Saturday, February 15, 2014

Just in case you needed another example of how big this breach was...
The Target breach is having some effects we might not normally anticipate. Stephen Dean reports that the bank that issues debit cards used for state unemployment benefits has been so tied up reissuing credit and debit cards from the Target breach that people waiting for unemployment debit cards have been delayed in receiving them. And the problem is not just confined to Indiana, Dean reports.


As I suggested yesterday, I think a reasonable person, once notified that their personal data may have been taken, would take steps to prevent or at least mitigate future harm. How is this expense not the direct result of the breach?
I had noted the Galaria opinion and order over on databreaches.net, but Judy Selby has a discussion of the ruling in terms of the impact of the Supreme Court’s ruling in Clapper that is worth noting here:
Article III standing has once again proved to be an insurmountable hurdle for data breach class action plaintiffs whose personal information hasn’t been misused. In Galaria v. Nationwide Mutual Insurance Co., an Ohio federal court relied on the United States Supreme Court’s decision in Clapper v. Amnesty Intern. USA, 133 S.Ct. 1138 (2013), and held that the plaintiffs did not sustain an injury sufficient to confer standing to sue Nationwide following a 2012 hacking incident during which their personally identifying information (PII) was stolen.
The plaintiffs alleged that as a result of the breach, they incurred and will continue to incur damages consisting of
(1) the imminent, immediate, and continuing increased risk of identity theft, identity fraud and/or medical fraud;
(2) out-of-pocket expenses to purchase credit monitoring, internet monitoring, identity theft insurance and/or data breach risk mitigation products;
(3) out-of-pocket expenses incurred to mitigate the increased risk of identity theft, identity fraud and/or medical fraud, including the costs of placing and removing credit freezes;
(4) the value of time spent mitigating the increased risk of identity theft, identity fraud and/or medical fraud;
(5) the substantially increased risk of being victimized by phishing;
(6) loss of privacy; and
(7) deprivation of the value of their PII.
The court grouped those alleged damages into three categories:
(1) increased risk of harm/cost to mitigate increased risk;
(2) loss of privacy; and
(3) deprivation of value of PII.
The plaintiffs asserted claims for violation of the Fair Credit Reporting Act (FCRA), negligence, invasion of privacy and bailment, but they did not allege that their PII was misused or that their identity was stolen. Nationwide moved to dismiss the complaint based on lack of standing and failure to state a claim.
Read more on Data Privacy Monitor.


Good on ya, India!
Shalini Singh reports:
The Parliamentary Standing Committee on Information Technology in its report titled “Cyber-Crime, Cyber Security and Right to Privacy”, which was submitted on February 10, has admonished the Government for dragging its feet on a privacy legislation.
[...]
The Committee rejected outright the government’s contention that the IT Act was sufficient to protect the privacy of citizens and human rights. The Committee, after receiving the evidence, not only expressed its “extreme” displeasure, but in fact accused the Government of having “diverted the issue stating that the Department of Personnel and Training is still in the process of evolving legislation to address concerns of privacy, in general, and it is still at drafting stage.”
Read more on The Hindu BusinessLine.


Something my Computer Security students could use.
Apple Publishes Secure Coding Guide for Developers
Apple has published a new guide designed to help developers of Mac OS and iOS applications build more secure programs by design.
“Secure coding is important for all software; if you write any code that runs on Macintosh computers or on iOS devices, from scripts for your own use to commercial software applications, you should be familiar with the information in this document,” Apple advised in the 123-page guide.
The Secure Coding Guide from Apple is available online in HTML format or as a PDF file.


For my students to explore... I'll share just one idea.
7 Really Free Things You Can Do On Amazon Without Spending A Single Dime
… Boost Your Online Visibility
Reputation too. Amazon is a social network under the surface. There may not be friend lists and status updates, but there’s a lot you can do to make your voice heard around the community. It starts with creating a public profile after you log into Amazon.com with an account. Anything you do on Amazon will be tied to this profile. The obvious way to get some online cred is through relevant and responsive reviews. It helps all the more if you can craft the review like a small blog post with helpful hints and tips. Expert online reviewers are a breed of their own and they influence many a buying decision. An interesting study in 2012 found that Amazon consumer reviews are just as good as professional experts when it comes to determining quality of books.
Become a trusted Amazon Vine reviewer and see how you get free stuff from Amazon. You can also create a So You’d Like to… guide to share your advice, experiences, and product recommendations with consumers.


Something for Valentine's Day. True or not?
All Romantic Relationships Are Digital Now
According to a new Pew Internet survey, 72 percent of American adults who are seriously partnered—married or otherwise—say the Internet has had “no real impact at all” on their relationship.


Well, I like to read it.
Miami-Dade County says that it’s moving forward with the school district’s plans for a massive 1:1 computing roll-out, starting this spring. The $200,000 initiative will distribute Hewlett Packard and Lenovo Windows 8 devices. More via Education Week.
Linux.com highlights the move of Penn Manor High School in Lancaster, Pennsylvania to laptops that run Ubuntu. “We encourage our students to install software and lift the hood of the system to better understand what makes it tick,” says the district’s IT director.
Meanwhile, in Los Angeles… bwa ha ha ha ha! Oh, and LAUSD school officials “have failed for now in their efforts to get full access to a digital curriculum that the school system purchased in June,” reports The LA Times.
… The code-sharing site GitHub announced GitHub for Education with discounts for students and teachers. [Also some free access. Bob]

Friday, February 14, 2014

Start grabbing control of military computers by infecting individual users as they drop by public websites, then let them carry the infection back to their secure computers.
New IE 10 Zero-Day Used in Watering Hole Attack Targeting U.S. Military
Security researchers from FireEye have discovered a new IE 10 Zero-Day exploit (CVE-2014-0322) being used in a watering hole attack on the US Veterans of Foreign Wars’ website.
FireEye believes the attackers behind the campaign, thought to be operating out of China, are associated with two previously identified campaigns: Operation DeputyDog and Operation Ephemeral Hydra.
According to FireEye, attackers compromised the VFW website and added an iframe to the site’s HTML code that loads the attacker’s page in the background. When the malicious code is loaded in the browser, it runs a Flash object that orchestrates the remainder of the exploit.


“If we had to tell you about every surveillance tool, we'd never have time for donuts!”
Erica Meltzer reports:
Boulder has installed three cameras on the municipal campus and has been continuously videotaping the area between the municipal building and the Main Public Library and the area to the east of the municipal building since the beginning of the year.
Boulder Police Chief Mark Beckner agreed to discuss the cameras after the Camera filed a public records request in response to an accidental mention of them at a City Council meeting Tuesday.
Read more on Daily Camera.


This should be easy to implement, after all it's just “vehicle metadata,” it doesn't reveal anything about the “contents” of the car. (It could be a terrorist or a soccer mom.) Besides, we absolutely need this data because it could be a terrorist or a soccer mom!
Paul Joseph Watson writes:
The Department of Homeland Security is set to activate a national license plate tracking system that will be shared with law enforcement, allowing DHS officers to take photos of any license plate using their smartphone and upload it to a database which will include a “hot list” of “target vehicles”.
The details are included in a PDF attachment uploaded yesterday to the Federal Business Opportunities website under a solicitation entitled “National License Plate Recognition Database.”
Read more on Infowars.com.

(Related) Clearly there is big money in license plate readers. Perhaps their lobbyists convinced the DHS they need them? Perhaps lobbyists write DHS policy! (No one else seems to.)
Jack Gillum of Associated Press reports:
The surveillance industry is fighting back. A company that makes automated license plate readers sued Utah’s government Thursday over a new law there intended to protect drivers’ privacy.
Digital Recognition Network Inc. of Fort Worth, which makes license-plate readers that rapidly scan the tags of passing vehicles, argues that a new state ban on license-plate scanning by private companies infringes on its free-speech rights to collect and disseminate the information it captures, and has effectively put it out of business there.
Read more on Telegram.com.

(Related) If the same ratio holds, DHS could have 3.8 billion records in 18 months! Some might even be useful!
As of the 2013 census, Vermont has a population of approximately 626,000.
And yet the Vermont State Police have a database of almost 8 million location records they collected during the period July 2012 – December 2013. The records were compiled from the 61 Automated License Plate Readers (ALPR) in the state, and the data can be requested by state, local, and federal agencies. Federal requests were mostly from the Border Patrol. [Keeping us safe from Canadians! Bob]
You can read more about Vermont’s law, its data retention provisions, and details of data requests and the reasons for them in this report filed by the State Police with the state legislature.


Perhaps the bill for discussing this with your lawyer would constitute “Harm?”
idRADAR reports that (no surprise) Neiman Marcus has moved to dismiss a potential class action lawsuit stemming from its recently disclosed data breach.
Unlike other lawsuits where lead plaintiffs haven’t even experienced any fraudulent use of their data, the plaintiff in this case had incurred fraudulent charges on her card – which she attributes to the Neiman Marcus breach. But because of the card issuer’s zero liability assurances, Neiman Marcus was able to argue in its motion to dismiss that she has not experienced any unreimbursed harm, and therefore has no standing.


There must be some sites/resources that already do this, right? Someone must be collecting “Best Practices” for lawyers.
One of the recurring themes by commenters on this blog is that they got a breach notification that offered them free credit monitoring services, but:
1. They can’t access the site they’re directed to;
2. They are alarmed that the site asks them for their personal information; and/or
3. They have no reason to trust that site or company because there’s nothing on the site that inspires that trust or confidence.
By now, I’d have hoped businesses would have addressed this in their planning and notification letters, but that doesn’t appear to have happened. So in the interest of getting the word out to law firms that help their clients write breach notification letters or entities who are otherwise involved in breach responses:
Try to see this process through the letter recipient’s eyes. Assume they have never heard of the credit monitoring service or company you have made arrangements with and tell the recipients why they should trust them.
Tell them that they will be required to provide that company with personal information such as date of birth and Social Security number – and explain that it really is necessary, and why.
Explain that you are not being lazy and would love to do this for them, but you cannot sign people up for the free service because [insert explanation here].
Ensure that the firm you have contracted with can handle the load on their site and server so that it doesn’t crash repeatedly and frustrate your customers or employees even more.
Ensure that the firm you have contracted with has a web site that explains who the firm is and their background in providing credit monitoring services. Is their contact information prominently posted so that nervous customers can call them easily? Even if it is, do include their phone number in your notification letter for inquiries.
Gee, I would have thought much of the above should be pretty obvious, but apparently it needs to be said – and repeated – until everyone gets the message.

(Related) Does “Notification” need to include “All” the details, or just “You may be impacted, stay alert”?
Craig Hoffman and Charlie Shih write:
One of the first questions companies ask us when we are hired to help them respond to a new security incident is how fast they have to notify if the investigation shows that a “breach” occurred. Except for a couple of states that require notification to occur no later than 45 days after discovery, there is not a bright-line, objective answer. Most state breach notification laws require notification to occur as soon as reasonably possible and without undue delay subject to some qualifications.
Read more on Data Privacy Monitor.


For my Computer Security students. If you don't bother to measure, you may be asked in court why your security rated 18 on a scale of 0-100...
Introduction and Welcome - Security Metrics
This is the beginning of a series of postings I'll be doing on security metrics. It's a topic that I don't think we, as a community, have a particularly good grasp of – probably because security, as a field, is only just beginning to professionalize to the point where (in some markets) it's getting more than a nod as a necessary evil.
During the course of this series I'm going to hit on a range of topics from why metrics are important and what they are, to bottom-up analysis of your business process, and top-down analysis of your mission, then the problems of normalization and data-sharing, as well as suggestions on how to present data.


For the Tools & Techniques folder...
Turn Windows Into A WiFi Hotspot & Share Your Internet Connection
The key component in this process is making sure that your Windows computer has a wireless network card. If you have that installed properly, then you can turn your Windows computer into a WiFi hotspot and share your Internet connection.


For my students.
Slidebean is an easy way to create beautiful presentations. Focus on your content. Slidebean handles the rest. Take your presentation ideas and structure your keynote. Select one of our beautiful presentation templates tailored to the needs of each audience. Present from any web browser on your computer, tablet or smartphone. Slidebean works seamlessly on desktop, tablet and mobile devices.


For some of my students (they know who they are) Also useful for prank calls at 2AM?
is a service where you can schedule a wake-up call. This is useful if you don’t have an alarm clock, or if you need a guarantee that you will wake up on time for an important appointment. Just enter your phone number, the date and time you want the call, and even specify if you want a man or a woman’s voice! You can even be told the weather.


For my students
Hemingway Helps You Analyze Your Writing
Hemingway is a free tool designed to help you analyze your writing. Hemingway offers a bunch of information about the passage you've written or copied and pasted into the site. Hemingway highlights the parts of your writing that use passive voice, adverbs, and overly complex sentences. All of those factors are accounted for in generating a general readability score for your passage.
Hemingway is the kind of tool that I like to have students use before exchanging papers with classmates for peer editing. Hemingway acts as a kind of "virtual peer" before the peer editing process. I would also have students use Hemingway before turning in their final drafts for a grade.
StoryToolz offers a tool similar to Hemingway that you may also want to check out.


For teachers trying to “flip the classroom” and for my students who find that I don't know everything – that's pretty much all of them after the first week of class...
OpenEd Releases an iPad App for Finding and Sharing Educational Videos and Games
OpenEd.io is a free service that launched in October of 2013 for the purpose of offering a huge catalog of educational videos, games, and assessments. One of the services OpenEd.io offers is the option for teachers to create courses and collections of resources to share with their students. This week OpenEd released a free iPad app for teachers and students.
Teachers can use the free iPad app to locate videos, games, and assessments. Teachers can search for materials according to standard, content area, grade level, and material type.
Students can use the free OpenEd iPad app to log into the courses that they are members of and view the materials that their teachers have shared with them.
The OpenEd iPad app is a great complement to everything else that OpenEd offers. As a registered OpenEd user (registration is free and takes less than thirty seconds to complete) you can create courses and playlists of videos and other materials that you find in the OpenEd directory. You can align your courses and playlists to standards. Adding assessments to your courses could be a good way to provide your students with some self-study / self-quiz materials to review before coming into your classroom.


For my Math geeks: I make that enough to power 400,000 DeLorean time machines, since they use a mere 1.21 gigawatts! (Enter “1.21 gigawatts” into WolframAlpha.com)
High-Powered Lasers Deliver Fusion Energy Breakthrough
The power of the sun has edged a little closer to Earth. Under x-ray assault, the rapid implosion of a plastic shell onto icy isotopes of hydrogen has produced fusion and, for the first time, 170 micrograms of this superheated fusion fuel released more energy than it absorbed.
… Employing 1.9 megajoules in slightly more than a nanosecond, the lasers deliver 500 terawatts of power inside the hohlraum (a terawatt is a trillion watts).

Thursday, February 13, 2014

How much do you depend on rapid responses to your customers? What if those responses slowed way, way, way down? Note: One gigabit is 894,784 pages of text so 400 gigabits is 357 million pages – and that happens every second!
John Glenday reports:
The largest computer hack ever conducted has reportedly taken place after servers across Europe were inundated with spam in a concerted effort to bring them down.
Exploiting loopholes in the Network Time Protocol, a system used to synchronise the internet, attackers were able to flood servers with around 400 gigabits of data every second.
Read more on The Drum.
[From the article:
A flaw in this system means that a computer seeking to synchronise itself must make a request to the NTP which will subsequently reply. The amount of data fired back is larger than that sent however, amplifying the effects of any attack.
Hackers are also able to fool the NTP into returning the data to a different computer.
One security analyst, Matthew Prince of CloudFlare, described the attack as ‘the start of ugly things to come’, warning that ‘Someone has a big new cannon’ to smite networks with.
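The mechanism the article describes (a small request to UDP/123 that draws a much larger reply, sent "from" a spoofed address) leaves a visible signature in an NTP operator's own flow records. The script below is an added example, not code from the article or from any vendor named above; the flow lines, addresses and byte sizes are constructed for illustration, and the 8-byte/440-byte figures are assumed rather than taken from the page.

```python
"""Spot NTP reflection/amplification in summarised flow records.

Viewpoint: the operator of NTP server 192.0.2.10 reviewing its UDP flows.
An amplification victim appears as a "client" that sends tiny requests and
receives far more bytes in reply than it ever sent, because the requests
carry the victim's spoofed source address.
"""
from collections import defaultdict
import re

NTP_PORT = 123

# One summarised UDP flow per line: timestamp, src:port -> dst:port, bytes.
FLOW_RE = re.compile(r"^(\S+)\s+udp\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+(\d+)$")

# Constructed sample (not captured traffic). 10.0.0.5 does ordinary time
# sync: 48-byte request, 48-byte reply. 203.0.113.7 is a spoofed source:
# assumed 8-byte control queries answered with assumed 440-byte replies.
SAMPLE_FLOWS = """\
12:00:01 udp 10.0.0.5:51000 -> 192.0.2.10:123 48
12:00:01 udp 192.0.2.10:123 -> 10.0.0.5:51000 48
12:00:02 udp 203.0.113.7:4000 -> 192.0.2.10:123 8
12:00:02 udp 192.0.2.10:123 -> 203.0.113.7:4000 440
12:00:02 udp 203.0.113.7:4000 -> 192.0.2.10:123 8
12:00:02 udp 192.0.2.10:123 -> 203.0.113.7:4000 440
12:00:02 udp 203.0.113.7:4000 -> 192.0.2.10:123 8
12:00:02 udp 192.0.2.10:123 -> 203.0.113.7:4000 440
12:00:02 udp 203.0.113.7:4000 -> 192.0.2.10:123 8
12:00:02 udp 192.0.2.10:123 -> 203.0.113.7:4000 440
12:00:02 udp 203.0.113.7:4000 -> 192.0.2.10:123 8
12:00:02 udp 192.0.2.10:123 -> 203.0.113.7:4000 440
this line is garbage and is skipped
12:00:03 udp 10.0.0.5:51000 -> 192.0.2.10:123 48
12:00:03 udp 192.0.2.10:123 -> 10.0.0.5:51000 48
"""


def parse_flow(line):
    """Return a dict for a well-formed flow line, or None for anything else."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    ts, src, sport, dst, dport, nbytes = m.groups()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def amplification_by_client(lines):
    """Per apparent client: request count, bytes sent to NTP, bytes received.

    'ratio' is reply bytes divided by request bytes; ~1.0 for real time sync,
    large for a reflected attack aimed at that address.
    """
    stats = defaultdict(lambda: {"requests": 0, "req_bytes": 0, "resp_bytes": 0})
    for line in lines:
        f = parse_flow(line)
        if f is None:          # malformed record: skip, do not crash the sweep
            continue
        if f["dport"] == NTP_PORT:        # client -> server (source may be spoofed)
            s = stats[f["src"]]
            s["requests"] += 1
            s["req_bytes"] += f["bytes"]
        elif f["sport"] == NTP_PORT:      # server -> client: this is what the victim absorbs
            stats[f["dst"]]["resp_bytes"] += f["bytes"]
    for s in stats.values():
        s["ratio"] = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else float("inf")
    return dict(stats)


def flag_amplification(lines, min_ratio=10.0, min_requests=3):
    """Addresses whose replies dwarf their requests are likely spoofed victims."""
    return sorted(client for client, s in amplification_by_client(lines).items()
                  if s["ratio"] >= min_ratio and s["requests"] >= min_requests)


if __name__ == "__main__":
    for client, s in amplification_by_client(SAMPLE_FLOWS.splitlines()).items():
        print(f"{client:15} requests={s['requests']} ratio={s['ratio']:.1f}")
    print("flagged:", flag_amplification(SAMPLE_FLOWS.splitlines()))
```

A flagged address is the party being attacked, not the attacker: the right response is to rate-limit or stop answering the amplifying query type, not to block the "client".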


Will this make South Korea more secure?
Yonhap News reports that in addition to some stiff penalties imposed by its financial regulator on credit card firms who suffered data leaks, the government continues to look at ways to strengthen the protection of private data:
In a report to the parliament, FSC chairman Shin Je-yun said the regulator plans to suspend the card firms’ operations for three months, barring them from taking applications for new plastic cards or selling financial products.
“Top executives of the credit card firms will face harsher punishment as well, including dismissals,” Shin told legislators.
Following the largest-ever data leak, the government has been working to revise bills on personal information protection. One possible measure is ordering phone operators to block off lines used in illegal financial marketing activities and financial frauds, known as “voice phishing.”
[...]
Also, the financial regulator is pushing to strengthen monitoring of staff at financial companies and their contractors involved in customer data management, and bar financial firms from sharing client data with their affiliates beyond a set limit.
Read more on Yonhap News.


So many “worst practices” in one place, so few people disciplined. Really poor choice of metaphor. Can you imagine a “perfect storm” where no one notices that it is raining? Who designed a system where any individual can bypass all the security? Looks more like there was never adequate security.
David E. Sanger and Eric Schmitt report:
The director of national intelligence acknowledged Tuesday that nearly a year after the contractor Edward J. Snowden “scraped” highly classified documents from the National Security Agency’s networks, the technology was not yet fully in place to prevent another insider from stealing top-secret data on a similarly large scale.
The director, James R. Clapper Jr., testifying before the Senate Armed Services Committee, said Mr. Snowden had taken advantage of a “perfect storm” of security lapses. He also suggested that as a highly trained systems administrator working for Booz Allen Hamilton, which provides computer services to the agency, Mr. Snowden knew how to evade the protections in place.
Read more on New York Times.


Much ado about nothing? How would we define “Success?” “Gentlemen do not read other gentlemen's mail?”
FoxNews reports:
Sen. Rand Paul on Wednesday announced what he described as one of the largest class-action lawsuits in history, taking President Obama and top intelligence officials to court over National Security Agency surveillance.
“This, we believe, will be a historic lawsuit,” the Kentucky Republican said. The suit, joined by conservative advocacy group FreedomWorks, was filed in U.S. District Court in the District of Columbia.
Read more on FoxNews.


From my perspective, these “agreements” (contracts) are far more complicated than the technology they address.
Erin McCann reports:
To all the developers building applications in the cloud that need to comply with HIPAA privacy rules: You’ve just gained a big ally.
Internet behemoth Google recently announced its cloud platform will now be HIPAA-friendly and will support business associate agreements going forward.
Read more on Healthcare IT News.


Another document for my extensive e-collection.
NIST Releases Cyber Security Framework for Critical Industries
The National Institute of Standards and Technology (NIST) issued today the final version of a set of cybersecurity guidelines meant to help critical industries better protect themselves.
The Cybersecurity Framework came out of the executive order issued by President Barack Obama last year that in part directed NIST to come up with a set of voluntary cybersecurity standards for critical infrastructure companies. What NIST has developed however can be applicable to enterprises of all shapes and sizes.


For my students
How To Open Strange File Types In Windows
… Sometimes, both Windows and the user are clueless as to how to open a strange file. A Google search or an online tool like FILExt will quickly shed light on the kind of file you’re dealing with. But what’s the best way to open it?
Warning: Depending on the source, the file you are trying to open could contain malware! If you have doubts about the origin or content, check the file using your malware scanner before you proceed.

Wednesday, February 12, 2014

One of those, “Can this happen here?” questions.
John E. Dunn reports:
A small US law firm has bravely admitted losing its entire cache of legal documents to the Cryptolocker Trojan despite attempting to pay the $300 (£180) ransom in a bid to have them unscrambled.
According to TV reports, Goodson’s law firm in the North Carolina state capital Charlotte [The Law Offices of Paul M. Goodson, P.C.] became the latest victim of a malware menace that was custom-written to lever ransom money from precisely this type of relatively cash-rich but time-poor firm.
Read more on Computerworld UK.

This is not what I expected. Aaron's has settled with the FTC but if they had this software on all the computers they rented, didn't tell their customers, and took 185,000 photos, how is this NOT a class?
Associated Press reports the latest development in a lawsuit I’ve been following on this blog because consumers sued Aaron’s over spyware on their computers:
A federal magistrate has recommended against class-action status for a lawsuit filed over spyware installed on computers leased from furniture renter Aaron’s Inc.
If accepted by a federal judge, the recommendation would mean the lawsuit would be reduced to the original claim filed by Crystal and Brian Byrd of Casper, Wyo.
Read more on New Haven Register.

(Related) ...but this is nothing new.
Back in November 2012, Nationwide Mutual Insurance disclosed an attack on their network that compromised customers’ personal information. The breach turned out to be pretty large, with over 1 million affected.
Two potential class action lawsuits were filed following the breach, including Galaria v. Nationwide and Hancox v. Nationwide. The Hancox case was transferred to the Southern District of Ohio in March and consolidated with the Galaria complaint.
Now Judge Watson has granted Nationwide’s motion to dismiss both suits. To cut to the chase: as other courts have held, unless the named plaintiffs can demonstrate injury-in-fact (e.g., if their information had been misused) or impending as opposed to speculative harm, they’re not going to survive a motion to dismiss.
I’ve uploaded the court’s opinion and order here (pdf), and am trying to find out whatever happened to the California Insurance Commission’s investigation of the breach. I’ll update this post if/when I get an answer from the Commission.


Is this all they can think of?
7 Industries Drones Are Set to Revolutionize
… But I’d like to introduce you to seven industries that are ready and braced to be (mostly positively) impacted – if not revolutionized – by the technological progress that’s surrounding drones right now. While you’re reading, why not think about how drones might impact your own industry?


I usually wait for these to settle into their final form, but this one might be interesting in draft.
HR 3696 the National Cybersecurity and Critical Infrastructure Protection Act of 2013
by Sabrina I. Pacifici on February 11, 2014
H.R. 3696, (Mr. McCaul) To amend the Homeland Security Act of 2002 to make certain improvements regarding cybersecurity and critical infrastructure protection, and for other purposes. The “National Cybersecurity and Critical Infrastructure Protection Act of 2013”. Full text of H.R. 3696, as introduced [PDF]


Interesting article. What would it be worth to prevent/avoid half of a company's lawsuits? Even 10%?
PreSuit: How Corporate Counsel Could Use “Smart Data” to Predict and Prevent Litigation


Another “Big Data and the law” article.
UK – Big Data for Law
by Sabrina I. Pacifici on February 11, 2014
“The National Archives has received ‘big data’ funding from the Arts and Humanities Research Council (AHRC) to deliver the ‘Big Data for Law‘ project. Just over £550,000 will enable the project to transform how we understand and use current legislation, delivering a new service – legislation.gov.uk Research – by March 2015. There are an estimated 50 million words in the statute book, with 100,000 words added or changed every month. Search engines and services like legislation.gov.uk have transformed access to legislation. Law is accessed by a much wider group of people, the majority of whom are typically not legally trained or qualified. All users of legislation are confronted by the volume of legislation, its piecemeal structure, frequent amendments, and the interaction of the statute book with common law and European law. Not surprisingly, many find the law difficult to understand and comply with. There has never been a more relevant time for research into the architecture and content of law, the language used in legislation and how, through interpretation by the courts, it is given effect. Research that will underpin the drive to deliver good, clear and effective law. Researchers typically lack the raw data, the tools, and the methods to undertake research across the whole statute book. Meanwhile, the combination of low cost cloud computing, open source software and new methods of data analysis – the enablers of the big data revolution – are transforming research in other fields. Big data research is perfectly possible with legislation if only the basic ingredients – the data, the tools and some tried and trusted methods – were as readily available as the computing power and the storage. The vision for this project is to address that gap by providing a new Legislation Data Research Infrastructure at research.legislation.gov.uk. 
Specifically tailored to researchers’ needs, it will consist of downloadable data, online tools for end-users; and open source tools for researchers to download, adapt and use.”


For my students, all of whom will get great jobs and earn more money than they can possibly spend.
Pew – The Rising Cost of Not Going to College
by Sabrina I. Pacifici on February 11, 2014
“For those who question the value of college in this era of soaring student debt and high unemployment, the attitudes and experiences of today’s young adults—members of the so-called Millennial generation—provide a compelling answer. On virtually every measure of economic well-being and career attainment—from personal earnings to job satisfaction to the share employed full time—young college graduates are outperforming their peers with less education. And when today’s young adults are compared with previous generations, the disparity in economic outcomes between college graduates and those with a high school diploma or less formal schooling has never been greater in the modern era… The economic analysis finds that Millennial college graduates ages 25 to 32 who are working full time earn more annually—about $17,500 more—than employed young adults holding only a high school diploma. The pay gap was significantly smaller in previous generations. College-educated Millennials also are more likely to be employed full time than their less-educated counterparts (89% vs. 82%) and significantly less likely to be unemployed (3.8% vs. 12.2%).”

Tuesday, February 11, 2014

How big is the biggest breach ever?
Target Breach Cost Credit Unions $30M: NAFCU
The trade organization’s February Economic & CU Monitor survey also found that among those surveyed, the average credit union cost for the Target data breach was $45,000.

(Related)
Banks spent $172m on reissuing credit cards affected by Target breach
The report by CBA highlights that approximately 110,000,000 customers were affected until now, nearly 17,206,844 cards have been replaced, which cost them $172,068,440.

(Related)
Fraud hits one in three data-breach victims
According to a report released Wednesday by market-research firm Javelin Strategy & Research, there was a new identity fraud victim roughly every two seconds in 2013; identity fraud is the “unauthorized use of another person’s personal information to achieve illicit financial gain,” according to the report, and can range from using a stolen credit card to opening a new account in another person’s name. What’s more, there were 500,000 more fraud victims in 2013 than in 2012 (13.1 million vs. 12.6 million)—the second highest number since the study began in 2006.


Can it be done? Certainly. Why would anyone do it? Clearly there is no value in doing this, or companies would already be doing it. Will the government ask companies to voluntarily save the data? Are they that detached from reality? If not, would they be willing to make it profitable to store data? If not, would they (we taxpayers) at least pay the actual costs? (Can I buy all the storage you already have and lease it back to you profitably? Look for Google to offer just that!)
John Ribeiro reports:
The U.S. government has asked industry for information on whether commercially available services can provide a viable alternative to the government’s holding bulk phone records for a program of the National Security Agency.
The government’s collection of bulk phone records under Section 215 of the Patriot Act has been at the center of a privacy controversy since June last year when former NSA contractor Edward Snowden revealed that the agency was collecting bulk telephony metadata in the U.S. from Verizon.
Read more on Computerworld.
Related: RFI – Telephony Metadata Collection Program (Office of the Director of National Intelligence)


“Permissible uses” require you to have the data, so collection is not reduced. I don't see any change, do you?
If you’ll recall last month, in conjunction with his January 17th speech on U.S. signals intelligence reform, President Obama issued Presidential Policy Directive/PPD-28 – Signals Intelligence Activities. Generally speaking, PPD-28 set forth guiding principles for the U.S. signals intelligence collection. If you’re interested in reading more in depth about the directive, Ben Wittes provided a helpful overview of PPD-28 over at Lawfare last month.
Among other things, PPD-28 directed the Director of National Intelligence to “maintain a list of permissible uses of signals intelligence collected in bulk” and further to make the list “publicly available to the maximum extent feasible, consistent with the national security.” Today, at IC on the Record (the Office of the DNI’s official Tumblr page), DNI Clapper publicly released the List of Permissible Uses of Signals Intelligence Collected in Bulk (entire statement is reprinted after the jump). So for what purposes can the government use bulk collected data? Here is the complete list:
  • Espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests;
  • Threats to the United States and its interests from terrorism;
  • Threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction;
  • Cybersecurity threats;
  • Threats to U.S. or allied Armed Forces or other U.S. or allied personnel; and
  • Transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named above.


For my geeky students... It's like having a portable desktop computer on your thumb drive. (I prefer option 3)
Running Linux from USB: Are You Doing It Right?
You’ve probably heard about live Linux environments on USB drives, but did you know that you can also keep data persistent or even do a full install on the USB drive? Here are your three options for carrying Linux in your pocket. Find out which method is best for you.
Write a Live ISO to USB
Enable Persistent Data
Do A Full Install to USB
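Option 1 is the one most people start with, and the step the article's summary leaves out is the one that matters most: check the image before you write it, and make sure you are writing to the stick and not to your system disk. The script below is an added example written for this post, not code from the linked article. It assumes a Linux host with GNU coreutils (sha256sum, dd) and the /sys/block tree, and that the expected SHA-256 value is copied from the distribution's signed SHA256SUMS file (verifying that file's GPG signature is a separate step this script does not perform). Persistence (option 2) and a full install (option 3) are distribution-specific and are not covered here.

```shell
#!/bin/sh
# Added example: guarded "write a live ISO to USB" workflow.
# Two checks run before a single byte is written:
#   1. the ISO hashes to the published SHA-256 (tampered or truncated download -> refuse);
#   2. the target is a whole disk the kernel marks removable (typo like /dev/sda -> refuse).
# Assumptions: GNU sha256sum/dd, Linux /sys/block; hash taken from the distro's signed list.

# verify_iso ISO EXPECTED_SHA256 -> exit 0 only if the file hashes to EXPECTED_SHA256
verify_iso() {
    iso=$1
    expected=$2
    [ -f "$iso" ] || return 1
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# is_removable /dev/sdX -> exit 0 only for a whole disk flagged removable in sysfs.
# Partitions (/dev/sdb1) are not listed under /sys/block, so they are rejected too:
# a live image must go to the whole device, not into an existing partition.
is_removable() {
    dev=${1#/dev/}
    case "$dev" in
        ""|*/*) return 1 ;;               # empty or nested path: not a device name
    esac
    [ -d "/sys/block/$dev" ] || return 1  # not a whole disk known to the kernel
    [ "$(cat "/sys/block/$dev/removable" 2>/dev/null)" = "1" ]
}

# write_iso ISO DEVICE EXPECTED_SHA256 -> runs dd only if both checks pass
write_iso() {
    iso=$1
    dev=$2
    expected=$3
    if ! verify_iso "$iso" "$expected"; then
        echo "refusing to write: $iso does not match the expected SHA-256" >&2
        return 1
    fi
    if ! is_removable "$dev"; then
        echo "refusing to write: $dev is not a removable whole disk" >&2
        return 1
    fi
    # conv=fsync makes dd wait for the data to reach the stick before reporting success,
    # so pulling the drive right after the command ends does not leave a half-written image.
    dd if="$iso" of="$dev" bs=4M conv=fsync status=progress
}

# Usage: sh write-live-usb.sh image.iso /dev/sdX <sha256-from-signed-SHA256SUMS>
if [ "$#" -eq 3 ]; then
    write_iso "$1" "$2" "$3"
fi
```

Run it as root (dd needs write access to the raw device) and pass the hash string rather than relying on the file name: a renamed or re-served image with a matching name is exactly what the checksum step is there to catch. Note that the removable flag is set by the kernel from what the USB controller reports, so an external drive in a dock may show up as non-removable; in that case check the device with lsblk by hand rather than weakening the check.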


Something to harass my Math students with.
– How good are you at mental arithmetic? That’s what a site like Speedsums aims to find out. It will ask you a rapid-fire set of arithmetic questions, and you have to answer as fast as possible and beat the timer. Apparently anything below 30 is “embarrassing”. It becomes slightly addictive as you go on, and it suddenly makes math interesting.

(Related) An Android App for my students who hate fractions. Shows step-by-step solutions! (We could run these on our desktops using the BlueStacks emulator.)
– DLD Calc is a free, smart, step-by-step fractions calculator that solves any fraction operation in the same way you would.
Considered the best fractions calculator, DLD Calc develops and simplifies fractions in the best possible way, saving you a lot of time solving extremely large problems. You can use it to solve your mathematics problems in your school.


I don't think they will bankrupt us, but we should keep a Coast Guard ship nearby in case this “Brown Water” navy finds the blue waters of the Atlantic a bit much to handle. (See the picture accompanying this article) Think of them sailing into an ice storm off the Georgia coast.
Iran sending warships close to US borders

Monday, February 10, 2014

Update. This must be very frustrating for the FBI but the stakes seem to be rising also. What happens if the court tosses out their evidence? (Read the article!)
Dennis Wagner reports:
In spring 2008, FBI agents were struggling to identify a criminal who electronically filed hundreds of fraudulent tax returns, ripping off the federal government for more than $3 million.
Investigators and informants started referring to their phantom bad guy as “the Hacker.” Prosecutors persuaded a federal grand jury in Arizona to secretly indict him, even without a name, and agents traced his computer to Northern California.
The Hacker continued to cash in tax refunds using the pseudonym “Travis Rupert,” with help from accomplices who did not know his real identity.
That April, FBI agents arrested one of the associates and persuaded him to help arrange a sting.
Read more on The Republic.
[From the article:
More than five years later, Rigmaiden is still behind bars — battling the Justice Department in a legal odyssey that has questioned the constitutionality of federal surveillance methods and added to a growing national controversy over the government’s willingness to compromise Americans’ privacy in the pursuit of evidence.
… The Justice Department alleges that Daniel Rigmaiden is a crooked computer geek who figured out how to loot the federal Treasury while using multiple aliases. He is accused of filing more than 1,900 phony tax returns and is under indictment on 74 felony counts of wire fraud, identity theft, mail fraud, hacking and conspiracy.
In court, Rigmaiden pleaded not guilty and alleged that FBI agents deceived a federal magistrate, unlawfully infiltrated his computer, smeared him in news releases, destroyed evidence and violated his constitutional rights.
The case is based in Arizona because federal agents initially focused on fraudulent tax refunds sent to a bank account in Phoenix established by co-defendant Ransom Marion Carter III, who already has pleaded guilty.
Rigmaiden’s court docket lists more than 1,100 motions, responses and other entries containing profound legal arguments and mind-numbing discourse about invasive technology. Some search-and-seizure issues are so important that the American Civil Liberties Union supported Rigmaiden’s motion to suppress evidence.
Rigmaiden, who is not a lawyer, has remained incarcerated since his arrest. Early on, he dismissed five successive defense attorneys because he was not satisfied with their work. He now represents himself with support from private investigators and a lawyer-adviser, or “shadow counsel.”
At the Central Arizona Detention Center in Florence, Rigmaiden works on a laptop computer with no e-mail or direct Internet access. When he goes to court, the angular, bearded inmate with thick glasses delivers cogent legal arguments with machine-gun articulation.
Attorneys with no stake in the case show up as spectators.
… The FBI case against Rigmaiden hinges in part on the StingRay — a surveillance tool generically known as an “IMSI catcher” because of its ability to track the International Mobile Subscriber Identity of cellular devices. In simple terms, the StingRay allows police to pinpoint the location of a wireless phone or computer.
The FBI traced the Hacker to Rigmaiden’s apartment complex, but it could not identify the unit or perpetrator. Investigators subpoenaed Verizon to remotely change the program of an air card in the suspect’s computer so that when agents dialed the wireless number, it would disconnect from a regular cell site and ping against their device. StingRay not only determined the computer location, it captured a unique wireless ID number and data.
But the FBI’s technology and tactics have come under challenge for several reasons.
First, StingRay and a similar tool known as KingFish did not just gather information from Rigmaiden’s computer, but from numerous other wireless Verizon customers in the vicinity — even though they were not under suspicion of criminal activity.
Second, agents obtained a court order for surveillance rather than a search warrant, which requires probable cause. According to court filings, their application did not inform the judge that StingRay would be used, explain how it works, or divulge that the privacy of innocent parties would be compromised.
Third, although police use of cellphone locators has been common knowledge in criminal probes for two decades, federal agencies had not previously divulged the breadth of intrusions or the degree of complicity by service providers such as Verizon. Even in Rigmaiden’s case, the FBI affidavit remains sealed, though segments have been quoted in legal filings.


Speculation, anyone?
Flappy Bird Flies The Coop
Flappy Bird is no longer available to download, with the game’s creator Dong Nguyen deciding to pull the game from the iOS and Android app stores. Flappy Bird was released back in May 2013, but gained notoriety after being featured on a popular YouTube channel and consequently shared on social networking sites.
By the end of January Flappy Bird was a mainstream hit sitting atop the free game charts on iTunes and Google Play. By the time Nguyen removed the game on Sunday (Feb 9), it had been downloaded by more than 50 million people. Those who hadn’t yet succumbed to the lure of this maddeningly difficult game have now missed the opportunity to ever experience it.
The reason behind the removal of Flappy Bird remains mystifyingly unclear. In a series of tweets, Nguyen explained that he “cannot take this anymore,” but denied it was due to “legal issues.” He also refused to sell the game to interested parties, but promised to “still make games.” Flappy Bird is thought to have been bringing in $50k a day in advertising revenues, making this decision absolutely bewildering.


Works in your browser (Firefox or Chrome)
Tinkercad
Tinkercad is an easy-to-use tool for creating digital designs that are ready to be 3D printed into physical objects. Users are guided through the 3D design process through 'Lessons', which teach the basics before moving on to more complex modeling techniques.
Tinkercad was founded by Kai Backman and Mikko Mononen in 2011, bringing the first browser-based 3D design platform to the masses. In June 2013 Tinkercad became part of Autodesk, joining the 123D family of products in helping students, makers, and individuals from all walks of life to design and make the things they imagine.


Free math stuff! Books, software, etc.


Even more free stuff?
BookBub
BookBub alerts you to limited-time free and discounted eBooks matching your interests.


Because I like obscure facts...

Sunday, February 09, 2014

From the Dan Rather school of journalism? How does something like this come about? Slow news day? We need some anti-Russian propaganda? It's the way we do business?
Fraud Alert: NBC Sochi hack report is fake, says security expert
The frightening NBC report featuring Robert Engels, a journalist who reported that his smartphone and two computers were hacked in Sochi, is allegedly a fake. Errata Security's Robert Graham wrote a blog post calling the NBC story "wrong in every respect."
Graham accuses Engels of faking the report and intentionally downloading applications that would ensure that his smartphone was hacked almost immediately.
… "The story shows Richard Engel "getting hacked" while in a cafe in Russia. It is wrong in every salient detail.
  1. They aren't in Sochi, but in Moscow, 1007 miles away.
  2. The "hack" happens because of the websites they visit (Olympic themed websites), not their physical location. The results would've been the same in America.
  3. The phone didn't "get" hacked; Richard Engel initiated the download of a hostile Android app onto his phone.
  4. ...and in order to download the Android app, Engel had to disable a lock that prevents such downloads -- something few users do [update]."
Graham argued that NBC exaggerated the danger of being hacked in Sochi.
"Absolutely 0% of the story was about turning on a computer and connecting to a Sochi network. 100% of the story was about visiting websites remotely," Graham wrote. "Thus, the claim of the story that you'll get hacked immediately upon turning on your computers is fraudulent."


Something to watch closely. Remember, it takes two to tangle.
Abe, Aquino Views on China Unhelpful, Says U.S. General Carlisle
Comments by the leaders of Japan and the Philippines drawing parallels between China’s growing assertiveness in the region and events in pre-war Europe are “not helpful,” said the commander of U.S. air forces in the Pacific.
… The recent comments by Japanese Prime Minister Shinzo Abe and Philippine President Benigno Aquino -- two U.S. allies -- have escalated tensions at a time when China is pushing its territorial claims in both the East and South China Seas, and as President Xi Jinping expands the reach of his country’s navy.


Like Infographics? Build your own!
Ease.ly
Infographics Simplified
All you need to do is select a theme, use the set of boxes and tools on offer and create an infographic that is not a visual stunner but definitely passable.
The key to this tool is that it helps you visually represent data without having any knowledge of designing whatsoever. You could even ask students to create infographics about a particular project that you’ve just taught them, to assess whether they’ve really understood it or not.