Saturday, May 11, 2013

Probably too expensive. Insurance was probably too expensive also.
Yesterday, federal prosecutors in Brooklyn revealed that an international team of thieves had stolen close to $45 million in the biggest ATM fraud case in history. The heist required some hacking and a lot of orchestration, so news organizations and police forces have been calling it high-tech and "sophisticated." Which it isn't, really! It's possible because the US--yes, specifically the US--is wildly behind the times in terms of transactional security, relying on a 50-year-old technology.

(Related) How will this change their liability?
Dinesh Nair and Jessica Dye of Reuters report that one of the card processors whose security was breached in a $45 million global cyber heist was India’s ElectraCard Services. No one has confirmed that officially, however, as the sources spoke on condition of anonymity. You can read the Reuters’ exclusive coverage here.

“We find it useful. Why would we think it might be wrong?”
Amy Chozik and Ben Protess report on what the NYT calls a privacy breach, but is also a security breach, in my opinion:
A shudder went through Wall Street on Friday after the revelation that Bloomberg News reporters had extracted subscribers’ private information through the company’s ubiquitous data terminals to break news.
The company confirmed that reporters at Bloomberg News, the journalism arm of Bloomberg L.P., had for years used the company’s terminals to monitor when subscribers had logged onto the service and to find out what types of functions, like the news wire, corporate bond trades or an equities index, they had looked at. Bloomberg terminals, which cost an average of more than $20,000 a year, are found in nearly every banking and trading company.
Bloomberg said the functions that allowed journalists to monitor subscribers were a mistake and were promptly disabled after Goldman Sachs complained that a Bloomberg reporter had, while inquiring about a partner’s employment status, pointed out that the partner had not logged onto his Bloomberg terminal lately. [Following the “dang, we've been caught!” protocol. Bob]
Read more on NY Times.
Zachary Seward has a companion piece on Quartz, called, What Bloomberg employees can see when they snoop on customers.

“We find it politically useful. Why would we think it might be wrong?” Obviously tax laws are always political.
"A recurring theme in comments on Slashdot since the 9/11 attacks has been concern about the use of government power to monitor or suppress political activity unassociated with terrorism but rather based on ideology. It has just been revealed that the IRS has in fact done that. From the story: "The Internal Revenue Service inappropriately flagged conservative political groups for additional reviews during the 2012 election . . . Organizations were singled out because they included the words 'tea party' or 'patriot' in their applications for tax-exempt status, said Lois Lerner, who heads the IRS division that oversees tax-exempt groups. In some cases, groups were asked for their list of donors, which violates IRS policy in most cases, she said. 'That was wrong. That was absolutely incorrect, it was insensitive and it was inappropriate. That's not how we go about selecting cases for further review,' Lerner said . . . 'The IRS would like to apologize for that,' she added. . . . Lerner said the practice was initiated by low-level workers in Cincinnati and was not motivated by political bias. . . . she told The AP that no high level IRS officials knew about the practice. Tea Party groups were livid on Friday. ... In all, about 300 groups were singled out for additional review. . . Tea Party groups weren't buying the idea that the decision to target them was solely the responsibility of low-level IRS workers. ... During the conference call it was stated that no disciplinary action had been taken by those who engaged in this activity. President Obama has previously joked about using the IRS to target people."
So it's not how they choose cases for review (except when it is), and was not motivated by political bias (except that it was). Also at National Review, with more bite.

For my Computer Forensics class. (Another reason to avoid “sexting?”)
Mobile photo-sharing app SnapChat has one claim to fame, compared to other ways people might share photos from their cellphones: the photos, once viewed, disappear from view, after a pre-set length of time. However, it turns out they don't disappear as thoroughly as users might like. New submitter nefus writes with this excerpt from Forbes:
"Richard Hickman of Decipher Forensics found that it's possible to pull Snapchat photos from Android phones simply by downloading data from the phone using forensics software and removing a '.NoMedia' file extension that was keeping the photos from being viewed on the device. He published his findings online and local TV station KSL has a video showing how it's done."
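The forensic point behind the finding above is that a filename or suffix says nothing about what a file contains. The following is an added example, not code from Decipher Forensics or from the Forbes article: a triage script that walks an extracted app data directory and identifies image and video files by their leading bytes (well-known magic values), flagging any whose name does not carry a media extension, such as a trailing ".nomedia" suffix or no suffix at all. The directory layout and sample bytes are constructed for the example, and the signature table is deliberately small.

```python
"""Content-signature triage: find image/video files whose name hides them.

Added illustration for the Snapchat/.NoMedia finding; not code from
Decipher Forensics or the cited article. The directory layout and sample
bytes below are constructed for the example.
"""
import os
import tempfile

# Leading-byte signatures for common media containers (well-known magic values).
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
# Extensions under which media is expected to be visible; anything else is suspect.
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp4"}


def sniff_type(path):
    """Return the media type implied by the file's first bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    # MP4/MOV containers carry 'ftyp' at offset 4 rather than at offset 0.
    if head[4:8] == b"ftyp":
        return "mp4"
    for name, magic in SIGNATURES.items():
        if head.startswith(magic):
            return name
    return None


def find_hidden_media(root):
    """Walk root and report files whose content is media but whose name does
    not end in a media extension (e.g. a '.nomedia' suffix or no suffix)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            kind = sniff_type(path)
            if kind is None:
                continue
            ext = os.path.splitext(fname)[1].lower()
            if ext not in MEDIA_EXTS:
                hits.append((os.path.relpath(path, root), kind))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: an extracted app data directory with four files,
    two of which are media hidden behind a non-media filename."""
    root = tempfile.mkdtemp(prefix="triage_")
    samples = {
        "received_image_snaps/snap1.jpg.nomedia": SIGNATURES["jpeg"] + b"\x00" * 32,
        "received_image_snaps/snap2": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 32,
        "cache/settings.json": b'{"theme": "dark"}',
        "gallery/real.png": SIGNATURES["png"] + b"\x00" * 32,
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, kind in find_hidden_media(build_sample_tree()):
        print(f"{kind:5s} {rel}")
```

Run against the constructed tree, the script reports the two disguised files and ignores both the JSON file and the PNG that already carries a media extension. In a real examination the signature table would be broader and the walk would run over a forensic image mounted read-only, but the check itself, content first and filename second, is the same.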

Is this the proper way to do it?
Kevin Chen reports that an announcement by LinkedIn is being met with some skepticism:
Next week, LinkedIn will update its privacy policy to let advertisers sponsor content on the LinkedIn feed. LinkedIn announced the plans to change its privacy policy so as to not surprise its users.
Beyond introducing advertising changes on its platform, LinkedIn will also launch a Privacy Portal, a one-stop shop for users to access all their LinkedIn data. The company says it will also look to “clarify and simplify” the policy’s language so that privacy details are easier to understand.
Read more on The Motley Fool.

One should have only impersonal assistants.
CBC News reports:
Education Minister Jody Carr is facing calls for his resignation after he admitted on Thursday that one of his political assistants breached the privacy rights of a high school student.
Carr acknowledged that his staffer released the mark the student earned on an exam and the Opposition Liberals say based on precedent, Carr should step down from cabinet.
Read more on CBC News.

One would not expect the “Deer Hunter” state to practice “Ready, Fire!, Aim” legislative tactics. No doubt they argued that they “had to do something!”
Blaine Kimrey of Lathrop & Gage LLP has a commentary on a breach notification law that passed the PA Senate. As noted previously on this blog, the bill extends existing data breach notification responsibilities to state agencies, but also requires notification of those affected within seven days. Kimrey writes:
After a series of embarrassing governmental data breaches, the Pennsylvania Senate has overreacted, imposing a seven-day notice requirement on governmental entities faced with data breaches. While governmental entities certainly should be held to the same data breach standards as private industry, this seven-day requirement simply goes too far and ensures that in responding to data breaches, Pennsylvania agencies will fail.
I agree.
You can read his full commentary on Lexology. The bill is now in the House, where it was referred to the Judiciary Committee. The Governor’s office had informed me that if the bill passes, the Governor will likely sign it.

Will logic prevail?
"The Federal Circuit has divided CLS Bank vs. Alice Corp., a case about various sorts of patents, including software patents. Although the judges disagreed, to a lesser or greater extent, on the individual parts of the ruling, more than half decided that the patents in question — algorithms for hedging risk — were ineligible patent matter, and that merely adding an 'on a computer'-like clause to an abstract algorithm does not make it patentable. Further coverage is available at Groklaw, or you can read the opinion itself (PDF)."

For my Geeks.
Mozilla offers developers phones to write Firefox OS apps
Mozilla has a deal for programmers: We'll supply the phones if you supply the apps.
In an effort to ensure there will be good Firefox OS apps in the Firefox Marketplace, Mozilla is offering developer phones to programmers who have compelling ideas for software. In a blog post Thursday, Mozilla employee Havi Hoffman tried to drum up interest:
If you can show you've got a great app idea and the skill to build it, we'd love to see your apps in the Marketplace when the Firefox OS launch begins later this summer. And to sweeten the deal, we'll send a Firefox OS Developer Preview device for you to work with now.

For my Intro to IT students...
This is the first article of a two-part series where we will explore the benefits of creating a personal website. Today, we’ll cover the common misconceptions that are keeping you from creating an awesome personal website.
Myth 1: What I Do Isn’t Interesting Enough To Have On a Website
Myth 2: I’m A Private Person and I Don’t Like Being Known About
Myth 3: I Have No Idea Where to Even Start
Myth 4: I Don’t Know How To Code – Like, At All
Myth 5: Building A Website Would Take Far Too Much of My Time
Above is a video by Thomas Frank, the one who inspired me to build my own personal website with his article The Ultimate Guide To Building A Personal Website, which lives up to its name and is a very good resource that I recommend for creating your own self-hosted WordPress site.
Myth 6: Owning A Website Is Way Out Of My Budget
… If you still don’t feel like it can really benefit you, I highly recommend you follow up with the second article in this series where we look at how it can add value to your career.
There are also a ton of awesome websites that you can use as inspiration. Thomas Frank, the guy I mentioned earlier who wrote the ultimate personal website guide, put together another article where he featured several of his own readers’ websites. If you’re looking for some inspiration as to what it should look like or have on it, those will definitely be a help.

The 5 Biggest Education Technology Trends To Know About

My weekly chuckle...
… A group of young boys at Driver Elementary School in Virginia were suspended by district officials for pointing pencils at each other and making shooting noises. The district has a “no tolerance” policy for violence and “there has to be a consequence,” said a district spokesperson. [We have become a nation of terrified wimps! Bob]
USA Today reports that Xerox is getting into the grading papers business with a new product called Ignite “that turns the numerous copiers/scanners/printers it has in schools across the United States into paper-grading machines.” The article invokes the phrase “game changer” so there ya go.
PBS aired a one-hour special of TED Talks on education this week, featuring Bill Gates. The Gates Foundation’s list of grants awarded to PBS is here.
Bloomberg reports that textbook publisher Cengage Learning might file for bankruptcy. “Cengage reported an operating loss of $2.77 billion for the three months ended March 3.”

Friday, May 10, 2013

The logistics clearly make this an “organized crime” operation. Note that the seven arrested took only a small fraction ($2.8 million) of the total.
This will be one for the books… and Hollywood spinoffs. Jessica Dye and Jim Finkle of Reuters report:
The government charged eight people with using data obtained by hacking into two credit card processors in a worldwide scheme that netted some $45 million within hours, a crime prosecutors described as one of the biggest bank heists in history.
The individuals formed the New York-based cell of a global cybercriminal organization that stole MasterCard debit card data from two Middle Eastern banks, the Justice Department said. The information was used to make more than 40,500 withdrawals at automated teller machines in 27 countries, prosecutors said.
Read more on CNBC. Here’s the press release from the U.S. Attorney’s Office, Eastern District New York.
[From the CNBC article:
Prosecutors said the attacks, known as "unlimited operations," occurred in two separate incidents, in December 2012 and February 2013.
… In the New York area, the ring withdrew nearly $400,000 in less than three hours at more than 140 ATMs, the prosecutors said. On another occasion, about $2.4 million was collected in nearly 3,000 ATM withdrawals over 10 hours, they said.
[From the US Attorney's press release:
Over the course of approximately 10 hours, casher cells in 24 countries executed approximately 36,000 transactions worldwide and withdrew about $40 million from ATMs. From 3 p.m. on February 19 through 1:26 a.m. on February 20, the defendants and their co-conspirators withdrew approximately $2.4 million in nearly 3,000 ATM withdrawals in the New York City area.
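The numbers quoted above (nearly 3,000 withdrawals in ten hours in one city, 36,000 across 24 countries) are exactly the pattern an issuer's or processor's monitoring should catch on its own, regardless of whether the withdrawal limit on the card has been tampered with. As an added example, not code from any of the organisations named in the story, here is a rolling-window check over ATM withdrawal records that flags a card on three independent grounds: too many withdrawals in an hour, too much cash in an hour, or use in more than one country within the same hour. The log format, thresholds and card tokens are assumptions constructed for the example.

```python
"""Velocity and geo-spread checks over ATM withdrawal records.

Added illustration for the "unlimited operations" cash-out described above;
not code from any of the cited organisations. The log format, the card
tokens and the thresholds are assumptions chosen for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: card token, UTC timestamp, country, amount (USD).
# A cash-out crew runs one card through many ATMs in a short window; a
# real cardholder does not withdraw in three countries in two hours.
SAMPLE_LOG = """\
card=tok_AAA ts=2013-02-19T20:00:00 country=US amount=500
card=tok_AAA ts=2013-02-19T20:04:00 country=US amount=500
card=tok_AAA ts=2013-02-19T20:09:00 country=US amount=500
card=tok_AAA ts=2013-02-19T20:15:00 country=US amount=500
card=tok_AAA ts=2013-02-19T20:21:00 country=US amount=500
card=tok_AAA ts=2013-02-19T20:27:00 country=US amount=500
card=tok_BBB ts=2013-02-19T20:00:00 country=JP amount=800
card=tok_BBB ts=2013-02-19T20:30:00 country=RU amount=800
card=tok_BBB ts=2013-02-19T21:10:00 country=DE amount=800
card=tok_CCC ts=2013-02-19T20:00:00 country=US amount=200
card=tok_CCC ts=2013-02-20T09:00:00 country=US amount=100
"""

WINDOW = timedelta(hours=1)
MAX_WITHDRAWALS_PER_WINDOW = 5   # assumption: more than this per hour is abnormal
MAX_AMOUNT_PER_WINDOW = 2000     # assumption: rolling one-hour cash limit in USD
MAX_COUNTRIES_PER_WINDOW = 1     # a physical card cannot be in two countries at once


def parse_log(text):
    """Parse key=value lines into dicts; timestamps become datetime objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        fields["amount"] = int(fields["amount"])
        records.append(fields)
    return records


def detect_cashout(records):
    """Return {card: set(reasons)} for cards whose rolling-window activity
    exceeds the count, amount or country thresholds."""
    by_card = defaultdict(list)
    for r in records:
        by_card[r["card"]].append(r)

    alerts = defaultdict(set)
    for card, txns in by_card.items():
        txns.sort(key=lambda r: r["ts"])
        start = 0
        for end, cur in enumerate(txns):
            # Slide the window start forward until it lies within WINDOW of cur.
            while cur["ts"] - txns[start]["ts"] > WINDOW:
                start += 1
            window = txns[start:end + 1]
            if len(window) > MAX_WITHDRAWALS_PER_WINDOW:
                alerts[card].add("velocity")
            if sum(t["amount"] for t in window) > MAX_AMOUNT_PER_WINDOW:
                alerts[card].add("amount")
            if len({t["country"] for t in window}) > MAX_COUNTRIES_PER_WINDOW:
                alerts[card].add("geo")
    return dict(alerts)


if __name__ == "__main__":
    for card, reasons in sorted(detect_cashout(parse_log(SAMPLE_LOG)).items()):
        print(card, sorted(reasons))
```

On the constructed log, tok_AAA trips both the velocity and the amount rule (six withdrawals and $3,000 inside half an hour), tok_BBB trips the geo rule (Japan, Russia and Germany within two hours), and tok_CCC, two modest withdrawals thirteen hours apart, is left alone. The point of checking at the processor or issuer rather than trusting the per-card limit is that the limit is precisely the control the crews in this case defeated.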

Interesting (if small) breach. Looks like they ignored almost every “Best Practice.” They didn't detect the breach and once told about it, it sounds like a very poor response.
Rachel La Corte reports:
The Washington state Administrative Office of the Courts was hacked in February, and up to 160,000 Social Security numbers and 1 million driver license numbers may have been accessed during the data breach of its public website.
Officials with the courts announced Thursday that so far, it has been confirmed that 94 Social Security numbers were obtained. Initially, authorities didn’t think confidential information was taken, but following an investigation by the Multi-State Information Sharing and Analysis Center, the broader breach was confirmed in April, said courts spokeswoman Wendy Ferrell.
Read more on KOMO News. Somewhat surprisingly (to me, anyway):
Ferrell said that there is no active law enforcement investigation at this time, but people who believe they are at risk should take precautions to monitor credit.
Why is there no active law enforcement investigation of a hack involving the state?

(Related) How they did it.
Rachel La Corte has more on the hack reported earlier today on this blog:
The breach happened due to vulnerability in an Adobe Systems Inc. software program, ColdFusion, that has since been patched, court officials said. The hack happened sometime after September but wasn’t caught until February, they said.
Mike Keeling, the courts’ information technology operations and maintenance manager, said officials were alerted to the breach by a business on the East Coast that had a similar intrusion.
“They recognized our information in their breach log,” Keeling said, which led them to install the patch provided by Adobe and start an investigation.
Keeling acknowledged that confidential information should have been kept in a different area, “and now they are.”
“I can say nothing more than it was an oversight on our part,” he said.
Read more on Yakima Herald.

Perhaps my Ethical Hackers would do this faster? (For a modest fee, of course)
Apple deluged by police demands to decrypt iPhones
Apple receives so many police demands to decrypt seized iPhones that it has created a "waiting list" to handle the deluge of requests, CNET has learned.
Court documents show that federal agents were so stymied by the encrypted iPhone 4S of a Kentucky man accused of distributing crack cocaine that they turned to Apple for decryption help last year.
An agent at the ATF, the federal Bureau of Alcohol, Tobacco, Firearms and Explosives, "contacted Apple to obtain assistance in unlocking the device," U.S. District Judge Karen Caldwell wrote in a recent opinion. But, she wrote, the ATF was "placed on a waiting list by the company."
A search warrant affidavit prepared by ATF agent Rob Maynard says that, for nearly three months last summer, he "attempted to locate a local, state, or federal law enforcement agency with the forensic capabilities to unlock" an iPhone 4S. But after each police agency responded by saying they "did not have the forensic capability," Maynard resorted to asking Cupertino.
Because the waiting list had grown so long, there would be at least a 7-week delay, Maynard says he was told by Joann Chang, a legal specialist in Apple's litigation group. It's unclear how long the process took, but it appears to have been at least four months.
… It's not clear whether that means Apple has created a backdoor for police -- which has been the topic of speculation in the past -- whether the company has custom hardware that's faster at decryption, or whether it simply is more skilled at using the same procedures available to the government. Apple declined to discuss its law enforcement policies when contacted this week by CNET.

“We are determined to give our secret police the ability to create complete dossiers on every citizen. How else can we control them?”
David Kravets reports:
The immigration reform measure the Senate began debating yesterday would create a national biometric database of virtually every adult in the U.S., in what privacy groups fear could be the first step to a ubiquitous national identification system.
Buried in the more than 800 pages of the bipartisan legislation (.pdf) is language mandating the creation of the innocuously-named “photo tool,” a massive federal database administered by the Department of Homeland Security and containing names, ages, Social Security numbers and photographs of everyone in the country with a driver’s license or other state-issued photo ID.
Read more on Threat Level.
[From the article:
Employers would be obliged to look up every new hire in the database to verify that they match their photo. [After all, job applicants are guilty until proven innocent, right? Bob]
… “It’s like a national ID system without the card.”

Interesting. Is that a “We'll never make that mistake again” or a “Let's let the anger die down for a while?” Or perhaps they have a better way? In-store drones?
Angela Martin of CBS-DFW follows up on a story mentioned previously on this blog:
Nordstrom is no longer collecting information from the smart phones of its customers.
Since September, sensors staged throughout the stores were able to track signals from smart phones as they attempted to connect to Wi-Fi service. The company said it was using the data to measure foot traffic within different departments of its stores at different times of the day.
Nordstrom spokesperson Tara Darrow confirmed the company stopped using sensors the day after CBS 11 aired a story about the practice. [Yep. A definite “We didn't think we'd get caught!” Bob] After the story, customers contacted the company to ask questions and share feedback, according to Darrow.
Read more on CBSDFW.
Shining the light on surveillance practices – by government or businesses – sometimes helps. In this case, it seems to have brought the “experiment” to a quicker halt and gave the business some feedback from customers who were unhappy with what the store was doing.

Nordstrom may no longer be using Euclid to track smartphones, but other retailers are. And Ryan Grenoble reports that opting out may not be easy for some shoppers:
On its privacy page, Euclid assures skeptics it does not collect sensitive data, such as “who you are, whom you call or the websites you visit.” The anonymous data on individual shoppers that the company does collect is bundled with data from other individuals, resulting in an aggregate report of anonymous information.
Euclid has an opt-out option for shoppers who would rather not be tracked as they wander the aisles of participating retailers, though the process requires the user to look up his smartphone’s MAC address, a unique code that identifies the device to a network. (However, the MAC address is usually buried deep in the phone’s settings, and digging it out may be a daunting task for some users.) After a shopper opts out, his information is wiped from Euclid’s database along with Euclid’s record of the phone’s MAC address.
Read more on Huffington Post.

I think I'll forget this article...
May 09, 2013
On The "Right to Be Forgotten": Challenges and Suggested Changes to the Data Protection Regulation
  • "Since January 2012, the European Union institutions have been debating draft legislation to reform European rules on data protection (commonly referred to as the Data Protection Regulation (DPR)). Article 17 of the proposed DPR presents the concept of a "Right to Be Forgotten". Article 17 would allow a user to request that an online service provider delete all data – including data that has been made public – it has about that user. While CDT is sympathetic to the concerns that underlie Article 17, we have recommended that it be redrafted and narrowed substantially. As laid out in the Commission’s proposal it would significantly limit users’ free expression rights and impose unreasonable burdens on online platforms and ISPs, likely leading to fewer platforms for user speech. Private companies are ill-equipped to take responsibility for decisions that balance the right to privacy with the right to free expression. [Are they being asked to make a decision? Bob] Such questions are ultimately for courts to decide, interpreting carefully drawn legislative mandates in light of relevant human rights jurisprudence. Moreover, we believe that the measures to protect journalistic and artistic expression – namely, those granted by Article 80 of the DPR – are too narrowly drafted and do not satisfy international human rights obligations regarding free expression."

As goes California? I imagine the social networks will fight to avoid loss of their most easily influenced age group.
Philip Janquart reports:
A bill intended to give parents the right to pull their children’s personal information off social networking sites has passed the California Senate.
After a 23-10 vote, SB501, or the Social Networking Privacy Act, now moves to the Assembly, the lower house of the California Legislature.
Read more on Courthouse News.
“It’s for the children” arguments are often problematic. Should a parent really be allowed to demand removal of a 17 year-old’s information? What if the 17 year-old is politically advocating for changes in law and gives out his/her details because s/he wants to be contacted by others with similar views?

Think of this as a “Get out of jail, free” card.
Karen Gullo reports:
Delta Air Lines Inc. won dismissal of claims it violated California’s Internet privacy law because its mobile-phone application didn’t notify users that personal information, such as their locations, was being collected.
California Attorney General Kamala Harris sued Atlanta-based Delta in December alleging its “Fly Delta” app didn’t have a clearly posted privacy policy. Judge Marla Miller in state court in San Francisco agreed today with the airline that the federal Airline Deregulation Act bars states from imposing regulations on airlines related to price, routes or services.
Read more on Bloomberg News.

“It's a bird! It's a plane! It's SuperDrone!” Except where prohibited by law...
Jackie Johnson reports:
Photos, video and audio recordings captured without permission on private property with the use of a drone would be against the law under legislation being introduced at the state Capitol.
Lawmakers from both sides of the political aisle in Wisconsin want to ensure remote-controlled [How about autonomous drones? Bob] flying devices do not threaten individual privacy rights.

(Related) Is the era of the drone already at an end? (reads more like a hypothetical case to me)
Scott Bomboy writes:
A United Nations report about “killer robots” is a new spin on the rising concern about drones—and the legal problems caused by self-guided machines could be closer than you think.
The U.N. Human Rights Commission plans to address part of the issue later this month in Geneva. Christof Heyns, a South African professor of human rights law, released an extensive U.N. report on the topic in April that has ominous overtones.
Like many military technologies, these robots are also making their way into the civilian world. FEMA’s website lists government-approved robots including the SNEAKY, a small surveillance robot that literally sneaks around gathering evidence. SNEAKY can do border inspections, gather audio and video evidence, sniff bags, and issue voice instructions.
Read more on Constitution Daily.

This could be very interesting, if it ever actually happens.
May 09, 2013
Executive Order -- Making Open and Machine Readable the New Default for Government Information
"To promote continued job growth, Government efficiency, and the social good that can be gained from opening Government data to the public, the default state of new and modernized Government information resources shall be open and machine readable. Government information shall be managed as an asset throughout its life cycle to promote interoperability and openness, and, wherever possible and legally permissible, to ensure that data are released to the public in ways that make the data easy to find, accessible, and usable. In making this the new default state, executive departments and agencies (agencies) shall ensure that they safeguard individual privacy, confidentiality, and national security."

We knew this was coming...
Google announced on Thursday the launch of a pilot program designed to offer paid channels on YouTube with subscription fees starting at $0.99 per month. The program kicked off with a small group of partners including the producers of Sesame Street, Big Star Movies, DHX Kids TV, National Geographic Kids, Primezone Sports, and TYTPlus.
According to Google, there are over 1 million channels generating quality professional content and revenue on YouTube, making paid channels a natural way for content producers to increase their revenue beyond advertising sponsorship.
The paid channels work similarly to any online subscription service.

Fun and games for my Ethical Hackers?
Gianna, 14, discovers iPad 2 heart risk
Gianna Chien is somewhat different from all the other researchers reporting on their work to more than 8000 doctors at the Heart Rhythm Society meeting in Denver, Colorado.
Chien is 14, and her study – which found that Apple's iPad 2 can, in some cases, interfere with life-saving heart devices because of the magnets inside – is based on a science-fair project that didn't even win her first place.
… If a person falls asleep with the iPad 2 on the chest, the magnets in the cover can "accidentally turn off" the heart device, said Chien, a high school freshman in Stockton, California, whose father is a doctor. "I definitely think people should be aware. That's why I'm presenting the study."
Defibrillators, as a safety precaution, are designed to be turned off by magnets. The iPad 2 uses 30 magnets to hold the iPad 2's cover in place, Chien said. While the iPad 2 magnets aren't powerful enough to cause problems when a person is holding the tablet out in front of the chest, it can be risky to rest it against the body, she found.

Thursday, May 09, 2013

So this could reveal who is in a 'battered women's shelter' or the location of foster children? Not good, but not talking about the risks is even worse!
This could be bad. WGN TV reports:
Chicago police are investigating a “significant theft” of computer equipment from the Dept of Family and Support Services.
Someone stole about $41,000 worth of computer equipment from a city office building on the West Side in a burglary, police said.
Police could not comment on what information may have been compromised.
A spokesperson for DFSS was also unable to comment saying “Because this matter is under investigation by Chicago Police, it would be inappropriate for us to comment on any of the details that could be a part of that investigation.”
The Chicago Tribune has a bit more on the burglary, including the fact that not all of the equipment stolen was new equipment.
If any unencrypted PII or PHI were on the stolen computers, the police would not want to tip the burglars to the presence of usable information. But by the same token, if there are PII or PHI on it, DFSS cannot afford to wait long to alert clients, who will need to protect themselves.

(Related) Statistically, this might be true, but potential victims would rather have the particulars for this case, not what happens “on average.”
A breach notification letter submitted this week to the Vermont Attorney General’s Office by WorldVentures Marketing had me grinding my teeth.
According to the notification to consumers, WorldVentures recently became aware of unauthorized access to their servers. The access may have occurred from October 23, 2012 through March 14, 2013. The server held customers’ credit card numbers with expiration dates. They do not indicate how they became aware of the unauthorized access.
The firm says that they do not have any evidence that the card data were extracted. Then again, do they have any firm proof it wasn’t extracted?
“We believe the risk of harm to you is low.”
If you don’t know for sure that data were not extracted, should you write that? No.
The firm did not offer affected customers any free credit monitoring services.

“It's for your own good!”
hypnosec tipped us to news that India is rolling out a new intrusive monitoring system, using the authority of a 2000 telecom law. Quoting The Times of India:
"However, Pavan Duggal, a Supreme Court advocate specialising in cyberlaw, said the government has given itself unprecedented powers to monitor private Internet records of citizens. 'This system is capable of abuse,' he said. The Central Monitoring System, being set up by the Centre for Development of Telematics, plugs into telecom gear and gives central and state investigative agencies a single point of access to call records, text messages, and emails as well as the geographical location of individuals."
Privacy advocates are worried about abuse, partially because India has no effective privacy legislation, and the "...Indian government under PM Manmohan Singh has taken an increasingly uncompromising stance when it comes to online freedoms, with the stated aim usually to preserve social order and national security or fight 'harmful' defamation."

Don't locate it next to a skeet range...
Colorado's Mark Udall, a privacy watchdog, stumps for domestic drones
Sen. Mark Udall … is spinning a sunnier side to unmanned machines that fly in the sky with cameras.
At a Washington speech Wednesday to entrepreneurs and business leaders in the unmanned aerial technology sector, Udall urged development of the technology, saying it will help people. [at least, Sen. Udall Bob]
"We need to integrate unmanned aerial systems into the American psyche in a way that isn't threatening or scary," [i.e. Sneak up on them? Bob] he said, in remarks at the National Press Club. "Many here today have likely recognized that I'm deliberately not using the word 'drone' because it carries a stigma.
… Udall, along with other Colorado officials, is urging the Federal Aviation Administration to make Colorado a test site for the unmanned aircraft systems.
… To keep the checks and balances intact, Udall plans proposed legislation that would prohibit individuals or private businesses from spying on another person using a privately operated drone.

It's a Jedi mind trick: “This is not the Fourth Amendment violation you are looking for...”
Additional perspective on today’s ruling in Rigmaiden from Linda Lye of the ACLU:
Today, a federal district judge in Arizona issued a very disappointing decision concerning the government’s obligations to be candid with courts about new technologies they are seeking a warrant to use.
The case involves Daniel Rigmaiden, who is being criminally prosecuted for an alleged electronic tax fraud scheme. The government used a surveillance device known as a stingray to locate Mr. Rigmaiden. A stingray operates by simulating a cell tower and tricking all wireless devices on the same network in the immediate vicinity to communicate with it, as though it were the carrier’s cell tower. In order to locate a suspect, a stingray scoops up information not only of the suspect, but all third parties on the same network in the area. This means that when the government uses a stingray to conduct a search, it is searching not only the suspect, but also tens or hundreds of third parties who have nothing to do with the matter. When the FBI sought court permission to use the device to locate Mr. Rigmaiden, it didn’t explain the full reach of stingrays to the court.
The ACLU and the Electronic Frontier Foundation filed an amicus brief arguing that when the government wants to use invasive surveillance technology, it has an obligation to explain to the court basic information about the technology, such as its impact on innocent third parties. This is necessary to ensure that courts can perform their constitutional function of ensuring that the search does not violate the Fourth Amendment. Unfortunately, today’s decision trivializes the intrusive nature of electronic searches and potentially opens the door to troubling government misuse of new technology.
In today’s decision denying the motion to suppress, the judge held that information about how the stingray operates – such as the fact that it scoops up third party data – was merely a “detail of execution which need not be specified.” We respectfully but strongly disagree.
Read more on ACLU’s blog.

If aggregating lots and lots of trivial data points could add up to a search, where would that leave the data brokers who collect all that behavioral advertising stuff?
Orin Kerr writes:
I haven’t blogged recently on judicial decisions considering the mosaic theory of the Fourth Amendment. As regular readers will recall, the “mosaic theory” is a term for the idea that long-term monitoring of a suspect can be a Fourth Amendment search even if short-term monitoring is not. Under this approach, which was suggested by the concurring opinions in United States v. Jones, surveillance and analysis of a suspect is outside the Fourth Amendment until it reaches some point when it has gone on for too long, has created a full picture of a person’s life (the mosaic), and therefore becomes a search that must be justified under the Fourth Amendment. I think the mosaic approach is a misstep for reasons I elaborated on in this article. And the handful of lower courts to have considered the theory since Jones mostly have not adopted it, either because they found it unpersuasive, because they distinguished Jones on the facts, or because they avoided the question under the good-faith exception to the exclusionary rule. See, e.g., United States v. Graham, 846 F.Supp.2d 384 (D.Md. 2012).
In the last week, two district courts have divided on the question: United States v. Rigmaiden (D. Ariz. May 8, 2013), and United States v. Powell, — F.Supp.2d –, 2013 WL 1876761 (E.D. Mich. May 3, 2013). In this post, I want to discuss the two rulings, and then offer some critical commentary on Powell at the end.
Read more on The Volokh Conspiracy.

(Related) We can, therefore we must? (Remember, “To Serve Man” is a Twilight Zone cookbook) Note that the sensors can tell what department you are in (and that is no doubt logged with a time stamp), but can't follow from department to department (except by arranging the departments in time sequence). Does no one ever read this stuff before publishing?
CBS in Dallas-Fort Worth reports:
Nordstrom says it wants to serve you better, so it’s tracking your movements through their stores. The CBS 11 I-Team has learned the retailer is using software to track how much time you spend in specific departments within the store. The technology is being used in 17 Nordstrom and Nordstrom Rack stores nationwide, including the NorthPark store in Dallas.
A company spokesperson says sensors within the store collect information from customer smart phones as they attempt to connect to Wi-Fi service. The sensors can monitor which departments you visit and how much time you spend there.
However, the sensors do not follow your phone from department to department, nor can they identify any personal information tied to the phone’s owner, says spokesperson Tara Darrow.
Read more on CBSDFW.
So if you want to shop and don’t want to contribute to their “aggregate” information, you have to shut off your phone? I guess they can get away with this, but should they be able to?
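The point about time stamps deserves a concrete illustration. Phones with Wi-Fi enabled broadcast probe requests carrying their hardware (MAC) address whether or not they ever join a network, so a sensor per department can log "this device, this time, this signal strength" without any connection. The following is an added example, not Nordstrom's or the sensor vendor's code; the log format, the department names and the per-store salt are assumptions constructed for it. It computes the per-department dwell time the spokesperson describes, and then shows that the same per-sensor logs, once sorted by time, reconstruct one device's route through the store even though no sensor "followed" it. Hashing the MAC does not change that, because the hash is still a stable per-device token.

```python
"""Passive Wi-Fi presence analytics: what per-department sensor logs allow.

Added example. The log lines below are constructed for this illustration;
the format "<ISO timestamp> <department> <MAC> <RSSI dBm>" is an assumption.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: probe requests seen by three department sensors.
SAMPLE_LOG = """\
2013-05-08T14:02:00 shoes      aa:bb:cc:11:22:33 -61
2013-05-08T14:03:30 shoes      aa:bb:cc:11:22:33 -58
2013-05-08T14:09:00 shoes      aa:bb:cc:11:22:33 -64
2013-05-08T14:11:30 cosmetics  aa:bb:cc:11:22:33 -55
2013-05-08T14:12:00 cosmetics  de:ad:be:ef:00:01 -70
2013-05-08T14:16:30 cosmetics  aa:bb:cc:11:22:33 -57
2013-05-08T14:20:00 menswear   aa:bb:cc:11:22:33 -66
2013-05-08T14:28:00 menswear   aa:bb:cc:11:22:33 -62
"""

SALT = b"store-17"  # assumed: an operator-chosen per-store salt


def pseudonymise(mac: str) -> str:
    """Hash the MAC so the stored identifier is not the raw hardware address.

    This is still a stable per-device token: two sightings of the same phone
    hash to the same value, which is exactly what makes cross-sensor linkage
    possible. Only a salt rotated per visit (or not storing the token at all)
    would prevent it.
    """
    return hashlib.sha256(SALT + mac.lower().encode()).hexdigest()[:16]


def parse_log(text: str):
    """Yield (time, department, device_token, rssi) for each log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dept, mac, rssi = line.split()
        yield datetime.fromisoformat(ts), dept, pseudonymise(mac), int(rssi)


def dwell_per_department(text: str, gap: timedelta = timedelta(minutes=10)):
    """What the retailer says it measures: dwell time, computed independently
    per department. A visit is a run of sightings with no gap longer than
    `gap`; a single sighting counts as zero minutes. Returns {dept: {token: minutes}}.
    """
    sightings = defaultdict(lambda: defaultdict(list))
    for ts, dept, token, _ in parse_log(text):
        sightings[dept][token].append(ts)
    result = defaultdict(dict)
    for dept, per_device in sightings.items():
        for token, times in per_device.items():
            times.sort()
            total = timedelta()
            start = prev = times[0]
            for t in times[1:]:
                if t - prev > gap:        # new visit after a long absence
                    total += prev - start
                    start = t
                prev = t
            total += prev - start
            result[dept][token] = total.total_seconds() / 60
    return dict(result)


def reconstruct_path(text: str, token: str):
    """What the same logs also permit: ordering one device's sightings by
    time stamp yields its route through the store, collapsing repeats."""
    visits = sorted((ts, dept) for ts, dept, tok, _ in parse_log(text) if tok == token)
    path = []
    for _, dept in visits:
        if not path or path[-1] != dept:
            path.append(dept)
    return path


if __name__ == "__main__":
    tok = pseudonymise("aa:bb:cc:11:22:33")
    print(dwell_per_department(SAMPLE_LOG))
    print(reconstruct_path(SAMPLE_LOG, tok))
```

The design point is that "the sensors do not follow your phone" and "the sensors log a time-stamped device token" are not both true unless the operator deliberately discards the token before the logs are joined. Turning Wi-Fi off (not just declining to connect) is the only client-side control, since probe requests are sent before any association.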

(Related) For my Ethical Hackers
"A researcher has found that Apple user locations can be potentially determined by tapping into Apple Maps and he has created a Python tool to make the process easier. iSniff GPS accesses Apple's database of wireless access points, which is collected by iPhones and iPads that have GPS and Wi-Fi location services enabled. Apple uses this crowd-sourced data to run its location services; however, the location database is not meant to be public. You can download the tool via GitHub."

A clear explanation...
Why facial recognition tech failed in the Boston bombing manhunt
In the last decade, the US government has made a big investment in facial recognition technology. The Department of Homeland Security paid out hundreds of millions of dollars in grants to state and local governments to build facial recognition databases—pulling photos from drivers' licenses and other identification to create a massive library of residents, all in the name of anti-terrorism. In New York, the Port Authority is installing a "defense grade" computer-driven surveillance system around the World Trade Center site to automatically catch potential terrorists through a network of hundreds of digital eyes.
But then an act of terror happened in Boston on April 15. Alleged perpetrators Dzhokhar and Tamerlan Tsarnaev were both in the database. Despite having an array of photos of the suspects, the system couldn't come up with a match. Or at least it didn't come up with one before the Tsarnaev brothers had been identified by other means.
For people who understand how facial recognition works, this comes as no surprise. Despite advances in the technology, systems are only as good as the data they're given to work with. Real life isn't like anything you may have seen on NCIS or Hawaii Five-0. Simply put, facial recognition isn't an instantaneous, magical process. Video from a gas station surveillance camera or a police CCTV camera on some lamppost cannot suddenly be turned into a high-resolution image of a suspect's face that can then be thrown against a drivers' license photo database to spit out an instant match.

Nothing new to my Ethical Hackers, but it might amuse my Intro to IT students.
Use These Secret NSA Google Search Tips to Become Your Own Spy Agency
There’s so much data available on the internet that even government cyberspies need a little help now and then to sift through it all. So to assist them, the National Security Agency produced a book to help its spies uncover intelligence hiding on the web.
The 643-page tome, called Untangling the Web: A Guide to Internet Research (.pdf), was just released by the NSA following a FOIA request filed in April by MuckRock, a site that charges fees to process public records for activists and others.
The book was published by the Center for Digital Content of the National Security Agency, and is filled with advice for using search engines, the Internet Archive and other online tools. But the most interesting is the chapter titled “Google Hacking.”
… Lest you think that none of this is new, that Johnny Long has been talking about this for years at hacker conferences and in his book Google Hacking, you’d be right. In fact, the authors of the NSA book give a shoutout to Johnny, but with the caveat that Johnny’s tips are designed for cracking — breaking into websites and servers. “That is not something I encourage or advocate,” the author writes.

Wednesday, May 08, 2013

Is your bad programming automatically fraud on my part? If not, I'm moving to Reno.
Feds Drop Hacking Charges in Video-Poker Glitching Case
They know when to fold ‘em. Las Vegas prosecutors targeting two men who took advantage of a software bug to win a small fortune at video poker have dropped all hacking charges from the case, cashing out an 18-month legal battle over the applicability of the 1986 Computer Fraud and Abuse Act.
“The United States of America, by and through the undersigned attorneys, hereby moves this Court to dismiss Counts 2 and 3 of the Indictment,” wrote (.pdf) Assistant U.S. Attorney Michael Chu yesterday, in a terse motion immediately granted by U.S. District Judge Miranda Du.
Du had asked prosecutors to defend their use of the federal anti-hacking law by Wednesday, in light of a recent 9th Circuit ruling that reined in the scope of the CFAA.
The dismissal leaves John Kane, 54, and Andre Nestor, 41, facing a single remaining charge of conspiracy to commit wire fraud — another federal law that generally criminalizes fraudulent schemes that use wire communications. Trial is set for August 20.
… Prosecutors had argued that the complex sequence of button presses needed to activate the bug made it a form of hacking. But defense lawyers argued that Kane and Nestor only played by the rules imposed by the machine.
“The case never should have been filed under the CFAA,” says Kane’s lawyer, Andrew Leavitt. “It should have been just a straight wire fraud case. And I’m not sure its even a wire fraud. I guess we’ll find out when we go to trial.”

Failure to verify your customers in this case means you could be selling to an Identity Thief. I wonder how the letters were worded? “Please stop breaking the law or we'll have to send you a much firmer warning...”
Grant Gross reports:
More than 20 percent of data brokers checked by the U.S. Federal Trade Commission allegedly violated a U.S. privacy law when sharing personal data with agency workers posing as companies wanting to purchase information.
This week, the FTC warned 10 data brokers, most with a significant online presence, that they may be violating the Fair Credit Reporting Act (FCRA).
The FCRA requires consumer reporting agencies to reasonably verify the identities of data customers and to ensure that these customers have a legitimate purpose for receiving the information.
Read more on Computerworld.

Is the data required or merely 'easily available?'
Robyn Greene writes:
Last week served as yet another reminder of the threats posed to Americans’ privacy by the post-Patriot Act surveillance state. According to the Department of Justice’s annual report, FISA applications to the secretive Foreign Intelligence Surveillance Court (FISC) in 2012 revealed a continued increase in the FBI’s surveillance of Americans. The report covers the Bureau’s requests for electronic and physical surveillance, secret court orders under Section 215 of the Patriot Act, and National Security Letters (NSLs).
Over the last four years, the government’s requests for electronic and physical surveillance have steadily increased after a brief decline in 2008 and 2009, with a total of 1,856 applications in 2012. However, the truly shocking number is how many times it applied for Section 215 orders, also known as business records requests, which as far as we know give the government extremely broad authority to access “any tangible thing,” including sensitive information such as financial records, medical records, and even library records.
Read more on ACLU’s Blog.

(Related) “Give us access to everything and we'll probably find something.”
Charlie Savage reports:
The Obama administration, resolving years of internal debate, is on the verge of backing a Federal Bureau of Investigation plan for a sweeping overhaul of surveillance laws that would make it easier to wiretap people who communicate using the Internet rather than by traditional phone services, according to officials familiar with the deliberations.
Read more on the NY Times.
[From the article:
“I think the F.B.I.’s proposal would render Internet communications less secure and more vulnerable to hackers and identity thieves,” said Gregory T. Nojeim of the Center for Democracy and Technology. “It would also mean that innovators who want to avoid new and expensive mandates will take their innovations abroad and develop them there, where there aren’t the same mandates.”

Can't tell the players without a scorecard...
May 07, 2013
EPIC - Senate Confirms Chairman of Privacy and Civil Liberties Oversight Board
EPIC: "Today the Senate voted to confirm David Medine as the Chairman of the Privacy and Civil Liberties Oversight Board (PCLOB), an agency established to review executive branch actions and to protect privacy and civil liberties after 9/11. EPIC urged the creation of an independent privacy agency after 9/11. At the first meeting of the agency in 2012, EPIC set out several priorities for PCLOB, including (1) suspension of the fusion center program, (2) limitations on CCTV surveillance, (3) removal of airport body scanners, (4) establishing privacy regulation for drones, (5) updating data disclosure standards, and (6) ensuring Privacy Act adherence. For more information, see EPIC: The 9/11 Commission Report and EPIC: The Sui Generis Privacy Agency."

For my Intro to IT class...
… today you can rest assured that anyone who wants to know anything about you has already typed your name in Google. But what did they find when they did that? Did they actually find information about you? Was it information you really wanted them to have? And who are those people who might be searching for your name on Google?

For my Statistics class. Can we determine why?
May 07, 2013
BJS - Firearm Violence, 1993-2011
Michael Planty, Ph.D., Jennifer L. Truman, Ph.D. May 7, 2013. NCJ 241730. "Presents trends on the number and rate of fatal and nonfatal firearm violence from 1993 to 2011. The report examines incident and victim demographic characteristics of firearm violence, including the type of firearm used; victim's race, age, and sex; and incident location. The report also examines changes over time in the percentages of nonfatal firearm crimes by injury, reporting to the police, and the use of firearms in self-defense. Information on homicide was obtained primarily from the Centers for Disease Control's (CDC) National Vital Statistics System. Nonfatal firearm violence data are from the National Crime Victimization Survey (NCVS), which collects information on nonfatal crimes reported and not reported to the police against persons age 12 or older from a nationally representative sample of U.S. Households. Highlights:
  • Firearm-related homicides declined 39%, from 18,253 in 1993 to 11,101 in 2011.
  • Nonfatal firearm crimes declined 69%, from 1.5 million victimizations in 1993 to 467,300 victimizations in 2011.
  • Firearm violence accounted for about 70% of all homicides and less than 10% of all nonfatal violent crime from 1993 to 2011.
  • From 1993 to 2011, about 70% to 80% of firearm homicides and 90% of nonfatal firearm victimizations were committed with a handgun.

Since I spend too much time working with students who aren't ready, this is interesting...
May 07, 2013
Report - What Does It Really Mean to Be College and Work Ready?
"Today the National Center on Education and the Economy (NCEE) released What Does It Really Mean to Be College and Work Ready?, a study of the English Literacy and Mathematics required for success in the first year of community college. During a day-long meeting with key education and policy leaders, NCEE will discuss the results of the study and its implications for community college reform, school reform, teacher education, the common core state standards, and vocational education and the workplace."

Have an idea for a MOOC?
George Veletsianos (an Associate Professor in the School of Education and Technology at Royal Roads University in Victoria, BC) and I have submitted an application for Iversity’s MOOC production fellowship program. If funded, we will co-teach a course titled “Foundations of Educational Technology.” (If not funded, we’ll figure something else out…)
… The recipients of the Iversity MOOC fellowship will be chosen through a combination of peer review and public voting, and George and I would love your support for the latter. To vote for our proposal, you do have to register on the platform (ugh) first. You can also read more about the class there.
George has more details on his blog too, including an awesome list of other friends, colleagues, professors, and grad students who’ve volunteered to help.

Tuesday, May 07, 2013

“Oh, you noticed that we broke into your home? Don't worry, we were just testing your security.”
Associated Press reports:
The Speaker of the Missouri House says an attempt to access a secure website listing Missouri’s concealed gun permit holders was part of an investigation into whether the state had appropriately shielded the information.
In an interview with The Associated Press, House Speaker Tim Jones, R-Eureka, declined Monday to identify the person who tried to access the information last Thursday. But Jones said it was an appropriate action.
Read more on KY3.
So wait… when researchers attempt to test the security of systems, they can get prosecuted criminally, but state legislators can grant themselves permission to attempt to hack a state database and that’s okay?
[From the article:
Those attempts were unauthorized because information on concealed gun permit holders can only be shared with law enforcement.

“What do they know and how long will they keep it?”
The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union of Southern California (ACLU-SC) today jointly filed suit against two Los Angeles-area law-enforcement agencies over their failure to produce records related to the use of automatic license plate readers (ALPRs).
Mounted on squad cars and telephone poles, these sophisticated camera systems read license plates and record the time, date, and location a particular car was encountered. EFF and the ACLU-SC filed requests with the Los Angeles Police Department and the Los Angeles County Sheriff’s Department under the California Public Records Act seeking documents relating to policy and training on ALPRs, as well as a week’s worth of ALPR data collected by the agencies in 2012. While the sheriff and police departments produced some materials, they failed to provide documents related to sharing information with other agencies, and neither agency has produced the data collected during the one-week period.
“Location-based information like license plate data can be very revealing,” said EFF Staff Attorney Jennifer Lynch. “By matching your car to a particular time, date and location — and building a database of that information over time — law enforcement can learn where you work and live, what doctor you go to, which religious services you attend, and who your friends are. The public needs access to data the police actually have collected to be able to make informed decisions about how ALPR systems can and can’t be used.”
… While the police can use this technology to match license plates against databases to find stolen or wanted cars, the systems currently record and store information on every car, even where there’s no reason to think a car is connected to any crime.
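To make Lynch's "where you work and live" claim concrete, the following is an added example, not EFF's, ACLU-SC's or either department's code, and the reads in it are constructed (plate numbers, camera names and dates are all invented). It separates the two uses the article contrasts: matching reads against a hot list, which needs no retention of non-matching reads, and profiling a single plate from a week of retained reads by time of day and day of week, which is what retention enables. The 22:00 to 06:00 "home" window and the weekday 08:00 to 18:00 "work" window are assumptions of the example.

```python
"""Hot-list matching versus profiling from retained ALPR reads.

Added example. Each read is "<plate> <ISO timestamp> <camera location>";
the format, plates, cameras and dates are constructed for this illustration.
"""
from collections import Counter
from datetime import datetime

SAMPLE_READS = """\
7ABC123 2012-08-06T07:55:00 camera-Maple-St
7ABC123 2012-08-06T08:40:00 camera-Wilshire-Blvd
7ABC123 2012-08-06T17:35:00 camera-Wilshire-Blvd
7ABC123 2012-08-06T23:10:00 camera-Maple-St
7ABC123 2012-08-07T08:45:00 camera-Wilshire-Blvd
7ABC123 2012-08-07T12:05:00 camera-Cedars-Clinic
7ABC123 2012-08-07T23:40:00 camera-Maple-St
7ABC123 2012-08-08T08:38:00 camera-Wilshire-Blvd
7ABC123 2012-08-08T22:50:00 camera-Maple-St
7ABC123 2012-08-12T10:15:00 camera-Temple-Ave
5XYZ789 2012-08-06T09:00:00 camera-Wilshire-Blvd
"""

STOLEN_PLATES = {"5XYZ789"}  # constructed hot list

NIGHT_START, NIGHT_END = 22, 6   # assumed "at home" window
WORK_START, WORK_END = 8, 18     # assumed weekday "at work" window


def parse_reads(text: str):
    """Yield (plate, time, camera) for each read."""
    for line in text.splitlines():
        if line.strip():
            plate, ts, cam = line.split()
            yield plate, datetime.fromisoformat(ts), cam


def hot_list_hits(text: str, hot_list=STOLEN_PLATES):
    """The stated purpose: flag reads whose plate is on a wanted list.
    This can be done read by read; nothing here requires keeping the
    reads that did not match."""
    return [(plate, ts, cam) for plate, ts, cam in parse_reads(text) if plate in hot_list]


def profile_plate(text: str, plate: str):
    """The retention problem: from a plate's stored reads, infer where the
    car sleeps, where it spends weekday working hours, and where else it
    has been seen."""
    night, workday, weekend = Counter(), Counter(), Counter()
    days = set()
    for p, ts, cam in parse_reads(text):
        if p != plate:
            continue
        days.add(ts.date())
        hour, wd = ts.hour, ts.weekday()       # weekday(): Monday == 0
        if hour >= NIGHT_START or hour < NIGHT_END:
            night[cam] += 1
        elif wd < 5 and WORK_START <= hour < WORK_END:
            workday[cam] += 1
        elif wd >= 5:
            weekend[cam] += 1

    def top(counter):
        return counter.most_common(1)[0][0] if counter else None

    return {
        "days_observed": len(days),
        "likely_home": top(night),
        "likely_work": top(workday),
        "other_weekday_stops": sorted(set(workday) - {top(workday)}),
        "weekend_destinations": sorted(weekend),
    }


if __name__ == "__main__":
    print(hot_list_hits(SAMPLE_READS))
    print(profile_plate(SAMPLE_READS, "7ABC123"))
```

With three nights and three working days of reads the profile already names a home street, a workplace, a clinic visited at midday and a Sunday-morning destination. A retention policy that deletes non-hit reads after the hot-list check removes the input to `profile_plate` without affecting `hot_list_hits`, which is the distinction the public-records request is trying to surface.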

Is this “playing nice?” Will China pass a law requiring Texas to turn over data?
Karen Brooks Harper reports:
A minor dustup over the protection of private info hosted by ISPs flared up briefly on the floor, on a bill by Rep. John Frullo that would allow Texas judges to issue search warrants for companies based in other states – like Yahoo in California – to hand over online records that could help them investigate crimes relating to cases like child pornography and human trafficking.
Frullo briefly tried to fend off an amendment by Bedford GOP Rep. Jonathan Stickland that requires law enforcement to get a warrant before they can get emails from an ISP that are over 180 days old.
Read more on Dallas Morning News. And see Grits for Breakfast for comments on this development.

Finally someone will smack these lawyers?
Judge Asks IRS, Feds to Investigate Copyright-Trolling Attorneys
Using terms like “brazen conduct and relentless fraud,” a federal judge on Monday sanctioned attorneys running a BitTorrent copyright lawsuit factory, and recommended federal prosecutors investigate for potential criminal charges.
Los Angeles federal judge Otis D. Wright II said the Prenda Law attorneys’ “moral turpitude” is “unbecoming of an officer of the court.” (.pdf) The judge said the attorneys “fraudulently signed” documents about who owned the rights to sue thousands over the illegal downloading of pornographic films.
The attorneys, including John Steele, a Chicago barrister who has sued thousands for unlawfully downloading porn, were also labeled a racketeering outfit.
The judge often used Star Trek references as he blasted them.
“The federal agency eleven decks up is familiar with their prime directive and will gladly refit them for their next voyage. The Court will refer this matter to the United States Attorney for the Central District of California. The Court will also refer this matter to the Criminal Investigation Division of the Internal Revenue Service and will notify all judges before whom these attorneys have pending cases.”
Kurt Opsahl, an intellectual property attorney with the Electronic Frontier Foundation, said the judge’s opinion underscores “the ease of which you can file copyright lawsuits.”
… “Plaintiffs have outmaneuvered the legal system. They’ve discovered the nexus of antiquated copyright laws, paralyzing social stigma, and unaffordable defense costs,” the judge wrote.
Adding insult to injury, the lawyers were ordered to pay $40,000 in legal fees and the same in sanctions.

I thought this would be a 1 word report: “Nuts!”
May 06, 2013
Military and Security Developments Involving the Democratic People’s Republic of Korea 2012
DOD - Military and Security Developments Involving the Democratic People’s Republic of Korea 2012. A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2012.
  • "Section 1236 of the National Defense Authorization Act for Fiscal Year 2012, Public Law 112-81, provides that the Secretary of Defense shall submit a report "in both classified and unclassified form, on the current and future military power of the Democratic People's Republic of Korea" (DPRK). The report shall address an assessment of the security situation on the Korean Peninsula, the goals and factors shaping North Korean security strategy and military strategy, trends in North Korean security, an assessment of North Korea's regional security objectives, including an assessment of the North Korean military's capabilities, developments in North Korean military doctrine and training, an assessment of North Korea's proliferation activities, and other military security developments." [Greta E. Marlatt]

(Related) Nothing new here...
U.S. says Chinese government behind cyberespionage
The Chinese government and military have engaged in widespread cyberespionage targeting U.S. government and business computer networks, the Pentagon said Monday.
China maintained a steady campaign of computer intrusions in 2012 that were designed to acquire information about the U.S. government's foreign policy and military plans, according to the Pentagon's annual report to Congress on China's military.
"China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors that support U.S. national defense programs," according to the 83-page 2013 "Military and Security Developments Involving the People's Republic of China" (PDF).

For the Crypto class...
May 06, 2013
Revolutionary Secrets: Cryptology in the American Revolution
Revolutionary Secrets: Cryptology in the American Revolution, Jennifer Wilcox, Center for Cryptologic History, National Security Agency, 2012.

Another take on the “Freemium” model?
Google nears launch of paid YouTube subscriptions, report says
The information comes from a Financial Times report over the weekend that suggests the company could be rolling out paid subscriptions for over 50 different premium channel partners. The subscriptions will reportedly set you back about $2 per month, per channel.
We heard rumblings about paid YouTube subscriptions back in January, with the video service rumored to have been in discussions with several of its channel partners about a new subscription-based program. It was also said that those subscriptions would range between $1 and $5 per month, which is in line with the FT report.
Google is currently making plenty of money on YouTube videos, but the company realizes it’s hitting a brick wall when it comes to gaining the kind of content that people desire from other video services. The company has already spent upwards of $200 million to market and cultivate premium content through its channel partners, but so far it’s still not lucrative enough for those partners. The subscription would likely be another source of revenue both for Google and those content creators.

(Related) Resolving the “First Sale” question?
"According to CNET and various other sources, CS6 will be the last version of Adobe's Creative Suite that will be sold in the traditional manner. All future versions will be available by subscription only, through Adobe's so-called 'Creative Cloud' service. This means that before too long, anyone who wants an up-to-date version of Photoshop won't be able to buy it – they will have to pay $50 per month (minimum subscription term: one year). Can Adobe complete the switch to subscription-only, or will the backlash be too great? Will this finally spur the creation of a real competitor to Photoshop?"

For my phone and tablet packing students.
Office Suite Pro 7 (PDF & HD) Made by MobiSystems, OfficeSuite Pro allows you to view, create, edit, print and share Word, Excel and PowerPoint files on the go.