Saturday, March 15, 2014

Not the kind of thing you want to see in a 10-K.
Target warns in filing that data breach could be worse than reported so far
  • Target (TGT) warned that last year's security breach could have been more extensive than reported so far and lead to further losses, the retailer discloses today in its annual 10-K filing.
  • TGT says it cannot predict the length or extent of any ongoing impact to sales, or how long it might take to restore the company's reputation in the wake of the breach.
  • So far, TGT has said ~40M payment card records were stolen along with 70M other customer records.

Local! Suggests that they found the “virus.” That's good, but very unusual. If they had the tools in place, why did it take them 4 months?
Roger Adams of Aspen Public Radio reports that Valley View Hospital in Glenwood Springs was the target of computer hackers who managed to insert a virus on the hospital’s system in September.
A statement prominently linked from the hospital’s homepage explains that after identifying the virus in January, they brought in a forensic team who was able to learn that the virus had captured screen shots of Internet web pages and stored these images in an encrypted, hidden folder on the Valley View Hospital system. This folder could have been accessed by an outside entity. Upon this discovery on January 23, 2014, the hospital immediately shut down incoming and outgoing Internet traffic to quarantine all information. Steps were taken to remove the virus from the system.
On January 25, 2014, the firm reported the detailed contents of the encrypted, hidden folder. The information in each folder varied for each affected individual but included individual names and in some cases addresses, date of birth, telephone numbers, social security numbers, credit card information, admission date, discharge date and patient visit numbers. No medical information was included. The hospital has been unable to confirm whether any data was improperly accessed by or transmitted to an outside entity.
Notification letters will be going out to affected patients on March 17 and patients will be informed about free identity and credit protection services.
The hospital has already launched an upgrade to its information technology and security.

Is this the future of Privacy Policies? Understandable policies? Can we do better?
Ric Velez writes:
Goodbye, terrible, jargon-filled, tiny-font legalese we like to call a privacy policy. Today, we’re launching Private Parts, an open-sourced, customizable toolkit to help developers implement visual, user-friendly privacy policies. And yes, you can use it today.
Instead of a mystifying wall of text, we wanted to create broad industry change and transform privacy policies into a clear, simple design that uses visual cues to allow users to understand how an app collects and shares their data.
Read more on Lookout, with a reminder that me posting something here does not constitute an endorsement.

What could possibly go wrong? Is this because we are feeling guilty that we have an effective intelligence community?
U.S. to relinquish remaining control over the Internet
U.S. officials announced plans Friday to relinquish federal government control over the administration of the Internet, a move likely to please international critics but alarm many business leaders and others who rely on smooth functioning of the Web.
… The practical consequences of the decision were not immediately clear, but it could alleviate rising global complaints that the United States essentially controls the Web and takes advantage of its oversight role to help spy on the rest of the world.

Weekly chuckles.
… The defense has begun to make its case in Vergara vs. California, a lawsuit brought by StudentsMatter that charges that tenure and seniority rules prevent students from having effective teachers and as a result from getting a quality education.
… There’s a new law in Texas that requires (~$100) graphing calculators for eighth-grade standardized tests. (Gee, I wonder which company lobbied for that rule?) According to the Austin American-Statesman, school officials would like to use a cheaper mobile app (~$15) instead. Good grief. Use Desmos. It's free. It works on that wonderful thing, the World Wide Web, and doesn’t require you buy everyone an iPad (which last time I checked is still more expensive than a graphing calculator). [I wonder if they asked any Math teachers? Bob]
… The Supreme Court has refused Easton Area School District’s request to review a lower court decision that had struck down the district’s ban on students wearing I ♥ boobies breast cancer awareness bracelets.
Cengage’s reorganization plans have been approved, so the company can emerge from Chapter 11.
A study has found that managers looking for someone with math skills are twice as likely to hire a man over a woman, even when women are equally skilled

Friday, March 14, 2014

What would stop Putin if he chose to invade? Is anyone other than Russia moving troops? (We did move some F16s to Poland.)
Russia ships troops into Ukraine, repeats invasion threat
Russia shipped more troops and armor into Crimea on Friday and repeated its threat to invade other parts of Ukraine, showing no sign of listening to Western pleas to back off from the worst confrontation since the Cold War.
Russia's stock markets tumbled and the cost of insuring its debt soared on the last day of trading before pro-Moscow authorities in Crimea hold a vote to join Russia, a move all but certain to lead to U.S. and EU sanctions on Monday.

I feel so much better! But after scanning a dozen articles, I still have a few questions: Did he actually speak to the President or just a White House operator? If he did, why would the President waste time talking to Zuckerberg? (Oh yeah, campaign contributions) Would any of this have an impact on anything?
Mark Zuckerberg calls Obama to complain about NSA
Facebook founder Mark Zuckerberg on Thursday said he called President Obama to express frustration about the government's spying and hacking programs.
"When our engineers work tirelessly to improve security, we imagine we're protecting you against criminals, not our own government," Zuckerberg wrote in a Facebook post Thursday afternoon.
His concerns are based on the latest reports from investigative reporters at The Intercept, which reveal that the National Security Agency has weaponized the Internet, making it possible to inject bad software into innocent peoples' computers en masse.
The report is based on documents provided by ex-NSA contractor Edward Snowden.

Since they are “completely unregulated” perhaps my Ethical Hackers could demonstrate what they can do by gathering information on members of the state legislature... Just a suggestion. (Could we sell it to local news outlets?)
Lynda Lye writes:
Local law enforcement agencies across the Bay Area have so-called stingray devices, a powerful cellphone surveillance tool, and more are planning to acquire the technology, according to public records recently obtained by Sacramento News10. The devices are highly intrusive and completely unregulated. Although the Wall Street Journal reported in 2011 that they were being used by the federal government, the News10 records reveal for the first time that these devices are also in widespread use by local authorities stretching from San José to Sacramento. The revelations are troubling. Once again, we see the proliferation of powerful new surveillance tools, but without any rules to constrain their use. The acquisition of these devices is shrouded in secrecy and driven by federal grant money, which undermines local democratic oversight. Their actual use by local law enforcement reflects the all too common phenomenon of mission creep: Although the justification for acquiring these devices is “fighting terrorism,” agencies seem to be using them for ordinary criminal law enforcement.
Read more on ACLU

Speaking of regulation, have we ever investigated a regulatory agency for failing to do their job? (Remember, the SEC was warned about Bernie Madoff several times.) Only fair if we want to point the finger of shame at Target for ignoring security warnings.
While South Korea’s Financial Supervisory Service (FSS) continues to deal with massive breaches in the financial sector, the Board of Audit and Inspection of Korea will now be investigating them:
The Board of Audit and Inspection of Korea began an inspection of the country`s financial watchdog agency Wednesday over a large-scale theft of customer information from some of local financial institutions. The state inspectors plan to investigate whether the Financial Supervisory Service (FSS) properly supervised financial institutions after some local credit card companies had 140 million cases of customer information stolen and sold to marketing firms in the country`s largest-ever data theft case. The move came after civic groups` petition last month for an inspection.
After taking office in March last year, Choi Soo-hyun, chairman of the FSS, failed to take proper follow-up measures after a theft of 140,000 cases of customer data from Citibank Korea and Standard Chartered Bank Korea, letting a much bigger theft happen. The FSS is responsible for the latest data theft case because it went no further than sending a letter of warning to financial companies involved in the incident. Nevertheless, the FSS rejected a civil petition for an inspection into the companies last week, saying that there is “nothing exceptionally new or major” in the case.
Read more on Donga.

(Related) Speaking of warnings being ignored, what would be the consequences of ignoring these?
HITRUST Announces Threat Briefings, Cyber Alerts for Healthcare Industry
The Health Information Trust Alliance (HITRUST) announced on Thursday that it will conduct monthly cyber threat briefings in partnership with the U.S. Department of Health and Human Services, and will warn organizations when HITRUST’s Cyber Threat Intelligence and Incident Coordination Center (C3) identifies high probability and impact cyber threats targeted at the healthcare industry.
The new efforts are designed to help organizations better understand current and probable cyber threats relevant to organizations in the healthcare industry and share best practices for cyber defense and incident response.
According to a recent survey from the SANS Institute, a staggering 94 percent of all healthcare organizations said they have been victims of data breaches at some point. In its “Health Care Cyberthreat Report,” released Feb. 21, SANS said that despite the high number, organizations that have been breached but haven't disclosed the incidents, or haven't discovered it yet, aren't included in the tally.

These are becoming so common I keep thinking I've reported this case before, but apparently it was only a bunch of very similar cases.
Erin McAuley reports:
A high school unconstitutionally suspended a freshman for a harmless comment he wrote at home on his Facebook page, the boy and his family claim in court.
R.L., a 15-year-old from Manchester, Pa., and his parents, Jill and Michael Lordan, sued Central York School District, its Superintendent Michael Snell and Central York High School assistant principal Jeffrey Hamme, in Federal Court.
The Lordans say the defendants used “unconstitutionally vague rules as a basis for discipline” and exceeded their authority by punishing the boy for conduct that was off-grounds and out-of-school.
Read more on Courthouse News.
We’ve seen lawsuits like this before, of course. Anyone care to venture a guess how it turns out?

Their intent should have been to write down exactly what they meant to say.
Ralph C. Losey of Jackson Lewis writes:
The Computer Fraud and Abuse Act (“CFAA”) is an anti-hacker statute that prohibits unauthorized access, or the exceeding of authorized access, of computers connected to interstate commerce. 18 U.S.C. § 1030. Violators are subject to both criminal and civil liability. Employers have long taken advantage of the CFAA’s civil remedies to “sue former employees and their new companies who seek a competitive edge through wrongful use of information from the former employer’s computer system.” P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, LLC, 428 F.3d 504, 510 (3d Cir. 2005).
A majority of courts have to date construed the meaning of “unauthorized access” in the CFAA to include access for unauthorized purposes, such as to steal an employer’s information. They applied the anti-hacker statute even though the employee was authorized to access the computer system, just not for purposes of theft. Now a growing number of courts are stepping back from the expansive construction of what it means to be a “hacker” under the statute. They are instead limiting the CFAA to situations where the access to the computer itself was unauthorized, and disregarding whether or not the access was for a permitted use.
Read more on National Law Review.

You have phones owned by a company, issued to employees (with or without personal data). Employee-owned phones used for the employer's benefit (BYOD). And every combination or variation you can think of...
Ronald K. L. Collins writes:
There has been quite a bit of news lately, along with general commentary on this blog, about the legality of police searches of the contents of an arrestee’s cell phone. The issue raised in United States v. Wurie, which the Court has agreed to review, is whether the Fourth Amendment permits the police, without obtaining a warrant, to review the call log of a cellphone found on a person who has been lawfully arrested. (The Court has also agreed to hear a companion case out of California: Riley v. California.) But there is more here than meets the constitutional eye, or so maintains Robert Corn-Revere, a noted First Amendment lawyer who is a partner at the Washington, D.C. office of Davis Wright Tremaine. Yesterday, he filed an amicus brief on behalf of the National Press Photographers Association and thirteen media organizations in support of the Petitioner in the Wurie case. What is interesting about this brief is the First Amendment argument Mr. Corn-Revere offers up to buttress the Fourth Amendment claim at stake in these cases.
Read more on Concurring Opinions.
[From the article:
Here is the media interest in all of this: “Of particular concern to Amici, media outlets increasingly rely on issuing reporters smart phones to take photographs and to record other story elements. Cell phone cameras are capable of taking high quality photographs and audio-visual recordings. And, because smart phones can connect to the Internet, it is easy for journalists to upload photo, video, audio, or text files to the Internet to file reports.” So opens this amicus brief.
Here is the problem for the media: “These new technologies have greatly expanded the ability to gather and report news, but the same capabilities that make them a boon to journalists create a grave threat if they are subject to unrestricted warrantless searches incident to arrest.”]

A challenge for my students: How do you make money on rapidly falling prices?
Google's Drive SLASH: Can a Cloud BURST be far behind?
Google has slashed its online Drive storage prices so fast, it undercuts all of its rivals – and its own products. The Reg suspects the web king will dramatically lower its infrastructure-as-a-service storage prices as well in two weeks.
The dramatic price cut for Google Drive was announced on Thursday: storing 100GB of data in its systems per month has fallen from $4.99 to $1.99. Storing a terabyte now costs $9.99 a month versus $49.99 previously, and 10TB will set you back $99.99 per month.
… (You can still pick up a decent 1TB drive for about 60 dollars, working out to the low price of $5 a month over a year versus Google's $9.99.)
What may get IT admins rubbing their hands with glee is that this Drive price cut also falls far below the prices charged by typical infrastructure-as-a-service providers for barebones storage. Amazon Web Services's S3 service costs $8.50 per 100GB per month, and Microsoft's Windows Azure charges $6.80 for 100GB of locally redundant stored data a month.
More intriguingly, the Drive price cut undercuts the $6.30 Google charges for storing 100GB in its mainstream infrastructure-as-a-service Google Cloud Storage.

Perhaps so. Best I've seen anyway.
The World’s Greatest Azure Demo
… I’m going to cover 14 discrete topics all stitched up into one superdemo. The plan was to take about an hour per the title in the website you see above (this is a real live website I setup in the demo and push out to by the way), but I got, uh, a bit carried away. Only by another 22 minutes, but sometimes there’s just a story that wants to get out and it’s hard to hold it in.

For all my students. You can't write cursive, now you can forget how to type. (Requires Chrome)
– With Dictation, you can use the magic of speech recognition to write emails, narrate essays and long documents in the browser without touching the keyboard. To get started, just connect the microphone to your computer and click the Start Dictation button. Dictation uses your browser’s local Storage to save all the transcribed text automatically as you speak.

Depressing! $9.99 per month? With so many free books and free readers available? Still, if it works it may be worth it.
is an all-you-can-read eBook service for kids, designed to get kids to love reading. With Epic!, kids can access thousands of high-quality books, instantly at their fingertips. All books are carefully selected by children’s publishing experts, teachers and parents. Well-known titles, classics, and books from award-winning authors and illustrators are added weekly.

Students: More for your toolkit?
Discovery, Discussion, Demonstration - A Selection of My Favorite Resources
This afternoon at the Literacy Promise conference in Salt Lake City I gave a presentation on how I think about educational technology and some of my favorite resources that can be used in a wide variety of settings. The slides from that presentation are embedded below.

For my students. See what you can do without a Smartphone?
Toby Shapshak: You don't need an app for that
Are the simplest phones the smartest? While the rest of the world is updating statuses and playing games on smartphones, Africa is developing useful SMS-based solutions to everyday needs, says journalist Toby Shapshak. In this eye-opening talk, Shapshak explores the frontiers of mobile invention in Africa as he asks us to reconsider our preconceived notions of innovation.

Students: This is why we say you have it good, quit complaining!
4 Classic Operating Systems You Can Access In Your Browser
You can try Windows 1.0, Mac System 7, Amiga OS and DOS – along with a few games – without leaving your browser.
Welcome to the world of online emulators.
The history of computers is fascinating, but reading will only get you so far. If you really want to know what, say, Windows was like in 1985, you don’t need to find a computer from that age. A variety of enthusiasts have used existing emulators to offer classic systems on the Web. Here’s where to find them.
Would you prefer to see Windows 3.0? That’s the system most people are familiar with, and there’s an emulator for that, too.
Want a more recent nostalgia trip? Head to This site doesn’t offer emulators, but you might not even be able to tell. You’ll see interactive screenshot tours of Windows and Mac systems. Everything works as you’d expect: click start, see the menu.

Thursday, March 13, 2014

I've been arguing that poor monitoring by management leads to security “surprises.” This is a brief overview article – you can see what I'm talking about.
Security Metrics: What is a "Metric"?
There are many important and useful tools related to the metrics landscape; let's take a look at some of them and how they fit together. For the sake of this discussion, I'll stick with the definition of “metrics” that I offered previously:
A metric is some data and an algorithm for reducing and presenting it to tell a story.

(Related) Lawyers: Have we reached that “Target is doomed” level yet?
I’m watching Josh Tyrangiel of Bloomberg on CBS News this morning reporting that prior to its massive breach, Target ignored the warning alerts generated by its FireEye system. Target hasn’t responded to Bloomberg’s questions as to why the warning e-mails generated by the system were ignored.
Interestingly, we heard something similar in the Neiman-Marcus breach where hackers kept triggering alarms, but the almost 60,000 alarms were ignored by personnel who viewed them as false positives.

The question is always how sophisticated the encryption is. If “Dalai Lama” always encrypts to “p3ujd msk9d,” this is no big deal.
Google is encrypting search globally. That’s bad for the NSA and China’s censors.
… China’s Great Firewall, as its censorship system is known, has long intercepted searches for information it deemed politically sensitive. Google’s growing use of encryption there means that government monitors are unable to detect when users search for sensitive terms, such as “Dalai Lama” or “Tiananmen Square,” because the encryption makes them appear as indecipherable strings of numbers and letters.
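Added example (not from the quoted article or from Google): a sketch of the point in the comment above, comparing an encryption that always maps the same term to the same ciphertext with one that uses a fresh random nonce per message. The HMAC-based keystream is a stand-in built from the Python standard library for illustration only, and the function names and sample queries are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in stream cipher for this demo only."""
    blocks = []
    for counter in range((length + 31) // 32):
        msg = nonce + counter.to_bytes(4, "big")
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_fixed(key: bytes, plaintext: bytes) -> bytes:
    """Deterministic: same key and same plaintext give the same ciphertext
    every time. This is the 'always encrypts to p3ujd msk9d' case."""
    return _xor(plaintext, _keystream(key, b"", len(plaintext)))


def encrypt_fresh_nonce(key: bytes, plaintext: bytes) -> bytes:
    """Randomized: a new nonce per message, so repeats look unrelated."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt_fresh_nonce(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(body, _keystream(key, nonce, len(body)))


def count_watchlist_hits(observed, watchlist) -> int:
    """All a keyless monitor can do: exact-match ciphertexts it has seen before."""
    return sum(1 for ciphertext in observed if ciphertext in watchlist)


def compare_modes(queries, term):
    """Return (hits with deterministic encryption, hits with fresh nonces).

    The monitor's watchlist holds one previously observed ciphertext of
    `term`; it never learns the key.
    """
    key = os.urandom(32)

    fixed_watchlist = {encrypt_fixed(key, term)}
    fixed_traffic = [encrypt_fixed(key, q) for q in queries]

    fresh_watchlist = {encrypt_fresh_nonce(key, term)}
    fresh_traffic = [encrypt_fresh_nonce(key, q) for q in queries]

    return (count_watchlist_hits(fixed_traffic, fixed_watchlist),
            count_watchlist_hits(fresh_traffic, fresh_watchlist))


if __name__ == "__main__":
    # Constructed sample queries.
    sample = [b"weather", b"Dalai Lama", b"news", b"Dalai Lama"]
    fixed_hits, fresh_hits = compare_modes(sample, b"Dalai Lama")
    print("deterministic: monitor recognizes", fixed_hits, "of", len(sample))
    print("fresh nonce:   monitor recognizes", fresh_hits, "of", len(sample))
```

Fresh nonces hide whether two messages are equal, but not how long they are: the ciphertext body here is exactly as long as the plaintext.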

What is the equivalent “disruptive technology” in your industry?
Craigslist Saved Consumers a Lot of Money While Crippling Newspapers
Craigslist, the online-ad site, saved the placers of classified advertisements $5 billion from 2000 through 2007, according to an analysis by Robert Seamans of New York University and Feng Zhu of Harvard Business School. It also had a profound impact on U.S. local newspapers, siphoning off classified advertisers and leading to decreased classified-ad rates, increased subscription prices, reduced circulation, and declines in display advertising. It also set up a consumer expectation that classified advertising would be free.

Has Harvard just blessed Wikipedia?
Harvard's Looking for a 'Wikipedian in Residence'
The Houghton Library on the Harvard campus holds the university's collection of rare books.
… Yesterday, John Overholt, Houghton's Curator of Early Modern Books & Manuscripts, posted a job listing. He's hiring a Wikipedian in Residence—someone who can serve as a kind of liaison between Wikipedia and the academic, cultural, and intellectual institutions whose source material its entries rely on. In this case, Harvard.
The Wikipedian in Residence will, according to the job announcement, help to "expand coverage on Wikipedia of topics relevant to Houghton collections." He or she will add sources for existing Wikipedia pages and create new pages "on notable topics." The person will also "provide appropriate formatting and metadata (and OCR cleanup in the case of texts) to upload public domain content to Wikimedia and Wikisource, and facilitate the use of such materials by other Wikipedia users."

Another tool for my students.
Stay Protected From Every Type Of Malware With Avast Free Antivirus
Virtually every computer user understands that they need protection from online threats. But what is still a common misconception is that you must pay loads of money for it. Norton, McAfee or any of the other big name antivirus companies aren’t the only options. In fact, many reputable free antivirus programs are just as effective as the ones you would pay for, and avast! Free Antivirus is definitely one that we feel stands with the best Windows antivirus programs.

For my Computer Security majors... (and any other students considering a switch)
High Demand Pushes Average Cyber Security Salary Over $93,000
The number of job postings for cyber-security positions grew twice as fast as the number for overall IT job postings in 2013, Burning Glass Technologies found in its latest installment of the Job Market Intelligence report.
… In comparison, the average salary for all IT job postings was $77,642.

Wednesday, March 12, 2014

Shouldn't these “settlements” answer at least a few questions? Did Aaron's do all the things they are banned from doing in future, but didn't officially admit to doing?
From the FTC:
Following a public comment period, the Federal Trade Commission has approved a final order settling charges that Aaron’s Inc., a national rent-to-own retailer, knowingly played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers, including taking webcam pictures of them in their homes.
Under the terms of a consent agreement, first announced in October 2013, Aaron’s is prohibited from using monitoring technology to gather consumers’ information from rental computers, or receiving, storing or communicating such information, except to provide technical support at a consumer’s request. The terms of the settlement also bar the company from gathering information from any consumer product via geophysical location tracking technology without clearly notifying and obtaining express consent from consumers at the time of rental. Aaron’s is further prohibited from installing or activating such technology on rental computers that does not clearly notify consumers of its presence immediately before each use, including via a prominent icon on the computer.
The order further bars Aaron’s from deceptively gathering information about consumers, and from using improperly obtained information to collect debt, money or property as part of a rent-to-own transaction. The company must delete or destroy any information it has collected improperly, and can transmit information obtained via monitoring or location tracking only if it is encrypted. In addition, the order requires Aaron’s to conduct annual monitoring and oversight of its franchisees for compliance with the terms of the agreement, act immediately to ensure compliance, and terminate any franchisee that fails to comply.
The Commission vote approving the final order and letters to members of the public who commented on it was 4-0. (FTC File No. 1123264; the staff contact is Julie Mayer, 206-220-4475.)
Looking at the comments submitted during the public comment period, there are a few themes: (1) customers who wanted to know how they could determine whether the spyware had been installed on their computer, (2) customers who asked if they could be part of the FTC settlement, (3) those who wanted the Commission to prosecute Aaron’s criminally, and (4) those who wanted the Commission to impose a heavy monetary penalty. One correspondent objected to the “no admission of liability” clause in the settlement.
In response to the commenters, the FTC responded that it did not have the authority to impose monetary penalties, nor was there any monetary settlement for consumers to participate in. They also explained that they did not have the authority to prosecute Aaron’s criminally. They somewhat side-stepped the question of determining if the consumer had been spied on by saying that Aaron’s agreed to delete all files.
No privacy advocacy or consumer groups commented on the settlement.

Why not?
Deven Desai writes:
Privacy law does not exist, but it should be taught at every law school. There is no one law of privacy. That is why I love teaching Information Privacy (Solove and Schwartz (Aspen) is the text I use). The class requires students to reengage with and apply torts, Constitutional law (First and Fourth Amendment at least), and statutory interpretation. It also lends itself to learning about sectoral approaches to regulation in health, finance, commerce, and education. Given that the idea and problems of privacy are everywhere, there are jobs in them thar hills. Yet, schools often see the course as a luxury or somehow part of IP. That is a mistake.
Read more on Concurring Opinions.

Beware of ill considered ire! Would they prefer that North Korea was the “world's leading spy-er” and no one in the 'Free World' knew how to defend its citizens?
'Free World' Governments Among Worst for Online Spying: Watchdog
In the latest installment of the "Enemies of the Internet" report, wholesale spying by "free world" services -- much of it exposed by US intelligence contractor Edward Snowden --- is offered no distinction from the unabashed surveillance carried out by the world's worst dictatorships.
To RSF, agencies such as the US National Security Agency, Britain's GCHQ and the Centre for Development Telematics in India embrace the worst methods of snooping in the name of governments that purportedly hold freedom of speech as a national priority.

Something beyond training caught my eye... (Good little article)
How Facebook and Twitter Built the Best Employee Training Programs in Silicon Valley
Training employees and managers is essential at any company but particularly for startups. Yet many avoid it because it seems too hard or expensive.
“A lot of companies think their employees are so smart that they require no training,” Andreessen Horowitz co-founder Ben Horowitz writes in his recent book. “That’s silly.”
Horowitz told Quartz that two companies that do some of the best training are Facebook, on the engineering side, and Twitter, for management. (Andreessen Horowitz has invested in both companies.)
… As of 2007, the company didn’t really train people, Horowitz says.
“It caused a lot of misunderstandings in the product architecture, which caused performance issues, which caused a pretty large crisis in the company,” Horowitz says.
The following year, Facebook began a program led by engineer Andrew Bosworth called Facebook Bootcamp. It’s a seven week on-boarding program for new engineers and project managers. They’re immersed in the company’s code, and start working on projects that end up live on the site within a week of their start date. [Compare this to the multi-year boondoggles our government throws money at... Bob]

Yeah, that's New Jersey. See what all the smart states are doing, then screw it up. But if you think that's bad, you should look at their liquor laws.
Tesla, New Jersey clash over direct sales to customers
Elon Musk wants to keep selling electric cars directly to the public in New Jersey, but on Tuesday the state said no, insisting instead that Tesla Motors Inc offer its cars through an auto franchise rather than its own stores.
New Jersey Governor Chris Christie's administration approved a rule requiring sales of all new cars to go through franchises.

For my student gamers... Perhaps success came at too great a cost?
Creator of Flappy Bird's Reasons For Canceling Game
Nguyen tells Rolling Stone that his reason for taking the game down was its addictive property.
… He also went on to explain that before making $50,000 dollars a day from Flappy Bird, he studied computer and science and worked for a company that made cellphone games.
Many rumors followed Nguyen's cancelling of Flappy Bird, like some of the false reasons he cancelled the game: A lawsuit by Nintendo to a theory that Nguyen had taken his own life, yet he breathes soundly and well.
His two main reasons for taking the game down were because he believed it made his simple life a media circus and because some people had claimed the game was making their lives worse.

When I complain about my lazy 2.14 MBPS service, this is what I suspect any of the large services could provide if there is a bit of competition. 400 times faster than DSL?
Shelby-based company bringing ultra high-speed internet to NC
A company in Shelby announced it plans on bringing a 100-gigabit fiber network and a la carte TV programming to North Carolina.
… RST plans to offer uncompressed 4K television, online education, telemedicine, HD video security/surveillance, a la carte movies and programming and smart grid connectivity/transport.
The release from RST comes on the heels of a March 5 announcement from Google saying the Triangle is one of nine metro areas around the country that could get Google Fiber.

Is this really free?
– is a US telecom company that aims to protect your privacy from hackers, government agencies and spyware. Ensure your Internet, voice calls & texts are secure and encrypted. FreedomPop currently offers customers free 4G mobile phone service, free wireless internet, and free home broadband.

For my students.
How To Choose The Right Dashcam For Your Car
… One of our authors, Christian Cawley, wrote an extensive piece on how to turn your smartphone into a dashcam. Why buy a separate camera when you can just use your phone?

Tools for students.
FREE EBOOK: Learn To Build With PHP, A Crash Course
You’ve heard of PHP. This is the language that Facebook, WordPress and Wikipedia use to serve billions of requests, daily. It is the de-facto language used for teaching people to program for the Web. It’s beautifully simple, but brilliantly powerful.
And in this guide, Matthew Hughes is going to teach you how you can use it to build your own websites – starting with a basic clone of Twitter.
FREE EBOOK: Learn To Build With PHP: A Crash Course
Read online or download PDF, EPUB version free of charge; Kindle version $1

Tuesday, March 11, 2014

I'm sure Target would like everyone to believe the attack was overwhelmingly superior to any possible defense. I've never seen one that truly was...
Security firm report says Target data hack was low tech
The U.S. Secret Service has called the criminals behind Target Corp.’s monster security breach well-organized, “highly technical” and “sophisticated.”
But cybersecurity firm McAfee Inc. said in a report out Monday that the heist was anything but exotic, describing the attack as a Breach 101 operation.
The thieves used easily modified off-the-shelf malware, common methods to hide the malware inside Target’s point of sale system and didn’t encrypt either the instructions on where to send the stolen card data or the card information itself as it was being transmitted out of Target to a remote server, a data stream that should have been detected and caught,
… “As an attack, it is extremely unimpressive and unremarkable.”
… McAfee’s report, however, paints a picture of a run-of-the-mill attack.
The BlackPOS-based malware may have been customized for Target’s systems, but it was “far from ‘advanced,’” it said: “The BlackPOS malware family is an ‘off-the-shelf’ exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality.”
The methods the thugs used to hide the malware on Target’s system were nothing new either, it said, calling it “standard practice” for criminals to evade the anti-malware and controls companies use for protection.
Thieves can easily get software online to test a company’s defenses and evade them, it said. [Security teams can use these tools too! Bob]
… The report names multiple retailers that suffered point of sale attacks in 2013 including Neiman Marcus, Michaels Stores, hotel manager White Lodging Services Corp., Harbor Freight Tools, Easton-Bell Sports and sandwich chain ’Wichcraft.
“Probably the biggest issue in this attack is that they lacked the situational awareness to identify anomalous occurrence in their environment,” Walter said. [Translation: They were not adequately monitoring their systems. Bob]
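The report's point that unencrypted card data leaving the network "should have been detected" can be made concrete with a content check on outbound payloads. The sketch below is an added example, not code from the McAfee report or from this post: it looks for ISO/IEC 7813 magnetic-stripe track layouts and confirms the card number with a Luhn check. The function names, sample flows and addresses are constructed for illustration.

```python
import re

# ISO/IEC 7813 track layouts, as they appear when stripe data is sent in cleartext.
# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(?P<pan>\d{12,19})\^[^^]{2,26}\^(?P<exp>\d{4})\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(rb";(?P<pan>\d{12,19})=(?P<exp>\d{4})\d{3}\d*\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so alerts never store a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_payload(payload: bytes):
    """Return (kind, masked_pan, offset) for each plausible track record."""
    findings = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(payload):
            pan = m.group("pan").decode()
            month = int(m.group("exp")[2:])
            # Luhn plus a sane expiry month cuts down false positives
            # from arbitrary digit runs that happen to fit the layout.
            if luhn_ok(pan) and 1 <= month <= 12:
                findings.append((kind, mask(pan), m.start()))
    return findings


def flag_flows(flows):
    """Return (destination, findings) for outbound flows carrying track data."""
    flagged = []
    for flow in flows:
        hits = scan_payload(flow["payload"])
        if hits:
            flagged.append((flow["dst"], hits))
    return flagged


# Constructed sample flows; 4111111111111111 is a widely used test card number
# and the addresses come from documentation ranges.
SAMPLE_FLOWS = [
    {"dst": "198.51.100.10", "payload": b"POST /inv HTTP/1.1\r\n\r\nsku=1234567890123456&qty=2"},
    {"dst": "203.0.113.77", "payload": b"STOR d.txt\r\n;4111111111111111=25121010000000000000?\n"},
    {"dst": "203.0.113.77", "payload": b"%B4111111111111111^DOE/JANE^25121010000000000?"},
    {"dst": "198.51.100.20", "payload": b";4111111111111112=25121010000000000000?"},  # fails Luhn
]

if __name__ == "__main__":
    for dst, hits in flag_flows(SAMPLE_FLOWS):
        print(dst, hits)
```

A check like this only works while the stream is unencrypted, which is the condition the report describes.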

Simply harassment, or the first shot in a true CyberWar? (How can you tell?)
Ukraine's Computers Targeted by Powerful Malware: Experts
Dozens of computer networks in Ukraine have been infected by an aggressive new cyber weapon called Snake, according to expert analysis.
The cyber weapon has been increasingly used since the start of this year, even before protests that led to the overthrow of president Viktor Yanukovych, British-based BAE Systems said in a report published Friday.
… Although its origins are unclear, its developers appear to operate it in the same timezone as Moscow -- GMT plus four hours -- and some Russian text is embedded into the code, BAE says.

If you are into that kind of stuff...
Watch Edward Snowden talk at the SXSW in a rare public appearance

Are drones so radical that the government can't figure out what to do?
From EPIC:
A federal judge has ruled that commercial drones are legal, stating that the Federal Aviation Administration has not issued an enforceable regulatory rule that governs commercial drone operation. The FAA plans to appeal the decision. In 2012, Congress told the Agency to implement a plan to integrate drones into the National Airspace by 2015. Shortly after, EPIC joined by over 100 other organizations, experts, and members of the public petitioned the FAA to address privacy as part of the integration. As a result, the Agency published a notice with proposed privacy requirements for drone operators. EPIC submitted comments in response to the notice, urging the Agency to mandate minimum privacy standards for drone operators. After considering numerous public comments on the privacy impact of aerial drones, the FAA proposed a regulation that requires test site operators to develop privacy policies but does not require any specific baseline privacy protections. Several states have passed drone privacy laws and bills are also pending in Congress. For more information, see EPIC: Domestic Drones.

Nicer than an email... Perhaps my students should write Apps for other platforms.
Sick Of eCards? Send Real Cards With Ink By Sincerely
With Ink, the Android app from Sincerely, sending cards to your loved ones is simple and easy. And not those boring old e-cards, but actual physical cards. (It’s true, they still exist!)
There are many apps out there for sending virtual cards, but Ink takes that to another level by actually printing out a physical card for the user and mailing it. It’s as simple as it gets, and it only costs $1.99 per card, less than you would otherwise pay for a card and stamps.

Something to hang over my desktop.

Monday, March 10, 2014

Something for Economics (and Ethical Hacking) students.
How To Explain Bitcoin To Anyone
The concept of cryptocurrency isn’t easily understood. How can one use their computer to “mine” coins? Where does the money come from? Who controls it?
We’ve published a manual on the subject of Bitcoin and even taught you how to mine it. But if you ever need to explain the basics on Bitcoin and other cryptocurrencies, this infographic by WhoIsHostingThis is quite helpful.

Perhaps it's not the technology, but the users.
Yik Yak chat app stirring up trouble in high schools
From Chicago, to Georgia, to Southern California, a new social media application is causing problems on middle school and high school campuses across the United States.
It's called Yik Yak, a location-based app that creates an anonymous social chat room where up to 500 nearby users connect through GPS tracking on their phones. Less than 4 months old, Yik Yak has "a couple hundred thousand users, mainly in Southeast/East coast campuses," its co-founder Brooks Buffington said.
… "The app was made for college-age users or above, for college campuses and to act as a virtual bulletin board, so it acts as local Twitter for their campus," Buffington told CNN.
… School administrators in Chicago said teens in some of their schools have used the free app for cyberbullying. Others have made anonymous bomb threats that have led to school lockdowns.
… Some students have compared it to a virtual bathroom wall where users post vitriol and hate.
"One of the things we were planning to do is to essentially geo-sense every high school and middle school in America, so if they try to open the app in their school, it will say something like 'no, no no, looks like you are trying to open the app on a high school or middle school and this is only for college kids,' and it will disable it and the app won't work," Buffington told CNN.

For modern Willie Suttons, here's “Where the money is.”
Junk Justice: A Statistical Analysis of 4,400 Lawsuits Filed by Debt Buyers
by Sabrina I. Pacifici on March 9, 2014
Holland, Peter A., Junk Justice: A Statistical Analysis of 4,400 Lawsuits Filed by Debt Buyers (2014). Loyola Consumer Law Review, Vol. 26, No. 1, 2014. p. 179; U of Maryland Legal Studies Research Paper No. 2014-13. Available at SSRN:
“Debt buyers have flooded courts nationwide with collection lawsuits against consumers. This article reports the findings from the broadest in-depth study of debt buyer litigation outcomes yet undertaken. The study demonstrates that in debt buyer cases,
(1) the vast majority of consumers lose the vast majority of cases by default the vast majority of the time;
(2) consumers had no lawyer in ninety-eight percent of the cases; and
(3) those who filed a notice that they intended to defend themselves without an attorney fared poorly, both in court and in out of court settlements.
This study challenges the notion that there is an “adversary system” within the context of debt buyer lawsuits. The findings suggest that no such adversary system exists for most defendants in consumer debt cases. Instead, these cases exist in a “shadow system” with little judicial oversight, which results in mass produced default judgments. The procedural and substantive due process problems which are endemic in debt buyer cases call for heightened awareness and remedial action by the bench, the bar, and the academy. As lawyers who are “public citizens, with a special responsibility for the quality of justice,” the profession can do better. This article proposes suggestions for further study, and several common sense reforms.”

Dilbert explains the philosophy of life I aspire to.

Sunday, March 09, 2014

Maybe they have it right?
Ukraine: Goodbye Cold War, hello globalised economy
While most observers claim that the current conflict over Ukraine is reminiscent of the Cold War, a political economy analysis of the last three days would au contraire underline how liberal economic interdependence has modified the rules of the game.
If the sound of boots on the ground is still very real in Crimea, the Ukrainian conflict proved the incapacity of countries to engage in military conflict without being vulnerable to exogenous economic forces or having to suffer the consequences of capital flight and currency exchange rate fluctuations.
The reaction from oligarchs in Ukraine as well as the impact that the prospect of war had on both the Russian stock exchange and currency are solid proof that countries cannot operate bluntly as they did during the Cold War without closely monitoring global economic dynamics.

(Related) for my visual learning students... Note the pipeline maps.
Ukraine Crisis in Maps

Food for thought.
Jeanne Price of idRADAR interviewed a University of Maryland spokesperson about their recent breach. The interview provides a nice insider’s perspective on breach response, and you may wish to read it all here. Perhaps the most startling revelation was this one:
UMD did not have a data breach crisis plan in place before the event, which continues to be under investigation.
In this day and age, how can any university not have a data breach crisis response plan in place? How often does this happen? And what, if anything, should the U.S. Education Department do to foster better data security and planning at the post-secondary level? Have they conducted a survey that asks about security, risk assessment, and preparations for a breach? I suspect the situation is much worse on the k-12 level than on the post-secondary level, but post-secondary institutions may collect and retain significantly more individuals’ data than k-12.
For years, we’ve known that universities are targets of hackers, as university databases contain a wealth of information that can often be used for ID theft. Those suggesting that universities are a new target or the “next target” in the wake of the UMD breach and a few other recent reports simply haven’t been paying attention.
But given that we’ve known for years, when will it be time to do something?
The Federal Trade Commission currently does not have the authority to enforce data security in non-profits (which most universities are). The U.S. Education Department does not enforce. Pretty much, no one enforces.
Is it any wonder, then, that we continue to see massive breaches at the post-secondary level?

EPIC – After Weakening Privacy Law, Education Department Proposes “Best Practices” for Student Data
by Sabrina I. Pacifici on March 8, 2014
“The Education Department has issued recommendations for schools that transfer student records to online educational service providers. Following the Department’s changes to a federal student privacy law, private companies and government agencies have access to student records without obtaining student consent. In the recommendations, the agency explained that the current regulations do not require written agreements for schools to disclose student information to private companies. The Education Department recommended that schools establish policies for approving online educational services, create written contracts with private companies for the use of student data, and explain to parents and students how schools collect, use, and disclose student information. The agency warned that student data held by private companies may not be protected under federal privacy laws. EPIC had earlier sued the Education Department for weakening the privacy rule that prevented companies from getting access to student data. On March 13, 2014, the Education Department will hold a webinar on its student privacy best practices. For more information, see: EPIC: Student Privacy and EPIC: EPIC v. Dept. of Education.”

Not clear who provided the grant. Also, not the most objective article I've ever read.
Big Brother: Milwaukee To Give Away 2,000 Surveillance Cameras for Citywide NSA Spy Grid
The city of Milwaukee will be giving away 2,000 security cameras to south side businesses. A grant has been provided to the city and they are eager to get started.
… These cameras will come with facial recognition and subsequently will track your behaviors. They will also be able to collect meta data on your habits, cell phone conversations, what you buy and who you associate with. This information will be collaborated with your cell phone id and facial recognition software provided by these cameras to monitor your voyage around town and record your trends.
This information will be trolled by the Milwaukee Fusion spy center, used to track your internet, cell phone activity and behaviors. Stored and saved for future reference indefinitely.

For my Ethical Hackers, who love a challenge – no matter how small.
Google Says User Data Is Protected From Government
Speaking at the South by Southwest festival in Austin, Texas, Google CEO Eric Schmidt assured his audience by saying he was “pretty sure” that the company’s user data was protected from “prying eyes,” which included the U.S. government. In response to the Edward Snowden incident, where large volumes of classified information were released to the public, the company has upgraded their encryption process. Without divulging too much information, especially about the specifics of these new encryption systems, Mr. Schmidt stated that the only way to protect user data was to essentially “encrypt more.” In addition to the increased encryption levels, the company also claims to have upgraded many of their digital security systems.

Online CLEs?
Virtual LegalTech show
by Sabrina I. Pacifici on March 8, 2014
Via Wilhelmina Randtke: “For anyone who is interested, there is a virtual tech show version next week by the hosts of Legal Tech NY back in Feb. The URL for the virtual tech show is here. It’s set up in INXPO, which is OK for interaction, if you are in a session with chat enabled, and better than most online platforms that try to simulate a conference. Still pretty close to a… webinar.”

There's an App for that? (coming to KickStarter soon!)
Vineyard not required: The Miracle Machine lets you make wine on your kitchen counter
Want to be a winemaker? With the new Miracle Machine, it's easier than you think.
There's no need to buy a winery. All you need are a few ingredients, the soon-to-launch Miracle Machine smartphone app and the Miracle Machine. It's a tabletop device that turns grape concentrate, yeast and a couple other ingredients into wine.
… Using wi-fi connector Bluetooth, sync your machine to the app and the Miracle Machine's fermentation chamber gets to work making the wine. It uses electric sensors, transducers, heaters and pumps to create a controlled environment for the first and second fermentation stages.

Because I don't want my students reading their textbooks while driving to school.
Read Aloud As Google Text To Speech Gets New High Quality Voices For English
Google has just come out with Version 3 of its text-to-speech Android app. It is a significant update with a better interface, natural sounding voices in English, and support for more languages. If you like to read your eBooks aloud, then this news should be pleasant to the ears. The new version of Google Text-to-Speech is rolling out on Google Play.

I'm thinking, “Math Guy!”
5 Ideas for Teaching With Comics and 5 Free Online Tools for Creating Them

4 Powerful Tools For Making Your Own Interactive Content
Many teachers today are using infographics, both in their classrooms and for their own professional development. There are so many tools out there to make your own infographics. In the education realm, most people I chat with say that they use Piktochart because it is free and very simple to use. One of the (newer) trends we’ve been noticing lately has been that more and more infographics are interactive.
StatSilk is a company that offers several different programs to make interactive content.
ManyEyes is a free data visualization software by IBM that allows creation of different types of charts, graphs, maps, and visual text analysis.
You can use Google Public Data and either upload your own dataset and create a visualization, or explore and adapt visualizations of already collected data (such as data on world economic factors) to have them suit your needs.

Amusing. Note: Khan Academy is moving too quickly to measure?
… On stage at the College Board announcement was Sal Khan as Khan Academy will now offer free SAT test prep, arguing that this will enable a “future determined by merit, not money.” (As it currently stands, students whose parents have higher incomes score higher on the SAT.)
… The anti-plagiarism software company Turnitin has launched a new product, Grade Anything. According to Campus Technology, it’s a tool “to assess ‘virtually any type of assignment,’ including presentations, spreadsheets, designs and calculations, according to a company news release, and provides a grading template for assessing assignments such as performances and recitals.” I wonder if Grade Anything makes the same sweeping copyright claims to student content that the essay-checking stuff does…
… Edu wiki provider Wikispaces has been acquired by TSL Education.
Maine governor Paul LePage has vetoed a bill that would stop the creation of virtual schools in his state.
… The Kansas State Supreme Court ruled this week that the state’s funding system violated the Kansas Constitution. More on the ruling in The New York Times.
… SRI International has finally released its research on the use of Khan Academy in Schools. (And do note, it said “usage” and not “effectiveness,” which was what I totally thought the research was supposed to examine. But hey.) (PDF) Research was conducted on Khan Academy implementations at 9 school sites, but as the report notes,
“During the study, Khan Academy worked with schools participating in the study to update and refine its tools and resources. Simultaneously, teachers and students were using Khan Academy tools and resources in considerably different ways across the nine study sites, and some of the sites also changed the ways they used it during the course of the two-year study. For these reasons, it was methodologically unsound to conduct a rigorous evaluation of Khan Academy’s impact on learning during the study period, including any use of randomized control trials, which would have required Khan Academy tools and resources to remain unchanged during the study and for teachers and students to use Khan Academy the same way. Moreover, at all but one of the sites, Khan Academy was principally used as a supplementary tool—not as the core primary curriculum—so the effects of Khan Academy cannot be separated from those contributed by other elements of the math curriculum.”
Khan Academy has released demographic data about students who complete its CS material. Across all of Khan Academy, users are 48% female and 52% male; but when it comes to the CS content, 34% are female and 66% are male. 86.2% of males complete the first coding challenge; 86.7% of females complete the first coding challenge.