Saturday, July 06, 2013

It's more important to have a story than a fact?

Daily Report: Snowden Trained as Hacker While With N.S.A., Résumé Says

NY Times Story on Snowden Way Off the Mark
The current NY Times story on Snowden is such garbage. Snowden was a systems administrator with the keys to the kingdom: root access to servers and other devices, which let him enable, disable, bypass and read most anything stored on them. He was no master hacker or elite anything.
He just happened to take classes in hacking and other IT topics.
If Booz Allen had enforced proper change and release management procedures, along with separation of duties (standard, foundational IT controls), this would never have happened.
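What separation of duties looks like at the operating-system level, as an added illustration that is not from the original post or from any organization it mentions: two sudoers fragments, the first granting an admin group blanket root (the "keys to the kingdom" situation described above), the second splitting that into narrow, fixed-argument task grants with session logging. Group names, the service name and the paths are assumptions.

```text
## Added example, not from the original post. Group names, service
## and paths are assumptions.

## Before: one group has unrestricted root on every host. Anyone in it can
## read, copy or alter anything, and can also edit the logs that would show it.
%sysadmin   ALL=(ALL:ALL) ALL

## After: each group gets only the commands its job needs, with fixed
## arguments so the grant cannot be turned into a shell or a file reader.
Cmnd_Alias  WEB_SVC  = /usr/bin/systemctl restart nginx, \
                       /usr/bin/systemctl status nginx
Cmnd_Alias  WEB_LOGS = /usr/bin/tail -n 200 /var/log/nginx/error.log
Cmnd_Alias  BACKUP   = /usr/local/sbin/run-backup

%helpdesk   ALL=(root) WEB_SVC, WEB_LOGS
%storage    ALL=(root) BACKUP

## Record every sudo session (commands and terminal I/O) to a log the
## operators cannot edit, so a second person can review what was done.
Defaults    logfile=/var/log/sudo.log
Defaults    log_output, iolog_dir=/var/log/sudo-io
```

The narrowed grants only hold if none of the listed commands can be coaxed into spawning a shell or opening arbitrary files (pagers, editors and wildcards in sudoers are the classic escapes), and someone other than the operators has to actually read the session logs. Anyone who still needs real root gets it through a separate, approved change, not a standing entry.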

For my CS students...
… what if I told you that right now, by using VirtualBox, you can download a free Virtual Machine featuring a full, free version of Windows XP? It’s absolutely true – you can download Windows XP.
… You can use this system to not only test out what your website looks like for people running older versions of Internet Explorer (IE) on an older operating system, but you can also use it to test applications on XP if you’re an application developer, or to run older programs that only run on Windows XP. The version of XP gives you a temporary use license, but if you need to use it longer, you could always reinstall it or activate it with a valid XP license you may have already purchased but aren’t using on any of your computers anymore.
… At the Virtual Machine download page, you’ll need to choose the options to download a Windows OS Virtual Machine, and choose which version of IE you want to test.

For all my students. Automating citations so I don't use my automated flunking machine...
When the time comes to write a paper, one of the biggest pains can be citing your sources.
… First, you need to make sure you are backing up what you are stating with proper facts. Second, your professors need to make sure you aren’t plagiarizing, and backing up your claims with sources can go a long way towards making this happen.
Thankfully, the Internet makes this arduous part of the paper writing process a little easier. The following websites streamline it a great deal. Of course, you are still going to have to do a little work, but these websites will help you learn how to cite sources in the quickest way possible.

For my amusement...
Google has released the latest version of its MOOC software Course Builder. New features include a WYSIWYG question editor (so you don’t need to use Javascript to build a course).
… Textbook publisher Cengage Learning has filed for bankruptcy. The New York Times has the Chapter 11 filing for your perusal. [Even charging those outrageous textbook prices? Bob]

See what happens when you practice what you love?
Sleepy Man Banjo Boys: Bluegrass virtuosity from ... New Jersey?

Friday, July 05, 2013

Quelle surprise!

Angelique Chrisafis reports:
France runs a vast electronic surveillance operation, intercepting and stocking data from citizens’ phone and internet activity, using similar methods to the US National Security Agency’s Prism programme exposed by Edward Snowden, Le Monde has reported.
An investigation by the French daily found that the DGSE, France’s external intelligence agency, had spied on the French public’s phone calls, emails and internet activity.
Read more on The Guardian.

Apparently when the FBI could not find the person who sent the first anthrax letters, someone said, “Do whatever it takes” and cost/benefit analysis was tossed out the window. Is this why the Post Office is going bankrupt?
NYT- Postal Service Is Watching, Too: Outside of All Mail Is Recorded
“Postal Service Is Watching, Too: Outside of All Mail Is Recorded,” by Ron Nixon: “Under the Mail Isolation Control and Tracking program… Postal Service computers photograph the exterior of every piece of paper mail that is processed in the United States – about 160 billion pieces last year. It is not known how long the government saves the images… The Mail Isolation Control and Tracking program was created after the anthrax attacks in late 2001 that killed five people, including two postal workers. Highly secret, it seeped into public view last month when the F.B.I. cited it in its investigation of ricin-laced letters sent to President Obama and Mayor Michael R. Bloomberg. It enables the Postal Service to retrace the path of mail at the request of law enforcement… Law enforcement officials need warrants to open the mail… “In the past, mail covers were used when you had a reason to suspect someone of a crime,” said Mark D. Rasch, who started a computer crimes unit in the fraud section of the criminal division of the Justice Department and worked on several fraud cases using mail covers. “Now it seems to be, ‘Let’s record everyone’s mail so in the future we might go back and see who you were communicating with.’ Essentially you’ve added mail covers on millions of Americans.”

Interesting. Not only use the company's computers for private browsing but store personal data on them as well. How difficult would it be to store your private stuff on a thumb drive?
Larry Page of Davis LLP discusses a case in which an employee was fired for cause for snooping/improper accessing of a file:
In a recent decision of the British Columbia Supreme Court, the Court upheld the termination for cause of a help desk analyst in the IT department who had been employed for over 20 years at Coast Capital Savings Credit Union. (Steel v. Coast Capital Savings Credit Union, 2013 BCSC 527)
Employees at Coast were permitted to have a personal folder in which they would keep confidential business documents. Under the privacy policy at Coast, the files in the personal folder could only be read or edited by the employee who had the folder. Help desk employees were allowed to access personal folders but could only do so to resolve a technical problem and only if the employee who had the personal folder first gave permission to the help desk to access the folder.
Read more about the case on Mondaq.

What, you thought Texas had a sense of humor?
… In the state of Texas, a 19-year-old man named Justin Carter sits in prison, ruthlessly stripped of his freedom for making an offensive joke. After a Facebook friend with whom he played video games described him as “crazy” and “messed up in the head,” Carter replied — sarcastically, one imagines — “Oh yeah, I’m real messed up in the head, I’m going to go shoot up a school full of kids and eat their still, beating hearts.” He added “lol” and “jk” for good measure. For this he was arrested by Austin police, charged with making a “terroristic threat,” and thrown into prison. He may languish there until the start of the next decade.

So the settlement was, “Fix it and try not to do it again?” Wow, harsh!
Following a public comment period, the Federal Trade Commission has approved a final order settling charges that HTC America Inc. failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk.
The settlement with HTC America, announced by the FTC in February 2013, requires the company to develop and release software patches to fix vulnerabilities in millions of the company’s devices. The company is also required to establish a comprehensive security program designed to address security risks during the development of HTC devices and to undergo independent security assessments every other year for the next 20 years.
In addition, the settlement prohibits HTC America from making any false or misleading statements about the security and privacy of consumers’ data on HTC devices. Violations of the consent order may be subject to civil penalties of up to $16,000 per violation.
The Commission vote approving the final order and letters to members of the public who commented on it was 3-0-1, with Commissioner Ohlhausen recused. (FTC File No. 122-3049; the staff contact is Nithan Sannappa, Bureau of Consumer Protection, 202-326-3185.)
SOURCE: FTC. Case documents are available on their site, here.

Each service must have a policy for each country and they must be up to date.
An ICO spokesperson said:
“We have today written to Google to confirm our findings relating to the update of the company’s privacy policy. In our letter we confirm that its updated privacy policy raises serious questions about its compliance with the UK Data Protection Act.
“In particular, we believe that the updated policy does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products.
“Google must now amend their privacy policy to make it more informative for individual service users. Failure to take the necessary action to improve the policy’s compliance with the Data Protection Act by 20 September will leave the company open to the possibility of formal enforcement action.”
Read the full press release on the ICO’s site.

I posted this back on June 18th, but their website was screwed up until yesterday. If you want one of these, now you can actually order one.
Get a Kobo Mini e-reader for $39.99

Dilbert points out one minor risk when using the Cloud.

Thursday, July 04, 2013

Clearly there is a class of lawyers who love class actions.

David F. McDowell, D. Reed Freeman Jr., and Jacob M. Harper, Morrison & Foerster LLP write:
While we have seen a new wave of privacy class actions, the issues facing the federal courts are the same: how to reconcile an inarticulable discomfort with data methods asserted in privacy class actions with their constitutional mandate to address only plaintiffs with standing: the requirement that courts remedy only “concrete” and “particularized” injuries.
This article addresses how federal courts are dealing with notions of privacy harm in the online tracking context. While courts have historically told privacy plaintiffs to seek redress elsewhere—Congress, agencies, the states—district judges have been increasingly open to new notions of harm that allow them, rather than other government bodies, to address the growing but amorphous conception that something about the way their gadgets work does not feel right. The U.S. Supreme Court’s recent decision in Clapper v. Amnesty Int’l USA, which held that fear of injury in context of government surveillance does not constitute a cognizable injury, may cause those courts to reverse once again and dismiss such suits.
Read their review and discussion on Bloomberg Law.

If the RIAA/MPAA “Voice of Doom” is correct, they will be out of business by the end of the week.
Walking Dead publisher drops DRM
The publisher of the Walking Dead, Saga, Witchblade, and the Savage Dragon announced on Tuesday that it's closing the book on digital rights management. New books from Image Comics are now available for digital download from its online store without DRM.
Readers can purchase new books in several platform-agnostic formats: PDF, EPUB, CBR, and CBZ. Previous publishing agreements haven't changed, so people who prefer to buy from proprietary apps such as Comixology, Amazon, and Apple will still be able to do so.
Ron Richards, Image Comics' marketing honcho, told the comics news site ComicBookResources that the DRM-free books would benefit comics creators the most. "There's no cut for Comixology or Apple or any other piece getting taken out," he said. "Ideally for a creator, sales through the Image Web site gets them the most money per sale."

For all my students: Being able to touch type makes everything else easier...
I’ve found a Chrome typing extension that makes the progression feel easier and more natural. It’s called Type Fu.
… Type Fu has a feature called auto-adjust difficulty level, which analyzes your performance over the course of multiple type lessons and automatically graduates you to the next level when you meet the criteria. These criteria are based on words-per-minute and typing accuracy.
You can always view your progress with speed charts, accuracy charts, as well as most typed keys and most mistyped keys charts.
… I’m having a blast with Type Fu and it’s the best free typing tutor that I’ve encountered.

New Shakespeare discovered! For the intellectual improvement of my students. I already have this one on hold at my local library.
William Shakespeare's Star Wars
Need I say more?

Wednesday, July 03, 2013

Interesting contract twist.

As I’ve noted before, the Vendini breach, reported previously on this blog, appears to be fairly large, but has generally flown under national mainstream media attention. Instead, I see bits and pieces in local media or on organizations’ web sites as entities report that their patrons or members were affected (cf, reports involving Purple Rose Theatre, Baldwin Theatre, Stagecrafters, The Farmington Players, Lexington Children’s Theatre, Caterpillar Visitors Center, Touchstone Theatre, Cedar Crest College, Lehigh Valley Charter High School for the Arts, Valdosta State University, East Central College (notice), Asheville Community Theatre, St. Louis Classical Guitar Society, Winchester Little Theatre, Thalian Hall, Butler University, Wildey Theatre, Pacific Aviation Museum, The Arts & Science Center for Southeast Arkansas, Wartburg College, Oregon University System (Southern Oregon University Foundation, Western Oregon University, and Oregon State University), The Friends of Chamber Music (cached), and University of Michigan). And there are undoubtedly more that are not listed above.
Vendini’s reports to New Hampshire and California are available online, but I recently sent a FOI request to North Carolina, which requires entities to report breaches to the state.
In response, they sent me the breach notifications they’ve received so far, which I am uploading here:
Butler University – 411 affected
Asheville Community Theatre – approximately 20,000 North Carolina residents affected
Kirby Cultural Arts Complex – 147 affected
Central Piedmont Community College – approximately 12,000 affected
South Orange Performing Arts Center – 6,619 affected
Thalian (part 1), part 2 – 6,000 affected
Why Vendini is allowing this to dribble out instead of just being more upfront about the numbers involved escapes me. But significantly, a number of their clients were unpleasantly surprised to discover that their contracts with Vendini did not require Vendini to make the patron notifications and that it was on them to do so. [Surely someone read the contract before signing? Bob] This serves as a useful reminder to check your contracts to ensure that if a vendor or contractor has a breach, they are responsible for notifying your customers or paying for you to do so.
Update to the update: I’ll just add other organizations as I come across them:

A “don't hire these people” database?
Gov. Jay Nixon vetoed a workers’ compensation bill on Tuesday that he said would have “invaded Missourians’ privacy, required creation of new government database.”
The rhetoric came in the midst of a battle between Nixon and a Republican-led opposition critical of his administration’s Department of Revenue’s former practice of scanning personal documents, where Republicans accused Nixon of doing essentially the same thing.
The bill, Senate Bill 34 which was sponsored by Sen. Mike Cunningham, would have called on the government to establish a database of all Missouri workers who have filed for workers’ compensation claims for on the job injuries. The database would have been accessible to Missouri employers.
Read more on PoliticMo.

This is a bit aggressive, isn't it? Is it an act of war? Isn't it like invading an embassy? Would we do that to Putin's plane?
Bolivia angered by search of president's plane, no sign of Snowden
VIENNA (Reuters) - Bolivia accused Austria of an act of aggression by searching President Evo Morales' plane on Wednesday and blamed Washington for its forced landing in Vienna over suspicions that former U.S. spy agency contractor Edward Snowden was on board.
Morales' plane was stranded at Vienna airport for several hours after Portugal and France abruptly canceled air permits for it to fly through their airspace, but eventually resumed its flight home from an energy meeting in Moscow.

CRS – Criminal Prohibitions on the Publication of Classified Defense Information
Criminal Prohibitions on the Publication of Classified Defense Information – Jennifer K. Elsea, Legislative Attorney, June 24, 2013
“The publication of classified information related to National Security Agency (NSA) surveillance activity is the latest in a series of leaks to the press that has riveted Congress’s attention. Press reports describing classified U.S. operations abroad have led to calls from Congress for an investigation into the source of the leaks, and Attorney General Holder appointed two special prosecutors to look into the matter. The online publication of classified defense documents and diplomatic cables by the organization WikiLeaks and subsequent reporting by the New York Times and other news media had already focused attention on whether such publication violates U.S. criminal law. The suspected source of the WikiLeaks material, Army Private Bradley Manning, has been charged with a number of offenses under the Uniform Code of Military Justice (UCMJ), including aiding the enemy, while a grand jury in Virginia is deciding whether to indict any civilians in connection with the disclosure. A number of other cases involving charges under the Espionage Act, including efforts to extradite Edward Snowden in connection with the leak of NSA documents pertaining to certain surveillance programs, demonstrate the Obama Administration’s relatively hardline policy with respect to the prosecution of persons suspected of leaking classified information to the media. This report identifies some criminal statutes that may apply to the publication of classified defense information, noting that these have been used almost exclusively to prosecute individuals with access to classified information (and a corresponding obligation to protect it) who make it available to foreign agents, or to foreign agents who obtain classified information unlawfully while present in the United States.”

As long as we're talking about surveillance... This expands on my “We can, therefore we must!” meme.
Commentary – Technology, Not Law, Limits Mass Surveillance
“Recent revelations about the extent of surveillance by the U.S. National Security Agency come as no surprise to those with a technical background in the workings of digital communications. The leaked documents show how the NSA has taken advantage of the increased use of digital communications and cloud services, coupled with outdated privacy laws, to expand and streamline their surveillance programs. This is a predictable response to the shrinking cost and growing efficiency of surveillance brought about by new technology. The extent to which technology has reduced the time and cost necessary to conduct surveillance should play an important role in our national discussion of this issue. The American public previously, maybe unknowingly, relied on technical and financial barriers to protect them from large-scale surveillance by the government. These implicit protections have quickly eroded in recent years as technology industry advances have reached intelligence agencies, and digital communications technology has spread through society. As a result, we now have to replace these “naturally occurring” boundaries and refactor the law to protect our privacy. The ways in which we interact have drastically changed over the past decade. The majority of our communications are now delivered and stored by third-party services and cloud providers. E-mail, documents, phone calls, and chats all go through Internet companies such as Google, Facebook, Skype, or wireless carriers like Verizon, AT&T, or Sprint. And while distributed in nature, the physical infrastructure underlying the World Wide Web relies on key chokepoints which the government can monitor, and is monitoring. This makes surveillance much easier because the NSA only needs to establish relationships with a few critical companies to capture the majority of the market they want to observe with few legal restrictions.
The NSA has the capability to observe hundreds of millions of people communicating using these services with relatively little effort and cost.

Who expects the government to be smarter on social media than they are on foreign policy?
State Department bureau spent $630,000 on Facebook 'likes'
State Department officials spent $630,000 to get more Facebook "likes," prompting employees to complain to a government watchdog that the bureau was "buying fans" in social media, the agency's inspector general says.
… "Many in the bureau criticize the advertising campaigns as 'buying fans' who may have once clicked on an ad or 'liked' a photo but have no real interest in the topic and have never engaged further," the inspector general reported.
… Despite the surge in likes, the IG said the effort failed to reach the bureau's target audience … Only about 2 percent of fans actually engage with the pages by liking, sharing or commenting.

For my Data Analysis students. Read free online...
Report – Frontiers in Massive Data Analysis
“From Facebook to Google searches to bookmarking a webpage in our browsers, today’s society has become one with an enormous amount of data. Some internet-based companies such as Yahoo! are even storing exabytes (10 to the 18 bytes) of data. Like these companies and the rest of the world, scientific communities are also generating large amounts of data-—mostly terabytes and in some cases near petabytes—from experiments, observations, and numerical simulation. However, the scientific community, along with defense enterprise, has been a leader in generating and using large data sets for many years. The issue that arises with this new type of large data is how to handle it—this includes sharing the data, enabling data security, working with different data formats and structures, dealing with the highly distributed data sources, and more. Frontiers in Massive Data Analysis presents the Committee on the Analysis of Massive Data’s work to make sense of the current state of data analysis for mining of massive sets of data, to identify gaps in the current practice and to develop methods to fill these gaps. The committee thus examines the frontiers of research that is enabling the analysis of massive data which includes data representation and methods for including humans in the data-analysis loop. The report includes the committee’s recommendations, details concerning types of data that build into massive data, and information on the seven computational giants of massive data analysis.”