Saturday, June 01, 2013

For my Computer Forensics class. I told you these things take time – this was a quick one.
Paul Bond and Frederick Lah write:
After nearly seven years of litigation, two class actions, and millions of dollars in legal and settlement fees, AOL hopes that it can finally put its infamous anonymization failure incident behind it. On May 24, 2013, a Virginia federal judge gave final approval to a class action settlement between AOL and a class of more than 650,000 AOL members whose search queries were disclosed to the public. The settlement agreement involves $5 million in cash payments to class members and nearly $1 million in attorneys’ fees.

Maybe I'm a little dense (okay, probably) but I had to see this better written article to understand what was going on – we're providing Iranians the tools for their own Arab Spring. Where does this fit on the CyberWar spectrum?
"A report at SF Gate notes that 'The United States has lifted portions of two-decades-old sanctions against Iran in an effort to bolster communication between the country's citizens — and potentially aid organization against a repressive Iranian government. Thursday afternoon the U.S. Treasury Department's Office of Foreign Assets Control authorized the sale of hardware and software that pertain to the Internet, instant messaging, chat, e-mail, social networking, sharing of media, and blogging — basically, all things digital. The Treasury Department wrote, 'As the Iranian government attempts to silence its people by cutting off their communication with each other and the rest of the world, the United States will continue to take action to help the Iranian people exercise their universal human rights, including the right to freedom of expression.'"

There is “solving a problem” and then there is “solving a problem without creating more problems.” Let's keep trying for the second one... (and the tattoo is just Nazi creepy)
"In trying to solve the 'mechanical mismatch' between humans and electronics — particularly wearables — special projects chief Regina Dugan unveiled two new projects currently in development at Google's Motorola Mobility centered on rethinking authentication methodology, including electronic tattoos and ingestible pills. Of the pill, which Dugan called her 'first superpower,' she described it as an 'inside-out potato battery' that when swallowed, the acids in one's stomach serve as the electrolyte to power an 18-bit ECG-like signal that essentially turns one's body into an authentication token. 'It means my arms are like wires and my hands are like alligator clips [so] when I touch my phone, my computer, my door, I'm authenticated,' Dugan said. 'This is not science fiction.'"

I'm surprised none of this was in place. I wonder how common this is?
The Newtown Bee reports:
Twenty parents and spouses who lost loved ones at the shooting at Sandy Hook Elementary on 12/14 gathered together at the Capitol in Hartford on Friday, May 31, to call on legislators to pass House Bill 6424, “An Act Concerning Fees for Searches of Accident and Investigative Reports of the Department of Emergency Services and Public Protection.” They were joined by sisters, a brother, a son, a teacher, and others directly affected by what happened 5½ months ago.
Proposed by Senator John McKinney, the amendment to House Bill 6424 would:
* Prevent the release of any photos, videotapes, digital recordings or other depictions of any victim, without the permission of the victim’s immediate family. The adult victims who survived the shooting would also be able to grant permission to release the records;
* Allow any public agency to redact the identity of a minor witness to the shooting; and
* Require public agencies to transcribe 911 recordings and provide written transcripts upon request for a 50-cent-per-page fee, but not require them to provide audio recordings.
Read more on the Newtown Bee.
Although the bill may be well-intentioned, the events at Newtown are of public and national significance that go beyond curiosity and impact policy discussions of gun control, mental health, and school security issues. As such, I think the First Amendment needs to trump the understandable concerns of family members.

This seems to be much further along than I thought!
Report: 85 Percent of Educational Institutions Allow BYOD, Yet Security Lags Behind
Eighty-five percent of educational institutions allow instructors or students to use their own devices on institutional networks according to a new survey from Bradford Networks.
Based on responses from more than 500 IT professionals in higher education and K-12 districts in the United States and the United Kingdom, the "Impact of BYOD on Education" survey found that only six percent of respondents reported that their institution had no bring-your-own-device (BYOD) policy and no plans to implement one.

As social networks qua social networks evolve into “Interest Networks,” services like this might prove useful. For example: Law, teaching, science fiction
Social media keeps growing at an insane rate. It seems like there is a new social network, a microblogging platform or another kind of new site popping up every single day of the week. With that, it can be hard to decide on which sites you wish to spend your time.
… Ending the confusion is a site called Mamuna. It serves as a catalog and rating service for all different kinds of social media sites.

(Related) You still need to be careful! Another infographic.
A Visual Guide To Staying Safe On Social Media
Check out this handy visual for a bit of insight.
The guide runs through some handy tidbits you should know. For example, what can you post on Facebook, what’s allowed on Tumblr, and how often do people post their location? Should you actually post your location on social networks? The verdict is still out but the facts are in: this guide shows about a quarter of all users attach their current location to posts. That’s a lot higher than I would have thought!

Something for my geeks (and the lost and found drawer)
… I invite you to gather up all of those so-called “useless” smartphones, and consider following through the steps in this article to transform them into wireless webcam devices that you can use to build your own home surveillance network for absolutely free.

For my Math students. You don't have to take my word. Read the Comments!
"I am currently pursuing a bachelor's in CompSci and I just spent three hours working on a few differential equations for homework. It is very frustrating because I just don't grok advanced math. I can sort of understand a little bit, but I really don't grok anything beyond long division. But I love computers, and am very good at them. However, nobody in the workforce is even going to glance at my direction without a Bsc. And to punish me for going into a field originally developed by mathematicians I need to learn all this crap. If I had understood what I was doing, maybe I wouldn't mind so much. But the double frustration of not understanding it and not understanding why the heck I need to do it is too much. So, how important is it?"

A tool for my “Students should create their own textbook” idea?
Host and Document Collaborative Brainstorming Sessions With Realtime Board
Realtime Board is a nice tool for hosting online, collaborative brainstorming sessions. I've featured the service a couple of times since its launch last fall. The service allows you to work with any information and visual content on one board individually or with the team. You can work with images, videos, PDF-files, write notes and comment everything, use colorful post-it stickers and work with files from your Google Drive. Recently, Realtime Board added a free education version. The education version provides schools with all of the features of the Pro version for free. That means you can create unlimited private and public boards, have an unlimited number of collaborators, and 3GB of storage space.
Applications for Education
If you're looking for a free tool that your students can use to plan projects and create multimedia mindmaps, Realtime Board is definitely worth giving a try. You can try it without creating an account.

...and what did you do this weekend? (“We found some government data that they didn't even know they shared!”)
White House, NASA Celebrate National Day of Hacking
The White House is hosting a hackathon dedicated to government data.
It happens this weekend, and it’s just one of the 93 hackathons organized across the U.S. as part of the National Day of Civic Hacking, a.k.a. June 1. During the two-day event, participants will work to build software applications that solve problems proposed by local, state and federal government organizations. The data sets and challenges were provided by 22 government organizations in total, including the White House, NASA, and the Peace Corps.
“It is an incredible feat that we have so many government agencies making data available. This is the largest ever collaboration across government agencies,” says Celestine Johnson of Innovation Endeavors. Innovation Endeavors — a venture capital firm founded by Dror Berman and Google chairman Eric Schmidt — organized the event with the non-profit organizations Code for America and Random Hacks of Kindness.

Friday, May 31, 2013

Is this part of “nature always finds a way” as explained in “Jurassic Park” or a biological version of Skynet from the Terminator?
"NPR reports that an Oregon wheat farmer found a patch of wheat growing where he did not plant. [Oops! Bob] After RoundUp failed to kill the plants, [Oops! Bob] he sent them to a lab for testing. Turns out the wheat in question is a GMO strain created by Monsanto but never sent to market. Oregon field trials for the wheat ended in 2001. 'Nobody knows how this wheat got to this farm. ... After all such trials, the genetically engineered crops are supposed to be completely removed. [Oops! Bob] Also, nobody knows how widely this genetically engineered wheat has spread, and whether it's been in fields of wheat that were harvested for food.' The USDA is currently investigating and says there is no health-risk. Meanwhile, Monsanto has released a statement and Japan has suspended some wheat imports from the U.S. 'The mystery could have implications on wheat trade. Many countries around the world will not accept imports of genetically modified foods, and the United States exports about half of its wheat crop.'"

Probably applies to drones as well.
"It seems that the UN has started a debate on whether to place limits or bans on robots that can kill without manual supervision. It seems that bombs are viewed as 'kinder' than robots which might be programmed to achieve specific ends (e.g. destroy that bridge, kill anyone carrying a gun, etc.)."

Apparently, moneylenders are a dime a dozen. Instead of playing whack-a-mole, why not run one and trace the money from the inside?
Velcroman1 writes
"On May 15, the Department of Homeland Security seized a digital bank account used by 'MtGox,' the world's largest exchange, where people buy and sell bitcoins. DHS alleged, and a judge agreed, that there is 'probable cause' that MtGox is an 'unlicensed money service business.' If proven, the penalty for operating such a business is a fine and up to 5 years in jail. caught up with several bitcoin exchanges, including CampBX, MtGox, CoinLab and more, to ask them how they've navigated the regulatory waters — and how to go legit."
In other shady bitcoin news, it appears the demise of Liberty Reserve has caused hackers to find a new alternative. twoheadedboy writes
"Despite suggestions Bitcoin might be the ideal currency for dealers on the dark web, it appears Perfect Money, a Panama-based operation, is proving the most popular alternative to the now-defunct Liberty Reserve. A source working the underground forums told TechWeekEurope that, for now, fraudsters are rapidly migrating to Perfect Money. Many vendors have started accepting it, having previously primarily used Liberty Reserve, which was shut down following the arrest of its founder and four other members this past week. Internet fraudsters might be interested in Perfect Money as it has distanced itself from the U.S., cutting off all new American registrations. However, one forum user said he was turned down by Perfect Money as their 'type of activity is not welcome.' Other currencies may yet win out."

Just keep doing what you're doing. I'm sure you can undo it later if we need to.
Judge orders Google to comply with FBI's secret NSL demands
A federal judge has ruled that Google must comply with the FBI's warrantless requests for confidential user data, despite the search company's arguments that the secret demands are illegal.
CNET has learned that U.S. District Judge Susan Illston in San Francisco rejected Google's request to modify or throw out 19 so-called National Security Letters, a warrantless electronic data-gathering technique used by the FBI that does not need a judge's approval. Her ruling came after a pair of top FBI officials, including an assistant director, submitted classified affidavits.

From my Ethical Hackers.
The mutual-friends feature on social networks such as Facebook, which displays users’ shared friendships, might not be so “friendly.”
Often revered for bringing people together, the mutual-friends feature on Facebook actually creates myriad security risks and privacy concerns according to a University of Pittsburgh study published in Computers & Security. The study demonstrates that even though users can tailor their privacy settings, hackers can still find private information through mutual-friends features.
Read more on Phys.Org.
The paper, "Mutual-friend Based attacks in Social Network Systems," was first published online April 22 in Computers & Security.

(I'm not saying it's related) In theory, a group of graduating Ethical Hackers might amuse themselves by sending each other congratulations from the President, and then supplementing that by reporting that the President sent congratulations. Theoretically.
White House Press Corps Website, Twitter Feed Appears To Have Been Hacked

Using my tax dollars to avoid telling me how they are misusing my tax dollars?
"The Justice Department may soon be forced to reveal a classified document that details unconstitutional surveillance of American citizens. The Justice Department has fought to keep the document secret for about a year, but a recent court order demands that they respond to a formal request filed by the Electronic Frontier Foundation by next week, June 7, 2013."

More on “The Wisdom of Governments (or, what the lobbyists explained was wisdom)” Fortunately, no individuals actually work for governments!
U.S. lifts ban on computer exports to people in Iran
The U.S. government is easing sanctions that for more than two decades have prohibited companies from selling electronic devices such as computers, cell phones, and wireless routers to Iran.
The move, announced Thursday by the Treasury Department, allows U.S. residents to export electronic equipment to individuals but not to the Iranian government or "to any individual or entity on the Specially Designated Nationals (SDN) list." The SDN list is a compilation of individuals and groups with whom U.S. residents are prohibited from doing business, such as Al-Qaeda.

Perhaps the French noticed that comment by Eric Schmidt that suggested Google had the ability to do this...
On May 30, 2013, the French Data Protection Authority (“CNIL”) launched a public consultation on the digital “right to be forgotten.”

What do you learn as an Education Major? Apparently not good management practices. Anything not directly related to your mission (that's education in case you forgot) may need to be communicated to parents. (This is the same district, incidentally, that recently expelled high school student Kiera Wilmot for causing an explosion in her chemistry class.)
RT reports:
Parents in Polk County, Florida are outraged after learning that students in area schools had their irises scanned as part of a new security program without obtaining proper permission.
Students at three facilities — an elementary school, a grade school and a high school — had their eyeballs scanned earlier this month as part of a ‘student safety’ pilot program [“It's for the children!” Bob] being carried out by Stanley Convergent Security Solutions.
Read more about the Eye Swipe Nano program on RT.
The parental response was so negative and immediate that the program has been put on hold – at least temporarily. Merissa Green of The Ledger reports:
The Polk County School District has suspended a pilot program that scanned the eyes of students to track their comings and goings on school buses. [...or maybe it's to make the teachers' lives easier. Bob]
The program was conducted May 22-23 at Bethune Academy and Jenkins Academy in Haines City and Davenport School of the Arts.
Some parents at those schools were outraged that they weren’t notified about the program. As a result, the program has been placed on hold although district officials are still considering implementing the program, which would require School Board approval. It was scheduled to begin districtwide in the fall, when the new school year starts.

Sometimes it's not just who you sue, it's how you sue. (This might work in other breaches as well.)
Jacob Hale Russell of Thomson Reuters reports that because data breach lawsuits generally get dismissed if plaintiffs cannot show financial harm, lawyers are shifting away from lawsuits based on privacy claims to lawsuits based on theories:
But plaintiffs’ lawyers of late have been switching tack: Rather than framing lawsuits stemming from data breaches as privacy claims, they are accusing hospitals and insurance companies of unjust enrichment and breach of contract. Also, more cases are being filed on behalf of classes of plaintiffs rather than individuals.
So far, only a dozen or so lawsuits along these lines have been filed, lawyers said, but both the plaintiffs and defense bars are watching carefully to see how they fare and whether the trickle could turn into a flood.
Read more on Thomson Reuters.
[From the article:
In unjust enrichment suits, plaintiffs argue that their purchase decisions were based partly on expectations of privacy. When their data was compromised, they say, the defendants got to keep their payments, but plaintiffs lost the benefit of the bargain.
In breach of contract claims, plaintiffs point to specific provisions in contracts and terms of service agreements that mention privacy, arguing that these provisions were part of what led them to purchase the service. In contrast to the privacy suits, these ones allege that plaintiffs were financially harmed by spending money on the health service in the first place.

Why? Simple. Your security can impact my security. (Let's hope they go beyond passwords into real security...)
Google Resources on Password Security
Google Official Blog: “Knowing how to stay safe and secure online is important, which is why we created our Good to Know site with advice and tips for safe and savvy Internet use. Starting today, we’ll also be posting regularly with privacy and security tips. We hope this information helps you understand the choices and control that you have over your online information.”

This is not quite the difference between “We gotta do something!” and “We gotta do something rational.”
EPIC Announces TSA “Unplugs, Boxes Up, and Ships Back” X-Ray Body Scanners
EPIC: “The TSA has completed removal of the x-ray body scanners from US airports. The devices revealed detailed images of a person’s naked body and have been described as ‘digital strip searches.’ The TSA action follows an Act of Congress and several lawsuits by EPIC. The TSA was forced to remove the machines after Congress required that the devices produce only generic images. And as a result of EPIC v. TSA the TSA is currently required to accept public comments on its airport screening procedures. The public has until June 24, 2013 to voice its opinions. The millimeter wave devices remain in US airports. For more information, see: EPIC: Comment on the TSA Nude Body Scanner Proposal and EPIC: ATR lawsuit.”

This looks less and less like a legitimate criminal case and more like a media event staged for the RIAA and MPAA. What else did they do with no legal basis?
Kim Dotcom wins access to seized property from 2012 raid
Megaupload founder Kim Dotcom has won another one.
A New Zealand court on Friday ruled that the warrants used by law enforcement officials to raid Dotcom's home in 2012 were illegal. Therefore, the court said, police are required to provide copies of all evidence they deem relevant in their prosecution of Dotcom for alleged piracy. Anything that is deemed by the court to not be relevant must be returned to Dotcom.
Until now, Dotcom's defense attorneys did not have access to the seized evidence.
According to a report from January 2012, $42 million in assets were seized from Megaupload and Kim Dotcom. It's not clear how much of that will be returned to him.

Perspective. What else would people pay more for?
Accenture: Public Transportation Users Predict Big Increases in the Use of Smartphones, Paperless Travel and Social Media
News release: ‘Three out of four travelers (75 percent) who use public transportation in some of the world’s major cities believe that electronic ticketing would make travel easier, and an overwhelming 92 percent would welcome paperless travel, a new global survey by Accenture reveals. The survey of 4,500 urban travelers in nine major cities in Brazil, France, Germany, South Korea, Spain, UK and the United States showed that approximately 90 percent of people in these cities use public transportation on a regular basis, and they are willing to pay more for technology improvements. According to the survey, 52 percent of respondents would be willing to pay at least 10 percent more for travel if they were offered such technological enhancements as the ability to use a smartphone as a ticket while traveling, an app from transport providers and/or a paperless travel option.

Perspective and something for my geeks. Has Microsoft made a strategic error?
Acer $400 'PC' will run Android, pack Intel's Haswell chip
… Expect this trend to pick up steam as PC vendors announce new systems based on Intel's upcoming Haswell and Bay Trail chips. Intel is already dropping not-so-subtle hints that Android laptops running on the Bay Trail chip are on the way and will be priced between $200 and $300.
… Systems sans Windows 8 can be priced lower and require less hardware.
The Acer AIO will come with only 1GB of memory and storage configurations will be as small as 8GB.

Because Google loves us? Something for my Intro to IT class...
Google introduces nutrition info in search
Google Inside Search Blog: “Figuring out how to make smart choices about some of our favorite foods can often be a cumbersome and daunting process. So we’re hoping we can make those choices a little bit easier: starting today you will be able to quickly and easily find extensive nutrition information for over 1,000 fruits, vegetables, meats and meals in search. From the basics of potatoes and carrots to more complex dishes like burritos and chow mein, you can simply ask, “How much protein is in a banana?” or “How many calories are in an avocado?” and get your answer right away. You’ll hear the answer to your specific question, see relevant nutrition information under an expansion, and be able to switch to other related foods or serving sizes.”

But then I'll need a really big 3-D printer...
"Think of a world where you could simply download the blueprints of your future home for free just like you download any open source software today. A team of British architects developed just that and they are hoping their project called WikiHouse will radically change the way we think about building homes."

For my students who like to argue.
If you are looking for a cool way to discuss almost any issue with other Internet users, a new website called Quibl is perfect for you.

Perfect! Now all I need is a Kindle...
… there are now a large number of people who own Kindle devices to read their eBooks on. However, eBooks are not the only thing these Kindle owners read. They also read articles that are online on various websites. Having to switch from their Kindle to the computer and then back for reading can be quite inconvenient. Here to help you shift all of your reading to a Kindle device is a service called Tinderizer.
Tinderizer is a free to use web service that Kindle users will highly appreciate. The service helps you port web articles in a readable form to your Kindle device for better and more convenient reading. You start by heading to Amazon’s Kindle settings and adding to your Kindle approved email list. Next, you provide Tinderizer’s website with your Kindle email address.
After that you are simply given a bookmarklet that you can drag to your web browser’s bookmarks toolbar. Anytime you want to send an article you are viewing on your computer to your Kindle, simply click on this bookmarklet. You are also given an alternate way through which you can send articles to your Kindle by sending the URL as an email to an address that Tinderizer provides to you.

I may print up a few hundred of these for our grads...
Twelve Rules for New Grads

And just because I find this amusing each week.
… This week, Coursera announced a series of deals with 9 state university systems: the State University of New York, the University of Tennessee system, The Tennessee Board of Regents, the University of Colorado system, the University of Houston system, the University of Kentucky (The Chronicle of Higher Education has a copy of this contract), the University of Nebraska, the University of New Mexico, the University System of Georgia, and West Virginia University. According to its blog, “the partnership with Coursera will give professors the option to experiment with and improve upon the ‘blended learning’ model, which combines online video lectures and content with active, in-person classroom interactions.” Inside Higher Ed offers a lot more details on the deals, arguing that they will “help the company test new business models and teaching methods and potentially put Coursera in competition with some of the ed tech industry’s most established players.” Many education bloggers have chimed in too, noting that this makes Coursera less of a “disruptive innovation” and more of a learning management system, a courseware provider, or an academic publisher. “You can stop worrying about MOOCs now,” says Martin Weller, who says this move shows that the MOOC bubble is already bursting.
… The German business software giant SAP has launched its own “MOOC” and its own “MOOC” platform — Open.SAP.com to teach its employees about the company.
… One of the leading scholars in technology and learning, Candace Thille, is moving from Carnegie Mellon University to Stanford. Thille heads the CMU Open Learning Initiative, and it’s not clear how much of the program or its grant funding will move with Thille. More on her relocation west via Inside Higher Ed.

Northern Arizona U Launches Online Competency Based Degree Programs
Northern Arizona University (NAU) has launched a competency-based online degree program using a subscription model for tuition.
Dubbed "Personalized Learning," the program's first degrees include Computer Information Technology, Liberal Arts, and Small Business Administration, offered for $2,500 per six-month term, with costs such as books and lab fees included.
The new program will also allow students to skip some classes by demonstrating mastery of the material.

Thursday, May 30, 2013

“It's your personal information, the state just makes it available to criminals for free.” Why would this employee confess to the Fire Department? Lots of “worst practices” here.
Michael McFall reports:
A Utah Division of Motor Vehicles employee was fired in March after the agency discovered she allegedly gave out people’s personal information.
In response to a Salt Lake Tribune inquiry, DMV spokesman Charlie Roberts confirmed that the agency first learned from the Salt Lake City Fire Department in mid-March that the employee, who was not immediately identified, had allegedly released Utahns’ confidential information taken from DMV databases.
Read more on Salt Lake Tribune. Fox13 provides additional details suggesting that this may have been going on for a long time [See below. Bob] and that the information was being used to commit crimes such as revenge arson.
This is not the first time we’ve seen reports of insider breaches resulting in non-financial crimes. A case in Canada comes to mind, where an employee allegedly gave out contact information on dozens of people, many of whom then had their homes fire-bombed or found themselves shot at.
[From the Fox article:
But state officials acknowledge they may have no way of knowing how widespread the problem is.
… “I believe she stated she’s been doing it for 14 years,” Ellis said.

Someone is getting serious...
China Daily reports:
Police have busted 4,382 cases of personal information theft, involving 5 billion pieces of stolen information, People’s Daily reported Thursday.
More than 4,000 suspects have been arrested in three national crackdowns launched in 2012 and 2013, and at least 1,200 gangs selling and buying personal information illegally have been destroyed.
More than 200 suspects have been punished for providing, selling and obtaining personal information illegally, and the rest face punishment.
That’s impressive. I wish I could find the article on People’s Daily, but haven’t been able to track it down yet.

Does this have broader implications? Hard to see how it could not... So if politics is not a valid reason to seize laptops, what is?
In a settlement reached with human rights activist David House, the government has agreed to destroy all data it obtained from his laptop and other electronics when he entered the U.S. after a vacation, the American Civil Liberties Union and the ACLU of Massachusetts announced today. House, who was then working with the Bradley Manning Support Network, an organization created to raise funds for the legal defense of the soldier who has admitted to leaking material to WikiLeaks, charged in a lawsuit that the seizure violated his Fourth Amendment rights by subjecting him to unreasonable search and seizure, and violated his First Amendment right to freedom of association.
In November 2010, Department of Homeland Security agents stopped House at O’Hare International Airport in Chicago and questioned him about his political activities and beliefs. They then confiscated his laptop, camera, and USB drive, which contained information identifying members and supporters of the Bradley Manning Support Network. The government copied House’s cell phone at the airport and held his laptop and other devices for 49 days. The data taken from House’s materials was then turned over to the U.S. Army Criminal Investigation Division (CID), which concluded that it would not use the information.
… The government will also hand over numerous documents, including reports describing Army CID’s inspection of House’s data as well as the DHS “Lookout” telling agents to stop House as he entered the country.
… “The seizure of David House’s computer is a chilling example of the government’s overbroad ability to conduct a search at the border that intrudes into a person’s political beliefs and associations,” said John Reinstein, an attorney with the ACLU of Massachusetts.
More information on the case is at:

I was so intrigued reading this bill yesterday that I forgot to blog about it, it seems.
Cyrus Farivar reports:
Assuming that Texas Governor Rick Perry does not veto it, the Lone Star State appears set to enact the nation’s strongest e-mail privacy bill. The proposed legislation requires state law enforcement agencies to get a warrant for all e-mails regardless of the age of the e-mail.
On Tuesday, the Texas bill (HB 2268) was sent to Gov. Perry’s desk, and he has until June 16, 2013 to sign it or veto it. If he does neither, it will pass automatically and take effect on September 1, 2013. The bill would give Texans more privacy over their inbox to shield against state-level snooping, but the bill would not protect against federal investigations. The bill passed both houses of the state legislature earlier this year without a single “nay” vote.
Read more on Ars Technica.

(Related) Really? Texas? Who'd a thunk it? Not just the “Skeet & Drone Gun Club?”
Texas is turning out to be a hotbed of privacy-protective legislation recently. D. Goodwin writes:
A Texas bill that would nullify warrantless drone spying gained final approval this week and now heads to Gov. Rick Perry’s desk for his signature.
HB912 would virtually eliminate all warrantless drone spying in the Lone Star State and criminalizes all drone use outside of carefully prescribed parameters.
The Texas Privacy Act states that “a person commits an offense if the person uses or authorizes the use of an unmanned vehicle or aircraft to capture an image without the express consent of the person who owns or lawfully occupies the real property captured in the image.” The offender would be charged with a Class C misdemeanor if they were caught violating this part of the law.
The bill then outlines acceptable application of drones, including pursuant to a criminal warrant.
Read more on Tenth Amendment Center.

Perhaps my Computer Security students could turn their rants about stupid laws into a cogently argued article? Nah....
SSRN Launches New Cyberspace Law – Student Authors and Intellectual Property Law Section
“We are pleased to announce the creation of Cyberspace Law – Student Authors and Intellectual Property Law – Student Authors eJournals within the Legal Scholarship Network (LSN). These eJournals are designed for submissions by students or others without or prior to receiving an advanced academic degree. They can include Law Review student notes or other student papers.”

This could be interesting. Imagine a similar business model for college students. Sign up for a Semester of Math videos or a Quarter of IP Law. How about a hobby channel? Summer guide to growing tomatoes.
With Skillfeed, Shutterstock aims to rework online training
Shutterstock has launched a new subscription service called Skillfeed designed to connect professionals who need to learn how to use their computers with creative types who want to make videos that do the teaching.
With the $19-per-month service, subscribers can watch as many videos as they want, either longer-form courses or shorter "snacks" good for smaller periods of free time, said David Fraga, Skillfeed's general manager. And content contributors get paid: Shutterstock keeps 70 percent of the proceeds, but the rest is divided among all contributors based on what fraction their videos were of the total time watched.

For my Statistics students
Principles and Practices for a Federal Statistical Agency: Fifth Edition
“Publicly available statistics from government agencies that are credible, relevant, accurate, and timely are essential for policy makers, individuals, households, businesses, academic institutions, and other organizations to make informed decisions. Even more, the effective operation of a democratic system of government depends on the unhindered flow of statistical information to its citizens. In the United States, federal statistical agencies in cabinet departments and independent agencies are the governmental units whose principal function is to compile, analyze, and disseminate information for such statistical purposes as describing population characteristics and trends, planning and monitoring programs, and conducting research and evaluation. The work of these agencies is coordinated by the U.S. Office of Management and Budget. Statistical agencies may acquire information not only from surveys or censuses of people and organizations, but also from such sources as government administrative records, private-sector datasets, and Internet sources that are judged of suitable quality and relevance for statistical use. They may conduct analyses, but they do not advocate policies or take partisan positions. Statistical purposes for which they provide information relate to descriptions of groups and exclude any interest in or identification of an individual person, institution, or economic unit. Four principles are fundamental for a federal statistical agency: relevance to policy issues, credibility among data users, trust among data providers, and independence from political and other undue external influence. Principles and Practices for a Federal Statistical Agency: Fifth Edition explains these four principles in detail.”

My Intro to IT students seem to like this type of article.
2013 Internet Trends Report – Slides from Mary Meeker and Liang Wu
Published May 2013 by Mary Meeker and Liang Wu - “The latest edition of the annual Internet Trends report finds continued robust online growth. There are now 2.4 billion Internet users around the world, and the total continues to grow apace. Mobile usage is expanding rapidly, while the mobile advertising opportunity remains largely untapped. The report reviews the shifting online landscape, which has become more social and content rich, with expanded use of photos, video and audio. Looking ahead, the report finds early signs of growth for wearable computing devices, like glasses, connected wrist bands and watches – and the emergence of connected cars, drones and other new platforms.”

(Related) It's a mobile world...
IDC Reports PC Outlook Falls As Market Increasingly Looks to Tablets
News release: “Worldwide PC shipments are now expected to fall by -7.8% in 2013 according to the International Data Corporation (IDC) Worldwide Quarterly PC Tracker. The new forecast reflects a shift in PC buying trends as users increasingly consider alternatives such as delaying a PC purchase or using tablets and smartphones for more of their computing needs. In place of a limited decline of -1.3% in 2013 followed by a gradual increase in volume, the new outlook calls for a more substantial decline of -7.8% in 2013 and -1.2% in 2014 with shipment volume reaching only 333 million in 2017 – still below the 349 million shipped in 2012 and a peak of more than 363 million shipped in 2011. The updated forecast reflects the significant drop in volume during the first quarter of 2013 as well as the transitions happening in PC design as vendors bring products to market that are optimized for Windows 8, including more thin, convertible, touch, and slate models…” “In addition, the BYOD (Bring Your Own Device) phenomenon has moved from smartphones to tablets and PCs with nearly 25% of employees in organizations larger than 10 people claiming to have purchased the primary PC they use for work,” said Bob O’Donnell, Program Vice President, Clients and Displays. “This means that some of the corporate PC purchases we expected this year will no longer happen.”

My students should be paying attention to these articles too
Report: Hard Times – College Majors, Employment and Earnings
Georgetown Public Policy Institute Report – Hard Times – College Majors, Employment and Earnings: “In the past, a college degree all but assured job seekers employment and high earnings, but today, what you make depends on what you take. In Hard Times 2013, we show differences in unemployment and earnings based on major for BA and graduate degree holders. We show that STEM — Science, Technology, Engineering, and Mathematics — majors typically offer the best opportunities for employment and earnings, while unemployment is higher for graduates with non-technical degrees.”

I happen to know where I can get my hands on the perfect printer...
Popular Printable Posters

Wednesday, May 29, 2013

From the article, this seems to be a case of “similar vulnerabilities” rather than a central (third party) victim. If so, it's the first I've seen. Perhaps a common vendor opened the door into the various companies?
Stephen Betts reports:
The Port Clyde General Store was one of hundreds of companies across the country that had data from its customers’ credit cards breached by hackers recently.
Attorney Stephen Hayes of Augusta, who represents the store, confirmed that the market was notified by police on May 21 that its system for processing credit card payments “had been compromised by a sophisticated group of criminal hackers.”
Read more on Bangor Daily News. The article also notes other breach reports recently received by the Maine Attorney General’s Office, including Vendini, Beachbody LLC, YourTel, the Edgemont Centre, Piedmont Healthcare P.A., Green Fun Store (operated by AHW LLC), and TD Bank.
The following statement was posted on the Port Clyde General Store’s web site:
… The data breach was discovered during an investigation of data security breaches that impacted dozens of Maine businesses and hundreds of companies across the United States.
… Port Clyde General Store uses an outside professional firm to install and manage the hardware and software for its credit card processing. The measures employed to protect customer data complied with all state and federal requirements, including encryption of customer data and daily erasure of customer information following transmission to the card processing company. The servers are protected by firewalls and are regularly scanned with updated antivirus and anti-malware software. The security breach was caused by malware that was designed to avoid industry-standard precautions.
Many of our employees also encountered problems. [Does that suggest more than that they used their credit cards in the store? Bob]

Deans are not Gods? That's not what they tell me!
Actions have consequences.
The Atlantic Wire reports that the Harvard Dean involved in the controversial search of some faculty’s emails is stepping down, presumably because of the incident.

What do they teach “Education” majors?
Susan Sarkauskas reports on a case in Batavia, New York that raises some important questions:
A Batavia High School teacher’s fans are rallying to support him as he faces possible discipline for advising students of their Constitutional rights before taking a school survey on their behavior.
They’ve been collecting signatures on an online petition, passing the word on Facebook, sending letters to the school board, and planning to speak at Tuesday’s school board meeting.
Students and parents have praised his ability to interest reluctant students in history and current affairs.
But John Dryden said he’s not the point. He wants people to focus on the issue he raised: Whether school officials considered that students could incriminate themselves with their answers to the survey that included questions about drug and alcohol use.
Read more on Daily Herald.
We need more details on what, exactly, the parents were told about the contents of the survey – including whether they were told that their children’s responses would be stored for future use and comparison. And in those states who might be sharing data with entities designated as “school officials,” were parents told specifically who would have access to their children’s sensitive information? Were they told if data would be stored only locally or in the cloud?
Although the teacher used it as a moment to teach the 5th Amendment right against self-incrimination, what privacy rights do students have if their parents have not opted them out of a district or school survey? Does a student have the right to say, “This is too personal. I decline to answer?”
And if you don’t know whether your children have the right to (safely) refuse, whom will you ask?

“We said, 'self regulating' not 'if you feel like it.'”
Brent Kendall reports:
The Federal Trade Commission is offering a strong defense of its powers to police cybersecurity practices against a challenge by Wyndham Worldwide Corp.
We wrote about Wyndham’s challenge earlier this month in a case involving attacks by hackers on the hotel chain’s computer systems between 2008 and 2010. The FTC sued Wyndham last year for allegedly lax data security that let hundreds of thousands of credit-card numbers get stolen. The company said the government was unfairly seeking to punish the victim of the crime instead of the hackers who perpetrated it.
Now the FTC is firing back, arguing in a new court filing that corporations that collect consumer data bear responsibility for protecting it. [What a concept! Bob]
“The FTC is not suing Wyndham for the fact that it was hacked, it is suing Wyndham for mishandling consumers’ information such that hackers were able to steal it,” the agency said in a court filing this week.
In a battle of analogies, Wyndham argued the FTC suit was “the Internet equivalent of punishing the local furniture store because it was robbed and its files raided.”
The FTC’s new filing offered a different picture. “A more accurate analogy would be that Wyndham was a local furniture store that left copies of its customers’ credit and debit card information lying on the counter, failed to lock the doors of the store at night, and was shocked to find in the morning that someone had stolen the information.”
Read more on WSJ. This is a case I’ve been following since the hacks were first disclosed, and represents the first time a data breach complaint by the FTC will be adjudicated by a court instead of reaching a settlement. The Chamber of Commerce and others, including TechFreedom, have jumped in on Wyndham’s side. Their argument emphasizes the point that the FTC has never promulgated clear rules that would provide fair notice to businesses as to what actions constitute “unfair or deceptive” practices under the FTC Act. Of course, in many cases, the FTC draws upon other statutes, e.g., if it would be violative of the GLBA or other statutes to do something, that makes it an unfair or deceptive practice for purposes of the FTC. Similarly, the FTC often looks to “industry standards” in determining whether an entity failed to provide adequate security. It also looks to statements made in an entity’s privacy policy or Terms & Conditions to determine what representations the entity made about data security and whether they lived up to those representations.
One criticism that has been lodged against the FTC’s data security actions is that in many cases, there really is no showing of harm or injury to the consumers, who may be protected by their banks for any fraudulent charges on their credit cards. Because most court cases involving data breaches result in dismissal for lack of standing due to absence of demonstrable harm, some (like Michael D. Scott) argue that the FTC should not be able to apply or enforce its powers in cases where you cannot demonstrate that consumers were objectively harmed.
To be clear: I’m hoping the FTC prevails. And if Congress doesn’t like the outcome, then let them get off their asses and introduce legislation that protects consumers from inadequate data security. Congress wanted to avoid legislation and let industry regulate itself, so as not to stifle innovation. All well and good, but with almost every entity suffering data breaches, someone’s got to protect consumers from inadequate security, and the FTC stepped up to the plate. This is no time to go backwards.
The Wyndham case does not strike me as unusual in terms of the grounds the FTC cited for its action. What makes it unusual is that Wyndham didn’t settle and is fighting this. If Wyndham is successful in getting the case dismissed, that will be a serious setback for the FTC. If the FTC wins, I expect we’ll see many businesses paying even more attention to data security.

You can read their brief here. Their brief incorporates some of the issues I discussed in my previous blog entry on this case earlier today, and I’m glad to see it.

Sometimes you don't need a second court to get a reversal... What happens if the decrypted files are not what the government told the court they were?
Cyrus Farivar reports:
A federal judge who had previously declined to force a Wisconsin suspect to decrypt several hard drives believed to contain child pornography has now changed his mind. After considering new evidence, the judge wrote in an order last week (PDF) that the Milwaukee-area man now must either enter the passwords for the drives without being observed by law enforcement or government counsel or must provide an unencrypted copy of the data.
Read more on Ars Technica.

Were they able to seize any of that money?
Liberty Reserve Founder Indicted on $6 Billion Money-Laundering Charges
The founder of digital currency system Liberty Reserve has been indicted in the United States along with six other people in a $6 billion money-laundering scheme, in what authorities are calling the largest international money-laundering case ever prosecuted, according to documents unsealed today.
Dubbed the “financial hub of the cyber-crime world,” authorities say Liberty Reserve had more than 1 million users worldwide and processed more than 12 million transactions annually as the favored money-laundering service for carders, hackers and other cybercriminals in the digital underground who used it to transfer money around the world effortlessly and anonymously.
According to the indictment (.pdf), Liberty Reserve was used to launder more than $6 billion in criminal proceeds.
… Liberty Reserve required only a valid email address to open an account and initiate transactions. It charged a 1 percent fee for each transaction and, for an additional 75 cents, offered to hide a user’s account number in transactions.

Online research tool
Scrible - Bookmark, Annotate, and Create Bibliographies
Scrible is a free service offering a nice set of tools for highlighting, annotating, and bookmarking webpages. Scrible offers browser bookmarklets for Firefox, Chrome, Safari, and Internet Explorer. With the Scrible bookmarklet installed, anytime you're on a page just click the bookmarklet to launch a menu of bookmarking tools. The Scrible tool set includes highlighters, sticky notes, and font change tools. When you annotate and bookmark a page in Scrible it is saved as it appeared to you when you were done altering it. And as you would expect from a web-based bookmarking tool, you can share your bookmarked pages with others. Students can get a free Scrible account that has double the storage capacity of the standard free account.
Scrible recently added an option for formatting bibliographies as you bookmark. Scrible also has a new feature that allows you to compile your article clippings into one package.
… The benefit of using a tool like Scrible is that students can take notes on their bookmarks and bookmark only the parts of a website that they need to reference in their reports. Saving bookmarks in this manner saves time when you go back to visit a site because you'll immediately see what it was that prompted you to bookmark it in the first place.

Tuesday, May 28, 2013

Think of it as “Target Identification.” There is no sense wasting a perfectly good cruise missile on a cafeteria when you could hit the “comms network” or the server farm.
"In an embarrassing revelation today it appears as though the blueprints to the new Australian federal intelligence agency ASIO headquarters have been stolen, reportedly by a cyber attack originating from China. Several other governmental departments have been reported as being breached also. The blueprints which have been compromised include the security system, comms network, floor plan and server locations of the new ASIO headquarters located in the Australian capital city, Canberra."

(Related) It has ever been thus...
Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies
Designs for many of the nation’s most sensitive advanced weapons systems have been compromised by Chinese hackers, according to a report prepared for the Pentagon and to officials from government and the defense industry.
Among more than two dozen major weapons systems whose designs were breached were programs critical to U.S. missile defenses and combat aircraft and ships, according to a previously undisclosed section of a confidential report prepared for Pentagon leaders by the Defense Science Board.

“Those who have not studied The Streisand Effect are doomed to experience it.” The facts are true, they don't like people calling them names...
"PETA is incensed over an article in the Huffington Post that details that organization's unsettling practice of euthanizing animals in a Virginia facility that many have assumed is a no kill shelter. According to the New York Post, PETA wants to sue some of the people who have left comments on the article. The problem is that, following the practice of many on the Internet, many of the comments are under assumed names or are anonymous. PETA is attempting to discover the true identities of their critics so that it can sue them for defamation."

This is exactly what I'm worried about. “So easy, even a caveman can do it,” does not give me that warm fuzzy feeling...
This Pentagon Project Makes Cyberwar as Easy as Angry Birds
The target computer is picked. The order to strike has been given. All it takes is a finger swipe and a few taps of the touchscreen, and the cyberattack is prepped to begin.
For the last year, the Pentagon’s top technologists have been working on a program that will make cyberwarfare relatively easy. It’s called Plan X. And if this demo looks like a videogame or sci-fi movie or a sleek Silicon Valley production, that’s no accident. It was built by the designers behind some of Apple’s most famous computers — with assistance from the illustrators who helped bring Transformers to the silver screen.
… But you can’t expect the average officer to be able to understand the logical topology of a global network-of-networks. You can’t expect him to know whether it’s better to hook a rootkit into a machine’s kernel or its firmware. If cyberwar is going to be routine, Darpa believes, the digital battlefield has to be as easy to navigate as an iPhone. The attacks have to be as easy to launch as an Angry Bird.

Interesting that there is no indication in the article that they ever stopped using this tool...
David Fisher reports that the NZ government is also having its own problems with lack of transparency over domestic surveillance. More than a decade after it was allegedly deployed, the public is first finding out about ThinThread:
A high-tech United States surveillance tool which sweeps up all communications without a warrant was sent to New Zealand for testing on the public, according to an espionage expert.
The tool was called ThinThread and it worked by automatically intercepting phone, email and internet information.
ThinThread was highly valued by those who created it because it could handle massive amounts of intercepted information.
Read more on New Zealand Herald.
[From the article:]
ThinThread automatically anonymised the collected data so the identities stayed hidden "until there was sufficient evidence to obtain a warrant". [I read this as a tool that looks at everything and searches everyone's communications for “patterns” that indicate you might be a “Person of Interest.” Bob]

Clearly not perfect. Perhaps they should have asked the Privacy Foundation for advice...
Joy Pullmann reports:
Oklahoma Gov. Mary Fallin will consider a student privacy bill Oklahoma lawmakers passed by large margins this month. Its state-level protections are first of their kind in the nation, said John Kraman, executive director of student information at the Oklahoma Department of Education, and may provide a model for other states as privacy concerns rise.
House Bill 1989 passed the House 88-2 on May 16 and the Senate 41-0 on May 22.
[From the article:]
HB 1989 requires the state Board of Education to inventory and publicly post what student-specific data the state collects, create a detailed data security plan and student privacy policies, and send no student-specific information outside the state except for specific circumstances such as out-of-state student transfers or contracts with testing companies. And it requires the board to get legislative approval for any new data it wants to collect.
… “Nothing in the act really protects children from excessive data collection. It just prevents it from going across state lines.”
HB 1989 also automatically opts all students into data collecting, rather than requiring parent consent beforehand.
“Some districts have told parents they can't opt out,” White noted.

Gutenberg cubed? 3-D Printing opens an entirely new can of worms. If Smartphones “enabled” the “Arab Spring,” what will the ability to “print” your own weapons (or more smartphones, see the next article) bring to the mix?
An Insider’s View of the Myths and Truths of the 3-D Printing ‘Phenomenon’
From a major VC firm’s recent $30 million investment in the industrial-grade 3-D printing space to the news that Staples will become the first major U.S. retailer to sell consumer-friendly 3-D printers, it’s clear that 3-D printing has reached its inflection point.
And perhaps its hype point, too.
… 3-D printing is indeed an important fabrication technology, because it has the marvelous ability to make anything regardless of the complexity of the form. Other fabrication techniques, honed over decades of industrialization, struggle with geometric complexity — where 3-D printers can print either the most intricate shapes or simplest cube with equal ease.
… Where 3-D printing may be unfettered by complexity, it is constrained by volume.
Everything from cost and time to amount of material increases exponentially: specifically, to the third power.
So if we want something twice as big, it will cost 8 times as much and take 8 times as long to print. If we want something three times as big, it will cost about 27 times more and take 27 times longer to print. And so on.
… Large industrial printers can now print metal, rubber, and ceramics in addition to plastic.

Your Smartphone, Made of Cement
… A collective of researchers from the U.S., Finland, Germany, and Japan, working with the U.S. Department of Energy, has developed a way to make metal out of the straw of the contemporary world: cement. The process they discovered, published yesterday in Proceedings of the National Academy of Sciences, transforms liquid cement into a kind of glass-metal fusion that is exceptionally good at conducting heat and electricity. The resulting hybrid, the scientists say, can be used as a semiconductor in electronics: it offers good conductivity, low energy loss in magnetic fields, better resistance to corrosion than traditional metal, less brittleness than traditional glass, and fluidity for ease of processing and molding.

(Related) “For want of a nail the shoe was lost.” The 3-D printer may help the Navy avoid the modern equivalent.
US Navy looks to 3D printing to turn its city-sized aircraft carriers into mobile factories

And as long as we are looking at changing perspectives...
The Rise of the Mobile-Only User
One of the most persistent misconceptions about mobile devices is that it's okay if they offer only a paltry subset of the content available on the desktop. Decision-makers argue that users only need quick, task-focused tools on their mobile devices, because the desktop will always be the preferred choice for more in-depth, information-seeking research.
… The rise of smartphones means that more and more people are going online from a mobile device. According to Pew Internet, 55 percent of Americans said they'd used a mobile device to access the internet in 2012. A surprisingly large number — 31 percent — of these mobile internet users say that's the primary way they access the web.
… But mobile-only usage isn't limited to these demographics. Amazon, Wikipedia, and Facebook all see about 20 percent of their traffic from mobile-only users, according to comScore. A whopping 46 percent of shoppers reported they exclusively use their mobile device to conduct pre-purchase research for local products and services. Internal data from some finance, healthcare, and travel providers show similar mobile-only usage.

Is this the not-so-obvious way to go?
Marissa Mayer Is Bringing Back the Internet Portal. Here’s Why
Since Marissa Mayer took over as CEO of Yahoo last year, there’s been a lot of talk about how the famously detail-oriented ex-Googler will “refocus” the company. But it’s becoming increasingly clear that Mayer is broadening, not narrowing, Yahoo’s scope, cementing its once passé reputation as the original internet “portal.”
The latest sign of this trend came just this past weekend, when multiple reports had Mayer in talks to acquire the online television hub Hulu. Less than one week earlier, Yahoo announced it would pay $1.1 billion for microblog network Tumblr. Two months ago, the company paid a reported $30 million to buy news digest app Summly from a British teenager. The common thread: Yahoo keeps expanding into new areas, even though it was already a sprawling internet conglomerate when Mayer took control, with everything from movie listings to stock quotes to a photo-sharing social network to a news hub to a search engine.
Yahoo’s mission creep is a useful case study in why web companies like Google and Facebook continue to grow their functionality and why startups keep selling to the seemingly bloated leviathans, even though tech advances have made it cheaper and easier than ever for software companies and web services to go it alone, and despite the fact that consumers are migrating to highly specialized mobile apps.

For my Ethical Hackers (and most of my other students)
MightyText … can be summarized rather succinctly: send and read SMS messages through your Android phone by using a computer or tablet.
… you can control many different aspects of your phone: SMS, contacts, call logs, camera, sensors, file manager, or even direct remote control of the device. Just be sure to note that remote control requires your Android to be rooted.
… lets you remote control your Android phone through the Android SDK.

Another for my Ethical Hackers: Since it took him “Hours” (plural) he would have failed miserably.
Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”
In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.
… While Anderson's 47-percent success rate is impressive, it's minuscule when compared to what real crackers can do, as Anderson himself made clear.
… Even the least successful cracker of our trio—who used the least amount of hardware, devoted only one hour, used a tiny word list, and conducted an interview throughout the process—was able to decipher 62 percent of the passwords. Our top cracker snagged 90 percent of them.

This could be handy in the computer labs...
Generally, when you want to share your screen with someone, you might turn to a projector or remote desktop application. Many of the solutions for sharing a screen are cumbersome and not the easiest thing in the world to get up and running.
With TiffanyScreens, the process happens automatically and you can be sharing your screen in a matter of seconds.
There is absolutely no configuration since the app automatically detects other devices running the software on your network.
The app comes with a free option that lets you share your screen with one other computer … but for businesses looking to use this in place of a projector, a paid license is available that lets you share the screen with more computers.
Find TiffanyScreens on the Mac App Store and @

Even my students need to do serious writing...
… An outline is nothing but a hierarchical breakdown of what you plan to write or create, arranged according to levels of importance and flow, and marked by numbers, roman numerals, headings-subheadings, indentations, or any other format.
Basically any note-taking application can be set up as an outliner. But using tools with outlining capabilities gives you more hands-on control, especially if you use the process regularly.
Microsoft OneNote
The MSDN blog has a detailed page on using OneNote for outlining.
Microsoft Word
WorkFlowy also has a free iOS app which works offline. An Android app is available which works like a proxy for the web app.
Wikipedia has a page that lists quite a few outliner applications out there.