Saturday, April 27, 2013

Half the size of the T.J.Maxx or Heartland data breaches, but the biggest one recently. I doubt it will stay in the news for long.
Update: Double-WOW. Their breach notice is already up on the California Attorney General’s web site. According to their submission to the state, the breach occurred on April 5 and was discovered on April 12. Original post follows:
Wow. is reporting:
LivingSocial, the daily deals site owned in part by Amazon, has suffered a massive cyber-attack on its computer systems, which an email — just sent to employees and obtained by — said resulted in “unauthorized access to some customer data from our servers.”
The breach has impacted 50 million customers of the Washington, D.C.-based company, who will now be required to reset their passwords. All of LivingSocial’s countries across the world appear to have been affected, except in Thailand, Malaysia, Indonesia and the Philippines, as LivingSocial units Ticketmonster and Ensogo there were on separate systems.
One positive note in a not-so-positive situation: The email sent to employees and customers noted that neither customer credit card nor merchant financial information was accessed in the cyberattack.
Read more on, where they’ve posted the text of the internal message and provide additional details.

This has 'Bad' written all over it. Someone's security procedures missed something that would have alerted them two years ago, and no one noticed the weak procedure. No one will emerge from this garbage smelling fresh.
OneWest Bank has been notifying customers of a breach that occurred back in 2011.
According to their letter, a copy of which they submitted to California under the state’s breach reporting requirements, the bank
recently learned that one of our service providers, was the victim of an illegal and unauthorized intrusion into its network (“Network Intrusion”) during the first quarter of 2011. In response, the service provider enhanced the security of its network systems, cooperated with law enforcement including the United States Secret Service (“USSS”), and investigated using leading outside security firms.
Information that was accessed included customer information such as name, address, birthdate, phone number, drivers license number, passport number, and Social Security Number. The bank does not believe that the data were downloaded or copied, but offered customers free credit monitoring services.
The letter does not state when the unnamed vendor first learned of the breach or how it learned of it. I emailed the bank on Wednesday to inquire, and although they indicated they would get back to me with information, I have not heard back from them with answers to those questions. So… did the vendor know about this years ago or months ago and first informed them now, or did the vendor first learn of the breach now, and in any event, how did the vendor learn of the intrusion?
Somewhat surprisingly – particularly in light of the delayed discovery and notification – I do not see any apology from the bank in their notification letter or even recognition that customers might be dismayed or angry about the delayed notice.

Just keep your thumb off the scales of Justice!
CISPA Is Dead. Now Let’s Do a Cybersecurity Bill Right
The controversial Cyber Intelligence Sharing and Protection Act (CISPA) now appears to be dead in the Senate, despite having passed the House by a wide margin earlier this month. Though tech, finance, and telecom firms with a combined $650 million in lobbying muscle supported the bill, opposition from privacy groups, internet activists, and ultimately the White House (which threatened to veto the law) seems to have proven fatal for now.
… Americans have grown so accustomed to hearing about the problem of “balancing privacy and security” that it sometimes feels as though the two are always and forever in conflict — that an initiative to improve security can’t possibly be very effective unless it’s invading privacy. Yet the conflict is often illusory: A cybersecurity law could easily be drafted that would accomplish all the goals of both tech companies and privacy groups without raising any serious civil liberties problems. [Might make for some interesting arguments at a Privacy Foundation seminar... Bob]

From the “Kick 'em while they're down” school of public service...
"New York City Police Commissioner Ray Kelly thinks that now is a great time to install even more surveillance cameras hither and yon around the Big Apple. After the Boston Marathon bombing, the Tsarnaev brothers were famously captured on security camera footage and thereby identified. That just may soften up Americans to the idea of the all-seeing glass eye. 'I think the privacy issue has really been taken off the table,' Kelly gloats."
[From the article:
Kelly dismisses critics who argue that increased cameras threaten privacy rights, giving governments the ability to monitor people in public spaces.
“The people who complain about it, I would say, are a relatively small number of folks, because the genie is out of the bottle,” Kelly said. “People realize that everywhere you go now, your picture is taken.” [From the “Hey, the knife was already in his chest, I just wiggled it around a bit” school of phoney justifications Bob]
… As Reason's own Brian Doherty has pointed out, surveillance advocates conveniently forget that it was private security cameras from which footage is shared with authorities only in emergencies, like the aftermath of the bombing, that did the honors in Boston

Meet the Stalkers
Behind the mysterious world of data brokers, who have access to a lot more of your life than you think

Unless of course, this helps them make a lot of money...
"'It's a deal with the devil,' one studio executive [said]. 'Cinedigm is being used as their pawn.' Cinedigm announced this weekend that it would offer the first seven minutes of the Emily Blunt-Colin Firth indie Arthur Newman exclusively to BitTorrent users, which number up to 170 million people.... Hollywood studios have spent years and many millions of dollars to protect their intellectual property and worry that by teaming up with BitTorrent, Cinedigm has embraced a company that imperils the financial underpinnings of the film business and should be kept at arm's length. 'It's great for BitTorrent and disingenuous of Cinedigm,' said the executive. 'The fact of the matter is BitTorrent is in it for themselves, they're not in it for the health of the industry.' [Note: BitTorrent is not in the movie industry Bob] Other executives including at Warner Brothers and Sony echoed those comments, fretting that Cinedigm had unwittingly opened a Pandora's box in a bid to get attention [If we were not so mad, we'd call that 'advertising' Bob] for its low-budget release. ... 'Blaming BitTorrent for piracy is like blaming a freeway for drunk drivers,' Jill Calcaterra, Cinedigm's chief marketing officer said. 'How people use it can be positive for the industry or it can hurt the industry. We want it to help us make this indie film successful.' ... 'We'll be working with all of [the studios] one day,' [Matt Mason, BitTorrent's vice president of marketing] said. 'It's really up to them how quickly they come to the table and realize we're not the villain, we're the heroes.'"

For my Computer Forensics class. Copy (steal?) files easily. Plant evidence! What else could you desire?
… Even though most modern laptops let you create Wi-Fi hotspots, not all phones allow you to easily set up sharing permissions that enable file transfer between the computer and phone. While there are phone applications that help you find a workaround or solution for this, they are usually limited to a single type of phone and computer operating system. In that situation, the problem becomes that you are unable to transfer files to all types of handheld devices and computers. Here to be the ultimate solution for all of these inconveniences is the user friendly tool called Sharable.
Sharable is a free to use smartphone and computer application that brilliantly facilitates file sharing between multiple operating system types. Using this app, you can share files between phones running iOS and Android; files can be shared among phones, or to and from computers running Mac as well as Windows. You can install the app on each of your devices and view the connected ones in your app’s dashboard.
… Remember that the devices you use for transfer should all be connected over the same local Wi-Fi network.

YouTube also has many Math tutorial videos, so I'm sure my students will want to string a bunch of them together... (Yeah, I don't believe that either.)
YouTube is a highly popular video streaming website that people use for streaming various videos. Music videos are the most common type of videos streamed by people on YouTube. You will find an amazing collection of old and modern music on YouTube, enough to fill your music quota for the day. This is why people create playlists on YouTube. But to make those playlists you need to add tracks after signing into YouTube; the same applies to checking out those playlists. Here to help you create music playlists from YouTube songs without requiring you to sign into YouTube is an excellent website called Jiggyape.

(Related) Okay, this is more likely than Math videos...

Everyone could use this...
… With Prey, you’ll never have to worry about absentmindedness or theft ever again, at least when it comes to your mobile devices.
Prey is great for three main reasons – it’s easy to set up, it’s easy to use, and you won’t ever have to pay a cent to use it. There’s no trial period or crippled feature set here – the free version is enough to keep your devices adequately protected. Of course, there’s a premium version but its features are mostly for power users ...
… In order to use Prey, you’ll need to create a free account on their website. Why, you ask? Because the individual installations on each device (PC, Mac, Android, etc.) only provide the capabilities for tracking those particular devices. The actual control panel, or dashboard, is entirely web-based for your convenience. In other words, no matter which device you lose, you’ll always be able to track them down as long as you have Internet access.
… Prey is available on the following platforms: Windows, Mac, Linux, iOS, and Android. For the desktop OSes, all you need to do is download the installer files (or packages) from the website and run them like any other installer. For the mobile apps, you can find them in the Apple Store or Google Play.
… When a device is set to Missing, it will begin sending Reports to the central Prey servers. How often does the device send a report? You can set it in the dashboard. You can also set the activation and deactivation phrases. If you have Prey set up on a phone, send these phrases by SMS to your device in order to wake up or shut down Prey.
… Each Prey report can contain as much or as little data as you choose and these options can be toggled in the dashboard.
For example -
  • Geo will include geolocation data based on GPS in the report.
  • Network will include information such as the device’s current IP address and nearby WiFi networks.
  • Webcam will attempt to take a picture from the phone’s camera. If you have Prey installed on a laptop, you can also choose to include Session data (e.g., a screenshot to show what the thief is doing with the computer).
Prey can also perform a few actions on the lost/stolen device -
  • Alarm blasts a sound for 30 seconds to help you locate it.
  • Alert will notify the thief that you are tracking the device.
  • Lock the device with a password to prevent usage.
  • Secure deletes sensitive data on the device so no one can ever access it.

Friday, April 26, 2013

The problem with drawing a line in the sand is, you must act when someone crosses it. The problem with failing to draw a line is, that same someone assumes you don't really care. I find this interesting because we have many areas (CyberWar) that have no clearly defined lines of any kind.
Seeing Red
If Syria has used chemical weapons against its own people and crossed Obama’s red line, how should the president respond?
It seemed for a moment today that we might soon be at war with Syria.
Secretary of Defense Chuck Hagel told reporters that, according to new intelligence analyses, Syrian president Bashar al-Assad has likely used chemical weapons, specifically sarin, against rebel forces.

Interesting question. My guess is that this will go away when everything is on your smartphone. (and that too will hold unencrypted data as you lose the phone in even more places.)
OptiNose US Inc. has been notifying some of its consultants that their names and Social Security numbers were on a laptop stolen from an employee’s car.
The laptop was stolen on March 26 in a Philadelphia suburb, and OptiNose started sending out notification letters on April 16. The letter did not inform recipients that the laptop was stolen from an unattended vehicle. The letter states that OptiNose “has no information that any personal data has been accessed by an unauthorized party.” They do not state whether there was any software on the laptop that would even provide such information.
OptiNose offered those affected credit monitoring at the firm’s expense, but get this – enrollees have to pay for the service and then submit a request for reimbursement.
The notification letter does not indicate whether the employee was disciplined at all or what steps OptiNose is taking to prevent this from ever happening again.
If you get the sense that I am unimpressed with their handling of this breach, you’re right.
The incident was reported to the New Hampshire Attorney General’s Office on April 16 and the Vermont Attorney General’s Office on April 23.

The Total Information Awareness (TIA) project was dropped due to public backlash. The part of that effort that pulled together public data would have been called the “PIA” – and that is what they are attempting here. (I'm sure it's just a coincidence that Privacy Impact Assessment has the same initials) NOTE: Appendix A lists the sites monitored. Appendix B lists the search terms followed.
April 25, 2013
Publicly Available Social Media Monitoring and Situational Awareness Initiative Update
Privacy Impact Assessment for the Office of Operations Coordination and Planning - Publicly Available Social Media Monitoring and Situational Awareness Initiative, DHS, Update April 1, 2013
  • "To monitor social media, National Operations Center Media Monitoring analysts only use publicly available search engines, content aggregators, and site-specific search tools to find items of potential interest to DHS. Once the analysts determine an item or event is of sufficient value to DHS to be reported, they extract only the pertinent, authorized information, [Authorized by whom? Bob] and put it into a specific web application (Media Monitoring Capability (MMC) application) to build and format their reports. The unused information for each item of interest is not stored or filed for reference and is lost when the webpage is closed or deleted. [They delete your Facebook page? I think not! Bob] The MMC application also facilitates tracking previous reports to help avoid duplicative reporting and ensures further development of reporting on ongoing issues. It allows analysts to electronically document details using a customized user interface, and disseminate relevant information in a standardized format. Using the MMC application, NOC MMC analysts can efficiently and effectively catalog the information by adding meta-tags such as location, category, critical information requirement, image files, and source information. The application empowers NOC MMC analysts to have a better grasp of the common operating picture by providing the means to quickly search for an item of interest using any of the above-mentioned meta-tags as well as enabling them to respond to requests for information from other collaborating entities in a timely fashion."

(Related) Monitoring search terms and social media for fun and profit. More for my Statistics students.
Google, as many researchers know well, is more than a search engine—it’s a remarkably comprehensive barometer of public opinion and the state of the world at any given time. By using Google Trends, which tracks the frequency particular search terms are entered into Google over time, scientists have found seasonal patterns, for example, in searches for information about mental illnesses and detected a link between searching behavior and a country’s GDP.
A number of people have also had the idea to use these trends to try achieving a more basic desire: making money. Several studies in recent years have looked at the number of times investors searched for particular stock names and symbols and created relatively successful investing strategies based on this data.
A new study published today in Scientific Reports by a team of British researchers, though, harnesses Google Trends data to produce investing strategies in a more nuanced way. Instead of looking at the frequency that the names of stocks or companies were searched, they analyzed a broad range of 98 commonly used words—everything from “unemployment” to “marriage” to “car” to “water”—and simulated investing strategies based on week-by-week changes in the frequencies of each of these words as search terms by American internet users.
The changes in the frequency of some of these words, it turns out, are very useful predictors of whether the market as a whole—in this case, the Dow Jones Industrial Average—will go down or up (the Dow is a broad index commonly considered a benchmark of the overall performance of the U.S. stock market).
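To make the mechanism concrete for the Statistics students, here is an added toy backtest of a search-volume signal of the kind the article describes. It is not the study's code: the trading rule (compare this week's volume with the mean of the previous few weeks; a rise means short the index next week, a fall means go long) is an assumed one, and both series are constructed so the example runs offline, not real Google Trends or Dow Jones data.

```python
"""Added example, not the study's code: a toy backtest of a search-volume
signal. SEARCH_VOLUME and INDEX_CLOSE are constructed weekly series, and the
long/short rule in backtest() is an assumption for illustration."""

from statistics import mean
from typing import List, Sequence, Tuple

# Constructed weekly search volume for one term and weekly index closes.
SEARCH_VOLUME = [10, 10, 10, 14, 9, 15, 8, 12, 7, 11]
INDEX_CLOSE = [100, 101, 102, 103, 100, 104, 99, 105, 100, 106]


def search_signals(volume: Sequence[float], window: int = 3) -> List[int]:
    """Signal for week t: +1 if volume rose against the mean of the previous
    `window` weeks, -1 if it fell, 0 where there is no history yet."""
    signals: List[int] = []
    for t, v in enumerate(volume):
        if t < window:
            signals.append(0)
            continue
        delta = v - mean(volume[t - window:t])
        signals.append(1 if delta > 0 else -1 if delta < 0 else 0)
    return signals


def backtest(volume: Sequence[float], closes: Sequence[float],
             window: int = 3) -> Tuple[float, float]:
    """Assumed rule: rising searches in week t -> short the index for week t+1,
    falling searches -> long. Returns (strategy_return, buy_and_hold_return)
    measured over the same weeks, so the two are comparable."""
    if len(volume) != len(closes):
        raise ValueError("series must be the same length")
    signals = search_signals(volume, window)
    equity = 1.0
    for t in range(window, len(closes) - 1):
        weekly_return = closes[t + 1] / closes[t] - 1
        position = -signals[t]          # +1 long, -1 short, 0 flat
        equity *= 1 + position * weekly_return
    buy_and_hold = closes[-1] / closes[window] - 1
    return equity - 1, buy_and_hold


if __name__ == "__main__":
    strategy, hold = backtest(SEARCH_VOLUME, INDEX_CLOSE)
    print(f"signal strategy {strategy:+.1%}, buy and hold {hold:+.1%}")
```

The constructed series were chosen so the rule wins, which is exactly the trap in this kind of study: with 98 words and a free choice of window, some term will look predictive on the weeks used to fit it. The only meaningful check is the same rule on weeks it never saw.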

For my WolframAlpha using Statistics students.
April 25, 2013
Datascience of the Facebook World via Wolfram|Alpha Blog
"More than a million people have now used our Wolfram|Alpha Personal Analytics for Facebook. And as part of our latest update, in addition to collecting some anonymized statistics, we launched a Data Donor program that allows people to contribute detailed data to us for research purposes. A few weeks ago we decided to start analyzing all this data. And I have to say that if nothing else it’s been a terrific example of the power of Mathematica and the Wolfram Language for doing data science. We’d always planned to use the data we collect to enhance our Personal Analytics system. But I couldn’t resist also trying to do some basic science with it... So a first quantitative question to ask is: How big are these networks usually? In other words, how many friends do people typically have on Facebook? Well, at least for our users, that’s easy to answer. The median is 342—and here’s a histogram showing the distribution (there’s a cutoff at 5000 because that’s the maximum number of friends for a personal Facebook page)..."

Because in some countries, some types of information are banned...
Google Sees More Government Requests to Remove Content 'Than Ever Before'
In the latest edition of its Transparency Report, released this morning, Google revealed that the final six months of 2012 saw an increase in government requests to remove content -- often YouTube videos. All told, Google received 2,285 such requests (compared with 1,811 during the first half of 2012) that named a total of 24,179 pieces of content for removal (compared with 18,070 in the preceding period).
… The number of content-removal requests from various American government agencies and courts has steadily increased in recent years, totaling 321 (second only to Brazil) for the most recent period.

I requested this from my local library. I certainly don't need to buy it.
"Eric Schmidt and Jared Cohen begin their new nonfiction book, The New Digital Age, with a rather bold pronouncement: 'The Internet is the largest experiment involving anarchy in history.' Subsequent chapters deal with how that experiment will alter life in decades to come, as more and more people around the world connect to the Internet via cheap mobile phones and other devices."

Thursday, April 25, 2013

For my Ethical Hackers. I told you word would leak out. Remember, we're only “gathering data for academic purposes.”
"Using a Samsung Galaxy SIII — one of the most popular smartphones available in Canada — and a free app downloaded from the Google Play store, CBC was able to read information such as a card number, expiry date and cardholder name simply by holding the smartphone over a debit or credit card. And it could be done through wallets, pockets and purses. ... Although the NFC antennas in current smartphones need to be very close to a card in order to work — no farther than 10 cm — that could change with the next generation of Android smartphones. Legary said the Samsung Galaxy S4, set to go on sale this spring, might have a much more capable NFC antenna, which could not only read credit cards from a greater distance, but could also be able to read the chips embedded in enhanced driving licenses and passports." [If I can read it, I can clone it. Bob]
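For the Ethical Hackers: the three fields CBC read (card number, expiry, cardholder name) come back from a contactless EMV card as BER-TLV records, and decoding them is the whole "app". The following is an added example, not the CBC app or any vendor's code. The tag numbers are the standard EMV ones (5A, 5F24, 5F20, 57); the sample record is constructed, not captured from a real card, and the PAN is the well-known 4111... test number.

```python
"""Added example (not the CBC app or vendor code): decode the BER-TLV records
a contactless EMV card returns to READ RECORD and extract PAN, expiry and
cardholder name. SAMPLE_RECORD is constructed, not read from a real card."""

from typing import Dict, Iterator, Tuple

# EMV tags (hex-string form) for the fields of interest.
TAG_PAN = "5A"        # Application Primary Account Number (BCD, F-padded)
TAG_EXPIRY = "5F24"   # Application Expiration Date, YYMMDD in BCD
TAG_NAME = "5F20"     # Cardholder Name, ASCII
TAG_TRACK2 = "57"     # Track 2 Equivalent Data: PAN 'D' YYMM ... (BCD)

# Constructed READ RECORD response: a '70' template wrapping three primitives.
SAMPLE_RECORD = bytes.fromhex(
    "70 1B"
    "5A 08 41 11 11 11 11 11 11 11"        # PAN 4111111111111111 (test number)
    "5F 24 03 15 12 31"                    # expiry 2015-12-31
    "5F 20 08 44 4F 45 2F 4A 4F 48 4E"     # "DOE/JOHN"
)


def iter_tlv(data: bytes) -> Iterator[Tuple[str, bytes, bool]]:
    """Yield (tag, value, is_constructed) for each top-level TLV in data."""
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):        # inter-record padding bytes
            i += 1
            continue
        start = i
        first = data[i]
        i += 1
        if (first & 0x1F) == 0x1F:         # multi-byte tag: more bytes while bit 8 set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                  # long-form length (0x81 nn, 0x82 nn nn)
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag}")
        i += length
        yield tag, value, bool(first & 0x20)   # bit 6 marks a constructed tag


def flatten(data: bytes) -> Dict[str, bytes]:
    """Recurse into constructed tags (70, 77, A5, ...) and map primitive tag -> value."""
    out: Dict[str, bytes] = {}
    for tag, value, constructed in iter_tlv(data):
        if constructed:
            out.update(flatten(value))
        else:
            out[tag] = value
    return out


def card_fields(record: bytes) -> Dict[str, str]:
    """Extract PAN, expiry (YYYY-MM) and cardholder name from one record."""
    tlv = flatten(record)
    fields: Dict[str, str] = {}
    if TAG_PAN in tlv:
        fields["pan"] = tlv[TAG_PAN].hex().upper().rstrip("F")
    elif TAG_TRACK2 in tlv:                # PAN also sits before the 'D' in track 2 data
        fields["pan"] = tlv[TAG_TRACK2].hex().upper().split("D")[0]
    if TAG_EXPIRY in tlv:
        yymmdd = tlv[TAG_EXPIRY].hex()
        fields["expiry"] = f"20{yymmdd[0:2]}-{yymmdd[2:4]}"
    if TAG_NAME in tlv:
        fields["name"] = tlv[TAG_NAME].decode("ascii").strip()
    return fields


def masked_pan(pan: str) -> str:
    """Keep only the BIN and the last four digits, which is all a log should hold."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    f = card_fields(SAMPLE_RECORD)
    print(masked_pan(f["pan"]), f["expiry"], f["name"])
```

Two practical notes. If you are "gathering data for academic purposes", log only the masked PAN; the full number plus expiry is cardholder data whether or not you ever use it. And the fields above are the static ones a READ RECORD returns; the per-transaction cryptogram a terminal actually verifies is produced by the card's own key, which this read does not touch.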

Should I say,“I've never seen that encrypted file before in my life” or “That's a file my lawyer asked me to keep for him.”
Here’s a Good Reason to Encrypt Your Data
… The issue is front and center as a federal magistrate is refusing to order a Wisconsin computer scientist to decrypt his data that the authorities seized from kiddie-porn suspect Jeffrey Feldman. The reason is simple: The Fifth Amendment right against compelled self-incrimination protects even those suspected of unsavory crimes, according to U.S. Magistrate William Callahan Jr. of Wisconsin, who wrote:
This is a close call, but I conclude that Feldman’s act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be tantamount to telling the government something it does not already know with ‘reasonably particularity’—namely, that Feldman has personal access to and control over the encrypted storage devices. Accordingly, in my opinion, Fifth Amendment protection is available to Feldman. Stated another way, ordering Feldman to decrypt the storage devices would be in violation of his Fifth Amendment right against compelled self-incrimination. (.pdf)
… Federal prosecutors did not immediately respond for comment, but said in court papers they have spent months trying to decrypt the data.
“The FBI is performing admirably in the digital arms race between those seeking to hide evidence of their wrongdoing through encryption and law enforcement officers seeking to uncover that evidence; but the expense in time and resources in investigating cases like this one is beginning to inhibit the provision of justice,” [“It would be lots cheaper if you allowed us to beat it out of him.” Bob] the government said (.pdf) in seeking the magistrate to compel the suspect to unlock the data.

Must be a new agent. All the movies and TV shows tell us that when cops need a warrant someone will say either “Judge X owes me a favor” or “Try Judge Y, he's a pushover.”
Cyrus Farivar reports:
A federal magistrate judge has denied (PDF) a request from the FBI to install sophisticated surveillance software to track someone suspected of attempting to conduct a “sizeable wire transfer from [John Doe’s] local bank [in Texas] to a foreign bank account.”
Back in March 2013, the FBI asked the judge to grant a month-long “Rule 41 search and seizure warrant” of a suspect’s computer “at premises unknown” as a way to find out more about these possible violations of “federal bank fraud, identity theft and computer security laws.”
In an unusually public order published this week, Judge Stephen Smith slapped down the FBI on the grounds that the warrant request was overbroad and too invasive.
Read more on Ars Technica.
Judge Smith recently commented on his case load for federal requests vs. his colleagues. One might think that federal prosecutors and law enforcement are avoiding him as he tends to set higher standards for approving warrants or requests. This latest opinion may be another case in point.

(On the other hand)
Declan McCullagh reports:
Senior Obama administration officials have secretly authorized the interception of communications carried on portions of networks operated by AT&T and other Internet service providers, a practice that might otherwise be illegal under federal wiretapping laws.
The secret legal authorization from the Justice Department originally applied to a cybersecurity pilot project in which the military monitored defense contractors’ Internet links. Since then, however, the program has been expanded by President Obama to cover all critical infrastructure sectors including energy, healthcare, and finance starting June 12.
Read more on CNET.

Do you think this might be “Coming soon to a TSA agent near you!”
"Israeli security officials at Ben Gurion airport are legally allowed to demand access to tourists' email accounts and deny them entry if they refuse, the country's top legal official said on Wednesday. Details of the policy were laid out by Attorney General Yehuda Weinstein in a written response to the Association for Civil Rights in Israel (ACRI), the group said in a statement. 'In a response dated April 24, 2013, the attorney general's office confirmed this practice,' ACRI said, quoting sections of the document which said it was only done in exceptional cases where 'relevant suspicious signs' were evident and only done with the tourist's 'consent'. 'Allowing security agents to take such invasive measures at their own discretion and on the basis of such flimsy "consent" is not befitting of a democracy,' commented Lila Margalit from ACRI."

I think I need a Glossary for all these government programs.
April 24, 2013
DHS Releases Revised Privacy Impact Assessment on Internet Monitoring Program
EPIC: "The Department of Homeland Security has released a Privacy Impact Assessment for Einstein 3 - Accelerated. Einstein 3 is a government cybersecurity program that monitors Internet traffic. The monitoring includes scanning email destined for .gov networks for malicious attachments and URLs. According to DHS, the basis of the government’s authority to perform the monitoring is National Security Presidential Directive 54. EPIC is pursuing FOIA litigation to force the government to release the Directive to the public. For more information, see EPIC v. NSA - Cybersecurity Authority."
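The one concrete mechanism in that description is scanning inbound mail for malicious attachments and URLs, which is ordinary indicator matching. The following is an added example of that check, not DHS or Einstein 3 code: it parses a message, pulls URLs out of the text parts, hashes the attachments, and compares both against indicator lists. The message, the blocklisted host and the SHA-256 indicator are all constructed here so it runs offline.

```python
"""Added example, not DHS code: indicator matching over one inbound message.
Embedded URLs are checked against a host blocklist and attachments against
SHA-256 indicators. The message, hosts and hashes are all constructed."""

import hashlib
import re
from email import message_from_bytes
from email.message import EmailMessage, Message
from typing import Dict, List
from urllib.parse import urlparse

# Constructed stand-in for an attached malicious executable.
SAMPLE_PAYLOAD = b"MZ\x90\x00 constructed stand-in for a malicious executable"

# Constructed indicator lists (a real deployment loads these from a feed).
BAD_HOSTS = {"updates.malicious-host.example"}
BAD_SHA256 = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(msg: Message) -> List[str]:
    """URLs from every text part that is not itself an attachment."""
    urls: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.get_filename():
            continue
        body = part.get_payload(decode=True) or b""      # undoes base64 / QP
        text = body.decode(part.get_content_charset() or "utf-8", "replace")
        urls.extend(URL_RE.findall(text))
    return urls


def attachment_hashes(msg: Message) -> Dict[str, str]:
    """filename -> SHA-256 of the decoded attachment body."""
    out: Dict[str, str] = {}
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        out[name] = hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()
    return out


def scan(raw: bytes) -> List[str]:
    """Findings for one raw RFC 5322 message; an empty list means clean."""
    msg = message_from_bytes(raw)
    findings: List[str] = []
    for url in extract_urls(msg):
        host = (urlparse(url).hostname or "").lower()   # match on host, not full URL
        if host in BAD_HOSTS:
            findings.append(f"url:{url}")
    for name, digest in attachment_hashes(msg).items():
        if digest in BAD_SHA256:
            findings.append(f"attachment:{name}:sha256={digest}")
    return findings


def build_sample(malicious: bool) -> bytes:
    """Constructed message; the malicious variant carries both indicators."""
    m = EmailMessage()
    m["From"] = "billing@sender.example"
    m["To"] = "analyst@agency.example"
    m["Subject"] = "Invoice"
    link = ("http://updates.malicious-host.example/inv.php" if malicious
            else "https://intranet.example/inv")
    m.set_content(f"Please review the attached invoice.\n{link}\n")
    m.add_attachment(
        SAMPLE_PAYLOAD if malicious else b"%PDF-1.4 constructed benign document",
        maintype="application", subtype="octet-stream",
        filename="invoice.exe" if malicious else "invoice.pdf",
    )
    return m.as_bytes()


if __name__ == "__main__":
    for finding in scan(build_sample(malicious=True)):
        print(finding)
```

Matching on the parsed hostname rather than the raw URL string matters: a link padded with a path, a port or a different scheme still resolves to the same host, and that is what the blocklist names. Hash matching of attachments is exact by design, so a recompiled sample slips past it; this is the cheap first layer, not the whole program.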

April 24, 2013
EPIC FOIA Request Reveals Details About Government Cybersecurity Program
EPIC: "New documents obtained by EPIC in a Freedom of Information Act lawsuit reveal that the Department of Defense advised private industry on how to best circumvent federal wiretap law. The documents concern a collaboration between the Defense Department, the Department of Homeland Security, and private companies to allow government monitoring of private Internet networks. Though the program initially only applied to defense contractors, an Executive Order issued by the Obama administration earlier this year expanded it to include other "critical infrastructure" industries. The documents obtained by EPIC also cited NSPD 54 as one source of authority for the program. NSPD 54 is a presidential directive issued under President Bush that EPIC is pursuing in separate FOIA litigation. For more information, see EPIC: EPIC v. DHS (Defense Contractor Monitoring), and EPIC: EPIC v. NSA - Cybersecurity Authority."

Of course they will. (And probably many other “skies.”) That allows us to withdraw without actually withdrawing from a country declared “ready to defend itself” that we have determined isn't actually ready to defend itself. Makes perfect sense!
After U.S. Troops Leave, Armed Drones Will Patrol Afghanistan’s Skies

Completely unrelated. “Ah man, they're trying to take away my God-given right to use my .22-armed drone to wipe out the prairie dogs in my horse pasture!”
"A DC Area Drone User Group has posted an open letter in response to recent comments by Eric Schmidt about banning drones from private use. The closing section reads: 'Personally owned flying robots today have the power to change the balance of power between individuals and large bureaucracies in much the same way the Internet did in the past. And just as the military researchers who developed GPS for guiding munitions could never have imagined their technology would be used in the future to help people conduct health surveys in the world's poorest countries or help people find dates in the world's richest, there is a whole world of socially positive and banal applications for drones that are yet to be discovered. We should embrace this chance that technology provides instead of strangling these opportunities in their infancy. Our hope is that you and the rest of Google's leadership will embrace this pro-technology agenda in the future rather than seeking to stifle it. We would welcome the opportunity to speak further with you about this topic.'"

Prometheus Facebook Unbound, a four act play about the torments of Mark Zuckerberg
Associated Press reports that Facebook has won a round in court against a German data protection regulator who was trying to block Facebook from requiring real name registration:
Schleswig-Holstein state’s data protection office had argued that the ban on fake names breaches German privacy laws and European rules designed to protect free speech online.
But a state appeals court has confirmed a lower tribunal’s ruling that German privacy laws don’t apply to Facebook because the social networking site has its European headquarters in Ireland, where privacy rules are less stringent.
Read more on Washington Post.

It takes the government 281 pages to say what NPR's “The Car Guys” summarized in a single bumper sticker: “Honk if you love Jesus, Text if you want to meet him” Same old Question: How does the phone know you are the driver and not a passenger?
How Federal Distracted-Driving Guidelines Will Shape Your Next Phone
… The guidelines – and they’re just that, suggestions, not requirements – are laid out in a 281-page report by the National Highway Traffic Safety Administration (.PDF) and the Department of Transportation, which under the direction of outgoing transportation secretary Ray LaHood have made distracted driving a pet cause.
… The main thrust of the recommendations is limiting the amount of time the driver takes his eyes off the road or hands off the wheel, with a maximum of two seconds for each input and total of 12 seconds to complete a task. NHTSA wants automakers to disable certain functions of a car’s built-in infotainment systems whenever the vehicle is in motion.
Specifically, NHTSA wants automakers to nix the ability to enter text for messaging and internet browsing, disable any kind of video functionality (think Skype, FaceTime and watching the latest Lady Gaga video) and prevent text-based information from being displayed, including web pages, social media content, emails and text messages.

“Hey, it's your law. I'm just following it.” Now we can expect them to write a version of the law that 'gets medieval.'
"Aereo's court battles are far from over, to be sure, but the ruling earlier this month that the TV streaming service doesn't violate copyright laws must have the folks at music streaming service Pandora shaking their heads, wondering why they're still paying royalties that currently consume more than half their revenues. The implications of Aereo's business model are far-reaching and may ultimately 'be resolved by Congress, just as it did when cable first came on the scene, by passing legislation to redefine a public performance,' writes broadcast industry attorney David Oxenford."

For a Risk Assessment class.
April 24, 2013
TRAC - Domestic Terror Cases Outnumbering International Two-to-One in FY 2013
"During February 2013, there were 16 new federal criminal prosecutions for terrorism and national internal security offenses, according to the latest available data from the Justice Department. So far during fiscal year 2013 (which began October 2012), a total of 83 such cases have been filed. These criminal prosecutions have been brought in a surprisingly large number of federal districts from all regions of the country. And at this point, domestic terrorism cases outnumber international terrorism by a factor of two-to-one. For more details, including district rankings, see the report here."

For those times when you can't waterboard? I seem to remember a whole library full of ways to spot lies from body language, but changes in word choice are well documented also. I wonder if we could expand on this?
… Below are some of those ways to figure out whether or not someone is pulling the virtual wool over your eyes. Are the determining factors perfect? No. Neither are lie detector results. Nevertheless, they are a good start if you have a quick mind and generally know people fairly well.
Abnormal Changes In Syntax
Varying Response Times During IM
Status Updates Simply Don’t Line Up

For my Math students. Look at the difference between “Upper Level” workers and “Lower Level” workers and tell me how much Math you need to move up.
Here's How Little Math Americans Actually Use at Work
… As it turns out, less than a quarter of U.S. workers report using math any more complicated than basic fractions and percentages during the course of their jobs. The graphs below are based on survey data compiled by Northeastern University sociologist Michael Handel. Handel surveyed about 2,300 workers first from 2004 through 2006, then again between 2007 and 2009. The catchall category of "any more advanced" math includes algebra through calculus.

Wednesday, April 24, 2013

This is (according to Google) my 2500th Centennial-Man blog post.
Since I do it all wrong, posting many articles at once, I have to recalculate the details at each milestone. 2500 posts is approximately 25000 articles, gleaned from (complete SWAG here) 350,000 articles read. Of course I've been sending “Clippings” emails for years before that, and before the emails I actually used to cut articles from the technical journals and mark them up with highlighters and actual ink comments (how 'old school').
Of course, 2500 days is 6.8 years or 82 months or 357 weeks (according to and I estimate I spend at least 2 hours each day reading, clipping and commenting. So that's 5000 hours (208 days or 300,000 minutes) spent in a futile attempt to keep my brain from turning to mush.

Just a quick question. Is an attack on Twitter considered an attack on our (the US) infrastructure? If not, why not? (Look at the graph!)
What Happened to Stock Markets When the AP's Twitter Account Was Hacked
Stock markets momentarily plunged after a tweet sent by the Twitter account of the Associated Press, which was apparently hacked, erroneously reported that explosions at the White House had injured US president Barack Obama.
AP staff have confirmed that the tweet was "bogus," and the @AP account has been suspended.
The Dow fell 146 points before recovering almost immediately. The S&P 500, which was hovering around 1576 before the mischievous tweet hit, tumbled by 0.8% in a matter of moments, falling to nearly 1563 at 1:10 p.m. EST.
… In a knee jerk move, the CBOE Volatility Index, or Vix -- the so-called fear gauge of the US stock market -- shot sharply higher

In theory, I speak English. Fortunately, I've already Googled “lakh” to translate past articles. NOTE: You need backups as soon as you have the data in hand! Hidden question: How will they notify the people whose data they lost?
Data loss, but no seemingly big risk of data misuse:
Maharashtra government has lost data of about three lakh people collected under the controversial Aadhaar scheme, mostly from Mumbai who enrolled into the number scheme.
According to a report in the Times of India, the data containing permanent account number (PAN) and biometric information was lost while being uploaded from Mumbai to Unique Identification Authority of India (UIDAI) server in Bengaluru. “While the transmission was in progress, the hard disk containing data crashed. When the data was downloaded in Bangalore, it could not be decrypted,” the newspaper report said quoting an official from Maharashtra information technology (IT) department, which is overseeing the enrolment of citizens.
Read more on MoneyLife.
Three lakh is 300,000 people. And if you’re wondering as to whether there was a backup, the Times of India reports that those whose data were lost will have to re-register for their Aadhaar ID – a time-consuming and frustrating process. Was there no backup of the drive??

A day for reminders?
April 23, 2013
Microsoft Security Intelligence Report v14: Why antivirus software matters
"The latest volume of the Security Intelligence Report (SIR) highlights the importance of using antivirus software. Antivirus software helps protect your computer from malicious software (malware) and can be downloaded or installed inexpensively or at no charge. Still, according to the SIR v14 findings, 24 percent of computers worldwide were not running up-to-date antivirus software, leaving them 5.5 times more likely to be infected with viruses."
  • SIR Volume 14: July 2012 to December 2012 - The Microsoft Security Intelligence Report (SIR) analyzes the threat landscape of exploits, vulnerabilities, and malware using data from Internet services and over 600 million computers worldwide. Threat awareness can help you protect your organization, software, and people.

Refining our understanding of the risk environment...
Caroline Donnelly reports:
The Information Commissioner’s Office (ICO) has stepped up its enforcement activities, by issuing double the number of data breach fines in 2012-2013 as it did in the previous 12 months.
This is according to data obtained via a Freedom of Information (FoI) request by digital comms vendor ViaSat.
Between March 2012 and March 2013, there were 1,150 self-reported breaches made to the ICO, despite only 730 being made between 22 March 2011 and 17 February 2012.
Read more on IT Pro.

Oops! “...but look how quickly we made the arrest!”
Focus Shifts in Ricin Case as Charges Are Dropped
… One day after the F.B.I. said it could find no evidence that the man, Paul Kevin Curtis, was behind the plot, a federal judge released him from jail and federal authorities shifted focus to another person of interest in the case.
… According to a senior federal law enforcement official, the authorities were first drawn to Mr. Curtis because the language used in the letters was strikingly similar to language he had used before in letters to elected officials.
Prosecutors did not immediately respond to questions about the dropped charges. A court filing released Tuesday said the “ongoing investigation has revealed new information.”

April 23, 2013
EFF - How Facebook Teams Up With Data Brokers to Show You Targeted Ads
EFF: "Recently, we published a blog post that described how to opt out of seeing ads on Facebook targeted to you based on your offline activities. This post explained where these companies get their data, what information they share with Facebook, or what this means for your privacy. So get ready for the nitty-gritty details: who has your information, how they get it, and what they do with it. It’s a lot of information, so we’ve organized it into an FAQ for convenience."

Okay, ya got me. Everything here is repackaged, except my words of wisdom.
Is It Journalism, or Just a Repackaged Press Release? Here's a Tool to Help You Find Out
… Today, the Sunlight Foundation has unveiled a tool that will help us all with this work. "The tool is, essentially, an open-source plagiarism detection engine," web developer Kaitlin Devine explained to me. It will scan any text (a news article, e.g.) and compare it with a corpus of press releases and Wikipedia entries. If it finds similar language, you'll get a notification of a detected "churn" and you'll be able to take a look at the two sources side by side.
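As an added illustration of the detection idea described above (this is not the Sunlight Foundation's code), here is a small word-shingle containment check in Python: the article and each press release are broken into overlapping five-word windows, and the fraction of the article's windows that also appear in a source is its "churn" score. The texts, the source names and the reporting threshold are constructed for the example.

```python
import re

# Constructed sample corpus: one press release and two articles.
PRESS_RELEASE = (
    "Acme Corporation today announced the launch of its new widget platform, "
    "which the company says will transform how customers manage inventory. "
    "The platform will be available in the third quarter."
)
ARTICLE_CHURNED = (
    "In a statement, Acme Corporation today announced the launch of its new "
    "widget platform, which the company says will transform how customers "
    "manage inventory. Analysts were not immediately available for comment."
)
ARTICLE_ORIGINAL = (
    "Acme's inventory software has drawn mixed reviews from early users, "
    "several of whom told us the pricing remains unclear."
)

# Hypothetical corpus: maps a source name to its text.
CORPUS = {"acme-press-release-2013-04": PRESS_RELEASE}


def tokenize(text):
    """Lower-case word tokens; punctuation is dropped so wording, not layout, is compared."""
    return re.findall(r"[a-z0-9']+", text.lower())


def shingles(text, n=5):
    """Set of overlapping n-word windows (word shingles) from the text."""
    toks = tokenize(text)
    return {tuple(toks[i:i + n]) for i in range(len(toks) - n + 1)}


def containment(article, source, n=5):
    """Fraction of the article's shingles that also occur in the source (0.0 to 1.0).

    Containment rather than Jaccard is used because a short article copied from
    a long release should still score high.
    """
    art = shingles(article, n)
    if not art:
        return 0.0
    return len(art & shingles(source, n)) / len(art)


def churn_report(article, corpus, n=5, threshold=0.3):
    """Sources whose containment score is at or above the threshold, highest first."""
    hits = [(name, containment(article, text, n)) for name, text in corpus.items()]
    hits = [(name, score) for name, score in hits if score >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for label, article in (("churned", ARTICLE_CHURNED), ("original", ARTICLE_ORIGINAL)):
        print(label, churn_report(article, CORPUS))
```

A five-word window is long enough that ordinary phrases rarely collide by chance while a lifted sentence still produces a run of matches; shorter windows raise false positives, longer ones miss lightly edited copies.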

Tools & Techniques
LaTeX is a document markup language that is popularly used in academia. Researchers who are writing papers or books of their own on technical topics mostly choose LaTeX to prepare their documents. There are various desktop text editors that help you prepare documents using the LaTeX language. To share these documents, you must first save them and then send the file to your peers online. You must also make sure that they have a text editor installed that is capable of viewing and, if necessary, editing LaTeX files. In case the file’s recipient does not have LaTeX ready software, it is very difficult for them to view these files. An effective solution is offered by a site called writeLaTeX – it lets you write and share LaTeX from an online interface.
… Creating an account is not necessary but required in case you want to save your work and manage different saved documents. Your documents are published under a unique URL that can be shared with others for them to view and edit the document. Finished documents can also be exported to PDF files or ZIP files that include all the source files.
Similar tools: ScribTex, MonkeyTex and Verbosus.

Tuesday, April 23, 2013

Always informative.
Verizon has released the Verizon Data Breach Investigations Report (DBIR). You can download the Executive Summary here and the full report here.
The DBIR analyzes data from 19 organizations — covering more than 47,000 reported security incidents and 621 confirmed data breaches from the past year. Because VZ has the cooperation of so many organizations, it provides a unique opportunity to analyze data. Although we do not know what percent of the incidents in their analyses overlap with the more than 1200 incidents compiled by for 2012, I find it fascinating to look at where the two organizations’ reports agree, and they do agree on numerous key findings – including the fact that most incidents involve external agents, not insiders, that over half of incidents involve hacking, and that breaches from the healthcare sector, while garnering much media attention, account for only about 1% of breaches. Their report is also consistent with RBS/OSF’s report indicating that most incidents do not involve particularly sophisticated attacks and most could be easily prevented. Verizon’s report, however, gives us a first harder look at state-sponsored attacks and other factors that RBS/OSF’s report does not address, such as their finding that approximately two-thirds of confirmed breaches involved data at rest or data being processed – and not data in transit. Worryingly, the majority of breaches take months to detect (and the problem got worse in 2013 compared to their 2012 data), and most breaches are not detected by the entity’s IT personnel.
So… how many times do we have to tell people to purge data that’s no longer really needed and to monitor to ensure that if you have policies in place to protect data on mobile devices, those policies are being implemented? DBIR notes – and most of us would agree, I think – that there is no one-size fits all in terms of protecting assets. Knowing the risks for your industry and type of data is critical.
Read their report for more details, and kudos to them for another fine report.

Surely regulated firms have control of their own (official?) social media accounts and are required to keep records. This is targeted at employee personal accounts, right?
Securities regulators balk at employee social-media privacy
Securities regulators are advocating for special exemptions to new and pending state laws that prevent employers from snooping on employee Twitter or Facebook accounts.
The Financial Industry Regulatory Authority, an independent U.S. securities regulator that seeks to protect investors, is asking lawmakers in around 10 states to amend their legislation to allow financial firms to peek at social media accounts when employee misuse is suspected, a spokesperson told the Wall Street Journal.
The fear seems to be that brokers could use their social media accounts to spread information that would influence stocks, and that misdeeds would go unchecked without monitoring allowances.
At least six states including California, Illinois, New Jersey, and Delaware have passed legislation to prohibit employers from requiring an employee or applicant to hand over social media account usernames and passwords. Some 35 states have started considering adopting similar social-media legislation since the beginning of the year, according to the Journal.
… Though securities regulators and financial firms may not take kindly to being locked out of employee accounts, Wall Street has embraced social media in a different way. Earlier this year, the Securities and Exchange Commission decreed that it was okay for public companies to announce their news on Facebook or Twitter first, so long as investors were told ahead of time where to look for the disclosures.

In defiance of conventional wisdom?
Deregulate the Skies: Why We Can’t Afford to Fear Drones
… Until now, only law enforcement agencies and hobbyists have been allowed to operate drones or unmanned aerial vehicles (UAVs) and systems (UASs) in our airspace. But six new test sites will soon be announced for integrating commercial drones into U.S. airspace, because the Federal Aviation Administration (FAA) has been mandated by Congress to do so everywhere within just three years.
While we’re talking about commercial — not military — applications of drones, people still have concerns: especially around privacy. In their zeal to protect people from “eyes in the skies” collecting data without permission, privacy advocates want drone operators in the early test sites to be constrained by strict privacy policy requirements.
It sounds like a good idea, but it’s not. Such requirements are unwise and definitely premature, as my colleagues Jerry Brito, Adam Thierer, and I argue in our FAA filing today.

If there is a “least common denominator,” will Microsoft start designing products to address privacy concerns?
Microsoft asks: What’s your online privacy type?
What’s your privacy type? That’s the question Microsoft is asking with a new consumer campaign that’s focused on measuring consumer attitudes toward online privacy.
As part of its new initiative, the tech giant has put out a quiz asking people to assess their attitudes about online privacy. The spectrum goes from the unconcerned “Casual Surfer” to those who say “Privacy Please.”
Mary Snapp, Corporate Vice President & Deputy General Counsel at Microsoft, said that the quiz is supposed to get people talking about their attitudes toward online privacy.
… while Microsoft has heard that its users are very concerned about privacy, they’re less sure about how to address those worries.
Microsoft launched the quiz as part of a larger Web site dedicated to “Your Privacy” on Monday. The campaign is first focusing on the Washington, D.C. area — which included an ad in Monday’s print edition of The Washington Post — but will roll out across the country in the coming weeks.

Oh the joys of trying to be all things to all people. (With something for my Statistics students.)
The Many, Sometimes Conflicting, Problems With Facebook Home
… When Facebook Home launched, Wired called it a triumph in mediocrity. Home, and the first phone to feature it, simply aren’t made for tech enthusiasts. It’s for people who consider Facebook the Internet — or at least half of the Internet, with Google being the rest. It’s for your aunt who wants to like all of your photos or your friend who posts ten status updates a day. To that end, we gave Facebook Home a decent review.
But the people downloading Facebook Home have something else to say. More than half of the user reviews give it just one star. One. The criticism ranges from the fact it absolutely kills battery life — Home is a total resource hog — to too much Facebook to, oddly, too little Facebook. Here’s a breakdown of Facebook Home’s many, often conflicting, problems, according to users.

Interesting, if true.
Rumor: Apple returned batch of 8 million defective iPhones to Foxconn
The alleged manufacturing issues were detailed on Monday by The Register, which cited a report first published by China Business. It's alleged that an anonymous Foxconn employee revealed that the number of iPhones affected ranges from 5 million to 8 million.
The Register also speculated that the rumored production problems could be related to Apple's next-generation handset, frequently referred to as an "iPhone 5S." Well-connected analyst Ming-Chi Kuo indicated earlier this month that Apple's "iPhone 5S" is likely to face production problems due to technical challenges, namely the anticipated inclusion of a fingerprint sensor below the home button.

I'm curious to see what my Criminal Justice students think.
April 22, 2013
Dzhokhar Tsarnaev Criminal Complaint Filed in Federal Court
(FindLaw's Courtside) - "A criminal complaint against Dzhokhar Tsarnaev, 19, the surviving suspect in the Boston Marathon bombings, has been filed in federal court. The White House announced that in charging Tsarnaev with using a “weapon of mass destruction” he would not be tried before a military tribunal as an “enemy combatant.”"

Tools & Techniques
Twitter Search: The default search feature offered by Twitter.

… HTML 5 is a very slick way to make interesting animated presentations, and it can be quite beautiful. If you are looking for a way to make HTML 5 presentations, interactive infographics, product demos, and more, you should try out EWC Presenter. It comes with everything you need, and it works directly in your browser, so there is no need to download any kind of file to your computer. Because it’s HTML 5, everything created works on mobile as well.

Monday, April 22, 2013

Is Facebook's “facial recognition” tool superior to that being developed by the FBI?
Facial-recognition tech played no role in ID'ing bomb suspects
… Despite several images of Tamerlan and Dzhokhar Tsarnaev from the scene of the deadly bombings and the existence of images of the brothers in official government databases, facial-recognition software was unable to put names to their faces, Boston Police Commissioner Edward Davis told the Washington Post in an interview published Saturday. Dzhokhar Tsarnaev has a Massachusetts driver's license, while Tamerlan Tsarnaev, the elder brother who died Friday after a shootout with police, had been the subject of an FBI investigation, the Post noted.
… The FBI is expected to develop a facial-recognition system next year for police agencies in the western United States, Western Identification Network CEO Ken Bischoff told the Mercury News.

(Related) But failure never stopped those looking for larger budgets.
Joe Cadillic, a frequent submitter to this blog and a private investigator in Massachusetts, expresses his concerns in a blog post:
Surveillance cameras — which have proliferated in London, Chicago and elsewhere — may take on new allure. Informal surveillance by private citizens may proliferate as well; the FBI says it expects the public to be its “eyes and ears” as the investigation continues.
The upside of this expanding surveillance network is clear — a greater potential for law enforcement to solve crimes and, in some instances, to prevent them. David Antar of New York-based IPVideo Corporation says video surveillance can be set up to trigger warnings if bags are left unattended or suspicious activity takes place before or during a large-scale event.
Read more on MassPrivateI
Can events in Boston be used to justify expanded public surveillance? They have that potential as people tend to use incidents to support their political agenda. And there is the point of no serious expectation of privacy in public spaces anyway. But what some – like Representative Pete King – are talking about goes beyond that. Joe writes:
Peter King sees the attacks in Massachusetts this week as a wake-up call to local law-enforcement authorities to increase their surveillance and awareness of potential terrorists.
“Police have to be in the community, they have to build up as many sources as they can, and they have to realize that the threat is coming from the Muslim community and increase surveillance there,” the New York Republican congressman tells National Review.
Boston already has a fusion center. Did the FBI ever share the info they received from Russia about the older brother in 2011? If so, what happened? Is this a case – like we saw after 9/11 – that the FBI potentially could have recognized a threat and dealt with it before the acts of terrorism? If so, that doesn’t argue for more surveillance but for better analysis and follow-up of intel the government already gets.
Those yelling their heads off for more surveillance also need to remember that they are also talking about domestic surveillance of U.S. citizens. Identifying people by their religion does not strip them of their rights as Americans – or shouldn’t. I personally find Rep. King’s statements as offensive as the NYPD’s stop-and-frisk program. Claiming to protect national security by marginalizing huge swaths of our population just doesn’t cut it for me.

“We know who you are. We know where you live. We know where your children go to school. Now buy our product or suffer the consequences.” New Jersey Marketing
April 21, 2013
Pew - The State of Digital Marketing in the Networked Age
The State of Digital Marketing in the Networked Age, by Lee Rainie, April 19, 2013 - at Mid-Atlantic Marketing Summit
  • "Pew Interent Director Lee Rainie [discussed] the Project’s latest research into internet trends, mobile connectivity, and use of social media and what they mean for marketers. He will also look[ed] ahead at some of the big questions about the next stages of technology."

“Rah, rah us!” Cyber attacks lead, but with a more rational assessment (no mention of a “Cyber Pearl Harbor”)
April 21, 2013
Worldwide Threat Assessment of the US Intelligence Community
Worldwide Threat Assessment of the US Intelligence Community. James R. Clapper, Director of National Intelligence, April 18, 2013
  • "This year, in both content and organization, this statement illustrates how quickly and radically the world—and our threat environment—are changing. This environment is demanding reevaluations of the way we do business, expanding our analytic envelope, and altering the vocabulary of intelligence. Threats are more diverse, interconnected, and viral than at any time in history. Attacks, which might involve cyber and financial weapons, can be deniable and unattributable. Destruction can be invisible, [??? Bob] latent, and progressive. We now monitor shifts in human geography, climate, disease, and competition for natural resources because they fuel tensions and conflicts. Local events that might seem irrelevant are more likely to affect US national security in accelerated time frames. In this threat environment, the importance and urgency of intelligence integration cannot be overstated. Our progress cannot stop. The Intelligence Community must continue to promote collaboration among experts in every field, from the political and social sciences to natural sciences, medicine, military issues, and space. Collectors and analysts need vision across disciplines to understand how and why developments—and both state and unaffiliated actors—can spark sudden changes with international implications."

(Related) Makes me wonder how different this “outlook” is from the 'wisdom of the CIA' if they produced it and only asked outsiders to “review” their work.
April 21, 2013
The National Intelligence Council's Global Trends Report
"The National Intelligence Council's (NIC) Global Trends Report engages expertise from outside government on factors of such as globalization, demography and the environment, producing a forward-looking document to aid policymakers in their long term planning on key issues of worldwide importance... Global Trends 2030 is intended to stimulate thinking about the rapid and vast geopolitical changes characterizing the world today and possible global trajectories over the next 15 years. As with the NIC’s previous Global Trends reports, we do not seek to predict the future—which would be an impossible feat—but instead provide a framework for thinking about possible futures and their implications. In-depth research, detailed modeling and a variety of analytical tools drawn from public, private and academic sources were employed in the production of Global Trends 2030. NIC leadership engaged with experts in nearly 20 countries—from think tanks, banks, government offices and business groups—to solicit reviews of the report."

How we intrude... Tools & Techniques (and a few new project names)
April 21, 2013
Federal Agency Data Mining Report 2012
Office of the Director of National Intelligence, 2012 Data Mining Report For the Period January 1, 2012 through December 31, 2012: "The Office of the Director of National Intelligence (ODNI) provides this report pursuant to Section 804 of the Implementing the Recommendations of the 9/11 Commission Act of 2007, entitled The Federal Agency Data Mining Reporting Act of 2007 (Act)."
[From the report:
… The objective of the KDD program is to enable an analyst to utilize large, complex and varied data sets that he has not seen before to produce actionable intelligence in a timely manner. [Digital data analysis tool Bob]
… The objective of the ALADDIN program is to enable an analyst to query large video data sets to quickly and reliably locate those video clips that show a specific type of event. [Find me a bomber? Bob]
… The APP program [ … ] developed secure distributed private information retrieval (PIR) protocols that permit an entity (Client) to query a cooperating data provider (Server) and retrieve only the records that match the query without the Server learning what query was posed or what results were returned. [Data stealing too Bob]
The SPAR program was launched in 2011 to build on the successes of APP and explore additional applications of PIR to realistic IC scenarios.
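The report's one-sentence description of private information retrieval is easier to follow in code. What follows is an added example, not the APP or SPAR programs' own protocol: a two-server, information-theoretic PIR scheme in the style of Chor, Goldreich, Kushilevitz and Sudan, run over a constructed database of fixed-length records. The client sends one server a uniformly random selection vector and the other server the same vector with the wanted index flipped; each server XORs together the records its vector selects, and the client XORs the two answers to recover exactly the record it asked for. Either server alone sees only a uniformly random vector, so it learns nothing about which record was wanted or returned. The helper `colluding_servers_learn_index` makes the scheme's trust assumption explicit: the guarantee holds only while the two servers do not compare their vectors. Record contents and names are constructed sample data; keyword lookup is assumed to have been mapped to a record index by the client beforehand.

```python
import secrets

# Constructed sample database: every record is the same length (16 bytes).
DATABASE = [
    b"rec-000:alice   ",
    b"rec-001:bob     ",
    b"rec-002:carol   ",
    b"rec-003:dave    ",
    b"rec-004:erin    ",
    b"rec-005:frank   ",
]


def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def server_answer(database, selection):
    """What each server computes: the XOR of every record whose selection bit is 1.

    The server sees only `selection`, which is uniformly random from its point
    of view, so nothing about the client's index leaks to it.
    """
    acc = bytes(len(database[0]))
    for record, bit in zip(database, selection):
        if bit:
            acc = xor_bytes(acc, record)
    return acc


def make_queries(n, index):
    """Client side: a random vector for server 1 and the same vector with
    bit `index` flipped for server 2.  Each vector alone is uniform over {0,1}^n."""
    q1 = [secrets.randbits(1) for _ in range(n)]
    q2 = list(q1)
    q2[index] ^= 1
    return q1, q2


def pir_retrieve(database, index):
    """Full exchange: two queries out, two answers back, one record recovered.

    XORing the answers cancels every record selected by both vectors; the only
    record selected by exactly one of them is the one at `index`.
    """
    q1, q2 = make_queries(len(database), index)
    a1 = server_answer(database, q1)   # sent to / returned by server 1
    a2 = server_answer(database, q2)   # sent to / returned by server 2
    return xor_bytes(a1, a2)


def colluding_servers_learn_index(q1, q2):
    """Trust assumption made visible: if the servers pool their vectors, the
    single differing position is the client's index.  Non-collusion is the
    whole security basis of this scheme."""
    diff = [k for k in range(len(q1)) if q1[k] != q2[k]]
    return diff[0] if len(diff) == 1 else None


if __name__ == "__main__":
    for i in range(len(DATABASE)):
        assert pir_retrieve(DATABASE, i) == DATABASE[i]
    print("all", len(DATABASE), "records retrieved without either server seeing the index")
```

Communication cost is one bit per record in each direction plus one record-sized answer per server, which is why practical systems batch records into blocks; single-server schemes, such as the computational PIR the report alludes to, replace the non-collusion assumption with a cryptographic one.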

This seems relatively insane to me...
"Cryptographers on StackExchange were discussing CipherCloud, using some promotional material from the same to provide detail. CipherCloud responded with a DMCA takedown request that some have characterized as abusive."

Where “Big Data” comes from. An Infographic.
Information Revolution: Big Data Has Arrived at an Almost Unimaginable Scale