Saturday, March 23, 2013

I suppose we needed a few examples of how poor information sharing has been without President Obama's new mandates, but two years? Where else could we lay the blame?
From the college’s press release today:
Tallahassee Community College, on Friday, announced that an unauthorized acquisition of computerized data that may materially compromise the security, confidentiality, or integrity of personal information occurred in March 2011.
College officials were recently notified of the breach of security by federal officials. The federal investigation resulted in the conviction of a Miami, Fla., man on one count of conspiracy to submit false claims to the Internal Revenue Service, one count of access device fraud, and two counts of aggravated identity theft.
“TCC values the protection of private information, so we take this matter very seriously,” said TCC Chief of Police David Hendry. “We have identified the group of individuals whose information may have been compromised, and we will immediately begin the process of contacting each one.”
According to Hendry, the College believes the breach occurred internally and impacts approximately 3,300 individuals. An investigation into the breach is ongoing.
Beginning Monday, TCC will mail personalized letters to the persons potentially impacted by the data breach. The letters will detail what steps individuals can take to check the security of their identities; TCC will also provide additional resources, including a TCC hotline to provide further information.
If the federal investigation led to a conviction, then the feds clearly knew about this for a while. Why didn’t they inform the college before now? And why didn’t the college discover this breach on their own two years ago? What does the police chief mean that it occurred “internally?” Is he suggesting an employee was implicated in wrongdoing or something else?


Practically everyone is contributing to the “Hacking for fun and profit” guidebook...
"Twitter, Linkedin, Yahoo! and Hotmail accounts are open to hijacking thanks to a flaw that allows cookies to be stolen and reused. Attackers need to intercept cookies while the user is logged into the service because the cookies expire on log-out (except LinkedIn, which keeps cookies for three months). The server will still consider them valid. For the Twitter attack, you need to grab the auth_token string and insert it into your local Twitter cookies. Reload Twitter, and you'll be logged in as your target (video here). Not even password changes will kick you out."


I've been screaming for better security, so I should support a bank that offered it. But was it so much more costly or time consuming (same thing) that they could not make it the default option? In this case, it looks like “Dual Control” was turned down because one of the two authorizers might be out of the office. Saving a few bucks on a couple of Smartphones cost them $440,000 (plus court fees).
More on the lawsuit and countersuit between Choice Escrow and Land Title and BancorpSouth, mentioned previously on this blog. Tracy Kitten reports:
A federal court has sided with a Mississippi bank in a lingering dispute with a customer over financial losses linked to an account takeover incident dating back to March 2010. That means the bank will not have to cover the cost of the loss or pay damages.
On March 18, in a summary judgment filed in a U.S. District Court in Missouri, a magistrate judge favored BancorpSouth in its legal dispute with Choice Escrow Land Title LLC over a $440,000 loss that resulted from fraudulent wire transfers.
Read more on BankInfoSecurity.com.

(Related)
"In an effort to increase security for user accounts, Apple on Thursday introduced a two-step verification option for Apple IDs. As the 'epic hacking' of Wired journalist Mat Honan proved, an Apple ID often carries much more power than the ability to buy songs and apps through Apple's App store. An Apple ID can essentially be the keys to the Kingdom when it comes to Apple devices and user maintained data, and as Apple explains, 'is the key to many important things you do with Apple, such as purchasing from the iTunes and App Stores, keeping personal information up-to-date across your devices with iCloud, and locating, locking, or wiping your devices.' 'After you turn [Two-step verification] on, there will be no way for anyone to access and manage your account at My Apple ID other than by using your password, verification codes sent to your trusted devices, or your Recovery Key,' a support entry announcing the new service explained."

(Related) Perhaps you should take Apple up on the improved security...
Apple ID password reset exploit reportedly in the wild
A new exploit lets anyone who knows your birthday and e-mail address reset your Apple ID password, according to a new report.
The exploit, described by The Verge though not posted publicly, makes use of a special URL that gets around the need for a security question, a security measure Apple put in place on all Apple ID accounts last April.
The reported exploit does not work on accounts with two-step verification enabled, which Apple introduced yesterday, and does away with the security question in favor of sending a four-digit PIN code to a cell phone that needs to be entered along with the typical password.
"Apple takes customer privacy very seriously," an Apple spokesperson told CNET. "We are aware of this issue and working on a fix."


I never even considered that there might be an “honest to God” Red-Light camera advocacy group...
Red-Light Cameras Can Stop Crime, Says Red-Light Camera Advocacy Group
One way to catch criminals is by giving police departments access to red-light camera footage even when a traffic violation isn’t involved, according to a nonprofit that argues in favor of the law-enforcement devices.
The National Coalition for Safer Roads, whose stated mission is to “save lives and protect communities by demonstrating how red light safety cameras can improve driver behavior,” announced the findings in a new study that contends the cameras can catch criminals guilty of infractions far greater than rolling through a red light. The coalition is funded by American Traffic Solutions, a manufacturer of traffic-control devices such as red-light cameras, so let’s just say the researchers’ motives might not be entirely altruistic.


On the road to “Do Not Track?”
itwbennett writes
"Do you know what data the 1300+ tracking companies have on you? Privacy blogger Dan Tynan didn't until he had had enough of being stalked by grandpa-friendly Jitterbug phone ads. Tracking company BlueKai and its partners had compiled 471 separate pieces of data on him. Some surprisingly accurate, some not (hence the Jitterbug ad). But what's worse is that opting out of tracking is surprisingly hard. On the Network Advertising Initiative Opt Out Page you can ask the 98 member companies listed there to stop tracking you and on Evidon's Global Opt Out page you can give some 200 more the boot — but that's only about 300 companies out of 1300. And even if they all comply with your opt-out request, it doesn't mean that they'll stop collecting data on you, only that they'll stop serving you targeted ads."

(Related) Tracking data is valuable...
"PayPal, Google Wallet and other online payment systems face higher transaction fees from MasterCard in retaliation for their refusal to share data on what people are spending. Visa is likely to follow suit. The amount that PayPal has to pay MasterCard for every transaction will go up as the latter introduces new charges for intermediated payment processors. This change is on the grounds that such processors don't share transaction details, which the card giants would love to get hold of as it can be used to research buying patterns and the like. Companies such as PayPal allow payments between users, so the party (perhaps a merchant) receiving the money doesn't need to be registered with the credit-card company. PayPal collects the dosh from the payer's card, and deducts a processing fee before passing the cash on to the receiving party. MasterCard would prefer the receiver to be registered directly so will apply the new fee from June to any payment that is staged in this way."


Inevitable I suppose, but don't the sex offender laws strip offenders of any and all rights? (Colorado also has a sex offender site: http://sor.state.co.us/)
Luke Duecy reports:
A group of convicted sex offenders is suing three websites for posting their photos and personal information and then allegedly charging them to take the information down.
In their federal lawsuit, the sex offenders claim that is extortion.
Read more on Komo News.
Update: Courthouse News has more on the RICO complaint, here. The plaintiffs also allege violations of California’s right of publicity law and intentional infliction of emotional distress.


What would Walter Cronkite say?
"Jack Mirkinson reports that Pew Research Center's annual "State of the Media" study found that, since 2007, CNN, Fox News and MSNBC have all cut back sharply on the amount of actual reporting found on their airwaves. Cheaper, more provocative debate or interview segments have largely filled the void. Pew found that Fox News spent 55 percent of the time on opinion and 45 percent of the time on reporting. Critics of that figure would likely contend that the network's straight news reporting tilts conservative, but it is true that Fox News has more shows that feature reporting packages than MSNBC does. According to Pew, MSNBC made the key decision to reprogram itself in prime time as a liberal counterweight to the Fox News Channel's conservative nighttime lineup. The new MSNBC strategy and lineup were accompanied by a substantial cut in interview time and sharply increased airtime devoted to edited packages. The Pew Research examination of programming in December 2012 found MSNBC by far the most opinionated of the three networks, with nearly 90% of MSNBC's primetime coverage coming in the form of opinion or commentary."


So they must have a simple way to identify what are essentially “electronic gambling devices” but for some reason they can't close the operator down?
"Concerned about their use as fronts for gambling operations, the Florida legislature passed a law banning Internet cafes. The law appears to be a reaction in part to the recent stepping down of Lt. Gov. Jennifer Carroll, embroiled in a scandal involving a company that operates Internet Cafes. More ordinary cafes with Wi-fi, where you supply your own computer (such as Starbucks), are not affected by the ban."
The nomenclature here is confusing; the bill (PDF) (summary) is clearly aimed only at "cafes" that are essentially gambling venues; an Internet cafe wouldn't violate the proposed rule merely by providing computers. Whatever you think of prohibitions on gambling among consenting adults, the bill itself is sort of amusing for its very specific loopholes for bingo and "reverse vending machines."


Does this have potential?
Twitter Needs to Deal With Misinformation. Here's How
… Zeynep Tufekci is a fellow at Princeton University's Center for Information Technology Policy. Earlier this month, Tufekci tweeted what she thought was the new Pope's Twitter handle. It turned out that the username was a fake. Although Tufekci corrected herself immediately after discovering the mistake, it didn't stop people from seeing her older, incorrect tweet.
In a blog post later, Tufekci called on Twitter to create a feature that would alert innocent users to misinformation. Her suggestion? Allow the creator of the original, mistaken tweet to issue the offending tweet again, but this time with a big "REDACTED" or "ERROR" sign on it.*
As a way to promote transparency and accountability among users, this isn't a bad idea. But as Tufekci points out, there's also no guarantee that everyone will see the second tweet with the correction appended. Nor would the system do anything to modify her original, mistaken tweet, which is still living in cyberspace (she didn't delete it so that there would be a record both of the error and the correction).
Given that some people almost certainly saw just the wrong information and not the correction, I'd suggest an addition to Tufekci's idea—a feature that:
  • Lets users mark their own tweets as incorrect after the fact, much in the way that users are able to mark their tweets as "favorites" now; that then
  • Flags the content publicly with a colored tab; and
  • Alerts anyone who clicks "retweet" that the tweet has been marked as incorrect by the original user.


Now this looks interesting...
Monosnap - A Screen Capture Tool for Mac, Windows, iOS and Chrome
… Monosnap is now available for Windows, iOS, and Chrome.
To get started using Monosnap download the version that is appropriate for your device. Once installed you can use Monosnap to capture a portion or all of your screen. Like other screen capture tools you can write on your captured images, draw arrows, and obscure parts of the image. One neat option in Monosnap is capturing your screen after a ten second delay. The delayed capture option gives you time to get everything into place for the image. That's particularly handy when you're trying to capture a pop-up box or drop-down menu that otherwise would disappear when you click away from it. You can save your screen captures on your computer or upload them to a free Monosnap account.
Applications for Education
Monosnap, like other screen capture tools, could be used for creating directions on how to use a new program or application. The option to obscure parts of an image is useful if you want to hide contact information that was accidentally captured in your screen capture.


All hail the Google! (Because most students just think they know how to use it)
… We are vocabulary challenged because we are lazy about looking up new words. Don’t be; you can use a single dictionary like the excellent Dictionary.com to learn new words…get their pronunciations right…use synonym dictionaries to find similar words…use a few slang dictionaries to learn urban speak…have some fun with video dictionaries…or just use Google.


For my rock 'n roll niece...
Thanks to guitar tabs being shared online, playing songs on the guitar has become easier than before. But sometimes, you need to see somebody play the song and visually check out their chord progressions and other techniques.
… Soundslice is a free to use web service that offers you guitar tabs of songs along with videos. You can search the website for songs and find their guitar tabs. As the tabs are shown, you will find a video of somebody performing the song. The speed of the video can be slowed down so you can better observe the things being played. You can create your own videos on the site as well and share it with your friends and students to instruct them.

Friday, March 22, 2013

Perhaps they should have followed the “Best Mob Practices” as perfected in New Jersey. There was no need for a formal identity check, but the lenders did know where you lived, and where your family lived – and which knee you liked best.
We don’t see this too often, but lack of adequate security costs this business its business, and the consequences were imposed by a regulator. Out-Law.com reports:
MCO Capital Limited made loans in the name of 7,000 people whose identity was used by fraudsters without their permission or knowledge. The loans totalled millions of pounds and demonstrated MCO’s inability to put in place adequate identity checks for loan applicants. Money laundering laws require lenders to conduct identity checks.
The OFT revoked MCO’s consumer credit licence in August and imposed a penalty of £544,505 on the company. MCO appealed and continued to trade while the appeal was pending but has now withdrawn its appeal. It will continue to appeal against the penalty.
The company, which operated using brands including Speedcredit and Paycheckcredit, also engaged in unfair business practices by demanding money from the real identity holders who had not taken out loans.
Read more on Out-Law.com


With each new technology, organizations face the same Privacy/perception challenges. Fortunately, with very minor tweaks they can employ the same solutions. (From my first lecture in Intro to Computer Security)
Jason Koebler reports on law enforcement’s perspective over drone privacy issues and public reaction:
Stephen Ingley, executive director of the Airborne Law Enforcement Association, argues that drones don’t have any advanced spying capabilities, that the drones police officers are most interested in can only fly for 15 minutes at a time, and that they are unfeasible options for so-called “persistent surveillance.”
But that hasn’t stopped more than 30 states from considering legislation restricting drone use.
“This legislation happened so fast, with such a devastating blow [Unlikely. Unless the legislation addresses your 15 minute drones. Bob] that it took us all aback,” he says.

(Related) With each new technology, organizations face the same security challenges. Fortunately, with very minor tweaks they can employ the same solutions. (From my first lecture in Intro to Computer Security)
Hack-Proof Your Company's Social Media
On Monday, Feb. 18, Burger King woke up to one whopper of a social media problem. The company's Twitter account had been hacked — its name changed to McDonalds and its background replaced with an image of Fish McBites. In the hour it took for officials to regain control, hackers proceeded to send 53 tweets to the burger chain's more than 80,000 followers, ranging from the mildly funny ("if I catch you at a wendys, we're fightin!") to the patently offensive ("We caught one of our employees in the bathroom doing this...," with an image of a drug user shooting up).
And Burger King wasn't alone. Less than 24 hours later, a similar fate befell Jeep. Hackers replaced the company's Twitter avatar with a Cadillac logo and explained to Jeep's 100,000-plus followers that the company had been sold because its employees and CEO were found using drugs. These incidents followed closely on the heels of a security breach at international media retailer HMV in late January, when a disgruntled social media manager hijacked one of the company's social media accounts and aired to the world details about recent layoffs and mismanagement.
So what's a socially engaged company to do?
Get serious about passwords.
Centralize social media channels.
Control who can post messages.
Offer basic social media education.

(Related) Oops! Too late.
"Following BBC Weather on Twitter seems like it wouldn't throw up too many surprises — possibly news of the odd blizzard now and again. But today, the account's 60,000 followers got a little more than 'chance of a light drizzle' when the pro-Assad Syrian Electronic Army hacked the account, along with a couple of other BBC accounts, in an apparent protest at what it sees as reports which don't show the Syrian regime in the best light."


Careful wording...
Brad Smith, General Counsel & Executive Vice President, Legal & Corporate Affairs for Microsoft, writes on their blog:
Today, we are releasing our 2012 Law Enforcement Requests Report. This is our first Law Enforcement Requests Report. It provides data on the number of requests we received from law enforcement agencies around the world relating to Microsoft online and cloud services and how we responded to those requests. All of our major online services are covered in this report, including, for example, Hotmail, Outlook.com; SkyDrive; Xbox LIVE; Microsoft Account; and Office 365. We’re also making available similar data relating to Skype, which Microsoft acquired in October 2011.
We will update this report every six months.
One of the most surprising finds, perhaps, was how relatively few requests resulted in disclosure of content:
First, while we receive a significant number of law enforcement requests from around the world, very few actually result in the disclosure to these agencies of customer content. To be precise, last year Microsoft (including Skype) received 75,378 law enforcement requests for customer information, and these requests potentially affected 137,424 accounts or other identifiers. Only 2.1 percent, or 1,558 requests, resulted in the disclosure of customer content.


It's not exactly an App to select your Privacy settings, but it's a step in that direction.
… The problem with privacy is not that we don’t care about it, but that we don’t always know how to protect it, or don’t have the time and motivation to go scanning through the settings of every website we use. Whatever the reason, many users don’t take good enough care of their online privacy, leaving sensitive information on Facebook, Gmail, and even Amazon and eBay, public.
Recently, I told you about things you should not share on Facebook if you care about your privacy, and also shared a cool tip about disabling Facebook’s Graph Search. In a comment to that article, reader suneo nobi shared a Chrome extension with me called Priveazy, saying it helps make some privacy tweaks. Not expecting much, I checked this extension out, and imagine my surprise when I discovered a real magic solution for all my burning online privacy problems.
… Priveazy is a Chrome extension (soon to come to Firefox too) and a website that is comprised of three parts: the Chrome extension called Priveazy Lockdown, a Web app, and the Priveazy classroom. The Chrome extension and Web app have a similar function, and help you protect and maintain your privacy on various online accounts such as Facebook, Google, eBay, LinkedIn, Amazon, etc. The classroom includes detailed lessons about various subjects such as Web Browsing Safety, Facebook Privacy 101, Home Wi-Fi Security, etc.
Priveazy won’t do the actual work for you – you still need to care enough about your privacy to change the necessary settings. It does, however, make the task 10 times easier by telling you exactly what to do, how to do it, and by loading the relevant settings page automatically.


Clearly something we will need to do here in the US.
Lachlan Urquhart provides an overview of drone regulation in the U.K., writing, in part:
More broadly, a number of UK laws could become relevant when considering regulation of surveillance drones, although the scope of application is not always clear. For example, covert use in police investigations would require compliance with the rules on directed and intrusive surveillance in Part II of the Regulation of Investigatory Powers Act 2000 (RIPA). Section 26(5) of RIPA determines if surveillance is deemed intrusive, and states surveillance which… ‘is carried out by means of a surveillance device in relation to anything taking place on any residential premises or in any private vehicle but… is carried out without that device being present on the premises or in the vehicle, is not intrusive, unless the device is such that it consistently provides information of the same quality and detail as might be expected to be obtained from a device actually present on the premises or in the vehicle’ (emphases added). This subjective dependency on consistency, quality and detail of drone obtained images could introduce uncertainty into classifying the nature of surveillance, and therefore the application of RIPA, Part II.
Read more on SCL.


If a single data element is worthless, there is no impact to Privacy if you collect and save it. In fact, if you collect everything, one element at a time, you never need to consider Privacy laws at all! (By the way, this is not what I was taught as an Intelligence Analyst)
On government mentality:
The value of any piece of information is only known when you can connect it with something else that arrives at a future point in time. Since you can’t connect dots you don’t have, it drives us into a mode of, we fundamentally try to collect everything and hang on to it forever.
– Ira “Gus” Hunt, CIA Chief Technology Officer, speaking at a conference this week.
Read more on Huffington Post.

(Related) Obfuscation is the new denial.
U.S. cyber plan calls for private-sector scans of Net
The U.S. government is expanding a cybersecurity program that scans Internet traffic headed into and out of defense contractors to include far more of the country's private, civilian-run infrastructure.
As a result, more private sector employees than ever before, including those at big banks, utilities and key transportation companies, will have their emails and Web surfing scanned as a precaution against cyber attacks.
… The Department of Homeland Security will gather the secret data and pass it to a small group of telecommunication companies and cybersecurity providers [See? You don't have to be a situation comedy to have a spin-off! Let's call them “Baby NSAs” Bob] that have employees holding security clearances, government and industry officials said. Those companies will then offer to process email and other Internet transmissions for critical infrastructure customers that choose to participate in the program.
By using DHS as the middleman, the Obama administration hopes to bring the formidable overseas intelligence-gathering of the NSA closer to ordinary U.S. residents without triggering an outcry from privacy advocates who have long been leery of the spy agency's eavesdropping.
… DEEP PACKET INSPECTION?
The issue of scanning everything headed to a utility or a bank still has civil liberties implications, even if each company is a voluntary participant.
Lee Tien, a senior staff attorney with the nonprofit Electronic Frontier Foundation, said that the executive order did not weaken existing privacy laws, but any time a machine acting on classified information is processing private communications, it raises questions about the possibility of secret extra functions that are unlikely to be answered definitively.


Interesting to read this along with the laws of war from yesterday.
March 20, 2013
Worldwide Threat Assessment of the US Intelligence Community
Statement for the Record - Worldwide Threat Assessment of the US Intelligence Community, Senate Select Committee on Intelligence. James R. Clapper, Director of National Intelligence, March 12, 2013
  • "This year, in both content and organization, this statement illustrates how quickly and radically the world—and our threat environment—are changing. This environment is demanding reevaluations of the way we do business, expanding our analytic envelope, and altering the vocabulary of intelligence. Threats are more diverse, interconnected, and viral than at any time in history. Attacks, which might involve cyber and financial weapons, can be deniable and unattributable. Destruction can be invisible, latent, and progressive. We now monitor shifts in human geography, climate, disease, and competition for natural resources because they fuel tensions and conflicts. Local events that might seem irrelevant are more likely to affect US national security in accelerated time frames. In this threat environment, the importance and urgency of intelligence integration cannot be overstated. Our progress cannot stop. The Intelligence Community must continue to promote collaboration among experts in every field, from the political and social sciences to natural sciences, medicine, military issues, and space. Collectors and analysts need vision across disciplines to understand how and why developments—and both state and unaffiliated actors—can spark sudden changes with international implications."


Let's hope they don't screw this one up...
March 21, 2013
Publishing Scientific Papers with Potential Security Risks: Issues for Congress
  • "The federal government generally supports the publication of federally funded research results because wide dissemination may drive innovation, job creation, technology development, and the advance of science. However, some research results could also be used for malicious purposes. [I'll go so far as to say ALL research results could be used for evil – you just have to be creative! Bob] Congress, the Administration, and other stakeholders are considering whether current policies concerning publishing such research results sufficiently balance the potential benefits with the potential harms. The current issues under debate cut across traditional policy areas, involving simultaneous consideration of security, science, health, export, and international policy. Because of the complexity of these issues, analysis according to one set of policy priorities may adversely affect other policy priorities. For example, maximizing security may lead to detriments in public health and scientific advancement, while maximizing scientific advancement may lead to security risks. Accounting for such trade-offs may allow policymakers to establish regulatory frameworks that more effectively maximize the benefits from such “dual-use,” i.e., potentially beneficial and also potentially harmful, research while mitigating its potential risks."

(Related) Oops! Too late. (Perhaps they believe it is so difficult to download these documents that China hasn't done it yet?)
"The extensive NASA Technical Report Archive was just taken offline, following pressure from members of U.S. Congress, worried that Chinese researchers could be reading the reports. U.S. Representative Frank Wolf (R-VA) demanded that 'NASA should immediately take down all publicly available technical data sources until all documents that have not been subjected to export control review have received such a review,' and NASA appears to have complied. Although all reports are in the public domain, there doesn't appear to be a third-party mirror available (some university libraries do have subsets on microfiche)."


A legal question: Does the application for a firearms manufacturing license mention 3D printing (or any other manufacturing technique) anywhere? 2D plans are available in many gun magazines. Figuring out how big to make the barrel for a 9mm bullet shouldn't be beyond even my math students.
"Defense Distributed, a U.S. nonprofit that aims to make plans for guns available to owners of 3-D printers, recently received a federal firearms license from the Bureau of Alcohol, Tobacco and Firearms. That license doesn't cover semi-automatic weapons and machine guns, though — and there are questions about whether the legislation that defines that license really applies to the act of giving someone 3-D printing patterns. Experts on all sides of the issue seemed to agree that no clarification of the law would happen until a high-profile crime involving a 3-D printed weapon was committed."


Perspective. And all I've ever asked for is one dollar per user per year. Very reasonable. I bet if I actually had a legitimate claim I could get a whole bunch of lawyers interested in my request.
YouTube Hits 1 Billion Monthly Users
YouTube is big. It is, by far, the most popular place to watch video on the internet. It’s a juggernaut. A behemoth. A massive morass of cute animal videos, Harlem shakers, one-hit-wonder pop songs, teen diaries, street violence, natural disasters, news clips, over-the-top advertising and just about every other type of entertainment that can exist on video.
And, on Thursday, YouTube announced that it has racked up 1 billion unique monthly users. About as many people use YouTube (which is owned by Google) as they do Facebook.


We might as well install this on the computer lab computers so our students don't have to waste time listening to my lectures...
… Just recently, I noticed that Pinger had launched a brand new product called Pinger Desktop. I had originally thought this was just a renamed version of Textfree Web, which is an interface available to users by the browser, but it’s a completely standalone application. What Pinger has managed to do is take texting and bring it to an instant messaging format, and I really love that.


Haven't I been saying we should do this? I have, I have!
"Inspired by an earlier Slashdot story about Finnish teachers and students writing a math textbook, I pitched the idea of writing our own much cheaper/free C++ textbook to my programming students. They were incredibly positive, so I decided to move forward and started a Kickstarter project. We hope to release the textbook we produce under a CC BY-NC-SA 3.0 license and sell cheap hard copies to sustain the hosting and other production costs."

Thursday, March 21, 2013

Unfortunately, I fear we may need this sooner rather than later...
March 20, 2013
Tallinn Manual on the International Law Applicable to Cyber Warfare
"The Tallinn Manual on the International Law Applicable to Cyber Warfare, written at the invitation of the Centre by an independent ‘International Group of Experts’, is the result of a three-year effort to examine how extant international law norms apply to this ‘new’ form of warfare. The Tallinn Manual pays particular attention to the jus ad bellum, the international law governing the resort to force by States as an instrument of their national policy, and the jus in bello, the international law regulating the conduct of armed conflict (also labelled the law of war, the law of armed conflict, or international humanitarian law). Related bodies of international law, such as the law of State responsibility and the law of the sea, are dealt with in the context of these topics. The Tallinn Manual is not an official document, but instead an expression of opinions of a group of independent experts acting solely in their personal capacity. It does not represent the views of the Centre, our Sponsoring Nations, or NATO. It is also not meant to reflect NATO doctrine. Nor does it reflect the position of any organization or State represented by observers."
… The Tallinn Manual is available in both paper and electronic copies from Cambridge University Press (© Cambridge University Press 2013). We have also made the book available for reading and research below.

(Related) ...and apparently, I'm not alone. What would the attacker be thinking?
Tone Down the Cyberwarfare Rhetoric, Expert Urges Congress
As the nation spent this week pondering the wisdom of its decision to invade Iraq a decade ago, a witness urged Congress on Wednesday to consider more carefully how the United States will respond to a cyber 9/11 should one occur and to weigh carefully the use of strong statements that could force the nation to respond forcefully to a cyberattack, whether doing so is wise or not.
Referring to last week’s announcement by the U.S. director of national intelligence that cyberattacks were the biggest threat the nation faced, Martin Libicki, senior management scientist at the RAND Corporation, told the House Homeland Security Committee that making strong statements about cyberattacks “tends to compel the United States to respond vigorously should any such cyberattack occur, or even merely when the possible precursors to a potential cyberattack have been identified. Having created a demand among the public to do something, the government is then committed to doing something even when doing little or nothing is called for.”
Put in perspective, cyber attacks might disrupt life, but they cannot be used to occupy another nation’s capital or force regime change. [Oh? Bob] No one has yet died from a cyberattack either, he noted. Therefore, a cyberattack in and of itself, “does not demand an immediate response to safeguard national security,” Libicki said during a hearing on cyberthreats against critical infrastructure from China, Russia and Iran.
By wailing about the damages of an attack in order to drum up outrage, we’re inviting more attacks, Libicki suggested. [Didn't you just argue that was better than bombs? Bob]


Inevitable...
Today, the ACLU of Northern California filed suit against the City and County of San Francisco and San Francisco Police Chief Gregory Suhr on behalf of a civil rights activist, Bob Offer-Westort, whose cell phone was searched by the San Francisco Police Department without a warrant after he was arrested while engaging in peaceful civil disobedience.
The suit charges that warrantless cell phone searches at the time of arrest violate the constitutional rights not only of arrestees but also of their family, friends, co-workers, and anyone whose information is in their phones. This practice violates the right to privacy, and the right to speak freely without police listening in to what we say and who we talk to.
“Our mobile devices hold our emails, text messages, social media accounts, and information about our health, finances, and intimate matters of our lives. That’s sensitive information that police shouldn’t be able to get without a warrant,” said Linda Lye, staff attorney at the ACLU of Northern California. “The Constitution gives us the right to speak freely and know that police won’t have access to private communications in our cell phones unless there is a good reason.”
… This is the first civil suit in California to challenge warrantless cell phone searches at arrest. In 2011, the California Supreme Court ruled in People v. Diaz that the police can search the cell phone of arrestees without violating the Fourth Amendment to the United States Constitution. This suit brings a challenge under the California Constitution’s stronger guarantees of privacy and freedom from unreasonable search and seizure, as well as a challenge under the U.S. and California Constitutions’ guarantees of freedom of speech and association.
The lawsuit, Offer-Westort, et al. v. City and County of San Francisco, et al., was filed in the Superior Court of California, County of San Francisco. The law firm Pillsbury Winthrop Shaw Pittman LLP is providing pro bono assistance in the suit.
Source: ACLU


Interesting concept. The government will likely adopt it.
What would you say if your employer told you it needed your height, weight, body fat percent and other personal information for health insurance purposes?
That’s what CVS is beginning to do. The company is telling workers who use its health insurance to have a wellness review done or pay up.
CVS says the information will go to a third party administrator of CVS’s benefits, not CVS itself.
The idea is to incentivize healthy living. CVS says the idea is nothing new.
Read more on My Fox Tampa Bay.


Paper versions of government documents brand you as a throwback luddite. Get with the 21st century!
March 20, 2013
Annual Report of the U.S. Government Printing Office (GPO)
GPO 2012 Annual Report: "The Government Printing Office (GPO) is transforming itself from a traditional ink-on-paper operation to a digital information platform. While producing the official printed products of the Government remains an important part of our business, we are using technology to move away from a print-centric business model and toward a content-centric focus, which today serves as the foundation for an increasing variety of digital and secure products and services. GPO’s Federal Digital System (FDsys), our one-stop, no-fee Web site providing public access to the official information products of all three branches of the Government, continues to grow. Today we have more than 800,000 individual titles accessible via FDsys, and we are seeing more than 37 million documents retrieved each month. By the end of the year FDsys surpassed its 400 millionth document retrieval."


Interesting. The CIA couldn't steal the technology?
March 20, 2013
Federal Computer Week: Amazon and CIA ink cloud deal
"In a move sure to send ripples through the federal IT community, FCW has learned that the CIA has agreed to a cloud computing contract with electronic commerce giant Amazon, worth up to $600 million over 10 years. Amazon Web Services will help the intelligence agency build a private cloud infrastructure that helps the agency keep up with emerging technologies like big data in a cost-effective manner not possible under the CIA's previous cloud efforts, sources told FCW."


Here's how the Big Boys do it...
March 20, 2013
Forrester - Big Data Predictive Analytics Solutions
  • "Predictive analytics enables firms to reduce risks, make intelligent decisions, and create differentiated, more personal customer experiences. But predictive analytics is hard to do without the right tools and technologies, given the increasing challenge of storing, processing, and accessing the volume, velocity, and variety of big data. In Forrester's 51-criteria evaluation of big data predictive analytics solution vendors, we evaluated 10 solutions from Angoss Software, IBM, KXEN, Oracle, Revolution Analytics, Salford Systems, SAP, SAS, StatSoft, and Tibco Software. This report details our findings about how well each solution fulfills the criteria and where they stand in relation to each other, and it helps application development and delivery professionals select the right big data predictive analytics solution."

(Related) And here's one for my Statistics students
Plugging data into a spreadsheet is simple. It might be a little tedious, and it is certainly not fun, but it’s a job anyone can figure out how to do in a relatively short amount of time. However, generating meaningful insights from that data is a much more difficult thing to do. There is always plenty of information that can be extrapolated from data, but just looking at it and trying to find correlations is tough.
That’s where the website Statwing comes into play. It looks at uploaded data and finds useful correlations in it.
To use Statwing, all you need to do is upload a spreadsheet or CSV file, and it will scan the data for you. From there, it will take you to a screen where you can explore the data in a way you just cannot do with a simple spreadsheet. You can look for connections between different pieces of data. Statwing offers a demonstration based on data from travelers on the Titanic. You can easily see how powerful it is when you look for ways different pieces of data connect.


Save it for later... It's not everywhere, yet.
Amazon’s ‘Send to Kindle’ Button Takes Aim at Read-It-Later Services
Sending longreads to your Kindle just got easier.
When your job gets in the way of reading something on the internet, read-it-later services like Pocket and Instapaper will let you download a story to their apps for offline access at your leisure. Now Amazon is entering the read-that-really-long-story-later market with a Send to Kindle button that will push content directly to Kindles and devices with the Kindle app. The button has already launched on Boing Boing, Time and The Washington Post. More will likely follow shortly, as Amazon has created a WordPress plugin and a site to help developers place the Send to Kindle button on their sites.
Sending web articles to the Kindle is nothing new. A Send to Kindle extension for Firefox and Chrome has been available since August 2012.
The first time you use the button, you’re prompted to sign into your Amazon account. A settings window determines which Kindle, or which device with the Kindle app installed, articles are sent to. After a few minutes the article appears on your device ready to read. The saved articles offer text-to-speech on devices that support the feature.


Dilbert provides a perfect introduction to my lecture on Social Media in my Intro to IT class.

Wednesday, March 20, 2013


North Korea regularly creates “border incidents” ranging from infiltrators to artillery barrages. Where would this fall on the scale of “not quite at the level where South Korea needs to respond massively”?
South Korea raises alert after hackers attack broadcasters, banks
South Korean authorities were investigating a hacking attack that brought down the servers of three broadcasters and two major banks on Wednesday, and the army raised its alert level due to concerns of North Korean involvement.
Servers at television networks YTN, MBC and KBS were affected as well as Shinhan Bank and NongHyup Bank, two major banks, the police and government officials said. At least some of the computers affected by the attacks had some files deleted, according to the authorities.
"We sent down teams to all affected sites. We are now assessing the situation. This incident is pretty massive and will take a few days to collect evidence," a police official said.
The banks have since restored their operations, but the TV stations could not say when they would be able to get their systems back up. Some workers at the stations could not boot their computers.
South Korea's military said it was not affected by the attack but raised its state of readiness in response. None of the country's oil refineries, power stations, ports or airports was affected.
North Korea has in the past targeted South Korea's conservative newspapers, banks and government institutions.

(Related) Of course, it’s considered rude to start a war and then say, “Oops!”
South Korea network attack 'a computer virus'


Always interesting, but I don't think I would go this far...
"Security guru Bruce Schneier contends that money spent on user awareness training could be better spent and that the real failings lie in security design. 'The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on,' [Agreed, but we should also tell people why we did it that way... Bob] Schneier writes in a blog post on Dark Reading. He says organizations should invest in security training for developers. He goes on, '... computer security is an abstract benefit that gets in the way of enjoying the Internet. Good practices might protect me from a theoretical attack at some time in the future, but they’re a bother right now, and I have more fun things to think about. This is the same trick Facebook uses to get people to give away their privacy. No one reads through new privacy policies; it's much easier to just click "OK" and start chatting with your friends. In short: Security is never salient.'"


As we expose what was secret, do we force the government to try to push information about their programs even further into the “Black?”
Mark Rumold of EFF writes:
In a brief filed on Friday (PDF), EFF continued its fight against secret surveillance law, asking the D.C. Circuit Court of Appeals to order the release of a secret opinion of the Office of Legal Counsel (OLC).
The opinion was generated as part of a lengthy Inspector General investigation (PDF) into the FBI’s use of unconstitutional National Security Letters, so-called “exigent letters,” and other illegal methods of obtaining customer records. The OLC’s opinion provides the federal government with the authority to obtain private call-detail records in “certain circumstances,” without any legal process or a qualifying emergency, and despite federal laws to the contrary. So far, the DOJ has refused to disclose what those circumstances are, and has even refused to disclose the statute on which the government bases its purported authority.
Read more on Infosec Island.


What would the minimum required “evidence” be to send the cops on a “visit”? Are we that oversensitive because of school shootings?
Dad says Facebook photo of son with gun brought cops to house
authorities in New Jersey … were allegedly alarmed by a Facebook photo of Josh Moore, aged 11, holding a .22 rifle
The photo had been posted by his father, Shawn, to Facebook. It showed Josh, in his camouflage outfit and rather bright sneakers.
Shawn Moore told his story to a forum on the Delaware Open Carry Web site.
He said he received a text from his wife that police and alleged members of the Department of Youth and Family Services had paid their home a visit. It was, allegedly, not a social call.
Indeed, he posted a picture of police in what he describes as "tactical gear."
He says the authorities demanded to enter the house in Carneys Point, N.J., and check his guns. His lawyer, on a cell phone speakerphone, was privy to all the discussions.
Moore insisted that he wouldn't open the safe where his guns are kept -- as no warrant was allegedly presented to him -- and that a lady from the Department of Youth and Family Services refused to identify herself.
The Associated Press says that neither the department nor the police were prepared to comment on the alleged visitation and its purpose.
Moore said none of his visitors had actually seen the photo. He alleges they had merely received a phone call reporting its details.
The rifle was reportedly Josh Moore's 11th birthday gift.
The more we insist on exposing who we are to people we don't know, the more hullabaloo seems to inevitably develop. [I’ll be using that quote… Bob]


Pro golfers have no expectation of privacy. Can I do the same to amateurs at my local public course? (Can you stop me?)
"In what seems like a surreal mixture of life imitating art, the Golf Channel has taken the wraps off a new camera drone. The hover camera appears to have 8 independent rotors supporting what looks like a gyro-stabilized HD camera. Though it is far from silent, the new drone will be on the course this week at the PGA Tour event taking place at the Arnold Palmer Invitational at Bay Hill in Florida. No word on whether or not Lord Vader will be using these to monitor rebel activity on Hoth."

(Related) Perhaps we should add “Drone Driving” to our Criminal Justice department?
"Curricula and research projects related to drones are cropping up at both large universities and community colleges across the country.  In a list of 81 publicly-funded entities that have applied for a certificate of authorization to fly drones from the Federal Aviation Administration, more than a third are colleges...  Schools — and their students — are jockeying for a position on the ground floor of a nascent industry that looks poised to generate jobs and research funding in the coming years. 'We get a lot of inquiries from students saying, "I want to be a drone pilot,"' says Ken Polovitz, the assistant dean in the University of North Dakota's John D. Odegard School of Aerospace Sciences."


This will allow Amazon to start trading in “used” eBooks, right? Think of the negotiating advantage this gives them... Will we need an App to trace the chain of custody?
March 19, 2013
CDT - Big Win in Supreme Court Case on "First Sale"
CDT: "The Supreme Court issued a decision today that is a major win for everyone who relies on copyright law's "first sale" doctrine -- including the millions of Internet users who have flocked to Craigslist, eBay, and similar online tools to buy, sell, and "freecycle" all kinds of stuff. The case, Kirtsaeng v. Wiley, effectively asked the Court to consider whether copyright owners should fully control all downstream distribution of copyrighted items manufactured overseas. As CDT and technology industry allies explained in our legal brief in the case last summer, giving copyright owners this kind of indefinite stranglehold on foreign-made goods would be disastrous for everything from yard sales to libraries to the thriving online resale markets that are empowering individual Internet users and small businesses. It would mean that, before you could sell or even lend a legally purchased book (or DVD, or toy with a copyrighted logo, or device with built-in software, etc.), you would have to get the copyright holder's permission... In clear and decisive terms, today's decision confirms that, once you lawfully acquire a book or album or toy, you own it and can re-sell, lend, or give it away as you please. You don't have to try to determine where it was printed or manufactured before you put it up on Craigslist or eBay."

(Related) Another dose of reality that the RIAA will simply ignore…
"European Commission's Institute for Prospective Technological Studies has published a study which concludes that the impact of piracy on the legal sale of music is virtually nonexistent or even slightly positive.  The study's results suggest that Internet users do not view illegal downloading as a substitute for legal digital music and that a 10% increase in clicks on illegal downloading websites leads to a 0.2% increase in clicks on legal purchase websites.  Online music streaming services are found to have a somewhat larger (but still small) effect on the purchases of digital sound recordings, suggesting a complementary relationship between these two modes of music consumption.  According to the results, a 10% increase in clicks on legal streaming websites leads to up to a 0.7% increase in clicks on legal digital purchase websites."  
It's worth noting that this study only measured the effect of piracy on online purchases, not on revenue from physical formats.

(Related)
March 19, 2013
Report - the reality of the public library ebook marketplace reflected in usage data from a selection of public libraries
Matt Weaver, Board member, Library Renewal, March 2013: "In order to serve our constituents with electronic content, libraries need to be able to understand how our collections are being used.  This paper aims to present library-centered usage data to help libraries make decisions with regards to e-content, and to counter media and industry hype.  Much has been written about the impact of major publisher changes on library lending, which are noted in the Sidebar. By looking at these events in the context of actual usage data, this report endeavors to demonstrate that a vendor-driven ebook model is neither extensible nor sustainable."


Just out of curiosity, how would you enforce this? Perhaps there’s an App for that?
Lionel De Souza writes:
The European Union’s Article 29 Data Protection Working Party (“WP29”), which consists of the 27 data protection authorities of the European Union Member States, has published its “Opinion on Apps in Smart Devices”, adopted on 27 February 2013 (the “Opinion”).
Read more on Hogan Lovells Chronicle of Data Protection.


Perspective. Mobile replaces Cable? More fun than texting while driving?
ABC said to be developing live TV streaming mobile app


For my Intro to IT students...
The popularity of Android and iOS has put a target on their virtual backs. These operating systems are a new frontier for those who use malware to achieve nefarious goals. Many users don’t take security seriously and will happily download dangerous apps they’d never dream of downloading to their PC.
App stores have hindered as much as they’ve helped. While they provide some policing, and remove known malware, they also lend a facade of credibility to everything they sell. Users assume apps have gone through rigorous testing, but that’s not true. You have to watch out for yourself – so here are warning signs to look for when grabbing a new app.


More places to look for the “perfect” textbook…
16 Companies Working On E-Textbooks Of The Future
The e-textbook movement stands to reshape instruction as new education technologies continue to fill classrooms via tablets and other mobile devices.
Meanwhile, the e-textbook market continues to evolve, and though many of the publishers’ names have remained the same, new players have emerged, and old companies are adopting new strategies. Here are 16 names in e-textbooks that you should know about, as well as what each of them is doing to set themselves apart in a competitive new area of education: