Saturday, May 04, 2013

A fly in the ointment?
"Dutch police are set to get the power to hack people's computers or install spyware as part of investigations — but antivirus experts say they won't help police reach their targets. Mikko Hypponen, chief research officer at F-Secure, said the Dutch bill could lead to antivirus firms being asked to cooperate with authorities to let an attack reach the target. So far, Hypponen hasn't seen a single antivirus vendor cooperate with such a request, and said his own firm wouldn't want to take part. Purely for business reasons, it doesn't make sense to fail to protect customers and let malware through 'regardless of the source.'"

Even if Bill Gates is behind this, something could go {insert Blue Screen of Death here} horribly wrong!
Paula Katinas reports:
Schools Chancellor Dennis Walcott defended a controversial plan to allow private businesses to get a look at information about public school students, telling a town hall audience in Bensonhurst that pupils’ privacy would not be violated.
Read more on the Brooklyn Eagle.
The fact that the schools will be providing “names, addresses, test scores, and disciplinary, health and attendance records” is a violation of pupils’ privacy as far as I’m concerned if the parents have not consented to it and have made it clear that they want to opt out but are not being allowed to.
It’s funny how politicians who go apeshit over making the morning-after pill available to 15 year-olds, claiming it infringes on parental rights, are quiet when it comes to parental rights to protect their children’s privacy when it comes to school records.

A small legal question. What would my Ethical Hackers need to prove that they are acting for the government (rather than the mob) and would that change their legal status if kidnapped and dragged before a foreign court? What would Robert Oppenheimer's status have been if Hitler got his hands on him?
Alleged ‘SpyEye’ Botmaster Ends Up in America, Handcuffs
A 24-year-old Algerian man landed in Atlanta, Georgia on Thursday to face federal charges that he hijacked customer accounts at more than 200 banks and financial institutions, capping a months-long extradition battle.
Hamza Bendelladj, who went by the name Bx1 online, is also accused of operating botnets of machines infected with the SpyEye banking trojan, and is suspected of operating Zeus botnets as well, although the charges against him in Georgia do not mention Zeus.
A civil complaint filed by Microsoft and the Financial Services – Information Sharing and Analysis Center last year names Bx1 among a long list of more than 50 defendants allegedly operating separate ZeuS botnets that have infected more than 13 million machines and have been used to steal more than $100 million in the last five years.
… Bendelladj was arrested in January at the Bangkok airport in Thailand en route from Malaysia to Egypt and arrived in the U.S. on Thursday for a Friday arraignment. Thai authorities dubbed him the “happy hacker” because he smiled during a press conference there discussing his arrest. U.S. authorities had been tracking him for three years and had issued a warrant for his arrest.

To Tweet or not to Tweet, that is the 140 character question. We are a “Technical” University, so why not use technology in all our classes?
… Twitter … is a great way to simply interact with other like-minded people. One particularly active group of people on Twitter fall into the literary category.
… If you’re not sure where to start your literary journey on Twitter, we’ve got a few tips to get you going – from who to follow, what hashtags to keep an eye on, and even how to get your Twitterary works out to a wider audience.

(Related) Don't Tweet like a Twit?
Navigating Twitter Tutorial: The Basics
This is a short 6-min tutorial to help new and existing Twitter users learn a bit more about navigating in the Twitter web application. Do you know where to find the code to embed a tweet? How about where to make a new list or follow a list? How do you view a tweetstream as a conversation? What’s the difference between a mention and a reply? Who can see a mention? Who can see a reply? Learn it here.

Zero tolerance requires zero thought. “We don't understand this 'science stuff' so it must be evil.”
Expelled girl's 'bomb': Toilet cleaner and foil
As the scientific community rallies around Kiera Wilmot, the 16-year-old expelled for a scientific experiment gone slightly awry, court papers reveal hers was an ordinary experiment. The school, meanwhile, insists it did the right thing.

I'm sure criminals will keep that chunk of steel in their guns.
Daniel_Stuckey writes with this snippet from Motherboard with an update on Cody Wilson's Defense Distributed project:
"On Friday morning, Forbes's Andy Greenberg published photos of the world's first completely 3D-printed gun. It has a 3D-printed handle, a 3D-printed trigger, a 3D-printed body and a 3D-printed barrel, all made of polymer. It's not completely plastic, though. So as not to violate the Undetectable Firearms Act and guarantee it would get spotted by a metal detector, Wilson and friends embedded a six-ounce hunk of steel inside the gun. They're calling it 'The Liberator.'"
(A name I'm sure that Wilson didn't come up with accidentally.)

Friday, May 03, 2013

It's perfectly natural. When there is blood in the water, the sharks gather for a meal.
Attorney General George Jepsen of CT and Attorney General Douglas Gansler of Maryland have written to LivingSocial to request more information on their recent breach and how it may impact consumers. Their actions were announced in a press release yesterday.
The Attorneys General have asked the company to provide a detailed timeline of the incident, including when and how the company learned of the data breach, as well as a breakdown on the number of affected individuals in each state and the types of information compromised.
They are seeking information about the password protection, information storage and internal security systems the company had in place, and have asked whether the company has received any reports or complaints from users about unauthorized charges.
Additionally, among other information, they’ve requested:
• Copies of LivingSocial’s privacy policies at the time of the breach,
• Copies of any security reports or forensic analyses related to the incident, and
• An outline of any plan developed to prevent the recurrence of a breach and a timeline for the plan’s implementation.
You can read their full letter here. As of April 26, when LivingSocial reported the breach to the New Hampshire Attorney General’s Office, they indicated that the number of individuals in each state was “uncertain” and that they were “working on methods to develop reliable estimates.”

Victim organizations are not in the business of answering questions about their security breach. That's probably why they do such a bad job of it.
Back in February, I noted that the FBI had been called in to investigate a breach involving the Iron Horse Bicycle Classic. A number of those who signed up for the event had reported credit card fraud.
Now lawyers for Iron Horse Bicycle Classic have reported the breach to the New Hampshire Attorney General’s Office. Their report provides some additional details on what the investigators found.
According to the statement, on March 1, IHBC learned that the server they shared with other companies on an unnamed web host provider had been attacked, and the attacker had been able to send information from the server to an unauthorized address on the Internet. Significantly, the attack may have occurred as early as November 30, 2012.
Although IHBC notified registrants by e-mail on March 14, they first mailed out letters in the last week of April. The letters informed them that the attacker may have obtained their names, postal and e-mail addresses, credit card information, and ages.
IHBC made some changes in how it handles payments, but surprisingly, in light of known fraudulent use of information, did not offer registrants any free credit monitoring services.
Of course, now I’m also wondering what other companies on the shared server may also have been hacked or had PII compromised. I’m also wondering what the unnamed web host provider is doing to prevent or catch future attacks.

For my Ethical Hackers. It might be amusing to have a few backdoor entries onto the North Korean military networks in order to disguise the true source. (Just saying...)
Pentagon Warns North Korea Could Become a Hacker Haven
North Korea is barely connected to the global internet. But it’s trying to step up its hacker game by breaking into hostile networks, according to a new Pentagon report.
“North Korea probably has a military computer network operations (CNO) capability,” assesses the Pentagon’s latest public estimate (.PDF) of the military threat from North Korea.
So far, suspected North Korean cyber efforts are more like vandalism and espionage than warfare — as with most so-called “cyberattacks” not related to the U.S./Israeli Stuxnet worm. But the Pentagon believes Pyongyang is going to lean into network attacks in the future, largely out of necessity.
“Given North Korea’s bleak economic outlook, CNO may be seen as a cost-effective way to modernize some North Korean military capabilities,” the report assesses. “The North Korean regime may view CNO as an appealing platform from which to collect intelligence.”

Could be very useful for storing passwords or information on credit cards.
mikejuk writes with news of an advancement for homomorphic encryption and open source:
"To be fully homomorphic the code has to be such that a third party can add and multiply numbers that it contains without needing to decrypt it. In other words they can change the data by working with just the encrypted version. This may sound like magic but a fully homomorphic scheme was invented in 2009 by Craig Gentry. This was a step in the right direction but the problem was that it is very inefficient and computationally intensive. [Not a big problem when you are doing individual transactions Bob] Since then there have been a number of improvements that make the scheme practical in the right situations. Now Victor Shoup and Shai Halevi of the IBM T J Watson Research Center have released an open source (GPL) C++ library, HElib, as a Github project. The code is said to incorporate many optimizations to make the encryption run faster. Homomorphic encryption has the potential to revolutionize security by allowing operations on data without the need to decrypt it."
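To make the "add numbers without decrypting them" property concrete, here is an added example that is not from the post and not HElib's code: a toy Paillier cryptosystem. Paillier is only additively homomorphic (it supports adding ciphertexts and multiplying a ciphertext by a known constant), not fully homomorphic like Gentry's scheme, and the primes used here are constructed demo values that are far too small for real use.

```python
"""Toy Paillier cryptosystem (added example; not HElib, not fully homomorphic).

Shows what it means for a party holding only ciphertexts to compute a sum
that the key holder later decrypts. Demo primes are constructed and tiny;
real deployments use primes of 1024 bits or more.
"""
from math import gcd
import secrets


def lcm(a, b):
    return a * b // gcd(a, b)


def keygen(p, q):
    """Return (public, private) keys built from two distinct demo primes."""
    n = p * q
    lam = lcm(p - 1, q - 1)          # Carmichael's lambda for n = p*q
    g = n + 1                        # standard simplified choice of g
    # mu = L(g^lam mod n^2)^-1 mod n, where L(u) = (u - 1) // n
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m, r=None):
    """Encrypt 0 <= m < n with fresh randomness r (so equal plaintexts differ)."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    while r is None or gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1      # r in [1, n-1], coprime to n
    return (pow(g, m, n * n) * pow(r, n, n * n)) % (n * n)


def decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    u = pow(c, lam, n * n)
    return ((u - 1) // n * mu) % n


# Operations a third party can perform on ciphertexts alone (no key needed).
def add_encrypted(pub, c1, c2):
    n, _ = pub
    return (c1 * c2) % (n * n)        # E(a) * E(b) = E(a + b mod n)


def scale_encrypted(pub, c, k):
    n, _ = pub
    return pow(c, k, n * n)           # E(a)^k = E(k * a mod n)


def total_without_decrypting(pub, priv, amounts):
    """The 'server' sums ciphertexts; only the key holder sees the result."""
    acc = encrypt(pub, 0)
    for a in amounts:
        acc = add_encrypted(pub, acc, encrypt(pub, a))
    return decrypt(pub, priv, acc)
```

Sums wrap modulo n, so plaintexts (and the sum) must stay below n for the result to be meaningful.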

We want the same powers! (Are you going to let us fall behind the Dutch?)
"The Dutch government today presented a draft bill that aims to give law enforcement the power to hack into computer systems, including those located in foreign countries — to do research, gather and copy evidence or block access to certain data. Law enforcement should be allowed to block access to child pornography, read emails that contain information exchanged between criminals and also be able to place taps on communication, according to a draft bill published Thursday and signed by Ivo Opstelten, the Minister of Security and Justice. Government agents should also be able to engage in activities such as turning on a suspect's phone GPS to track their location, the bill said. Opstelten announced last October he was planning to craft this bill."

As goes California, so goes the nation? There must be much more to this than what is reported in the article. If not, it's possible we have gone crazy.
The L.A. Times has reported that people who live anywhere within a mile of the site of the Coachella Valley Music Festival in Indio, California (and perhaps residents’ visitors, if any visitors were allowed?) were “required” to wear individually numbered RFID-chipped tracking bracelets throughout the two weekends of the festival:
In 2011, the organization began using microchip-embedded wristbands….
No one can so much as get within a mile of the Empire Polo Field, where Coachella is held, without wearing one. Local residents, whose homes surround the polo field, also have to wear one just to get to their houses, and Guitron said homeowners must also register their cars….
Guitron said it created a safe perimeter for the event, where every concertgoer and resident can be identified via a microchip.
It’s not clear by whom, or by what authority, nearby residents or their guests and visitors could be “required” to wear devices each of which transmit a unique tracking ID number any time it is requested by private parties.
Read more on Papers, Please! Has no resident really challenged this in court?

Looks like the court examines each request long enough to find a place to rubber stamp it...
Secretive Spy Court Approved Nearly 2,000 Surveillance Requests in 2012
A secretive federal court last year approved all of the 1,856 requests to search or electronically surveil people within the United States “for foreign intelligence purposes,” the Justice Department reported this week.
The report (.pdf), released Tuesday to Harry Reid, the Senate majority leader from Nevada, provides a brief glimpse into the caseload of what is known as the Foreign Intelligence Surveillance Court. None of its decisions are public.
The 2012 figures represent a 5 percent bump from the prior year, when no requests were denied either.

Clearly a big fan of James Bond movies...
May 02, 2013
For Their Eyes Only: The Commercialization of Digital Spying
Citizen Lab [University of Toronto] "released a new report, For Their Eyes Only: The Commercialization of Digital Spying. The report features new findings, as well as consolidating a year of our research on the commercial market for offensive computer network intrusion capabilities developed by Western companies. Our new findings include:
  • We have identified FinFisher Command & Control servers in 11 new countries: Hungary, Turkey, Romania, Panama, Lithuania, Macedonia, South Africa, Pakistan, Nigeria, Bulgaria, Austria.
  • Taken together with our previous research, we can now assert that FinFisher Command & Control servers are currently active, or have been present, in 36 countries.

Self-regulation my foot...
"The Internet advertising industry is keen to stave off government privacy rules and opt-in-only browsers by loudly proclaiming its adherence to a self-imposed code of conduct. Yet a little digging shows that even "self-regulated" advertisers link to services that link to other services that nobody's really sure what they do. That's why, for instance, when you visit a page on the Sears website, your web browsing behavior is being collected by a company that sells ringtones and won't return emails asking about their privacy policy."

Interesting distinction: Destroy evidence after the phone is in police custody. Isn't there software to do just that when your phone is stolen?
Orin Kerr writes:
I recently mentioned my new short essay, Accounting for Technological Change, 36 Harv. J. of Law and Public Policy 403 (2013), about how the Supreme Court should resolve the lower court division on the Fourth Amendment rule for searching a cell phone incident to arrest. In light of that, I thought I would flag this morning’s decision by the Florida Supreme Court deepening the lower court division, Smallwood v. Florida. Smallwood rules that the police can routinely seize a cell phone incident to arrest, but they generally need a warrant to search it absent a demonstrated risk that evidence on the phone could be destroyed after it had been seized.
Read more on The Volokh Conspiracy.

When we start talking “equitable,” I cover my wallet.
May 02, 2013
Paper - Internet Content Governance & Human Rights
Lucchi, Nicola, Internet Content Governance & Human Rights (May 1, 2013). Vanderbilt Journal of Entertainment and Technology Law Vol. 16, No. 3 (2013). Available at SSRN
  • "The paper examines how Internet content governance is posing regulatory issues directly related to the growing importance of an equitable access to digital information. In particular, it looks at conflicts arising within the systems of rights and obligations attached to communication (and especially content provision) over the Internet. It seeks to identify emerging tensions and to draw out the implications for the nature and definitions of rights (e.g. of communication and access, but also of IP ownership) and for regulations and actions taken to protect, promote or qualify those rights. These points are illustrated by a series of recent examples."

Why does this make me antsy?
Chinese Scientists Create New Mutant Bird-Flu Virus
… The experiments, described May 2 in Science, reflect a controversial approach to studying influenza: attempting to create strains in a lab that would, if accidentally released or used for nefarious purposes, pose a potentially global health threat.
Some scientists think the risks don’t outweigh the benefits, and that institutional safeguards don’t sufficiently reduce chances of accidents. Public unease with such experiments resulted in a year-long moratorium on the research.

Back when I started working with computers (leaving my job as a dinosaur hunter), maintenance was estimated at 'about 80%.' Either we have improved a bit or we can measure better.
May 02, 2013
CIO Insights: Leading Innovation in a Time of Change
"Each year TechAmerica and Grant Thornton LLP survey federal Chief Information Officers (CIO) on issues most affecting the community. CIOs had a lot to say about budget, policy and governance, acquisition, human capital, mobility, and cybersecurity... The budget is the top concern of CIOs. While budget cuts drive CIOs to improve efficiency and spark innovation, they also hinder investments in modern technologies needed to support the mission. Today, more than 76% of IT spending goes to operations and maintenance (O&M) and infrastructure."

(Related) I have to think about this one...
The Metamorphosis of the CIO
As we all know, the very nature of the enterprise is changing. This is the result of the rapid shifts that have been occurring in the business world over the last few years--the commoditization of goods and services, the individuation of value, the transformation of the workforce--which I discussed in my previous blog post. In order to keep up with these changes and to succeed, future enterprises will need to have three clear characteristics: They will be socially enabled; they will operate as digital business ecosystems, offering innovative services and products as rapidly and inexpensively as possible; and they will view innovation not as an optional advantage, but as the only advantage.

I think they are giving me a firm “maybe.”

I expect a brief flurry of interest in this journal, then a return to Playboy... Might be an excuse for detailed research...
Upcoming Porn Journal to Explore Sexy Science
A soon-to-launch academic journal will peer into corners of the Internet most people erase from their search histories. "Porn Studies," set to debut next spring, will be dedicated to a critical exploration of "those cultural products and services designated as pornographic," according to The Guardian.
The journal will be under the umbrella of academic publisher Routledge, and will welcome work by academics in sociology, film, media, labor studies, law and criminology. Sound prurient? Well, despite the ubiquity of pornography online, very little is known about the psychology of those who participate, or even those who watch. Perhaps the new journal will finally answer the age-old question, "Is porn bad for you?"

Nerd out, dudes!
Free Comic Book Day: These Are the 10 Titles You Need to Grab
Saturday, May 4th is Free Comic Book Day, the very special day each year when comic book shops around the world give away, well, comic books. There will be dozens of free books up for grabs at participating shops--find one near you here--and figuring out what to grab when you get there can actually be a bit overwhelming.
But don't panic. We're here to help.
We've sorted through a stack of 50-plus FCBD comics provided by Things from Another World, and selected the 10 gotta-read books.

Geek out, dudes!
If you’ve yet to play around with your own virtual machine, you’re missing out.
… Using a virtual machine offers a great sandbox if you’re ever dealing with sketchy software that may be riddled with things that you’re way too nervous to allow on your main disk. While some trojans and malware are sophisticated enough to pass through virtual disks, it’s still a common practice.
In a very well-written post from Justin just last year, it was thoroughly explained how you can get a VirtualBox up and running in practically a matter of minutes (depending on your download speed). In this post, I’d like to show you three great websites where you can find a heap of free virtual disk images.

Thursday, May 02, 2013

“The 2X4 is just to get the mule's attention.”
Regular readers may recall the frustration I reported when calls to Uniontown Hospital to alert them to a security breach went unanswered. I’m not the only one who can’t get a response when a response might be in the entity’s best interests. Consider this report by security blogger Brian Krebs:
Organized hackers in Ukraine and Russia stole more than $1 million from a public hospital in Washington state earlier this month. The costly cyberheist was carried out with the help of nearly 100 different accomplices in the United States who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years.
Last Friday, The Wenatchee World broke the news of the heist, which struck Chelan County Public Hospital No. 1, one of several hospitals managed by the Cascade Medical Center in Leavenworth, Wash. The publication said the attack occurred on Apr. 19, and moved an estimated $1.03 million out of the hospital’s payroll account into 96 different bank accounts, mostly at banks in the Midwest and East Coast.
On Wednesday of last week, I began alerting the hospital that it had apparently been breached. Neither the hospital nor the staff at Cascade Medical returned repeated calls. I reached out to the two entities because I’d spoken with two unwitting accomplices who were used in the scam, and who reported helping to launder more than $14,000 siphoned from the hospital’s accounts.
Read more on KrebsOnSecurity.
Maybe if insurers decline to cover losses if they find out that someone tried to warn the entity and the entity ignored or failed to respond to the attempted alerts, it would help?

A great headline for Computer Security managers to pass along to management...
A few weeks ago I noted that William Jennings Bryan Dorn VA Medical Center in South Carolina was notifying over 7,000 patients of a breach involving a stolen laptop. Now two of the veterans affected have filed a lawsuit over the breach. Additional details on the lawsuit, which was filed April 12, can be found here.

Mandatory BYOD! This could be really interesting.
"Half of all employers will require workers to supply their own mobile devices for work purposes by 2017, according to a new Gartner study. Enterprises that offer only corporately-owned smartphones or stipends to buy your own will soon become the exception to the rule in the next few years. As enterprise BYOD programs proliferate, 38% of companies expect to stop providing devices to workers by 2016 and let them use their own, according to a global survey of CIOs by Gartner. At the same time, security remains the top BYOD concern. 'What happens if you buy a device for an employee and they leave the job a month later? How are you going to settle up? Better to keep it simple. The employee owns the device, and the company helps to cover usage costs,' said David Willis, a distinguished analyst at Gartner."

Attention everyone downstream! This damn breach could lead to a dam breach! (Sorry, I couldn't resist) Think of this as “Targeting Information”
Hacker Breached U.S. Army Database Containing Sensitive Information on Dams
A hacker compromised a U.S. Army database that holds sensitive information about vulnerabilities in U.S. dams, according to a news report.
The U.S. Army Corps of Engineers’ National Inventory of Dams contains information about 79,000 dams throughout the country and tracks such information as the number of estimated deaths that could occur if a specific dam failed. It’s accessible to government employees who have accounts. Non-government users can query the database but cannot download data from it.
The breach began in January and was only uncovered in early April, according to the Free Beacon, a nonprofit online publication, which first published the news.
… “The U.S. Army Corps of Engineers is aware that access to the National Inventory of Dams (NID), to include sensitive fields of information not generally available to the public, was given to an unauthorized individual in January 2013 who was subsequently determined to not have proper level of access for the information,” Pierce said in a statement to the publication. “[U.S. Army Corps of Engineers] immediately revoked this user’s access to the database upon learning that the individual was not, in fact, authorized full access to the NID.”
The Corps of Engineers announced on its website that account usernames and passwords had since changed “to be compliant with recent security policy changes.”
All users had been sent an e-mail notification to this effect, which apparently told them that their account username had been changed to their e-mail address and included the new password in plaintext that the Corps did not ask users to change. [Not particularly well thought out... Bob]
Although the website provides links to reset the password if a user forgets it, the links were not working when Wired visited the site.
Unnamed U.S. officials told the Free Beacon that the breach was traced to “the Chinese government or military cyber warriors,” but offered no information to support the claim.

Attention Ethical Hackers! This should not impact our “Online Games for Fun and Profit” class.
Use a Software Bug to Win Video Poker? That’s a Federal Hacking Case
… The question: was it a criminal violation of federal anti-hacking law for Kane and a friend to knowingly take advantage of the glitch to the tune of at least half-a-million dollars? Prosecutors say it was. But in a win for the defense, a federal magistrate found last fall that the Computer Fraud and Abuse Act doesn’t apply, and recommended the hacking charge be dismissed. The issue is now being argued in front of U.S. District Court Judge Miranda Du, who’s likely to rule this month.

Underreporting the number of victims seems to be an Internet meme. Makes it seem like they don't know what is happening in their own computer system.
So it seems it may not be 300,000 biometric national ID records lost, but 1.4 million….

Could this be the start of a trend?
By a vote of 49-0, the Pennsylvania Senate passed Senate Bill 114, amending the state’s data breach notification law.
Section 1. Section 3 of the act of December 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act, is amended by adding subsections to read:
Section 3. Notification of breach.
(a.1) Notification by State agency.–If a State agency is the subject of a breach of security of the system, the State agency shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the Office of Attorney General within three business days following discovery of the breach. A State agency under the Governor’s jurisdiction shall also provide notice of a breach of its security system to the Governor’s Office of Administration within three business days following the discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.
(a.2) Notification by county, school district or municipality.–If a county, school district or municipality is the subject of a breach of security of the system, the county, school district or municipality shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the district attorney in the county in which the breach occurred within three business days following discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.
Section 2. This act shall take effect in 60 days.

You have to go through all the efforts to match the video captured images to drivers license and other databases, but sometimes you get lucky and someone calls 911.
Boston carjack victim talks about narrow escape
Three nights after the bombing, Danny was sitting in his new Mercedes when a man came from behind the car, put his hand through the open window and opened the door from the inside before pointing a gun only inches from his head.
Danny did not know it was Tamerlan Tsarnaev. His attacker asked him if he had been following the news of the bombings.
“I said, ‘Yes, of course,’” Danny told Lauer. “Then he said, ‘I did that. And I just killed a policeman in Cambridge.’”
… With the car stopped at a gas station, Danny made his move to escape. When Dzhokhar left his vehicle to go to an A.T.M. and pump gas, Danny unbuckled his seatbelt with his left hand, opened the door with his right hand and ran from the car with Tamerlan still sitting in it.
“I took off,” he said. “(Tamerlan) tried to grab me. He was trying to grab me. It was very close. I can feel it.”
Danny ran to another gas station and called 911, telling police they could locate the suspects through his car’s satellite system and the iPhone he left behind.

I'm not sure what (or who) OccupyCorporatism is, but they seem to hate everyone. Also, the headline does not match the article.
Susanne Posel reports:
The Bill and Melinda Gates Foundation (BMGF) have funded the Measures of Effective Teaching Project (MET) which brings together volunteers and researchers “to build and test measures of effective teaching to find out how evaluation methods could best be used to tell teachers more about the skills that make them most effective and to help districts identify and develop great teaching.”
The BMGF have also invested $5 billion [also reported as $5 million... Bob] into having CCTV cameras installed in all classrooms across the nation allegedly “for every teacher in every classroom in every district to be filmed in action so they can be evaluated and, maybe, improve.”
This initiative would facilitate “videotaped lessons, classroom observations by trained observers, student satisfaction surveys, and value-added calculations based on test scores.”
His proposals are so problematic that it’s hard to even know where to start responding to his ideas, but if you want to create an environment where kids feel emotionally safe to learn, to question, and to take risks in their thinking, constant surveillance is counter-indicated.

May 01, 2013
Google Transparency Report
"Transparency is a core value at Google. As a company we feel it is our responsibility to ensure that we maximize transparency around the flow of information related to our tools and services. We believe that more information means more choice, more freedom and ultimately more power for the individual. In this report, we disclose:
  • Real-time and historical traffic to Google services around the world;
  • Numbers of removal requests we receive from copyright owners or governments;
  • Numbers of user data requests we receive from government agencies and courts.
  • To learn more about the laws governing our disclosure of user data and reforms to those laws that we think are important, visit We hope this report will shine some light on the appropriate scope and authority of government requests to obtain user data around the globe."

Think about it. How hard could it be if you know an individual's ZIP code, birth date and sex?
From the MIT Technology Review:
One of the biggest questions in biology is the nature versus nurture debate, the relative roles that genetic and environmental factors play in determining human traits.
In 2006, George Church at Harvard University and a few others started the Personal Genome Project (PGP) to help answer this question. The goal is to collect genomic information from 100,000 informed members of the public along with their health records and other relevant phenotypic data. The idea is to use this information to help tease apart the relative contributions of genetic and environmental factors.
The project does not guarantee privacy for those who sign up. Indeed, the participants can reveal as much information as they like, including their ZIP code, birth date and sex.
However, the data is ‘de-identified’ in the sense that the owners’ names and addresses are not included in their profiles on the PGP website, and this generates a veneer of privacy.
Today, Latanya Sweeney and colleagues at Harvard show that even this is practically useless in keeping owners’ identities private. They say a relatively simple comparison of the list of PGP participants with other databases such as voter lists reveals the identity of a significant number of them with remarkable accuracy.
Read more on MIT Technology Review.
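The linkage Sweeney's group describes, measured on constructed data as an added example (not the PGP's data or the paper's code): a "de-identified" release and a public voter list are joined on ZIP, birth date and sex, the number of records that link to exactly one voter is counted, and the same count is repeated after the standard mitigation of coarsening those fields.

```python
"""Re-identification risk from quasi-identifiers (ZIP code, birth date, sex).
Added example; not the PGP's data or Sweeney's code. RESEARCH plays the part
of a 'de-identified' release (no names) and VOTERS a public voter list; both
are constructed for illustration."""
from collections import Counter, defaultdict

QI = ("zip", "dob", "sex")  # quasi-identifiers the two datasets share

# Constructed 'de-identified' records: names stripped, ZIP, birth date and
# sex kept, alongside a sensitive attribute (a genetic marker flag).
RESEARCH = [
    {"zip": "02138", "dob": "1965-07-21", "sex": "M", "marker": "APOE-e4"},
    {"zip": "02139", "dob": "1980-01-05", "sex": "F", "marker": "BRCA1"},
    {"zip": "02140", "dob": "1972-11-30", "sex": "M", "marker": "none"},
    {"zip": "02138", "dob": "1965-07-21", "sex": "F", "marker": "none"},
    {"zip": "02141", "dob": "1972-04-09", "sex": "M", "marker": "none"},
]

# Constructed public voter list: names plus the same three fields.
VOTERS = [
    {"name": "A. Example", "zip": "02138", "dob": "1965-07-21", "sex": "M"},
    {"name": "B. Example", "zip": "02138", "dob": "1965-03-02", "sex": "M"},
    {"name": "C. Example", "zip": "02138", "dob": "1965-07-21", "sex": "F"},
    {"name": "D. Example", "zip": "02139", "dob": "1980-01-05", "sex": "F"},
    {"name": "E. Example", "zip": "02139", "dob": "1980-01-05", "sex": "F"},
    {"name": "F. Example", "zip": "02140", "dob": "1972-11-30", "sex": "M"},
    {"name": "G. Example", "zip": "02141", "dob": "1972-04-09", "sex": "M"},
]

def quasi_key(rec, fields=QI):
    return tuple(rec[f] for f in fields)

def link(research, voters, fields=QI):
    """Join the release to the voter list on the quasi-identifiers.
    Returns {research index: [candidate names]}; exactly one candidate means
    that record, and its sensitive attribute, is re-identified."""
    by_key = defaultdict(list)
    for v in voters:
        by_key[quasi_key(v, fields)].append(v["name"])
    return {i: by_key.get(quasi_key(r, fields), []) for i, r in enumerate(research)}

def uniquely_identified(research, voters, fields=QI):
    """Number of released records that link to exactly one voter."""
    return sum(1 for names in link(research, voters, fields).values() if len(names) == 1)

def k_anonymity(records, fields=QI):
    """Smallest group of records sharing the same quasi-identifier values.
    k == 1 means at least one record is unique on those fields, which is
    exactly what makes the linkage above work."""
    return min(Counter(quasi_key(r, fields) for r in records).values())

def generalize(rec):
    """One standard mitigation: coarsen the quasi-identifiers so more people
    share each value (3-digit ZIP prefix and birth year instead of the full
    ZIP and full date of birth)."""
    g = dict(rec)
    g["zip"] = rec["zip"][:3]
    g["dob"] = rec["dob"][:4]
    return g

if __name__ == "__main__":
    print("re-identified at full precision:", uniquely_identified(RESEARCH, VOTERS))
    coarse_r = [generalize(r) for r in RESEARCH]
    coarse_v = [generalize(v) for v in VOTERS]
    print("re-identified after generalization:", uniquely_identified(coarse_r, coarse_v))
```

On this sample four of the five "de-identified" records link to a single voter at full precision and only one does after generalization; the release itself has k = 1, which is the condition a data custodian should check before publishing.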

Could be an interesting case to watch...
Mozilla Takes Aim at Spyware That Masquerades as Firefox
Mozilla’s lawyers are sending a nasty gram to a U.K. company that writes spyware for government snoops.
The problem is that FinSpy masquerades as Firefox on the PC, according to researchers at The Citizen Lab, a University of Toronto-backed project that investigates technology and human rights. That violates Mozilla’s trademark, the browser-maker said in a statement. “As an open source project trusted by hundreds of millions of people around the world, defending Mozilla’s trademarks from this abuse is vital to our brand, mission and continued success.”
Mozilla says it’s sending the U.K. company that makes FinSpy, Gamma International, a cease-and-desist letter later today “demanding that these practices be stopped immediately.” Gamma International couldn’t immediately be reached for comment. FinFisher is the name of Gamma’s command and control server software that collects the surveillance data. It also makes FinSpy, the spyware that runs on the PC.
Gamma International markets its software as a “remote monitoring” program that government agencies can use to take control of computers and snoop on data and communications. In theory, it could be legitimately used for surveillance efforts by crime fighting agencies, but in practice, it has popped up as a spy tool unleashed against dissident movements operating against repressive regimes.

Ethical Hackers: If I can “Control” it, I can hack it... (Might even work if your phone is stolen?)
If you leave your phone at home while leaving for work, you are fretting about missing important text messages and phone calls. There is nothing to do in such a situation but to go back home and fetch your phone.
… Thankfully there is now a smartphone application that provides an effective solution for this predicament that does not involve you going back home to get your phone. This application is called Phonnix.
Phonnix is a free to use smartphone application for devices that are running Android.
If you left your phone at home, then all you need to do is ensure that it has Internet connectivity – either through your carrier’s data plan or through a plain Wi-Fi network. It is then possible to log into the app using a web browser on your computer.
From then onwards you are able to send and receive text messages in the browser instantly. Missed calls notifications can also be instantly received. Integration with Facebook is possible which delivers all this information to your favorite social network and makes it possible for you to receive incoming calls there. Commands can be sent to the phone to forward your calls to another phone number.

Something for our Graphic Design students?
LinkedIn Now Lets You Add a Visual Portfolio to Your Profile
LinkedIn now lets users add visual content like photos, presentations and videos to their profile pages — a feature that has been in high demand with creative professionals like designers and photographers.

Might be handy if you have friends or relatives in places that suffer mad bombers or natural disasters.
Well, regardless of the fatality numbers, any major crisis that shuts down communication systems or travel ends up breaking off a fairly large population of people from the outside world. This isn’t just the case when there’s some kind of violent attack, but it even more commonly occurs following things like earthquakes, hurricanes and other natural disasters. When social infrastructure fails, family and friends outside of the danger zone really start to get nervous when they can’t get in touch with their loved ones. Add on top of that the fact that the news media starts immediately reporting the increase in body count, and you’ve got a situation of all-out panic.
Google Person Finder is offered as a free service for the general public, as well as emergency responders, to use following a catastrophe.
The way it works is relatively simple, and there are some additional features that you can embed on your own website, which I’ll get to later in this article. When you first go to the Google Person Finder page, you’ll see a list of current active events for which the Person Finder is currently active.
Inside of an event page, you’ll find two large link boxes. You’ll also see the current database size underneath those links.
Two links:
“I’m looking for someone”
“I have information about someone” link

Wednesday, May 01, 2013

I don't think adding Denver residents as CC's on every email would work, so perhaps an open log of Council emails? And perhaps we could make them wear those tracking ankle thingies the parolees wear?
Denver metro chamber demands City Council e-mails over union fears
Responding to nagging fears that some city council members are helping unions organize in Denver, the city's biggest business advocates made the unprecedented move of demanding to see council e-mails.
The Metro Denver Chamber of Commerce last week sent formal records requests under the Colorado Open Records Act to see any correspondence between council members, the Auditors Office and labor unions. The request also seeks any complaints from council members to companies about working conditions for employees.
"Ham-fisted bullying," is what Councilman Chris Nevitt called the chamber's move, saying that if chamber officials wanted the information they could have asked. [This IS how you ask, isn't it? Bob]

No warrant required for commercial data?
Governments Won't Need to Issue IDs: Data Brokers Will Identify You for Them
Our government collects a lot of information about us. Tax records, legal records, license records, records of government services received-- it's all in databases that are increasingly linked and correlated. Still, there's a lot of personal information the government can't collect. Either they're prohibited by law from asking without probable cause and a judicial order, or they simply have no cost-effective way to collect it. But the government has figured out how to get around the laws, and collect personal data that has been historically denied to them: ask corporate America for it.

(Related) ...and when they get here, I'll sic the dogs on them!
Spencer E. Ante reports:
Advertisers already know what people are up to on their personal computers. But understanding their online whereabouts on smartphones or tablets has remained elusive.
A number of companies are trying to better pinpoint mobile users’ online activity with new software and techniques they say could help advertisers track users across devices.
By harvesting cross-screen identities, the ad industry could serve ads to mobile phones based on the interests people express when surfing the Web on their PCs.
Read more on WSJ.

Someone gets it!
From edSurge:
The education data portal, inBloom, raised hackles this week among a group of New York City parents and educators who worry about the nonprofit’s plans to compile student information into a wide-ranging education data portal–and they’re organizing against it via email listservs, open forums and legislative bills.
Local community opposition to the inBloom plan was palpable on Monday (April 29) night in the Brooklyn Borough Hall at a “student privacy town hall meeting” devoted to the issue. Around 150 people gathered to express their frustrations and hear from New York Department of Education representatives. Holding handmade posters with slogans like “Our kids, not your data,” the group voiced unease about the creation of the portal, which many fear is gathering too much data about their children, will sell information to commercial vendors and will be vulnerable to hacking.
Read more on edSurge.

The “State of the Internet?”
April 30, 2013
EFF Surveys Major Tech Companies' Privacy and Transparency Policies
News release: "As you search the Internet, visit websites, and update your social media accounts, you entrust a wealth of data to service providers: your thoughts, your photos, your location, and much more. What happens when the government wants access to all of this information, held by companies like Google and Facebook and AT&T? Will these providers help you fight back against unfair demands for data about your private life? Today the Electronic Frontier Foundation (EFF) releases its third annual report, Who Has Your Back?, which looks at major technology service providers' commitment to users' rights in the face of government data demands. EFF's report examines 18 companies' terms of service, privacy policies, advocacy, and courtroom track records, awarding up to six gold stars for best practices in categories like "require a warrant for content," "tell users about government data demands," and "publish transparency reports."

The technology behind anonymity?
April 30, 2013
A Secure Submission System for Online Whistleblowing Platforms
A Secure Submission System for Online Whistleblowing Platforms. Volker Roth, Benjamin Güldenring, Eleanor Rieffel, Sven Dietrich, Lars Ries (Submitted on 26 Jan 2013) An abridged version has been accepted for publication in the proceedings of Financial Cryptography and Data Security 2013.
  • "Whistleblower laws protect individuals who inform the public or an authority about governmental or corporate misconduct. Despite these laws, whistleblowers frequently risk reprisals and sites such as WikiLeaks emerged to provide a level of anonymity to these individuals. However, as countries increase their level of network surveillance and Internet protocol data retention, the mere act of using anonymizing software such as Tor, or accessing a whistleblowing website through an SSL channel might be incriminating enough to lead to investigations and repercussions. As an alternative submission system we propose an online advertising network called AdLeaks. AdLeaks leverages the ubiquity of unsolicited online advertising to provide complete sender unobservability when submitting disclosures. AdLeaks ads compute a random function in a browser and submit the outcome to the AdLeaks infrastructure. Such a whistleblower's browser replaces the output with encrypted information so that the transmission is indistinguishable from that of a regular browser. Its back-end design assures that AdLeaks must process only a fraction of the resulting traffic in order to receive disclosures with high probability. We describe the design of AdLeaks and evaluate its performance through analysis and experimentation."

Email or ePhone?
… This new Skype integration is just a preview for now, and will only be available in the UK at this time. In the next few weeks, users in the US and Germany will be able to enjoy the preview as well, with the rest of the world joining them “in the coming months”.
Skype for brings video and audio calls to’s interface, making it possible to initiate Skype calls right from your inbox. So next time you’re writing an email and suddenly realize text is just not enough, you should be able to start a voice or video chat with just a click or two.

For my Students...
… We’ve put together a list of five key tips to bear in mind when looking for job listings on Twitter. Whether it’s how you use Twitter to search for a job or how you use it to present yourself, there’s a lot that you can do using the social networking site to land your dream job.

Tuesday, April 30, 2013

Well, that's one way. Another might be to donate them to a Computer Security program that might invent a cheap method of decontamination.
"German IT magazine Heise reports (original in German) that the Ministry of Education in Schwerin had a Conficker virus infection on 170 machines, that was dealt with by simply throwing them in the trash. Other German authorities have now decided that 'the approach taken is not up to the principle of efficiency and economy' and that the 187,300 Euro invested in this radical form of virus removal were inappropriate. The ministry had earlier estimated the cost of cleaning their desktops and servers by more conventional means at 130,000 Euro."

For my Ethical Hackers and my Computer Forensics students
"ESET researchers, together with web security firm Sucuri, have been analyzing a new threat affecting Apache webservers. The threat is a highly advanced and stealthy backdoor being used to drive traffic to malicious websites carrying Blackhole exploit packs. Researchers have named the backdoor Linux/Cdorked.A, and it is the most sophisticated Apache backdoor seen so far. The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified 'httpd' file, the daemon (or service) used by Apache. All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis."
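Two host-side checks that follow from the description above, as an added example (not ESET's or Sucuri's tooling): verifying that the httpd binary still matches a known-good manifest, and triaging System V shared memory segments owned by the web server user, since that is where the backdoor keeps its state. All paths, hashes, uids and the /proc/sysvipc/shm sample are constructed; on a real host the manifest comes from the distribution's package database.

```python
"""Host checks for the Linux/Cdorked.A pattern described above: a modified
httpd on disk and backdoor state kept only in System V shared memory.
Added example, not ESET's or Sucuri's tooling. Paths, hashes, uids and the
/proc/sysvipc/shm sample are constructed; on a real host the manifest comes
from the distribution's package database."""
import hashlib

def read_file(path):
    """Bytes of the file, or None if it is missing or unreadable."""
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return None

def verify_manifest(manifest, read=read_file):
    """manifest: {path: expected sha256 hex}. Returns paths whose content
    differs or is missing. `read` is injectable so the check can run against
    a mounted image or, as in demo_manifest_check, in-memory data."""
    bad = []
    for path, expected in manifest.items():
        data = read(path)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            bad.append(path)
    return bad

def parse_sysvipc_shm(text):
    """Parse /proc/sysvipc/shm text (what `ipcs -m` reads) into dicts keyed
    by the header names (key, shmid, perms, size, cpid, lpid, nattch, uid,
    gid, ...); the fields used for triage are converted to int."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split()))
        for k in ("shmid", "size", "cpid", "lpid", "nattch", "uid", "gid"):
            row[k] = int(row[k])
        rows.append(row)
    return rows

def suspicious_segments(rows, web_uid, min_size=1 << 20):
    """Segments owned by the web server uid of at least min_size bytes.
    Apache holds some legitimate shared memory (scoreboard, caches), so this
    is a triage list to dump and inspect, not a verdict."""
    return [r for r in rows if r["uid"] == web_uid and r["size"] >= min_size]

# Constructed /proc/sysvipc/shm contents: two segments owned by uid 48 (the
# apache user on Red Hat-family systems), one of them 6 MiB, and one owned
# by an unrelated user.
SAMPLE_SHM = """\
       key      shmid perms                  size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime                   rss                  swap
         0          0  1600               65536  2101  2101      2    48    48    48    48 1367000000          0 1367000000                 65536                     0
         0      32769  1600             6291456  2101  2150      1    48    48    48    48 1367000100          0 1367000100               6291456                     0
         0      65538   600              262144  1502  1502      1  1000  1000  1000  1000 1367000200          0 1367000200                262144                     0
"""

def demo_manifest_check():
    """Constructed in-memory 'filesystem': httpd has had bytes appended,
    apachectl is untouched. Returns the list of modified paths."""
    stock_httpd = b"\x7fELF stock httpd bytes (constructed)"
    manifest = {
        "/usr/sbin/httpd": hashlib.sha256(stock_httpd).hexdigest(),
        "/usr/sbin/apachectl": hashlib.sha256(b"#!/bin/sh\n").hexdigest(),
    }
    fake_fs = {
        "/usr/sbin/httpd": stock_httpd + b"<injected code>",
        "/usr/sbin/apachectl": b"#!/bin/sh\n",
    }
    return verify_manifest(manifest, read=fake_fs.get)
```

Against a live host, `verify_manifest` would be fed the package database's recorded hashes and `parse_sysvipc_shm` the contents of `/proc/sysvipc/shm`; the segments it flags are the ones to dump for analysis before the box is rebooted, since nothing of them survives on disk.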

Yes, we do.
April 29, 2013
Article - The Dangers of Surveillance
The Dangers of Surveillance, Neil M. Richards, Washington University in Saint Louis - School of Law. March 25, 2013, Harvard Law Review, 2013 [Via SSRN]
  • "From the Fourth Amendment to George Orwell’s Nineteen Eighty-Four, our culture is full of warnings about state scrutiny of our lives. These warnings are commonplace, but they are rarely very specific. Other than the vague threat of an Orwellian dystopia, as a society we don’t really know why surveillance is bad, and why we should be wary of it. To the extent the answer has something to do with “privacy,” we lack an understanding of what “privacy” means in this context, and why it matters. Developments in government and corporate practices have made this problem more urgent. Although we have laws that protect us against government surveillance, secret government programs cannot be challenged until they are discovered. And even when they are, courts frequently dismiss challenges to such programs for lack of standing, under the theory that mere surveillance creates no tangible harms, as the Supreme Court did recently in the case of Clapper v. Amnesty International. We need a better account of the dangers of surveillance."

You are either a servant of the state or you are an enemy of the state.
Government Seeks to Fine Companies for Not Complying With Wiretap Orders
It isn’t often that communications companies push back against government requests to monitor customers and hand over information about them, but a government task force is seeking to make it even harder for companies to say no.
The task force is pushing for legislation that would penalize companies like Google, Facebook and Skype that fail to comply with court orders for wiretapping, according to the Washington Post. The cost of non-complying would be an escalating series of fines, starting at tens of thousands of dollars. Fines that remained unpaid after 90 days would double daily.
Unlike telecommunications companies that are required under the 1994 Communications Assistance for Law Enforcement Act (CALEA) to have systems that are wiretap-enabled, some internet communication methods — such as social networking sites and online gaming sites — aren’t easily wiretapped and are not required to enable the capability under CALEA. Companies that argue that they don’t have the means to enable wiretapping have avoided complying with court orders seeking real-time surveillance, the paper notes. The legislation is intended to force these companies into finding technology solutions that would enable real-time surveillance.

Facebook Says It’s Now as Big as Windows (Literally)
… The massive collection of software code needed to create that Facebook page inside your web browser, he says, has now expanded to the point where it’s about the same size as the code that underpins the Windows operating system.
… In January of 2011, in a post to question-and-answer site Quora, Facebook engineer Evan Priestley said that Facebook spanned 9.2 million lines of code — a figure that didn’t include various services used to support the main Facebook application. Jason Evans says that this post was spot on, but then he points out that it happened two years ago — an eternity in the life of Facebook — and he confirms that the figure only applies to a portion of the site as we know it.

...but is it accurate?
Provocative Pro-Gun Billboard Called “Offensive”
Colorado ad bought by local residents has upset Native Americans.

My weekly amusement (a bit late)
… The state of Washington has passed and signed into law HB1472, a bill that creates initiatives to “improve and expand computer science education” in the state. In part, the legislation will allow CS to count as a math or science requirement towards high school graduation.
Mozilla has released the draft version of its Web Literacy standards. Feedback is welcome.
… Universities from 11 European countries have joined forces to launch the MOOC initiative OpenupEd. It will offer 40 classes, taught in 12 different languages.
… Bravo to Mozilla for remixing the meaning of the MOOC acronym — a “Mozilla Open Online Collaboration.” You can join the organization’s MOOC “Teach the Web,” which will help folks learn how to teach digital literacy and webmaking skills and starts May 2.

Monday, April 29, 2013

Not my view of privacy. If I had an arrest record, and that record was public information, I would expect many would not make a 'sensible evaluation' without training at a good law school. On the other hand, no matter how lawfully I live my life, advertisers and the people who provide targeting information will demand the “right” to intrude on my life, monitor my activities, and build a permanent (if questionable) dossier. What would the founding fathers have thought of that?
Judge Richard A. Posner of the U.S. Court of Appeals for the Seventh Circuit is also a senior lecturer with the University of Chicago Law School. He has an OpEd in the New York Daily News called “Privacy is Overrated.” Here are just two snippets:
[Mayor Bloomberg] wants concerns with privacy to take second place to concerns with security.
I strongly agree, though I’m not sure that the Constitution will have to be reinterpreted in order to enable the shift of emphasis that he (and I) favor. Neither the word “privacy” nor even the concept appears anywhere in the Constitution, and the current Supreme Court is highly sensitive, as it should be, to security needs. The Court can and doubtless will adjust the balance between privacy and security to reflect the increase in long-run threats to the lives of Americans.
There is a tendency to exaggerate the social value of privacy.
Privacy-protecting laws are paternalistic; they are based on a skepticism regarding whether people can make sensible evaluations of an arrest record or other private facts that enter the public domain.
Still, a good deal of privacy just facilitates the personal counterpart of the false advertising of goods and services, and by doing so, reduces the well-being of society as a whole.
Read his entire commentary on NY Daily News.
[From the article:
We don’t want our arrest record to be made public; our medical history to be made public; our peccadilloes to be made public; and so on. We want to present sanitized versions of ourselves to the world.
… I do not argue that all concealment is bad. There is nothing wrong with concealing wealth in order to avoid being targeted by thieves or concealing embarrassing personal facts, such as a deformity or being related to a notorious criminal, that would not cause a rational person to shun us but might complicate our social and business relations.

April 28, 2013
US News: IRS tracks your digital footprint
"The Internal Revenue Service is collecting a lot more than taxes this year -- it's also acquiring a huge volume of personal information on taxpayers' digital activities, from eBay auctions to Facebook posts and, for the first time ever, credit card and e-payment transaction records, as it expands its search for tax cheats to places it's never gone before. [There is a presumption that everyone cheats Bob] The IRS, under heavy pressure to help Washington out of its budget quagmire by chasing down an estimated $300 billion in revenue lost to evasions and errors each year, will start using "robo-audits" of tax forms and third-party data the IRS hopes will help close this so-called "tax gap." But the agency reveals little about how it will employ its vast, new network scanning powers. Tax lawyers and watchdogs are concerned about the sweeping changes being implemented with little public discussion or clear guidelines, and Congressional staff sources say the IRS use of "big data" will be a key issue when the next IRS chief comes to the Senate for approval. Acting commissioner Steven T. Miller replaced Douglas Shulman last November."

(Related) But the crooks have rights!
Fox6 puts a human face on the problems of identity theft, with a focus on how the IRS has not notified people whose identity information (Social Security number) was misused. Frustratingly, the IRS was saying it couldn’t disclose such information because of the privacy rights of the identity thieves. A law passed to remedy some of the problem has been only partially helpful as the IRS still has not done a good job of alerting people when their SSN is being misused.
Read one couple’s story on Fox6.