Saturday, February 22, 2014

Sounds good, unless someone (Russia) decides to support (with tanks) the elected government. Recent popular revolutions (Egypt, Syria) haven't been supported by all those governments (including ours) that were cheering the protesters on.
Ukraine opposition 'controls Kiev'
Ukrainian protesters have been able to enter the president's official and residential buildings in Kiev, after they were abandoned by police.
They have stationed guards outside the entrances to offices, while the interior ministry has said in a statement that it supports the people.
President Viktor Yanukovych's aides say he is in Kharkiv, close to Russia.

Something is not quite right here.
South Korea to develop Stuxnet-like cyberweapons
The country's defence ministry wants to develop weapons similar to Stuxnet, the software designed to attack Iranian nuclear enrichment plants.
… The first part of South Korea's plan, which is continuing, is to conduct online propaganda operations by posting to North Korean social networking and social media services.
"Once the second phase plan is established, the cybercommand will carry out comprehensive cyberwarfare missions," a senior ministry official said.
The South Korean cyberwarfare command, which will use the weapons, has been dogged by accusations of using its psychological warfare capabilities on its own population to try to influence voters in the run-up to the 2012 presidential elections.

Strange that this was not an issue until Bloomberg and Bill Gates started to gather student data. Or perhaps not so strange.
Student privacy is becoming a hot issue this year, and we’re seeing more bills intended to protect the security and privacy of student information. In today’s news, there are items from California, Maryland, Wyoming, and Wisconsin of note.
For California, Natasha Singer reported:
A leading California lawmaker plans to introduce state legislation on Thursday that would shore up privacy and security protections for the personal information of students in elementary through high school, a move that could alter business practices across the nearly $8 billion education technology software industry.
The bill would prohibit education-related websites, online services and mobile apps for kindergartners through 12th graders from compiling, using or sharing the personal information of those students in California for any reason other than what the school intended or for product maintenance.
Read more in the New York Times. You can find the senator’s press release on the proposed legislation here.
In Maryland, John Patti reports:
There is a hearing set for today in the Maryland House of Delegates that deals with student privacy.
It would set minimum standards for the collection of information from students by cloud computing providers. These are private companies that promise to help students learn by providing software and online services.
Read more on WBAL and this OpEd by privacy attorney Bradley S. Shear.
In Wyoming, Associated Press reports:
The House Judiciary Committee on Thursday narrowed the focus of a bill that would require parental consent before education and personal data can be collected on children in the Wyoming school system.
The panel approved House Bill 179 with a 7-2 vote. The proposal now heads to the House floor for more debate.
Before passing the bill, the panel amended it to clarify that only data collected by the state Department of Education would require the consent. There were concerns that the original bill could have prevented a local school from collecting student grades and other basic information.
Read more on Billings Gazette.
In Wisconsin, Associated Press reports:
The Wisconsin Assembly has passed a bill designed to keep student data secure.
Republican Rep. Don Pridemore’s proposal would require the state Department of Public Instruction to post online the data points it collects on students and develop a plan to keep the students’ data secure, including steps for dealing with a breach.
Read more on The Republic.
And earlier this week, in Kansas, Celia Llopis-Jepsen reported:
A proposal to create a Student Data Privacy Act in Kansas drew support Tuesday from the state’s school board association.
Mark Tallman, a lobbyist for the Kansas Association of School Boards, told the Senate Education Committee his group supports the bill in hopes that it will give parents peace of mind concerning data about their children.
Senate Bill 367 would codify restrictions on sharing student data and on collecting biometric data from students, such as their DNA sequences.
These are all encouraging signs. Eventually, I suspect we’ll have the same kind of patchwork quilt problem we have with data breach laws, but this is an important start in protecting sensitive student information and I’m glad to see it, even though I may not agree with all of the bills.

I'm guessing you get lots of “What happens in Guantanamo stays in Guantanamo” ads...
Glyn Moody writes:
By now, most people who shop online are aware of the way in which companies try to tailor their offers based on your previous purchasing and browsing history. Being followed by strangely relevant ads everywhere is bad enough, but what if the government started using the same approach in its communications with you? That’s one of the key ideas explored in an interesting new article by Zeynep Tufekci, strikingly presented on Medium, with the title “Is the Internet good or bad? Yes.”
Read more on TechDirt.

Strange choices, since we know that jihadists tend to stay away from mosques, the Muslim community and radical Imams in particular, to avoid attracting attention.
Adam Serwer reports:
Religious profiling is okay, as long as you have a really good reason.
That’s the logic behind a decision reached by federal judge William Martini Thursday, in dismissing a lawsuit against New York Police Department over the NYPD’s surveillance of Muslim American communities in the region.
“The police could not have monitored New Jersey for Muslim terrorist activities without monitoring the Muslim community itself,” Martini wrote. “The motive for the program was not solely to discriminate against Muslims, but rather to find Muslim terrorists hiding among ordinary, law-abiding Muslims.”
Any harm suffered by Muslims who were spied on, Martini wrote, was not the fault of the NYPD, but of the Associated Press reporters who first revealed the existence of the surveillance effort.
“Nowhere in the Complaint do Plaintiffs allege that they suffered harm prior to the unauthorized release of the documents by the Associated Press. This confirms that Plaintiffs’ alleged injuries flow from the Associated Press’s unauthorized disclosure of the documents,” Martini wrote. “The harms are not ‘fairly traceable’ to any act of surveillance.” The Associated Press declined to comment on the ruling.
Read more on MSNBC.
How many synonyms can you come up with for “outrageous?”

“Combining our data makes our Big Data bigger!”
William Dotinga reports:
A challenge to sealed filings in the massive class action over Gmail privacy will get priority treatment of sorts, a federal judge ruled Friday.
News outlets – including Courthouse News, Gannett, McClatchy and the New York Times - lobbied U.S. District Judge Lucy Koh earlier this week to deny Google’s requests to file under seal, citing public interest in the case involving millions of Gmail users. The sprawling class action dubbed In re Google Inc. – Gmail Litigation claims that the tech giant’s new privacy policies violate federal computer fraud, eavesdropping and wiretap laws.
Read more on Courthouse News.
[From the claims:
Under its old policy, information collected about a consumer through one Google product was segregated from information gleaned from another Google product, plaintiffs say in the class actions.
But they say that all changed March 1, when Google ushered in its new era of digital surveillance: the Era of Commingling.
Under the new policy, data gathered about a consumer through one Google product will be commingled with data collected about that consumer through other Google products, plaintiffs say.

...and Things, don't forget the Things! Like x-ray machines and proctoscopes.
Virtually all software, applications, systems and devices are now connected to the Internet. This is a reality that cybercriminals recognize and are actively exploiting.
Some 94 percent of medical institutions said their organizations have been victims of a cyber attack, according to the Ponemon Institute. Now, with the push to digitize all health care records, the emergence of and an outpouring of electronic protected health information (ePHI) being exchanged online, even more attack surfaces are being exposed in the health care field.
A SANS examination of cyberthreat intelligence provided by Norse supports these statistics and conclusions, revealing exploited medical devices, conferencing systems, web servers, printers and edge security technologies all sending out malicious traffic from medical organizations. Some of these devices and applications were openly exploitable (such as default admin passwords) for many months before the breached organization recognized or repaired the breach.
The intelligence data that SANS examined for development of this report was specific to the health care sector and was collected between September 2012 and October 2013. The data analyzed was alarming. It not only confirmed how vulnerable the industry had become, it also revealed how far behind industry-related cybersecurity strategies and controls have fallen.
Get the full SANS report, “Health Care Cyberthreat Report,” here.

For my iPhone toting students (My selections)
iOS Apps on Sale for 22 Feb
City Maps 2Go Pro ($1.99, now free)
If you’re planning a trip with your iPad or simply don’t want to worry about expensive roaming charges on your iPhone, City Maps 2Go Pro could be just what you need. It allows you to download an unlimited number of maps for offline perusal, with full GPS support and handy tourist information to boot. All included maps use OpenStreetMap data, are highly detailed and completely free.
MathStudio ($19.99, now $4.99)
While it might not be the most exciting-sounding app, MathStudio is the self-proclaimed “most comprehensive math app” on the App Store. While that’s a bold claim, the app oozes depth and complexity and covers a wide range of functions from basic calculator to statistics, algebra and several types of graphing tool – none of which requires an internet connection. Ordinarily costing $20, now is the time to buy!

Will everyone who contributed go to see the movie even once? I'm watching this one.
'Veronica Mars' will launch in theaters and online at the same time
Fans waiting for the theatrical release of Veronica Mars on March 14th now have a few more ways to watch the series' return. According to The Wall Street Journal, the film will also be available to rent and download at the same time as its cinema debut. The move breaks the long-standing "theatrical window" rule that typically governs when major movies are available for home viewing.
Veronica Mars will be distributed on 270 screens across the country, a much bigger outing for what might otherwise be considered an indie effort. Warner Bros. has opted to rent 260 theaters from AMC to show the Kickstarter-backed film, giving the studio the freedom to give it a unique simultaneous release.

Even if I'm the only one amused...
… The US Department of Education has awarded 9 states School Improvement Grants: Connecticut, Florida, Idaho, Iowa, New Jersey, Ohio, Oklahoma, South Dakota, and Wyoming. The funds are aimed at “turning around” low-performing schools. [...because no other state has below average schools? Bob]
… The Georgia Tech Library plans to move its print collection out into an offsite facility. Because “strategic objectives.” [and no one reads print on dead trees any more. Bob]
Harvard and MIT have released visualizations (and open sourced the visualization tools) on their MOOC data. The Harvard tools are here, while those for MIT are here.

Here's one I hope my students don't use to screw with me, but it would be fun to control the big (54 inch) TV from anywhere in the room.
– Turn your mobile phone or tablet into a wireless mouse and keyboard. Control your computer anywhere in your room, with either wifi or 3G. Main mouse functionalities featured, including click, double-click, right-click, scroll and drag. Compatible with Windows and Mac.

Friday, February 21, 2014

Does it make a difference how or where fingerprints are stored? What are the rules for accessing the database?
Martin Gijzemijter reports an important update to a case launched by Privacy First that I’ve followed on this blog since 2009:
Dutch authorities have been prevented from storing citizens’ fingerprints in a central database following a ruling this week by the Court of Justice in the Hague.
In the Netherlands, individuals’ fingerprints are gathered by the local municipality when they apply for a new passport. The government had proposed gathering those different sets of fingerprints into a central database, which could then be accessed by police for the purposes of matching fingerprints found in criminal investigations.
Read more on ZDNet.

For my Computer Security students.
Molly Wood describes a number of smartphone apps that can help protect your privacy in this New York Times article. Here are two snippets from her comments:
Android currently has the best options available for secure messaging. My favorite is the free TextSecure from WhisperSystems. It encrypts text messages between users, as long as you both have the app installed and you use it for texting instead of your regular app. The texts are encrypted as they’re sent back and forth and stay encrypted when they are stored on your phone.
If you want encrypted messaging across iOS and Android, try ChatSecure, created by the Guardian Project, a collection of developers, activists and hackers who create tools for more secure communications. This free app doesn’t replace texting; instead, it lets you send encrypted messages over a number of existing chat services like Facebook Chat, Google Talk, Google Hangouts, Jabber and some others.
You must have an account with one of those, and your recipient must also install ChatSecure. But since the app is free and available on virtually any device, it’s a good way to encrypt messaging across some common chat services. ChatSecure is also open source.
Read the full article on NYT.

Perspective. Some of the things banks are doing to stay competitive are interesting. (See, this works both ways) “Change, the only constant!”
Banks’ New Competitors: Starbucks, Google, and Alibaba
It took computer company Apple only five years to become America’s largest music retailer, and just seven to become the world’s largest. In 18 short months, search engine Google erased 85 percent of the market cap of the top GPS companies after launching its mobile maps app. Alibaba, China’s equivalent to Amazon, became a $16 billion lender in less than three years, and China’s largest seller of money market funds in only seven months.
Companies are venturing into other industries for growth with increasing regularity. In an Accenture survey released at Davos this year, 60 percent of executives said their company intends to make these types of moves over the next five years based on alliances, joint ventures and acquisitions.
This represents a major challenge to the banking sector where, in developed markets, growth and profitability are still at about half of pre-crisis levels. As banks recover from the downturn, non-banks are taking advantage by proceeding aggressively with digital innovations and capturing more and more of the banking value chain. Accenture estimates that competition from non-banks could erode one-third of traditional bank revenues by 2020.

Perspective, but only that? It is useful to look at problems from several viewpoints.
Welcome to Algorithmic Prison
Corporations and government are using information about us in a new – and newly insidious – way. Employing massive data files, much of the information taken from the Internet, they profile us, predict our good or bad character, credit worthiness, behavior, tastes, and spending habits – and take actions accordingly.
As a result, millions of Americans are now virtually incarcerated in algorithmic prisons.
Some can no longer get loans or cash checks. Others are being offered only usurious credit card interest rates. Many have trouble finding employment because of their Internet profiles. Others may have trouble purchasing property, life, and automobile insurance because of algorithmic predictions. Algorithms may select some people for government audits, while leaving others to find themselves undergoing gratuitous and degrading airport screening.

For my Ethical Hackers.
Steven Aftergood writes:
For the first time the U.S. Army has produced official doctrine on military activities in cyberspace, including offensive, defensive and network operations.
A new Army field manual “provides overarching doctrinal guidance and direction for conducting cyber electromagnetic activities (CEMA)…. It provides enough guidance for commanders and their staffs to develop innovative approaches to seize, retain, and exploit advantages throughout an operational environment.”
It is “the first doctrinal field manual of its kind.” See FM 3-38, Cyber Electromagnetic Activities, February 2014.
The manual introduces the fundamentals of cyber operations, or “cyber electromagnetic activities” (CEMA), defining terms and identifying important operational factors and constraints.
Read more on FAS’s Secrecy News.

For my Android toting students... Keep up with your spreadsheets.
Android Apps on Sale for 20 February 2014: OfficeSuite Pro, ROM Toolbox Pro, and Ultimate Backup (Yes, Pro)
Each week we scour current Google Play promotions and cherry-pick the best of the best. This week we have a crazy price drop on OfficeSuite Pro 7, as well as nice sales on ROM Toolbox and other utilities.
OfficeSuite Pro 7 ($14.99, now $1)
Looking for an awesome office suite for Android for free? Well, QuickOffice is entirely free. [and works on iOS, too Bob] OfficeSuite Pro, its competitor, still costs money – but this week we’re seeing a steep, steep discount. It comes with a font pack, supports Open Office, integrates with the Box app, and more.

There is motivation and then there is MOTIVATION!
Tomorrow is Canada vs. USA in the Men's Hockey Semifinal. This is a Billboard in Chicago.

Thursday, February 20, 2014

What security failure would terrorists expect to exploit to be successful? Does TSA not x-ray shoes any more?
Sources: Airlines warned to beware of possible shoe bombs
… The officials stressed there is no specific threat or known plot.

Damning with faint praise? You really couldn't find a better example?
Seema Mehta reports:
Sen. Dianne Feinstein (D-Calif.) offered a full-throated defense of the government’s collection of data on billions of American phone calls, saying Wednesday that the National Security Agency’s practices have safeguarded the nation without trampling on civil liberties.
“What keeps me up at night, candidly, is another attack against the United States. And I see enough of the threat stream to know that is possible,” Feinstein said at a Pacific Council on International Policy dinner in Century City.
She pointed to a warning Wednesday about potential bombs hidden in the shoes of passengers on flights bound for the United States.
Read more on The Los Angeles Times.

Did they ignore their Privacy Office or not bother to contact them?
Ellen Nakashima and Josh Hicks report:
Homeland Security Secretary Jeh Johnson on Wednesday ordered the cancellation of a plan by the Immigration and Customs Enforcement agency to develop a national license plate tracking system after privacy advocates raised concern about the initiative.
The order came just days after ICE solicited proposals from companies to compile a database of license plate information from commercial and law enforcement tag readers.
Read more on the Washington Post.
[From the DHS Privacy Office mission statement:
We work with every component and program to ensure that privacy considerations are addressed when planning or updating any program, system or initiative.

But it sounded so friendly!
Tinder Leaks Users' Locations For Months, Doesn't Tell Public
Tinder is a great tool if you're on the hunt for a random hookup, or if you'd like the exact geographic location of Your Prey. It turns out a security snafu in the popular dating—sorry, hook-up—app exposed its users' exact locations for several months with nary a word of warning to the public from developers.
According to researchers at Include Security, Tinder was exposing its users' locations down to 100 feet for between "40 and 165 days," Bloomberg Businessweek reports, noting that while the information wasn't exactly broadcasted, it was accessible to anyone with "rudimentary" hacking skills—possibly the same people who possess "rudimentary" breaking-and-entering skills and "rudimentary" kidnapping skills!

So, what does the Privacy Commissioner's website recommend? Look for yourself:
3News reports that NZ’s new privacy commissioner, John Edwards, is concerned – and disturbed – by how people respond to privacy breaches involving others’ information, such as misaddressed mail that they receive.
“No right minded member of the community would think when they stumbled across a wallet containing identifying details and $1000 that they had a right to keep that,” Mr Edwards said.
“We are instilled as children with the moral obligation that we must return this to its rightful owner and not take advantage of that accident.”
However, Mr Edwards said there seems to be an increasing trend that when somebody receives information mistakenly that they are “entitled to give some publicity to it or use it as a mechanism for obtaining some advantage or creating some stress or drama for the organisation with which they may be in conflict”.
“I’m as disturbed by that I think as I am by the weakness at the other end,” he said.
That’s an interesting observation about a shift in behavior, but could there be other explanations or motivations? Yes, some people may be in conflict with an entity and want to exact revenge by embarrassing them publicly, but in other cases, could running to the media to report the breach just be the public’s way of saying that they don’t want privacy breaches swept under a rug or covered up? Certainly we’ve seen cases here and elsewhere where people initially refuse to return documents or files they should not have received. Often it seems their motivation is to simply ensure that the breach will not be ignored.
So… are more New Zealand residents going public in a “naming and shaming” strategy to try to effect more responsible data protection? And is their behavior an almost predictable response to a culture or society in which there’s no law requiring data breach disclosures?
I don’t have any answers, but it’s an intriguing question and it will be interesting to see how Privacy Commissioner Edwards attempts to address his observations.

Someone is thinking? Are we sure this is the FCC?
FCC to rewrite net neutrality rules, won’t appeal court ruling
The Federal Communications Commission said Wednesday it will rewrite sweeping broadband Internet rules known as net neutrality, ending a legal battle that has thrown into question the agency’s ability to protect consumers on the Web.
… The move comes after a federal appeals court last month vacated the FCC’s 2010 Open Internet rules. The U.S. District Court of Appeals for the District of Columbia said the agency overstepped its authority with the rules but also noted that the agency has some oversight over the broadband industry.
FCC Chairman Tom Wheeler said the agency won’t appeal the court’s decision, adding that the court opinion allows for the agency to rewrite net neutrality rules that conform with communications laws. [What a concept! Bob]

Oh swell. Another rehash of Betamax. If I set up an antenna to capture Denver broadcast TV stations and then piped the signal through the Cloud (over the internet, wirelessly to my cellphone) would this be an issue? What if I recorded the evening news so I could watch it at a more reasonable hour (when I was awake) in my hotel in Sapporo, Japan?
Federal court in Utah sides with broadcasters against Aereo
Aereo's streak of legal victories over the broadcasting industry has come to an end.
The startup company, which sends broadcast television signals to consumers via the Internet, will have to shut down its operations in Utah and Colorado thanks to a ruling by the U.S. District Court in Utah.
The ruling, which covers the 10th Circuit, grants a request for preliminary injunction against Aereo that was sought by Fox Broadcasting Co. and other TV station owners.
… The Utah ruling is important because it is the first time a court has sided with broadcasters in their fight against Aereo.
… Aereo distributes broadcast signals via a tiny antenna and offers customers access to a cloud-based digital video recorder that holds up to 60 hours of content. The service costs $8 to $12 a month.
… In the 26-page ruling, Judge Dale Kimball said the broadcasters made the case that their fight against Aereo will succeed on the merits.
"Based on the plain language of the 1976 Copyright Act and the clear intent of Congress, this court concludes that Aereo is engaging in copyright infringement of Plaintiffs' programs," Kimball wrote. "Despite its attempt to design a device or process outside the scope of the 1976 Copyright Act, Aereo's device or process transmits Plaintiffs' copyrighted programs to the public."

(Related) See? Harvard agrees with me! (Don't they?)
Understanding the Copyright Wars: Aereo, Google, and GoldieBlox
… Because when copyright protection is granted today, it is granted essentially for an entire century, the scope of copyright protection is among the most contested areas of law. The fight most often comes down to what constitutes unlawful copying and what is fair use.
… Big broadcasters such as ABC are claiming that small tech startups like Aereo and TV Catchup, which allow audiences to watch their favorite TV shows on their laptops, tablets, and smartphones, infringe on their copyrighted programs. In this case, like in analogous cases in the past such as the Sony Betamax VCR and the Cablevision DVR, the court should allow new technology to stand as long as the device is capable of substantial non-infringing uses.
… The principle that has been established in this line of cases is that technology providers are not infringing copyright when they aid individual consumers to control the ways in which they privately watch programming. Like with previous technologies, Aereo is providing viewers a new way to access content, this time through the Internet. Copyright law was not intended to prevent the introduction of such new technology.

For my “Let's Program a Billion Dollar App” students. (Okay, I haven't taught the class yet, but this should help me get students signed up!)
Facebook to Buy WhatsApp, a Messaging Start-Up, in a $16 Billion Deal
The frenzy to acquire fast-growing technology start-ups reached new heights on Wednesday as Facebook announced its largest acquisition ever, saying it would pay at least $16 billion for WhatsApp, a text messaging application with 450 million users around the world who pay little or no money for it.
WhatsApp Messenger is a cross-platform mobile messaging app which allows you to exchange messages without having to pay for SMS. WhatsApp Messenger is available for iPhone, BlackBerry, Android, Windows Phone and Nokia.

Is Facebook Paying Too Much for WhatsApp?
With $19 billion, Facebook could have purchased Sony or Gap or four aircraft carriers. Instead, it bought WhatsApp, a tiny startup that so far had accumulated barely $60M in funding, mostly from Sequoia.
But think about what exactly Facebook is buying:
Young users.
A new business model.
Enhancements to the existing business model.
If you list all these reasons for the deal, and throw in some competitive pressure from the likes of Google, the $19 billion number might not look so silly after all. Time will tell. But regardless of how this deal turns out, the one unambiguous loser, in our opinion, is the telecom industry, which currently enjoys about $100 billion a year in revenues from SMS services globally.
Moral of the story: If you don’t create an alternative yourself, others will disrupt your business model for you.

Something for my “Gaming Club” students. (and you can make a political statement at the same time!)
– the Flappy Bird game may now be unavailable but that doesn’t mean that Flappy is gone forever. Flappy Generator is an app which enables you to make your own version. Replace the image and pipe with your own versions, and off you go.

Wednesday, February 19, 2014

What happens in Vegas gets hacked in Vegas. Sounds big, but might not be very significant.
Eduard Kovacs reports:
The hackers that (sic) breached and defaced the websites of several casinos owned by Las Vegas Sands Corp last week have published a video to demonstrate that they’ve stolen 828 Gb of files from the company’s systems.
The data apparently stolen by the hacktivists hasn’t been published online. They’ve only made the video to show that it’s stored on a local hard drive.
Read more on Softpedia.
[From the article:
It’s difficult to say if the large amount of files obtained by the Anti WMD Team contains any customer information, but it’s clear that the attackers had unrestricted access to at least some of Las Vegas Sands’ servers.

...and we're a long way from done.
From the Credit Union National Association:
Financial institutions continue to respond to the massive data breach at Target. According to data collected by the Consumer Bankers Association (CBA) and the Credit Union National Association, the costs associated with the Target data breech (sic) exceed $200 million. CBA estimates the cost of card replacements for its members to have reached $172 million, up from an initial finding of $153 million. CUNA has stated the cost to credit unions has increased to $30.6 million from an original estimate of $25 million.
So far, cards replaced by CBA members and credit unions account for more than half of all affected cards. Between members of the Consumer Bankers Association (CBA) and the Credit Union National Association (CUNA), 21.8 million of the 40 million compromised cards have been replaced.

"Ontogeny recapitulates phylogeny," at least when it comes to technology. Each new generation must re-learn how to secure their users (and the user's data).
Dan Nakaso reports:
App developers are increasingly targeting the more lucrative iOS market, where more than 91 percent of the top 100 apps for Apple devices exposed users to security breaches and other data leaks, according to a study released Tuesday by San Francisco-based Appthority.
By comparison, Appthority found that 83 percent of the top 100 Android-based apps exposed their users to leaks of both personal and company information.
Read more on SiliconBeat.

(Related) The same problem when old technology shows up in new places.
Eduard Kovacs reports:
Security researchers from IOActive have identified a number of vulnerabilities in Belkin WeMo home automation devices that allow people to control their electronics from their mobile phones. More than half a million users are said to be impacted.
According to experts, the vulnerabilities can be exploited not only to perform malicious firmware updates, but also to remotely monitor and hijack the devices. Furthermore, the security holes can be leveraged to gain access to local networks.
Once they have access to the local network, the attackers can target laptops, mobile phones and other devices.
IOActive says the vulnerabilities have been reported to CERT, which in turn has notified Belkin. However, the company “was unresponsive.”
Read more on Softpedia.

(Related) An easy way to find those “things” on the Internet.
Shodan Adds Visual Search Results With 'Shodan Maps'
Shodan, the specialized search engine that lets users search for Internet-connected devices rather than web sites, today launched Shodan Maps, a new feature designed to let users see search results on a map instead of a regular (text) listing.
Shodan, which often reveals basic information about a device, such as what kind of system it is, version of software it runs, and other options that are supported, is a powerful tool for enterprise security teams, researchers, and even malicious attackers.

Because surveillance is big business, even surveilling the Internet of Things.
AT&T, IBM in Big Data Tie-up
AT&T and IBM announced plans Tuesday to join forces to help cities, utilities and others use big data analytics to better manage their infrastructure.
The companies said in a joint statement they will "combine their analytic platforms, cloud, and security technologies with privacy in mind to gain more insights on data collected from machines in a variety of industries."
The new project will focus initially on helping city governments and midsize utilities analyze vast quantities of data, including from mass transit vehicles, utility meters, and video cameras.

Log on like a cop and no one cares?
It has now been about two years since I filed a complaint with the FTC to alert them to all the data security breaches involving Experian’s credit report database.
And while I continue to wait to see the FTC take action against Experian over their numerous breaches involving misuse of clients’ login credentials, Experian has reported yet another breach of the same type, it seems.
This time it’s reportedly the Colorado Bureau of Investigation whose login credentials were compromised. The fact that the CBI had their login credentials compromised does not inspire confidence in them, but the fact of the matter is that it doesn’t seem to matter what clients have their login credentials compromised. Login credentials of a client seem to be the keys to the kingdom of Experian’s vast credit report database.

Did someone leak just how bad it was in order to make Vice Adm. Michael Rogers' confirmation hearings more entertaining? (It was his job to clean this up)

Why admit anything when you have a handy culprit for everyone to hate?
On February 4, the Dutch government admitted that it was not NSA that collected 1.8 million metadata records from phone calls of Dutch citizens, but actually their own military intelligence service MIVD. They gathered those data from foreign communications and subsequently shared them with partner agencies like NSA.
Just like everyone else, the Dutch interior minister was misled by how Glenn Greenwald erroneously interpreted the data shown in screenshots from the NSA tool BOUNDLESSINFORMANT. This let him misinform the Dutch public and parliament too, and only after being faced with a lawsuit, he finally disclosed the truth. Here’s the full story.
Read more on Top Level Telecommunications. It’s a lengthy piece, and I’m in no position to verify its accuracy, but it’s certainly interesting and – if NSA wasn’t responsible for the metadata collection in this case – the record needs to be set straight.

Where you are now is not protected but where you have been is. So don't commit a crime now, do it yesterday...
Today brings a welcome ruling in Commonwealth v. Augustine: people may have a reasonable expectation of privacy in their historical cell location information data and prosecutors may need a warrant based on probable cause – and not just a 2703(d) order under ECPA – to obtain it. The opinion relies on Art. 14 of the Massachusetts constitution and not the Fourth Amendment, but hey, I’ll take it.
Orin Kerr writes:
The Massachusetts Supreme Judicial Court has issued a new decision interpreting the Massachusetts constitution to require a search warrant for access to a two-week span of historical cell-site information. The court divided by a vote of 5-2. Note that the decision did not interpret the Fourth Amendment of the federal constitution, but rather interpreted Article 14 of the Massachusetts Declaration of Rights. This means that the decision is binding on Massachusetts state law enforcement, but it does not apply to federal law enforcement (whether in Massachusetts or outside it).
The decision appears to adopt a mosaic theory for the state constitution, by which the time of surveillance determines what is a state-constitution search.
Read more on WaPo Volokh Conspiracy.

Poor Kim. It looks like he'll have to come here to insult the MPAA.
NZ court rules Megaupload warrant legal, dealing blow to Dotcom
A New Zealand court on Wednesday ruled that the search warrant used in the arrest of Megaupload founder Kim Dotcom on U.S. online piracy charges was legal, dealing a blow to the internet entrepreneur who is fighting extradition to the United States.
… The decision will benefit U.S. prosecutors who say the Megaupload website cost film studios and record companies more than $500 million and generated more than $175 million in criminal proceeds by letting users store and share copyrighted material, such as movies and TV shows.
If Dotcom is extradited, the ensuing copyright case could set a precedent for internet liability laws and, should he win, could force entertainment companies to rethink online distribution methods.
… However, the appeals court upheld an earlier ruling that prosecutors had not been authorized to send clones of seized electronic evidence to the United States.
The decision could pose a setback to a separate case in which Dotcom is seeking damages from the government for its role in the raid on the German-born, New Zealand resident's home.
At the same time, Dotcom could now find it difficult to challenge evidence at his extradition hearing set for July. A Supreme Court decision is pending on whether U.S. prosecutors must disclose evidence to be used in the hearing.
Dotcom's lawyers said they could also appeal to the Supreme Court against Wednesday's ruling.
… Dotcom says Megaupload, which housed everything from family photos to Hollywood blockbusters, was merely an online warehouse and should not be held accountable if stored content was obtained illegally.
The U.S. Justice Department counters that Megaupload encouraged piracy by paying users who uploaded popular content and by deleting content that was not regularly downloaded.
A New Zealand government enquiry in 2012 found the nation's secretive spy agency acted unlawfully by giving information on Dotcom to U.S. authorities before the 2012 raid.

Eight will get you 10, there's an App for that. Could this eliminate a bunch of entry level mob jobs?
Cellphones may accelerate NJ online gambling
Internet gambling analysts and casino executives say the increased use of cellphones to place bets could accelerate the growth of the nascent industry in New Jersey.
"Mobile applications will play an enormous piece of the puzzle in online wagering, which is why we are so positive and see so much upside in months ahead," said Joe Lupo, senior vice president of the Borgata Hotel Casino & Spa, which began offering gambling Monday over Android cellphones on 3G and 4G networks.

Tuesday, February 18, 2014

For what it's worth, this is my 2800th Blog post, according to Google.

Anyone can download hacking tools and for any reason become a cyber-vigilante! Individually, that's no big deal. Do something that catches the attention of many people (worse, organized groups) and this could be the result.
Jeb Boone reports:
Hackers around the world are setting their sights on Venezuela’s government web properties following violent repression against anti-government protesters and instances of internet censorship.
Already, hacker groups have defaced, deleted and waged DDoS (distributed denial of service) attacks on Venezuelan government and military sites.
Spearheaded by South American Anons, as the hackers are known, the large-scale attacks against subdomains began after three people were killed during demonstrations in Caracas last week.
Read more on MinnPost.

Interesting “process.” One person does the hack, another drains the cash!
Skillful Hackers Drained ATMs Using Malware-laden USB Drives
PUNTA CANA - KASPERSKY LAB SECURITY ANALYST SUMMIT - A highly sophisticated gang of criminals inserted infected USB sticks into ATMs and emptied out all the cash inside, a security researcher told SecurityWeek.
The gang looted four ATMs belonging to a single bank using a USB stick containing a DLL exploit payload, Tillmann Werner, a researcher for CrowdStrike, told SecurityWeek in an interview. Werner declined to specify the targeted bank, the brand of the ATM that was compromised, or the country where the attack occurred. Law enforcement officials have thus far made only one arrest in this operation--the money mule who was caught while taking the money out of a compromised ATM.
Considering how much money is kept inside a single ATM, it's likely the gang has already stolen millions of dollars, and the gang is still in operation. It is also possible other banks may be targeted by this attack, Werner warned.

(Related) Are thumb drives treated like phones? If one justification is to find evidence of the crime “for which, the person was arrested” does that automatically place evidence of any other crime off limits?
Orin Kerr writes:
The Supreme Court recently granted cert on two cases about how the Fourth Amendment applies to the search incident to an arrest of a cell phone found on a person arrested. In textual terms, when is a search of a cell phone incident to arrest constitutionally “reasonable”? In this post, I want to lay out some of the possible Fourth Amendment rules that the Court might consider to answer that question. I’ll start with a basic introduction to the rationales of the search incident to arrest exception. I’ll then offer a few possible rules the Court might adopt to answer when a cell phone can be searched under the exception. Next, I’ll turn to possible rules for how broadly a search should extend under the exception if/when such searches are allowed. In future posts, I’ll offer some thoughts on how the Court might choose among the rules.
Read more on WaPo Volokh Conspiracy.

How much can a breach cost you?
Jay Weaver of the Miami Herald has a must-read piece about what Carlos Gomez, a Wachovia Bank customer, went through after becoming a victim of ID theft by a bank employee, and how he’s suing Wachovia, which has since been taken over by Wells Fargo:
Just before dawn, insistent pounding on the front door jolted the ex-Marine and young father out of bed. Federal agents poured into his Kendall home, pushing his wife aside and rushing to his bedroom. They held guns to his face before slapping him in handcuffs.
“I kept asking, ‘What is going on?’ ” recalled Gomez, who works as a driver for UPS. “I was scared for my life.”
Gomez, busted in a money-laundering scheme, would spend nearly two weeks in a federal detention center and another seven months under house arrest.
It took 222 days before federal prosecutors realized it was all a terrible mistake: A rogue bank worker had stolen his identity.
Thanks in part to Gomez’s own sleuthing, prosecutors eventually discovered he had been wrongfully charged. The Wachovia Bank employee had stolen $1.1 million from customers, then swiped Gomez’s identity to create a checking account under the pilfered name to launder portions of the embezzled proceeds.
Now, nearly three years after the ordeal, Gomez is suing Wachovia for “malicious prosecution.”
Read more on Bellingham Herald.
Picture yourself in his situation. Your bank doesn’t protect you from an insider breach and then gives federal investigators false information about you that gets you charged and detained? And then you have to spend your time and money trying to clear your name because of their failures. Wouldn’t you sue them for the misery they put you through? I sure would.
Gomez’s civil lawyers, Jermaine Lee and Eric Hernandez, claim in a lawsuit filed in September in federal court that Wachovia officials were reckless when they failed to protect Gomez’s “confidential” account and to provide “accurate” information about him to federal authorities.
In a key ruling last month, U.S. District William Dimitrouleas rejected the bank’s bid to throw out the civil case, saying Gomez had “sufficiently alleged” that Wachovia violated its “fiduciary duty” to him by allowing an employee and others “to misuse his private and confidential information to launder monies.” As a result, Gomez’s case is headed for mediation and, if still unresolved, trial.
Good luck, Mr. Gomez. And if any court should try to dismiss this case for lack of ability to show harm, then we need a revolution in this country.

What you don't know about your audience can impact your security.
Do Millennials Believe in Data Security?
Millennials have a reputation for being the most plugged-in generation in the workplace. Experts have even suggested “reverse mentoring” so that younger workers can inculcate their “tech-savvy” habits in older generations. But a new survey from Softchoice shows that those may actually be bad habits when it comes to keeping data secure.
For instance, 28.5% of twenty-somethings keep their passwords in plain sight, compared with just 10.8% of Baby Boomers. They’re also significantly more likely to store work passwords on a shared drive or Word document that isn’t itself password-protected, and more likely than older workers to forget their passwords.
And it gets worse! They’re more likely to email work documents to their personal accounts, move documents via cloud apps that IT doesn’t know they have, and lose devices that would give whoever found them unrestricted access to company data. Basically, in every way that Softchoice measured, the youngest workers were the most likely to lose data or leave themselves open to hacking.

Somehow I doubt the average citizen will support the tax increase this would require.
Anthony Cuthbertson reports:
Germany and France will carry out talks to discuss a new European communication network that would avoid emails and online data passing through the US. [Even if that is the fastest route? Bob]
German Chancellor Angela Merkel spoke of the new network in her weekly podcast, stating her intention to propose it to French President Francois Hollande when she meets with him on Wednesday.
Read more on ITProPortal.

Posturing? We'd do the same thing if we had the resources? A negotiating tactic?
Indonesia Slams Reported Australian Spying as 'Mind-boggling'
Indonesia Monday described as "mind-boggling" a report that Australian spies targeted Jakarta during a trade dispute with Washington, as a new espionage row erupted during a visit by US Secretary of State John Kerry.
Ties between Canberra and Jakarta have sunk to their lowest point for years in recent months over previous allegations that Australian spies tried to tap the phones of Indonesian President Susilo Bambang Yudhoyono and his inner circle.
Jakarta recalled its ambassador from Canberra and suspended cooperation in several areas, including on the sensitive area of people-smuggling, following the allegations.
"I find that a bit mind-boggling and a bit difficult how I can connect or reconcile discussion about shrimps and how it impacts on Australia's security," Indonesian Foreign Minister Natalegawa told reporters at a press conference alongside Kerry.

Do we have an obligation to protect those to whom we grant asylum from Cyber attacks?
Associated Press reports:
An Ethiopian refugee is urging British authorities to open an investigation after experts found traces of sophisticated surveillance software on his computer.
Tadesse Kersmo accused the Ethiopian government of deploying the software to spy on his Skype calls with other members of the country’s opposition, excerpts of which later ended up on the Internet.
Read more on AP The Big Story.

“I see in your latest email to your cousin George that you think you have no privacy. How can we make you feel more secure?”
New Zealand’s new privacy commissioner gave an interview on his first day in office, and ONE News covered it:
The man charged with safeguarding our privacy says public faith in government agencies needs to be rebuilt.
Privacy Commissioner John Edwards says he wants to help rebuild public confidence that personal information is safe.
“There are rules, and those rules need to be respected,” he said.
Mr Edwards’s comments come as privacy whistleblower Bronwyn Pullar calls for more power and resources for the Privacy Commission.
Read/watch more on TVNZ.

(Related) At least, we'd like some indication that government agencies are aware of events taking place around them.
Tim Cushing reports:
The government’s overclassification problem has turned its redaction efforts into a farce. When not deploying questionable exceptions to avoid returning responsive documents to FOIA requests, government agencies are cranking out amateurishly redacted pages that leave info exposed in one response and covered up in the next. No wonder they fear the “mosaic” approach to FOIA requests. If they’d just come up with some meaningful redaction guidelines, they could avoid this. Instead, things like the following bit of stupidity happen.
Read more on TechDirt.

Something for the “resource folder?”
Handbook on European data protection law
by Sabrina I. Pacifici on February 17, 2014
“This handbook is designed to familiarise legal practitioners who are not specialised in the field of data protection with this area of law. It provides an overview of the EU’s and the CoE’s applicable legal frameworks. The rapid development of information and communication technologies underscores the growing need for the robust protection of personal data – a right safeguarded by both European Union (EU) and Council of Europe (CoE) instruments. Technological advances expand the frontiers of, for example, surveillance, communication interception and data storage; all of these pose significant challenges to the right to data protection. The Handbook on European data protection law explains key jurisprudence, summarising major rulings of both the European Court of Human Rights (ECtHR) and the Court of Justice of the European Union (CJEU). Where no such case law exists, it presents practical illustrations with hypothetical scenarios. In a nutshell, this handbook aims to help ensure that the right to data protection is upheld with vigour and determination.”

Another “finding” that will go nowhere. I really can't understand why China continues to tolerate, let alone support North Korea. I can't see any advantage.
North Korea: UN Commission documents wide-ranging and ongoing crimes against humanity
by Sabrina I. Pacifici on February 17, 2014
UN Commission on Human Rights – “A wide array of crimes against humanity, arising from “policies established at the highest level of State,” have been committed and continue to take place in the Democratic People’s Republic of Korea, according to a UN report released Monday, which also calls for urgent action by the international community to address the human rights situation in the country, including referral to the International Criminal Court. In a 400-page set of linked reports and supporting documents [Report of the commission of inquiry on human rights in the Democratic People’s Republic of Korea – A/HRC/25/63] based on first-hand testimony from victims and witnesses, the UN Commission of Inquiry on human rights in the DPRK has documented in great detail the “unspeakable atrocities” committed in the country. “The gravity, scale and nature of these violations reveal a State that does not have any parallel in the contemporary world,” the Commission — established by the Human Rights Council in March 2013 — says in a report that is unprecedented in scope. “These crimes against humanity entail extermination, murder, enslavement, torture, imprisonment, rape, forced abortions and other sexual violence, persecution on political, religious, racial and gender grounds, the forcible transfer of populations, the enforced disappearance of persons and the inhumane act of knowingly causing prolonged starvation,” the report says, adding that “Crimes against humanity are ongoing in the Democratic People’s Republic of Korea because the policies, institutions and patterns of impunity that lie at their heart remain in place.” The second more detailed section of the report cites evidence provided by individual victims and witnesses, including the harrowing treatment meted out to political prisoners, some of whom said they would catch snakes and mice to feed malnourished babies.
Others told of watching family members being murdered in prison camps, and of defenceless inmates being used for martial arts practice. “The fact that the Democratic People’s Republic of Korea…has for decades pursued policies involving crimes that shock the conscience of humanity raises questions about the inadequacy of the response of the international community,” the report stated. “The international community must accept its responsibility to protect the people of the Democratic People’s Republic of Korea from crimes against humanity, because the Government of the DPRK has manifestly failed to do so.” The Commission found that the DPRK “displays many attributes of a totalitarian State.” [No kidding? Bob]

For my fellow geeks. Let's try to get people looking up.
ISS observation – When can I spot the Space Station?
by Sabrina I. Pacifici on February 17, 2014
Observation of the International Space Station – “The International Space Station can easily be spotted with the naked eye. Because of its size (110m x 100m x 30m) it reflects very much sunlight. The best time to observe the ISS is when it is night time at your location, but the Space Station is sunlit. Such a situation occurs often in the morning before sunrise or in the evening after sunset. Visible passes - You find a list of the next sighting opportunities for your location below. The green bars indicate the brightness of the ISS on its pass. The list contains all visible passes of the ISS during the next ten days. Please select a pass to get more details.” [Enter your city location in the search box for accurate tracking of the ISS]

For some of us, every day is Drink Wine Day.
February 18, 2014 is Drink Wine Day

How cruel am I? I'm making my Math students write an essay explaining the formulas in an elaborate Excel spreadsheet. Perhaps these tools will help.
13 Browser-Based Tools For Writers

(Related) Something for my students other than a Math essay?
Free Webinar - Digital Storytelling With Comics
Last month I hosted a free webinar on digital storytelling with comics. More than 100 people attended the live session. Next week on February 25th at 7pm I'll be conducting that webinar again. You can register for the webinar here. If you're interested in this topic but you cannot make the live session, please register anyway to have the recording emailed to you. The webinar is sponsored by Storyboard That, but will not be limited to only using Storyboard That. You will also see WeVideo and Widbook in use.
The webinar will be based on my free ebook Digital Storytelling Projects With Comics.