Friday, January 10, 2014

All their FAQ says is that the data was collected in “the normal course of business.” What reasons would they have to collect customer data? Shipping info, contact information for “special orders,” job applications, credit card applications, etc. Also:
How many guests were affected by the additional stolen information?
Up to 70 million individuals may be affected.
I read that as 70 million MORE than the 40 (or 46) million due to use of credit cards. Or am I being too picky?
From their press release of today:
MINNEAPOLIS — January 10, 2014
Target today announced updates on its continuing investigation into the recent data breach and its expected fourth quarter financial performance.
As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach.
This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.
Much of this data is partial in nature, but in cases where Target has an email address, the Company will attempt to contact affected guests. This communication will be informational, including tips to guard against consumer scams. Target will not ask those guests to provide any personal information as part of that communication. In addition, guests can find the tips on our website.
… To learn more, please go to
You can read the full press release, with Fourth Quarter outlook and other investor-related information here.

(Related) That moves Target into First Place! Congratulations!
2013 Top 20 Breaches
… you’d better browse the following chart.
It collects the most devastating breaches in terms of number of records affected, and has been drawn based on the data collected by during this endless infosec year.

A most amusing rant. If you leave the barn door unlocked, will your insurance company refuse to reimburse you for stolen tractors? (Just updating a metaphor) If not, would the insurance company's stockholders take action?
To what extent is an organisation liable when they get security wrong?
I was amused (and frankly a little bewildered) the other day to see this bloke in the paper:
What he’s holding there is a fine… for leaving his car windows down a little. You see, the police down here took a view that in doing so he was inviting criminals to break into his car by very clearly leaving his security in a compromised state. This, in turn, deserved a $44 fine.
… Which brings me to Snapchat and more specifically, their defence following last week’s breach of 4.6 million accounts:
In an interview last week, a top company executive blamed abuse by hackers — not the company’s own software.
Ah, so not their fault at all, it was those pesky hackers! Obviously they weren’t aware that they’d proverbially left their windows down, right? Well that’s the interesting bit because after the risks were well-documented publicly in August, Snapchat responded… four months later. So they knew about the risks. Then the risks were further detailed just before Xmas and Snapchat responded again:
Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.
“Theoretically”, if you were able to stick your arm through an open window you could open a car door. That’s just theoretical, of course.
Anyway, next thing you know we have 4.6 million phone numbers and usernames out in the wild yet somehow, Snapchat is not to blame. This isn’t just leaving your windows down a bit on one occasion, this is leaving them down and the keys in the ignition for months on end and being warned multiple times about the risk and still thinking you’re not to blame.

(Related) Perhaps this is the year of “Pointing out the obvious!”
Paul Rubens reports:
“The solution to government surveillance is to encrypt everything.”
So said Eric Schmidt, Google’s chairman, in response to revelations about the activities of the US National Security Agency (NSA) made by whistle-blower Edward Snowden.
Schmidt’s advice appears to have been heeded by companies that provide internet-based services. [But not until Snowden kick started a public flap. Bob]
I especially appreciated the following statements in light of a conversation I had recently with a Henry Schein representative about the level of “encryption” their dental software provides:
Using a longer encryption key makes it harder for hackers or governments to crack the encryption, but it also requires more computing power.
But Robert Former, senior security consultant for Neohapsis, an Illinois-based security services company, says many companies are overestimating the computational complexity of encryption.
“If you have an Apple Mac, your processor spends far more time making OS X look pretty than it does doing crypto work.”
He therefore recommends using encryption keys that are two or even four times longer than the ones many companies are currently using.
“I say use the strongest cryptography that your hardware and software can support. I guarantee you that the cost of using your available processing power is less than the cost of losing your data because you were too cheap to make the crypto strong enough,” he says.
“No-one ever got fired for having encryption that was too strong.”
Read more on BBC.

How about this objective metric instead: If the new technology allows surveillance of a type not possible by a normal human (e.g. infrared search for marijuana 'grow lights') it violates a reasonable expectation of privacy.
Ashkan Soltani writes:
The Yale Law Journal Online (YLJO) just published an article that I co-authored with Kevin Bankston (first workshopped at the Privacy Law Scholars Conference last year) entitled “Tiny Constables and the Cost of Surveillance: Making Cents Out of United States v. Jones.” In it, we discuss the drastic reduction in the cost of tracking an individual’s location and show how technology has greatly reduced the barriers to performing surveillance. We estimate the hourly cost of location tracking techniques used in landmark Supreme Court cases Jones, Karo, and Knotts and use the opinions issued in those cases to propose an objective metric: if the cost of the surveillance using the new technique is an order of magnitude (ten times) less than the cost of the surveillance without using the new technique, then the new technique violates a reasonable expectation of privacy. For example, the graph above shows that tracking a suspect using a GPS device is 28 times cheaper than assigning officers to follow him.
Read more on Ashkan Soltani.
You can read the full article on Yale Law Journal Online or download the PDF.

With Great Computing Power Comes Great Surveillance
… We have yet to fully grasp the implications of cheap surveillance. The only thing that is certain is that we will be seeing a great deal more surveillance—of ordinary citizens, potential terrorists, and heads of state—and that it will have major consequences.
… To my mind, there are two broad classes of automated surveillance—participatory and involuntary, and the line that separates them is fuzzy. Participatory surveillance arrived with the widespread use of the Internet. During this period users were actively involved in exposing their information over the Internet when they provided personal information in the course of purchasing products, searching for information, or interacting on social networking sites.
People were voluntary participants in the surveillance process even if they did not fully understand its implications. When they granted companies the right to use their information, they got services of great value in return.
… Involuntary surveillance on a large scale—driven by Moore’s Law—arrived shortly thereafter. Its primary instruments are cellphones, smartphones, GPS, and inexpensive cameras. When these devices are employed, there is no need for users to be actively involved in creating information about their activities. They get little or nothing in return for involuntarily providing valuable information about themselves.

Complete this sentence in 25 words or less: This data must be available to anyone because...
Kaimipono D. Wenger writes:
Did you ever want to know Donny Osmond’s birthday, along with his voter registration status? Now you can find out, through a simple website which has posted the entire Utah state voting roll to the internet in easily searchable form. What if you’re looking in Colorado, Connecticut, or a half dozen other states? Their voter rolls are online too, sometimes with additional information like addresses.
Read more on Concurring Opinions.
[Everyone here:

For my Students (at the risk of being redundant)
How Business Can Help Measure Education Outcomes that Matter
Employers the world over tell us that what truly counts in hiring decisions is not the rote knowledge that helps college students answer examination questions, but skills and competencies that are essential for, and often developed at, work. To be useful, the bricks of modern education need the straw of experience-based skills.
McKinsey’s reports on education-for-employment initiatives drew the same linkages. And research by Ithaka for Innovate+Educate confirms that prior job performance is twice as effective a predictor of future performance as an academic degree; a job tryout is four times as effective; and a cognitive skills assessment, five times as effective as a paper degree.

Because Google bought them!
Timely Alarm Clock (In-app purchase, now totally free!)
First things first: Timely made quite a splash when it launched, and now it got bought up by Google. We know where the story is likely to go from here (i.e., assimilation into some other Google product), but for now, it means that all of the features that used to require in-app purchase are completely free!
