Saturday, December 21, 2013

At first reading, the technique is similar to that used at Target.
It’s just hitting the media today that Affinity Gaming was hit by a cyberattack earlier this year that affected customers at its 11 casinos. They were alerted to the breach by the FBI in October, and the critical period for data compromise is March 14 – October 16. Here are the relevant parts of their announcement dated December 20 that describe the breach and a second breach:
Affinity Gaming (“Affinity”) has confirmed an unauthorized intrusion into the system that processes customer credit and debit cards for its casinos, and is issuing this public notice of the data security incident and encouraging individuals who visited its gaming facilities between March 14th and October 16th of 2013 to take steps to protect their identities and financial information. Affinity regrets any inconvenience this incident may cause and has established a confidential, toll-free inquiry line to assist its customers.
Affinity has also confirmed an unauthorized intrusion into the system that processes credit and debit cards at its Primm Center Gas Station in Primm, Nevada. This intrusion began on an unknown date and it ended on November 29, 2013.
On October 24, 2013, Affinity was contacted by law enforcement regarding fraudulent charges which may have been linked to a data breach in Affinity’s system. Affinity immediately initiated a thorough investigation, supported by third-party data forensics experts who determined the nature and scope of the compromise, and confirmed that Affinity’s system has been fully secured and that its customer payments are protected. On November 14, 2013, Affinity posted notice of this incident on its website.
Affinity’s investigation, while ongoing, has also determined that its system became infected by malware, which resulted in a compromise of credit card, and debit card, information from individuals who visited its gaming facilities: Silver Sevens Hotel & Casino in Las Vegas, NV; Rail City Casino in Sparks, NV; Primm Valley Resort & Casino in Primm, NV; Buffalo Bill’s Resort & Casino in Primm, NV; Whiskey Pete’s Hotel & Casino in Primm, NV; Lakeside Hotel- Casino in Osceola, IA; St. Jo Frontier Casino in St. Joseph, MO; Mark Twain Casino in LaGrange, MO; Golden Gates Casino in Black Hawk, CO; Golden Gulch Casino in Black Hawk, CO and, Mardi Gras Casino in Black Hawk, CO. Credit or debit card data was exposed at these locations between March 14th and October 16th of 2013.

Price is a good indication of card quality. If they have 40 million saleable cards and can get $20 per, that really makes a crime like this pay. Note that the banks trust the crooks not to sell copies of the cards they buy back.
Cards Stolen in Target Breach Flood Underground Markets
Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.
… At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps was actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.
Update, 5:20 p.m. ET: In a message to consumers, Target CEO Gregg Steinhafel said Target would be offering free credit monitoring for affected customers.

If the Superintendent wasn't aware of this, who negotiated the deal? (and why do they bother having a Superintendent?) No mention of money, but this could open future cash deals, since “the data is already out there.” Does removing names provide adequate security? If I gave you information on a student named [REDACTED] that lived at 123 Fourth Street, Littleton, CO 80121, was a Senior who played Soccer and had a 3.9 GPA how long would it take to identify him or her?
Ann Dornfield reports:
KUOW has learned that the Washington state education department has signed agreements to share non-public student data with media organizations including The Seattle Times and the Associated Press. Data security experts say the agreements raise serious privacy concerns for the state’s public school students.
Do read more about this agreement and the concerns it raises on KUOW. It sounds like journalists want to do what could be useful investigative analyses and pieces that perhaps the state should be doing. But the journalists (AP and Seattle Times) can’t get the data because of FERPA so they’ve entered into contracts with the state. Very concerning….
[From the article:
The Office of the Superintendent of Public Instruction has so far promised the Times individual student and staff data dating from 2009 to this year, including individual students’ test scores on numerous state assessments, grades, school schedules, absences and discipline information. OSPI told KUOW the data would be "de-identified," meaning it would not include names of students or staff.
"Wow," said Seattle Public Schools Superintendent Jose Banda. "I wasn't aware of [this agreement], and I don’t think any of my staff was aware that this was being considered and approved."

Initial findings from the Office of the National Coordinator for Health Information Technology on ways to match patients with their data do address problems with current HIT systems and data exchanges, notes advocacy organization Patient Privacy Rights.
But there isn’t much else in the findings that the organization agrees with. In testimony at an ONC public meeting in December, PPR noted that “the findings address today’s problems without anticipating where we will be tomorrow; they did not foresee that the HITECH Act and meaningful use requirements can be used to resolve many of today’s problems without patient identity and patient matching.”
Read more on HealthData Management.

Is there a “Judge Guinness book of world records?” If not, why not?
Court Decision in Tronox Bankruptcy Fraudulent Conveyance Case Results in Largest Environmental Bankruptcy Award Ever
by Sabrina I. Pacifici on December 20, 2013
EPA Case Summary: “On December 12, 2013, the U.S. Bankruptcy Court for the Southern District of New York decided against Kerr-McGee Corporation (“Kerr-McGee”) and related companies that are subsidiaries of Anadarko Petroleum Corporation (“Anadarko”) in a fraudulent conveyance case and determined that the defendants “acted to free substantially all [their] assets – certainly [their] most valuable assets – from 85 years of environmental and tort liabilities.” The Court awarded damages between approximately $5.2 billion and $14.2 billion to the plaintiffs which, even at the low end of the damages range, is the largest amount ever awarded in a bankruptcy proceeding for governmental environmental claims and liabilities. Approximately $4.5 billion to $12.4 billion will go toward cleanup at contaminated sites across the country. As referenced in the USAO-SDNY press release, some of the key environmental recoveries for environmental liabilities and for cleanup of environmental sites are estimated to be the following based on the Court’s decision…”

Perspective. Might as well start a “Law MOOC” now and avoid the rush.
Paper – Legal Education in Crisis, and Why Law Libraries are Doomed
by Sabrina I. Pacifici on December 20, 2013
“The dual crises facing legal education—the economic crisis affecting both the job market and the pool of law school applicants, and the crisis of confidence in the ability of law schools and the ABA accreditation process to meet the needs of lawyers or society at large—have undermined the case for not only the autonomy, but the very existence, of law school libraries as we have known them. Legal education in the United States is about to undergo a long-term contraction, and law libraries will be among the first to go. A few law schools may abandon the traditional law library completely. Some law schools will see their libraries whittled away bit by bit as they attempt to answer “the Yirka Question” in the face of shrinking resources, reexamined priorities, and university centralization. What choices individual schools make will largely be driven by how they play the status game.”

Might be an interesting exercise for my Computer Security students to expand on the security portion. I'll leave it to my lawyer friends to think about the legal steps required.
How to Lead During a Data Breach
… One critical concept that we share with the participants in the National Preparedness Leadership Initiative (NPLI) at Harvard is that every crisis includes many situations, each with different contingencies and considerations. In this case, they include security, legal, law enforcement, customer relations, media, shareholder, employee, the board, card issuers and providers, regulatory, and more. While there can be overlap, each of these situations has a distinct (and sometimes conflicting) set of stakeholders, power structures, priorities, perspectives, interests, requirements, and values. For example, Communications may want to be immediately open and transparent while Legal may want to wait to more fully assess the liability exposure that such a stance could create. They each have a legitimate case. Navigating this complex web of interdependent relationships is daunting in routine times. In a crisis of this magnitude, the added pressure and higher stakes can make it overwhelming. How can an executive successfully lead through such a complex morass?

For all my students who read...
Borrow and Lend eBooks Through Open Library
If you're looking for a new-to-you ebook to read during the holidays, take a look at Open Library. The Open Library is a part of the Internet Archive. The Open Library is a collection of more than one million free ebook titles. The collection is cataloged by a community of volunteer online librarians. The ebooks in the Open Library can be read online, downloaded to your computer, read on Kindle and other ereader devices, and embedded into other sites. Some of the ebooks, like Treasure Island, can also be listened to through the Open Library.
Applications for Education
Much like Google Books, the Open Library could be a great place to find free copies of classic literature that you want to use in your classroom. The Open Library could also be a good place for students to find books that they want to read on their own. The audio option, while very electronic sounding, could be helpful if you cannot locate any other audio copies of the book you desire.

Something to look for? Only $38 away from my favorite price point.
Datawind brings a $38 Android tablet to the U.S. — on the heels of India’s cheap Aakash tablet
Datawind’s mission to deliver ultra-cheap tablets for everyone, no matter their income, is finally headed to the U.S.
Today the Canadian company announced that it will offer three of its 7-inch Android UbiSlate tablets in the United States, with the cheapest (the UbiSlate 7ci) running for a mere $38.

...never fails to amuse.
New Jersey governor Chris Christie says he will sign legislation that would allow undocumented immigrants in New Jersey to be eligible for in-state college tuition. [Making it cheaper to come from Guatemala than from Pennsylvania? Bob]
Alabama joins those states (16 in total) that allow computer science classes to count as math credit towards graduation. [Perhaps “Home Economics” could count as Chemistry? Bob]
The tech blog VentureBeat is launching an education vertical, sponsored by a subsidiary of Apollo Education Group (parent company of the University of Phoenix). VentureBeat claims it is the “first major technology news organization to dedicate a channel to how technology is transforming the global education market” which is really a stretch (Chris Dawson ran one for ZDNet for a long time). But hey, with solid research into education history like this, you know the coverage is gonna be stellar!
Students are bored in school, and Amanda Ripley is on it. She monitored Twitter for a list of their grievances. Another look at “bored at school” tweets is here.

God forbid that someday someone will take one of these “threats” seriously and take out Pyongyang. Worst case scenario? One of the drones who have been told all their lives that Kim is almost a God takes the action he believes his “Great/Dear/Glorious Leader” has commanded.
North Korea sends fax threatening to strike South Korea 'without notice': report
… A South Korean news agency reported Friday that the North has threatened to attack “without notice” in response to anti-North rallies this week — and that it sent the warning by fax.
… The threat was sent by the North Korean military, according to the Yonhap news agency. It arrived, apparently without a paper jam, at the South Korean National Security Council.

Friday, December 20, 2013

One Privacy agreement to rule them all? That should be interesting. Clearly there are several strategic objectives in conflict even in this simple summary.
Mr Moraes’ draft conclusions acknowledge the importance of the Transatlantic Trade and Investment Partnership (TTIP) agreement for economic growth and jobs in both the EU and the US. But European Parliament should consent to the deal only if it contains no references to data protection provisions, the draft text adds. “We need to ensure that strong data privacy protections are achieved separately from the TTIP”, Mr Moraes told MEPs involved in the Civil Liberties Committee inquiry.
Clear political signals that the US understands the difference between allies and adversaries are also needed, says the draft document, which urges the US authorities to draw up a code of conduct to guarantee that no espionage is pursued against EU institutions and facilities. [In short, let's go back to Secretary of State Henry L. Stimson, who famously said that: "Gentlemen do not read each other's mail." Words he likely had to eat while serving as Secretary of War from 1940-1945 Bob]
Suspend Safe Harbour and TFTP agreements
The European Commission should suspend the “Safe Harbour” principles (data protection standards that US companies should meet when transferring EU citizens’ data to the US) and re-negotiate new, appropriate data protection standards, the draft says.
The EU’s executive arm is also urged to suspend the Terrorist Finance Tracking Programme (TFTP) deal with the US until a “thorough investigation” is carried out to restore trust in the agreement. The draft also underlines that the consultations recently concluded by the Commission were based solely on US assurances. [What else? Bob]
Let’s go for an EU cloud
The draft also calls for the swift development of an EU data storage “cloud” to protect EU citizens’ data. Any of this data stored in US companies’ clouds can potentially be accessed by the NSA, it notes. An EU cloud would ensure that companies apply the high standards of EU data protection rules and there is also a potential economic advantage for EU businesses in this field, it adds.
Judicial redress for EU citizens
The draft welcomes the Commission’s wish to have the EU-US data protection framework agreement (the so-called “umbrella agreement”) approved by spring 2014, in order to guarantee judicial redress for EU citizens [Are we heading toward a global legal system? Bob] when their personal data is transferred to the US. At present EU citizens do not enjoy full and reciprocal judicial redress rights, because access to US courts is guaranteed only to US citizens or permanent residents. Completing these negotiations would restore trust in transatlantic data transfers, says Mr Moraes.
Reforming data protection rules and protecting whistleblowers
EU member states should start working immediately to achieve a Parliament/Council of Ministers agreement on the data protection reform by the end of 2014 at the latest, says the draft. The text calls for better legal protection of whistleblowers, but also points out that proper oversight “should not depend on journalists and whistleblowers”.
IT security: open source software could help
Disclosures by former NSA contractor Edward Snowden have revealed a huge weakness in the IT security of EU institutions, stresses Mr Moraes. The draft resolution proposes that Parliament’s technical capabilities and options should be properly assessed, including the possible uses of open source software, cloud storage and more use of encryption technologies.
Next steps
MEPs will now have the opportunity to table amendments to the draft resolution. It will be put to the vote by the Civil Liberties Committee at the end of January and Parliament as a whole on 24-27 February.
In the chair: Sophie in ‘t Veld (ALDE, NL) REF.: 20131216IPR31029
SOURCE: European Parliament Press Release

The UN General Assembly has unanimously called for a curb on supernormal surveillance of communications. The resolution drafted by Brazil and Germany was in response to revelations over the eavesdropping conducted by the US on a global scale.
All 193 UN member states agreed “to respect and protect the right to privacy, including in the context of digital communication.”
Read more on RT.

(Related) Can Google comply with every entity promulgating privacy laws or regulations?
Stephanie Bodoni reports:
Google Inc. (GOOG) was fined 900,000 euros ($1.2 million) by Spain’s data-protection watchdog for illegally collecting and using users’ personal data.
Google is guilty of “three serious violations” of Spanish data-privacy law for collecting personal information across nearly 100 services and products in Spain without in many cases giving details “about what data it collects, what it uses it for and without obtaining a valid consent,” the regulator said in a statement today.
Google was fined 300,000 euros for each of the three violations and ordered to take the “necessary measures without any delay to comply with the legal requirements,” said the authority.
Read more on Bloomberg News.
Of course, the fine is just petty cash to Google. The bigger and more interesting aspect is how they will respond to the order to comply with Spanish privacy law by changing their privacy policy.

“Hello, we're from the government and we're here to squelch you.” Actually a very tiny percentage of the billions and billions of ideas being posted every day. Still, it might be amusing to collect the “banned in 'country X'” data for review in other countries...
Carrie Mihalcik reports:
The number of requests Google receives from governments around the world to remove content from its services continues to rise at a rapid pace.
Google received 3,846 government requests to remove 24,737 pieces of content during the first half of 2013, a 68 percent increase over the 2,285 government removal requests the company received in the second half of 2012. Google released the updated numbers Thursday, which cover requests made from January to June 2013, as part of its Transparency Report.
Read more on CNET.

I'm giving good odds that when (not if) Congress does nothing, these lists will return.
If you missed Senator Rockefeller’s hearing on data brokers yesterday, Pam Dixon of the World Privacy Forum made a powerful point in her opening statement about how data brokers have no shame. She cited the fact that brokers were selling lists of rape victims’ names for 7.9 cents per name. It didn’t take long for the Internet and media to react.
The naming and shaming seems to have worked. Elizabeth Dwoskin reports:
A marketing company purporting to sell lists of rape and domestic violence victims removed the lists from its website Wednesday after being contacted by The Wall Street Journal.
Medbase200, a Lake Forest, Ill., company that sells marketing information to pharmaceutical companies, had been offering a list of “rape sufferers” on its website, at a cost of $79 for 1,000 names.
The company also removed lists of domestic violence victims and “peer pressure sufferers” that it had been offering for sale, until it was contacted by the Journal.
Read more on the Wall Street Journal. I think their headline suggesting that their inquiry was responsible for the broker’s reaction is a bit off. All credit goes to Pam Dixon for this one. You can view an archived copy of the hearing here.

Everything on the Internet is accessible forever. Are you surprised to learn that the pointers to data have a shelf life?
Missing Links: Access to Papers' Raw Data Plummets by 17% Each Year
Nature reported today on a study, newly published in the journal Current Biology, that tracked the raw data scientists have gathered that inform the conclusions they reach in their published papers. It was a treasure hunt for the past, basically: The large team of researchers looked for the data that informed 516 papers that were published between 1991 and 2011 in the field of ecology.
… The data-hunters' first task was to get in touch with the papers' authors. They were able to do so only in an astoundingly low 37 percent of cases, which was in part because of the rapid evolution of contact information: "The likelihood of being able to find a working e-mail address, even after an extensive online search, declined by 7 percent per year," Nature writes.
… And when the researchers were able to get in touch with the authors, their discovery was even more dire: While data for almost all of the studies published as recently as 2011 were still accessible, the chances of them remaining accessible fell by a whopping 17 percent each year. Each year. For research from the not-that-distant early 1990s, data availability dropped to as little as 20 percent.

For those rare times Google is stumped. KWIM?
– are you looking for the meanings of acronyms or internet slang? Acronyms & Slang is the freshest, largest and most comprehensive dictionary of them all. It has more than 3,500,000 descriptions of acronyms, slang, abbreviations and initialisms sorted by categories, and every day even more are added. Check out the “trending terms” to see what’s new.

For my Ethical Hackers. This works on all similar “security.”
How to steal Bitcoin in three easy steps

Thursday, December 19, 2013

No doubt this will solve all our questions and answer all our problems! (Of course, “concrete policy” in New Jersey brings visions of concrete overshoes to mind...)
Thomas Earnest writes on JustSecurity:
This afternoon, the White House released the Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies. We also have a copy of the report’s executive summary that includes forty-six concrete policy recommendations for reforming the U.S. surveillance programs, including NSA reform. Entitled Liberty and Security in a Changing World, the report itself is long, clocking in at over 300 pages, so it may take time to digest the review group’s recommendations; however, I’m sure we will have further commentary here on Just Security once we have read the recently released report.
More to follow….

Hackers Steal Credit Card Data From Up to 40 Million Target Customers
Cybercriminals have hit retail store Target with a massive data breach that may have affected 40 million customers' credit and debit card accounts.
The breach started around Black Friday, the busiest shopping day of the year in America, and has reportedly affected roughly 40,000 card devices at registers in Target locations around the country.
… In its press release acknowledging the breach, Target said "40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013."
… The cybercriminals have apparently compromised the software controlling point-of-sale systems, perhaps through a phishing attack or inserting malware with the help of an insider, according to The New York Times. That would have allowed them to intercept the numbers, expiration date, and perhaps even PINs of the cards being swiped at the register.
If that were the case — the details are still murky at this point — the criminals could create counterfeit credit and debit cards to steal money from Target customers' bank accounts, and even use them at ATMs.
Online shoppers, however, were not affected, according to multiple reports.

Definitely need to follow this one.
Sources: Target Investigating Data Breach
Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records, multiple reliable sources tell KrebsOnSecurity. The sources said the breach appears to have begun on or around Black Friday 2013 — by far the busiest shopping day of the year.
According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores.
… The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe.
… It’s not clear how many cards thieves may have stolen in the breach. But the sources I spoke with from two major card issuers said they have so far been notified by one of the credit card associations regarding more than one million cards total from both issuers that were thought to have been compromised in the breach. A third source at a data breach investigation firm said it appears that “when all is said and done, this one will put its mark up there with some of the largest retail breaches to date.”

At last, Italy came to their senses...
Peter writes:
An eight-year legal saga has now come to an end. Yesterday, in Rome, the Italian Supreme Court (Cassazione) acquitted me, as well as two other Googlers, for violating Italian privacy law in a case that stemmed from a user-generated video.
Read more on his blog.

For my Unix students.
– is a site which explains various Linux commands and what they do. If you install Linux, you have a lot to learn if you want to dive into all the various commands, and this site is a handy reference point that should be bookmarked. Below the search engine is a big list of Linux commands that you might be interested in. Just click on them for an explanation.

For all my students
Make Sure Your Dream Company Can Find You
It used to be that if you wanted to work for a certain company, you went in for an informational interview or waited for a job opening and submitted your resume. These days, you may be better off liking the company on Facebook or joining their Google+ page. That’s because smart companies are no longer waiting for the right candidates to apply. They’re actively seeking them out on social media.
Managers acquiring talent have been using social media to research job applicants for several years now, but they’ve begun to source and engage potential job candidates from social networks as well. Given that over 1 billion people are connected to a social networking site, this is a clever move.
Here are three social media tools forward-looking companies are using to find you.
People Analytics
Mobile Recruiting Apps

Wednesday, December 18, 2013

Who thinks up this stuff? (and why doesn't someone slap them?)
The headline says it all. What could possibly go wrong, right?
Read more on Tech2.

Nothing new, right? Who owns the email system?
From the that’s-not-very-nice-folks dept.:
Matthew Lloyd-Thomas and Adrian Rodrigues report:
Yale students’ email accounts are subject to search without consent or notification by the University, as outlined in a publicly available but little-publicized document.
Under the University’s Information Technology Acceptable Use Policy, the University maintains the right to access not only employee accounts, but students’ accounts as well. While 55 of 73 students interviewed were unsurprised that the University can monitor their correspondences, few were clear on the specifics under which Yale can search their accounts.
Read more on Yale Daily News.
Yeah, students don’t need no stinkin’ privacy or privacy rights.

Think there might be a market for antique cars, like mine?
I’ve covered automobile “black boxes” before and the privacy risks that electronic data recorders, if unregulated, pose. But Amadou Diallo raises some other interesting privacy questions associated with the explosive growth of 4G broadband connectivity and new apps:
But let’s suppose that you’re fine with almost any privacy trade-offs that will allow you to check your tire pressure remotely, push navigation directions to your car before leaving the house, or avoid hearing a Celine Dion ballad. When the car is the hotspot, your passengers may be forced to give up anonymity as well. Will they have to weigh privacy concerns against your offer of a ride to the beach? If your riding companion logs in to your car’s hotspot with their phone, the resulting data may make it possible to know not just where you are, but who you’re with.
Read more on Forbes.

Worth reading?
U.S. District Court Judge Opens Door on Fourth Amendment and NSA Metadata Collection
by Sabrina I. Pacifici on December 16, 2013
Politico: “A federal judge ruled Monday, December 16, 2013 that the National Security Agency program which collects information on nearly all telephone calls made to, from or within the United States is likely unconstitutional. U.S. District Court Judge Richard Leon found that the program appears to violate the Fourth Amendment ban on unreasonable searches and seizures. He also said the Justice Department had failed to demonstrate that collecting the information had helped to head off terrorist attacks… Judge Leon’s 68-page opinion is the first significant legal setback for the NSA’s surveillance program since it was disclosed in June in news stories based on leaks from former NSA contractor Edward Snowden. For seven years, the metadata program has been approved repeatedly by numerous judges on the Foreign Intelligence Surveillance Court and found constitutional by at least one judge sitting in a criminal case.”

Lawyers don't do anything for free, do they? In a perfect world, legal students would gather and catalog laws & cases.
New on LLRX – Give Open a Chance in Law
by Sabrina I. Pacifici on December 16, 2013
Via - Give Open a Chance in Law - Sarah Glassmeyer’s commentary challenges us to consider a Venn Diagram comprising the current state of legal education; the systematic failures surrounding issues of Access to Justice; and in the third circle is the Reinvent/Innovate/New Law world of individuals attempting to make the practice of law more efficient using technological solutions. Sarah then asks – What lies smack in the center of these circles? The answer – Legal Information. Read on.

(Related) ...and they get to pressure Microsoft.
Google deepens involvement in open-source patent effort
Expanding its involvement in an open-source legal defense effort, Google has joined the board of the Open Invention Network, an organization that cross-licenses patents to try to reduce the risk of lawsuits against those using Linux and other open-source software projects.
Google previously was an OIN associate member but now joins Sony, Red Hat, Novell, IBM, Philips, and NEC with the higher level of involvement.
"Linux now powers nearly all the world's supercomputers, runs the International Space Station, and forms the core of Android. But as open source has proliferated, so have the threats against it, particularly using patents," said Chris DiBona, director of open source at Google, in a blog post Wednesday. "That's why we're expanding our participation in Open Invention Network, becoming the organization's first new full board member since 2007."

Now that the quarter is over, a free statistics book my students can ignore.
OpenStax College - Free Textbooks for Students
OpenStax College is an initiative whose purpose is to create and distribute free and low-cost college textbooks. The initiative is led by Rice University. Currently, on OpenStax College students can find six free textbooks on the subjects of biology, statistics, sociology, and physics. The books can be downloaded as PDF and ePub files, viewed online, or downloaded through Apple's iBookstore (the iBook version is not free).

For my Data Analysis students...
Open Data GovLab 500
by Sabrina I. Pacifici on December 17, 2013
“The Open Data 500 is the first comprehensive study of U.S. companies using open government data to develop new products and services. The study will identify, describe, and analyze companies that use open government data in their businesses. The Open Data 500 is designed to provide a basis for assessing the value of government data; help encourage the development of new open data companies; and foster a dialogue between government and business on how government data can be made more useful. The Open Data 500 study is being conducted by the GovLab at New York University with funding from the Knight Foundation. The GovLab works to improve people’s lives by changing how we govern. Toward that end the GovLab brings together thinkers and doers who design, implement, and study technology-enabled solutions that advance a collaborative, networked approach to reinvent institutions of governance. It is an action-research center leading an interdisciplinary and global research network. The GovLab operates on the hypothesis that 21st century citizen engagement can make governance more effective and legitimate. As part of its mission, the GovLab studies how institutions can publish the data they collect as open data so that citizens can analyze and use this information to detect and solve problems. In addition to the Open Data 500, several other efforts are under way to describe and understand how civil society and the private sector can use government open data. The GovLab is coordinating work on the Open Data 500 with the World Wide Web Foundation, the Open Data Institute, the McKinsey Global Institute, and others doing important work in this field.”

Teacher stuff...
Rubrics for Blogging and Multimedia Projects
Assessment is one of the things that I'm often asked about in my blogging and website creation workshops. One of the assessment resources that I like to point out is this collection of rubrics from the University of Wisconsin, Stout. In the collection you will find rubrics for assessing student blogging, student wikis, podcasts, and video projects. Beyond the rubrics for digital projects there are rubrics for activities that aren't necessarily digital in nature. For example, you can find rubrics for writing, research, and oral presentations.
Applications for Education
These rubrics might not fit perfectly with the projects your students are working on, but they could provide a good starting point for creating your own rubrics. Perhaps you could show the rubric you're considering to your students and ask them for their input as to what they think is important to be evaluated in their projects.

For my students with I-stuff...
Tekiki Helps You Find The Best Deals For Good iOS Apps Every Day
… There are many ways to find discounted iPhone and iPad apps — from following your favorite websites for alerts, to apps such as AppsFire (our review) , AppGratis, and other deal-finding apps. But most of these methods suffer from one of three catches:
  1. They show you a bunch of lousy apps you wouldn’t touch with a stick.
  2. They’re annoying to navigate — making you fish for what you’re actually looking for in a sea of deals.
  3. They get taken down by Apple for violating something or other.
If you’re looking for a new way to discover good iPhone and iPad apps that have recently gone free, without drowning in endless options, and without worrying about Apple taking it down, it might be time to try Tekiki.
… Once you find an app you’re interested in, just click or tap the tile to be taken to the app’s page.

For my students to train their students...
The Complete Teenager’s Guide To Online Privacy [Weekly Facebook Tips]
When it comes to giving teenagers advice about online conduct, many adults have no idea what to suggest in terms of protecting their privacy and making good choices about their public image. And frankly, it’s dangerous to let teenagers figure it out entirely for themselves.
All it takes is exposure to a few important scenarios and most teenagers will understand what they need to do to protect themselves. Today we’ll discuss privacy in terms of Facebook, but the lessons will be equally valuable for any social network or activity online.
If you know a teenager who needs a bit of guidance with online privacy, get them to read this post. From now on, I’ll be addressing the teenagers directly. If you’re a parent, here’s a guide to Facebook privacy for parents.

I don't know if this works, but I'll try anything to get my students to RTFM read the freaking book!
– Are you a slow reader? Do you have trouble remembering what you read? Do you want to get more out of your day? Summarize This helps you to read faster, remember more and boost your overall productivity, by providing “just the facts”. Paste the text into the box and press the “summarize” button to get just the facts you need.

Tuesday, December 17, 2013

Another “Oops, the employee forgot to encrypt the data.” Here's another question: Does the State of Colorado have locations that cannot communicate over the Internet? Why even copy the data to a portable drive?
Jeanne Price reports:
Nearly 19,000 Colorado state workers—both current and former—could have identity protection concerns after a state worker lost a USB or thumb drive containing their personal data including Social Security Numbers (SSN).
“A state employee lost the drive while transporting it between work locations. There is no indication that this information has been misused or stolen,” a press release from the Governor’s Office of Information Technology (OIT) stated.
“The electronic file contained names, Social Security numbers and some home addresses of approximately 18,800 state personnel.
Because the state refused to provide a copy of the individual notification letter, if any of my readers is the unlucky recipient of the notification, please email me a copy of the notification letter (breaches[at] Thanks!
[From the article:
Of the 18,800 individual files determined to be on the missing data device, about 8,000 belong to current employees who will be easy to notify. An additional 10,800 are former personnel whose contact info on file could be out of date.
The drive was first discovered to be missing in late November. Some individuals now getting breach notification letters reportedly thought the letter was a fraud because it contained some questionable info.

Is no one learning from the failure of others? Or from their own failures. Small breaches, but completely avoidable.
It seems that UHS-Pruitt Corporation in Georgia reported that 1,300 patients had PHI on a laptop that was stolen on September 26, 2013.
… On September 26, 2013, a computer laptop belonging to an employee of UHS-Pruitt was stolen from the employee’s locked car.
But wait (as the commercials say), there’s more….
The December 6th press release (pdf) reads, in part:
… On October 8, 2013, the employee’s laptop was stolen from her car at her home.

Unfortunately correct.
Daniel Solove writes:
Fordham School of Law’s Center on Law and Information Policy (CLIP), headed by Joel Reidenberg, has released an eye-opening and sobering study of how public schools are handling privacy issues with regard to cloud computing. The study is called Privacy and Cloud Computing in Public Schools, and it is well worth a read.
Context: Education Privacy
What’s the greatest threat to children’s privacy? Social media sites? Search engines? Children’s sites?
The answer, in my opinion, is none of the above. The greatest threat to children’s privacy is schools.
When it comes to privacy issues, schools are in the Dark Ages. I cannot think of any other industry that is so far behind.
To which I say, “hear, hear!”
Read more on Dan’s column on

Wishful thinking?
Josh Gerstein reports:
A federal judge ruled Monday that the National Security Agency program which collects information on nearly all telephone calls made to, from or within the United States is likely to be unconstitutional.
U.S. District Court Judge Richard Leon found that the program appears to run afoul of the Fourth Amendment prohibition on unreasonable searches and seizures. He also said the Justice Department had failed to demonstrate that collecting the so-called metadata had helped to head off terrorist attacks.
Read more on Politico.
Related: Ruling (pdf).

Monday, December 16, 2013

Sometimes it's “please stay a bit further from my carrier.” Sometimes it's “stay out of my ADIZ.” Sometimes it's “how far are you prepared to go?”
U.S., Chinese warships narrowly avoid collision in South China Sea
… The incident came as the USS Cowpens was operating near China's only aircraft carrier, the Liaoning, and at a time of heightened tensions in the region following Beijing's declaration of an Air Defense Identification Zone farther north in the East China Sea, a U.S. defense official said.
Another Chinese warship maneuvered near the Cowpens in the incident on December 5, and the Cowpens was forced to take evasive action to avoid a collision, the Pacific Fleet said in its statement.

Scam du jour? Dissent's checklist would make an interesting flowchart.
Over on, a number of people are reporting that they have received notification letters for the Maricopa Community Colleges breach, but that they’ve never attended the college and have no idea why they’re receiving letters.
Today, I got an email about a breach reported on this site ( I’m redacting it, but it says:
Dear Dissent,
I found your web site when I was investigating a letter from the above doctor. In the letter, he claims that his laptop was stolen and “my” records may be on his laptop. I don’t know this doc.
In the meantime, the letter offers me free “” services.
This looks like spam, but much classier. Do you know about this?
Thanks for your diligence.
Under HITECH’s breach notification rule, breached entities must include a phone number where you can call for more information about what data a breached entity held on you. If you ever receive a breach notification letter and have no idea who the entity is or why they have data on you, call them and ask. If the phone number is for the credit monitoring service and they can’t answer your question about how the doctor got your information, call the doctor’s office directly and ask them to explain how/why they have information on you. If they won’t tell you, remember that you can file a HIPAA complaint with HHS using HHS’s online complaint system.
And don’t hesitate to google the name of any free credit monitoring service you are being offered if you suspect spam or something evil. The service mentioned in this correspondent’s email is a legitimate service, but if you’re leery that you’re being sent to a site that could steal your personal information, just check first to make sure they’re on the up and up.

You may change your mind, but Facebook never does. You have no privacy on Facebook.
Jennifer Golbeck writes:
…We spend a lot of time thinking about what to post on Facebook. Should you argue that political point your high school friend made? Do your friends really want to see yet another photo of your cat (or baby)? Most of us have, at one time or another, started writing something and then, probably wisely, changed our minds.
Unfortunately, the code that powers Facebook still knows what you typed – even if you decide not to publish it. It turns out the things you explicitly choose not to share aren’t entirely private.
Read more on The Age.

Would a surveillance video taken by a nearby business be an educational record? How about a school video of students patronizing a nearby business?
Copies of footage from surveillance cameras are not confidential educational records, the Society of Professional Journalists’ Utah chapter says. Canyons School District didn’t agree, but the SPJ hopes the Utah Court of Appeals will.
Last week, the Utah Headliners filed an amicus brief with the court, seeking to prevent what it says could be a wrongful expansion of FERPA privacy. FERPA, the Family Educational Rights and Privacy Act,
[From the article:
The plaintiff, Roger Bryner, requested copies of surveillance footage under Utah’s open records law to see if the footage showed his son in a fight with another student. When his request was denied under FERPA, he filed a complaint in district court and lost.
The school district maintains the footage is protected because it is maintained by the district and identifies the students. The Utah Headliners argue the footage is not maintained by an educational institution and is not, in fact, an educational record at all.
“A surveillance recording is used to maintain the physical security and safety of an educational institution,” attorney David Reymann wrote in the SPJ chapter’s amicus brief. “It is akin to a law enforcement record, which is expressly excluded from the definition of ‘education record’ under FERPA.”
… “If a surveillance recording is held to be an education record merely because it contains identifiable images of students, so might a videotaped recording of a school play, or footage of a football game, or a byline picture in the school newspaper, or even a yearbook photograph,” Reymann wrote.

Oh goodie, a privacy kerfuffle!
Divonne Smoyer and Aaron Lancaster write:
The U.S. Federal Trade Commission (FTC) has understandably been the focus of much attention in the data privacy world. The FTC is considered by many to be the primary U.S. data privacy regulator, and this blog has gone so far as calling the FTC the U.S.’s de facto data protection authority (DPA). We respectfully disagree. The FTC is facing unprecedented challenges, while state attorneys general (AGs), who have similar—and in some instances greater—authority, are taking more and more steps to protect the privacy of their citizens.

Any record of students talked out of this type of psychotic event? For my statistics students.
Active Shooter Events 2000-2013 – ABC Action News
by Sabrina I. Pacifici on December 15, 2013
“The FBI defines ‘active shooter’ events as incidents where a gunman arrives on a scene intending to commit mass murder. They can include events that result in no fatalities. The data on this page represents the most complete compilation of events tracked by Texas State University’s Dr. Peter Blair that have been publicly released. [Does this suggest there are some that have not been “publicly released?” Bob] To select data sets – mapped and sortable [Active Shooter Map, Details, Shooting Location, Total Victims Shot By Year, Active Shooters by Age, Increase by Years, Active Shooter Search, Active Shooter Analysis] use the drop down menu for details.”

(Related) For my Criminal Justice students
Paper – Firearms and suicides in US states
by Sabrina I. Pacifici on December 15, 2013
Firearms and suicides in US states, International Review of Law and Economics, Volume 37, March 2014, Pages 180–188. Justin Thomas Briggs and Alexander Tabarrok. Department of Economics, George Mason University, Fairfax, VA.
  • Empirical study of firearm possession and suicides at the state-level over 2000–2009.
  • Firearms are found to be very strongly related to firearm suicides, as expected.
  • Firearms are also found to be strongly related to overall suicides, despite evidence for substantial substitution in method of suicide.
  • There is evidence for a diminishing effect of guns on suicides as ownership levels increase.
  • The results hold using instrumental variables estimation, a variety of measures of gun ownership, and across a variety of sets of controls.
“Firearms play a unique role in public discourse. The US Constitution protects the right to bear arms. For some, this right represents an important safeguard against tyranny. For hunters and sportsmen, firearms enable a vibrant recreation. Firearms also play an important but largely unknown role in self-defence. [You would think the NRA (if no one else) would gather statistics on self defense... Bob] Yet in 2010, the latest year for which there are complete figures, there were 19,392 suicides, 11,078 homicides, and 606 accidental deaths by firearm, in addition to 73,505 non-fatal injuries by firearms (Centers for Disease Control and Prevention, 2012). Unfortunately, even basic information such as how many households own firearms is irregular and partly as a result there is little scientific consensus on how firearms influence violent injuries. Although the effect of firearms on homicides has been a topic of recurring debate, less attention is often given to suicide, despite there being more deaths attributable to suicide than to homicide. This may be in part because people view suicide as a private decision only affecting friends and family of the deceased, although this impact should not be minimized. But many psychological studies find that suicides are frequently impulsive decisions [as are most school shootings? Bob] (e.g. Simon et al., 2002), and that less than 10% of suicide survivors go on to successfully re-attempt suicide over the long term (Owens et al., 2002). Few suicides appear to be considered choices. In this study we specifically explore the relationship between firearm ownership rates and rates of suicide, using a newly constructed dataset covering US states from 2000 to 2009. We utilize all data from the first state-level representative survey of gun ownership, as well as four other proxies thereof, including one new to the literature. In addition, we will develop instruments for firearm ownership rates.”

My competition?
CreativeLIVE Launches Unique 24/7 Live Education Broadcast For Free Classes
CreativeLIVE is taking a lead with its 24/7 live online education broadcast network. What’s more noteworthy about the classes on offer is that they will be completely free. CreativeLive will host live classes on five free channels: Art & Design, Business & Money, Maker & Craft, Music & Audio and Photo & Video. The round-the-clock classes, seven days a week, will help you switch on your learning wherever you are in the world.
Live broadcasts of instructor-led classes are just a step away from prominence. Google recently launched Helpouts with live video as the instructional medium; Google’s offering is a mixed bag with both free and priced classes. CreativeLIVE already has an engaged community with 2 million students in 200 countries worldwide who together have consumed 1 billion minutes of free education. The educational site says an average student watches more than 3 hours of content.
The company also has a freemium model – those who miss the live broadcasts can purchase the recorded courses.

A quick way to create a “Here's how” GIF. NOTE: Source code available!
– allows you to record a selected area of your screen and save it as an animated GIF. Two versions are available (both included in a single .exe) – Legacy and Modern. The languages are English, Spanish, and Portuguese. If you choose to record with the cursor, remember that, in the editor, the cursor will not appear. Just move the window around to record what you want.