, U.S. Attorney Preet Bharara writes that "after a thorough investigation, it has been determined that the interest of the United States and your own interest will best be served by deferring prosecution in this District.
… It's unclear why the feds are letting McCarthy off the hook. Under the terms of the deal he came to with the government, he has to show good behavior, find a legal job, not violate any laws, and steer clear of anything to do with illegal Internet streaming. He also has to pay back $351,033, which he allegedly made via Channelsurfing.net, according to TorrentFreak.
An interesting question. Since not all users are equally valuable, who would flee and how would Google price “freedom” to compensate for their loss?
"I've been thinking a lot about how much information I give to technology companies like Google and Facebook and how I'm not super comfortable with what I even dimly know about how they're handling and selling it. Is it time for major companies like this, who offer arguably utility-like services for free in exchange for info, to start giving customers a choice about how to 'pay' for their service? I'd much rather pony up a monthly fee to access all the Google services I use, for example, and be assured that no tracking or selling of my information is going on. I'm not aware of how much money these companies might make from selling data about a particular individual, but could it possibly be more than the $20 or $30 a month I'd fork over to know that my privacy is a little more secure? Is this a pipe dream, or are there other people who would happily pay for their private use of these services? What kinds of costs or problems could be involved with companies implementing this type of dual business model?"
Perspective. Can anyone remember when it was unusual to hear anyone talk about “a billion” anything?
Dropbox clears 1 billion file uploads per day
People save 1 billion files every day to Dropbox's online storage service, Chief Executive Drew Houston said today at the Mobile World Congress show here.
… When the company started, Dropbox could synchronize people's data among PCs, but now of course it helps bridge the gaps to smartphones, tablets, and presumably other Internet-connected devices of the future. The company has been gradually expanding the abilities of its software to make it more of a central hub for people's data with features such as graphics viewers and automatic photo uploads from phones.
Perspective. Convergence means industry techniques are getting smarter and easier for individuals to use... Now every Computer Design major can “print” their own car...
3-D Printed Car Is as Strong as Steel, Half the Weight, and Nearing Production
Picture an assembly line that isn’t made up of robotic arms spewing sparks to weld heavy steel, but a warehouse of plastic-spraying printers producing light, cheap and highly efficient automobiles.
If Jim Kor’s dream is realized, that’s exactly how the next generation of urban runabouts will be produced. His creation is called the Urbee 2 and it could revolutionize parts manufacturing while creating a cottage industry of small-batch automakers intent on challenging the status quo.
Good news for my Computer Security majors...
Mike Millard reports:
The sixth Global Information Security Workforce Study, conducted by (ISC)² shows that a shortage of information security professionals is having an adverse impact on healthcare and other industries, even as vulnerabilities such as mobile devices and social media are on the rise.
The (ISC)² study, conducted in partnership with Booz Allen Hamilton and Frost & Sullivan, examined security practices across many industries. One of its key findings is that more than two-thirds of chief information security officers say they’re short-staffed – leading to an increased threat of expensive breaches.
Read more on HealthcareIT News.
Tuesday, February 26, 2013
No great surprises, but a new survey, Securing Outsourced Consumer Data, commissioned by Experian Data Breach Resolution and conducted by the Ponemon Institute reveals that many organizations (46%) do not evaluate the security and privacy practices of vendors before sharing sensitive or confidential information.
… When sharing sensitive and confidential consumer information, nearly half of respondents (49%) said that they do not monitor — or are unsure whether their organization monitors — vendor security and privacy practices.
… To access the full report, Securing Outsourced Consumer Data, visit http://www.Experian.com/ConsumerDataStudy.
“That don't mean you can't strap on your shooting irons and mosey down main street...”
February 25, 2013
FindLaw - 10th Circuit rules that permits allowing people to carry concealed weapons are not protected by Second Amendment
Findlaw: "The Second Amendment and gun control remain controversial issues in the U.S. A federal district court judge tossed out Gray Peterson’s 2011 lawsuit filed against Denver and Colorado’s Department of Public Safety. Peterson had claimed that being denied a concealed-weapons permit because he was not a Colorado resident violated his Second Amendment right to bear firearms. The 10th Circuit on Friday ruled that carrying concealed firearms is not protected by the Second Amendment or the Privileges and Immunities Clause, nor is the right of people to keep and bear arms infringed upon by laws prohibiting the carrying of concealed weapons. The Court held: “Given that the concealed carrying of firearms has not been recognized as a right, and the fact that concealed carry was prohibited for resident and non-resident alike for much of our history, we cannot declare this activity sufficiently basic to the livelihood of the Nation.”"
An interesting summation...
Computerization in Health Care Demands High Data Standards
Monday, February 25, 2013
Granted this is something organizations dread hearing, but if they don't acknowledge the message, they may find the next person asking the question is a reporter. A review of the Comments is interesting.
"As the owner of my own mail domain, I have the luxury of being able to create unique email addresses to use when registering with web sites and providers. So when I started to receive virus-infected emails recently, at an address that I created exclusively for use with a well-known provider of tools for the Systems Administration community (and which I have never used anywhere else), I knew immediately that either their systems or their subscriber list had been compromised. I passed my concerns on to a couple of their employees whom I know socially, and they informed me that they had passed it up the food chain. I have never received any sort of official response, nor seen any public notification or acceptance of this situation. When I received another virus-infected email at that same address this week, I posted a polite note on their Facebook page. Again, nothing. If it was a company in any other field, I might expect this degree of nonchalance, but given the fact that this company is staffed by — and primarily services — geeks, I'm a little taken aback by their apparent reticence. So, since the polite, behind-the-scenes approach appears to have no effect, I now throw it out to the group consciousness: Am I being paranoid, or are these folks being unreasonable in refusing to accept or even acknowledge that a problem might exist? What would you recommend as my next course of action?"
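The submitter's method works because each registered address is a canary: it was handed to exactly one organization, so mail reaching it from anyone else points at that organization's systems or subscriber list. Here is that bookkeeping written out as an added example (it is not code from the Slashdot post, the blog, or any provider): a registry mapping each canary address to the service that received it and the domains that service legitimately mails from, and a scan over inbound message headers that attributes unexpected senders back to the service that must have leaked the address. All addresses, domains and sample messages are constructed for the example.

```python
"""Attribute unexpected mail to the service that was given a canary address.

Added example, not the post's or any vendor's code. Every address, domain and
message below is constructed for illustration.
"""
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry: canary address -> (service it was given to,
# domains that service is expected to mail from; subdomains are accepted).
CANARIES = {
    "sysadmin-tools-2011@example.net": ("SysAdmin Tools Vendor", {"sysadmin-tools.example"}),
    "bank-alerts@example.net": ("Example Bank", {"example-bank.example"}),
}

# Constructed sample mailbox: raw RFC 5322 messages, headers then body.
SAMPLE_MAILBOX = [
    "From: newsletter@sysadmin-tools.example\n"
    "To: sysadmin-tools-2011@example.net\n"
    "Subject: March newsletter\n\nLegitimate mail from the registered service.\n",
    "From: \"Invoice\" <billing@mail-blast.example>\n"
    "To: sysadmin-tools-2011@example.net\n"
    "Subject: Your invoice is attached\n\nUnexpected sender at a single-use address.\n",
    "From: statements@alerts.example-bank.example\n"
    "To: bank-alerts@example.net\n"
    "Subject: Statement available\n\nLegitimate mail from a subdomain of the bank.\n",
    "From: support@phish.example\n"
    "To: bank-alerts@example.net\n"
    "Cc: sysadmin-tools-2011@example.net\n"
    "Subject: Account notice\n\nOne message hitting two canaries at once.\n",
    "From: friend@somewhere.example\n"
    "To: personal@example.net\n"
    "Subject: hi\n\nNot a canary address; ignored by the scan.\n",
]


def sender_domain(msg):
    """Lower-cased domain of the From: header, or '' if it is absent or malformed."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def canary_recipients(msg, registry):
    """All To:/Cc: recipients that are registered canary addresses."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr.lower() in registry]


def is_expected_sender(domain, allowed):
    """True if the sender domain is one of the service's domains or a subdomain of one.

    The check is a dotted-suffix match, so 'example-bank.example.evil' does not pass.
    """
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def scan_mailbox(raw_messages, registry=CANARIES):
    """Return {service name: sorted list of unexpected sender domains}.

    A message is attributed to every canary it was addressed to, so one
    message can implicate several services.
    """
    findings = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        domain = sender_domain(msg)
        for canary in canary_recipients(msg, registry):
            service, allowed = registry[canary]
            if not is_expected_sender(domain, allowed):
                findings[service].add(domain or "<no From header>")
    return {service: sorted(domains) for service, domains in findings.items()}


if __name__ == "__main__":
    for service, domains in scan_mailbox(SAMPLE_MAILBOX).items():
        print(f"{service}: unexpected mail from {', '.join(domains)}")
```

The From: header is attacker-controlled, so the sender domain is only evidence of *who* is abusing the address, not proof; the attribution that matters is the recipient side, which is why the registry is keyed on the canary address and a single hit at an address that was never used anywhere else is enough to raise the question the submitter raised.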
A new legal specialty?
February 24, 2013
New on LLRX - Another NY court on discovery of social media evidence
Via LLRX.com - Another NY court on discovery of social media evidence - Attorney Nicole Black brings context to the impact of the proliferation of social media accounts among the majority of adults in the United States. The information from these accounts has become a prime source for lawyers to mine for evidence to support their clients' cases.
Toward an Automated Lawyer?
February 24, 2013
New on LLRX - LegalTech 2013: Old habits die hard, but die they do
Via LLRX.com - LegalTech 2013: Old habits die hard, but die they do - Attorney Nicole Black's article on the LegalTech 2013 conference, sponsored every year by American Lawyer Media, updates all of us who could not attend on the latest legal technologies and innovations.
[From the article:
… nearly every e-discovery software company that exhibited at LegalTech offered a cloud computing option.
… Also relevant is that the "bring your own device" (BYOD) phenomenon is now a reluctantly accepted reality for most large firm IT departments.
… in recent years, rapid technological change, increased competition from non-traditional sources (such as do-it-yourself websites like Legal Zoom and Rocket Lawyer), and the ailing economy have drastically affected the profitability of doing business as usual. In other words, both the cues (the demand for traditional legal representation) and the rewards (profits) for delivering legal services as we've always done are decreasing.
Since it's so easy to get an answer, I'll have to switch my exams to a Jeopardy format...
February 24, 2013
Butler Business Accelerator Evaluates Q&A Platforms using New Intelligence Index
News release: "A new study using the Butler University Q&A Intelligence Index measures how various mobile Q&A platforms deliver quality, accurate answers in a timely manner to a broad variety of questions. Based on the results of our analysis, ChaCha led all Q&A platforms on mobile devices. Results of the study are based upon review of a large set of responses from each of the major Q&A platforms, coupled with a comparison of disparate Q&A platforms that serve answers in different ways. Our methodology included the creation of a new metric, termed the Butler University Q&A Intelligence Index, which measures the likelihood that a user can expect to receive a correct answer in a timely manner to any random question asked using natural language. We asked questions via mobile services and randomized the questions to cover both popular and long-tail knowledge requests."
For my Website students...
Last week, I talked about how important jQuery is to any modern web developer and why it’s awesome. This week, I think it’s time we got our hands dirty with some code and learnt how to actually make use of jQuery in our projects.
… It is assumed however that as a web developer you have a pretty good knowledge of HTML and CSS (and here’s our helpful free xHTML guide if not!).
The most important blog post ever! (Just like all the others)
Tabloid Chic: How Racy Headlines Unlock Money and Power
Once headed for a bland retirement within newspapers, the headline is making a striking comeback online, where tabloid come-ons increasingly convert to fame and fortune.
In its revived form, the headline is finding relevance far beyond news media as it becomes a key weapon in fields like politics and business. No longer the exclusive province of copy editors, it is now the cornerstone of emailed political appeals, the fulcrum of crowdsourcing capital on Kickstarter, and arguably the basis of an entire communications medium, the all-headlines microblogging system Twitter.
Coming soon: My Guide to Anti-Social Media