Saturday, November 16, 2013

When I say, repeatedly, that Intelligence services target everything, did you think I was talking only about the NSA? Perhaps if I say, “Everyone wants to know Everything about Everyone,” you'll get the picture. (This is not only logical, it should be obvious.)
The Department of Energy hack noted previously on this blog may be part of a larger and longer campaign against government agencies by members of Anonymous who exploited an Adobe vulnerability. At least that’s what an FBI memo seen by Reuters seems to suggest:
The hackers exploited a flaw in Adobe Systems Inc’s software to launch a rash of electronic break-ins that began last December, then left “back doors” to return to many of the machines as recently as last month, the Federal Bureau of Investigation said in a memo seen by Reuters.
The memo, distributed on Thursday, described the attacks as “a widespread problem that should be addressed.” It said the breach affected the U.S. Army, Department of Energy, Department of Health and Human Services, and perhaps many more agencies.
Read more on Reuters.

(Related) Increasingly, “everyone” includes parents, girlfriends, and employers.
Tracked Since Birth: The Rise Of Extreme Baby Monitoring

Think of it as the difference between knowing you visited certain pages on a site and knowing everything you did on that site.
Richard Feloni reports:
Google, Microsoft, Apple, and Facebook all have their own tracking systems that may signal impending doom for the traditional cookie. First-party tracking can provide advertisers with much more accurate results than cookies, due to the access these companies have to user data.
Online radio service Pandora recently adopted its own cookie replacement, and it has been pitching its data to ad exchanges for the past few weeks, according to AdAge.
When a user registers for a Pandora account, the (sic) provides his or her age, gender, and zip code. The Internet radio company plans to go through its data and develop demographics it believes advertisers will find more attractive than the imperfect browsing habits collected by cookies.
Pandora has 70 million active users, which places it far ahead of rookie competitor iTunes Radio.
Read more on Business Insider.

Taking photos (or recording video) in public is not the issue. Posting those photos on a website is not an issue. Suggesting that something bad (like Tony Soprano will pay you a visit) will happen to you if your photo is on that website IS an issue.
The Canadian Press reports:
The Supreme Court of Canada on Friday struck down Alberta’s privacy law as unconstitutional in a case where a union photographed and videotaped people crossing a picket line during a long strike.
The United Food and Commercial Workers local representing employees at the Palace Casino at West Edmonton Mall was involved in a 305-day strike in 2006.
The union posted signs near the picket line saying images of people crossing the line might be posted on a website.
Read more on GlobalPost.

One of my Computer Security students was ranting about this just last week. Anyone want to mine that rant for legislative tips?
From the highlights of a GAO report issued in September and just posted today on GAO’s site:
No overarching federal privacy law governs the collection and sale of personal information among private-sector companies, including information resellers. Instead, a variety of laws tailored to specific purposes, situations, or entities governs the use, sharing, and protection of personal information. For example, the Fair Credit Reporting Act limits the use and distribution of personal information collected or used to help determine eligibility for such things as credit or employment, but does not apply to information used for marketing. Other laws apply specifically to health care providers, financial institutions, videotape service providers, or to the online collection of information about children.
The current statutory framework for consumer privacy does not fully address new technologies–such as the tracking of online behavior or mobile devices–and the vastly increased marketplace for personal information, including the proliferation of information sharing among third parties. With regard to data used for marketing, no federal statute provides consumers the right to learn what information is held about them and who holds it. In many circumstances, consumers also do not have the legal right to control the collection or sharing with third parties of sensitive personal information (such as their shopping habits and health interests) for marketing purposes. As a result, although some industry participants have stated that current privacy laws are adequate–particularly in light of self-regulatory measures under way–GAO found that gaps exist in the current statutory framework for privacy. And that the framework does not fully reflect the Fair Information Practice Principles, widely accepted principles for protecting the privacy and security of personal information that have served as a basis for many of the privacy recommendations federal agencies have made.
Views differ on the approach that any new privacy legislation or regulation should take. Some privacy advocates generally have argued that a comprehensive overarching privacy law would provide greater consistency and address gaps in law left by the current sector-specific approach. Other stakeholders have stated that a comprehensive, one-size-fits-all approach to privacy would be burdensome and inflexible. In addition, some privacy advocates have cited the need for legislation that would provide consumers with greater ability to access, control the use of, and correct information about them, particularly with respect to data used for purposes other than those for which they originally were provided. At the same time, industry representatives have asserted that restrictions on the collection and use of personal data would impose compliance costs, inhibit innovation and efficiency, and reduce consumer benefits, such as more relevant advertising and beneficial products and services. Nonetheless, the rapid increase in the amount and type of personal information that is collected and resold warrants reconsideration of how well the current privacy framework protects personal information. The challenge will be providing appropriate privacy protections without unduly inhibiting the benefits to consumers, commerce, and innovation that data sharing can accord. [Or perhaps informing consumers and allowing them to select a level of privacy they are comfortable with? Bob]
You can download the full report (pdf, 61 pp)

(Related) Perhaps a law review article on “Silly Technology Laws?”
Absurd: The Very Basic Thing It's Still Illegal to Do With Your Mobile Phone
Do you own a smart phone? Do you know how easy it is to break the law using only that smartphone?
It’s this easy: After your current contract with your wireless provider (perhaps Verizon) expires, change the software on your phone such that you can use it to make calls with a different provider (say, T-Mobile). There, you just broke the law.

Attention Ethical Hackers: No ethical concerns here, move along.
– If you’ve ever found yourself trying to try a product online which required a credit card, even when you just want to take a look, then you will know why this site is invaluable. It generates random lists of “valid” credit card numbers, but since there is no other corresponding information, they are useless for fraud purposes.
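What “valid” means here is only that the numbers pass the Luhn mod-10 checksum that card numbers are built to satisfy; passing that public arithmetic says nothing about whether an issuer ever assigned the number. As an added example (not code from the site above or from this blog), the Python below implements the check and uses it the way a defender would, to flag card-looking numbers during log review; the sample log lines and the helper names are constructed assumptions.

```python
import re
from typing import List, Tuple

# Card-number-looking runs of 13 to 19 digits, optionally separated by
# single spaces or hyphens (the way card numbers are usually typed).
CARD_LIKE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum.

    This is the only sense in which a generated number is "valid": the
    checksum is public arithmetic, so passing it says nothing about whether
    an issuer ever tied the number to an account.
    """
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; every second digit is doubled and,
    # if the result has two digits, they are summed (equivalent to d - 9).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_card_numbers(text: str) -> List[Tuple[str, bool]]:
    """Find card-like digit runs in text and report whether each passes Luhn.

    A DLP or log-review check would treat the Luhn-valid hits as probable
    leaked card numbers and the rest as noise (order ids, phone numbers).
    """
    hits = []
    for match in CARD_LIKE.finditer(text):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        hits.append((raw, luhn_valid(digits)))
    return hits


# Constructed sample log excerpt (an assumption, not real data).
# 4111 1111 1111 1111 is a widely published checksum-valid test number,
# not a live card; the second number fails the checksum.
SAMPLE_LOG = (
    "2013-11-16 10:02:11 order=20131116-0042 card=4111 1111 1111 1111 amt=19.99\n"
    "2013-11-16 10:02:15 retry card=1234-5678-9012-3456 status=declined\n"
    "2013-11-16 10:03:40 callback phone=303 555 0100 no card present\n"
)


def luhn_valid_hits(text: str = SAMPLE_LOG) -> List[str]:
    """Return only the card-like runs in the text that pass the checksum."""
    return [raw for raw, ok in scan_for_card_numbers(text) if ok]


if __name__ == "__main__":
    for raw, ok in scan_for_card_numbers(SAMPLE_LOG):
        print(f"{raw!r}: {'passes Luhn' if ok else 'fails Luhn'}")
```

The timestamps, order id and phone number never reach the checksum because they are shorter than 13 digits; only the two card-shaped runs are scored.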

For my students who actually want to learn...
– is a course catalog for online learning. The site helps you find courses for subjects you want to learn and enables you to compare those choices easily and pick the best one for you. They find college courses from all the providers out there and put them in one place. They list all the courses from Massive Open Online Courses (MOOCs) such as Coursera, Udacity, edX, etc.

For my Business Students
Amazon Constantly Audits its Business Model

Another question for my Statistics Class...

Friday, November 15, 2013

Another slice of “Everything”
CIA collecting bulk data on money transfers, reports say
Another secret surveillance effort that sweeps up and stores bulk data on Americans has apparently come to light -- this time involving financial records, and not the NSA but the Central Intelligence Agency.
The CIA program reportedly nabs data from cross-border money transfers handled by US companies such as Western Union in an effort to discover and track the funding of terrorist efforts.
… Western Union also provided the same statement to both papers: "We collect consumer information to comply with the Bank Secrecy Act and other laws. In doing so, we also protect our consumers' privacy."
The Times notes that the CIA program "offers evidence that the extent of government data collection programs is not fully known and that the national debate over privacy and security may be incomplete." [Nonsense. Bob]

I thought they were following the Israeli model. Apparently they developed their own. Typical government.
TSA’s got 94 signs to ID terrorists, but they’re unproven by science
… In a new report (PDF) released today, the Government Accountability Office (GAO) concluded that "the human ability to accurately identify deceptive behavior based on behavioral indicators is the same as or slightly better than chance." And it dryly noted that programs like SPOT should be "demonstrated to work reliably in their intended environment prior to program deployment."

I can see a “kill switch” being useful in very limited circumstances and for a very short time. It will be interesting to see what DHS sees...
From EPIC:
In a Freedom of Information Act case brought by EPIC against the Department of Homeland Security, a federal court has ruled that the DHS may not withhold the agency’s plan to deactivate wireless communications networks in a crisis. EPIC had sought “Standard Operating Procedure 303,” also known as the “internet Kill Switch,” to determine whether the agency’s plan could adversely impact free speech or public safety. EPIC filed the FOIA lawsuit after the agency failed to produce SOP 303. The federal court determined that the agency wrongly claimed that it could withhold SOP 303 as a “technique for law enforcement investigations or prosecutions.” The phrase, the court explained, “refers only to acts by law enforcement after or during the prevention of a crime, not crime prevention techniques.” The court repeatedly emphasized that FOIA exemptions are to be read narrowly. For more information, see EPIC: EPIC v. DHS (SOP 303) and EPIC: FOIA.
And Joe Cadillic sends along this report from the Washington Free Beacon:
The Department of Homeland Security (DHS) must disclose its plans for a so-called Internet “kill switch,” a federal court ruled on Tuesday.
The United States District Court for the District of Columbia rejected the agency’s arguments that its protocols surrounding an Internet kill switch were exempt from public disclosure and ordered the agency to release the records in 30 days. However, the court left the door open for the agency to appeal the ruling.
Read more on Washington Free Beacon.

I can see this as an interesting research project for law school students. Could even become a regular legal service (pre-pre-nup).
How to check out a potential partner online – without being creepy

Could be an interesting research area... Note that we are two decades after the creation of the WWW. If Paul David is correct, we should be seeing some fundamental changes in how we do things. Would that include measurement?
Measuring Internet Activity: A (Selective) Review of Methods and Metrics
by Sabrina I. Pacifici on November 14, 2013
“Internet Monitor is delighted to announce the publication of Measuring Internet Activity: A (Selective) Review of Methods and Metrics, the second in a series of special reports that focus on key events and new developments in Internet freedom, incorporating technical, legal, social, and political analyses.
Measuring Internet Activity, authored by Robert Faris and Rebekah Heacock, explores current efforts to measure digital activity within three areas: infrastructure and access, control, and content and communities. Two Decades after the birth of the World Wide Web, more than two billion people around the world are Internet users. The digital landscape is littered with hints that the affordances of digital communications are being leveraged to transform life in profound and important ways. The reach and influence of digitally mediated activity grow by the day and touch upon all aspects of life, from health, education, and commerce to religion and governance. This trend demands that we seek answers to the biggest questions about how digitally mediated communication changes society and the role of different policies in helping or hindering the beneficial aspects of these changes. Yet despite the profusion of data the digital age has brought upon us—we now have access to a flood of information about the movements, relationships, purchasing decisions, interests, and intimate thoughts of people around the world—the distance between the great questions of the digital age and our understanding of the impact of digital communications on society remains large. A number of ongoing policy questions have emerged that beg for better empirical data and analyses upon which to base wider and more insightful perspectives on the mechanics of social, economic, and political life online. This paper seeks to describe the conceptual and practical impediments to measuring and understanding digital activity and highlights a sample of the many efforts to fill the gap between our incomplete understanding of digital life and the formidable policy questions related to developing a vibrant and healthy Internet that serves the public interest and contributes to human wellbeing. 
Our primary focus is on efforts to measure Internet activity, as we believe obtaining robust, accurate data is a necessary and valuable first step that will lead us closer to answering the vitally important questions of the digital realm. Even this step is challenging: the Internet is difficult to measure and monitor, and there is no simple aggregate measure of Internet activity—no GDP, no HDI. In the following section we present a framework for assessing efforts to document digital activity. The next three sections offer a summary and description of many of the ongoing projects that document digital activity, with two final sections devoted to discussion and conclusions.”

Yes! (Now, will they get out of the way?)
EFF – Court Upholds Legality of Google Books
by Sabrina I. Pacifici on November 14, 2013
“It’s a good day for fair use and sane copyright law. After years of litigation, Judge Denny Chin has ruled that the Google Books project does not infringe copyright. Readers, authors, librarians and future fair users can rejoice. For years, Google has been cooperating with libraries to digitize books and create a massive, publicly available and searchable books database. Users can search the database, which includes millions of works, for keywords. Results include titles, page numbers, and small snippets of text. It has become an extraordinarily valuable tool for librarians, scholars, and amateur researchers of all kinds. As the court noted (citing an amicus brief EFF filed jointly with several library associations) librarians use the service for a variety of research purposes. Many librarians reported that they have purchased new books for their collections after discovering them through Google Books. Nonetheless, the Authors Guild argues that its members are owed compensation in exchange for their books being digitized and included in the database – even though blocking Google Book Search’s digitization wouldn’t bring any author any additional revenue.”

For my student entrepreneurs.
FREE EBOOK: How To Start An Online Business, Sponsored By Media Temple
Start your own online store. The latest MakeUseOf manual, sponsored by (mt) Media Temple and written by James Bruce, teaches you everything you need to know in order to sell your wares online – without paying commission to eBay or Amazon.
READ ONLINE or DOWNLOAD: How To Start An Online Business
No password required. Online, PDF, EPUB and Amazon.

For my hard-core App aficionados...
12 Twitter Accounts To Follow If You Like Free Apps
Now, there are ways to find virtually any mobile app for free legally. But the best way is to always know when an app is going on sale, whether as a discount or free for a limited period. And if you’re on Twitter, there are a few accounts you should be following to always keep abreast of these discounts.

Willie rocks!
The Bard Isn’t Hard: 10 Resources For Teaching Shakespeare
[My favorite: Shakespearean insults are the best. This board discusses the history behind the best insults, and includes a Shakespearean insult generator.]

Have I mentioned that the school has a 3D printer? Browse models, download, print.

(Related) Sounds like a class project! (Until it actually works, we can call it Congress)
Here is “InMoov”, the first life-size humanoid robot you can 3D print and animate. You have a 3D printer and some building skills? This project is for you!!
This is all designed with Blender.
Parts for downloads are licensed under the Attribution – Non-Commercial – Creative Commons license.

(Related) Evidence that a technology has arrived?
Rolls-Royce to 3D print aircraft engine parts

Thursday, November 14, 2013

It's a target that eventually offers personal information on hundreds of millions of Americans. Are they surprised to learn it's a target?
The Chicago Tribune reports:
U.S. authorities are investigating a series of cybersecurity incidents targeting the website at the center of President Obama’s healthcare law, a U.S. homeland security official told Congress on Wednesday.
Roberta Stempfley, acting assistant secretary of the Department of Homeland Security’s Office of Cybersecurity and Communications, said her department was aware of “about 16” reports from the Department of Health and Human Services – which is responsible for implementing the healthcare law – on cybersecurity incidents related to the website.
Testifying before the House of Representatives Homeland Security Committee, Stempfley also said officials were aware of an unsuccessful attempt by hackers to organize a “denial of service” attack to overwhelm and take down the website.
Read more on the Chicago Tribune.

If it's an elected official, all bets are off.
From, we learn:
Montana has a constitutional right to privacy and right to know. The Montana Supreme Court concludes that lower level employees disciplined for viewing pornography on city time on city computers had a reasonable expectation of privacy not to be publicly disclosed, and disclosure of their identities was not in the public interest. [That alone should be sufficient. Bob] The Fourth Amendment reasonable expectation of privacy analogy was not apt because of the state privacy protection. Billings Gazette v. City of Billings, 2013 MT 334, 2013 Mont. LEXIS 455 (November 8, 2013)*:
Read an excerpt from the ruling on

The deck is truly stacked, thinking thoughtful thoughts won't help?
Orin writes:
DOJ has filed its brief in the Lavabit appeal before the Fourth Circuit. I blogged at length on Lavabit’s brief, so I thought I would offer a few thoughts on DOJ’s brief:
1) In general, it’s a solid brief. It’s going to be extremely unpopular in the IANAL computer nerd world, obviously, but it’s mostly pretty solid on the law.
2) DOJ brings up some provocative facts not found in the Lavabit brief that are not going to help Lavabit before the Fourth Circuit judges.
Read more on The Volokh Conspiracy, while I ponder whether Orin includes me in the “IANAL computer nerd” reference.

Interesting idea: legal justification!
Google, Microsoft, and LinkedIn are requesting oral argument on their motion to be able to be more transparent with users about government requests for user information.
Indeed, they seem to have really come out swinging in response to the government’s September 30th response and declaration, which were submitted ex parte and in camera, with the plaintiffs only getting a highly redacted version of the response.
The tech giants are asking the court to strike all the redacted sections, or in the alternative, to give them greater access to the material so they are fighting this on a level playing field. In their argument, they note that there must be a legal justification for the government to prohibit providers from sharing the data they have already been entrusted with (i.e., the number of orders), and the government has failed to provide that legal justification in the redacted materials available to them.

Something strange here. Granted the defendants exposed the data, but were they specifically targeted or were the police looking at ALL P2P traffic? The article suggests the latter...
Jaikumar Vijayan reports:
There can be no expectation of privacy in data exposed to the Internet over a peer-to-peer file-sharing network, a federal judge in Vermont ruled in a case involving three individuals charged with possession of child pornography.
The three men had argued that police illegally gathered information from their computers using an automated P2P search tool and then used that information to obtain probable cause warrants for searching their computers. Each of the defendants was later charged with possession of child pornography based on evidence seized from their computers.
Read more on Computerworld.
[From the article:
The defendants contended that the initial use of the automated P2P search tool to gather information on the contents of their computers constituted a warrantless search of their systems. They maintained that police violated Fourth Amendment provisions against unreasonable search by looking at private files on each of their systems using the P2P search tool.
They also argued that several of the statements made by investigators to show probable cause for the search warrants were based on incorrect information.
In a 39-page ruling released Friday, District Court Judge Christina Reiss denied the motion to suppress and held that the defendants had essentially given up privacy claims by making the data publicly available on the Internet over a P2P network.
"The evidence overwhelmingly demonstrates that the only information accessed was made publicly available by the IP address or the software it was using," Reiss wrote. "Accordingly, either intentionally or inadvertently, through the use of peer-to-peer file sharing software, Defendants exposed to the public the information they now claim was private."
The ruling is similar to ones reached by other courts in disputes involving documents exposed on the Internet via peer-to-peer networks. Courts in the 11th Circuit, 10th Circuit and 8th Circuit have all held that there can be no expectation of privacy if the contents of a computer can be accessed freely over the public Internet via a file sharing network.

Interesting. So if (hypothetically) someone did something slightly evil and it was traced back to a certain computer law professor, he could show harm. If thousands of victims have their life savings threatened, they can't?
KATU reports from Clackamas County, Oregon:
A woman who fought to clear her name after her identity was stolen and she was arrested for crimes she did not commit won a lawsuit against the county and has been awarded over $100,000 in damages.
Kimberly Fossen’s story began nearly a decade ago when she lost her purse. She was quick to cancel her credit cards and get new identification, but another woman took her identity and racked up arrests under her name in Miami-Dade and Broward counties in Florida.
Read more on KATU.
Over the years, I’ve read a number of reports of ID theft victims being arrested for crimes they did not commit, despite their best efforts to notify everyone of their victim status and/or despite obtaining documentation to show law enforcement that they are an innocent victim. It’s nice to see law enforcement held accountable for not doing their due diligence before arresting and holding an ID theft victim.

Follow-up to Tuesday's blog post, where they claimed the network wasn't being used.
Following up on a concerning report out of Seattle this week, Brendan Kiley and Matt Fikse-Verkerk report:
The Seattle Police Department just announced that it has begun the process of deactivating its wireless mesh network, a powerful tool for sending vast amounts of data that also has powerful surveillance potential. In theory, the network (built by a California-based company called Aruba Networks) could track and indefinitely log the movements of any wireless device with a MAC address (phones, laptops, tablets) that moves through its coverage area.
The possibility of a police department creating a historical digital map of the city, or using such a system for real-time locating of individuals, without governmental or civilian oversight has some serious implications.
The mesh network, as The Stranger reported this week, was quietly purchased with grant money from the Department of Homeland Security and whisked through the Seattle City Council without any serious process of review and approval.
But, SPD spokesperson Sgt. Sean Whitcomb said this evening, “The wireless mesh network will be deactivated until city council approves a draft policy and until there’s an opportunity for vigorous public debate.” Chief Jim Pugel gave the order to begin the deactivation process today.
Read more on The Stranger.

After all that effort, this is what they came up with?
FAA Releases Drone Roadmap, Privacy Not Required for Test Sites
by Sabrina I. Pacifici on November 13, 2013
EPIC – “In a press release, the Federal Aviation Administration announced the “roadmap” for the integration of drones into domestic airspace. After considering numerous public comments on the privacy impact of aerial drones, the FAA proposed a regulation that requires test site operators to develop privacy policies but does not require any specific baseline privacy protections. The FAA rulemaking came about in response to an extensive petition submitted by EPIC, broadly supported by civil liberties organizations and the general public. EPIC urged the agency to require adherence to the Fair Information Practices, disclosure of data collection and minimization practices, and independent audits. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones.”

So, they want to return to using dial-up modems on the hard wired phone system?
Report – Telecoms plan shielded European Internet
by Sabrina I. Pacifici on November 13, 2013
Via Deutsche Welle: “Deutsche Telekom says the scandal over US and British eavesdropping has prompted German providers to contemplate an inner-German or inner-European Internet. Data would no longer be routed and stored via other continents. Germany’s state-backed Telekom confirmed on Sunday that German providers were discussing an Internet confined within Europe’s “Schengen” countries. One project code-named “Clean Pipe” would help firms to fend off industrial spies and hackers. Schengen is the Luxembourg border town where in 1985 EU nations initiated a visa-free zone that now encompasses 26 European countries but excludes Britain. A Telekom spokesman told the German news agency DPA that talks were taking place with “diverse, likely partners.” The project would be unveiled on Monday at an information technology (IT) conference in Bonn. According to the news magazine Der Spiegel, Telekom managers see fewer technical setup problems than IT experts had at first anticipated. Germany already has a project entitled “E-Mail made in Germany” in which Telekom, United Internet and Freenet handle messages inside the national border.”

A question for my lawyer friends. If I can show you cases with a high probability of a large settlement, would you send the victims appropriately threatening letters? Oh, wait, the RIAA already has law firms that do that.
Lawyering in the Shadow of Data
by Sabrina I. Pacifici on November 13, 2013
Lawyering in the Shadow of Data, Drury D. Stevenson - South Texas College of Law; Nicholas J. Wagoner - South Texas College of Law Alumni. September 12, 2013
“Attorney bargaining has traditionally taken place in the shadow of trial, as litigants alter their pretrial behavior — including their willingness to negotiate a settlement — based on perceptions of likely outcomes at trial and anticipated litigation costs. Lawyers practicing in the shadow of trial have, in turn, traditionally formed their perception of the likely outcome at trial based on their knowledge of case precedents, intuition, and previous interactions with the presiding judge and opposing counsel in similar cases. Today, however, technology for leveraging legal data is moving the practice of law into the shadow of the trends and patterns observable in aggregated litigation data. In this Article, we describe the tools that are facilitating this paradigm shift, and examine how lawyers are using them to forecast litigation outcomes and reduce bargaining costs. We also explore some of the risks associated with lawyering in the shadow of data and offer guidance to lawyers for leveraging these tools to improve their practice. Our discussion pushes beyond the cartoonish image of big data as a mechanical fortuneteller that tells lawyers who will win or lose a case, supposedly eliminating research or deliberation. We also debunk the alarmist clichés about newfangled technologies eliminating jobs. Demand for lawyers capable of effectively practicing law in the shadow of data will continue to increase, as the legal profession catches up to the data-centric approach found in other industries. Ultimately, this Article paints a portrait of what big data really means for attorneys, and provides a framework for exploring the theoretical implications of practicing law in the era of big data.”

Making research easier?
64 Federal Courts Now Publish Opinions on FDsys
by Sabrina I. Pacifici on November 13, 2013
News release: “A project providing free online access to federal court opinions has expanded to include 64 courts. The federal Judiciary and the Government Printing Office partner through the GPO’s Federal Digital System, FDsys, to provide public access to more than 750,000 opinions, many dating back to 2004. The Judicial Conference approved national implementation of the project in September 2012, expanding participation from the original 29 courts. FDsys currently contains opinions from 8 appellate courts, 20 district courts, and 35 bankruptcy courts. Federal court opinions are one of the most heavily used collections on FDsys, with millions of retrievals each month. Opinions are pulled nightly from the courts’ Case Management/Electronic Case Files (CM/ECF) systems and sent to the GPO, where they are posted on the FDsys website. Collections on FDsys are divided into appellate, district or bankruptcy court opinions and are text-searchable across courts. FDsys also allows embedded animation and audio – an innovation previously only available with opinions posted on a court’s own website or on the Public Access to Court Electronic Records (PACER). While the public already can view federal court opinions for free on PACER, the FDSys project presents just another way to make court-related information more accessible to the public.”

Wednesday, November 13, 2013

Kind of a background article...
How To Bypass Internet Censorship
… I have mentioned VPN and Tor as a workaround to most forms of Internet censorship. However, I need to issue a caveat. Recent developments in China have demonstrated that even VPN can be blocked. In late 2012, it was widely reported that the Great Firewall of China is now able to learn, discover and block encrypted network traffic from several VPN systems (not all). China Unicom, one of the largest ISPs in China, is now terminating connections whenever an encrypted connection is detected.

I'd like to see the algorithm used in this one...
Impala – is the first app in the world that automatically sorts the photos on your phone. You do not have to manually label each and every one of them – Impala “looks” into your images and videos and recognizes what’s inside. For instance, Impala can recognize cats, sunsets, beaches, and so on. Impala then automatically creates photo albums and organizes your photos.

The more you know (measure) the better you can plan. Something for my Statistics students.
How Long Can You Reasonably Expect Your Hard Drive To Last?
According to Backblaze, about one in 20 hard drives fails in the first 18 months. The failure rate drops to just 1.4 percent after this initial break-in period, before jumping up to 11.8 percent annually after 3 years.
Beyond that time period, though, Backblaze doesn’t have much data—they’ve only been around and collecting this data for four years. Still, the fact that 74 percent of hard drives that they buy last longer than 4 years strikes me as pretty surprising. It also makes perfect sense that, as Backblaze points out, most available hard drive warranties are either 12 or 36 months.
… As Backblaze doesn’t have any hard drives that are older than its company it can only estimate that, based on the data already collected, the median hard drive life is about six years.

For my innovative students (and a certain Foundation running out of cy-près Funds?)
CrowdHoster – Launch your own crowdfunding page without touching a line of code. Currently invite-only, CrowdHoster is open-source, and therefore the code can be viewed on GitHub. It includes a funding progress bar, sharing links, and customizable content areas. Running more than one campaign is also possible. Continue taking preorders even after your campaign ends.

Okay students, sic 'em!
Google Glass Explorer program waiting list quietly goes live
Google Glass is slowly coming within reach of members of the general populace who aren't developers, celebrities, or elite early adopters.
This week, as Google rolled out a Glass software update that adds a new command for listening to music, the company also quietly put a new form online that allows anyone to add themselves to a waiting list for the Glass Explorer program.

Perhaps there will be a market for 3D Templates of things other than guns?
MakerBot wants to put a 3D printer in every US public school
MakerBot wants to put a 3D printer in every school in the United States, and it's drumming up support from the industry and general public to make it happen.
While 3D printing, for now, remains a gimmick to many, it garnered enough attention for President Barack Obama to mention the emerging technology in his recent State of the Union Address. He described 3D printing as having the potential to "revolutionize the way we make almost everything."
… The US government is also supporting MakerBot's efforts. Tom Kalil, deputy director for technology and innovation within the White House Office of Science and Technology Policy, said in prepared remarks: "We all need to think creatively about giving our young people the tools to be 'the makers of things, and not just the consumers of things.'"
And once 3D printers start rolling out to schools? MakerBot insists the devices won't be expensive paperweights. The company is also launching Thingiverse, an online 3D digital design community where schoolchildren can design, share, upload, and print designs of their own.
With the initiative launching Tuesday, individuals and corporations can donate funds using, a crowdsourcing site for teachers. Pettis wants those in communities around America to contribute to their local schools. Meanwhile, MakerBot is offering significant discounts to lower the price point of the 3D printing machines.

What hath Apple wrought?
Public at last: Apple II DOS code that launched an empire
… In early 1978, Apple signed a $13,000 contract with Shepardson Microsystems to create the DOS.
… Now, thanks to the help of the DigiBarn, a vintage computer museum in Santa Cruz County, Calif., the Computer History Museum in Mountain View, Calif., has officially published the DOS source code for all to see.
According to Bruce Damer, the founder and curator of the DigiBarn, Apple, which still owns the code, gave its blessing for the documents to be made public.

Tuesday, November 12, 2013

What if polls suggest that Privacy is a major factor in this election? Colorado is looking for a governor too.
I’ve occasionally mentioned that in my opinion, Texas Attorney General Greg Abbott is one of the most activist state AGs when it comes to consumer privacy protection. He’s now running for Governor in Texas, and his platform does include privacy. Aman Batheja reports on a speech he gave:
In the most detailed speech since launching his bid for governor earlier this year, Attorney General Greg Abbott laid out a dozen new policy proposals Monday evening, touching on ethics reform, privacy rights, education, guns and Obamacare.
Abbott also proposed changes to state privacy laws. He described his proposals as pushing back against federal and state efforts to turn government “into Big Brother.”
“Government agencies like the NSA, like the IRS, like the EPA, are increasingly using tools to look at our emails, to tap into our phone calls, to look at our financial information or our health records,” Abbott said.
He said he wanted to bar state agencies from selling Texans’ personal information without their consent. Abbott described the practice as routine at agencies including the Texas Department of Motor Vehicles and the Texas Department of Health Services.
He also proposed creating “a personal property right for your DNA.”
“Your DNA belongs to you, and no one else has the right to access that information without your consent,” Abbott said. “But the reality is that advances in technology are threatening that privacy right… You should have control over how your information about your DNA is used.”
He next waded into the debate over red light cameras, one which he acknowledged pits those arguing the safety value of the devices against those with privacy concerns.
“I believe it should be up to you, the people, to decide whether red light cameras is right for a community,” Abbott said, explaining that he would push to change state law to allow for voters to push for a ballot initiative to repeal a local red light camera ordinance.
Read more on Texas Tribune. The dozens of comments on him and his record under the news story are mainly negative.

My students say, TL;DR (too long; didn't read). I'm saying TL;NH (too logical; never happen). In fact, looking back through my blog, I say it quite frequently. But even if it did, it would only impact the back end, not the collection.
Benjamin Wittes writes:
Over at the Guardian today, Kenneth Roth—executive director of Human Rights Watch—argues for a worldwide human right of privacy:
It’s time for governments to come clean about their practices, and not wait for the newest revelations. All should acknowledge a global obligation to protect everyone’s privacy, clarify the limits on their own surveillance practices (including surveillance of people outside their own borders), and ensure they don’t trade mass surveillance data to evade their own obligations. Of course it is important to protect security, but western allies should agree that mass, rather than narrowly targeted, surveillance is never a normal or proportionate measure in a democracy.
Washington is finally grappling with the Snowden revelations, holding hearings and considering legislation that might help to rein in the NSA’s seemingly unconstrained power. Some of these bills would limit or end bulk data collection, institute greater transparency, and give the secret court that oversees surveillance requests a more adversarial character. These are important proposals, but none include protection for non-Americans abroad. The US has the capacity to routinely invade the digital lives of people the world over, but it barely recognises any privacy interest of those outside the US (emphasis added).
Roth’s article echoes arguments made recently by David Cole on Just Security (here and here), to which Orin Kerr responded (here and here) on Lawfare. I fully agree with Orin’s response to Cole, which essentially posits that the US government’s obligation to respect the privacy of its citizens and those within its territory stems from a social contract not present with everyone else in the world.
But I’m hung up on an antecedent question in light of Roth’s and Cole’s arguments: What if we were to accept, in Roth’s words, that there is some “global obligation to protect everyone’s privacy”?
Read more on Lawfare.

Of course they will do it; here's where they will go wrong.
David Navetta writes:
Educational institutions at all levels have begun to realize that they hold a treasure trove of student-related information, that if analyzed using “Big Data” techniques, could yield valuable insights to further their educational missions.
Of course, as one can imagine, Big Data projects using student-related information can implicate significant privacy issues. Schools are regulated under the Family Educational Rights and Privacy Acts Statute, and depending on a school’s specific activities may be subject to GLB and HIPAA. In addition, many educational institutions have internal policy and public-facing privacy policies that apply to, and may limit, the collection, use and disclosure of student personal information. The impact of applicable privacy laws and existing privacy-related policies should be taken into account well before engaging in a Big Data project. We have looked at Big Data privacy issues generally before, and the following is a framework for analyzing high level legal considerations and action items for educational institutions considering Big Data projects involving student-related information.
I won’t say that I’m tired, but I just read his first sentence as “to further their educational mistakes.” Freud is having a field day…
You can read David’s actual framework as he wrote it on InfoLawGroup.

Another example of Educators thinking they know better than parents? Imagine being a parent and finding out that your child's name is on this list.
Matthias Gafni reports on another case where a school district cited FERPA as a reason for not complying with a request to disclose information about alleged assaults on students:
In May, about a month into her investigation of molestation allegations against a Woodside Elementary School teacher, a Concord police detective hit a roadblock. A Mt. Diablo school district attorney refused to turn over a key internal report on previous abuse allegations against popular fourth- and fifth-grade teacher Joseph Martin.
The detective, as recorded in portions of a police report obtained by this newspaper, was trying to identify potential victims of Martin when she was told she would need a search warrant to get a version of the 2006 report without key information blocked out. Detective Tamra Roberts reminded Deputy District Counsel Deborah Cooksey that the district was required by law to report child abuse suspicions and the names of potential victims. Only then did the district hand over the unredacted report.
Read more on Contra Costa Times.

Why would a Police Department pay for a tool, pay to have it installed, and then not use it?
David Ham reports:
In February, the Seattle Police Department announced it bought what’s called a “mesh network,” that will be used as a dedicated wireless network for emergency responders. What SPD did not say is that the network is capable of tracking anyone with a device that has a Wi-Fi connection. “They now own a piece of equipment that has tracking capabilities so we think that they should be going to City Council and presenting a protocol for the whole network that says they won’t be using it for surveillance purposes,” said Jamela Debelak of the American Civil Liberties Union.
A spokesperson for Seattle Police said the network is not being used right now. A draft policy is being reviewed by the city attorney’s office and will eventually go before the City Council.
Read more on KIRO TV.
[From the article:
The network includes 160 wireless access points that are mounted on poles across Seattle. Every time a device looks for a Wi-Fi signal and the access point recognizes it, it can store that data. The manufacturer of the network points out in a manual that the mesh network can store IP addresses, device types, applications used by the devices, current location, and historical location. This information can be stored and connected for the last 1,000 times a person is connected with a specific device. The network shows up online in public places usually as intersections in the city such as, "4th&Pike," "4th&University" and "3rd&Union."
… Council member Bruce Harrell pointed out the need for SPD to be able to collect some of this information. "While I understand that a lot of people have concerns about the government having access to this information, when we have large public gatherings like the situation like in Boston and something bad happens, the first thing we want to know is how are we using technology to capture that information," said Harrell. [It does no good to turn this on AFTER a terrorist incident. Bob]
The network was bought with a Homeland Security grant for $2.6 million. [Apparently, DHS has a line called “Big Brother Tools” in their budget. Bob]
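To make the article's "every time a device looks for a Wi-Fi signal" concrete, here is an added example (mine, not code from KIRO, the ACLU, or the mesh network's vendor) of what an access point can log from a phone that never even joins the network. Phones announce themselves with 802.11 probe-request frames that carry the phone's MAC address and, for directed probes, the name of a remembered network. The frames below are constructed, the access-point names are the intersections the article quotes, the timestamps are arbitrary, and the MAC address is made up; the per-device cap mirrors the "last 1,000 times" figure from the manual.

```python
import struct
from collections import defaultdict

# Added example: constructed 802.11 probe requests and a small sighting log.
# Nothing here is captured traffic or vendor code.

PROBE_REQUEST_SUBTYPE = 4  # management frame (type 0), subtype 4

def build_probe_request(src_mac: bytes, ssid: bytes = b"") -> bytes:
    """Assemble a minimal probe-request frame so the parser has input.
    An empty SSID is the 'wildcard' probe every phone sends; a named SSID is a
    directed probe for a network the phone remembers."""
    frame_control = b"\x40\x00"          # type 0, subtype 4, little-endian
    duration = b"\x00\x00"
    broadcast = b"\xff" * 6              # addr1 (destination) and addr3 (BSSID)
    seq_ctrl = b"\x00\x00"
    ssid_ie = bytes([0, len(ssid)]) + ssid          # element ID 0 = SSID
    rates_ie = b"\x01\x04\x82\x84\x8b\x96"           # element ID 1 = supported rates
    return (frame_control + duration + broadcast + src_mac + broadcast
            + seq_ctrl + ssid_ie + rates_ie)

def parse_probe_request(frame: bytes):
    """Return {'mac': ..., 'ssid': ...} for a probe request, else None."""
    if len(frame) < 24:
        return None
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != PROBE_REQUEST_SUBTYPE:
        return None
    src = frame[10:16]                   # addr2 = transmitter = the phone
    ssid = "<wildcard>"
    offset = 24
    while offset + 2 <= len(frame):      # walk the tagged information elements
        element_id, length = frame[offset], frame[offset + 1]
        value = frame[offset + 2:offset + 2 + length]
        if element_id == 0 and length:
            ssid = value.decode("utf-8", "replace")
        offset += 2 + length
    return {"mac": ":".join(f"{b:02x}" for b in src), "ssid": ssid}

def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit of the first octet is set. MAC randomization sets
    it, so such addresses should not be assumed to identify one device."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

class SightingLog:
    """Per-device history, capped like the manual's 'last 1,000 connections'."""
    def __init__(self, max_per_device: int = 1000):
        self.max_per_device = max_per_device
        self.sightings = defaultdict(list)   # mac -> [(timestamp, ap_name, ssid)]

    def record(self, ap_name: str, timestamp: int, frame: bytes):
        rec = parse_probe_request(frame)
        if rec is None:
            return None
        history = self.sightings[rec["mac"]]
        history.append((timestamp, ap_name, rec["ssid"]))
        del history[:-self.max_per_device]  # keep only the newest N entries
        return rec

    def trail(self, mac: str):
        """Where and when this MAC was heard: the 'historical location' field."""
        return [(t, ap) for t, ap, _ in self.sightings.get(mac, [])]

    def remembered_networks(self, mac: str):
        """SSIDs the device asked for by name, i.e. places it has been before."""
        return sorted({s for _, _, s in self.sightings.get(mac, []) if s != "<wildcard>"})

# Constructed walk: one phone heard at two of the intersections named in the article.
PHONE_MAC = bytes.fromhex("3c5ab4112233")      # made-up, U/L bit clear

def demo_trail() -> SightingLog:
    log = SightingLog()
    log.record("4th&Pike", 1000, build_probe_request(PHONE_MAC, b"HomeWifi"))
    log.record("3rd&Union", 1600, build_probe_request(PHONE_MAC))               # wildcard probe
    log.record("3rd&Union", 1601, build_probe_request(PHONE_MAC, b"CoffeeShop"))
    return log

if __name__ == "__main__":
    log = demo_trail()
    mac = "3c:5a:b4:11:22:33"
    print("trail:", log.trail(mac))
    print("remembered networks:", log.remembered_networks(mac))
    print("randomized address?", is_locally_administered(mac))
```

The point for the policy debate is in `trail()` and `remembered_networks()`: the phone was never "connected" in any user-visible sense, yet the log yields a movement history and a list of networks it knows, which is enough to tie the device to a home or workplace. The `is_locally_administered` check is the practitioner's caveat: phones that randomize their MAC show up as many devices, so a draft policy should say what is logged, not just whether the feature is "in use."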

I enjoy reading about lawyers analyzing other lawyers' little failures. Sorry, I'm just built that way.
I splurged and purchased a copy of the transcript of Thursday’s oral argument in FTC v. Wyndham. You can download it here (PDF, 561kB, 186 pp.). Consider it an early holiday gift from to you.
I look forward to reading everyone’s reactions after we’ve all had time to read it. I did a quick read, and here are my first impressions on some of the issues:

Who, exactly, would this advocate represent?
Introducing a Public Advocate into the Foreign Intelligence Surveillance Act’s Courts
by Sabrina I. Pacifici on November 11, 2013
Introducing a Public Advocate into the Foreign Intelligence Surveillance Act’s Courts: - Select Legal Issues. Andrew Nolan, Legislative Attorney; Richard M. Thompson II, Legislative Attorney; Vivian S. Chu, Legislative Attorney, October 25, 2013.
“Recent revelations about the size and scope of government foreign surveillance efforts have prompted some to criticize the level of scrutiny that the courts – established under the Foreign Intelligence Surveillance Act of 1978 (FISA) – currently provide with respect to the government’s applications to engage in such surveillance. In response to concerns that the ex parte nature of many of the proceedings before the FISA courts prevents an adequate review of the government’s legal positions, some have proposed establishing an office led by an attorney or “public advocate” who would represent the civil liberties interests of the general public and oppose the government’s applications for foreign surveillance. The concept of a public advocate is a novel one for the American legal system, and, consequently the proposal raises several difficult questions of constitutional law.”

An article for my Ethical Hackers to consider. How much would it cost to encrypt everything? Look at the list of hints and see if you can figure out how to “guess” the password.
Adobe credentials and the serious insecurity of password hints
Adobe had a little issue the other day with the small matter of 150 million accounts being breached and released to the public. Whoops. So what are we talking about? A shed load of records containing an internal ID, username, email, encrypted password and a password hint. Naked Security did a very good write up on Adobe’s giant-sized cryptographic blunder in terms of what they got wrong with their password storage so I won’t try to replicate that, rather I’d like to take a look at the password hints.
This is an interesting one from an application security perspective and the rationale basically goes like this: In order to help people remember their passwords, you give them the ability to create a “hint” or in other words, record a piece of information that will later help them recall their password. Password hints are an absolutely ridiculous security measure. The whole premise that the secret that is the password can be unlocked by referring to a retrievable user-generated piece of text is just completely nonsensical.
The other thing that’s completely nonsensical is this: Whilst Adobe encrypted their passwords (even though done poorly), password hints had absolutely no security whatsoever. Right, so protect the password but don’t protect the data that helps you determine the password!
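Here is the "guess the password" exercise worked through, as an added example of mine rather than code from the article or from Adobe. The Naked Security analysis the article points to found that Adobe's passwords were encrypted with 3DES in ECB mode and no salt, so every user with the same password has the same ciphertext. That turns the ciphertext column into a grouping key, and grouping pools the plaintext hints of everyone who chose that password. The records below are constructed and the ciphertext column holds made-up tokens standing in for the encrypted field; the contrast at the end (salted PBKDF2) is the storage scheme that leaves nothing to group on.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Added example: constructed breach records and the grouping attack that
# unprotected hints enable, followed by the storage scheme that defeats it.

SAMPLE_DUMP = """\
1001|alice@example.com|CT_A|numbers
1002|bob@example.com|CT_A|1 to 6
1003|carol@example.com|CT_A|the usual
1004|dave@example.com|CT_B|my dog
1005|erin@example.com|CT_B|pet name
1006|frank@example.com|CT_C|
"""

def parse_dump(text: str):
    """Yield (user_id, email, encrypted_password, hint) per record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        user_id, email, enc_pw, hint = line.split("|", 3)
        yield user_id, email, enc_pw, hint

def hints_by_ciphertext(text: str):
    """Group records by the encrypted-password value and pool the non-empty hints.
    With deterministic encryption, one group == one shared password, and the
    hints of three strangers ('numbers', '1 to 6', 'the usual') describe it.
    Largest groups first: the most-shared passwords are the weakest."""
    groups = defaultdict(lambda: {"count": 0, "hints": []})
    for _, _, enc_pw, hint in parse_dump(text):
        groups[enc_pw]["count"] += 1
        if hint:
            groups[enc_pw]["hints"].append(hint)
    return dict(sorted(groups.items(), key=lambda kv: -kv[1]["count"]))

# The contrast: per-user random salt plus a slow KDF. Two users with the same
# password get unrelated stored values, so the grouping step has no key.
def store_password(password: str, iterations: int = 200_000) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    for ct, info in hints_by_ciphertext(SAMPLE_DUMP).items():
        print(f"{ct}: {info['count']} users, hints: {info['hints']}")
    a, b = store_password("123456"), store_password("123456")
    print("same password, same stored value?", a == b)   # False: nothing to group on
```

Note that the hints never had to be clever for this to work; the leak is structural. Once any one member of a ciphertext group has a hint like "the usual" or has reused the password somewhere it is already known, every account in that group falls, hint or no hint. Salting removes the group, and a slow KDF makes guessing each account individually expensive.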

When you visit “” what other sites (e.g. Advertisers) see that connection?
Lightbeam – is a Firefox add-on that enables you to see the first and third party sites you interact with on the Web. Using interactive visualizations, Lightbeam shows you the relationships between these third parties and the sites you visit. As you browse, Lightbeam reveals the full depth of the Web today, including parts that are not transparent to the average user.

Talking to my students, perhaps this isn't as obvious as I thought. (They never heard how Kennedy raised the minimum wage in Massachusetts and drove the shoe industry out of the state.)
Wharton – The Complex Economics of America’s Minimum Wage
by Sabrina I. Pacifici on November 11, 2013
Wharton Public Policy commentary – “One of the most powerful arguments for raising the minimum wage is the notion of creating a “livable wage” that enables people to have the dignity of working a job that pays enough to live on and support their family. Today a person working full-time for the entire year on minimum wage earns roughly $15,000, which puts them below the poverty line for a two-person household. Raising the minimum wage purely as a poverty reduction strategy is not as straightforward as it seems, however, observers note. For one, most working-age people who live in poverty don’t have a job, and so consequently they would not benefit from such an increase. Second, many people who earn the minimum wage live in households above the poverty threshold, including high school students earning extra pocket money, retirees supplementing their Social Security and others working part-time to add to their family’s income.”

Please God, don't let my wife read my blog. Seriously, when this guy lists resources on the Internet, he lists everything.
New on LLRX – ShoppingBots and Online Shopping Resources 2014
by Sabrina I. Pacifici on November 11, 2013
Via - ShoppingBots and Online Shopping Resources 2014 - Marcus Zillman’s timely and information packed guide to ShoppingBots and Online Shopping Resources is a comprehensive listing of shoppingbot and online shopping/coupon resources and sites on the Internet. Marcus also provides a value-added section of Notes and Suggestions for Virtual Shopping to assist you with safe, effective tools, techniques and sources to ensure your online shopping will be successful in all its facets!

Monday, November 11, 2013

It can't hurt.
After the Adobe hack was disclosed, I received some emails from concerned consumers asking if there was some way they could check to find out if their details were involved.
LastPass has set up a page where you can input your email address and LastPass checks the database that was dumped online to determine if your email address was in it. Of course, we don’t know if the data dump of over 152 million records was everything the hackers had acquired, but it might be of some help. When in doubt, reset your password and do NOT use “123456.”

Great images for any PowerPoint on Surveillance.
Shanghai police crowd more than 60 surveillance cameras on single overhead bar watching one road; demolish most of them after media attention
Authorities in Shanghai's Baoshan District have installed more than 60 surveillance cameras on one four-lane section of Youyi Road, according to a NetEase report.
… Locals told reporters that in April, the poles only had 24 cameras attached, in the last few months authorities added an extra 36.
Local Shanghai English news portal Shanghai Daily later reported on Tuesday, Nov. 6, that the more than 60 cameras were installed by Shanghai Baokang Electronics Company in order to conduct equipment tests. The company removed all the cameras after attention was drawn to the apparent excessive surveillance being carried out on that one road.

Something for my Statistics students (all my Math students actually) Prepare yourselves for the horror of having Big Money offered for your Big Data skills.
The Big Data Brain Drain: Why Science is in Trouble
Regardless of what you might think of the ubiquity of the "Big Data" meme, it's clear that the growing size of datasets is changing the way we approach the world around us. This is true in fields from industry to government to media to academia and virtually everywhere in between. Our increasing abilities to gather, process, visualize, and learn from large datasets are helping to push the boundaries of our knowledge.
But where scientific research is concerned, this recently accelerated shift to data-centric science has a dark side, which boils down to this: the skills required to be a successful scientific researcher are increasingly indistinguishable from the skills required to be successful in industry. While academia, with typical inertia, gradually shifts to accommodate this, the rest of the world has already begun to embrace and reward these skills to a much greater degree. The unfortunate result is that some of the most promising upcoming researchers are finding no place for themselves in the academic community, while the for-profit world of industry stands by with deep pockets and open arms.