Saturday, October 26, 2013

Ah the joys of social engineering... This is slower than computerized schemes, but still $3,000 per hour beats minimum wage.
Thieves impersonate Western Union workers, steal money
Western Union is one of the easiest ways to get money and for some crooks one of the easiest ways to steal it.
… Police say the suspects called the store and pretended to work for Western Union and at that point got them to perform a test.
"They call the store ask to speak to the customer service rep that's working the counter where Western Union is and tell them to run a test...and the test is actually sending money instead of running a test," said Charlotte-Mecklenburg Police Fraud Investigator Kevin Jones.
The con artists managed to steal more than 3 thousand dollars from the store; it involved 3 separate transactions and took about 50 minutes.
… Police say it’s the first time they have seen this kind of scam in Charlotte, they are worried it may spread and want employees to be careful.
"Make sure you're following store protocols. If you think something is not right, check with your store manager; call Western Union yourself," said Jones, who thinks the suspects may be from out of the country.
“It could be Nigeria, it could be Canadians, it could be the U.K. it could be someone here in the United States.”
Woody works in a mom-and-pop type store; he says this type of scam could be devastating.

Also thought to involve social engineering, well phishing... Would have required quick work after the funds had been transferred.
eSecurity Planet just made me aware of a breach disclosed earlier this week:
Posted by the Michigan State University Police on October 20:
On Friday, October 18, two employees reported receiving email confirmation of a change in their direct-deposit designation. Police say that valid credentials (MSU NetID and password) were used by a perpetrator to modify the employees’ banking information on the EBS HR/Payroll (SAP) system. It is believed that the perpetrator gained access to the credentials through a sophisticated “phishing” attack.
There is no indication of a system-wide security breach or exposure of other employee data. As a precaution, the EBS systems were taken offline late Friday afternoon; it is anticipated that the systems will be back online Monday morning at 7:00am.
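Payroll-diversion fraud of this kind leaves a pattern in the HR system's audit trail that can be checked automatically, whatever the phish looked like. The following is an added example, not code from MSU or from the EBS/SAP system, run over a constructed audit trail whose format (tab-separated timestamp, user, event, source address, optional key=value detail) is an assumption. It flags direct-deposit changes made from a network the employee has not used before, and several employees steering pay to the same destination account within a week.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed audit trail (not real MSU data): "timestamp user event src_ip [key=value]".
# The change on the 17th comes from a network the employee has used for days; the two
# changes on the 18th come from a first-time address and name the same destination.
SAMPLE_LOG = """\
2013-10-01T08:02:11\tjsmith\tlogin\t35.9.40.12
2013-10-02T08:15:40\tkadams\tlogin\t35.9.41.7
2013-10-15T09:30:02\tmlee\tlogin\t35.9.40.88
2013-10-17T09:31:50\tmlee\tbank_change\t35.9.40.88\tacct=tok_9b1c
2013-10-18T13:02:05\tjsmith\tlogin\t198.51.100.23
2013-10-18T13:03:41\tjsmith\tbank_change\t198.51.100.23\tacct=tok_ab77
2013-10-18T13:20:12\tkadams\tlogin\t198.51.100.23
2013-10-18T13:21:03\tkadams\tbank_change\t198.51.100.23\tacct=tok_ab77
"""


def parse_events(text):
    """Turn the tab-separated trail into dicts; the /24 stands in for 'same network'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, src, *extra = line.split("\t")
        detail = dict(kv.split("=", 1) for kv in extra)
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "event": event,
                       "src": src, "net": ipaddress.ip_network(src + "/24", strict=False),
                       **detail})
    return events


def detect_payroll_diversion(events, established_after=timedelta(hours=24),
                             window=timedelta(days=7), min_users=2):
    """Return alert dicts in event order.

    Rule 1 (new_network): the bank change comes from a network whose first login by
    this user is younger than established_after, so a phished credential used from
    the attacker's own machine minutes earlier does not make that network trusted.
    Rule 2 (shared_destination): at least min_users employees pointed their pay at the
    same account within window, the usual sign of one actor behind several accounts.
    """
    alerts = []
    first_seen = defaultdict(dict)     # user -> {network: first login time}
    by_account = defaultdict(list)     # destination account -> [(time, user)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts, net = ev["user"], ev["ts"], ev["net"]
        if ev["event"] == "login":
            first_seen[user].setdefault(net, ts)
            continue
        if ev["event"] != "bank_change":
            continue
        seen = first_seen[user].get(net)
        if seen is None or ts - seen < established_after:
            alerts.append({"rule": "new_network", "ts": ts.isoformat(),
                           "user": user, "src": ev["src"]})
        acct = ev.get("acct", "unknown")
        by_account[acct].append((ts, user))
        users = sorted({u for t, u in by_account[acct] if ts - t <= window})
        if len(users) >= min_users:
            alerts.append({"rule": "shared_destination", "ts": ts.isoformat(),
                           "acct": acct, "users": users})
    return alerts


if __name__ == "__main__":
    for alert in detect_payroll_diversion(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample trail the 17th change passes and the two 18th changes raise three alerts: one new_network alert per employee and one shared_destination alert once the second employee lands on the same account. The 24-hour grace period is the important knob; without it, the attacker's login seconds before the change would whitelist the attacker's own network.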

In some restrictive areas, this is going to be a real concern. Will downloading a template become illegal (or grounds for a visit by the local gun cops)? Can I print a 1/10th scale model of a Gatling gun without worrying about black helicopters at 3AM?
Suspected 3D-printed gun found in Manchester gang raid, say police
Police have seized components for what could be the UK's first ever 3D-printed gun in what they called a "really significant discovery".
Greater Manchester police said they believed the parts represented the next generation of firearms, which could be created by gangs in the privacy of their homes and smuggled with ease because they could avoid X-ray detection.
The gun parts were discovered, along with a 3D printer, when officers executed warrants in the Baguley area of the city on Thursday.
Officers found what were thought to be a plastic magazine and trigger which could be fitted together to make a viable gun. They said the haul also included a quantity of gunpowder.
The raid was part of Challenger, the largest ever multi-agency operation to target organised crime in Manchester.
There have been suggestions on some websites that the parts were not gun components but printer parts – a spool holder and a drive block. Police said they were still concerned about the finding because they suspected the parts may have other uses.
A police spokesperson said: "We are aware of this suggestion, and it would be easier if it was cut and dried as to what these items are. But when you take it as a whole, including the discovery of gunpowder, it is disturbing."
A man has been arrested on suspicion of making gunpowder [Not a 3D printer item Bob] and remains in custody for questioning.

Hello. We're your elected representatives. We don't need no stinking intelligence!
Mike Masnick writes:
We already knew that Rep. Jim Sensenbrenner was getting ready to release a major new anti-NSA spying bill called the USA Freedom Act, and Derek Khanna has just revealed many of the details of the bill, scheduled to be introduced in both houses of Congress this coming Tuesday. It will be backed by Sensenbrenner in the House and Pat Leahy in the Senate, and will have plenty of co-sponsors (already about 50 have signed up) including some who had initially voted against the Amash Amendment back in July. In other words, this bill has a very high likelihood of actually passing, though I imagine that the intelligence community, and potentially the White House, will push back on it. For Congress, gathering up a veto-proof majority may be a more difficult task.
The bill appears to do a number of good things, focusing on limiting the NSA’s ability to do dragnet collections, rather than specific and targeted data collection, while also significantly increasing transparency of the activities of the NSA as well as the FISA court when it comes to rulings that interpret the law.
Read more about what the bill includes on TechDirt.

If my mission were to gather intelligence, any time I spent defending my tools and techniques would essentially be a waste of my time.
James Ball reports:
The UK intelligence agency GCHQ has repeatedly warned it fears a “damaging public debate” on the scale of its activities because it could lead to legal challenges against its mass-surveillance programmes, classified internal documents reveal.
Memos contained in the cache disclosed by the US whistleblower Edward Snowden detail the agency’s long fight against making intercept evidence admissible as evidence in criminal trials – a policy supported by all three major political parties, but ultimately defeated by the UK’s intelligence community.
Read more on The Guardian.

I'm sure it sounded good when Marketing pitched it...
Tori Floyd reports:
A new feature for LinkedIn users has been unveiled, but it’s drawing more questions over privacy rather than praise for ingenuity.
LinkedIn announced Intro on October 23, a service that shows your LinkedIn profile on emails sent through your iPhone Mail application. In the blog post about the new tool, the company explains that users will be able to see at a glance who an unknown email sender is with a brief bio and link to their LinkedIn account, right in the email client.
But security experts have expressed concern over the new feature, as it requires all of your email to be filtered through LinkedIn’s computers.
Read more on Yahoo!

Yeah, this Snowden thing is a real pain in the butt. Fortunately, everyone who never considered how intelligence was gathered before Snowden will soon forget Snowden and go back to their “Professional” Wrestling shows.
Mark Clayton reports:
A public backlash against reported US surveillance activities in France, Germany, and Italy could lead to tough new laws that put American technology companies in the tough spot of being forced to defy either US authorities or the European Union.
Read more on CSMonitor.

Ends the high speed chase, records the bad guy's illegal driving, lets as many cops as desired zero in on the car once it stops? I like it. Now we need something for runners!
Police firing GPS tracking 'bullets' at cars during chases
… Police in Iowa and Florida, however, seem to have taken the counsel of Q from the "Bond" movies.
Instead of constantly hurtling after potential madmen, they have found an entirely new method of tracking their cars.
It's called Starchase. Essentially, it's a cannon that fires "bullets" that are sticky GPS devices.
CBS 12 offered an example in real life of how it's done.

Perhaps some lawyers will learn technology after all... This may also be a way to “push” research in almost real time.
140 Characters or Less: An Experiment in Legal Research, Patrick M. Ellis - Michigan State University College of Law - October 1, 2013
In 1995, Robert Ambrogi, former columnist for Legal Technology News, wrote about the Internet’s potential to revolutionize the accessibility and delivery of legal information. Almost 20 years later, Ambrogi now describes his initial optimism as a “pipe dream.” Perhaps one of the greatest problems facing the legal industry today is the sheer inaccessibility of legal information. Not only does this inaccessibility prevent millions of Americans from obtaining reliable legal information, but it also prevents many attorneys from adequately providing legal services to their clients. Whether locked behind government paywalls or corporate cash registers, legal information is simply not efficiently and affordably attainable through traditional means. There may, however, be an answer. Although the legal industry appears to just be warming up to social media for marketing purposes, social media platforms, like Twitter, may have the untapped potential to help solve the accessibility problem. This Note attempts to prove that assertion by showing an iteration of social media’s potential alternative use, as an effective and free information sharing mechanism for legal professionals and the communities and clients they serve. Generally speaking, law review editors and other academicians demand that authors support every claim with a citation, or, at the very least, require extensive research to support claims or theses. This Note seeks to fulfill this requirement, with a variation on conventional legal scholarship. Almost all of the sources in this Note were obtained via Twitter. Thus, this somewhat experimental piece should demonstrate social media’s potential as an emerging and legitimate source of legal information. By perceiving and using social media as something more than a marketing tool, lawyers, law schools, and, most importantly, clients, may be able to tap into a more diverse and more accessible well of information. 
This redistribution of information accessibility may not only solve some of the problems facing the legal industry, but also has the capability to improve society at large.

I knew we should have moved faster, now the cable guys are horning in...
DirecTV, Time Warner consider Aereo-like service, report says
TV providers DirecTV, Time Warner Cable, and Charter Communications are thinking about capturing free broadcast signals and streaming TV shows over the Internet to get around paying networks, Bloomberg reported Friday.
The new approach would mimic Aereo, an online TV provider at the center of a huge legal battle with the nation's top broadcast networks (including CBS, CNET's parent company). Aereo uses tiny antennas to allow consumers to stream live and local broadcasts over the Internet and store shows in the cloud.
Aereo has been fairly successful in the courtroom so far. If it wins in the end, it could mean TV providers can use the same practice to avoid paying retransmission fees, unnamed sources told Bloomberg. One source goes so far as to say that Time Warner Cable, which has been at odds with CBS over fees, has considered buying Aereo.

Think of it as an anti-phishing tool.
– Automatically highlights North American telephone numbers on websites, showing the location (city and state) when you hover over the phone number, based on the area code and exchange. To find out where the phone number is located, you just hover the mouse over the phone number, and it will start a lookup of the location of the phone number.

The education game gets more complex. 107 schools.
Get More Learning Options As 13 New Institutions Join Coursera
… Coursera makes up a large part of the online learning universe. The numbers seem to suggest that it is leading the pack. To add to their ranks, 13 new institutions have signed up to bring the number of international institutions using its platform to deliver online courses to 107. Coursera also reached the milestone of 5 million students enrolled and now offers them more than 500 courses to choose from.
… To commemorate this triple achievement, Coursera released an infographic on its blog which gives you a bird’s eye view of the educational offerings on the website.

Friday, October 25, 2013

Is this really the best we can do?
Kavita Kumar reports:
Schnuck Markets has agreed to a proposed class-action settlement stemming from the breach of its computer systems in which an estimated 2.4 million payment cards were compromised.
The preliminary settlement was presented to St. Louis Circuit Judge David Dowd on Wednesday afternoon. He is expected to rule on it in the coming weeks.
He also is considering a motion to intervene in the case by a lawyer pursuing one of the related federal lawsuits still pending. The lawyer, Matt Armstrong, argued at the court hearing that the proposed settlement may not be a good deal for consumers.
Read more on St. Louis Post-Dispatch. This proposed settlement sounds like a much better deal than most customers usually get in one of these lawsuits as it includes reimbursement (at $10/hour) for up to three hours for time spent dealing with the breach, reimbursement for bank fees, late fees, etc., and instances of identity theft loss. Overall, reimbursing customers $10 per customer doesn’t sound great, but it is better than what we usually see.

A “Meta-Hack” for my Ethical Hackers. Hack a provider's system, let them install the malware as part of their “Trusted” service.
Dan Goodin reports:
Maintainers of the open-source PHP programming language have locked down the website after discovering two of its servers were hacked to host malicious code designed to surreptitiously install malware on visitors’ computers.
The compromise was discovered Thursday morning by Google’s safe browsing service, which helps the Chrome, Firefox, and Safari browsers automatically block sites that serve drive-by exploits.
Read more on Ars Technica.

(Related) Government systems are good to hack. They are easily compromised and no one seems to care.
Dana Liebelson reports:
With HealthCare.gov plagued by technical difficulties, the Obama administration is bringing in heavyweight coders and private companies like Verizon to fix the federal health exchange, pronto. But web security experts say the Obamacare tech team should add another pressing cyber issue to its to-do list: eliminating a security flaw that could make sensitive user information, including Social Security numbers, vulnerable to hackers.
According to several online security experts, HealthCare.gov, the portal where consumers in 35 states are being directed to obtain affordable health coverage, has a coding problem that could allow hackers to deploy a technique called ”clickjacking,” where invisible links are planted on a legitimate web page.
Read more on Mother Jones.
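Clickjacking only works if the attacker's page can load the target in an iframe, so the first thing to check on any such report is whether the target's responses forbid framing. The following is an added example, not code from Mother Jones, from the experts quoted, or from HealthCare.gov itself; the header sets are constructed, and the matching of CSP frame-ancestors sources is simplified (ports and paths are ignored). It reproduces the browser rule that a CSP frame-ancestors directive overrides X-Frame-Options, and treats ALLOW-FROM as unenforced, since current browsers ignore it.

```python
from urllib.parse import urlsplit


def _header(headers, name):
    """Case-insensitive lookup of one response header."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def _origin(url):
    """scheme://host[:port], lower-cased, which is what framing policy compares."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _source_matches(source, page_origin, embedder_origin):
    """Match one frame-ancestors source expression (simplified: no ports, no paths)."""
    s = source.lower()
    if s == "'self'":
        return embedder_origin == page_origin
    if s == "*":
        return True
    if s.endswith(":") and "/" not in s:          # scheme-source such as https:
        return embedder_origin.startswith(s)
    if "://" not in s:                            # host-source, inherits page scheme
        s = f"{urlsplit(page_origin).scheme}://{s}"
    scheme, _, host = s.partition("://")
    if host.startswith("*."):                     # wildcard subdomain
        return embedder_origin.startswith(scheme + "://") and \
            urlsplit(embedder_origin).hostname.endswith(host[1:])
    return embedder_origin == s


def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if the CSP lacks one."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_verdict(headers, page_url, embedder_url):
    """Return (frameable, reason) for embedder_url putting page_url in an iframe.

    A CSP frame-ancestors directive, when present, overrides X-Frame-Options, as
    browsers do; otherwise X-Frame-Options decides; with neither, anyone may frame.
    """
    page, embedder = _origin(page_url), _origin(embedder_url)
    csp = _header(headers, "Content-Security-Policy")
    sources = frame_ancestors(csp) if csp else None
    if sources is not None:
        if not sources or "'none'" in [s.lower() for s in sources]:
            return False, "CSP frame-ancestors 'none'"
        if any(_source_matches(s, page, embedder) for s in sources):
            return True, f"CSP frame-ancestors admits {embedder}"
        return False, f"CSP frame-ancestors excludes {embedder}"
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return True, "no X-Frame-Options and no CSP frame-ancestors"
    value = xfo.upper()
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        if embedder == page:
            return True, "X-Frame-Options: SAMEORIGIN, same-origin embedder"
        return False, "X-Frame-Options: SAMEORIGIN, cross-origin embedder"
    # ALLOW-FROM, ALLOWALL and typos: current browsers do not enforce these values,
    # so the page is as frameable as if the header were missing.
    return True, f"X-Frame-Options value {xfo!r} is not enforced by current browsers"


# Constructed header sets: what a frameable page ships with, beside the pair of
# headers a reviewer would ask for (X-Frame-Options for old browsers, CSP for new).
VULNERABLE = {"Content-Type": "text/html; charset=utf-8"}
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, framing_verdict(hdrs, "https://portal.example", "https://attacker.example"))
```

The HARDENED set carries both headers on purpose: X-Frame-Options for older browsers, frame-ancestors for current ones. JavaScript frame-busting on its own is bypassable and is deliberately not counted as protection here.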

California will surely “fix” this.
Paul Paray comments on the recent ruling in California involving statutory damages under the CMIA in the event of a breach:
Insurers providing privacy liability coverage were collectively breathing a sigh of relief last week given a decision from the California Court of Appeals. Interpreting the California Medical Information Act (CMIA), the court in Regents of the Univ. of Cal. v. Superior Court of Los Angeles County, No. B249148 (Cal. Ct. App. October 15, 2013) significantly limited the ability of plaintiffs to obtain nominal statutory damages of $1,000 per patient under CMIA. For the past several years, CMIA was pretty much the best game in town when it came to statutory damages involving a data breach. Although enacted in 2008, CMIA was only over the past several years successfully used by plaintiffs’ counsel to obtain settlements previously unattainable post-breach. The CMIA “statutory damages” bonanza reaped by class counsel was significant – the prospect of such damages allowed counsel to overcome Article III and other “lack of injury” arguments, potentially allowed for class certification even with an otherwise uneven plaintiff pool, and created an early incentive to settle on the part of a defendant – and its insurer – given the potential size of an award.
It is no surprise CMIA was the bane of a good number of network security and privacy insurers – it led to significant settlements that would not have otherwise occurred. The Regents decision is noteworthy given it was the first appellate court to decide the availability of CMIA statutory damages and rejected the notion that mere negligence coupled with disclosure could trigger statutory damages. This is a significant departure from how the law was interpreted by the lower courts and instantly dried up a good part of the statutory damages manna drunk by the plaintiffs’ bar.
Read more on InformationLawGroup.

Let me redundantly reiterate my repetition: The NSA listens to EVERYTHING, which part of everything do you not understand?

Actually, it goes back much further than this...

Is this similar to the Hawthorne Effect? Any attention you pay to employees improves productivity? (Since the object of the monitoring, reducing theft, didn't pan out.)
In Praise of Electronically Monitoring Employees

Are secure communications business models illegal?
EFF has filed this amicus brief (pdf) in support of Lavabit. Here is their press release on it:
Federal law enforcement officers compromised the backbone of the Internet and violated the Fourth Amendment when they demanded private encryption keys from the email provider Lavabit, the Electronic Frontier Foundation (EFF) argues in a brief submitted yesterday afternoon to the US Court of Appeals for the Fourth Circuit. In the amicus brief, EFF asks the panel to overturn a contempt-of-court finding against Lavabit and its owner Ladar Levison for resisting a government subpoena and search warrant that would have put the private communications and data of Lavabit’s 400,000 customers at risk of exposure to the government.
For nearly two decades, secure Internet communication has relied on HTTPS, an encryption system in which there are two keys: A public key that anyone can use to encrypt communications to a service provider, and a private key that only the service provider can use to decrypt the messages.
In July, the Department of Justice demanded Lavabit’s private key—first with a subpoena, then with a search warrant. Although the government was investigating a single user, having access to the private key means the government would have the power to read all of Lavabit’s customers’ communications. The target of the investigation has not been named, but journalists have noted that the requests came shortly after reports that NSA whistleblower Edward Snowden used a Lavabit email account to communicate.
“Obtaining a warrant for a service’s private key is no different than obtaining a warrant to search all the houses in a city to find the papers of one suspect,” EFF Senior Staff Attorney Jennifer Lynch said. “This case represents an unprecedented use of subpoena power, with the government claiming it can compel a disclosure that would, in one fell swoop, expose the communications of every single one of Lavabit’s users to government scrutiny.”
EFF’s concerns reach beyond this individual case, since the integrity of HTTPS is employed almost universally over the Internet, including in commercial, medical and financial transactions.
“When a private key has been discovered or disclosed to another party, all users’ past and future communications are compromised,” EFF Staff Technologist Dan Auerbach said. “If this was Facebook’s private key, having it would mean unfettered access to the personal information of 20 percent of the earth’s population. A private key not only protects communications on a given service; it also protects passwords, credit card information and a user’s search engine query terms.”
Initially, Levison resisted the government request. In response, a district court found Lavabit in contempt of court and levied a $5,000-per-day fine until the company complied. After Levison was forced to turn over Lavabit’s key, the certificate authority GoDaddy revoked the key per standard protocol, rendering the secure site effectively unavailable to users.
Since Lavabit’s business model is founded in protecting privacy, Levison shut down the service when it no longer could guarantee security to its customers.
“The government’s request to Lavabit not only disrupts the security model on which the Internet depends, but also violates our Constitutional protections against unreasonable searches and seizures,” EFF Staff Attorney Hanni Fakhoury said. “By effectively destroying Lavabit’s legitimate business model when it complied with the subpoena, the action was unreasonably burdensome and violated the Fourth Amendment.”
The deadline for the government’s response brief is Nov. 12, 2013.
I’m proud to say I’m a member of EFF. And if you value their advocacy for privacy and civil liberties, why don’t you, too, throw them some money to support their work? DONATE.
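EFF's point that a disclosed private key compromises "all users' past and future communications" holds for HTTPS sessions negotiated with RSA key transport; it does not hold for sessions that used an ephemeral Diffie-Hellman exchange signed by that key, where the key only buys future impersonation. The following added example, not EFF's or Lavabit's code, shows both cases with toy-sized textbook RSA (no padding) and a toy DH group generated in-line; real TLS adds padding, fixed groups or curves and a proper key schedule, none of which changes the distinction.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin; enough for toy parameters."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n):
            return n

def rsa_keygen(bits=256):
    """Toy textbook RSA: returns public (n, e) and private (n, d)."""
    e = 65537
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:      # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def kdf(secret):
    """Session key (or hash to sign) derived from an integer secret."""
    return hashlib.sha256(secret.to_bytes((secret.bit_length() + 7) // 8, "big")).digest()

def rsa_transport_session(server_pub):
    """RSA key transport: the premaster travels encrypted to the server's long-term key.
    Returns the transcript an eavesdropper records and the session key both ends derive."""
    n, e = server_pub
    premaster = secrets.randbelow(n - 2) + 2
    return {"encrypted_premaster": pow(premaster, e, n)}, kdf(premaster)

def rsa_transport_recover(transcript, server_priv):
    """With the private key, the recorded session key falls straight out."""
    n, d = server_priv
    return kdf(pow(transcript["encrypted_premaster"], d, n))

def sign(server_priv, value):
    n, d = server_priv
    return pow(int.from_bytes(kdf(value), "big") % n, d, n)

def verify(server_pub, value, signature):
    n, e = server_pub
    return pow(signature, e, n) == int.from_bytes(kdf(value), "big") % n

def dhe_session(group, server_pub, server_priv):
    """Signed ephemeral Diffie-Hellman: the long-term key only authenticates a fresh
    share; the shared secret depends on exponents x and y that neither side keeps."""
    p, g = group
    x, y = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1
    server_share, client_share = pow(g, x, p), pow(g, y, p)
    signature = sign(server_priv, server_share)
    if not verify(server_pub, server_share, signature):
        raise ValueError("client rejects unauthenticated share")
    transcript = {"server_share": server_share, "client_share": client_share,
                  "signature": signature}
    return transcript, kdf(pow(server_share, y, p))

def dhe_adversary_view(transcript, group, server_pub, server_priv):
    """Same adversary, same private key: the recorded signature checks out, and a
    share of the adversary's choosing can be signed for a future impersonation,
    but nothing on the wire yields the recorded session key."""
    p, g = group
    forged_share = pow(g, secrets.randbelow(p - 2) + 1, p)
    return {
        "signature_valid": verify(server_pub, transcript["server_share"], transcript["signature"]),
        "can_forge_future_share": verify(server_pub, forged_share, sign(server_priv, forged_share)),
        "recorded_session_key": None,   # would need x or y, which were never transmitted
    }

def demo():
    server_pub, server_priv = rsa_keygen()
    group = (gen_prime(256), 2)   # toy group; deployments use fixed safe primes or curves
    rsa_transcript, rsa_key = rsa_transport_session(server_pub)
    dhe_transcript, _ = dhe_session(group, server_pub, server_priv)
    return {"rsa_key_recovered": rsa_transport_recover(rsa_transcript, server_priv) == rsa_key,
            "dhe": dhe_adversary_view(dhe_transcript, group, server_pub, server_priv)}

if __name__ == "__main__":
    print(demo())
```

The practical consequence for a provider in Lavabit's position is that the damage a compelled key causes to already-captured traffic depends on which cipher suites the server offered: suites with RSA key exchange expose every recorded session, while ephemeral (EC)DHE suites do not.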

“Unconcerned with the implications” is all too common in cases involving new technologies.
Orin Kerr writes:
The forthcoming Supreme Court issue of the Harvard Law Review will feature an essay by NYU Law professor Erin Murphy on the Supreme Court’s recent Fourth Amendment case on DNA searches, Maryland v. King. Professor Murphy’s essay, License, Registration, Cheek Swab: DNA Testing and the Divided Court, argues that King is likely to have an unexpectedly large impact on the future of Fourth Amendment law.
In Murphy’s view, King is significant less for what it said than for what it didn’t say. Presented with the major implications of DNA analysis in the parties’ briefs and the amicus briefs, the Court didn’t address them. Instead, Justice Kennedy issued a majority opinion that seemed unconcerned with those implications.
Read more on Concurring Opinions.

Worth a listen...
The National Constitution Center has posted an audio file of Orin Kerr and Marc Rotenberg discussing warrantless surveillance with Jeffrey Rosen. More information and access to the audio file on NCC, here.

I don't worry. My Ethical Hackers would take credit for anything cool I emailed (even more likely, they'd ignore my emails entirely)
Colleen Flaherty reports on a number of cases where a professor’s email to students wound up going viral. The AAUP may want to protect “academic freedom” by treating emails as protected, but free speech advocates think it’s fair game and fair use.
Read more on Slate.

Shouldn't all email services be able to do this?
– A Chrome extension to supercharge your Gmail with mxHero Toolbox, and give power to your emails. Protect your privacy and send self destructing email. Track clicks on attachments & URLs with Click Track. Be reminded of important emails with Remind Later. Delay email delivery with Send Later. Track critical email responses with Reply Timeouts, & more.

For my Computer Security (and Ethical Hacking) students
Red Alert: 10 Computer Security Blogs You Should Follow Today

An alternative to PowerPoint. However, you should watch this: BEFORE you PowerPoint (or anything else)
How Would The World Look Like Without PowerPoint? Projeqt Gives A Clue
You have to give a second glance to a web application which is a 2013 Webby Awards Honoree. Projeqt walked the red carpet to claim not one but two nominations – Best User Experience and Web Services and Applications. So, it seems improper to just start this article and say it is a PowerPoint alternative. It would be better to describe it – as the application sees itself – as a creative storytelling tool.

Yet another way to hassle my students. (Infographic)
Effective Apps And Web Tools For BYOD Classrooms

Thursday, October 24, 2013

Surely, I'm not the only one to notice this. It's one thing to use your computer to automate trading. Being faster than the other guy is just a form of arbitrage. (and trading computers are very fast.) Jumping the gun is at least conspiracy. Imagine what it would be if this were a hack by a foreign power.
Futures spike just before US jobs data raises eyebrows
Call it a Tuesday morning market mystery – why did so many futures prices seem to move before the Department of Labor released the jobs report this morning?
According to Eric Hunsader of Nanex, a wide range of futures moved before the 8:30 a.m. release time of the jobs report.
Some of them moved as much as 500 milliseconds before the news – plenty of time for high-speed computer traders to rake in profits before the rest of the market.

Traders may have gotten last week’s Fed news 7 milliseconds early
Reporting from CNBC and Quartz points to strong circumstantial evidence that one or more traders received an early leak of the Federal Reserve's surprise decision last week not to slow down its bond purchases.
Markets swung rapidly on the 2 p.m. announcement last Wednesday, with stocks, bonds, and the price of gold all skyrocketing. Somebody placed massive orders for gold futures contracts betting on exactly that outcome within a millisecond or two of 2 p.m. that day -- before the seven milliseconds had passed that would allow the transmission of the information from the Fed's "lock-up" of media organizations who get an early look at the data and the arrival of that information at Chicago's futures markets (that's the time it takes the data to travel at the speed of light. A millisecond is a thousandth of a second). CNBC's Eamon Javers, citing market analysis firm Nanex, estimates that $600 million in assets could have changed hands in that fleeting moment.
There would seem to be three possibilities: 1) Some trader was extraordinarily lucky, placing a massive bet just before a major announcement that would make that bet highly profitable. 2) There was a leak, either by a media organization with early access to the data or even someone at the Fed. Or 3) The laws of physics have been violated as the information traveled from Washington to Chicago faster than the speed of light.
You can see why Option 2 looks the most plausible.

Took them long enough...
If you thought the FTC was done with Aaron’s Rent-to-Own when they approved a final order settling charges against rent-to-own companies in April, think again. The FTC just issued this press release yesterday:
Aaron’s, Inc., a national, Atlanta-based rent-to-own retailer, has agreed to settle FTC charges that it knowingly played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers including by taking webcam pictures of them in their homes.
According to the FTC’s complaint, Aaron’s franchisees used the software, which surreptitiously tracked consumers’ locations, captured images through the computers’ webcams – including those of adults engaged in intimate activities – and activated keyloggers that captured users’ login credentials for email accounts and financial and social media sites.
The software was the subject of related FTC actions earlier this year against the software manufacturer and several rent-to-own stores, including Aaron’s franchisees, that used it. It included a feature called Detective Mode, which, in addition to monitoring keystrokes, capturing screenshots, and activating the computer’s webcam, also presented deceptive “software registration” screens designed to get computer users to provide personal information.
Additional files on the complaint and consent order can be found on the FTC’s web site. And unless I’m missing something, the consent agreement does not require Aaron’s or its franchisees to actually notify customers that their personal data was acquired via the webcam activation.
So how will this consent order impact a potential class action lawsuit filed by Crystal and Brian Byrd against Aaron’s in 2011? Previous coverage of the lawsuit on this blog is linked from here. The lawsuit is ongoing and Aaron’s has moved for dismissal of the third amended complaint. Take a look at the docket for the lawsuit.

Bigger is rarely gooder.
HealthCare.gov code allegedly two times larger than Facebook, Windows, and OS X combined
… The latest controversy revolves around The New York Times' reporting that roughly 1 percent of HealthCare.gov -- or 5 million lines of code -- would need to be rewritten, putting the Web site's total size at a mind-boggling 500 million lines of code -- a scale that suggests months upon months of work.
Some are naturally skeptical of that ridiculous-sounding number -- as well as the credibility of The New York Times' source, who remains unnamed. Forums of programmers on sites like Reddit have postulated that, if true, it would have to involve mounds of bloated legacy code from past systems -- making it one of the largest Web systems ever built. One developer, Alex Marchant of Orange, Calif., decided to draw an interesting comparison to point that out.

(Related) And she's still employed? I guess it wouldn't be “FAIR” to fire incompetent managers... Even Dilbert wouldn't believe a manager would let this happen.
Sebelius: Obamacare website problems blindsided the President
President Barack Obama knew there would be "glitches" and said ahead of time there would be problems in the October 1 rollout of a key part of his health care initiative, but "there is no question that we did not anticipate the scale of problems with the website," White House spokesman Jay Carney said on Wednesday.
Before it even launched, red flags went up about the Obamacare website. Health insurance companies complained about it, and the site crashed during a test run. But nobody told the President of any of it, the nation's health chief told CNN.

“Who knows what evil lurks in Directive 54?”
From the good folks at EPIC:
A federal court has issued an opinion in EPIC v. NSA, EPIC’s Freedom of Information Act lawsuit concerning the government’s policy for the security of American computer networks. As a result of the lawsuit, EPIC obtained documents that the National Security Agency had withheld from the public. The documents concern NSPD 54, a presidential policy directive outlining the scope of the NSA’s authority over computer networks in the US. EPIC also challenged the NSA’s decision to withhold several other records including the National Security Presidential Directive 54. A federal district court has now ruled that NSPD 54 is not subject to the FOIA because it was not under “the control” of the National Security Agency and the other federal agencies and officials who received the presidential directive. The Court also ordered the NSA to identify and release other documents to EPIC. For more information, see: EPIC v. NSA – Cybersecurity Authority.

Of course they are. It is much more important to avoid any kind of terrorist incident than to protect your privacy.
The TSA is now searching your personal records before you get to the airport
… The TSA already checks travelers against a terrorist watch list, but The New York Times reports that the agency will now begin profiling travelers based on their past travel itineraries, property records, car registrations and employment information. The result is a full background check, directing some towards lighter screenings and others towards more invasive bag checks and pat-downs.
The TSA's stated goal is to qualify one in four passengers for lighter screening, which would forgo the typical shoe removal and lighten the agency's workload, but privacy advocates worried the result

Does using cash have an impact on Insurance rates?
Legal, but intrusive and creepy?
David Lazarus reports:
Think you can keep a medical condition secret from life insurers by paying cash for prescription meds? Think again.
A for-profit service called ScriptCheck exists to rat you out regardless of how diligent you are in trying to keep a sensitive matter under wraps.
ScriptCheck, offered by ExamOne, a subsidiary of Quest Diagnostics, is yet another example of data mining — using sophisticated programs to scour databases in search of people’s personal information and then selling that info to interested parties.
Read more on the Los Angeles Times.

US government releases draft cybersecurity framework
The aim of NIST's framework (PDF) is to create guidelines that companies can use to beef up their networks and guard against hackers and cybersecurity threats. Adopting this framework would be voluntary for companies.

We want it now!
– Do people turn to piracy when the movies they want to watch are not available legally? That is the question posed by PiracyData which lists the top 10 most pirated movies of the week, and then researches into whether those movies are available for legal rental, purchase, or streaming. Most movies on the list are currently not available legally which may explain why people turn to illegal methods.

Attention Ethical Hackers! Henceforth you shall be called “Fluffy Kitten Watchers” because apparently you can judge a book by its cover.
Dale Peterson reports on a disturbing court ruling:
The US District Court for the State of Idaho ruled that an ICS product developer’s computer could be seized without him being notified or even heard from in court primarily because he states on his web site “we like hacking things and don’t want to stop”.
Read about the case on Digital Bond.

For my researching students... Also useful for Bloggers?
News Gathering Gets A Fresh Break As Google Launches Google Media Tools
News and media organizations have been using Google for a long time. Google has taken things a bit further by giving journalists a rich set of tools in one centralized hub called Google Media Tools. Google Media Tools is a collection of all Google resources that can help journalists enhance their reporting. Common tools like Google Drive, Google Maps, and Google Search Trends along with many others find a place in the suite. The idea is not to be just a diving-board platform for the Google tools journalists need and use most often. Rather, Google wants this one-stop shop to be a learning center as well so that journalists of all hues and skill levels can create compelling stories with all the tools Google has to offer.
Google Media Tools is designed to cover everything from research to developing to publishing,

I'm always looking for real world applications...
Mathematician works out formula for perfect pizza

Wednesday, October 23, 2013

The pendulum swings again...
Happy to report a great win for the ACLU in U.S. v. Katzin. From the decision issued today by the Third Circuit Court of Appeals:
The instant case … calls upon us to decide two novel issues of Fourth Amendment law: First, we are asked to decide whether the police are required to obtain a warrant prior to attaching a GPS device to an individual’s vehicle for purposes of monitoring the vehicle’s movements (conduct a “GPS search”). If so, we are then asked to consider whether the unconstitutionality of a warrantless GPS search may be excused for purposes of the exclusionary rule, where the police acted before the Supreme Court of the United States proclaimed that attaching a GPS device to a vehicle constituted a “search” under the Fourth Amendment. For the reasons discussed below, we hold that the police must obtain a warrant prior to a GPS search and that the conduct in this case cannot be excused on the basis of good faith. Furthermore, we hold that all three brothers had standing to suppress the evidence recovered from Harry Katzin’s van. We therefore will affirm the District Court’s decision to suppress all fruits of the unconstitutional GPS search.
You can access the full opinion here.

Patients lie. Will reading their Tweets or looking at their Facebook page reveal the truth?
Art Caplan poses an interesting ethical question:
A friend recently brought to my attention a disturbing question from a psychiatrist working with a transplant team: Should she be checking the sobriety claims of liver transplant candidates by looking on their Twitter and other social media sites? That question merits discussion because it’s clear both doctors and patients are entering a new world of uncertain medical privacy due to Twitter, Facebook, Google+ and other outlets.
Read more on NBC.

Would this reduce bullying? After all, unlike the First Amendment, “It's for the children!”
Lorraine Bailey reports:
A mother sued Twitter for the identities of people who impersonated her daughter on the social media site, tweeting in her name “my passion is being fat,” “free hand and blowjobs call me,” and posting her phone number and picture online.
The mother sued Twitter on behalf of her minor daughter, in Cook County Court.
She seeks a court order compelling Twitter to release the identities of people who set up two Twitter accounts.
Read more on Courthouse News. Twitter suspended the two accounts.

Get the government to give your clients money to use your free service? Now that's a business model! (and like Facebook, it has a few “Privacy issues”)
Kashmir Hill writes:
Medical records start-up Practice Fusion has attracted a whopping $134 million in venture capital thanks to its appealing business model: it offers 100,000 (and counting) medical types free, web-based patient management services. The doctors get for free something that’s usually quite expensive, while cashing in on $150 million (so far) in government incentives to adopt electronic health record technology. Practice Fusion gets an attractive platform of doctors that medical labs, hospitals and medical billers pay to access. “Our community drives $100 billion in spend,” says CEO Ryan Howard. The start-up also gets data on 75 million patients’ health conditions and prescriptions, which it de-identifies and then makes available to analysts, pharma companies, and market research types, who also pay. You can see why a VC firm like Kleiner Perkins put $70 million into the start-up this September, valuing it at $700 million. It’s like Facebook but with tons of valuable medical data.
But the start-up could have a big privacy problem thanks to a doctor review site it launched in April. ‘Patient Fusion’ debuted with 30,000 doctor profiles and a stunning two million reviews, all from verified patients of the doctors. The site came as a surprise to some doctors – who knew the start-up emailed their patients appointment and prescription reminders but didn’t realize it had been reaching out to their patients after visits asking for reviews. And it is likely a surprise to some of the patients whose reviews are available publicly on the site. There are candid reviews with sensitive medical data and “anonymous reviews” that contain patients’ full names and/or contact details, suggesting they didn’t realize that what they were writing was going to be made public.
Read more on Forbes.
This sounds like a HIPAA/CMIA/FTC nightmare brewing. Practice Fusion has a lengthy privacy policy that says, in part:
Confidentiality of Health Information: Some of our users – such as healthcare providers – are subject to laws and regulations governing the use and disclosure of health information they create or receive. Included among them is the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health of 2009 (“HITECH”), and the regulations adopted thereunder. When we store, process or transmit “individually identifiable health information” (as such term is defined by HIPAA) on behalf of a health care provider who has entered a Healthcare Provider User Agreement, we do so as its “business associate” (as also defined by HIPAA). Under this agreement, we are prohibited from, among other things, using individually identifiable health information in a manner that the provider itself may not. We are also required to, among other things, apply reasonable and appropriate measures to safeguard the confidentiality, integrity and availability of individually identifiable health information we store and process on behalf of such providers. To see our Healthcare Provider User Agreement, and to specifically review our business associate obligations, please review Sections 4.1.8 and 9 of that agreement. We are also subject to laws and regulations governing the use and information of certain personal and health information, including HIPAA, when we operate as a business associate of a healthcare provider.
If patients weren’t properly informed about the public nature of their feedback and didn’t provide informed consent, I’d say that Practice Fusion has a whopping HIPAA privacy disclosure breach on its hands. Hopefully, HHS is looking into this whole thing. And if healthcare providers didn’t fully understand how Practice Fusion would be using the information provided, then that’s a second round of complaints/matter to be investigated.

Bad laws never die, they do morph and change names and attract lots of lobbying money.
Dana Liebelson reports:
This summer, when Edward Snowden dropped his bombshell about PRISM, the NSA’s vast Internet spying program, the House had recently passed a bill called the Cyber Intelligence Sharing and Protection Act (CISPA). Widely criticized by privacy advocates, CISPA aimed to beef up US cybersecurity by giving tech companies the legal freedom to share even more cyber information with the US government—including the content of Americans’ emails, with personal information intact. CISPA supporters, among them big US companies such as Verizon and Comcast, spent 140 times more money on lobbying for the bill than its opponents, according to the Sunlight Foundation. But after Snowden’s leaks, public panic over how and why the government uses personal information effectively killed the bill. Now that the dust has settled a bit, NSA director Keith Alexander is publicly asking for the legislation to be re-introduced, and two senators confirmed that they are drafting a new Senate version.
“I am working with Senator Saxby Chambliss (R-Ga.) on bipartisan legislation to facilitate the sharing of cyber related information among companies and with the government and to provide protection from liability,” Sen. Dianne Feinstein (D-Calif.) told Mother Jones in a statement.
Read more on Mother Jones.
Haven’t the big tech companies and providers taken enough of a reputation hit already with the Snowden leaks? Do they really want to come out and support more data sharing without user consent or knowledge?
That a bill could be a Good Thing for cybersecurity has never been disputed by the privacy security. The problems were the lack of meaningful restrictions on use of personally identifiable information. Until we see the language of what Senator Feinstein is proposing, we simply won’t know whether the same privacy concerns will continue or if our concerns will be appropriately addressed. Given that it’s Feinstein who’s the sponsor, however, I am not optimistic.

Interesting that parents (who are not “digital natives”) understand the negative implications of technology when “educators” (and their lawyers?) do not.
John Hildebrand reports:
Angry parents worried about their children’s privacy are fighting New York State’s planned turnover of 2.3 million public school students’ names and records to a private, high-tech corporation that will store and manage the records within a computerized “cloud” service.
The release of data to inBloom Inc., a nonprofit based in Atlanta, will include information on about 400,000 students on Long Island and is set to occur this fall or winter, officials said.
Read more on Newsday (sub. req.). The state, of course, is minimizing/denying parental concerns:
State education officials, who have worked with inBloom since 2011 to establish the “cloud” project, said parents’ fears were unwarranted.
InBloom will never release student information without permission from local districts, state and corporate officials said, and the data cannot be sold. The service will provide a high degree of data security through sophisticated encryption, they said.
Notice that there is no provision for parents to opt-out – or better yet, opt-in – as it is up to others to determine whether data will be shared.
And those in the state who are relying on assurances of data security should spend a week or so reading my blogs, including, to see how many supposedly secure databases get hacked or compromised on a daily basis.

Not so surprising...
Don’t Blame IT for Obamacare’s Tech Troubles
“Many eyes, shallow bugs.” Perhaps the gang that couldn’t code straight had never heard this software mantra. One can’t be sure. The Centers for Medicare and Medicaid Services, the agency overseeing the technically troubled Affordable Care Act exchanges, has done a far better job concealing the details of its systems design, development, and deployment practices than producing working websites. IT experts uncharitably observe that what the President describes as “glitches” are symptomatic of deeper digital dysfunctions. Are they right?

Should I believe this or is this 'The Onion' of Washington DC?
Exclusive: White House Official Fired for Tweeting Under Fake Name
A White House national security official was fired last week after being caught as the mystery Tweeter who has been tormenting the foreign policy community with insulting comments and revealing internal Obama administration information for over two years.

For my students who read...
5 Places To Read Fiction Online – For Free!
Classic Reader Classic Reader is a website dedicated to the classics. This site is a gold mine for lovers of classic literature as well as school students who want to read without having to purchase their own copies.

Tuesday, October 22, 2013

For my Ethical Hackers...
To Move Drugs, Traffickers Are Hacking Shipping Containers
… The plot, which began in 2011, reportedly involved a mix of international drug gangs and digital henchmen: drug traffickers recruited hackers to penetrate computers that tracked and controlled the movement and location of shipping containers arriving at Antwerp's port. The simple software and hardware hacks—using USB keyloggers and more sophisticated purpose-built devices—allowed traffickers to send in drivers and gunmen to steal particular containers before the legitimate owner arrived.

“When a distinguished but elderly scientist states that something is possible, he is almost certainly right. When he states that something is impossible, he is very probably wrong.” Arthur C. Clarke
When someone from Marketing explains technology, they are flat out lying.
Researchers challenge Apple's claim of unbreakable iMessage encryption
A close look at Apple’s iMessage system shows the company could easily intercept communications on the service despite its assurances to the contrary, researchers claimed Thursday at a security conference.
Apple asserted in June, following disclosures about the NSA’s data collection programs, that iMessage, which lets users send texts over Wi-Fi for free, is protected by end-to-end encryption that makes it impossible for Apple or anyone else to descramble the messages.
But researchers at the Hack in the Box conference in Kuala Lumpur showed it would be possible for someone inside Apple, of their own volition or because they were forced to by a government, to intercept messages.

I think I've pointed to this report before, but I don't store that data for 75 years...
Report – What the Government Does with Americans’ Data
What the Government Does with Americans’ Data, by Rachel Levinson-Waldman, Brennan Center for Justice, October 8, 2013.
“After the attacks of September 11, 2001, the government’s authority to collect, keep, and share information about Americans with little or no basis to suspect wrongdoing dramatically expanded. While the risks and benefits of this approach are the subject of intense debate, one thing is certain: it results in the accumulation of large amounts of innocuous information about law-abiding citizens. But what happens to this data? In the search to find the needle, what happens to the rest of the haystack? For the first time in one report, the Brennan Center takes a comprehensive look at the multiple ways U.S. intelligence agencies collect, share, and store data on average Americans. The report, which surveys across five intelligence agencies, finds that non-terrorism related data can be kept for up to 75 years or more, clogging national security databases and creating opportunities for abuse, and recommends multiple reforms that seek to tighten control over the government’s handling of Americans’ information.”

We're going to talk about Big Data this Friday. See:
Does Bigger Data Lead to Better Decisions?
Many scholars, from decision scientists to organizational theorists, have addressed this question from different perspectives, and the answer, as for most complex questions, is “it depends.” Big Data can lead to Big Mistakes. After all, the financial sector has been flooded with big data for decades.
A large body of research shows that decision-makers selectively use data for self-enhancement or to confirm their beliefs or simply to pursue personal goals not necessarily congruent with organizational ones. Not surprisingly, any interpretation of the data becomes as much an evaluation of oneself as of the data.

Similar to the way government builds roads. A study determines that volume on a given highway will be unacceptable by 2015, so they propose a two year project to add two lanes each way to the highway. Then they debate, delay and deny budget for four years, and the project actually takes three years to complete.
Updating the Statutory Framework for Communications for the Digital Age
CRS – Updating the Statutory Framework for Communications for the Digital Age: Issues for Congress. Charles B. Goldfarb, Specialist in Telecommunications Policy. September 30, 2013
“The statutory framework for the communications sector largely was enacted prior to the commercial development and deployment of digital technology, Internet Protocol (IP), broadband networks, and online voice, data, and video services. These new technologies have driven changes in market structure throughout the communications sector. Technological spillovers have allowed for the convergence of previously service-specific networks, creating new competitive entry opportunities. But they also have created certain incentives for market consolidation. Firms also have used new technologies to attempt to “invent around” statutory obligations or prohibitions, such as retransmission consent and copyright requirements. In addition, firms have developed new technologies that are attractive to consumers because they allow them to avoid paying for programming or allow them to skip the commercials that accompany video programming, but present a challenge to the traditional business model. The expert agencies charged with implementing the relevant statutes—the Federal Communications Commission (FCC) and the Copyright Office—have had to determine if and how to apply the law to technologies and circumstances that were not considered when the statutes were developed. Frequently, this has led parties unhappy with those interpretations to file court suits, which has delayed rule implementation and increased market uncertainty. The courts, too, have had to reach decisions with limited guidance from the statutes.”

“We didn't have the time to do it right, but we'll take the time to do it over.”
Administration Won’t Say Who’s On The Team That’s Supposed To Fix Obamacare Site
President Obama promised Monday that a kind of tech strike force has been activated to help solve the problems plaguing, the digital portal to the Affordable Care Act.

Netflix set to cruise past HBO in subscribers -- analyst

A 7 day free trial, but they are also looking for instructors!
– hosts videos to keep your creative and technical skills current. There’s no need to schedule a class or sit behind a desk: Skillfeed is there for you whenever you need it, on any device you’d like. For less than you’d spend on a single book, get access to hundreds of skills and tutorials.

A bit further along than I thought.
Free Online Courses You Can Study From Anywhere With iversity [Stuff to Watch]
This week we brought you the news that iversity launched with 24 available courses, so now it’s time to bring you a video prospectus of some of the service’s most interesting courses on offer.
Just like Coursera, iversity is a completely free learning experience that delivers the educational goods via video lectures, discussion and assignments; all of which are planned and delivered by lecturers at some of the world’s top universities.