Saturday, December 28, 2013

How important is it to get your facts (and the potential risks) correct? Is it better to say, “I don't have that information in front of me, let me check and get back to you?” In every “incident” I was involved with as an Auditor, we started by documenting how data flowed through the processes involved. Later we could look at each step and the potential for something inappropriate to happen.
Four days after a computer was stolen from Inspira Medical Center Vineland, the hospital still can’t say whether there was any patient data on it?
That’s absurd. Just ask the staff who were using it whether they entered patient data on it. If they say “Yes, we used it for every radiology patient,” then you have your answer. You may not know which patients or what data yet, but at least you’d be able to say whether patient data was on it or not. Significantly, perhaps, the employee who reported the theft to the police told them that patient data was on the computer.
If HHS investigates this incident, I expect they’ll want to know how it is that after four days, the hospital couldn’t say whether any patient data were on a computer. Doesn’t that suggest a lack of inventory or safeguards at the very least?

First they said it wasn’t, now they say it was but not to worry… Read Chris Welch’s report on The Verge.
[From the article:
Class action lawsuits accusing Target of not doing enough to protect consumer data are already starting to pile up.

There is a problem in believing that what you can see (or what you read in a newspaper) is everything there is to see.
Reuters reports:
A U.S. judge has concluded that the National Security Agency’s sweeping collection of telephone data is lawful, rejecting a challenge by the American Civil Liberties Union to the program.
U.S. District Judge William Pauley in Manhattan on Friday said there was no evidence that the government had used any of the so-called “bulk telephony metadata” it had collected for any reason other than to investigate and disrupt terrorist attacks.
Read more on Reuters. The AP covers the ruling here.
You can read the ruling here (pdf).
There’s a lot there to digest, none of it good news for privacy advocates from the parts I’ve skimmed so far. Of note, Judge Pauley found that Congress had ratified the Section 215 program as interpreted by the Executive Branch when they reauthorized FISA after having the opportunity to review a classified document that noted that it required the collection of “substantially all” telephone calls. The judge noted that not all members of the House had read the document, but concluded that the Executive branch has fulfilled its obligation by providing the memo.
So… we have members of Congress to thank for failing to read what they could have read? Would they have blocked the reauthorization of FISA had they been paying more attention?

NEW YORK – A federal court issued an opinion and order in ACLU v. Clapper, the ACLU’s challenge to the constitutionality of the NSA’s mass call-tracking program, ruling that the government’s bulk collection of phone records is lawful under Section 215 of the Patriot Act and under the Fourth Amendment. The court denied the plaintiffs’ motion for a preliminary injunction and granted the government’s motion to dismiss the case. Judge Pauley’s ruling conflicts with last week’s ruling by a federal judge in Washington, D.C., that the mass call-tracking program violates the Fourth Amendment. The ACLU plans to appeal the ruling to the Second Circuit Court of Appeals.
The plaintiffs filed the lawsuit on June 11, 2013, less than a week after the mass call-tracking program was revealed by The Guardian newspaper based on documents obtained from NSA whistleblower Edward Snowden.
“We are extremely disappointed with this decision, which misinterprets the relevant statutes, understates the privacy implications of the government’s surveillance and misapplies a narrow and outdated precedent to read away core constitutional protections,” said Jameel Jaffer, ACLU deputy legal director. “As another federal judge and the president’s own review group concluded last week, the National Security Agency’s bulk collection of telephony data constitutes a serious invasion of Americans’ privacy. We intend to appeal and look forward to making our case in the Second Circuit.”

Why clutter the intelligence space with useless data? The answer is, they don't! If there is no evidence that they stopped a terrorist attack, ask what value they do find in this data? How would you use the data?
Ryan Goodman has a post on Just Security that is part of an ongoing dialogue* about the report by the President’s Review Group. Ryan writes:
The question I consider in this post is whether the Group’s assessment will, and should, signal the effective demise of the program. I examine the strongest claims that proponents of the program may still raise; and I propose some analytic tools for considering the issue of effectiveness, so that we might all (proponents, opponents, and others alike) candidly assess this particular program’s potential security benefits.
Read his commentary on Just Security.
*[Editor’s Note: Just Security is holding a “mini forum” on the Report by the President’s Review Group on Intelligence and Communications Technologies. Others in the series include a post by Marty Lederman analyzing the Report’s highlights, post by Julian Sanchez examining the scope of the NSA's section 702 program, a post by David Cole and Marty Lederman analyzing how metadata is used under section 215, and a post by Jennifer Granick discussing the implications for non-US persons (with a follow-up post by Jennifer).]

For my students. (I'm curious to see how the government thinks we should calculate...)
Get Calculators and Worksheets to Evaluate Your Finances
by Sabrina I. Pacifici on December 27, 2013
“Calculators are an essential tool to help you evaluate your current financial situation, and to get you where you want to be in the future. They can tell you if you are in the “ballpark” for retirement, and help you analyze fees associated with mutual funds and 529 Plans. Here are just a few of the tools you’ll find on
  • 401(k) and IRA Required Minimum Distribution Calculator: After age 70½, you are generally required to start withdrawing money from your IRAs and 401(k)s. Find out the minimum amount you’ll need to withdraw, depending on your age and the value of your accounts.
  • Compound Interest Calculator: Find out how much your money can grow, using the power of compound interest.
  • Social Security Retirement Estimator: Get personalized benefit estimates to help you plan for retirement.
  • Worksheet for Determining Your Net Worth: Use this worksheet to list your assets and debts.
  • Worksheet for Tracking Your Income and Expenses: Keeping track of your income and expenses will help you stay on track with your financial goals.”

For my students who read (There are some!) NOTE: I did skip a couple... Load these into Calibre to organize and move to various devices.
Supercharge Your eBook Reading With IFTTT
… As you probably already know, IFTTT is just the hack you’re looking for. This great automation service can be used for anything from superpowering Google Calendar to making money, and yes, it can also be used to supercharge your eBook reading. From finding eBook deals to automatically sending articles to your Kindle, these are all the recipes you need.
This recipe is based on the website FreeBooksHub — a website dedicated to finding Kindle deals.
This recipe takes any RSS feeds you’re interested in, and sends any new items to your Kindle. Who said your Kindle is just for books?
… define a Dropbox subfolder in your Public folder (for example, public/kindle), which automatically transfers files to your Kindle.
Readability has a feature that lets you connect your Kindle to your Readability reading lists. You can check out this help page to find out more about setting it up.
This recipe monitors the Gold Box feed for the “Kindle” keyword, and emails you only when a relevant deal appears. When using the recipe, you can change the keyword to anything you want, so if it’s not Kindle you’re interested in, the recipe is still very useful.

For my Android toting students...
– draws the attention of people who care about you at times of need, and makes it easier for them to find you. Create response groups based on locations you visit frequently, and add people who care about you to each group. Whenever you don’t feel safe, start SafeSpot.

I can't help thinking that I could make more money selling individual “How to” lessons at $1 per, than I could teaching full time.
From Cooking To Coding: Learn And Teach Lessons On
If you have the time and inclination to explore a new hobby, prepare a gourmet meal, learn how to code, or pick up a few health and beauty tips, the online learning site and mobile app,, offers hundreds of free or low cost video tutorials on a wide range of topics. launched last summer and is similar to Khan Academy, Udemy,, and other online course sites. Its online platform was recently expanded into an iPhone app, followed by its iPad version which released this August.
… Each Curious lesson is broken down into interactive sections with a few multiple-choice review questions at the end of each lesson. Some lessons may include PDF handouts, links to other resources, and a feature for leaving comments and asking questions.
… Curious includes a Curious Lesson Builder platform for creating lessons, and uploading video content to the site. Instructors get their own individual web page (, and for paid lessons, teachers receive 70% and Curious gets 30% of the paid tuition. Lessons can easily be shared to social networks, and all uploaded content remains non-exclusive and owned by the instructors.

Well, I find it amusing...
A judge has ruled that Sherlock Holmes (and the other characters and elements of Arthur Conan Doyle’s series) is no longer covered by US copyright law and is now in the public domain.
A judge has ruled that the Douglas County (Colorado) school district “violated the state’s Fair Campaign Practices Act when it hired Rick Hess to author a positive report about school reforms that it later e-mailed to 85,000 subscribers in the weeks before the November election.” All’s fair in

Friday, December 27, 2013

Haven't I been saying this?
Alan Dershowitz rips Edward Snowden: ‘We have an absolute right’ to spy on other countries
… In particular, Dershowitz slammed Snowden for bringing to light the agency’s surveillance activities against other countries, saying they “raise some questions, but [were] not unconstitutional.”
“We have an absolute right under our Constitution to listen to the prime minister of Israel, to listen to the chancellor of Germany,” Dershowitz said. “That is not a constitutional issue, and yet he disclosed — or people working on his behalf — the fact that we are using surveillance abroad, outside the country, where the Constitution does not apply.”

Interesting. Are we back to the same “anti-Iran” agreements we had before Saddam invaded Kuwait?
U.S. sending missiles and surveillance drones to Iraq to help combat Al-Qaeda-backed violence: NYT
The United States is sending Iraq dozens of missiles and surveillance drones to help it combat a recent surge in Al-Qaeda-backed violence, the New York Times reported on Thursday.
The weapons include a shipment of 75 Hellfire missiles purchased by Iraq, which Washington delivered to the country last week, the Times reported.
The daily wrote that 10 ScanEagle reconnaissance drones — smaller versions of the larger Predator drones that once were frequently flown over Iraq — are expected to be sent by March. [Meanwhile, they can hand deliver the missiles Bob]

Looks like telecom is in the contraction phase already.
Report: Owners of Sprint in final stages of deal for T-Mobile
Sources say that SoftBank will make a $19 billion bid for 70 percent of T-Mobile.
On Wednesday, the Nikkei news agency cited unnamed sources who said that SoftBank, the company that owns a majority of Sprint, was “in the final stages of talks with T-Mobile's German parent, Deutsche Telekom.” News of a merger between Sprint and T-Mobile hit in early December, with the Wall Street Journal reporting that Sprint’s parent company was wary of trying to merge with T-Mobile like AT&T had years earlier, only to see its efforts thwarted by the Department of Justice and the Federal Communications Commission.

I'm not sure my students plan over much, but if they do, this looks interesting.
– Convert your Basecamp Project, Google Calendar or Trello Board to a Gantt Chart. Explain your plans to others using one simple chart. See how all your activities relate in time and find bottlenecks in a matter of seconds. It is free and there is no need to register.
… Ganttify is provided to you by Tom's Planner. Tom's Planner is an online Project Planning tool used by more than 150k users worldwide.
(To create a Gantt chart from scratch check out!)

Thursday, December 26, 2013

For my Computer Security and Ethical Hacking students. You can see that keeping our “academic efforts” below a couple of million BPS won't even make their list.
Digital Attack Map displays global DDoS activity on any given day
by Sabrina I. Pacifici on December 25, 2013
“The Digital Attack Map is a live data visualization of DDoS attacks around the globe, built through a collaboration between Google Ideas and Arbor Networks. The tool surfaces anonymous attack traffic data to let users explore historic trends and find reports of outages happening on a given day.”

Another fine nit to pick. Sic 'em, lawyers!
Orin Kerr discusses an interesting question and ruling:
A recent case, United States v. Young (D. Utah, December 17, 2013) (Campbell, J.), touches on a novel, interesting, and quite important question of Fourth Amendment law: Assuming that e-mail account-holders generally have Fourth Amendment rights in the contents of their e-mails, as courts have so far held, when does a person’s Fourth Amendment rights in copies of sent e-mails lose Fourth Amendment protection?
To understand the question, consider Fourth Amendment rights in postal letters. Before a letter is sent, only the sender has rights in the letter; during transmission, both the sender and recipient have rights in the letter; and once the letter is delivered at its destination, the recipient maintains Fourth Amendment rights but the sender’s rights expires. But how do you apply this to an e-mail? By analogy, a sender loses Fourth Amendment rights in the copy of the e-mail that the recipient has downloaded to his personal computer or cell phone. But does the sender have Fourth Amendment rights in the copy of the e-mail stored on the recipient’s server after the recipient has accessed the copy? And does the sender have Fourth Amendment rights in the copy of the e-mail stored on the recipient’s server before the recipient has accessed the copy? At what point does the sender’s Fourth Amendment rights in the sent copy expire?
Read more on The Volokh Conspiracy.

Hotels don't have to, but they can. All that suggests is that hotels could sell the data to anyone who wanted it. (Police, paparazzi, divorce lawyers) Perhaps asking police to pay for records would limit the gathering?
Joe Palazzola reports:
While federal courts in New York and Washington mull the constitutionality of the National Security Agency’s bulk collection of phone records, a panel of judges in California has answered another weighty Fourth Amendment question: Do we have an expectation of privacy in our hotel guest records?
No, we do not, the Ninth U.S. Circuit Court of Appeals ruled Tuesday.
But hotels do have an interest in keeping their records private, and so, in a gift to privacy advocates, the appeals court struck down a Los Angeles ordinance that required operators to produce information about their guests to police officers, upon request, without a warrant. The information included a guest’s name and address, the number of people in the party, vehicle information, arrival and checkout dates, room number and method of payment.
Read more on WSJ.
I’m glad we got something, but I still detest the third party doctrine that says we lose our expectation of privacy by turning over our information to a business. The business has a property interest/privacy expectation, but we don’t. That needs to change.

(Related) Not sure I agree that gathering “suspicious activity reports” is ever a bad idea. It's what happens after the tip that could be a waste of time.
New Report: Police Intelligence Gathering Lacks Standards, Threatens National Security and Civil Liberties
by Sabrina I. Pacifici on December 25, 2013
“Gaps in local-federal intelligence sharing systems jeopardize national security investigations and threaten Americans’ civil liberties, according to a new Brennan Center report. National Security and Local Police, the most comprehensive survey of counterterrorism policing since 9/11, finds that police are operating without adequate standards and oversight mechanisms, routinely amassing mountains of data – including personal information about law-abiding Americans – with little or no counterterrorism value. The Brennan Center’s findings are based on dozens of freedom of information requests, in addition to surveys and interviews with police departments, Joint Terrorism Task Forces, and data sharing centers nationwide. The Brennan Center’s new report shows how the lack of consistency and oversight in local counterterrorism programs directs resources away from traditional police work, violates individual liberties, undermines community-police relations, and causes important counterterrorism information to fall through the cracks. The Boston Marathon bombing exemplifies how critical information can get lost in a din of irrelevant data.”

My interest in how poorly the “Music Industry” (actually music labels) has incorporated technology is matched by how smart individual bands seem to be... Note that this makes no money for the music label, only for the band itself.
How Iron Maiden found its worst music pirates -- then went and played for them
… A U.K. company called Growth Intelligence aggregates data on U.K. companies to offer them a real time snapshot of how their company is performing. They capture everything from real-world data, like hiring of employees, to online indicators like email to online discussion.
Its stats were compiled for the London Stock Exchange "1000 Companies That Inspire Britain" list. On that list were six music firms that outperformed the music sector, one of them being Iron Maiden LLP, the holding company for the venerable heavy metal band.
… Enter another U.K. company called Musicmetric, which specializes in analytics for the music industry by capturing everything from social media discussion to traffic on the BitTorrent network. It then offers this aggregated information to artists to decide how they want to react. Musicmetric noticed Iron Maiden's placement and ran its own analytics for the band.
… In the case of Iron Maiden, still a top-drawing band in the U.S. and Europe after thirty years, it noted a surge in traffic in South America. Also, it saw that Brazil, Venezuela, Mexico, Colombia, and Chile were among the top 10 countries with the most Iron Maiden Twitter followers. There was also a huge amount of BitTorrent traffic in South America, particularly in Brazil.
Rather than send in the lawyers, Maiden sent itself in. The band has focused extensively on South American tours in recent years, one of which was filmed for the documentary "Flight 666." After all, fans can't download a concert or t-shirts. The result was massive sellouts. The São Paulo show alone grossed £1.58 million (US$2.58 million).
And in a positive cycle, Maiden's online fanbase grew. According to Musicmetric, in the 12 months ending May 31, 2012, the band attracted more than 3.1 million social media fans. After its Maiden England world tour, which ran from June 2012 to October 2013, Maiden's fan base grew by five million online fans, with a significant increase in popularity in South America.

A real exercise for my Computer Security students. If you really want to understand your “Internet footprint” this will help.
How To Make Yourself Disappear Online Completely
If you’re looking to drop from the Webosphere completely in an attempt to remain anonymous, we can help. The process is arduous and there are several key steps you’ll need to take along the way.

I need more time!
The Best Free Education Web Tools Of 2013
… Thankfully, the folks over at Edublogs have put together this great that is filled to the brim with the best education tools, and the best part is that they’re all free!

Wednesday, December 25, 2013

It's that time of year again. Rather than a heartfelt “Bah, Humbug!” allow me to offer you…


Please accept with no obligation, implied or implicit, our best wishes for an environmentally conscious, socially responsible, low stress, non-addictive, gender neutral, celebration of the northern hemisphere winter solstice, practiced within the most enjoyable traditions of the religious persuasion of your choice, or secular practice of your choice, with respect for the religious/secular persuasions and/or traditions of others, or their choice not to practice religious or secular traditions at all. And a fiscally successful, personally fulfilling and medically uncomplicated recognition of the generally accepted calendar year 2014, but not without due respect for the calendars of choice of other cultures whose contributions to society have helped make our country great, and without regard to the race, creed, color, age, physical ability, religious faith, sexual orientation or choice of computer platform and operating system of the wishee.

By accepting this greeting, you are accepting these terms:

1. The greeting is subject to clarification or withdrawal.
2. It is freely transferable with no alteration of the original greeting.
3. It implies no promise by the wisher to actually implement any of the wishes for her/himself or others.
4. It is void where prohibited by law, and
5. It is revocable at the sole discretion of the wisher.

This wish is warranted to perform as expected with the usual application of good tidings for a period of one year or until the issuance of a subsequent holiday greeting, whichever comes first, and warranty is limited to replacement of this wish or issuance of a new wish at the sole discretion of the wisher.

[This is what happens when you hang out with lawyers. Bob]

Let me repeat. You really don't need to know the names to establish that “Known Terrorist #402” is repeatedly calling a cell phone in New Jersey and that cell phone is then calling three other phones.
Research – MetaPhone: The NSA’s Got Your Number
by Sabrina I. Pacifici on December 24, 2013
by Jonathan Mayer, a grad student at Stanford - Co-authored with Patrick Mutchler – via the Web Policy Blog
“MetaPhone is a crowdsourced study of phone metadata. If you own an Android smartphone, please consider participating. In earlier posts, we reported how automated analysis of call and text activity can reveal private relationships, as well as how phone subscribers are closely interconnected.
“You have my telephone number connecting with your telephone number,” explained President Obama in a PBS interview. “[T]here are no names . . . in that database.” Versions of this argument have appeared frequently in debates over the NSA’s domestic phone metadata program. The factual premise is that the NSA only compels disclosure of numbers, not names. One might conclude, then, that there isn’t much cause for privacy concern. This line of reasoning has drawn sharp criticism. In a declaration for the ACLU, Ed Felten noted:
“Although officials have insisted that the orders issued under the telephony metadata program do not compel the production of customers’ names, it would be trivial for the government to correlate many telephone numbers with subscriber names using publicly available sources. The government also has available to it a number of legal tools to compel service providers to produce their customer’s information, including their names.”
When Judge Richard Leon granted a preliminary injunction against the program last week, he expressed a similar view:
The Government maintains that the metadata the NSA collects does not contain personal identifying information associated with each phone number, and in order to get that information the FBI must issue a national security letter (“NSL”) to the phone company. . . . Of course, NSLs do not require any judicial oversight . . . meaning they are hardly a check on potential abuses of the metadata collection. There is also nothing stopping the Government from skipping the NSL step altogether and using public databases or any of its other vast resources to match phone numbers with subscribers.
(Senator Dianne Feinstein issued a statement in response, reiterating that “no names” are coerced from the phone companies in bulk.)
So, just how easy is it to identify a phone number? Trivial, we found. We randomly sampled 5,000 numbers from our crowdsourced MetaPhone dataset and queried the Yelp, Google Places, and Facebook directories. With little marginal effort and just those three sources—all free and public—we matched 1,356 (27.1%) of the numbers. Specifically, there were 378 hits (7.6%) on Yelp, 684 (13.7%) on Google Places, and 618 (12.3%) on Facebook. What about if an organization were willing to put in some manpower? To conservatively approximate human analysis, we randomly sampled 100 numbers from our dataset, then ran Google searches on each. In under an hour, we were able to associate an individual or a business with 60 of the 100 numbers. When we added in our three initial sources, we were up to 73. How about if money were no object? We don’t have the budget or credentials to access a premium data aggregator, so we ran our 100 numbers with Intelius, a cheap consumer-oriented service. 74 matched. [The results we obtained from Intelius were seemingly spottier than from Yelp, Google Places, and Facebook.] Between Intelius, Google search, and our three initial sources, we associated a name with 91 of the 100 numbers. If a few academic researchers can get this far this quickly, it’s difficult to believe the NSA would have any trouble identifying the overwhelming majority of American phone numbers.”
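The two points above (a contact chain needs no names, and names are cheap to attach afterward) can be shown on a few constructed call records. The following is an added example, not code from the MetaPhone study: every phone number, call record and the "public directory" (a stand-in for the Yelp, Google Places and Facebook lookups the study describes) is made up, and the function names are my own.

```python
"""Contact chaining and re-identification over phone metadata.
Added example, not from the MetaPhone study: all call records, numbers
(555-01xx is the reserved fictional range) and directory entries are constructed."""
from collections import Counter, defaultdict

# Constructed call-detail records: (caller, callee, duration in seconds).
CDRS = [
    ("202-555-0101", "201-555-0150", 300),
    ("202-555-0101", "201-555-0150", 120),
    ("202-555-0101", "201-555-0150", 45),
    ("201-555-0150", "201-555-0160", 60),
    ("201-555-0150", "201-555-0170", 90),
    ("201-555-0150", "201-555-0180", 30),
    ("201-555-0160", "201-555-0170", 10),
    ("201-555-0180", "212-555-0190", 500),
    ("303-555-0123", "303-555-0124", 15),
]

# Constructed stand-in for the free public directories MetaPhone queried;
# it deliberately covers only some of the numbers, as real directories do.
PUBLIC_DIRECTORY = {
    "201-555-0160": "Example Pizza, Newark NJ",
    "201-555-0180": "J. Doe (public profile)",
    "212-555-0190": "Example Dental Group, NYC",
}

def build_graph(cdrs):
    """Undirected contact graph; edge weight is the number of calls between a pair."""
    graph = defaultdict(Counter)
    for a, b, _duration in cdrs:
        graph[a][b] += 1
        graph[b][a] += 1
    return graph

def contact_chain(graph, seed, hops=2, min_calls=1):
    """Return {number: hop distance} for every number within `hops` of `seed`,
    following only edges with at least `min_calls` calls. No names are needed."""
    reached = {seed: 0}
    frontier = [seed]
    for hop in range(1, hops + 1):
        next_frontier = []
        for num in frontier:
            for neighbor, calls in graph[num].items():
                if calls >= min_calls and neighbor not in reached:
                    reached[neighbor] = hop
                    next_frontier.append(neighbor)
        frontier = next_frontier
    return reached

def resolve_names(numbers, directory):
    """Second step: attach names from a public directory. Returns (matches, rate)."""
    matches = {n: directory[n] for n in numbers if n in directory}
    rate = len(matches) / len(numbers) if numbers else 0.0
    return matches, rate

def analyze(seed="202-555-0101", hops=2, min_calls=1):
    """Chain outward from `seed`, then try to name every contact found."""
    chain = contact_chain(build_graph(CDRS), seed, hops=hops, min_calls=min_calls)
    contacts = [n for n in chain if n != seed]  # the seed itself is not scored
    names, rate = resolve_names(contacts, PUBLIC_DIRECTORY)
    return chain, names, rate

if __name__ == "__main__":
    chain, names, rate = analyze()
    for number, hop in sorted(chain.items(), key=lambda kv: kv[1]):
        print(f"hop {hop}: {number} -> {names.get(number, '(no directory hit)')}")
    print(f"{len(names)} of {len(chain) - 1} contacts resolved ({rate:.0%})")
```

With the constructed data, two hops from the seed number reach four contacts and the directory names half of them; raising `min_calls` to 2 prunes the one-off calls and shrinks the chain to the single frequent contact, which is the kind of threshold an analyst would tune and a privacy reviewer would want documented.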

Is buying data stolen from an individual (or an organization that individual deals with) a Fourth Amendment violation? I would say it was clearly unethical, yet we see it a lot. Both Germany and France paid for stolen Swiss banking records, for example.
Fred Grimm comments:
Major League Baseball, in its zeal to nail A-Rod and other accused juicers, paid thousands for stolen medical records.
Not that we don’t relish the prospect of overpaid jocks getting their comeuppance, but there’s a small problem with trafficking in stolen property. It’s stolen.
Florida law’s not fuzzy about the legality of “dealing in stolen property.” A state statute puts it bluntly. “Any person who traffics in, or endeavors to traffic in, property that he or she knows or should know was stolen shall be guilty of a felony of the second degree.”
The legislature, in writing the statute, failed to include an exception for Major League Baseball. No worries. It has become apparent, as this latest baseball doping scandal unfolded, that MLB investigators are allowed to operate beyond legal restraints that hamper less exalted elements of society.
Read more on Miami Herald.

A discussion point for my Intro to Business students.
Sell Your Product Before It Exists
… The most recent standout in the class of “vaporgoods” is Coin, which straddles the divide between software and hardware. If you haven’t seen the promos yet, Coin is a new device that aggregates all of your information from credit, debit, and even loyalty cards and can be swiped just like a regular credit card. Coin’s makers first launched a $50,000 crowdfunding campaign and, after hitting their goal inside of 40 minutes, are continuing to take pre-orders at half the future retail price. It’s unknown how many units of the device have now been pre-sold. However, the real success isn’t in the amount of cash Coin raises; it’s that the minds behind Coin have proven there’s a market demand for their product using the only research method that counts: the market itself.

This could be very handy for my next book. (My next one will be my first) Also for my website students.
– is a free converter tool for documents produced by Microsoft Word and similar office software. Word to clean HTML strips out invalid or proprietary tags, leaving clean HTML behind for use in webpages and eBooks. Simply paste your text into the box then click the “convert to clean HTML” button.

Tuesday, December 24, 2013

Something my Ethical Hackers should consider. Will we look back at Syria as the first true “Digital Battlefield,” even though it is very one sided (that we can prove) and targeted at non-combatants as well as the “rebels.” No violation of the “laws of war” (Is it?) but how do you counter?
Social Engineering and Malware in Syria: EFF and Citizen Lab’s Latest Report on the Digital Battlefield
by Sabrina I. Pacifici on December 23, 2013
“More than two years into the Syrian conflict, the violence continues both on the ground and in the digital realm. Just as human rights investigators and weapons inspectors search for evidence of chemical weapons, EFF and the University of Toronto’s Citizen Lab have been collecting, dissecting, and documenting malicious software deployed against the Syrian opposition. Citizen Lab security researchers Morgan Marquis-Boire and John Scott-Railton and EFF Global Policy Analyst Eva Galperin today published their latest technical paper, Quantum of Surveillance: Familiar Actors and Possible False Flags in Syrian Malware Campaigns. The report outlines how pro-government attackers have targeted the opposition, as well as NGO workers and journalists, with social engineering and “Remote Access Tools” (RAT).”

Very nice summary.
Really really helpful post over on 451 Security. Here’s the intro:
I’ve written this post for two reasons. First, the recent Target breach has led to some confusion, which I will try to clear up here. Second, I wanted to create an easily referenced educational resource on how credit cards are designed to work. I’m hoping this will help people understand the intricacies of credit card fraud and how some credit card features attempt to limit it.
Here is the TL;DR version: CVV codes were compromised and should not be stored post-authorization, but the CVV codes compromised are not the codes printed on the card that we get asked for when making online purchases. There are actually two separate security codes: one to prove possession of the card when it is swiped (stored on the magnetic strip) and another printed on the card, to prove possession of the card when it is used in card-not-present transactions, like e-commerce or over the phone. The same value is not used for both codes.
Read more on 451 Security.
[From the article:
Based on what we know about the breach, it sounds like track data was either potentially stored by Target (against PCI DSS rules), was captured in transit or was captured pre-authorization (PCI says you can’t store track data after authorization). If full track data was compromised, the primary threat of consumer fraud from this breach will be for stolen data to be copied to fake credit cards and used in-person.
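The practical question a defender takes from the 451 Security post is whether track data or unmasked card numbers are sitting in stored records after authorization. The scanner below is an added example, not code from the post or from Target; the stored lines it reads are constructed, the card numbers are the well-known Luhn-valid test numbers, and the magnetic-stripe layouts it matches are the standard track 1 (`%B<PAN>^<name>^<YYMM><service code>…?`) and track 2 (`;<PAN>=<YYMM><service code>…?`) formats.

```python
"""Scan stored records for magnetic-stripe track data and unmasked PANs.
Added example, not from the 451 Security post; sample lines are constructed."""
import re

# Track 1: %B<PAN>^<cardholder name>^<YYMM><3-digit service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><3-digit service code><discretionary>?
# The discretionary field is where the stripe's own verification value lives.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# A bare 13-19 digit run that is not part of a longer number.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(digits):
    """Luhn check: weeds out order ids and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep first six and last four digits, the usual PCI display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def classify(line):
    """Return (kind, masked_pan) for the worst finding on the line, or None.
    Track data outranks a bare PAN because PCI DSS never allows storing it."""
    m = TRACK1_RE.search(line)
    if m and luhn_ok(m.group(1)):
        return ("TRACK1", mask(m.group(1)))
    m = TRACK2_RE.search(line)
    if m and luhn_ok(m.group(1)):
        return ("TRACK2", mask(m.group(1)))
    for m in PAN_RE.finditer(line):
        if luhn_ok(m.group(1)):
            return ("PAN", mask(m.group(1)))
    return None

def scan(lines):
    """Scan stored records; returns [(line_number, kind, masked_pan), ...]."""
    findings = []
    for n, line in enumerate(lines, 1):
        hit = classify(line)
        if hit:
            findings.append((n, hit[0], hit[1]))
    return findings

# Constructed stored records: two forbidden track captures, one unmasked PAN,
# one Luhn-failing decoy, and one correctly masked record.
SAMPLE_LINES = [
    "2013-12-19 12:01:03 terminal=07 raw=;4111111111111111=25121011234567890?",
    "2013-12-19 12:01:04 terminal=07 raw=%B4111111111111111^DOE/JANE^2512101123456789?",
    "2013-12-19 12:02:10 auth ok pan=5500000000000004 amount=12.00",
    "2013-12-19 12:03:00 order=1234567890123456 status=shipped",
    "2013-12-19 12:04:41 auth ok pan=411111******1111 amount=9.50",
]

if __name__ == "__main__":
    for line_no, kind, masked in scan(SAMPLE_LINES):
        print(f"line {line_no}: {kind} {masked}")
```

Run as is, it flags lines 1 and 2 as track data and line 3 as an unmasked PAN, and stays quiet on the decoy and the masked record. The track patterns are checked before the bare-PAN pattern so that a stripe capture is reported as what it is rather than as a lesser PAN finding.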

Just up the road, but also available globally via Live Stream.
This sounds like a not-to-be-missed event. Wish I could get there to attend, but I’ll have to console myself with watching the live stream.
Friday, January 17, 2014; 9:00 AM – 5:30 PM
@ University of Colorado Law School, Room 101
Live Stream: to view, click here
What harms are privacy laws designed to prevent? How are people injured when corporations, governments, or other individuals collect, disclose, or use information about them in ways that defy expectations, prior agreements, formal rules, or settled norms? How has technology changed the nature of privacy harm?
These questions loom large in debates over privacy law. Often, they are answered skeptically. The President of the United States justifies massive NSA surveillance programs by arguing that non-content surveillance is not very harmful. Advertisers resist calls for aggressive forms of Do Not Track by arguing that the way they track online behavior creates little risk of harm. Judges dismiss lawsuits brought by users suing services that suffer massive data breaches, for lack of harm.
Meanwhile, many privacy law scholars and advocates do not speak consistently, if they speak at all, about privacy harm. Some prefer to talk about “problems” or “conflicts” not harms. Others point primarily to abstract, societal harms such as chilling effects or harms to dignity or individual autonomy. Many of these people have tried to move the conversation away from harm and what they see as crabbed, tort-centric approaches to privacy protection.
It is time to revisit old conversations about harm. New practices and technologies raise new threats of harm. [Or automate existing ones? Bob] The fear of Big Data techniques (for example in the public debate over the pregnancy prediction program of the retailer Target) has inspired new theories of harm. Economists and computer scientists have developed new ways of measuring privacy harm. Regulators have adopted new ways of talking about harm.
Join the Silicon Flatirons Center for Law, Technology, and Entrepreneurship on Friday, January 17, 2014, from 9:00 AM – 4:15 PM as we venture into the New Frontiers of Privacy Harm. We will assemble thought leaders and top practitioners and regulators for a diverse and rich set of conversations about privacy harm.
You can see the great line-up of presenters and discussants, and access the day’s schedule here.

(Related) Interesting article!
From a recent article by Woodrow Hartzog in Ohio State Law Journal, Vol. 74, p. 995, 2013:
As online social media grow, it is increasingly important to distinguish between the different threats to privacy that arise from the conversion of our social interactions into data. One well-recognized threat is from the robust concentrations of electronic information aggregated into colossal databases. Yet much of this same information is also consumed socially and dispersed through a user interface to hundreds, if not thousands, of peer users.
In order to distinguish relationally shared information from the threat of the electronic database, this essay identifies the massive amounts of personal information shared via the user interface of social technologies as “social data.” The main thesis of this essay is that, unlike electronic databases, which are the focus of the Fair Information Practice Principles (FIPPs), there are no commonly accepted principles to guide the recent explosion of voluntarily adopted practices, industry codes, and laws that address social data.
This essay aims to remedy that by proposing three social data principles — a sort of FIPPs for the front-end of social media: the Boundary Regulation Principle, the Identity Integrity Principle, and the Network Integrity Principle. These principles can help courts, policymakers, and organizations create more consistent and effective rules regarding the use of social data.
You can download the full article from SSRN. You may also wish to see the other articles in the same issue of the Ohio State Law Journal.

I doubt most people even think about why privacy is of concern to magazines like Forbes.
Over on Forbes, Kashmir Hill writes:
Forget “twerking” and “selfies.” dubbed “privacy” the word of the year in 2013. Here at The Not-So Private Parts, it feels a little like the unknown indie band we’ve been obsessed with for years just won best album at the Grammys. So why did the plight of our personal data achieve Arcade Fire-level fame this year?
Read more on Forbes.

(Related) Illogical or merely ignorant?
Liz Gannes reports:
When asked to choose which is more important to them, protecting their personal information online or protecting their online behavior, respondents to a recent survey said hacking is a bigger concern than tracking.
Some 75 percent of those surveyed said they are worried about hackers stealing their personal information, while 54 percent are worried about their browsing history being tracked by advertisers.
Read more on AllThingsD.

These are common failings in all industries. Managers do not like to spend money or resources on things like logs that are only useful in the unlikely event they are breached. Rational or irrational?
From the Executive Summary of a newly released report:
Nearly all hospitals with EHR technology had RTI-recommended audit functions in place, but they may not be using them to their full extent. In addition, all hospitals employed a variety of RTI-recommended user authorization and access controls. Nearly all hospitals were using RTI-recommended data transfer safeguards. Almost half of hospitals had begun implementing RTI-recommended tools to include patient involvement in anti-fraud efforts. Finally, only about one quarter of hospitals had policies regarding the use of the copy-paste feature in EHR technology, which, if used improperly, could pose a fraud vulnerability.
We recommend that audit logs be operational whenever EHR technology is available for updates or viewing. We also recommend that ONC and CMS strengthen their collaborative efforts to develop a comprehensive plan to address fraud vulnerabilities in EHRs. Finally, we recommend that CMS develop guidance on the use of the copy-paste feature in EHR technology. CMS and ONC concurred with all of our recommendations.
You can access the full report here (pdf, 30 pp.)
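The report's first recommendation, that audit logs be operational whenever the EHR is available for viewing or updates, is something a hospital can actually check. Here is an added example (mine, not from the OIG report or any EHR vendor) that walks a constructed event log of service up/down and audit enable/disable events and reports every interval in which the EHR was reachable but auditing was off, together with who switched it off. The log format and actor names are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed event log: one line per state change of the EHR service and of its
# audit subsystem. The format is this example's own, not from the OIG report.
SAMPLE_EVENTS = """\
2013-12-20T08:00:00Z ehr service=up
2013-12-20T08:00:05Z audit state=enabled actor=svc_ehr
2013-12-20T09:30:00Z audit state=disabled actor=dba01 reason=maintenance
2013-12-20T11:00:00Z audit state=enabled actor=dba01
2013-12-20T17:00:00Z ehr service=down
2013-12-21T08:00:00Z ehr service=up
2013-12-21T08:00:01Z audit state=disabled actor=app02 reason=disk_full
2013-12-21T17:00:00Z ehr service=down
"""


@dataclass(frozen=True)
class AuditGap:
    start: datetime
    end: datetime
    seconds: int
    disabled_by: Optional[str]   # actor that switched auditing off, if the log says


def _parse_line(line: str):
    ts_text, subsystem, *kvs = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in kvs)
    return ts, subsystem, fields


def find_audit_gaps(log_text: str, min_seconds: int = 60) -> List[AuditGap]:
    """Return intervals in which the EHR was up but audit logging was not enabled.

    Gaps shorter than min_seconds (e.g. the few seconds between service start
    and audit start) are ignored so the report is not dominated by noise."""
    events = sorted(
        (_parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e[0],
    )
    ehr_up = False
    audit_on = False
    gap_start: Optional[datetime] = None
    disabled_by: Optional[str] = None
    gaps: List[AuditGap] = []

    def close_gap(now: datetime) -> None:
        nonlocal gap_start, disabled_by
        if gap_start is not None:
            secs = int((now - gap_start).total_seconds())
            if secs >= min_seconds:
                gaps.append(AuditGap(gap_start, now, secs, disabled_by))
            gap_start = None
            disabled_by = None

    for ts, subsystem, fields in events:
        if subsystem == "ehr":
            ehr_up = fields.get("service") == "up"
        elif subsystem == "audit":
            audit_on = fields.get("state") == "enabled"
            if not audit_on:
                disabled_by = fields.get("actor")
        exposed = ehr_up and not audit_on
        if exposed and gap_start is None:
            gap_start = ts
        elif not exposed:
            close_gap(ts)
    if gap_start is not None and events:
        close_gap(events[-1][0])   # log ended while still exposed
    return gaps


if __name__ == "__main__":
    for g in find_audit_gaps(SAMPLE_EVENTS):
        print(f"{g.start.isoformat()} .. {g.end.isoformat()}  {g.seconds}s  disabled_by={g.disabled_by}")
```

Run against real logs, the same walk answers the question the report raises: not whether an audit function exists, but whether it was actually on while clinicians could view or change records.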

Sign up and you can be among the first to know you've been had. Possibly even before the breachee.
Have you been pwned? Now you can be automatically told when you are!
Just under three weeks ago now, I launched Have I been pwned? which could tell you if you owned one of 154 million email addresses that had been caught up in recent data breaches. Subsequently, the site turned out to be wildly popular and as with such things, a lot of good ideas came up in terms of features people would like to see.
Without doubt, the number one request was for notifications. Searching for accounts that may have been pwned up to the current date is one thing, but the real value is in being automatically notified when you get pwned in the future. So I built it – oh and I’ve made it a free service.
Signing up for notifications
Let me talk you through it: First of all, jump over to and search for your email address. You can always just hit the “Notify me” link in the nav but I suspect most people will want to kick off by looking at whether they’ve already been compromised.
This is pretty much business as usual, except now you’ve got a “Notify me if my address gets pwned in the future” hyperlink just above the social media icons. Click that guy and you’ll get a little window:

I like lists like this, because I always try to steal learn from the best! Many more blogs listed at the site.
Announcing the 2013 Blawggie Awards – Tenth Edition
2013 Blawggie Award Categories and Winners.
1. Best Overall Law-Related Blog – 3 Geeks and a Law Blog
2. The “Marty Schwimmer” Best Practice-Specific Legal Blog – Sharon Nelson’s Ride the Lightning
3. Best Law Practice Management Blog – Adam Smith, Esq.
4. Best Law-related Blog Category – Law Librarian Blogs BeSpacific Blog
5. The “Kennedy-Mighell Report” Best Legal Podcast – The Return of the Legal Talk Network
6. The “Sherry Fowler” Best Writing on a Blawg Award – Sharon Nelson’s Ride the Lightning
7. Best Law Professor Blog – Legal Skills Prof Blog
8. The “DennisKennedy.Blog” Best Legal Technology Blog – V. Mary Abraham’s Above and Beyond KM
9. Best New Blawg – Jerry Lawson’s NetLawTools

For my Apple toting students...
Year in Review: 5 Most Notable New iOS Apps of 2013

For my Ethical Hackers
… why not steal away by yourself for a few hours and work on the SANS Institute’s 10th annual Holiday Hacking Challenge?
… The learning opportunity comes into play when you don’t already understand something you encounter in the packet capture file. You are expected to do your own research to understand the artifact well enough to explain it in your response. Given that this year’s scenario is based on a virtual city’s critical infrastructure, Skoudis says there will be some protocols that network professionals probably aren’t familiar with. It’s a chance to stretch your knowledge a bit and build some in-demand skills in a fun way.
Since this is the 10th year for the competition, some of the previous years’ challenges and answers are posted online.
… For a look at the 2012 Holiday Hacking Challenge and the winning and honorable mention responses, click here.
Details about the Holiday Hacking Challenge, which is now live, can be found here. You have until January 6, 2014 to send your results to Good luck!

Monday, December 23, 2013

Well, that's something I suppose.
Target CEO offers credit monitoring, discount and four-part video apology
After last week's massive data breach, Target is offering customers free credit monitoring and a 10 percent discount. CEO Gregg Steinhafel also issued a four-part video apology to customers.
He reassured shoppers that they will not be held financially responsible for any credit card or debit card fraud. Target will contact customers who are eligible for the credit monitoring "soon," he said.
Read more here.
Watch the video apology here.

Section 8, subsection 4, page 81, paragraph 41, line 16, micro-line 58, and I quote: “Whereas and who-as and when-as the party of the twenty-second part did authorize, condone and allow by use of the data of party two, we herewith, hereby and hereto declare, 'You ain't got no privacy!' Welcome to California.”
Hogan Lovells’ Bret Cohen writes:
On January 1, 2014, California Assembly Bill 370 will go into effect, requiring operators of websites and other online services, including mobile applications, to provide new disclosures in their website privacy policies about online tracking. Operators will be required to disclose whether third parties collect certain information about California residents over time and across different websites when those residents use the operators’ sites and services. The law also requires that operators disclose how they respond to do-not-track signals or other mechanisms designed to provide consumers with choices relating to such activities. Although the law is limited to online services directed to California, it provides a de facto national standard for websites that do not provide separate privacy disclosures based on location.
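AB 370 requires a disclosure of how a site responds to do-not-track signals; the disclosure is only honest if the server actually behaves one way or the other. Here is an added example (my own, not code from Hogan Lovells or any real site) of the server-side decision: read the browser's DNT header, and only when tracking is permitted set the visitor cookie and embed the third-party beacons. The tracker hosts and cookie name are placeholders I made up for the example.

```python
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed third-party tracker tags the site would normally embed (placeholder hosts).
TRACKER_TAGS = [
    '<script src="https://analytics.example/collect.js"></script>',
    '<img src="https://adnet.example/pixel.gif" alt="">',
]

TRACKING_COOKIE = "site_visitor_id"   # placeholder name for the visitor identifier


@dataclass
class Response:
    headers: List[Tuple[str, str]] = field(default_factory=list)
    body: str = ""


def dnt_preference(request_headers: Dict[str, str]) -> Optional[str]:
    """Return '1' (do not track), '0' (tracking permitted) or None (no preference).

    Header names are matched case-insensitively; any other value is treated as unset."""
    for name, value in request_headers.items():
        if name.lower() == "dnt":
            v = value.strip()
            return v if v in ("0", "1") else None
    return None


def tracking_allowed(request_headers: Dict[str, str]) -> bool:
    """Site policy: a DNT:1 signal switches cross-site tracking off; anything else leaves it on.
    This is exactly the behaviour the privacy policy must describe under AB 370."""
    return dnt_preference(request_headers) != "1"


def build_page(request_headers: Dict[str, str], base_html: str) -> Response:
    """Render the page, adding the tracking cookie and beacons only when allowed."""
    resp = Response()
    resp.headers.append(("Content-Type", "text/html; charset=utf-8"))
    resp.headers.append(("Vary", "DNT"))   # caches must not serve a tracked page to a DNT:1 client
    if tracking_allowed(request_headers):
        cookie = f"{TRACKING_COOKIE}={uuid.uuid4().hex}; Path=/; Secure; HttpOnly; SameSite=Lax"
        resp.headers.append(("Set-Cookie", cookie))
        resp.body = base_html.replace("</body>", "\n".join(TRACKER_TAGS) + "\n</body>")
    else:
        resp.body = base_html
    return resp


def sets_tracking_cookie(resp: Response) -> bool:
    """True if the response would plant the visitor identifier."""
    return any(
        n == "Set-Cookie" and v.startswith(TRACKING_COOKIE + "=") for n, v in resp.headers
    )


if __name__ == "__main__":
    page = "<html><body><p>hello</p></body></html>"
    for hdrs in ({"DNT": "1"}, {}):
        r = build_page(hdrs, page)
        print(hdrs, "tracking cookie set:", sets_tracking_cookie(r))
```

Whichever way a site decides (honor the signal, or ignore it), the policy text and the code path should say the same thing; the `Vary: DNT` header keeps intermediaries from serving one visitor's tracked page to another.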

Interesting idea. Let's hope it works better than the credit card industry's certification.
Lynn Sessions and Cory J. Fox of Baker Hostetler write:
The Texas Health Services Authority (THSA) recently announced its selection of the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF), the most widely adopted information privacy and security framework in the U.S. healthcare industry, to form the basis of the Texas Covered Entity Privacy and Security Certification Program, setting the stage for Texas to become the first state in the nation to implement a formal certification program that incorporates state and federal privacy and security regulations, including HIPAA and the Texas Medical Records Privacy Act (TMRPA).
Read more on Lexology.
[From the article:
HB 300 also amended the TMRPA to include a list of mitigating factors Texas courts must consider in determining the appropriate penalty for a covered entity that violates the TMRPA, including its compliance history and whether it was certified at the time of the violation.

Big Data. I find these amusing. After carefully reading all 8 pages, I'd like to buy a vowel.
Quantitative Analysis of Culture Using Millions of Digitized Books
by Sabrina I. Pacifici on December 21, 2013
Quantitative Analysis of Culture Using Millions of Digitized Books, Jean-Baptiste Michel, et al. Science 331, 176 (2011); DOI: 10.1126/science.1199644
“We constructed a corpus of digitized texts containing about 4% of all books ever printed. Analysis of this corpus enables us to investigate cultural trends quantitatively. We survey the vast terrain of ‘culturomics,’ focusing on linguistic and cultural phenomena that were reflected in the English language between 1800 and 2000. We show how this approach can provide insights about fields as diverse as lexicography, the evolution of grammar, collective memory, the adoption of technology, the pursuit of fame, censorship, and historical epidemiology. Culturomics extends the boundaries of rigorous quantitative inquiry to a wide array of new phenomena spanning the social sciences and the humanities.”

When your eyes get tired from staring at your monitor, try these. They really scare my students!
– When your eyes get tired and you start feeling the eye strain, but still have some work to do, use the Exercises For Eyes. Regular eye exercises can help you to improve eyesight and prevent eye diseases such as nearsightedness and farsightedness. Follow the instructions step by step, taking twenty-second breaks between exercises.

Okay, it's a bit geeky, but my Cryptography students might enjoy it.
Professor Edward Frenkel discusses the mathematics behind the NSA Surveillance controversy.
[Or watch the video on Youtube:

Sunday, December 22, 2013

Ignore the man in the White House. (We do.) Forget what every journalist is saying. When it comes to the law, our pill is best taken with our Kool-Aid.
A press release from EFF:
San Francisco – U.S. government intelligence officials late last night released some previously secret declarations submitted to the court in Jewel v. NSA – EFF’s long-running case challenging the NSA’s domestic surveillance program – plus a companion case, Shubert v. Obama. The documents were released pursuant to the court’s order.
Surprisingly, in these documents and in the brief filed with them, the government continues to claim that plaintiffs cannot prove they were surveilled without state secrets and that therefore, a court cannot rule on the legality or constitutionality of the surveillance. For example, despite the fact that these activities are discussed every day in news outlets around the world and even in the president’s recent press conference, the government states broadly that information that may relate to Plaintiffs’ claims that the “NSA indiscriminately intercepts the content of communications, and their claims regarding the NSA’s bulk collection of … metadata” is still a state secret.
… The newly released declarations are the first time the government has declassified a description of the origins and history of the NSA’s illegal and unconstitutional surveillance programs. However, these declarations – and the reissued state secrets claims – represent only a very slight shift in the government’s tactics in this case.
… Earlier this week, a Washington D.C. federal court judge ruled that NSA telephone records collection was “probably unconstitutional” in DC federal court. In July, based on documents filed before the Snowden revelations, the judge in Jewel v. NSA ruled against the government’s state secrets claims. Now we look forward to the California federal court finally ruling on the legality of the “upstream” interception of internet content and the telephone records program.
For this release:

Even a brief reading leaves me with many questions, but again it could just be poor writing. If one file could have multiple links (a technique to avoid duplication) a request to delete an “infringing” link should not automatically delete the file and all legitimate links, yet that seems to be what the FBI (MPAA?) expects. (and that's only page 3!)
Fury over US release of Dotcom 'evidence'
Kim Dotcom's legal team have been left furious after the United States skirted local court suppressions to release what they say is a "cherry-picked" summary of their case against the piracy-accused.
A detailed summary of the evidence against the Megaupload founder was made public in the US yesterday for the first time since the case began almost two years ago.
The evidence is suppressed in New Zealand by way of a ruling from Judge David Harvey made in the early stages of the court process against Dotcom.
The Sunday Star-Times understands Dotcom's legal team wanted it to remain secret until trial to give their client a fair chance, as they have not been given access to the documents the summary is based on, and believe the US account is one-sided and could create prejudice.
However, the FBI sought leave from a court in Virginia to release what it says is a "new" summary of the evidence to allow alleged victims to come forward and make claims against the estimated $80 million seized from the company.
A US judge ruled the documents could be "unsealed" on Friday, despite the ongoing New Zealand suppression.
… So far, Dotcom has had several victories against prosecutors, including rulings that searches at his home breached the law, and that he was spied on illegally by the Government Communications Security Bureau.
His lawyers have repeatedly accused the US of a heavy-handed approach against him, backed by movie moguls and politicians rather than legitimate legal grounds.
… "The DOJ release today is made up of ‘recycled allegations' that don't point to criminal copyright infringement," he said. Rothken had filed an application fighting the summary's release, but he was not heard in court.

Have I mentioned this one before? Sounds familiar...
is a free text-to-speech plugin for Microsoft Word that creates audio files from any document written in Word. It can speak the text of the document and highlight as it goes, enabling visually impaired users to read documents online. It also offers a number of programmable keyboard shortcuts, helping many types of users (for example, students who have trouble holding a mouse) to have an adapted, useful device. It is also great for students with reading difficulties, who may benefit from both reading and hearing the text they’re working with.

I don't assign a lot of papers in my Math classes, but I'll save this for my next Computer Security students.
The Impact of Digital Tools on Student Writing and How Writing is Taught in Schools
by Sabrina I. Pacifici on December 22, 2013
The Impact of Digital Tools on Student Writing and How Writing is Taught in Schools - Kristen Purcell, Director of Research, Pew Research Center’s Internet & American Life Project; Judy Buchanan, Deputy Director, National Writing Project; Linda Friedrich, Director of Research and Evaluation, National Writing Project. July 16, 2013.
“In a survey of Advanced Placement and National Writing Project teachers, a majority say digital tools encourage students to be more invested in their writing by encouraging personal expression and providing a wider audience for their work. Most also say digital tools make teaching writing easier, despite an increasingly ambiguous line between formal and informal writing and students’ poor understanding of issues such as plagiarism and fair use.” [We have an App for that. Bob]

Humor? Dilbert's pointy hair manager demonstrates another downside of drones.