Saturday, December 07, 2013

Small, but so easily preventable. Again.
Ed Beeson reports:
Nearly 840,000 members of Horizon Blue Cross Blue Shield are being notified that their personal information may have been contained on a pair of laptops that were stolen from the insurer’s Newark headquarters last month.
The stolen laptops were password-protected, [Absolutely worthless for securing data Bob] but had unencrypted data, [“What we have here, is a failure to communicate!” Bob] Horizon said in a statement today. A subsequent investigation determined that the computers may have contained files with member information, including names, addresses, dates of birth and, in some instances, Social Security numbers and limited clinical information, the insurer said.

Is there a “Center for Helping Lawyers Deal with Breaches” that provides victims with alternative strategies and a clear picture of the legal risks of each? I often get the impression that lawyers are treating each breach as the first one ever.
The JPMorgan Chase Ucard breach reported previously on this blog affects residents of numerous states. As such, not only do I expect to see lawsuits filed, but state attorneys general will likely jump into the act to protect their respective residents. Did JPMorgan Chase promptly notify their residents and are they offering enough remediation and support? Some may argue that they haven’t in light of media reports that affected cards are not being replaced, and states will be negotiating/posturing to get more for their residents.
Here’s a statement from Connecticut’s State Treasurer. Some snippets that show which way the wind may be blowing:
My office has been advised by JPMorgan Chase that during the two-month period between July and September, certain information entered by cardholders on the UCard website — particularly during the process of activating cards and of transferring balances — was subject to unauthorized access. Such information that could have been exposed includes: name, social security number, bank account number, card number, date of birth, security answer, password, address, phone number and e-mail address.
While JPMorgan Chase represents that it has found no evidence of improper activity on these accounts since September, as a precaution – and at our direction – the company is notifying all affected cardholders that it will provide them two years of credit monitoring free of charge. Nonetheless, I am dismayed that JPMorgan Chase delayed informing my Office of this security breach for two and a half months — from mid-September, when they first learned of it, until this week. They should have picked up the phone immediately and called us. That the company failed to communicate this security breach in a timely manner raises concerns over its culture of compliance and broader governance issues.
Upon learning of this data breach on Tuesday, my Office promptly informed all state agencies affected, and we are now working with JPMorgan Chase to ensure that all affected cardholders are notified immediately. The company will explain to cardholders what specific personal information may have been compromised. My office also has been in contact with Attorney General Jepsen’s office, and has been advised that his office’s privacy task force was recently notified of the breach and will be looking into it.
Note the text I emphasized above. Connecticut insisted JPMorgan Chase offer two years of free credit monitoring. When Louisiana disclosed the breach (they were the first state to issue a statement), they said their residents will be getting one year of free credit monitoring. Will Louisiana now go back to JPMorgan Chase and insist on two years? Will other states? And will some state attorneys general attempt to impose monetary penalties on Chase for failing to notify more promptly?
Oh yeah, this is going to be an expensive breach for JPMorgan Chase….
Update: Here’s the template for JPMorgan Chase’s notification letter to those affected (pdf). If the hacker accessed passwords & JPMorgan Chase isn’t re-issuing Ucards, it’s odd that they just “recommend” people change their passwords.

“It's for health reasons. We don't want to raise anyone's blood pressure!”
Eric Boehm writes:
Americans who buy health insurance through the federal Obamacare exchange website could have their personal information stolen by hackers and never even know it.
Most of the state-run health exchange websites will be covered by state laws that require notification when government databases are breached by hackers. But there is no law requiring notification when databases run by the federal government are breached, and even though the Department of Health and Human Services was asked to include a notification provision in the rules being drawn up for the new federal exchange, it declined to do so.
Read more on Before It’s News.

E-cubed intelligence gathering. Everyone, Everything, Every day. (Because you expect us to keep you safe.)
Philip Dorling reports:
Australia’s leading telecommunications company, Telstra, has installed highly advanced surveillance systems to “vacuum” the telephone calls, texts, social media messages and internet metadata of millions of Australians so that information can be filtered and given to intelligence and law enforcement agencies.
The Australian government’s electronic espionage agency, the Australian Signals Directorate, is using the same technology to harvest data flows carried by undersea fibre-optic cables in and out of Australia.
Read more on The Age.

Sounds like they have better lawyers than the FTC...
The creator of one of the most popular apps for Android mobile devices has agreed to settle Federal Trade Commission charges that the free app, which allows a device to be used as a flashlight, deceived consumers about how their geolocation information would be shared with advertising networks and other third parties.
Goldenshores Technologies, LLC, managed by Erik M. Geidl, is the company behind the “Brightest Flashlight Free” app, which has been downloaded tens of millions of times by users of the Android operating system. The FTC’s complaint alleges that the company’s privacy policy deceptively failed to disclose that the app transmitted users’ precise location and unique device identifier to third parties, including advertising networks. In addition, the complaint alleges that the company deceived consumers by presenting them with an option to not share their information, even though it was shared automatically rendering the option meaningless.
The settlement with the FTC prohibits the defendants from misrepresenting how consumers’ information is collected and shared and how much control consumers have over the way their information is used. The settlement also requires the defendants to provide a just-in-time disclosure that fully informs consumers when, how, and why their geolocation information is being collected, used and shared, and requires defendants to obtain consumers’ affirmative express consent before doing so.
The defendants also will be required to delete any personal information collected from consumers through the Brightest Flashlight app. [“Including data we already sold to our many customers?” Bob]
The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through Jan. 6, 2014.

“I believe that you might have done something in Seattle that violated my Privacy here in London. Maybe. Possibly.” Somehow, I don't see this working...
Fiona O’Cleirigh reports:
A British citizen’s UK court action will test the legal right of Microsoft to disclose private data on UK citizens to the US electronic spying organisation, the National Security Agency (NSA).
The case will shine a light on the legality of top secret US court orders which require US technology companies to disclose details of foreign users’ private communications.
Kevin Cahill, a British journalist, has brought the case in the Lord Mayor’s and City of London County Court. The case centres on Cahill’s belief that Microsoft breached the security of his email account.

Another tool for my Intro to Computer Security students...
Telepathwords from Microsoft Research Shows You the Weakness of Your Password
Telepathwords from Microsoft Research is a simple site designed to show you the strength or weakness of your passwords. As you type a password (either one you actually use or one you're thinking of using) into Telepathwords it tries to predict the next character that you will type. Telepathwords shows you the three most common characters that follow the character you typed. When you're done typing you'll see green check marks and red "Xs" above your password's characters. Green means that character is easy to predict and red means it is not easy to predict.
Telepathwords could be a good resource to use with students of all ages when you're trying to illustrate the qualities that go into a strong password.
The following videos offer some good advice about crafting passwords.
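To make the "predict the next character" idea concrete, here is an added example (my own code, not Microsoft Research's Telepathwords implementation): a small character n-gram model trained on a constructed list of common passwords, which marks each typed character as predictable (among the top three guesses, the green check) or not (the red X). The corpus, the order-2 context and the top-3 cutoff are assumptions chosen for illustration.

```python
"""Simplified imitation of the Telepathwords idea: predict the next character
of a password from character n-gram statistics and mark each character as
predictable (top-3 guess) or not. Added example, not the real tool's code."""
from collections import Counter, defaultdict

# Constructed sample corpus of common passwords. Real predictors use far
# larger leaked-password lists; this one is small enough to read.
SAMPLE_CORPUS = [
    "password", "password1", "password123", "passw0rd", "pass1234",
    "123456", "12345678", "1234567890", "qwerty", "qwerty123",
    "letmein", "welcome", "welcome1", "iloveyou", "monkey", "dragon",
    "football", "baseball", "sunshine", "princess", "abc123", "admin",
]
START = "^"  # sentinel padding so the first characters also get a context


class NextCharPredictor:
    """Counts which character follows each context of length 0..order."""

    def __init__(self, corpus, order=2):
        self.order = order
        self.counts = defaultdict(Counter)
        for word in corpus:
            padded = START * order + word
            for i in range(order, len(padded)):
                for n in range(order + 1):
                    ctx = padded[i - n:i]      # n=0 gives "" (unigram counts)
                    self.counts[ctx][padded[i]] += 1

    def top_guesses(self, prefix, k=3):
        """Most likely next characters after `prefix`, longest context first.

        Falls back to shorter contexts when the full context was never seen,
        so unusual prefixes still produce a (weak) prediction."""
        padded = START * self.order + prefix
        for n in range(self.order, -1, -1):
            ctx = padded[len(padded) - n:] if n else ""
            if ctx in self.counts:
                return [ch for ch, _ in self.counts[ctx].most_common(k)]
        return []


PREDICTOR = NextCharPredictor(SAMPLE_CORPUS, order=2)


def score_password(password, predictor=PREDICTOR, k=3):
    """True (green: predictable) per character if it was among the top-k
    guesses given everything typed before it, else False (red)."""
    return [ch in predictor.top_guesses(password[:i], k)
            for i, ch in enumerate(password)]


def unpredictable_count(password, predictor=PREDICTOR, k=3):
    """How many characters the model failed to guess; higher is better."""
    return score_password(password, predictor, k).count(False)


def render(password, predictor=PREDICTOR, k=3):
    """Two-line display in the style of the site: marks above the password."""
    marks = "".join("✓" if ok else "✗" for ok in score_password(password, predictor, k))
    return marks + "\n" + password


if __name__ == "__main__":
    for pw in ("password1", "zq!7Lm#v"):
        print(render(pw))
        print(f"unpredictable characters: {unpredictable_count(pw)}/{len(pw)}\n")
```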

Friday, December 06, 2013

Hack Attack: Hackers Steal Over 2 Million Passwords From Facebook, Twitter, Yahoo and Other Sites

What's in your “Hacking Folder?”
How Many Zero-Days Hit You Today?
… Frei pored over reports from and about some of those private vendors — including boutique exploit providers like Endgame Systems, Exodus Intelligence, Netragard, ReVuln and VUPEN – and concluded that jointly these firms alone have the capacity to sell more than 100 zero-day exploits per year.
According to Frei, if we accept that the average zero-day exploit persists for about 312 days before it is detected (an estimate made by researchers at Symantec Research Labs), this means that these firms probably provide access to at least 85 zero-day exploits on any given day of the year.

There are probably hundreds of simple “how to buy technology” models out there. Using any one of them would have prevented this. Note that like all “failing” bureaucracies, no one is responsible...
The rollout of iPads in Los Angeles Unified School District (LAUSD) is becoming a classic case study of what not to do when implementing any innovation, whether it is high-tech or low-tech. I wrote about the adoption of the innovation six months ago.
What is clear now is that teachers and principals were excluded from the decision-making process. The Total Cost of Operation (TCO) was a mystery to the Board of Education who made the decision. And the initial deployment of the devices was so botched that the pilot project was put on hold. Phase 2 and the eventual distribution of devices to all LAUSD students remains to be decided once errors have been sorted out.

Making life simpler...
Google Data Download
Google users can now download a copy of their Gmail and Google Calendar data. The new feature, built into the Google Takeout service, is being rolled out “over the next month.” Until then Google advocates can obtain an archive file of data from a host of other Google services, including Google+, Google Drive, Google Hangouts, and YouTube. All we need now is for Google to sort out the YouTube comments mess and life will be great once more.

Toeing The Line: 4 Things To Keep In Mind When Web Browsing At Work
cyberslacking (n.) The act of avoiding work and/or other responsibilities by scouring the Internet in search of games or other non-work related amusements. Also known as goldbricking.
Tip #1: You Have No Privacy
Tip #2: Never Download Anything
Tip #3: Avoid Illegal Content
Tip #4: Use Incognito Mode

I'm cheap and I like lists.
Dozens of Web Tools That Don't Require Registration
A couple of nights ago someone on Twitter asked me for recommendations for web tools that her middle school students could use without having to register to use them. My first thought was to consult Nathan Hall's long list of registration-free web tools for students. Nathan's list is divided into twenty-five categories. Some of the categories of most interest to teachers are online whiteboards, survey/poll tools, chart/graph tools, annotation tools, document creation tools, and photo & drawing tools.
Applications for Education
Using web tools that don't require registration to use can save you and your students time as you can jump right into an activity without having to struggle with usernames and passwords. The downside to using registration-free web tools is that often you don't have an option for saving your work other than downloading it directly to your computer or sharing it to another service like Evernote or Google Drive which do require registration.

I have no talent in this area, but I have a few students who do...
Advice on Creating Infographics from the Author of Cool Infographics
Infographics are everywhere these days. I post some on this blog from time to time. A well-designed infographic can convey a lot of information in a concise package. An infographic that has a poor design is just a poster. Randy Krum is the president of Info Newt, a firm that specializes in data visualization and infographic design. He's also the author of the blog Cool Infographics and a book of the same name. Randy was kind enough to send me a copy of the book. I devoured the book in two cross-country flights last month.
Business people are the target audience for Cool Infographics, but there are some take-aways from the book that apply to anyone who is thinking about creating an infographic. For example, Randy emphasizes the need to identify the one central story that you want to convey with your infographic before you build the infographic. Since his book is targeted to a business audience, I asked Randy what advice he had for teachers interested in having students create infographics.
Cool Infographics contains a chapter devoted to the concept of using infographics as resumes or biographies:
Click here for a sample chapter of Cool Infographics.

(Related) ...and today's more specific advice.
Five Good Online Tools for Creating Infographics
… In his book Randy devotes a chapter to design tools. Many of the tools used by professional designers cost hundreds or thousands of dollars. But you don't have to spend anything if you want your students to try their hands at creating a data visualization in the form of an infographic. Here are five free tools that your students can use to create infographics.

Dilbert explains why I don't Facebook...

Thursday, December 05, 2013

This shouldn't surprise anyone...
Allison Bell reports:
The federal agency that enforces health data security regulations did a poor job of protecting the data it was using in its own investigations.
Officials at the Office of Inspector General at the U.S. Department of Health and Human Services announced that conclusion in this latest report.
Thomas Salmon and other HHS OIG staffers were looking at the efforts of the HHS Office for Civil Rights to enforce the Health Insurance Portability and Accountability Act health data Security Rule.
Read more on Benefits Pro.

Jenna Green reports what’s on the FTC’s wish list for legislation:
Ramirez said she favors making the FTC the sole federal agency in charge of enforcing a uniform set of national data breach notification requirements. Such requirements would compel businesses to notify consumers of a data breach promptly, and also to notify credit bureaus. The FTC has urged Congress to give the agency civil penalty authority against companies that fail to maintain reasonable security.
Ramirez also said she supported making the federal rules supersede state requirements—and to make the rules enforceable by both the FTC and state attorneys general. Further, she said a violation of data breach requirements should be deemed an unfair or deceptive act in commerce, and thus subject to FTC authority under the FTC Act.
Read more on, as there’s much more to their wish list but I’m just focusing on breach notification in this post.
Of course, some of the proposed federal data breach notification laws did make the FTC the responsible federal agency for enforcement, but not all of them do. And as I’ve argued repeatedly for lo, these many years, a federal data breach notification law that supersedes the patchwork of state laws is a great idea – but only if it is as strong as the strongest existing state law so that consumers do not lose protections they currently have. The federal law would also need to encompass data in all formats and clarify who has the responsibility to notify consumers when the data loss or breach occurs at a contractor or vendor. And of course, it needs to have some safe harbor provisions that would encourage entities to implement rigorous security.
And while we’re on the subject, see Adam Greenberg’s report on why breach notification laws are likely to remain state-by-state.

Not voluntary because he was surrounded by cops? How many cops does it take to be intimidated? (One with his gun in hand would probably work for me)
Orin Kerr writes:
Yesterday the Fourth Circuit handed down an interesting Fourth Amendment decision in United States v. Robertson, involving a consent search at a bus shelter. It’s a rare published decision from the Fourth Circuit, with a divided vote, and my tentative view is that the dissent is correct.
As I understand the facts, several officers converged on the bus shelter (which I assume something like this) to try to figure out if any of the people at the shelter knew of a foot chase involving a gun that had just been reported in the area. Robertson was one of the men sitting at the bus shelter, and he was approached by Officer Welch. Welch asked Robertson, “Do you have anything illegal on you?”, but Robertson remained silent. Welch then waved Robertson toward him and said, “Do you mind if I search you?” Robertson stood up, walked two yards towards Officer Welch, turned around, and raised his hands above his head. Welch interpreted that as consent, and conducted a search. The search recovered a firearm, and that led to charges for illegal firearms possession.
Read more on The Volokh Conspiracy.

Well, that's why there is a Supreme Court. OR, does the exemption cover anything I do on a regular basis?
Julia Love reports:
A pair of Silicon Valley judges have dramatically parted ways on how much wiggle room email providers have under federal wiretap laws to gather user information.
In an order issued Tuesday evening, U.S. Magistrate Judge Paul Grewal of the Northern District of California tossed a class action that accused Google of violating users’ privacy by harnessing their personal data across various products. Grewal ruled in In re Google Privacy Policy Litigation, 12-1382, that Google’s practices fall under an exemption in federal anti-surveillance laws for activities conducted by communications service providers in the “ordinary course of business.” Congress crafted that phrase to cover a wide range of activity, he concluded, siding with Google’s lawyers at Durie Tangri.
“The amended complaint fails to allege any interception that falls outside the scope of this broad immunity,” he wrote in a 30-page order.
That philosophy appears to clash with the thinking of U.S. District Judge Lucy Koh, who refused to let Google off the hook in another pending privacy suit.

“We can, therefore we must!” Even if it doesn't really work too well yet.
Glyn Moody writes:
One of the reasons that the total surveillance programs of the NSA and GCHQ are possible is that computers continue to become more powerful and cheaper, allowing ever-more complex analyses to be conducted, including those that were simply not feasible before. Here’s another example of the kind of large-scale monitoring that is now possible, as reported by Nikkei Asian Review:
NEC announced that it has developed the world’s first crowd behavior analysis technology. Based on the simulated behavioral patterns exhibited by people in emergencies, the system is designed to detect any abnormalities in the behavior of congested public places.
Read more on TechDirt.

I'm a sucker for a good infographic...
A Visual History of Computers

Very slick!
Pop Up Archive Transcribes and Tags Sounds, Searches Historical Broadcasts
Initially started as a project at University of California, Berkeley, Pop Up Archive is a new tool to help journalists, media, archivists, historians and others easily find and reuse sound.
“As we launch Pop Up Archive publicly, our goal has grown much bigger. We want to make it easy for all storytellers to find and reuse recorded sound. Now, anyone can visit to make audio findable through auto-transcription, auto-tagging, and easy-to-use sound management tools. We’re gathering thousands of hours of sounds from around the world, audio collections large and small — and they’re all waiting to be discovered,” says Anne Wootton, one of the co-founders.
After having made an audio recording, users can upload it to Pop Up Archive, which automatically transcribes it and issues timestamps, making it easy to search for the recordings. The sounds are indexed so they can be recovered by keyword, date, contributor, location and more. Transcribing isn’t new, of course, and tools like Voicebase already offer that.
“We’ve done the heavy lifting and tethered lots of services in one place: transcription, cataloging, storage, preservation, a hypermedia API, and a platform for processing large amounts of digital sound,” Pop Up Archive says in its description.
Right now, you can visit the website and search through the archives that it has stored, in partnership with Public Radio Exchange (PRX). You can hear Buster Keaton explaining silent film captioning; Chicago Mayor Rahm Emanuel’s plans for his city; and the future of Bitcoin.
There’s thousands of hours of great audio waiting to be discovered at the Pop Up Archive.

Wednesday, December 04, 2013

This is worth keeping in the “Hacker Folder”
Introducing “Have I been pwned?” – aggregating accounts across website breaches
… As I analysed various breaches I kept finding user accounts that were also disclosed in other attacks – people were having their accounts pwned over and over again. So I built this:
The site is now up and public at so let me share what it’s all about.
Just after the Adobe breach, a number of sites started popping up that let you search through the breach to see if your email address (and consequently your password) was leaked. For example there was this one by Ilias Ismanalijev, here’s another by Lucb1e and even LastPass got on the bandwagon with this one. When I used the tool to check my accounts, I found both my personal and work accounts contained in the breach. I had absolutely no idea why!
The most likely answer is that I did indeed create accounts on Adobe, perhaps as far back as in the days when I was using Dreamweaver to build classic ASP whilst it was still owned by Macromedia. The point is that these accounts had been floating around for so long that by the time a breach actually occurred I had no idea that my account had been compromised because the site was simply no longer on my radar.
But of course Adobe is not the only searchable breach online, there’s also one for Gawker, another for LinkedIn passwords (emails and usernames weren't disclosed) and so on and so forth. Problem is, there’s not a tool to search across multiple breaches, at least not that I’ve found which is why I’ve built

This is worth telling your Computer Security managers about.
Report – Linux Worm Targeting Hidden Devices
by Sabrina I. Pacifici on December 3, 2013
“Symantec has discovered a new Linux worm that appears to be engineered to target the “Internet of things”. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. Variants exist for chip architectures usually found in devices such as home routers, set-top boxes and security cameras. Although no attacks against these devices have been found in the wild, many users may not realize they are at risk, since they are unaware they own devices that run Linux. The worm, Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild. The worm utilizes the PHP ‘php-cgi’ Information Disclosure Vulnerability (CVE-2012-1823), which is an old vulnerability that was patched in May 2012. The attacker recently created the worm based on the Proof of Concept (PoC) code released in late Oct 2013. Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures. Linux is the best known open source operating system and has been ported to various architectures. Linux not only runs on Intel-based computers, but also on small devices with different CPUs, such as home routers, set-top boxes, security cameras, and even industrial control systems. Some of these devices provide a Web-based user interface for settings or monitoring, such as Apache Web servers and PHP servers…”
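For the security managers this is being forwarded to, here is an added example (my own code, not Symantec's or the worm's) of how to spot CVE-2012-1823 probing in web server logs before an unpatched box is found: the bug is that php-cgi treats a query string containing no "=" as command-line arguments, so a PHP target whose raw query string lacks "=" and decodes to something beginning with "-" is the tell. The Apache combined-format log lines, the IP addresses and the directive name in the sample are all constructed.

```python
"""Detect the php-cgi argument-injection request pattern (CVE-2012-1823)
that the text says Linux.Darlloz spreads with, by scanning Apache
combined-format access logs. Added example; constructed sample input."""
import re
from urllib.parse import unquote_plus

# Apache "combined" format: ip ident user [timestamp] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Paths typically answered by php-cgi: *.php, /cgi-bin/php*, php5-cgi, ...
PHP_PATH_RE = re.compile(r'(\.php\d?$|/php\d?-cgi|/cgi-bin/php)', re.IGNORECASE)

# Constructed sample lines. Two are probes of the CVE-2012-1823 pattern
# (the directive name is a placeholder), the rest are benign or garbage.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Dec/2013:09:12:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [03/Dec/2013:09:12:05 +0000] "GET /status.php?verbose HTTP/1.1" 200 120 "-" "curl/7.22"',
    '203.0.113.5 - - [03/Dec/2013:09:13:40 +0000] "POST /cgi-bin/php?-d+example_directive%3d1 HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.5 - - [03/Dec/2013:09:13:41 +0000] "POST /cgi-bin/php5?-h HTTP/1.1" 200 98 "-" "-"',
    '192.0.2.9 - - [03/Dec/2013:09:14:00 +0000] "GET /cgi-bin/stats.cgi?-h HTTP/1.1" 404 0 "-" "-"',
    'garbage line that is not in combined format',
]


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def is_cgi_arg_injection(path, raw_query):
    """True when the request matches the CVE-2012-1823 shape.

    Per the CGI spec, a query string with no '=' is passed to the script as
    argv; a vulnerable php-cgi then honours options such as '-d'. The check
    uses the RAW query (attackers encode '=' as %3d to keep it argv-shaped)
    and decodes only to see whether the first argument starts with '-'."""
    if not raw_query or "=" in raw_query:
        return False
    if not PHP_PATH_RE.search(path):
        return False
    return unquote_plus(raw_query).lstrip().startswith("-")


def scan(lines):
    """Return (ip, method, target) for every line that matches the pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_cgi_arg_injection(rec["path"], rec["query"]):
            hits.append((rec["ip"], rec["method"], rec["target"]))
    return hits


if __name__ == "__main__":
    for ip, method, target in scan(SAMPLE_LOG):
        print(f"php-cgi argument injection attempt from {ip}: {method} {target}")
```

A hit from a host that then shows a second request fetching a binary is exactly the "downloads the worm from a malicious server" step the report describes, so the source IP and the target path are the two fields worth alerting on.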

So, some good is coming out of this mess?
How the Snowden leak is changing the tech landscape
Leading technology firms including Google, Apple, Microsoft and Yahoo have been working to rebuild users' trust after the disclosure that the NSA can access information on their servers. For Google, this has involved announcing efforts to increase the encryption used for data travelling between the company's data centres, which the Washington Post revealed was being accessed by the NSA, as well as joining legal calls for the release of more government information at users' request.
Other technology startups have taken more drastic action. Lavabit, a secure email provider reportedly used by Edward Snowden, the NSA whistleblower, shut down after the government requested a back door into its systems. Another company, Silent Circle, closed its email service shortly afterwards.

(Related) But could we go too far? I see this as an argument based on weak assumptions. We do not need to know what a message contains to know that people who regularly email known terrorists have a connection to that terrorist. Failure to encrypt simply makes determining if our known terrorist is a leader or a follower or someone who regularly writes his mother much easier.
Adam Henschke writes:
Ex-National Security Agency (NSA) employee Edward Snowden’s various leaks – the most recent being a slide showing that the NSA infected 50,000 computer networks with remote-controlled spyware – confirm that state intelligence agencies around the world have been collecting and analysing people’s behaviour online for years.
Many people now feel that their online privacy and anonymity have been undermined – particularly as major service providers like Google, Facebook and Apple have been compromised. In response, some email service providers (such as Yahoo! last week) are now offering full encryption of users’ data.
While privacy is generally seen as morally desirable, the ethical issues surrounding encryption technologies require some closer investigation. In order to properly assess such things, we need to assess not just the claims but the moral foundations upon which they are based.
What, then, are the main moral justifications for encryption? What are the arguments against it? And finally, what responsibilities do encryption service providers owe their clients and the public at large?
Read more on Business Spectator.

Is it easy to draft a model bill? I doubt it, but it might make for an interesting thought exercise...
Benjamin Herold writes:
An influential legislative-advocacy group’s promotion of a model bill meant to protect the privacy of student data sends a strong signal that the hot-button issue will be debated in statehouses around the country in lawmakers’ 2014 sessions.
The template being provided to state lawmakers by the controversial American Legislative Exchange Council, known as ALEC, would require state school boards to appoint a “chief privacy officer,” create a data-security plan, publish an inventory of all student-level data being collected by the state, make sure that contracts with some vendors include privacy and security provisions, and ensure compliance with federal privacy laws.
Read more on Education Week, but the full article is behind a paywall.

...and in the US you worry about being fired.
North Korean leader's power broker uncle ousted: South Korea
North Korean leader Kim Jong-Un's uncle, seen as his nephew's political regent and one of the most powerful men in the country, has apparently been ousted and several associates executed, South Korea's spy agency said on Tuesday.
… If confirmed, Jang's ouster would mark the most significant purge at the top of North Korean leadership since Kim Jong-Un succeeded his late father Kim Jong-Il in December 2011.
According to the NIS, Jang was "recently ousted from his position and two of his close confidantes - Ri Yong-Ha and Jang Soo-Kil - were publicly executed in mid November", lawmaker Jung Cheong-Rae told reporters.

(Related) ...and here's how they do it in China.
20,000 Chinese officials penalized for being too bureaucratic
The Chinese government has punished over 20,000 officials in the country’s rural areas this year as part of the Communist Party’s nation-wide campaign, aimed at cutting down bureaucracy and excessive ceremony.

Perspective They still have a bit of a way to go to overtake the dollar, but keep watching...
RMB now 2nd most used currency in trade finance, overtaking the Euro
by Sabrina I. Pacifici on December 3, 2013
News release: “Recent SWIFT data shows that RMB (Chinese Yuan) usage in traditional trade finance – Letters of Credit and Collections – grew from an activity share of 1.89% in January 2012 to 8.66% in October 2013, propelling the RMB to the second most used currency in this market. It ranks behind the USD, which remains the leading currency with a share of 81.08%. The RMB overtook the Euro, which dropped from 7.87% in January 2012 to 6.64% in October 2013 and is now in third place. The top 5 countries using RMB for trade finance in October 2013 were China, Hong Kong, Singapore, Germany and Australia. ‘The RMB is clearly a top currency for trade finance globally and even more so in Asia, as shown by SWIFT’s business intelligence statistics on the pace at which China’s exporters and importers and their counterparts use the RMB for Letters of Credit’, says Franck de Praetere, Head of Payments and Trade Markets, Asia Pacific, SWIFT. In October 2013, the RMB remained stable in its position as the #12 payments currency of the world, with a slightly decreased activity share of 0.84% compared to 0.86% in September 2013. Overall, RMB payments increased in value by 1.5% in October 2013, whilst the growth for all payments currencies was at 4.6%.”

I could click once and this entire blog would become a book. (There's a App for that) Would it be worth doing?
Are paper books becoming obsolete in the digital age, or poised to lead a new cultural renaissance?
by Sabrina I. Pacifici on December 3, 2013
Papyralysis by Jacob Mikanowski
Are paper books becoming obsolete in the digital age, or poised to lead a new cultural renaissance?
November 14th, 2013
The following is a feature article from the inaugural issue of the LARB Quarterly Journal.
“WE’RE LIVING IN A WEIRD MOMENT. Everything has become archivable. Our devices produce a constant record of our actions, our movements, our thoughts. Forget memory: if we wanted to, we could reconstruct every aspect of a life with an iPhone and some hard drives. But at the same time, physical archives seem to be fading away. Once, they were supported by a whole ecology of objects and institutions, including prints, presses, notebooks, letters, diaries, manuscripts, and marginalia. Now, each of these is vanishing, one after another. Letters don’t get written. Handwriting’s been forgotten. Presses crumble. Paper molders. And everyone agrees: the book is next to go. Of course it won’t happen all at once. Maybe it isn’t even happening now. Digital books are increasingly popular — but paper books are more popular still. Publishing is a mess — unless you’re a giant multinational or a thriving independent. Readership is in decline — but that depends on what you think ought to be read. Paper is a frustrating anachronism — and our offices and homes are full of it. The clash of technologies that we’re living through is probably less a case of the silents vs. the talkies than of radio vs. TV. However popular e-readers become, paper books will still be able to carve out a space in their shadow, at least in the short term. But how long will the short term last? It used to be possible to imagine books disappearing in the distant future. Now it feels like even money that it’s going to happen within our lifetimes… For almost 2,000 years, a technology called the codex held a monopoly on the physical form of truth. The codex was made popular by members of the early Christian church, who gathered individual scrolls and letters between two covers, creating a bible. With time, the Christian book replaced the pagan scroll, and ever since, our relationship to the format has been tinged by a reverence that’s at once reflexive and frequently denied. 
The written word has long been held to be close to the sacred. Milton thought that books made better receptacles for human souls than bodies. Jews and Muslims in the Middle Ages refused to throw out any texts, lest they inadvertently destroy the name of G-d. Perhaps the purest expression of the idea that books are a form of life comes in the story told by the Mandeans, an Iraqi people who practice a gnostic religion. One of the Mandeans’ great sages was a creature named Dinanukht, who was half-book and half-man. He sat by the waters between worlds, reading himself until the end of time…”

For my wife, the “Power Shopper”
WindowShopper – instantly compare prices on any product on any site in the US, UK, Germany, France, Canada or Australia. WindowShopper will present products from more than 50,000 stores including Amazon, eBay, Best Buy, Newegg, Macys, Nordstrom, Overstock, Staples, Target, and Walmart. Our index covers over 200 million products in practically every product category.

I know people who look for people...
FREE EBOOK: Research Your Family Tree Online
Online, PDF, EPUB, Amazon. No password or registration required.

There is no such thing as “too much research.”
Video - How to Use Google Books for Research
Google Books can be a good research tool for students if they are aware of it and know how to use it. In the video below I provide a short overview of how to use Google Books for research. You can also find screenshots of the process here.

Tuesday, December 03, 2013

Monday I reported for Jury Duty. Apparently they didn't think I would make a good juror. (Could have been the “Hang 'em all” T-shirt) However, I was impressed by the security. You could tell the guys working the gate were from the jail next door. The TSA amateurs don't bother to have you remove your wrist watch or to go through your “metal objects” manually before scanning them. At least five times faster too with a smaller crew.

Would you recognize this as bogus? Watch the video. Note how he removes the skimmer; doing so might prevent theft of your card data!
Simple But Effective Point-of-Sale Skimmer
… A few months back, this blog spotlighted a professionally made point-of-sale skimmer that involved some serious hacking inside the device. Today’s post examines a comparatively simple but effective POS skimmer that is little more than a false panel which sits atop the PIN pad and above the area where customers swipe their cards.

Nicole Tachibana, one of the young (they all look young to me) lawyers developing the Privacy Foundation Blog, sent this interesting observation. I'll just add that it is the best snapshot of a politician's mind I have ever seen!
Sen. Rockefeller has been leading an investigation into the privacy practices of data brokers and websites. I was just wondering what his privacy policy looked like. It is, to be polite, very simple.

We can make people safer by ensuring 24 hour surveillance!
CBS New York reports:
The NYPD wants business owners to help solve crime in one Harlem precinct by turning their security cameras to the street.
As 1010 WINS’ Gary Baumgarten reported Saturday, police believe crime has spun out of control in the 32nd Precinct, which is bounded by St. Nicholas and Bradhurst avenues on the west, 127th Street on the south, and the Harlem River on the north and east.
With that in mind, the Precinct Cmdr. Rodney Harrison has asked local businesses to help the NYPD by turning their security cameras outward in an attempt to capture crime and assist police in capturing criminals. The program has been dubbed “Grid Search.”
Read more on CBS.

(Related) As more “personal surveillance tools” come into daily use, Big Brother no longer seems so evil.
Sometimes Joe Cadillic sends me links to articles that infuriate me. This is one of them.
Victoria Woollaston reports:
It’s bad enough checking your partner’s phone when they leave the room, or taking a peek at their Facebook page, yet a new app takes this level of snooping not just a step further, but a giant leap forward.
The mSpy app works on select smartphones including Apple, Android, BlackBerry and Windows Phone and can be used to gain access to an unprecedented level of personal information.
It records phone calls, tracks a person’s location, lets users remotely read texts, Skype, Facebook and Viber messages, view browsing history and even see how much battery the phone has left.
Read more on Daily Mail.
My Spy (mSpy) claims that the person doing the spying must own the device being tracked, or the person being tracked must give their permission. And they verify that… how? Oh, look, here’s their disclaimer on their web site:
My Spy (mSpy) is designed for monitoring your children, employees or others on a smartphone or mobile device that you own or have proper consent to monitor. You are required to notify users of the device that they are being monitored.
Or what? Well, according to their site:
My Spy Legal Agreement
It is considered a federal and/or state violation of the law in most cases to install surveillance software onto a mobile phone or other device for which you do not have proper authorization, and in most cases you are required to notify users of the device that they are being monitored. Failure to do so may result in a violation of federal or state laws, if you install this software onto a device you do not own or if you do not have proper consent to monitor the user of the device.
We absolutely do not endorse the use of our software for illegal purposes.
In order to purchase and download surveillance software from My Spy, you must consent to and agree with the following conditions:
  1. You acknowledge and agree that you are the legal owner of the mobile phone or device onto which the software is installed, or that you have received the expressed, written consent of the device owner granting you the right to be the authorized administrator of the phone, its content and its users.
  2. If you install My Spy software onto a phone that is not owned by you, or for which you do not have proper consent, we are obligated to comply with law enforcement officials to the fullest extent of the law in these instances, or any instance where this use is deemed to be illegal by local, state or federal law. This obligation includes providing to the proper authorities any and all requested customer data, and any other purchase-related or product-oriented information.
  3. You agree that you will gain knowledge of all local, state and federal laws to ensure that you are in compliance with all laws and restrictions in your specific geographic region. It may be illegal in your area to monitor other individuals on a device whether or not you own the device. You agree that you will under no circumstances monitor any adult without their expressed prior knowledge and consent.
  4. You agree to the conditions in our End-User License Agreement, and you acknowledge and agree that My Spy is not liable for any incidental damage to you or your device, nor for any litigation or legal action that may arise as a result of the use, abuse or misuse of mSpy.
So it’s a pinky swear privacy protection system, it seems. I wonder how much their business would drop off if they sent a confirming email to the user of the device?

Expect more like this, if anyone bothers to ask...
Nursing Careers Allied Health has an article on patient privacy breaches when health care professionals use social media. Perhaps the most concerning finding of the study they discuss is that most nurses did not even think that what they were doing was a breach of privacy. From the article:
In the Nursing Times study, 27 per cent of nurses revealed they use social media to share stories about working life.
Forty one per cent of nurses in the survey reported their colleagues used social media inappropriately, 32 per cent of those posts contained information about patients and 12 per cent featured photos of patients.
Ms Bickhoff says one of the most common mistakes nurses make is believing their decision not to name a patient means they are not breaching patient privacy.

Perhaps we could send a couple bloggers to report what happens? Or a Professor to set them straight?
Mark your calendars! From the FTC:
This spring, the Federal Trade Commission will host a series of seminars to examine the privacy implications of three new areas of technology that have garnered considerable attention for both their potential benefits and the possible privacy concerns they raise for consumers.
As the tools available to track, market to and analyze consumers – often without their knowledge – grow, businesses are able to meet consumers’ demands more efficiently and effectively. But these tools may also carry significant risks to consumers’ privacy. The seminars, taking place over three months, will shine a light on new trends in Big Data and their impact on consumer privacy. The topics will include:
  • Mobile Device Tracking – tracking consumers in retail and other businesses using signals from their mobile devices. 10 a.m. to noon, Feb. 19, 2014
  • Alternative Scoring Products – using predictive scoring to determine consumers’ access to products and offers. 10 a.m. to noon, March 19, 2014
  • Consumer Generated and Controlled Health Data – information provided by consumers to non-HIPAA covered websites, health apps and devices. Date and location TBD

Good on ya, China! Nice to know someone took over when the US dropped out. Perhaps China will let us share some of the benefits, eventually and for a price.
China launches ‘Jade Rabbit’ rover to moon, precursor to manned mission
China took a significant step toward eventually landing a person on the moon with Monday’s successful launch of a rocket carrying its first moon rover, the “Jade Rabbit.”
The rocket blasted off from southwestern China at 1:30 a.m. Monday, a day after India’s maiden Mars orbiter left Earth’s orbit on its journey to the red planet, in what some observers characterize as Asia’s new space race.

Monday, December 02, 2013

Saves me the time and effort. Thanks, EFF.
EFF Introducing a Compendium of the Released NSA Spying Documents
by Sabrina I. Pacifici on December 1, 2013
EFF – “The ongoing NSA leaks, Freedom of Information Act lawsuits and government declassification continue to bring vital information to the public about the ongoing efforts of the NSA and its allies to spy on millions of innocent people. What started out as news detailing the agency’s collections of users’ calling records, phone calls, and emails now includes NSA’s attack on international encryption standards and breaking into the data center links of companies like Yahoo! and Google. The news reports will continue to come and are often grounded in documents like PowerPoint slides, pictures, and internal government reports. Because of the flood of information, we’ve decided to compile the documents in a chart that will serve as part of our NSA Spying resource. The chart attempts to compile all of the documents released by the newspapers and the government, with the exception of Foreign Intelligence Surveillance Court orders. It lists the date of publication, the original source and a short description of the contents. The key documents will also be toggled on our timeline of NSA spying. Our NSA Spying resource was created last year and is intended to serve as a comprehensive public resource. It links to EFF’s lawsuits challenging the spying, includes an understanding of the NSA’s domestic surveillance programs, provides an interactive timeline, and discusses word games the intelligence community uses. As EFF’s litigation and public advocacy continues, we will keep these pages updated and expand the information included. Our compilation will complement similar efforts by the ACLU and Cryptome.”

This complies with their policies? Does it comply with law? Logic?
Nancy Townsley reports:
Last Friday’s arrest of a Brown Middle School eighth-grader sparked a right-to-privacy furor after cell phones belonging to students who recorded the teenager’s outburst were confiscated by district staff.
Read more on Hillsboro Tribune.
[From the article:
Five or six students used their cell phones as recording devices “despite being asked [by staff] to put their phones away, disregarding behavior expectations” at Brown, said Graser. District policy states that students are allowed to have personal communication devices at school as long as their use does not disrupt the learning environment.
In this case, Graser said, Principal Koreen Barreras-Brown and her staff were concerned about the “glorification” of the arrested student’s behavior if video snippets started showing up on Facebook or other social media — while at the same time wishing to preserve the student’s dignity.
“Any kind of student discipline is a private matter,” said Graser.
Students complied when asked by staff for passwords to unlock their phones so their phone activity could be reviewed, she added, and none of them were disciplined.

Do you have to be honest? If so, it will never work.
New on LLRX – UsBook: Toward a family-friendly Facebook alternative to preserve your memories and help future historians
by Sabrina I. Pacifici on December 1, 2013
David Rothman’s commentary focuses on how the Digital Public Library of America is still on track to be a mostly academic creature despite the P word in its name. But David supports innovative, creative and value-added goals that with proper focus, can bolster the DPLA onto the level of a world-class academic digital library system, as opposed to siphoning off badly needed resources and other forms of support from public librarians who should be forming their own e-system.

Does I write right?
A Few Tools That Make It Easy To Analyze Your Writing
One of the traps that many student writers fall into is overusing favorite phrases and adjectives. I've edited and graded enough essays over the years to confirm this. There are a couple of tools that can help students avoid overusing the same phrases and adjectives.
WordCounter is a simple tool that writers can use to identify the words that they use most frequently in their text. To use WordCounter, simply copy and paste text into WordCounter, then select how many words should appear in your "frequently used" list. To improve the utility of your "frequently used words" list, you can tell WordCounter to ignore small words (like "it" or "the") and to use only root words.
StoryToolz offers a few tools to help you edit your work. The Cliché Buster analyzes your work to find clichés that you have used in your writing. The Readability tool analyzes your text to estimate a reading level on several scales.
Last spring at the Massachusetts School Library Association's conference Pam Berger presented the idea of using word clouds to help students analyze documents. Wordle is the "old reliable" of word cloud creation tools. Some other options for creating word clouds are Tagul, Tagxedo, and ABCya's Word Cloud Generator.

This could be very useful.
MathDisk - Create and Share Interactive Math Worksheets
MathDisk is a service that teachers can use to develop interactive mathematics worksheets. Through MathDisk's "Math Builder" tool you can design mathematics models that your students can use online. The models and worksheets you develop online can also be downloaded to use offline if you also install the MiBook software on your desktop or on your Android device.
If you don't have time to create new materials, the MathDisk gallery has pages of models and worksheets that you can choose from. Everything in the gallery, like everything you create through MathDisk, can be downloaded and/or embedded into your own website or blog.
The video below offers an overview of the MathDisk's features.
MathDisk offers an extensive playlist of tutorial videos for new users. That playlist is embedded below.