Saturday, January 11, 2014

Maybe Target wasn't the only target?
Neiman Marcus says hackers may have stolen payment card data
Luxury department store chain Neiman Marcus said on Friday that hackers may have stolen customers' credit and debit card information, the second cyber attack on a retailer in recent weeks.
The data breach comes after Target Corp on Friday said an investigation found a cyber attack compromised the information of at least 70 million customers, in the second-biggest retail cyber attack on record.
Neiman Marcus does not know the number of customers affected by the intrusion, company spokesperson Ginger Reeder said.
Neiman Marcus said its credit card processor alerted the retailer in December about potential unauthorized payment card activities and the U.S. Secret Service is investigating.
A third-party forensics firm confirmed the cyber-security intrusion on January 1, the company said.
Reeder declined to comment if the breach was related to the Target cyber attack.

(Related) Another downside of keeping quiet. ...and doing what is expected? (Also lots of comments from knowledgeable people.)
Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen
… the company still has not disclosed any details about how the attackers broke in. This lack of communication appears to have spooked many folks responsible for defending other retailers from such attacks, according to numerous interviews conducted by this reporter over the past few weeks.
… The reason Target is offering ID theft protection as a result of this breach probably has more to do with the fact that this step has become part of the playbook for companies which suffer a data breach. Since most consumers confuse credit card fraud with ID theft, many will interpret that to mean that the breached entity is somehow addressing the problem, whereas experts tell me that this offer mainly serves as a kind of “first response” to help the breached entity weather initial public outrage over an intrusion.

Interesting way to analyze their conclusions. Find several interested parties and ask them for brief articles. Could be a way to collect Blog posts; I'll have to consider it!
Just Security has been holding a “mini forum” on the Report of the President’s Review Group on Intelligence and Communications Technologies. The following list contains the current posts in this series.
  1. Julian Sanchez, How Limited is 702?
  2. Marty Lederman, The “Front-Page Rule”

The full article reads like very “bad scifi” but consider just this snippet...
Rory Carroll describes the future after attending CES 2014:
For those who think the NSA the worst invader of privacy, I invite you to share an afternoon with Aiden and Foster, two 11-year-old boys, as they wrap up a Friday at school. Aiden invites his friend home to hang out and they text their parents, who agree to the plan.
As they ride on the bus Foster’s phone and a sensor on a wristband alert the school and his parents of a deviation from his normal route. The school has been notified that he is heading to Aiden’s house so the police are not called. [Why would the school call the police rather than Mom & Dad? It gets worse... Bob]
Read more on The Guardian.

It allows anyone to become an instant stalker. Instead of “Hey little girl!” now you can say “Hey Sally Jones. Your dad asked me to take you to your dance class.” (I'm sure the cop on the beat would like an App like this.)
Stalker-friendly app, NameTag, uses facial recognition to look you up online
… The makers of a new app, "NameTag," say that their facial-recognition software is actually supposed to make the world a much more connected place, but given that the app can spot a face and wirelessly match it up to social media profiles, all without giving people the option to opt out, let's go with stalker-friendly.
According to the app's developer,
NameTag links your face to a single, unified online presence that includes your contact information, social media profiles, interests, hobbies and passions and anything else you want to share with the world.
… The reason there's no opt-out or opt-in is going to sound familiar to those who've read about other stalker-enabling apps such as Girls Around Me.
Namely, NameTag is drawing on publicly available information.

Oh, good. So far, the government has been immune from such silly laws. Anyone giving odds this will pass the Senate?
Pete Kasperowicz reports:
The House passed the Health Exchange Security and Transparency Act, H.R. 3811, in a 291-122 vote. Sixty-seven Democrats voted for the bill, ignoring arguments from party leaders that the bill was a “messaging” vote meant to discourage people from signing up for insurance.
The one-sentence bill says that no later than two business days after any security breach on an ObamaCare site is discovered, “the Secretary of Health and Human Services shall provide notice of such breach to each individual.” Republicans said that under current law, the government is not required to notify people if their information is put at risk.
Read more on The Hill.

I don't see these as competing Blogs, I see them as resources! This is the broad list of nominees.
7th Annual Blawg 100

Looks like the broadcast TV guys are pushing hard.
Supreme Court to hear case on Aereo's broadcast TV streaming
The U.S. Supreme Court will hear a battle between TV broadcasters and Aereo, a startup that streams television over the Internet, as the final step in a case that could have broad implications for the future of online TV services.
The TV networks and broadcasters asked the Supreme Court to take the case after a federal court in New York ruled last year that Aereo’s service wasn’t breaking copyright law.
… “The broadcasters are asking the Court to deny consumers the ability to use the cloud to access a more modern-day television antenna and DVR. If the broadcasters succeed, the consequences to consumers and the cloud industry are chilling,” he wrote.
At present, Aereo is available in New York, Boston, Atlanta, Miami, Salt Lake City, Houston, Dallas, Denver, Detroit and Baltimore. It has plans to expand its US$8-per-month service to additional cities in 2014. The video recording service is available for an additional $4 per month.

(Related) How LA sees the world.
Supreme Court and Aereo: A Betamax ruling for the 21st century?
Having ducked the question once, the Supreme Court on Friday agreed to decide whether the principles outlined in the landmark 1984 Sony Betamax ruling apply when devices in the home give way to services in the cloud.

One of my students just wrote a similar paper, with very different conclusions.
Paper – The Shooting Cycle – A Study of Mass Shootings in America
by Sabrina I. Pacifici on January 10, 2014
The Shooting Cycle - Josh Blackman, South Texas College of Law; Shelby Baird, Yale University, January 5, 2014. Connecticut Law Review, Vol 46, 2014.
“The pattern is a painfully familiar one. A gunman opens fire in a public place, killing many innocent victims. After this tragedy, support for gun control surges. With a closing window for reform, politicians and activists quickly push for new gun laws. But as time elapses, support decreases. Soon enough, the passions fade, and society returns to the status quo. We call this paradigm “the shooting cycle.” This article provides the first qualitative and quantitative analysis of the shooting cycle, and explains how and why people and governments react to mass shootings. This article proceeds in five parts. First, we bring empirical clarity to the debate over mass shootings, and show that contrary to popular opinion, they are fairly rare, and are not occurring more frequently. Second, relying on cognitive biases such as the availability heuristic, substitution effect, and cultural cognition theory, we demonstrate why the perception of risk and reaction to these rare and unfamiliar events are heightened. Third, we chronicle the various stages of the shooting cycle: tragedy, introspection, action, divergence, and return to the status quo. During the earlier stages, emotional capture sets in, allowing politicians and activists to garner support for reform. But, after the spike, soon support for reform fades, and regresses to the mean. Fifth, with this framework, we view the year following the horrific massacre in Newtown through the lens of the shooting cycle. We conclude by addressing whether the shooting cycle can be broken.”

For my Math students (and fellow Math teachers)
Wolfram Alpha Examples for Students and Teachers
Colleen Young's Mathematics, Learning and Web 2.0 is a good blog to subscribe to for practical, do-now mathematics instruction ideas. When you visit her blog make sure you click the "Wolfram Alpha" tab under which you will find seven slideshows containing examples of how students can use Wolfram Alpha. The examples correspond to questions posted on her mathematics blog for students.
If you haven't used Wolfram Alpha before or you're trying to introduce it to people who have not used it, take a look at the following Planet Nutshell explanation of how Wolfram Alpha works and what makes it different from Google search.
[Be sure to check the slideshows which illustrate many examples. Bob]

The school already has a 3D printer. But I want one of these!
– 3D printing describes a host of technologies that are used to fabricate physical objects directly from CAD data sources. In 3D chocolate printing, chocolate is melted, tempered and deposited into 2D cross-section on a substrate like a printer printing a 2D image onto paper. The substrate is then lowered by a layer thickness and the deposition process repeats layer-by-layer to form a solid 3D chocolate product.

The perfect website!
– is a simple site which features a button entitled “Make Everything OK”. If you are having a particularly bad day or feeling not so well, just click the button, and the site will inform you that it is in the process of “making everything OK”. It is a fun website with no real other use than to amuse if you are not in the best of moods.

News for those of us who are easily amused.
The Obama Administration issued guidelines for student discipline, urging schools to use law enforcement as a “last resort.” The guidelines, reports The New York Times, are “a response to a rise in zero-tolerance policies that have disproportionately increased the number of arrests, suspensions and expulsions of minority students for even minor, nonviolent offenses.”
… The California Institute of Technology has adopted an open access policy for its faculty’s scholarship.
… The LAUSD iPad saga continues! According to KPCC, “only 208 of the district’s 800 schools have the network capacity to support every student and teacher having an iPad.” A great example of the 7 Ps.
The New America Foundation says that the federal government spent a whole $69 billion in 2013 on its hodgepodge of financial aid programs, such as Pell Grants for low-income students, tax breaks and work-study funding. And that doesn't even include loans.

Friday, January 10, 2014

All their FAQ says is that the data was collected in “the normal course of business.” What reasons would they have to collect customer data? Shipping info, contact information for “special orders,” job applications, credit card applications, etc. Also:
How many guests were affected by the additional stolen information?
Up to 70 million individuals may be affected.
I read that as 70 million MORE than the 40 (or 46) million due to use of credit cards. Or am I being too picky?
From their press release of today:
MINNEAPOLIS — January 10, 2014
Target today announced updates on its continuing investigation into the recent data breach and its expected fourth quarter financial performance.
As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach.
This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.
Much of this data is partial in nature, but in cases where Target has an email address, the Company will attempt to contact affected guests. This communication will be informational, including tips to guard against consumer scams. Target will not ask those guests to provide any personal information as part of that communication. In addition, guests can find the tips on our website.
… To learn more, please go to
You can read the full press release, with Fourth Quarter outlook and other investor-related information here.

(Related) That moves Target into First Place! Congratulations!
2013 Top 20 Breaches
… you’d better browse the following chart.
It collects the most devastating breaches in terms of number of records affected, and has been drawn based on the data collected by during this endless infosec year.

A most amusing rant. If you leave the barn door unlocked, will your insurance company refuse to reimburse you for stolen tractors? (Just updating a metaphor) If not, would the insurance company's stockholders take action?
To what extent is an organisation liable when they get security wrong?
I was amused (and frankly a little bewildered) the other day to see this bloke in the paper:
What he’s holding there is a fine… for leaving his car windows down a little. You see, the police down here took a view that in doing so he was inviting criminals to break into his car by very clearly leaving his security in a compromised state. This, in turn, deserved a $44 fine.
… Which brings me to Snapchat and more specifically, their defence following last week’s breach of 4.6 million accounts:
In an interview last week, a top company executive blamed abuse by hackers — not the company’s own software.
Ah, so not their fault at all, it was those pesky hackers! Obviously they weren’t aware that they’d proverbially left their windows down, right? Well that’s the interesting bit because after the risks were well-documented publicly in August, Snapchat responded… four months later. So they knew about the risks. Then the risks were further detailed just before Xmas and Snapchat responded again:
Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.
“Theoretically”, if you were able to stick your arm through an open window you could open a car door. That’s just theoretical, of course.
Anyway, next thing you know we have 4.6 million phone numbers and usernames out in the wild yet somehow, Snapchat is not to blame. This isn’t just leaving your windows down a bit on one occasion, this is leaving them down and the keys in the ignition for months on end and being warned multiple times about the risk and still thinking you’re not to blame.

(Related) Perhaps this is the year of “Pointing out the obvious!”
Paul Rubens reports:
“The solution to government surveillance is to encrypt everything.”
So said Eric Schmidt, Google’s chairman, in response to revelations about the activities of the US National Security Agency (NSA) made by whistle-blower Edward Snowden.
Schmidt’s advice appears to have been heeded by companies that provide internet-based services. [But not until Snowden kick started a public flap. Bob]
I especially appreciated the following statements in light of a conversation I had recently with a Henry Schein representative about the level of “encryption” their dental software provides:
Using a longer encryption key makes it harder for hackers or governments to crack the encryption, but it also requires more computing power.
But Robert Former, senior security consultant for Neohapsis, an Illinois-based security services company, says many companies are overestimating the computational complexity of encryption.
“If you have an Apple Mac, your processor spends far more time making OS X look pretty than it does doing crypto work.”
He therefore recommends using encryption keys that are two or even four times longer than the ones many companies are currently using.
“I say use the strongest cryptography that your hardware and software can support. I guarantee you that the cost of using your available processing power is less than the cost of losing your data because you were too cheap to make the crypto strong enough,” he says.
“No-one ever got fired for having encryption that was too strong.”
Read more on BBC.

How about this objective metric instead: If the new technology allows surveillance of a type not possible by a normal human (e.g. infrared search for marijuana 'grow lights') it violates a reasonable expectation of privacy.
Ashkan Soltani writes:
The Yale Law Journal Online (YLJO) just published an article that I co-authored with Kevin Bankston (first workshopped at the Privacy Law Scholars Conference last year) entitled “Tiny Constables and the Cost of Surveillance: Making Cents Out of United States v. Jones.” In it, we discuss the drastic reduction in the cost of tracking an individual’s location and show how technology has greatly reduced the barriers to performing surveillance. We estimate the hourly cost of location tracking techniques used in landmark Supreme Court cases Jones, Karo, and Knotts and use the opinions issued in those cases to propose an objective metric: if the cost of the surveillance using the new technique is an order of magnitude (ten times) less than the cost of the surveillance without using the new technique, then the new technique violates a reasonable expectation of privacy. For example, the graph above shows that tracking a suspect using a GPS device is 28 times cheaper than assigning officers to follow him.
Read more on Ashkan Soltani.
You can read the full article on Yale Law Journal Online or download the PDF.

With Great Computing Power Comes Great Surveillance
… We have yet to fully grasp the implications of cheap surveillance. The only thing that is certain is that we will be seeing a great deal more surveillance—of ordinary citizens, potential terrorists, and heads of state—and that it will have major consequences.
… To my mind, there are two broad classes of automated surveillance— participatory and involuntary, and the line that separates them is fuzzy. Participatory surveillance arrived with the widespread use of the Internet. During this period users were actively involved in exposing their information over the Internet when they provided personal information in the course of purchasing products, searching for information, or interacting on social networking sites.
People were voluntary participants in the surveillance process even if they did not fully understand its implications. When they granted companies the right to use their information, they got services of great value in return.
… Involuntary surveillance on a large scale—driven by Moore’s Law—arrived shortly thereafter. Its primary instruments are cellphones, smartphones, GPS, and inexpensive cameras. When these devices are employed, there is no need for users to be actively involved in creating information about their activities. They get little or nothing in return for involuntarily providing valuable information about themselves.

Complete this sentence in 25 words or less: This data must be available to anyone because...
Kaimipono D. Wenger writes:
Did you ever want to know Donny Osmond’s birthday, along with his voter registration status? Now you can find out, through a simple website which has posted the entire Utah state voting roll to the internet in easily searchable form. What if you’re looking in Colorado, Connecticut, or a half dozen other states? Their voter rolls are online too, sometimes with additional information like addresses.
Read more on Concurring Opinions.
[Everyone here:

For my Students (at the risk of being redundant)
How Business Can Help Measure Education Outcomes that Matter
Employers the world over tell us that what truly counts in hiring decisions is not the rote knowledge that helps college students answer examination questions, but skills and competencies that are essential for, and often developed at, work. To be useful, the bricks of modern education need the straw of experience-based skills.
McKinsey’s reports on education-for-employment initiatives drew the same linkages. And research by Ithaka for Innovate+Educate confirms that prior job performance is twice as effective a predictor of future performance as an academic degree; a job tryout is four times as effective; and a cognitive skills assessment, five times as effective as a paper degree.

Because Google bought them!
Timely Alarm Clock (In-app purchase, now totally free!)
First things first: Timely made quite a splash when it launched, and now it got bought up by Google. We know where the story is likely to go from here (i.e., assimilation into some other Google product), but for now, it means that all of the features that used to require in-app purchase are completely free!

Thursday, January 09, 2014

You say, “large collection of data,” I say, “target!”
Hackers use Amazon cloud to scrape mass number of LinkedIn member profiles
LinkedIn is suing a gang of hackers who used Amazon's cloud computing service to circumvent security measures and copy data from hundreds of thousands of member profiles each day.
"Since May 2013, unknown persons and/or entities employing various automated software programs (often referred to as 'bots') have registered thousands of fake LinkedIn member accounts and have extracted and copied data from many member profile pages," company attorneys alleged in a complaint filed this week in US District Court in Northern California.
… With more than 259 million members—many who are highly paid professionals in technology, finance, and medical industries—LinkedIn holds a wealth of personal data that can prove highly valuable to people conducting phishing attacks, identity theft, and similar scams.
The allegations in the lawsuit highlight the unending tug-of-war between hackers who work to obtain that data and the defenders who use technical measures to prevent the data from falling into the wrong hands.
… The unnamed "Doe" hackers employed a raft of techniques designed to bypass anti-scraping measures built into the business network. Chief among them was the creation of huge numbers of fake accounts. That made it possible to circumvent restrictions dubbed FUSE, which limit the activity any single account can perform.
… The hackers also circumvented a separate security measure that is supposed to require end users to complete bot-defeating CAPTCHA dialogues when potentially abusive activities are detected. They also managed to bypass restrictions that LinkedIn intended to impose through a robots.txt file, which websites use to make clear which content may be indexed by automated Web crawling programs employed by Google and other sites.
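The LinkedIn complaint above and the Snapchat passage earlier (the "upload a huge set of phone numbers" lookup) describe the same defensive gap: a limit applied per account is spread thin by a fleet of throwaway accounts that each stay under the cap. The following is an added example, not code from LinkedIn, Snapchat or the articles quoted here, showing why a defender also aggregates activity by source and looks for enumeration patterns. The log format, the sample lines and the thresholds are all constructed assumptions; "FUSE" is only the page's name for LinkedIn's per-account limit and nothing here models its real behaviour.

```python
"""Detect distributed lookup abuse that per-account limits miss.

Added illustration (assumed log format): each line is
    <ISO timestamp> <account> <source IP> <looked-up phone number>
Three signals are computed:
  1. peak per-account lookups per minute   (the per-account cap, FUSE-style)
  2. peak per-source-IP lookups per minute (aggregated across accounts)
  3. longest run of consecutive numbers per source (enumeration signal)
"""
from collections import Counter, defaultdict
from datetime import datetime


def make_sample_log():
    """Constructed sample: 30 throwaway accounts behind one IP, each doing 3
    lookups (well under a per-account cap of 10) while sweeping 90 consecutive
    numbers, plus one ordinary user doing two unrelated lookups."""
    lines = []
    number = 15550100000  # constructed, non-routable style test range
    for acct in range(30):
        for j in range(3):
            sec = acct * 3 + j
            lines.append(f"2014-01-09T10:{sec // 60:02d}:{sec % 60:02d} "
                         f"acct{acct:04d} 198.51.100.7 +{number}")
            number += 1
    lines.append("2014-01-09T10:00:05 alice 203.0.113.5 +15550199999")
    lines.append("2014-01-09T10:00:40 alice 203.0.113.5 +15550177777")
    return lines


def parse_line(line):
    ts, account, ip, number = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "ip": ip, "number": int(number.lstrip("+"))}


def peak_rate(events, key):
    """Return {key value: highest lookup count seen in any one-minute bucket}."""
    buckets = Counter((e[key], e["ts"].replace(second=0, microsecond=0))
                      for e in events)
    peak = defaultdict(int)
    for (k, _minute), count in buckets.items():
        peak[k] = max(peak[k], count)
    return dict(peak)


def longest_sequential_run(numbers):
    """Longest run of consecutive integers among the distinct numbers.
    A long run means someone is walking a number space, not looking up friends."""
    ordered = sorted(set(numbers))
    best = run = 1 if ordered else 0
    for a, b in zip(ordered, ordered[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def analyse(lines, per_account_limit=10, per_ip_limit=50, run_threshold=20):
    """Apply the per-account cap, the per-source cap and the enumeration check."""
    events = [parse_line(line) for line in lines]
    accounts = {a for a, r in peak_rate(events, "account").items()
                if r > per_account_limit}
    ips = {ip for ip, r in peak_rate(events, "ip").items() if r > per_ip_limit}
    numbers_by_ip = defaultdict(list)
    for e in events:
        numbers_by_ip[e["ip"]].append(e["number"])
    enumerating = {ip for ip, nums in numbers_by_ip.items()
                   if longest_sequential_run(nums) >= run_threshold}
    return {"accounts": accounts, "ips": ips, "enumerating": enumerating}


if __name__ == "__main__":
    result = analyse(make_sample_log())
    # The per-account rule flags nothing; the aggregated rules flag the fleet's IP.
    for name, hits in result.items():
        print(f"{name:12s} flagged: {sorted(hits) or 'none'}")
```

Running the module shows the per-account rule flagging nothing while both aggregated rules flag 198.51.100.7. In practice the aggregation key would be whatever the fleet cannot cheaply vary (address block, device fingerprint, payment instrument), and a sweep of a number space is the signal that a "theoretical" enumeration has become an actual one.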

Interesting map.
MassPrivateI has a roundup of links on the topic that you may want to read. The article begins:
Law enforcement agencies throughout the nation are increasingly adopting automated license plate recognition (ALPR) technologies, which function to automatically capture an image of the vehicle’s license plate, transform that image into alphanumeric characters, compare the plate number acquired to one or more databases of vehicles of interest, and alert the officer when a vehicle of interest has been observed, all within a matter of seconds. (spying on citizens & tracking our every movement)
Read more here.

Statutory fines do not have a built in “cost of living” adjustment.
Emmanuelle Trecolle reports:
France’s data protection watchdog on Wednesday fined Google 150,000 euros ($205,000) — the maximum possible — for failing to comply with its privacy guidelines for personal data.
The fine, though tiny for a group that made $15 billion in one quarter last year, is the regulator’s biggest ever and follows in the wake of other European nations cracking down on Google’s increasingly controversial privacy policies.
Read more on Yahoo.
Okay, so they fined them. But how does that bring them into compliance with French law? What’s next if Google doesn’t comply with the changes CNIL requested?

Perspective How do I censor thee, let me count the ways...
Trends in transition from classical censorship to Internet censorship: selected country overviews
by Sabrina I. Pacifici on January 8, 2014
“Censorship is no longer limited to printed media and videos. Its impact is felt much more strongly with regard to Internet related resources of information and communication such as access to websites, email and social networking tools which is further enhanced by ubiquitous access through mobile phones and tablets. Some countries are marked by severe restrictions and enforcement, a variety of initiatives in enforcing censorship (pervasive as well as implied), as well as initiatives to counter censorship.
The article reflects on trends in Internet censorship in selected countries, namely Australia, Chile, China, Finland, Libya, Myanmar, Singapore, Turkey, and the United Kingdom (UK).
These trends are discussed under two broad categories of negative and positive trends. Negative trends include: trends in issues of Internet related privacy; ubiquitous society and control; trends in Internet related media being censored; trends in filtering and blocking Internet content and blocking software; trends in technologies to monitor and identify citizens using the Internet to express their opinion and applying “freedom of speech”; criminalization of legitimate expression on the Internet; trends in acts, regulations and legislation regarding the use of the Internet and trends in government models regarding Internet censorship; trends in new forms of Internet censorship; trends in support of Internet censorship; trends in enforcing regulations and Internet censorship; trends in Internet related communication surveillance. Positive trends include: trends in reactions to Internet censorship; attempts and means to side-step Internet censorship; trends in cyber actions against Internet censorship; trends in innovative ways of showing opposition to Internet censorship.

Also Perspective. I think most of my students are in group three... Curious, but I may be wrong.
Gallup – Three in 10 in U.S. Own an Array of Consumer Electronics
by Sabrina I. Pacifici on January 8, 2014
“As electronics enthusiasts gather in Las Vegas for the International Consumer Electronics Show this week, a new Gallup analysis finds Americans falling into four groups according to their ownership levels of the electronic devices already available. At one end of the spectrum, 31% are “Super Tech Adopters,” who report broad ownership of the major computing and entertainment devices on the market. At the other extreme, 28% are “Tech-Averse Olders,” who own little more than a basic cellphone and DVD player. Between the extremes, 19% of Americans could be considered “Smartphone Reliants.” These Americans are highly likely to have a smartphone, but far less likely than Super Tech Adopters to own other electronics, particularly other portable devices. Additionally, “Mature Technophiles” — 22% of the public — report broad ownership of a variety of home electronics, but less than half have smartphones.”

One of the (many) surprises at the start of the new quarter was the new touch-screen HP Envy Windows 8 computers in the labs. Here's yet another tip for my students.
5 Security Tips To Consider When Using a Microsoft Account
Microsoft wants Windows 8 users to log into their computers with a Microsoft account, not a standard old local user account. You can’t use much of the new user interface without a Microsoft account — you can’t even upgrade to Windows 8.1 without one. Along with this new focus on Microsoft accounts comes new security concerns. The account you use to log into your computer is now an online account and you need to worry about securing it.
There are advantages to using a Microsoft account, as it allows you to sync your settings, files, apps, and other data between your computers. You log into Macs and iPads with an Apple ID, Android devices and Chromebooks with a Google account, and now Windows with a Microsoft account.

As a corollary to “We can, therefore we must!” I give you, “We can, and some fool will pay us to do it!”

For my students...
2014–15 Occupational Outlook Handbook
by Sabrina I. Pacifici on January 8, 2014
“The 2014–15 Occupational Outlook Handbook (OOH) was released today by the U.S. Bureau of Labor Statistics (BLS). The OOH reflects BLS employment projections for the 2012–22 decade. The OOH is one of the nation’s most widely used sources of career information. It provides details on hundreds of occupations and is used by career counselors, students, parents, teachers, jobseekers, career changers, education and training officials, and researchers…. The 2014–15 OOH includes 334 occupational profiles covering 580 detailed occupations, or about 84 percent of total employment in 2012. Each occupational profile describes:
  • What workers do
  • Where they work
  • Typical education and training requirements
  • Wages
  • Job outlook.”

For my ESL students in particular. Looks trivial, but it is not.
– is a site that gives you the ability to enter any English word, and then be told anything about that word, such as an equivalent noun, adjective, adverb or verb. You can also look up the tenses, pronunciation, rhyming words, words that mean the same, and of course the meaning of the word. It’s a great site to bookmark if you are working with the English language on a regular basis.

The future is “proof of skill by exam.”
The Degree Is Doomed
… Higher education, however, is in the midst of dramatic, disruptive change. It is, to use the language of innovation theorists and practitioners, being unbundled. (Some more of my thoughts on higher-ed unbundling can be found here.) And with that unbundling, the traditional credential is rapidly losing relevance. The value of paper degrees lies in a common agreement to accept them as a proxy for competence and status, and that agreement is less rock solid than the higher education establishment would like to believe.

Wednesday, January 08, 2014

Much more polite than, “So easy, even a caveman could do it!”
Adam Carey reports:
Personal information about public transport users in Victoria has been exposed to potential identity theft because government authority Public Transport Victoria failed to secure its website.
The security flaw in the PTV website was discovered by schoolboy Joshua Rogers, 16, who used a simple hacking technique to unearth a database containing the personal records of customers of the former Metlink online store.
The database includes full names, addresses, home and mobile phone numbers, email addresses, dates of birth, seniors card ID numbers, and nine-digit extracts of credit card numbers.
Read more on The Age.

The government plods, but eventually they'll get around to screwing everything up.
Okay, so HHS decided to give me a migraine by adding no less than 37 breach incidents to its public breach tool today. I suspect, but cannot be certain, that my repeated inquiries to them about breach reports not showing up in a timely fashion – the last such inquiry a few days ago – may have contributed to today’s massive update. Interestingly, a number of the entries refer to breaches well over a year old. Have they been sitting on these reports all this time? And if so, why?
… In the next post, I’ll discuss the newly added breaches we didn’t know about already.

About time a law firm built an App to demonstrate their expertise in Security Breach Law. What other areas could be “claimed” this way?
A law firm has created an app to help counsel comply with the myriad state data breach notification requirements. From their press release:
Features of the Fox data breach app include:
  • State Security Breach Statutes: An alphabetical listing of the 46 states that have data breach laws in place and links to all the relevant notification statutes.
  • HIPAA/HITECH Statutes: Breach notifications rules and other pertinent information related to the loss or theft of personal health information.
  • Resources: Links to credit agencies and credit monitoring services as well as the FTC website. Also, a section on COPPA – the Children’s Online Privacy Protection Act – and relevant information surrounding the mining of data on minors. This section also includes links to Fox’s Privacy Compliance & Data Security Blog and its HIPAA, HITECH and Health Information Technology Blog.
The app is available for free in the iTunes Store. To download it, click here.
Over the past decade, Vernick has developed extensive fluency in the rapidly evolving field of privacy and data security. He routinely counsels multinational and mid-sized businesses on how to mitigate risk and overcome the challenges posed by the current state and federal enforcement environment. For several years, Vernick has contributed the “Combating Cyberthreats” section of West/Thomson Reuters’ Data Security and Privacy Law guide, and he is also a frequent commentator for national and local media outlets on current issues related to privacy.
The app is a free download.

“Ah to be on a Cyber-Jury, now that Spring is here.”
Firm Bankrupted by Cyberheist Sues Bank
A state-appointed receiver for the now defunct Huntington Beach, Calif.-based Efficient Services Escrow has filed suit against First Foundation Bank, alleging that the bank’s security procedures were not up to snuff, and that it failed to act in good faith when it processed three fraudulent international wire transfers totaling $1,558,439 between December 2012 and February 2013.
The lawsuit, filed in the Superior Court for Orange County, is the latest in a series of legal battles over whether banks can and should be held more accountable for losses stemming from account takeovers. In the United States, consumers have little to no liability if a computer infection from a banking Trojan leads to the emptying of their bank accounts — provided that victims alert their bank in a timely manner. Businesses of all sizes, however, enjoy no such protection, with many small business owners shockingly unaware of the risks of banking online.
… Efficient Services and its bank were able to recover the wire to Russia, but the two wires to China totaling $1.1 million were long gone. Under California law, escrow and title companies are required to immediately report any lost funds. When Efficient reported the incident to state regulators, the California Department of Corporations gave the firm three days to come up with money to replace the stolen funds.
Three days later, with Efficient no closer to recovering the funds, the state stepped in and shut the company down. [MTBU = 3 (Maximum Time to Belly Up) Bob]

For my geeks...
FREE EBOOK Guide To KDE: The Other Linux Desktop
No password or registration required. Read online or download PDF, EPUB version free of charge; Amazon version $1

Tuesday, January 07, 2014

None of the possible fixes look permanent. I wonder if clients could force a “Product Recall?”
Richard Chirgwin reports:
The new year begins as the old year ended: with yet more vulnerabilities turning up in consumer-grade DSL modems.
A broad hint for any broadband user would be, it seems, to never, ever enable any kind of remote access to the device that connects you to the Internet. However, the hack published by Eloi Vanderbeken at github, here, resets devices to factory default, enabling a remote attack without the password.
Vanderbeken says the backdoor is confirmed in devices from Cisco (under both Cisco and Linksys brands, the latter since offloaded to Belkin), Netgear, Diamond, LevelOne and OpenWAG. According to a post on HackerNews, the common link between the vulnerable devices is that they were manufactured under contract by Sercomm.
Read more on The Register.

Interesting way to dodge the “Privacy Issue.”
In late December 2013, the Department of Defense released a database on the military’s controversial Student Testing Program in 11,700 high schools across the country. An examination of the complex and contradictory dataset raises serious issues regarding student privacy and the integrity of the Student Testing Program in America’s schools.
The data was released after a protracted Freedom of Information Act (FOIA) request.
Pat Elder reports, in part:
53% of all students taking the ASVAB across the country did so under Release Option 1. Students and parents may not determine which release option is used; therefore they cannot opt out of releasing the information individually. Just 15% of students taking the ASVAB had Option 8 selected by school officials.
DoD officials wash their hands of the privacy issue. “Whether or not a school official seeks students’ or parents’ or guardians’ permission is entirely up to that school, and we don’t have anything to say about that at all,” said Curtis Gilroy, the Pentagon’s prior Director of Accession Policy during an NPR Interview in 2010.
Read more on Global Research.

The “victims” are tainted. If there is a mug shot, you must be an ax murderer! But seriously, why can't they charge whatever they want to remove your photo? If their business is based on the number (completeness) of mugshots, removing any would harm their reputation. On the other hand, if they act like extortionists, perhaps that's their business model.
John Caniglia reports that there’s been a settlement in one of the lawsuits filed over online mug shots sites that require payment for removal of the mug shot:
An Ohio lawsuit that gained national attention over Internet sites that make money off jail booking photos has been settled, though a plaintiff’s attorney says he continues to seek out the owner of a key player in the industry.
Three residents sued companies in U.S. District Court in Toledo, claiming the web sites, including and, post the photos and then charge people — in some cases hundreds of dollars — to take them down.
The lawsuit was one of several filed across the country involving the web sites and their use of the photos. Others have been filed in Florida, Illinois and Pennsylvania.
The notice of the settlement, filed Dec. 27, was signed by U.S. District Judge Jack Zouhary but does not go into any detail.
Joseph Centrich, an attorney for Citizens Information Associates LLC, said the agreement called for his client to pay $7,500 and agree to stop charging for the removal of the photos, something he said the company already had done.
While I’m sure this is good news for the plaintiffs, their suit was not able to address the biggest web site involved,, as they are registered in Belize and could not be served in Ohio. And since this is a settlement, we’re still without any precedent as to whether the sites’ conduct was lawful or not – although that might not be a bad thing should it turn out that the First Amendment might protect their offensive behavior.

“There's an App for fat!” Okay, not really an App, but this could be amusing. (From
– allows you to find, track and hopefully eat at the restaurants you see on your favorite Food Network and travel shows like Diners, Drive-Ins and Dives, Man v. Food, Best Thing I Ever Ate, No Reservations, Top Chef and more. With 30 shows and over 2,900 restaurants TV Food Maps is the most comprehensive list of restaurants seen on TV you can find in a single app.

It's what my students do while I'm “flapping my lips.” (From
Console Living Room Now Online
The Internet Archive has added a new section to its Historical Software Collection, with the Console Living Room making hundreds of retro games available to play online directly in a Web browser. The line-up of games includes Pac-Man, Donkey Kong, and Mario Bros, with more due to be added in the future. This will hopefully include some of the classic games that changed the world, but only time will tell.

Monday, January 06, 2014

So, 40,000,000 cards times $9.84 = early retirement!
Deconstructing the $9.84 Credit Card Hustle
Over the holidays, I heard from a number of readers who were seeing strange, unauthorized charges showing up on their credit and debit cards for $9.84. Many wondered whether this was the result of the Target breach; I suppose I asked for this, having repeatedly advised readers to keep a close eye on their bank statements for bogus transactions. It’s still not clear how consumers’ card numbers are being stolen here, but the fraud appears to stem from an elaborate network of affiliate schemes that stretch from Cyprus to India and the United Kingdom.
… But it is difficult to escape the conclusion that this is little more than an elaborate (and probably successful) scam set up to steal little bits of money from lots and lots of people.
By the way, this is not a new type of fraud, nor is this particular fraud a recent occurrence — although the bogus $9.84 charges do appear to have spiked around the holidays. Most of the domains involved in this scheme were registered a year ago or more, and a quick search on the amount $9.84 shows that the fraudsters responsible for this scheme have been at it since at least the first half of 2013.
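The advice Krebs keeps repeating, watch your statements for bogus transactions, is easy to automate for the pattern described here: small charges, often the same odd amount, from merchants you have never dealt with. The following is an added example, not code from the original post or from Krebs. The statement lines and merchant names are constructed; the $9.84 figure is the one reported above, and the threshold and the three detection rules are assumptions made for this example.

```python
"""Flag small recurring 'micro-charge' fraud in a card statement.

Added example (not code from the original post). The statement below is
constructed; the merchant names are placeholders. The $9.84 amount is the one
reported in the post; the $15 threshold and the rules are assumptions.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed statement: date,merchant descriptor,amount (one charge per line).
SAMPLE_STATEMENT = """\
2013-11-04,GROCERY STORE 0412,63.10
2013-11-09,COFFEE SHOP 1234,4.75
2013-12-01,GROCERY STORE 0412,58.92
2013-12-20,ONLINE VENDOR A,9.84
2013-12-22,COFFEE SHOP 1234,5.10
2014-01-02,ONLINE VENDOR B,9.84
2014-01-03,FUEL STATION 5567,41.00
2014-01-05,ONLINE VENDOR C,9.84
"""

# Amounts seen in known micro-charge schemes (the post reports $9.84).
WATCHLIST_AMOUNTS = {Decimal("9.84")}
# Anything at or below this is assumed 'small enough to go unnoticed'.
SMALL_CHARGE = Decimal("15.00")


def parse_statement(text):
    """Return a list of (date, merchant, amount) tuples from CSV-style text."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, merchant, amount = line.split(",")
        rows.append((date.strip(), merchant.strip(), Decimal(amount)))
    return rows


def flag_micro_charges(rows, history_cutoff="2013-12-01"):
    """Return (date, merchant, amount, reasons) for charges that look like
    micro-charge fraud. Charges before history_cutoff are treated as the
    trusted baseline of merchants the cardholder actually uses.

    Rules (assumptions for this example):
      1. the amount is on the watchlist;
      2. the amount is small AND the merchant never appeared in the baseline;
      3. the same small amount hits from three or more distinct merchants.
    """
    baseline = {m for d, m, a in rows if d < history_cutoff}
    recent = [(d, m, a) for d, m, a in rows if d >= history_cutoff]

    # Distinct merchants charging each small amount in the recent window.
    merchants_per_amount = defaultdict(set)
    for d, m, a in recent:
        if a <= SMALL_CHARGE:
            merchants_per_amount[a].add(m)

    flagged = []
    for d, m, a in recent:
        reasons = []
        if a in WATCHLIST_AMOUNTS:
            reasons.append("watchlist amount")
        if a <= SMALL_CHARGE and m not in baseline:
            reasons.append("small charge from unfamiliar merchant")
        hits = merchants_per_amount.get(a, ())
        if len(hits) >= 3:
            reasons.append("same amount from %d merchants" % len(hits))
        if reasons:
            flagged.append((d, m, a, reasons))
    return flagged


if __name__ == "__main__":
    for date, merchant, amount, reasons in flag_micro_charges(
            parse_statement(SAMPLE_STATEMENT)):
        print("%s  %-22s %6s  %s" % (date, merchant, amount, "; ".join(reasons)))
```

Run against the constructed statement, the three $9.84 charges are flagged on all three rules while the familiar coffee-shop charges, which are just as small, are not. The baseline/recent split matters: without a history of known merchants, rule 2 would flag every small purchase and the output would be ignored like any noisy alert.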

I'm sure this is a bad idea. Imagine drivers trying to outdo each other. “I took 'dead man's curve' at 72 MPH. I'll bet you $100 you can't do better!”
Corvette will let owners record, share drives
The 2015 Chevrolet Corvette will have a new system that lets owners record their drives and share the video with friends.
The system uses a windshield-mounted camera, a microphone and a recorder to track data. Drivers can edit the videos to include their speed, location, lap times and other stats.

Can we find the same for Android?
– provides effortless locational privacy when sharing photos. Did you know that GPS location data is stored within each photo? This invisible, uneditable geotag data is embedded into every picture and contains the exact coordinates of where the photo was taken. deGeo is a photo sharing privacy utility that removes the geotags from your photos.
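The blurb's point, that the camera writes GPS coordinates into the photo file itself, is worth seeing at the byte level, because the fix is the same on any platform: the coordinates live in the JPEG's APP1 "Exif" segment, in a GPS IFD that IFD0 points to with tag 0x8825. The following is an added example and not deGeo's code. It uses only the Python standard library, builds a constructed stand-in for a camera JPEG (marker structure only, no real image data, so it will not render), reports whether a GPS IFD is present, and strips the Exif segment. Dropping the whole APP1/Exif segment rather than surgically removing the GPS IFD is a design choice made here for simplicity and robustness; it also removes camera model, timestamps and orientation.

```python
"""Detect and strip EXIF GPS data from a JPEG using only the standard library.

Added example (not deGeo's code). The sample JPEG built below is constructed:
it has the right marker structure but no decodable picture in it.
"""
import struct

APP1, SOS = 0xFFE1, 0xFFDA
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825  # 'GPSInfo' pointer entry in IFD0


def _segments(data):
    """Yield (marker, payload) for each marker segment up to and including SOS,
    then (None, rest) for the entropy-coded scan data and trailing EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        payload = data[pos + 4:pos + 2 + length]  # length covers its own 2 bytes
        pos += 2 + length
        yield marker, payload
        if marker == SOS:
            break
    yield None, data[pos:]


def exif_has_gps(data):
    """True if the JPEG carries an Exif block whose IFD0 points at a GPS IFD."""
    for marker, payload in _segments(data):
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            tiff = payload[len(EXIF_HEADER):]
            endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
            if endian is None:
                return False
            ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
            count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
            for i in range(count):
                entry = ifd0 + 2 + 12 * i  # each IFD entry is 12 bytes
                tag = struct.unpack(endian + "H", tiff[entry:entry + 2])[0]
                if tag == TAG_GPS_IFD:
                    return True
    return False


def strip_exif(data):
    """Return the JPEG with every APP1/Exif segment removed; other segments and
    the image data are copied through untouched."""
    out = [b"\xff\xd8"]
    for marker, payload in _segments(data):
        if marker is None:
            out.append(payload)
        elif marker == APP1 and payload.startswith(EXIF_HEADER):
            continue
        else:
            out.append(struct.pack(">HH", marker, len(payload) + 2) + payload)
    return b"".join(out)


def build_sample_jpeg(with_gps=True):
    """Constructed test input: SOI, APP1/Exif (IFD0 with a Model tag and,
    optionally, a GPSInfo pointer to a tiny GPS IFD), a minimal SOS header,
    fake scan bytes, EOI."""
    e = "<"  # little-endian TIFF ('II')
    entries = [struct.pack(e + "HHI4s", 0x0110, 2, 4, b"cam\x00")]  # Model, ASCII
    gps_ifd = b""
    if with_gps:
        gps_offset = 8 + 2 + 12 * 2 + 4  # header + count + two entries + next-IFD
        entries.append(struct.pack(e + "HHII", TAG_GPS_IFD, 4, 1, gps_offset))
        gps_ifd = (struct.pack(e + "H", 1)
                   + struct.pack(e + "HHI4s", 0x0000, 1, 4, b"\x02\x03\x00\x00")
                   + struct.pack(e + "I", 0))
    tiff = (b"II" + struct.pack(e + "HI", 42, 8)
            + struct.pack(e + "H", len(entries)) + b"".join(entries)
            + struct.pack(e + "I", 0) + gps_ifd)
    exif = EXIF_HEADER + tiff
    app1 = struct.pack(">HH", APP1, len(exif) + 2) + exif
    sos = struct.pack(">HH", SOS, 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app1 + sos + b"\x12\x34\x56" + b"\xff\xd9"


if __name__ == "__main__":
    original = build_sample_jpeg()
    print("GPS in original:", exif_has_gps(original))
    print("GPS after strip:", exif_has_gps(strip_exif(original)))
```

On a real file, `strip_exif(open("photo.jpg", "rb").read())` produces a JPEG any viewer still opens, since decoders ignore the absence of APP1. The one caveat a practitioner should keep in mind is that Exif is not the only place location can hide: XMP (APP1 with a different header) and some vendor MakerNotes can carry it too, so a serious tool strips or rewrites those as well.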

My, my, my. A not so subtle dig at the Infographic.
A Million Lines Of Code: Is It A Lot?

Sunday, January 05, 2014

Would they be in a better position to track terrorists if this all happened in India? Or if they were more like the NSA: “We don't need no stinking treaties!”
Naveen Ammembala has a report on DNA of a hack that may or may not have terrorism connections:
Unidentified callers from a West Asian country managed to hack the firewall of the international video conferencing equipment of an IT company in the city, and make calls to Afghanistan.
Police say that the hacking by the West Asia-based callers was obviously an attempt to communicate with their Afghan associates, while avoiding being detected and located. Police are looking at possible terror links, but refuse to make guesses.
Finding who made the calls could be difficult as Indian police are handicapped by the lack of treaties for exchanging information with police forces in many countries, more so in West Asia.
The anonymous callers hacked the phone lines of Sonata Software Limited, situated at Sonata Towers in Global Village in Pattanegere near Kengeri.
Read more on DNA.

So true...
Despite a recent ruling making it harder for plaintiffs to get statutory damages under the California Medical Information Act, lawyers still seem to be eager to file class action lawsuits against California hospitals. Given California’s stricter breach notification requirements, I can almost see why. See this press release recruiting potential plaintiffs or class members as an example of sharks circling in the water should you have a breach. And then ask yourselves again whether maybe it’s time to start encrypting PHI and doing more to prevent laptops with PHI from being stolen from employees’ unattended vehicles…

(Related) Requiring encryption? Probably not.
Kaiser Health News has a roundup of media coverage on the GOP’s intention to propose legislation requiring more security controls for If you’re a supporter of Obamacare, you’ll likely see this as a move to undercut it. But even if you’re a supporter of Obamacare, is there any merit to the proposal?
This may all be political gamesmanship as usual, but wouldn’t requiring breach notification to individuals in the event of a breach actually be a good thing?
And if Congress is willing to require enhanced security controls and breach notification for a site that doesn’t collect a heck of lot of personal information, how about requiring it for sites that do collect a lot of sensitive personal information?
Will we actually get a federal breach notification law out of this or will this be limited to if it passes? I suspect we should keep a close eye on the bill to see if it’s something that might serve a broader purpose.

Perspective (As usual for Harvard, a bit wordy, but some interesting thoughts.)
Internet Monitor 2013: Reflections on the Digital World
by Sabrina I. Pacifici on January 2, 2014
Internet Monitor 2013: Reflections on the Digital World, Urs Gasser … a collection of essays from roughly two dozen experts around the world, including Ron Deibert, Malavika Jayaram, Viktor Mayer-Schönberger, Molly Sauter, Bruce Schneier, Ashkan Soltani, and Zeynep Tufekci, among others. The report highlights key events and recent trends in the digital space.
“This publication is the first annual report of the Internet Monitor project at the Berkman Center for Internet & Society at Harvard University. Instead of offering a traditional project report, and to mirror the collaborative spirit of the initiative, we compile — based on an open invitation to the members of the extended Berkman community — nearly two dozen short essays from friends, colleagues, and collaborators in the United States and abroad.

Yet another embarrassment of riches. I don't have time to look at every person in detail. If they don't look interesting in 5 seconds, I move on.
100+ Influential Learning Professionals Worth Following
… The below list of influential learning professionals comes via the hard work of Zaid Ali Alsagoff who diligently assembled this list of (at last check) nearly 150 influential learning pros who know a thing or two about the future of education and e-learning.

Humor (sarcasm?) is the best legal defense? I'll wager Starbucks won't push it... Next time I drive east, I'll have to pick up a case or three.
Brewery to Starbucks: Here's $6
A small Missouri brewery has responded to a cease and desist letter from Starbucks by sending the coffee chain giant a check to cover what it calls the profit from use of the word "Frappicino" — a check for $6.
… In his sarcastic response letter, Exit 6 owner Jeff Britton also wrote that the brewery "never thought that our beer drinking customers would have thought that the alcoholic beverage coming out of the tap would have actually been coffee from one of the many, many, many stores located a few blocks away."
Exit 6 posted the letter on its Facebook site and responded with a letter to Kramer and "Mr. Bucks." The letter said Exit 6 would no longer use the term "Frappicino" and would instead refer to its beer as the "F Word."
Britton said in a telephone interview Tuesday that he brewed up a new batch of "The F Word" last Friday. By then, the dispute was already drawing attention on social media, and the beer sold out in three hours.