Saturday, June 21, 2014

What took ya so long?
The 'Yo' App Everyone Is Talking About Has Been Hacked
Yo has reportedly been hacked and the phone numbers of those using the app could be at risk, according to The Wall Street Journal.
"Security researchers at the Georgia Institute of Technology found a glaring hole...
...The students apparently found a way to access the cell phone numbers of every Yo user, including the founder of the app, Or Arbel. The students, still unidentified, emailed their findings to TechCrunch last night.

"The best laid schemes o' mice an' men / Gang aft agley"
Google Play stares at serious security breach: Study
Using a new tool called PlayDrone, researchers at Columbia Engineering have discovered a crucial security problem in Google Play - the official Android app store where millions of Android users get their apps.
They found that developers often store their secret keys in their app's code, similar to usernames/passwords info.
These can be then used by anyone to maliciously steal user data or resources from service providers such as Amazon and Facebook.
These vulnerabilities can affect users even if they are not actively running the Android apps.
… PlayDrone scales by simply adding more servers and is fast enough to crawl Google Play on a daily basis, downloading more than 1.1 million Android apps and decompiling over 880,000 free applications.
… Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future, he added in a paper presented at the ACM SIGMETRICS conference.
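As an added example (not PlayDrone's or Google's code), the following Python scanner looks for the anti-pattern the Columbia study describes: provider secret keys left in an app's decompiled source. The Java fragment is constructed for the demonstration; the well-known `AKIA` prefix of AWS access key IDs is real, while the other identifiers, regexes and entropy thresholds are assumptions chosen for illustration.

```python
"""Detect hard-coded service credentials in decompiled Android source.

Added example, not PlayDrone's tooling. It flags string constants whose
name or format suggests key material, then uses Shannon entropy to drop
low-entropy labels that merely contain words like "key" or "secret".
"""
import math
import re
from collections import Counter

# Constructed fragment of decompiled Java; not taken from any real app.
SAMPLE_SOURCE = """\
public class UploadService {
    private static final String LOG_TAG = "UploadService";
    private static final String API_KEY_PREF = "api_key_pref_name";
    private static final String AWS_ACCESS_KEY = "AKIAEXAMPLEEXAMPLE12";
    private static final String AWS_SECRET_KEY = "DemoSecretKeyConstructedForExample123456";
    private static final String FB_APP_SECRET = "1f2e3d4c5b6a79880917a6b5c4d3e2f1";
    private static final int RETRY_COUNT = 3;
}
"""

# Rules are tried in order; the first rule that matches a line wins.
# Tuple: (rule name, compiled regex with a 'value' group, minimum entropy in bits/char).
RULES = [
    # AWS access key IDs have a fixed, recognisable format, so no entropy check is needed.
    ("aws_access_key_id",
     re.compile(r'"(?P<value>AKIA[0-9A-Z]{16})"'), 0.0),
    # A 40-character base64-like constant assigned to an identifier naming an AWS secret.
    ("aws_secret_access_key",
     re.compile(r'(?i)aws[_-]?secret\w*\s*=\s*"(?P<value>[A-Za-z0-9/+=]{40})"'), 3.0),
    # Any other identifier that sounds like a credential, assigned a non-trivial literal.
    ("generic_secret",
     re.compile(r'(?i)\b\w*(?:secret|api[_-]?key|token|password)\w*\s*=\s*"(?P<value>[^"\s]{8,})"'), 3.5),
]


def shannon_entropy(s):
    """Bits of entropy per character; random-looking key material scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    """Keep only a short prefix so a findings report does not re-leak the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def scan_source(text):
    """Return one finding per suspicious line: {'line', 'rule', 'redacted'}."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern, min_entropy in RULES:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group("value")
            if shannon_entropy(value) < min_entropy:
                continue  # reads like a label or preference name, not key material
            findings.append({"line": line_no, "rule": rule, "redacted": redact(value)})
            break  # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['rule']} -> {f['redacted']}")
```

Obfuscated or split-and-concatenated strings evade this kind of pattern matching, so treat a clean scan as evidence of absence only for the plain-constant case; the durable fix is to keep provider credentials on a backend the app calls rather than in the APK at all.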

Follow-up for my student Vets and something for my Computer Forensic students. Note that I have skipped a lot of this report. The important thing seems to be that the VA doesn't bother to encrypt patient data. (The “due to being attached” excuse is an outright lie since the laptops were not attached.)
A breach involving the Denver VA center was reported in the VA’s most recent monthly report to Congress. I’m including it here because it shows how thorough the VA can be in investigating breaches – and how time-consuming and labor-intensive it can be when someone neglects security measures like a cable:
Incident Summary
Two biomedical device laptops were discovered missing on 05/20/14. VA Police were notified of the event. The two missing laptops were password protected but not encrypted due to being attached to biomedical devices. The laptops were located on mobile test stations in the Pulmonary Department.

“I'm shocked, shocked I tell you!” (Full text omitted)
Julian Hattem reports:
The federal court overseeing the country’s spy agencies renewed an order Friday allowing the National Security Agency to collect phone records of people in the United States.
The Foreign Intelligence Surveillance Court’s renewal of the contested program, authorized under Section 215 of the Patriot Act, comes as lawmakers continue to debate reform legislation.
“Given that legislation has not yet been enacted, and given the importance of maintaining the capabilities of the Section 215 telephony metadata program, the government has sought a 90-day reauthorization of the existing program,” the Justice Department and Office of the Director of National Intelligence (ODNI) said in a joint statement.
Read more on The Hill.

The Privacy invasion continues! “No wonder you keep your thermostat set so high – you wander around nude!”
Google's Nest to Buy Video-Monitoring Security Startup for $555 Million
Google Inc.'s Nest Labs said it agreed to buy video-monitoring and security startup Dropcam Inc. for $555 million as part of a push to become the dominant operating system for connected devices in and around the home.
Nest, which makes Internet-connected thermostats and smoke detectors, is paying cash for the startup and will work with Dropcam to develop products and services that connect users to their homes...
… Dropcam sells an Internet-connected video-monitoring service that streams live video to mobile apps, sends alerts based on activity that its small cameras sense and lets users communicate with people in their homes while they are away. It markets itself and is often used as a home-security system.

Is Dilbert suggesting a modification to Google Glasses?

Perspective. This is why I'm training the students who will program the robots. (I'll wager the robot doctors will make house calls, the lawyers will speak plain English and the architects will bring a 3D printer...)
UK Guardian – Robot doctors, online lawyers and automated architects: the future of the professions?
… “Last year, reporters for the Associated Press attempted to figure out which jobs were being lost to new technology. They analysed employment data from 20 countries and interviewed experts, software developers and CEOs. They found that almost all the jobs that had disappeared in the past four years were not low-skilled, low-paid roles, but fairly well-paid positions in traditionally middle-class careers. Software was replacing administrators and travel agents, bookkeepers and secretaries, and at alarming rates. Economists and futurists know it’s not all doom and gloom, but it is all change. Oxford academics Carl Benedikt Frey and Michael A Osborne have predicted computerisation could make nearly half of jobs redundant within 10 to 20 years. Office work and service roles, they wrote, were particularly at risk. But almost nothing is impervious to automation. It has swept through shop floors and factories, transformed businesses big and small, and is beginning to revolutionise the professions…”

(Related) On the other hand...
This is Probably a Good Time to Say That I Don’t Believe Robots Will Eat All the Jobs …

Do they have a plan or are they just tossing out some big numbers to impress the peasants?
FCC proposes $1B per year for Wi-Fi in schools
… E-Rate was established in 1996 and is too tied to the technologies of that era, according to Wheeler. His plan calls for a transition in funding from technologies such as dial-up and pagers to broadband and Wi-Fi in order to serve students on tablets and other personal devices. In past years, the program has only been able to support Wi-Fi in 5 percent of schools and 1 percent of libraries, Wheeler said. E-Rate provides a total of $2.4 billion per year in funding.

For my students. No doubt the Apps for other devices will follow.
Meet LinkedIn Job Search: The company’s first standalone app for iOS
In a bid to cash in on the growing mobile traffic, LinkedIn has launched its first standalone mobile app called LinkedIn Job Search. The app can be downloaded for free from the iTunes store.
… The app lets users search and apply for jobs on LinkedIn. The company also ensures that your job search app is private. In its official blog, LinkedIn writes, “Our goal is to help make this process easier for you and to help you be discreet. Everything you do within the app will be completely private and not shared with your network.”
… In October last year, the company had revealed that 38 percent of LinkedIn unique visits now come from mobile devices.

Too cool!
Interactive Model Skeletons
eSkeletons is a great website produced by the Department of Anthropology at the University of Texas at Austin. eSkeletons features interactive models of mammal skeletons. Select a model from the menu on the home page then click on any bone in the model to view it in detail. After selecting a bone to view, you can choose from a menu of viewing angles. In many cases eSkeletons offers a short video display of the bone you've selected from the menu.
Applications for Education
eSkeletons gives students the option to compare bones across models. Select two or more animals from the menu then select a bone and a small gallery of comparative images will be generated. eSkeletons offers a glossary of terms and a legend to help students understand what they are viewing. Even without the models, the glossary is a good resource for anatomy students.

For my students. You can skip the “free laptop” stuff, but the second half of the article is interesting.
Online Colleges That Offer Free Laptops For Students
… Other Ways to Get a Laptop
Finding a school with a laptop program is only one way that a student can reduce his or her tuition bill. If your dream school doesn’t include laptops in its package, several manufacturers offer student discounts on specific products. There are also public organizations, grants, and scholarships across the United States that help students purchase laptops and other college material necessary for success. A few starting points include:
  1. Apple Store for Education is Apple’s discount on specific products designed for the classroom (including Macbook laptops and iPads). The discount is available to students accepted to college, and includes up to $200 for a new Mac laptop or up to $30 off a new iPad.
  2. Dell University, which encompasses discounts and technology for students, offers a free Dell tablet when students purchase a PC that is $699 or more.
  3. Notebooks For Students is a nonprofit founded in 1998. It helps college students and faculty find affordable laptops and technical support. NFS offers refurbished and new laptops, from many different brands, at affordable prices.
Although a large percentage of colleges do not include laptops in their tuition, financial aid offices often know of places to acquire college preparedness scholarships that help students to purchase computers (sometimes offered by the school itself). The best way to find out if such a program exists at your school of choice is to contact the financial aid office directly and speak to an advisor. Additionally, your local library may have resources about organizations and resources for college preparedness in your community.

My weekly amusement. (Okay, not much this week)
… The LAUSD school board has reappointed Stuart Magruder. Magruder, an outspoken critic of the district’s iPad investment, was voted off the panel last month.

Friday, June 20, 2014

A global tragedy?
Facebook global 30-minute outage leaves users frustrated
Facebook today experienced a global outage that left its over 1.2 billion users, including those in India, unable to access the world's largest social networking portal.
For about 30 minutes, users logging into the website saw the message: "Sorry something went wrong. We're working on getting this fixed as soon as we can."
… With Facebook down, netizens took to microblogging site Twitter to vent their frustration.
While many compared the outage to an "apocalypse", others mocked the situation saying "people may now have to talk to each other face to face".

Attention Ethical Hackers. Imagine the fun you could have if your favorite law professor was on sabbatical in (for example) New Zealand. By the time he returned, you could have emptied his office, his house, and his garage! What (hypothetical) fun!
eBay Launches iOS App Called “eBay Valet” Which Will Sell Your Stuff For You
Have you ever wanted to sell stuff on eBay but found you were too lazy to actually do it? Well eBay has filled that niche by introducing an app for iPhone which will do the actual selling for you, in exchange for a 30% cut. It’s called eBay Valet, and seems to be confined to eBay USA for now.
Think of Valet as one of those consignment stores which were really popular some years back. But being eBay, the scale is obviously much bigger, and the organization is much more efficient. The mobile app is an expansion on the web-based version of the service called Sell For Me, and it seems to be designed to make everything as simple as possible.

Don't think of it as a phone, think of it as a sales tool.
Amazon’s Fire Phone might be the biggest privacy invasion ever (and no one’s noticed)
… There’s a lot of gee-whiz gadgetry in the new Fire Phone: a 3-D screen, head sensors, dynamic perspective shifts as you move, and real-time identification of over 100 million objects. That last part, the real-time identification, is the new Firefly function.
Firefly is a seriously impressive combination of hardware, software, and massive cloud chops that delivers an Apple-like simplicity to identify objects like books, movies, games, and more, just by pointing your Fire Phone’s camera at them and tapping the Firefly button.
Lest you noticed a common denominator to those items and get the crazy idea that Firefly is only for stuff you can buy at Amazon, it also recognizes songs (oh, you can buy those on Amazon too) and TV shows (ditto) as well as phone numbers, printed information, and QR codes.
How do you think it recognizes those things, including text on images, for which Amazon says it will offer language translation features later this year?
Well, the Firefly button and the camera button are one and the same. Meaning that whenever you’re using Firefly, you’re using the camera. Plus, of course, you’re turning on audio sensors that capture ambient sound.
… By storing all the photos you’ll ever take with Firefly, along with GPS location data, ambient audio, and more metadata than you can shake a stick at in Amazon Web Services, Amazon will get unprecedented insight into who you are, what you own, where you go, what you do, who’s important in your life, what you like, and, probably, what you might be most likely to buy.
Babies in your pictures? Sell that dame diapers. Lots of old-school hot rods? See if you can sell Billy Bob some NASCAR shwag, or maybe beef jerky. Outdoorsy, are you, with your pictures of remote mountaintops and idyllic forest meadows? Clearly you need hiking boots and granola. Looking at a business card? Perhaps things she likes will be things you’ll like, too.

There are “information systems” and there are “collections of data” – this sounds like the latter. If you can't access your own data what are you paying IT for?
I meant to post this last week, but hey, I’m old, I forget.
Benjamin Herold reports:
Nevada state education officials recently told a parent it would cost him more than $10,000 to access the data the department has collected on his four children, raising a tangled web of questions about everything from the structure of state educational databases to the interpretation of federal student-privacy laws to the implementation of new Common Core State Standards.
Parents have a right to inspect their children’s educational records at no cost to them under FERPA. But those requests are typically made to the Local Educational Agency (LEA), i.e., the child’s school district. In this case, the parent was querying information the state educational agency held in their databases.
The $10k tag would be for the state to develop a system to produce records responsive to his request as they currently have no means to do so. But should they have the means? What if data in a state database became corrupted after it was correctly transmitted by the LEA? Could that eventually cause difficulty for the student? And even if there was no potential for harm to the student, shouldn’t parents have the right to see what information the state has compiled about their children, which often includes parental and family information?
Read more on Education Week.

This is a settlement, but it looks like the bank was not adequately secured.
Oil Co. Wins $350,000 Cyberheist Settlement
A California oil company that sued its bank after being robbed of $350,000 in a 2011 cyberheist has won a settlement that effectively reimbursed the firm for the stolen funds.
TRC Operating Co. Inc., an oil production firm based in Taft, Calif., had its online accounts hijacked after an account takeover that started late in the day on Friday, November 10, 2011. In the ensuing five days, the thieves would send a dozen fraudulent wires out of the company’s operating accounts, siphoning nearly $3.5 million to accounts in Ukraine.
The oil firm’s financial institution, Fresno-based United Security Bank, successfully blocked or recalled all but one of the wires – for $299,000. Nevertheless, TRC later sued its bank to recover the remaining wire amount, arguing that USB failed to offer a commercially reasonable security procedure because the bank offered little more than a user name and password to help secure the account.
… As we've seen time and again, a single virus infection can ruin your company. And I wouldn’t count on the lawyers to save your firm from the very real cost of a cyberheist: These court challenges can just as easily end up costing the victim business well more than their original loss (see Ruling Raises Stakes for Cyberheist Victims).
Businesses do not enjoy the same protections against cyberfraud that are afforded to consumer banking customers. If this is news to you, or if you’d just like some tips how to reduce your exposure to online banking fraud, please take a moment to read my recommendations here: Online Banking Best Practices for Businesses.

(Related) Interesting question.
Are Organizations Ready for PCI DSS 3.0?
Businesses that handle payment card data have to become compliant with the Payment Card Industry Data Security Standard 3.0 (PCI DSS 3.0) by December 31, 2014, yet many appear to be unprepared for the challenge.
According to a recent study conducted by NTT Com Security, only 30% of organizations have created a plan for compliance after reviewing requirements, with 70% of those surveyed being unaware of the December 31 deadline. Additionally, 41% of the respondents said they have heard of PCI DSS 3.0, but haven’t laid out a plan for compliance.

I see a market among the right wing anti-government types. No one else would put up with 65 “detection alarms” per minute.
Test a Personal Drone Detection System for $500

If they can't blame “The Internet” who will they blame?
New study finds Internet not responsible for dying newspapers
by Sabrina I. Pacifici on June 19, 2014
“[A] recently published study finds that we may be all wrong about the role of the Internet in the decline of newspapers. According to research by University of Chicago Booth School of Business Professor Matthew Gentzkow, assumptions about journalism are based on three false premises. In his new paper, Trading Dollars for Dollars: The Price of Attention Online and Offline, which was published in the May issue of the American Economic Review, Gentzkow notes that the
first fallacy is that online advertising revenues are naturally lower than print revenues, so traditional media must adopt a less profitable business model that cannot support paying real reporters.
The second is that the web has made the advertising market more competitive, which has driven down rates and, in turn, revenues.
The third misconception is that the Internet is responsible for the demise of the newspaper industry…
Several different studies already have shown that people spend an order of magnitude more time reading than the average monthly visitor online, which makes looking at these rates as analogous incorrect… By comparing the amount of time people actually see an ad, Gentzkow finds that the price of attention for similar consumers is actually higher online. In 2008, he calculates, newspapers earned $2.78 per hour of attention in print, and $3.79 per hour of attention online. By 2012, the price of attention in print had fallen to $1.57, while the price for attention online had increased to $4.24. Gentzkow also points out that the popularity of newspapers had already significantly diminished between 1980 and 1995, well before the Internet age, and has dropped at roughly the same rate ever since. “People have not stopped reading newspapers because of the Internet,” Gentzkow notes.”

Perspective. If they wanted to look better they should have included more family and friends than a mere 7%.
Congress hits new low: Only 7% have confidence in the institution

Perspective. Not what I expected. (mostly graphics, I'd like to see the raw data)
The Most Popular Social Network for Young People? Texting

Apparently, I've been going about this all wrong! I need to dumb down my Apps!
App Raises $1M In Funding For Simply Sending The Message 'Yo' Back And Forth
… Allow me to introduce you to new chat app, Yo.
You may have heard of it recently, it has been dominating headlines over the last 24 hours for two reasons. Firstly, its simplicity. The app allows you to message friends with the word “Yo” and that’s it. Nothing else can be said other than sending this innocuous greeting.
Secondly, it has just raised $1m in seed funding from CEO of Mobli, Moshe Hogeg’s angel fund.
… The founder Or Arbel told the Financial Times that he coded the app in eight hours, after being asked by his then boss Moshe Hogeg, to make a notification app that could summon his secretary.

For my students. Think outside the box.
Distracted By Google Search? 4 “Search Engines” You Should Not Ignore
Alternative search engines look at search in different ways. Some tout privacy… while some go for specialization.
The four below have a common factor – they are all user-curated platforms. They may not be search engines by the strictest definition, but they are huge reserves of data.

For my students. Start telling your elected officials what you want/need/demand/wish for... And most importantly, where they screwed up!
Sunlight Foundation Announcement – We finally gave Congress email addresses
by Sabrina I. Pacifici on June 19, 2014
Via Tom Lee: “On OpenCongress, you can now email your representatives and senators just as easily as you would a friend or colleague. We’ve added a new feature to OpenCongress. It’s not flashy. It doesn’t use D3 or integrate with social media. But we still think it’s pretty cool. You might’ve already heard of it. Email. This may not sound like a big deal, but it’s been a long time coming. A lot of people are surprised to learn that Congress doesn’t have publicly available email addresses. It’s the number one feature request that we hear from users of our APIs. Until recently, we didn’t have a good response. That’s because members of Congress typically put their feedback mechanisms behind captchas and zip code requirements. Sometimes these forms break; sometimes their requirements improperly lock out actual constituents. And they always make it harder to email your congressional delegation than it should be. This is a real problem. According to the Congressional Management Foundation, 88% of Capitol Hill staffers agree that electronic messages from constituents influence their bosses’ decisions. We think that it’s inappropriate to erect technical barriers around such an essential democratic mechanism. Congress itself is addressing the problem. That effort has just entered its second decade, and people are feeling optimistic that a launch to a closed set of partners might be coming soon. But we weren’t content to wait. So when the Electronic Frontier Foundation (EFF) approached us about this problem, we were excited to really make some progress. Building on groundwork first done by the Participatory Politics Foundation and more recent work within Sunlight, a network of 150 volunteers collected the data we needed from congressional websites in just two days. That information is now on Github, available to all who want to build the next generation of constituent communication tools. The EFF is already working on some exciting things to that end. 
But we just wanted to be able to email our representatives like normal people. So now, if you visit a legislator’s page on OpenCongress, you’ll see an email address in the right-hand sidebar that looks like or
You can also email to email both of your senators and your House representatives at once. The first time we get an email from you, we’ll send one back asking for some additional details. This is necessary because our code submits your message by navigating those aforementioned congressional webforms, and we don’t want to enter incorrect information. But for emails after the first one, all you’ll have to do is click a link that says, “Yes, I meant to send that email.” One more thing: For now, our system will only let you email your own representatives. A lot of people dislike this. We do, too. In an age of increasing polarization, party discipline means that congressional leaders must be accountable to citizens outside their districts. But the unfortunate truth is that Congress typically won’t bother reading messages from non-constituents — that’s why those zip code requirements exist in the first place. Until that changes, we don’t want our users to waste their time. So that’s it. If it seems simple, it’s because it is. But we think that unbreaking how Congress connects to the Internet is important. You should be able to send a call to action in a tweet, easily forward a listserv message to your representative and interact with your government using the tools you use to interact with everyone else.”

(Related) Here's something Congress could address.
Study: People Harassed Online Have Few Legal Protections
… No doubt there are police out there who have used social media. Still, according to a recent paper from the Center on Law and Information Policy at Fordham Law School, Hess’s experience is not unusual. "Although online harassment and hateful speech is a significant problem, there are few legal remedies for victims," authors Alice Marwick and Ross Miller wrote. Victims who go to the police often find what Hess found; most law enforcement agencies have neither the resources nor the expertise to deal with harassment, and are ill-equipped to even understand the problem, much less take it seriously.

Thursday, June 19, 2014

Perhaps there's an App for that, and I could get in on the fun? Perhaps a bounty for finding cars on the “Repo” list? Or for finding stolen cars?
Tim Cushing writes:
Private companies engaging in large-scale surveillance are pushing back against the push back against large-scale surveillance… by filing lawsuits alleging their First Amendment right to photograph license plates is being infringed on by state laws forbidding the use of automatic license plate readers by private companies.
Now, these laws aren’t saying law enforcement agencies can’t use these readers. They can. What they do say (or did… Utah’s law was amended after a lawsuit by license plate reader company Vigilant) is that private companies, like repossession firms and tow truck services, can’t use these readers. But apparently they do, and those who manufacture and support the equipment would like to continue capturing this market.
Read more on TechDirt.

Is there a real strategy here or is this merely a “me too” project?
Jeryl Bier reports:
The U.S. Postal Service is seeking a company to help develop a program called the Internet of Postal Things. The Risk Analysis Research Center (RARC), part of the Postal Service’s Office of the Inspector General (OIG), is looking for a supplier “who possesses expertise and critical knowledge of the Internet of Things, data strategy and analytics, and the Postal Service’s operations, infrastructure, products and services.” The OIG is exploring ways for the Postal Service to benefit from the technology that provides “virtually unlimited opportunities to collect and process data from any device, infrastructure, machine and even human beings.”
Read more on The Weekly Standard.
[From the article:
The application of sensors and other data collection technologies to the various components of the postal infrastructure (vehicles, mailboxes, machines, letter carriers etc.), combined with powerful software and analytical tools, could help the Postal Service bring data management to the next level. It would create new rich data sources that could help the Postal Service improve operational performance, customer service, create new products and services, and support more efficient decision-making processes. The “Internet of Postal Things” could also have a positive spillover effect on other adjacent non-postal sectors, as the information collected by and for the Postal Service could be useful to others. [Oh, they want to sell the data. Now I get it. Bob]

“For shame, FCC!” See how well that worked?
FCC boss says he'll SHAME broadband firms for fibbing on speeds
Federal Communications Commission boss Tom Wheeler has said that he will issue written warnings to some US broadband carriers following an investigation that found some companies are still not delivering advertised speeds.
Wheeler said that while the broadband market as a whole is doing a better job of offering users promised download speeds, some companies are still not able to give users the levels of performance offered in ads.
Overall, the 2014 Measuring Broadband America report found that providers are delivering at or above their advertised speeds during peak hours. The report noted that DSL companies average 91 per cent of advertised rates during peak hours, while cable services average 102 per cent of their advertised rates and satellite service, 138 per cent.

I'm looking for something to do with Big Data, perhaps a joint research project?
Babak Siavoshy writes:
Exposure to technology could of course cut both ways. Perhaps tech savvy judges will be more used to — and therefore more amenable to — daily tradeoffs between privacy and convenience. Or perhaps familiarity with technology simply gives judges more nuanced attitudes towards privacy, but does not affect their overall voting pattern on privacy/tech issues one way or another.
If there are law students out there looking for an interesting research project, it would be fascinating to see if there’s a correlation between judicial age, or other factors reasonably associated with tech savvy, and judicial decision making on legal issues involving privacy and emerging technologies — and if so, which way it cuts. And if readers know of existing work in this area, do share.
Read more on Concurring Opinions.

Poor Kim Dotcom. I don't think anyone likes him.
The High Court has ruled that research material used for a book about internet businessman Kim Dotcom is not protected by the Privacy Act, because the book is not journalism.
The Crown wants access to research material from a book called The Secret Life of Kim Dotcom as it prepares a court case against the internet businessman.
Normally, journalists’ research material is protected from Privacy Act requests, but Justice Winkelmann found the exemption only covers news articles and programmes, not books.
Read more on Radio New Zealand.

Wednesday, June 18, 2014

All kinds of questions here. Did Nokia tell the other phone manufacturers who were leasing their software? Did the bad guys ever modify the code? Should they have told their customers? Interesting that in the “Age of Surveillance” the cops can't track whoever picked up the cash. (Perhaps they should have put a phone in the bag?)
Nokia 'paid millions to software blackmailers six years ago'
Finnish telecoms equipment company Nokia paid several million euros to criminals who threatened to reveal the source code for part of an operating system used in its smartphones some six years ago, Finnish TV station MTV said on Tuesday.
The police confirmed to Reuters that they were investigating a case of alleged blackmail and that the case was still open. Nokia was not immediately available for comment.
… MTV said that the blackmailers had acquired [Interesting choice of words... Bob] the encryption key for a core part of Nokia's Symbian software and threatened to make it public.
Had it done so anyone could then have written additional code for Symbian including possible malware which would have been indistinguishable from the legitimate part of the software, MTV said.
After the blackmail attempt Nokia contacted the police and agreed to deliver the cash to a parking lot in Tampere, central Finland. The money was picked up but the police lost track of the culprits, MTV said.

For my Computer Security students. It's far cheaper to put up a “This site is secure” logo than to actually make the site secure. However this only fools users, since hackers would never read it – we find unsecured sites by running programs (called spiders) that automate the search.
Lessons in insecure SSL courtesy of Hoyts cinemas

The law is clear and has been available for years. Funny how no one cares until it hits the news.
Google and Facebook can be legally intercepted, says UK spy boss
UK intelligence service GCHQ can legally snoop on British use of Google, Facebook and web-based email without specific warrants because the firms are based abroad, the government has said.
Classed as "external communications", such activity can be covered by a broad warrant and intercepted without extra clearance, spy boss Charles Farr said.
The policy was revealed as part of a legal battle with campaign group Privacy International (PI).
… However, he said data collected in this way "cannot be read, looked at or listened to" except in strictly limited circumstances.
… Mr Farr says that actually reading or examining a Briton's communications swept up in this way would still require a domestic, more targeted warrant.

(Related) Or until it's an election year.
Senators Ron Wyden, Mark Udall, and Rand Paul have jointly authored an op-ed in the Los Angeles Times. They write, in part:
Although the bill approved by the House is intended to end bulk collection, we are not at all confident that it would actually do so. The bill would require the government to use a “selection term” to secretly collect records, but the definition of “selection term” is left vague enough that it could be used to collect all of the phone records in a particular area code or all of the credit card records from a particular state. Meanwhile, the bill abandons nearly all of the other reforms contained in the Senate version of the USA Freedom Act, while renewing controversial provisions of the Patriot Act for nearly three more years.
This is clearly not the meaningful reform that Americans have demanded, so we will vigorously oppose this bill in its current form and continue to push for real changes to the law. This firm commitment to both liberty and security is what Americans — including the dedicated men and women who work at our nation’s intelligence agencies — deserve. We will not settle for less.
Read the op-ed on the L.A. Times.

Tools & Techniques. Remember the old (in Internet years) saying: practice “Safe Hex!” Perhaps you should buy one for your CEO and other travelers?
Gear to Block ‘Juice Jacking’ on Your Mobile
… Juice-jacking as a threat probably first crept into the collective paranoia of gadget geeks in the summer of 2011, after I wrote a story about two researchers at the DefCon hacker convention in Vegas who’d set up a mobile charging station designed to educate the unwary to the fact that many mobile devices (particularly Apple devices) are set up to connect to a computer and immediately sync data.
Their proof-of-concept was a reminder that in the (admittedly unlikely) event that a clever attacker managed to hide a small computer inside of a USB charging kiosk, he might be able to slurp up your device’s data.
Since that story, several products have sprung up to help minimize such threats. These small USB pass-through devices are designed to allow charging yet block any data transfer capability. The two products I’ve been using over the past few months include the “USB Condom” and a device called the “Juice-Jack Defender.”
Juice-Jack Defender

...and our government is making it mandatory! How wonderful.
How the U.S. Health Care System Compares Internationally
by Sabrina I. Pacifici on June 17, 2014
The Commonwealth Fund: “The United States health care system is the most expensive in the world, but this report and prior editions consistently show the U.S. underperforms relative to other countries on most dimensions of performance. Among the 11 nations studied in this report—Australia, Canada, France, Germany, the Netherlands, New Zealand, Norway, Sweden, Switzerland, the United Kingdom, and the United States—the U.S. ranks last, as it did in the 2010, 2007, 2006, and 2004 editions of Mirror, Mirror. Most troubling, the U.S. fails to achieve better health outcomes than the other countries, and as shown in the earlier editions, the U.S. is last or near last on dimensions of access, efficiency, and equity. In this edition of Mirror, Mirror, the United Kingdom ranks first, followed closely by Switzerland.”

“Hey, he looked suspicious!”
Last Friday, Judge Sullivan (D.D.C.) dismissed Meshal v. Higgenbotham, a long-outstanding Bivens suit brought by a U.S. citizen who alleged that, while travelling in the Horn of Africa, he was detained for four months, interrogated, and tortured at the direction of–and by–U.S. government officials (tellingly, the government did not claim that the alleged conduct was constitutional). In a thoughtful 37-page opinion setting forth his reasons for dismissing the case, Judge Sullivan offered a fairly candid (and, in my view, accurate) explanation for why Meshal couldn’t recover for conduct that, if proven, would unquestionably constitute “appalling (and, candidly, embarrassing)” violations of his constitutional rights: In a nutshell, it’s the Fourth, Seventh, and D.C. Circuits’ fault.

Tools & Techniques: for lawyers and my Criminal Justice students.
New Way to Look at Law, With Data Viz and Machine Learning
by Sabrina I. Pacifici on June 17, 2014
Wired – [snipped] “As its creators [Daniel Lewis and Nik Reed] see it, Ravel’s visual search offers myriad improvements over the old columns of text results. It better lets you see how cases evolved over time, and potentially lets you see outliers that could be useful in crafting an argument–cases that would languish at the bottom of a more traditional search. The visualization, Reed insists, “tells a lot more of the story of law than the rank ordered list.” (That might be true. When they first showed their visual search to a veteran judge, he looked at the complex map of circles and responded: “This is how my brain works!”).
  • Note – there is a free and a premium version for subscribers. See Robert Ambrogi’s profile of the company to understand more about this new generation of visualization and relational context for online legal research. Ravel’s footprint is still small in comparison to those of LexisNexis and Westlaw, but relevancy is based on deliverables. The very scope of “searching” has transcended the linear into an often overwhelming realm of big data, analysis and visualizations that provides altogether different kinds of “results” to “queries.” These are indeed interesting times, and the legal community is the beneficiary of innovative, results driven technology solutions such as this one.

Is this strategy defensible? Can the lawsuits possibly cost less than the profits? I guess they couldn't work deals with the “New Music” bloggers who have huge followings, so they must have said, “Let's see if we can replicate Apple's mistakes in selling music and Amazon's in selling books.” What they did say was, “Take it or leave it.”
YouTube to block indie labels as it launches paid music service
YouTube is about to begin a mass cull of music videos by artists including Adele and the Arctic Monkeys, after a number of independent record labels refused to sign up to the licensing terms for its new subscription service.
The Google-owned company will start blocking videos “in a matter of days” to ensure that all content on the new platform is governed by its new contractual terms, said Robert Kyncl, YouTube’s head of content and business operations.
Google’s decision to press ahead without some of the best-known artists shows its determination to enter the fast-growing market for music subscription services. Amazon last week launched its own service as part of its Prime subscription bundle, while Apple last month acquired Beats Music through its $3bn purchase of headphone maker Beats Electronics.

Chili's Has Installed More Than 45,000 Tablets in Its Restaurants

A suggestion for my students. It might be amusing to write an App to pull all of this data into one file. Be sure to keep a defibrillator handy if you show the results to your CEO.
How Much Does Google Really Know About You?

For my students who research. Kinda-sorta like electronic Xeroxing.
Never Lose That Webpage Again: 6 Ways To Read It Later On Any Platform
There’s one HUGE problem with Internet bookmarks: if the website goes down or you have no web access, you’re out of luck. Few things are more frustrating than needing a bookmark only to find there’s nothing you can do to visit it. Rest assured, however, because there’s a handy solution.
Instead of bookmarking a web page, consider archiving it. If you download and store a local copy of the web page, you can access it whenever you want – even if the site itself goes down. The downside is that archives use more hard drive space than bookmarks do, but the trade-off is well worth it.

Something to tease my Math students with...
Monkeys Can Do Math
… Rhesus macaques that have been trained to associate numerical values with symbols can get the answer right, even if they haven’t passed a math class. The finding doesn’t just reveal a hidden talent of the animals—it also helps show how the mammalian brain encodes the values of numbers.
Previous research has shown that chimpanzees can add single-digit numbers. But scientists haven’t explained exactly how, in the human or the monkey brain, numbers are being represented or this addition is being carried out. Now, a new study helps begin to answer those questions.

Food for thought. This is what makes changing the “Culture” of an organization so difficult.
Strategy Isn’t What You Say, It’s What You Do
You sometimes hear managers complain that their organization has no strategy. This isn’t true. Every organization has a strategy: its strategy is what it does. Think about it. Every organization competes in a particular place, in a particular way, and with a set of capabilities and management systems — all of which are the result of choices that people in the organization have made and are making every day.
When managers complain that their company’s strategy is ineffectual or non-existent, it’s often because they haven’t quite realized that their strategy is what they’re doing rather than what their bosses are saying.

Tuesday, June 17, 2014

For my Computer Security students. Look at the tools and practices that were ignored or improperly implemented!
Cryptome has uploaded Verizon’s forensic investigation of the Stratfor hack in 2011. Their investigation began in December 2011 and was concluded in February 2012.
You can read the report here (66 pp., pdf).

Over the past few years, I’ve seen more and more references to the idea that if breached entities have their legal counsel arrange for a forensics or breach investigation, the breach investigation would be considered privileged communications or attorney-client work. Needless to say, I am not happy at any end-run around transparency involving breach investigations. While there may well be information in those reports that should be protected lest attackers learn of significant security features or vulnerabilities that could put the entity at future risk, in many cases, companies just want to shield these reports for fear that customers or the public will be appalled at any security lapses or poor practices – or that they will use these reports in litigation against the entity.
Scott Koller of InformationLawGroup addresses the privilege issue and a ruling in U.S. ex rel Barko v Halliburton Co., and then offers some advice for counsel as to how to increase their chances of being able to claim privilege. Read his comments and suggestions on InfoLawGroup.

(Related) What is your data worth? (What if their conclusion is $0.25 per occurrence?)
Press Association reports:
Patients whose personal information is misused in the new medical records data-sharing scheme should be able to sue the NHS, a new report suggests.
People whose data is lost or “irresponsibly used” under the initiative should be able to claim compensation through the NHS Litigation Authority, the authors said.
The group of experts established by the Institute of Global Health Innovation at Imperial College London, with a grant from the Peter Sowerby Foundation, said the programme is “essential to improve care”.
Read more on Yahoo! UK & Ireland.

Ali Winston reports that as a lawsuit concerning a stop based on an erroneous license plate reading goes to trial in California, privacy and accuracy concerns continue to grow.
Documents obtained by the Center for Investigative Reporting show that a leading maker of license-plate readers wants to merge the vehicle identification technology with other sources of identifying information. Vigilant Solutions is pushing a system that eventually could help fuse public records, license plates and facial recognition databases for police in the field.
Livermore firm
The Livermore company released facial recognition software last year for use in stationary and mobile devices. The technology uses algorithms to determine whether a person’s face matches that of someone in a law enforcement database. Like license-plate readers, privacy advocates say, the technology can make incorrect identifications that ensnare innocent people.
Read more on SFGate.

See what others have spied on?
– is a Google Maps mashup where you can view YouTube videos of drone coverage. These are not military drones or promotional drones, but rather personal drones belonging to private individuals. All videos are hosted on YouTube, and you can see on the map where the footage was captured. Just click on one to watch the video footage.

Several articles that illustrate different aspects of the Internet of Things. First, a few cautions. What happens in a “cell phone free” zone? Or on airplanes? Or when a “push” update crashes the phone? Or when hackers encrypt the software and demand “ransom?” Now the loss of your smartphone goes from annoying to life threatening.
'Bionic Pancreas' Astonishes Diabetes Researchers
A “bionic pancreas” that uses a smart phone, glucose monitor and insulin pump to automatically control blood sugar levels helped more than two dozen people live free of finger pricks and other troublesome reminders of diabetes, researchers reported Sunday.
And the system controlled their blood sugar levels far better than they could have done on their own, the researchers told a meeting of the American Diabetes Association.
… The team’s been working on making an artificial pancreas for years, and the first human studies started in 2008. Their device monitors blood sugar — standing in for the fingerprick test that people with diabetes must do many times a day. It delivers insulin when needed and in the right amounts — something diabetics must do several times a day either with a syringe or by pressing a button on an insulin pump.
And it does something extra — it delivers another hormone called glucagon, which brings blood sugar back up when it’s too low.
… It was specifically the iPhone 4, with a low-energy Bluetooth signal that could be used to help the various components of the device communicate.

Would you be crushed if no one subscribed? (Would you be stalked if they did?)
Google Glass App Broadcasts Your Life For Cash
A new Google Glass app will allow people to live stream their lives – and even charge people a fee to watch.
Livelens has launched a version of its app for the pioneering device which can share video in real-time from the head-mounted display.
The app includes social features such as commenting on videos, as well as liking them.
Users can also monetise their live streams by charging people to watch their videos, a potential area of income for celebrities.

Will anyone test and certify “Things” or do we rely on the manufacturers?
Nest Protect alarm back on sale, now without the dangerous glitch
After being pulled from shelves due to safety concerns, the Nest Protect smart smoke alarm is now available to buy once again.
The alarm was pulled after Nest discovered a glitch in the Wave feature that could deactivate the alarm without the owner even realising - thus completely defeating the point of a smoke alarm.