Saturday, August 30, 2014

How many of these will we see? Does JPMorgan know what happened to it?
Julia O’Donoghue reports:
The personal information of Louisiana residents could be at risk because of another data breach involving state-issued debit cards.
JPMorgan Chase has notified Louisiana’s government that someone had broken through the company’s security system and the personal information of residents using debit cards provided by three state agencies could be exposed. People who may be affected include those who receive their tax refunds, child support or unemployment benefits on a prepaid debit card issued by the state.
[From the article:
"The company said it does not know if or to what extent information on Louisiana citizens may have been exposed," said Byron Henderson, communications director for the Louisiana Department of Revenue.

I suspect we'll see a change in how insurance coverage is written...
Joshua Mooney of White and Williams discusses court rulings involving insurance coverage for data breaches:
…. General liability policies are the most popular candidate. The policies define “personal and advertising injury” in part as injury arising out of “oral or written publication, in any manner, of material that violates a person’s right of privacy,” as in ISO Form CG 00 01 12 07, Section V.17. Whether a data breach implicates personal and advertising injury coverage thus depends upon whether there has been a “publication” that violates the “right of privacy.” Easy? Well, no. These issues are not always straightforward.
You can read his article on The Legal Intelligencer, where he reviews a number of relevant court cases. As Mooney discusses, “The issue of whether data breaches involve a violation of a right of privacy has been litigated less.”

Gosh, it might be useful if the judge knew of a that didn't have this fault (and was extremely good at managing its money!)
The proposed $8.5 million settlement in In re Google Referrer Header Privacy Litigation may not be approved. Joel Rosenblatt reports:
Google Inc. (GOOG)’s settlement of a privacy lawsuit probably won’t win approval because it includes a donation to an Internet research center at Harvard University and to other schools that attorneys who brought the case attended, a judge said.
U.S. District Judge Edward Davila voiced his concerns at a hearing today in San Jose, California, over the settlement of a suit claiming the company transferred personal information contained in user searches to third parties including marketers and data brokers.
Read more on Bloomberg.
Privacy organizations had objected to the settlement, as John M. Simpson of Consumer Watchdog explains in discussing yesterday’s hearing.

Interesting. Might be useful for some politicians I know.
Visualization of US data on race and income
by Sabrina I. Pacifici on Aug 29, 2014
“Visualize race and income data for your community, county, and country. Includes tools for data journalists, bloggers and community activists.”

You can't make this stuff up!
Late last week, several LA news organizations obtained and published emails between LAUSD, Apple, and Pearson officials. The emails reveal that Superintendent John Deasy began meeting with these companies to discuss the hardware/curriculum purchase almost a year before the multimillion dollar contract went out to bid.
The district agreed last year to purchase 700,000 iPads — one for every student in the district. The devices would come pre-loaded with curriculum created by Pearson. The expected cost of this project, including upgrades to the district’s WiFi: over $1 billion.
Following the release of the emails — alongside a highly critical report from the district technology committee, Deasy announced he would cancel the contract with Apple. The district will reopen the bidding process.
No surprise, the ongoing saga is this week’s “What You Should Know This Week” over on EML.
Oh and bonus: now the district says that an audit has found it is missing $2 million in computers, mostly iPads. Oops.
The judge in Vergara v California affirmed his decision this week (that is, five state statutes governing teacher employment, tenure, and seniority are unconstitutional as they deny students access to a quality public education). Defendants now have 60 days to file an appeal.
A judge in Texas has affirmed his decision that the state’s school funding model is unconstitutional.
Adjuncts at the University of the District of Columbia have voted to unionize.

Apparently I get older (and more out of touch) every year.
Beloit Mindset List

For my forgetful students. Android
Pocket Lock – intelligently locks and unlocks your phone for you. Just drop your phone in your pocket and it locks. Pocket Lock keeps your phone locked until you take it out, then it unlocks, allowing for easy use and preventing accidental activity in your pocket. Pocket Lock is great for phones with broken power buttons or flip cases.

(Related) ...and here's a bunch of free and low cost Apps & games.
Grid Diary & Swipe Input Are Free, Dragon Quest VIII Also On Sale [iOS Sales]

Friday, August 29, 2014

It has been a few years (Okay, decades) since I worked the “Russian Problem” but this seems very familiar. Think of this as a military strategy and ask yourself how significant sanctions can be.
Ukraine: Vladimir Putin's military action reveals a wider plan
Alarm is growing in Kiev and the West over Russia's role in eastern Ukraine. But what is Russian President Vladimir Putin trying to achieve? [Annexation of the Ukraine. Bob]
The indications are clear that Russia is being more confident and less discreet about the presence of its troops and equipment in eastern Ukraine.
As well as sightings of Russian tanks, and reports of Russian paratroopers not only captured by Ukraine but also killed "while carrying out their duties", statements by separatist leaders have changed too.
After months of calling for assistance from Russia, separatist leaders now say that they can "do without outside help".
All this could indicate that Russian planners felt the military situation of Russian-backed separatists was severe enough to need more direct assistance.
Equally, it could be that Russia is simply less concerned at this stage about discretion and deniability.

(Related) Is retaliation for sanctions an act of war? Perhaps JPMorgan should conduct their “routine checks” more frequently?
JPMorgan Hack Said to Span Months Via Multiple Flaws
Hackers burrowed into the databanks of JPMorgan Chase & Co. (JPM) and deftly dodged one of the world’s largest arrays of sophisticated detection systems for months.
The attack, an outline of which was provided by two people familiar with the firm’s investigation, started in June at the digital equivalent of JPMorgan’s front door, an overlooked flaw in one of the bank’s websites. From there, it quickly developed into any security team’s worst nightmare.
The hackers unleashed malicious programs that had been designed specifically to penetrate JPMorgan’s corporate network. Using these sophisticated tools, the intruders reached deep into the bank’s infrastructure, silently siphoning off gigabytes of information, including customer-account data -- uninterrupted until mid-August.
Only then did a JPMorgan team conducting a routine scan trigger an alarm. They discovered a breach, now being traced and evaluated, which investigators believe originated in Russia.
Evidence of advanced planning and the access to elaborate resources, as well as information provided by the FBI, led some members of the bank’s security team to tell outside consultants that they believed the hackers had been aided by the hidden hand of the Russian government, possibly as retribution for U.S.-imposed sanctions.

A case study for my Computer Security students.
Report Examines Unanswered Questions Around Target Attack
Cybersecurity startup Aorato has published a report around the data breach suffered in 2013 by Target, which investigates some of the techniques used by the attackers to gain access to the company's networks.
Based on publicly available information, Aorato has reviewed the steps taken by the attackers, from the HVAC (heating, ventilation, and air conditioning) contractor breach up to the theft of sensitive information from the retailer's networks.
The report.
… Researchers highlight the fact that in such credit card-oriented attacks, cybercriminals don't invest too much in infrastructure and automation. As in the case of Target, many operations are carried out manually with the aid of various tools; the only automated tasks are performed by the piece of malware used in the attack. In this particular attack, unlike many other APT attacks, the cybercrooks had not created a command and control (C&C) infrastructure, and instead operated everything manually from within the network.

This should be part of your security budget calculation.
2014 Cost of Data Breach: Global Analysis
by Sabrina I. Pacifici on Aug 28, 2014
News release: “Throughout the world, companies are finding that data breaches have become as common as a cold but far more expensive to treat. With the exception of Germany, companies had to spend more on their investigations, notification and response when their sensitive and confidential information was lost or stolen. As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million in US dollars and 15 percent more than what it cost last year. Will these costs continue to escalate? Are there preventive measures and controls that will make a company more resilient and effective in reducing the costs? Nine years of research about data breaches has made us smarter about solutions. Critical to controlling costs is keeping customers from leaving. The research reveals that reputation and the loss of customer loyalty does the most damage to the bottom line. In the aftermath of a breach, companies find they must spend heavily to regain their brand image and acquire new customers. Our report also shows that certain industries, such as pharmaceutical companies, financial services and healthcare, experience a high customer turnover. In the aftermath of a data breach, these companies need to be especially focused on the concerns of their customers. As a preventive measure, companies should consider having an incident response and crisis management plan in place. Efficient response to the breach and containment of the damage has been shown to reduce the cost of breach significantly. Other measures include having a CISO in charge and involving the company’s business continuity management team in dealing with the breach. In most countries, the primary root cause of the data breach is a malicious insider or criminal attack. It is also the most costly. 
In this year’s study, we asked companies represented in this research what worries them most about security incidents, what investments they are making in security and the existence of a security strategy.”

As long as your “Thing” only monitors your vitals, you are safe from hackers. If your pacemaker is connected to the Internet, hackers could turn you off.
Doctors and nurses need to take their Internet of Things pills
THE INTERNET OF THINGS (IoT) has the potential to reshape a number of industries, none more so than the healthcare sector.
According to the results of a recent survey we ran, questioning IT professionals on their attitudes to the IoT, healthcare is the biggest potential market for connected devices and technology. Fifty-four percent of readers said that tools like heart-rate monitors were a top benefit of the Internet of Things.
The results show a clear interest among users in how their health, and healthcare in general can be improved by the IoT. This is reflected in recent research, which has indicated that remote patient monitoring is predicted to save an average of $12,000 per patient in the US and significantly reduce hospital-acquired diseases, a figure likely to be achievable in the UK and across Europe too.

Reasonable? Doesn't leave me warm and fuzzy.
The Foreign Intelligence Surveillance Court declassified an opinion today which, although highly redacted, illuminates the way at least one Judge is interpreting his mandate to protect the First Amendment activities of Americans who the FBI seeks to investigate under USA PATRIOT Act Section 215, codified at 50 USC 1861.
Essentially, the question the judge, John D. Bates, confronts is when are international terrorism investigations involving Americans based “solely upon activities protected by the first amendment to the Constitution.” Judge Bates concludes that so long as an international terrorism investigation is premised on some unprotected activity, the FBI can nevertheless investigate law-abiding US persons.

Worthy of a quick read.
The pace of technological change and rise of social media “may make it inevitable” that UK privacy laws need to be revised and updated, the country’s most senior judge has said.
In a speech at the Hong Kong Foreign Correspondents’ Club (9-page / 157KB PDF), Supreme Court president Lord Neuberger said that “astonishing developments” in technology had created “enormous challenges for people involved in the law and people involved in the media”.

Is Apple reserving the right to sell your data to their Apps only?
Kevin Rawlinson reports:
Apple has tightened its privacy rules relating to health apps ahead of next month’s product launch, which is expected to see the unveiling of an updated iPhone and could include new wearable technology.
The technology firm has told developers that their apps, which would use Apple’s “HealthKit” platform on the forthcoming products, must not sell any personal data they gather to advertisers. The move could stave off concerns users might have around privacy as Apple seeks to move into the health data business.
Read more on The Guardian.

I suppose this could work with any online document, but flagging changes to policies is a worthwhile start.
– is a free service that allows you to track changes made to online documents that affect your privacy or your personal information, like Privacy Policies, Terms and Conditions or User Agreements. Pick the websites you’re interested in, and the site will notify you when an update has been made and show you exactly what has changed.
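The core of a service like this is simple: keep a fingerprint of a normalized copy of each tracked document, compare it on every fetch, and when it differs produce a line-level diff a user can read. The following is an added example written for this post, not the service's own code. The two policy texts are constructed samples, the sensitive-term list is an assumption, and fetching the live page is left out so the example runs offline; in practice you would feed `check_document` the previous stored snapshot and the freshly downloaded text.

```python
"""Added example (not the service's own code): detect and show changes to a
tracked policy document by fingerprinting a normalized copy and diffing it
against the previous snapshot. The policy texts below are constructed samples."""
import difflib
import hashlib
import re

# Constructed sample: a snapshot of a hypothetical privacy policy.
POLICY_V1 = """Privacy Policy
We collect your email address to operate the service.
We do not share your personal information with third parties.
You may delete your account at any time.
"""

# Constructed sample: the same document after a revision that widens
# collection and introduces sharing.
POLICY_V2 = """Privacy Policy
We collect your email address and device identifiers to operate the service.
We may share your personal information with advertising partners.
You may delete your account at any time.
"""

# Terms that usually signal a privacy-relevant change (assumed list; tune it).
SENSITIVE_TERMS = ("share", "sell", "third part", "advertis", "retain", "identifier")


def normalize(text: str) -> list[str]:
    """Collapse runs of whitespace and drop blank lines so that re-wrapping,
    trailing spaces or an extra newline do not count as a change."""
    lines = []
    for raw in text.splitlines():
        line = re.sub(r"\s+", " ", raw).strip()
        if line:
            lines.append(line)
    return lines


def fingerprint(text: str) -> str:
    """SHA-256 over the normalized document; store this per tracked URL."""
    joined = "\n".join(normalize(text)).encode("utf-8")
    return hashlib.sha256(joined).hexdigest()


def has_changed(previous: str, current: str) -> bool:
    """Cheap first check: compare stored fingerprint with the new one."""
    return fingerprint(previous) != fingerprint(current)


def changed_lines(previous: str, current: str) -> tuple[list[str], list[str]]:
    """Return (removed, added) lines: the part of a unified diff a user wants."""
    diff = difflib.unified_diff(normalize(previous), normalize(current),
                                fromfile="previous", tofile="current",
                                lineterm="", n=0)
    removed, added = [], []
    for line in diff:
        if line.startswith(("---", "+++", "@@")):
            continue  # skip diff headers and hunk markers
        if line.startswith("-"):
            removed.append(line[1:])
        elif line.startswith("+"):
            added.append(line[1:])
    return removed, added


def sensitive_hits(lines: list[str]) -> list[str]:
    """Which changed lines mention a term from the sensitive list."""
    return [l for l in lines if any(t in l.lower() for t in SENSITIVE_TERMS)]


def check_document(previous: str, current: str) -> dict:
    """One tracker run: decide whether to notify and what to show the user."""
    if not has_changed(previous, current):
        return {"changed": False, "removed": [], "added": [], "sensitive": []}
    removed, added = changed_lines(previous, current)
    return {"changed": True, "removed": removed, "added": added,
            "sensitive": sensitive_hits(added + removed)}


if __name__ == "__main__":
    result = check_document(POLICY_V1, POLICY_V2)
    print("changed:", result["changed"])
    for line in result["removed"]:
        print("-", line)
    for line in result["added"]:
        print("+", line)
    print("lines touching sensitive terms:", len(result["sensitive"]))
```

Normalizing before hashing matters more than it looks: sites re-flow text, swap whitespace and add trailing newlines far more often than they change their terms, and a tracker that alerts on every byte difference trains users to ignore it. The sensitive-term pass is a convenience for ranking alerts, not a substitute for reading the diff.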

Soon, drones will be armed to shoot down competitors' drones. At minimum, they will have cameras for real time updating of Google maps.
Google reveals the drones that will battle Amazon for control of our skies
… The hope is to one day use these drones for delivering goods to our homes. And if this all sounds familiar, it's because Amazon is doing the same with its Prime Air delivery drones, also in the development phase.

Cars can be drones too.
Terence P. Jeffrey reports:
The National Highway Traffic Safety Administration, part of the Department of Transportation, published last week an “advanced notice of proposed rulemaking” on “vehicle-to-vehicle communications.”
What NHTSA is proposing could begin a transformation in the American transportation system that makes our lives better and freer — or gives government more power over where we go and when.
Read more on CNS News.

Apparently this was not elementary.
Judge Posner Solves Sherlock Holmes Copyright Case
by Sabrina I. Pacifici on Aug 28, 2014
Rita Yoon, McDermott Will & Emery: “The original character of the famous detective Sherlock Holmes, along with his sidekick, Dr. John H. Watson, are no longer subject to copyright protection. In an opinion by Judge Richard A. Posner, the U.S. Court of Appeals for the Seventh Circuit held that copyright protection in these century-old literary characters cannot be extended simply by changing their features in later stories. When the original story expires, the characters covered by the expired copyright are “fair game” for follow-on authors. Klinger v. Conan Doyle Estate, Ltd., Case No. 14-1128 (7th Cir., Jun. 16, 2014) (Posner, J.).”

Curious. Does each lawyer add these to their Kindle or does the firm's librarian keep all the copies?
Free Federal Rules books from LII and CALI
by Sabrina I. Pacifici on Aug 28, 2014
Via Sarah Glassmeyer, Center for Computer-Assisted Legal Instruction: “The 2015 versions of the Federal Rules of Evidence, Criminal Procedure and Civil Procedure are now available. These books are powered by the Legal Information Institute at Cornell University Law School and distributed by the Center for Computer-Assisted Legal Instruction’s eLangdell Press. The books come in .epub format, which is compatible with iPads, Nooks, Android devices and basically everything but kindles. These editions of the books include:
  • The complete rules as of December 1, 2014 (for the 2015 edition).
  • All notes of the Advisory Committee following each rule.
  • Internal links to rules referenced within the rules.
  • External links to the LII website’s version of the US Code.
And yes, all totally free. You are more than welcome to download as many copies as you’d like and add to digital collections. Here are the direct links to the books:
While you are at the eLangdell Press bookstore, you may want to take a look at the growing collection of primary law (including the Federal Rules of Bankruptcy Procedure) and Appellate Procedure and legal classics available, as well as our open law school casebooks.”

For the Computer Security lab.
Netflix Releases Internally Developed Security Tools
Netflix has released two applications used by the company's security team to monitor the Web for potential threats.
… Two of the security-related applications used by Netflix's security team are Scumblr and Sketchy, which the company released on Monday as open source.
Scumblr, a Web app developed in Ruby on Rails, enables users to search the Internet for content of interest. Its built-in plugins are designed for searches on seven popular websites, including Google, Facebook and Twitter. However, new plugins can easily be created for manual or automatic searches on other sites, the company said.
… Sketchy … is capable of saving HTML, capturing screenshots and scraping text, all of which can be stored locally or in the cloud (AWS S3 bucket).
Scumblr, Sketchy and Workflowable are available on Netflix's page on GitHub.

Skyfence Launches Free Cloud App Usage Visibility Tool
Cloud-based applications can be highly useful for an organization, but monitoring them could prove challenging for IT departments. According to Skyfence, enterprise IT teams can use Skyfence Cloud Discovery to monitor Software-as-a-Service (SaaS) applications and services, and determine, based on risk information generated by the tool, which of them could pose a security threat.
Skyfence Cloud Discovery, which is part of the Skyfence Cloud Gateway product suite, can be downloaded for free and used to generate an unlimited number of reports.

Well, I find it amusing.
Pinging The Whole Internet
The image included in the tweet above shows what happens when you ping “all devices on the Internet.” Or at least the devices that answered when a company called Shodan, which bills itself as the “world’s first search engine for internet-connected devices,” attempted the feat.
There are no real surprises in terms of hot-spots but it is, nonetheless, a beautiful visualization of how we are all connected to each other by this series of tubes we call the Internet.

For my students. What can you make better?
The Coolest Cooler breaks Kickstarter records
A beachside drinks and food cooler for the digital generation is now officially the most successful Kickstarter campaign of all time, raising an incredible US$10.36mil (RM32.63mil) in pledges, and the campaign is yet to close.
… What makes the Coolest Cooler so cool? After all, the concept of the cooler predates the refrigerator.
Its creator, Ryan Grepper, will point to the fact that it's a cooler for the 21st century so as well as insulating perishables from the elements, it has an integrated battery-powered blender for smoothies and cocktails, a water-resistant Bluetooth speaker, a built-in chopping board, a USB charger for keeping smartphones powered up and chunky tires for easy rolling over the sand.

Thursday, August 28, 2014

Can we tell the intentions of hackers? CyberWar or Cyber-Fooling-Around? Isn't it rather important to know where the hacking is coming from (after a month?)
JPMorgan and Other Banks Struck by Cyberattack
A number of United States banks, including JPMorgan Chase and at least four others, were struck by hackers in a series of coordinated attacks this month, according to four people briefed on a continuing investigation into the crimes.
The hackers infiltrated the networks of the banks, siphoning off gigabytes of data, including checking and savings account information, in what security experts described as a sophisticated cyberattack.
… It was not clear whether the attacks were financially motivated, or if they were collecting intelligence as part of an espionage effort.
JPMorgan has not seen any increased fraud levels, one person familiar with the situation said.
… The intrusions were first reported by Bloomberg, which indicated that they were the work of Russian hackers. But security experts and government officials said they had not yet made that conclusion.
Earlier this year, iSight Partners, a security firm in Dallas that provides intelligence on online threats, warned companies that they should be prepared for cyberattacks from Russia in retaliation for Western economic sanctions.

Are we seeing a random rise in the number of DDoS attacks, or are these more coordinated?
Twitch Knocked Offline in Latest Online-Gaming Attack
The Twitch videogame-streaming service went offline for several hours last night (Aug. 26), possibly as a result of a distributed denial-of-service (DDoS) attack, which would make it the latest in a series of attacks on online gaming services.
A hacker group called Lizard Squad claimed credit for last night's disruption via its Twitter feed. On Sunday (Aug. 24), the same crew said it was behind outages of Sony's PlayStation Network and Sony Online Entertainment services, as well as connectivity problems with Blizzard's and Microsoft's Xbox Live.

Government health care: Like a roach motel, once the data enters it never leaves. Perhaps this lady should sue for “fraudulent amputation?”
Federal medical-privacy law frustrates ID theft victims
Linda Weaver had two good feet when she opened her mailbox one day in 2005. So she was surprised to find a bill for the amputation of her right foot.
Weaver, who runs a horse farm in Florida, soon discovered that it wasn't just a mix-up. According to the Los Angeles Times, her stolen identity and insurance information had been used to get surgery. She was stuck with the bill—and with a medical record full of incorrect, potentially dangerous information.
Weaver was one of a growing number of medical identity theft victims whose identity was stolen to make false health care claims. A 2013 study from the Ponemon Institute, an independent research organization in Traverse City, Michigan, that focuses on privacy and security, found the crime grew by 19 percent between 2012 and 2013. The Identity Theft Resource Center, a nonprofit working on prevention and victim assistance, said in March that medical records breaches made up 43.8 percent of all breaches reported to the federal government last year.
Medical identity theft creates some of the same financial complications as identity fraud. After Weaver convinced her insurance company that an imposter had the amputation, the insurer wouldn't cover it. So the hospital socked Weaver with the whole bill, even after she sent a notarized photo of her feet. Collection agencies weren't interested in Weaver's story, so the debt kept getting resold, creating multiple false entries on her credit report. Clearing this up became a 40-hour-a-week job, Weaver told the newspaper.

Is it so surprising that the country that invented Big Brother finds itself forced to live in his world?
Manchester Gazette reports:
UKIP Deputy Leader, Paul Nuttall, has warned that all new cars are set to be fitted with tracking devices under new EU Rules.
Since the EU passed plans to fit new cars with tracking devices that work similar to mobile phone technology, the UK Government has admitted it cannot do anything to stop British drivers having to comply.
The EU claim the devices can be set to send out an SOS to the emergency services should the car’s airbag be deployed, potentially saving 2,500 lives a year across the continent.
“This is an absolute disgrace,” said Mr Nuttall, UKIP deputy leader.
Read more on Manchester Gazette.
[From the article:
“It is a very convenient step toward being able to charge drivers per mile, and cement car driving as a luxury only the well-off can enjoy.
“Manufacturers will want to recoup the extra cost of fitting these devices and may well offer to sell the tracking data to insurance companies.”

Interesting idea; however, it seems they are not trying to educate the police but rather to teach how to combat surveillance.
Learn how police and intelligence agencies can access your data, and how the law (might) protect you! Hackers, attorneys, and concerned citizens are all welcome.
Jonathan Mayer of Stanford will be offering a free online course on surveillance law. Here’s the Syllabus:
I. Introduction
We will begin with a brief overview of how surveillance fits into the American legal system. We will also discuss how surveillance issues can be litigated.
II. The Basics of Surveillance Law
Next, we will review established police surveillance procedures. Using telephone technology as a simple starting point, we will work through various sorts of data that investigators might seek to access—and the constitutional and statutory safeguards on that data.
III. Applying Surveillance Law to Information Technology
Having learned the basics, we will turn to more modern technologies. We will discuss snooping on email, web browsing, and mobile phone location, as well as hacking into devices.
IV. Compelled Assistance to Law Enforcement
What happens when data is technically protected? In this section, we will talk about the government’s (limited) ability to mandate backdoors and to require decryption.
V. The Structure of Foreign Intelligence Surveillance Law
The law that applies to foreign intelligence activities runs parallel to the law that applies to police activities. We will compare the two systems of law and review key distinctions. The section places particular emphasis on Section 215 of the USA PATRIOT Act, Section 702 of the FISA Amendments Act, and Executive Order 12333.
VI. Controversial NSA Programs
In the final section, we will review the conduct and legality of controversial National Security Agency programs. We will discuss in detail the domestic phone metadata program, PRISM, and “upstream” Internet monitoring.
Read more on Stanford.

For my programming students?
Kano's Alejandro Simon: If This, Then Do That
Imagine a world where playing Pong and Minecraft gives people the power to program their computers. That world is Kano.
A crowdfunded startup, it took the idea behind Lego to teach computer programming by playing first-generation computer games.
… The innovative programming language lets kids drag and drop blocks into the code window to create Python or JavaScript code. The Kano Kit is powered by the Debian Linux derivative distro and a suite of apps.
The Kano Kit comes with a Raspberry Pi, a custom case, covers, a wireless keyboard with trackpad, HDMI and MicroUSB cables for display and power, a USB WiFi dongle, power sockets, and an 8-GB SD card carrying the Kano OS.

For the student Book Club.
Go On A Reading Buffet: 4 Top eBook Subscription Services Compared
Internet-based subscription services look to be the future. For video, you’ve got Netflix, the king. For music, you’ve got big man Spotify. If there was an Internet subscription for literature, that would complete the trifecta, wouldn’t it? Well, look no further because ebook subscription sites are finally here.
For not much money at all, you can unlock an entire world of literature just waiting to be read at your convenience. Indeed, in the long run, ebook subscriptions tend to be far cheaper than buying them at retail prices. Should you subscribe? If so, which site is best?
… For those who don’t read often, you may want to check your local public library first. Most libraries nowadays offer ebook rentals for free, which is the way you want to go for one-off reads. Obscure genre readers and those who need to read new releases are probably better off making straight purchases.

For my statistics students. Does this suggest why football is America's most popular sport?
What Baseball Fans Really Love: Doubt About the Outcome
In major league baseball’s first half-century, game attendance was entirely determined by teams’ winning percentages, but in recent decades fans have been increasingly attracted by stadium quality, batting performance, and outcome uncertainty, raising the importance of competition-enhancing policies such as player free agency, say Seung C. Ahn of Arizona State University and Young H. Lee of Sogang University in South Korea. When a league policy enhances competitive balance enough to increase doubt about game outcomes and about consecutive-season dominance by 1 standard deviation, attendance increases by 4% in the American League and 7% in the National League.

Something to think about for my spreadsheet class. I usually teach my students to do this, but without the predefined templates.
SpreadCloud – is an Excel add-in that connects your spreadsheets with APIs. Data keys are used by the SpreadCloud data partners to provide you with access to their data. Use the Request Builder to build requests from scratch or start with one of the pre-built templates that are ready to use. All data is saved with your spreadsheet so you can use it offline or share with others.

Wednesday, August 27, 2014

Interesting hacker strategy. Delay reporting, increase the number of cards stolen?
DQ Breach? HQ Says No, But Would it Know?
Sources in the financial industry say they’re seeing signs that Dairy Queen may be the latest retail chain to be victimized by cybercrooks bent on stealing credit and debit card data. Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters.
… The situation apparently developing with Dairy Queen is reminiscent of similar reports last month from multiple banks about card fraud traced back to dozens of locations of Jimmy John’s, a nationwide sandwich shop chain that also is almost entirely franchisee-owned. Jimmy John’s has said it is investigating the breach claims, but so far it has not confirmed reports of card breaches at any of its 1,900+ stores nationwide.

Might be fun (i.e. Cruel and usual) to have my Computer Security students create a US version of this guide.
The Office of the Australian Information Commissioner has released Data breach notification guide: A guide to handling personal information security breaches. Some excerpts:
Preventing data breaches — obligations under the Privacy Act
Security is a basic element of information privacy. In Australia, this principle is reflected in the Privacy Act in the APPs.
Agencies and organisations are required to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. This requirement is set out in APP 11 (see Appendix A for APP 11).
Sections 20Q and 21S of the Privacy Act impose equivalent obligations on credit reporting agencies and all credit providers. Similarly, guideline 6.1 of the statutory TFN guidelines requires TFN recipients to protect TFN information by such security safeguards as are reasonable in the circumstances.
Depending on the circumstances, those reasonable steps may include the preparation and implementation of a data breach policy and response plan. Notification of the individuals who are or may be affected by a data breach, and the OAIC, may also be a reasonable step (see page 9).
Responding to data breaches: four key steps
Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals, agencies and organisations.
As such, there is no single way of responding to a data breach. Each breach will need to be dealt with on a case-by-case basis, undertaking an assessment of the risks involved, and using that risk assessment as the basis for deciding what actions to take in the circumstances.
There are four key steps to consider when responding to a breach or suspected breach:
Step 1: Contain the breach and do a preliminary assessment
Step 2: Evaluate the risks associated with the breach
Step 3: Notification
Step 4: Prevent future breaches
Each of the steps is set out in further detail below.
You can access the guide (49 pp, pdf) here.

Is it possible to write evidence gathering guidelines in the form: “You need a warrant or subpoena for all evidence except: … ” Seems to me that would be simpler.
Drones at Home: Domestic Drone Legislation – A Survey, Analysis and Framework
by Sabrina I. Pacifici on Aug 26, 2014
Zoldi, Dawn M. K., Drones at Home: Domestic Drone Legislation — A Survey, Analysis and Framework (July 9, 2014). Available for download at SSRN:
“Can the government employ drones domestically without running roughshod over personal privacy? In an effort to preemptively rein in potential government overreach, most states have proposed legislation that restricts or forbids government drone use. The intent is to prevent drone use for warrantless information and evidence collection. Ironically, many of these proposals will have the opposite effect intended. State-by-state drone legislation may lead to consequences such as the erosion of Fourth Amendment jurisprudential principles, losses of life and property, procedural windfalls to criminals, and deleterious effects on the military. Lawmakers should take a nuanced approach to government drone use rather than selectively revising constitutional protections. A nuanced approach would allow the federal government to use drones to their full potential while also protecting personal privacies. There are four principles that should guide drone legislation:
(1) apply the Fourth Amendment agnostically;
(2) ensure operational purpose language distinguishes between law enforcement and non-law enforcement professionals;
(3) focus new regulations on information collection, dissemination, and retention;
(4) develop narrowly tailored remedies that deter specific behavior consistent with their historical purpose.
Drone legislation drafted with these principles in mind will protect our national security and our civil liberties.”

Is there anything here we really didn't expect? Details are “secret” only to avoid public backlash.
Ben Grubb reports:
It’s the secret industry consultation paper the federal government didn’t want you to see.
Produced by the Attorney-General’s Department and distributed to telecommunications industry members on Friday, the nine-page document attempts to clarify what customer internet and phone records the government wants companies such as Telstra, Optus and iiNet to store for the purpose of law enforcement and counterterrorism.
The requirement is part of a proposed data retention regime, which has been given “in principle” approval by the Abbott government. It seeks to continue to allow law enforcement and spy agencies to access customer identifiable data without a warrant as prescribed by law, but would ensure the data is not deleted for a mandated period of two years.
The paper, stamped “confidential” and marked for “preliminary consultation only”, raises more questions than it solves.
Read more on Sydney Morning Herald.

Insurance companies creating specific exclusions suggests they have some idea what each of those scenarios costs them. Can I get that information for my classes on risk? Worth exploring.
Hunton & Williams write:
On August 7, 2014, the United States District Court for the Eastern District of Virginia held in Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, No. 1:13-cv-917 (E.D. Va. Aug. 7, 2014), that online posting of patient medical information constituted “publication,” whether or not it was viewed by a third party, and therefore triggered the insurer’s duty to defend its insured against a class action seeking damages for breach of privacy claims.
Read more on Lexology.
But do note that Law360 reports:
Insurers are rushing to tack on recently released data breach exclusions to commercial general liability policies, hoping to substantially narrow their exposure to privacy risks. Here, experts provide policyholders the essentials on these game-changing provisions.
The Insurance Services Office Inc., which develops standard insurance contract language, in May unveiled an exclusion that is aimed at wiping out coverage for personal and advertising injuries stemming from the disclosure of personal information. The exclusion applies to a variety of damages, including notification costs, credit monitoring expenses and public…
Law360's full story is behind a paywall.

To me, Labor Law is “a whole 'nother country.”
Scott McIntyre and Erika Spears write:
The grocery business may be “fresh and easy,” but drafting a confidentiality and data protection policy that withstands the scrutiny of the current National Labor Relations Board (NLRB) is not. The NLRB, in its recent 2-1 Fresh & Easy Neighborhood Market and United Food and Commercial Workers International Union decision, 361 NLRB No. 8 (July 31, 2014), ruled that the company’s “confidentiality and data protection” rule violated Section 8(a)(1) of the National Labor Relations Act (the Act). This decision is a reminder that businesses acting proactively to avoid data breaches and comply with privacy laws must also consider the NLRB’s view of employee rights if an employee may be implicated in wrongdoing, regardless of the context or label placed on the workplace rule.
Read more on Baker Hostetler Data Privacy Monitor.
[From the article:
The Code’s section entitled “Confidentiality and Data Protection” mandated that employees:
Keep customer and employee information secure. Information must be used fairly, lawfully and only for the purpose for which it was obtained.
In May 2012, charges were filed by the United Food and Commercial Workers International Union challenging the data protection rule, alleging that it was unlawful because employees could reasonably construe it as prohibiting the sharing of information by employees to improve terms and conditions of employment.

Making Law School cheaper? Interesting idea. I wonder if the Math Club would be interested in creating a “Guide to Math” online textbook?
Open Intellectual Property Casebook
by Sabrina I. Pacifici on Aug 26, 2014
“Duke’s Center for the Study of the Public Domain is announcing the publication of Intellectual Property: Law & the Information Society—Cases and Materials by James Boyle and Jennifer Jenkins. This book, the first in a series of Duke Open Coursebooks, is available for free download under a Creative Commons license. It can also be purchased in a glossy paperback print edition for $29.99, $130 cheaper than other intellectual property casebooks. This book is an introduction to intellectual property law, the set of private legal rights that allows individuals and corporations to control intangible creations and marks—from logos to novels to drug formulae—and the exceptions and limitations that define those rights. It focuses on the three main forms of US federal intellectual property—trademark, copyright and patent—but many of the ideas discussed here apply far beyond those legal areas and far beyond the law of the United States. The book is intended to be a textbook for the basic Intellectual Property class, but because it is an open coursebook, which can be freely edited and customized, it is also suitable for an undergraduate class, or for a business, library studies, communications or other graduate school class. Each chapter contains cases and secondary readings and a set of problems or role-playing exercises involving the material. The problems range from a video of the Napster oral argument to counseling clients about search engines and trademarks, applying the First Amendment to digital rights management and copyright or commenting on the Supreme Court’s new rulings on gene patents. Intellectual Property: Law & the Information Society is current as of August 2014. It includes discussions of such issues as the Redskins trademark cancelations, the Google Books case and the America Invents Act. Its illustrations range from graphs showing the growth in patent litigation to comic book images about copyright. 
The best way to get some sense of its coverage is to download it. In coming weeks, we will provide a separate fuller webpage with a table of contents and individual downloadable chapters. The Center has also published an accompanying supplement of statutory and treaty materials that is available for free download and low cost print purchase.”

For my Ethical Hackers: How can we selectively flip this switch? How can we flip the switches on all phones of a given manufacturer? (This could be so much fun I'm already starting to giggle.)
California Requires All Smartphones to Have a Kill Switch
California has just passed a law that will require all smartphones to be equipped with a function that can allow users to wipe their data if their phone is stolen or lost.
The new law will go into effect on July 1, 2015 and applies to phones manufactured after this date.
… Not only will the kill switch be able to wipe users' data, but it will also lock the phone, rendering it useless. Only the owner of the phone will have control over the switch; however, the police can also use the tool. [So, “only” every cop in California and the phone's owner? Bob]
This means that the police could cut off phone service in certain situations; however, this would require a court order unless there is an emergency that poses immediate danger of death.

Should work for Math lectures as well as those rocky-roll songs.
Peggo is a Digital Video Recorder (DVR) that records MP3s of your favorite YouTube videos and SoundCloud tracks. Peggo’s packed with great features like integrated search, automatic silence removal, audio normalization, subtrack offsets, and artist and title tags. In addition, Peggo also normalizes the volume of every recording to the same, comfortable level.
… For users in the United States, and countries with similar laws, Peggo is perfectly legal.
Peggo is a Digital Video Recorder (DVR) that lets you make personal recordings of publicly available online media for later use, also known as time-shifting, and is protected by the Supreme Court's Betamax ruling (Sony Corporation of America vs Universal City Studios).

Tuesday, August 26, 2014

Lesson to learn: If you are going to rely on your Security procedures, make certain they are reliable. (How would anyone gain access to your offsite backups without your knowledge? They write blank “backups” and over time older backups are deleted.)
Victim Company Refuses to Pay DDoS Extortion Fee and Is Permanently Forced Out of Business
… Code Spaces experienced a DDoS attack accompanied by a ransom demand. Code Spaces assumed it could handle the attack on its systems, which were hosted on Amazon Web Services (AWS). When the attackers didn’t get their payoff to end the DDoS attack, it is presumed they directed their vengeance toward gaining access to Code Spaces’s Amazon EC2 control panel and then deleting most of the company’s data, backups, machine configurations and offsite backups.

That's 100,000 won more than US breach victims typically get. I wonder how they did it?
Yonhap News reports:
South Korea’s No. 2 mobile carrier KT Corp. was ordered by a local district court Friday to pay 100,000 won (US$97) in compensation to each customer who had personal data leaked in 2012.
The Seoul Central District Court’s ruling came after some 28,000 KT users filed a lawsuit against the mobile carrier for the leak of sensitive personal information, demanding compensation of 500,000 won per person.
Read more on Global Post.

I expect nothing less. Why would the NSA have all that data and no way to search for the specific bits they need? (The “Intercept” link has some great images for your next presentation, specifically the one illustrating “billions and billions of records”)
NSA built 'Google-like' search engine for metadata
The National Security Agency built a "Google-like" search engine to give domestic and international government agencies access to details of billions of calls, texts and instant messages sent by millions of people, according to The Intercept.
The search engine, called ICReach, had behind it roughly 850 billion pieces of metadata in 2007 on calls made largely but not exclusively by foreign nationals, the report said.
Metadata is the data that surrounds a communication but not the contents of the message or telephone call itself. In the case of ICReach, the program includes the date, time and duration of calls, the number of the caller and destination, and, in the case of a mobile telephone, the unique IMEI number of the handset being used, according to a document published earlier this year by the American Civil Liberties Union.

Do you suppose everyone knew they could be monitored at this level?
Jawbone Looks At UP Data To See How Many Were Woken Up By The Napa Earthquake
Jawbone has shown one of the more interesting ways data gathered on its platform might be used for large-scale population studies: The fitness tracker company looked at its cumulative UP data to find out where wearers of its fitness bands were woken up by the South Napa earthquake that happened yesterday morning, and where people slept through the ground shaking.
Jawbone found that, unsurprisingly, those living closest to the epicenter of the quake were the ones who woke up most reliably, at around 3:20 AM when it originally struck. 93 percent of UP wearers in Napa, Sonoma, Vallejo and Fairfield woke up almost instantly, while just over half of UP wearers in San Francisco and Oakland were awoken.

At some point, failure to check your facts with Google (or similar repositories of the accumulated wisdom of mankind) will be considered an indication that the speaker/writer is either certifiably crazy or a politician.
Google’s fact-checking bots build vast knowledge bank – New Scientist
by Sabrina I. Pacifici on Aug 25, 2014
“GOOGLE is building the largest store of knowledge in human history – and it’s doing so without any human help. Instead, Knowledge Vault autonomously gathers and merges information from across the web into a single base of facts about the world, and the people and objects in it. The breadth and accuracy of this gathered knowledge is already becoming the foundation of systems that allow robots and smartphones to understand what people ask them. It promises to let Google answer questions like an oracle rather than a search engine, [With vague language, subject to multiple interpretations? Bob] and even to turn a new lens on human history. Knowledge Vault is a type of “knowledge base” – a system that stores information so that machines as well as people can read it. Where a database deals with numbers, a knowledge base deals with facts. When you type “Where was Madonna born” into Google, for example, the place given is pulled from Google’s existing knowledge base. This existing base, called Knowledge Graph, relies on crowdsourcing to expand its information. But the firm noticed that growth was stalling; humans could only take it so far. So Google decided it needed to automate the process. It started building the Vault by using an algorithm to automatically pull in information from all over the web, using machine learning to turn the raw data into usable pieces of knowledge. Knowledge Vault has pulled in 1.6 billion facts to date. Of these, 271 million are rated as “confident facts”, to which Google’s model ascribes a more than 90 per cent chance of being true. It does this by cross-referencing new facts with what it already knows… Google’s Knowledge Graph is currently bigger than the Knowledge Vault, but it only includes manually integrated sources such as the CIA Factbook. Knowledge Vault offers Google fast, automatic expansion of its knowledge – and it’s only going to get bigger. 
As well as the ability to analyse text on a webpage for facts to feed its knowledge base, Google can also peer under the surface of the web, hunting for hidden sources of data such as the figures that feed Amazon product pages, for example. Tom Austin, a technology analyst at Gartner in Boston, says that the world’s biggest technology companies are racing to build similar vaults. “Google, Microsoft, Facebook, Amazon and IBM are all building them, and they’re tackling these enormous problems that we would never even have thought of trying 10 years ago,” he says.”

For The First Time, More People Will Watch Streams On Devices Than Desktops
On August 26, 2002, Major League Baseball streamed its first live video of a game to the web — a tiny, grainy little player that looks laughable in comparison to today’s HD streams you hold in your palm.
This month, 12 years later, the MLB says that it projects that over 51 percent of its monthly live streams will be watched on ‘connected’ and mobile devices in August. It says that this is a first for any live sports video product on the Internet.

The future looks bright for my Computer Security students.
Global Cybersecurity Spending to Reach $76.9 Billion in 2015: Gartner
As organizations worldwide become more and more aware of the risks posed by the lack of protection against cyber threats, information security spending will continue to increase, Gartner forecasts.
According to the IT research and advisory firm, global IT security spending will reach $71.1 billion this year, which represents an increase of 7.9% compared to 2013. Next year, spending will grow even more, reaching $76.9 billion.
The use of security solutions will be driven in the next couple of years by the rapid adoption of mobile, cloud, social and information technologies, which often interact with each other, Gartner said.

(Related) The same for my Data Analysis students. Perhaps our students could volunteer at some of these nonprofits as interns?
Recruiting Data Scientists to Do Social Good
We know that data scientists are a hot commodity. Businesses can’t get enough of them. That’s great for tech companies that attract talent with stock and benefits, but less so for social initiatives and non-governmental organizations (NGOs) who could use their talent too. Short of asking nonprofits to drain their coffers to make expensive hires, can we find a way to staff their projects? I think so, if we can create a better mechanism to connect people to opportunities.
The going rate for data scientists has obviously soared.

It's not that strange. For years I have been explaining fractions using pizza.
Proper Punctuation Explained With Bacon
… So how can you learn to use punctuation marks properly without making dumb grammar mistakes? Simple. Bacon is the answer.

Always interesting to see how they plan to “solve” education.
How Computer Technology Will Transform Schools Of The Future
In the 1800s, students sat in a classroom, listened to a teacher and took tests. In 2014, students do exactly the same thing, with maybe the addition of a pocket calculator and some slides.
Nearly every other industry has been changed beyond recognition by the invention of computers. Why not education, arguably one of the industries with the most to gain?
… Today, we’re going to be talking about the five biggest ideas that are going to change education more than you’d believe.

(Related) Clever, but very tricky.
Digital textbooks adapt to your level as you learn
… "We want to be able to create the perfect book for every person," says Richard Baraniuk, director of the OpenStax project at Houston's Rice University, which is behind the books. "Ultimately, we want a system that turns reading the book into an exploration of knowledge."
OpenStax already offers an array of online and printed textbooks on subjects including economics, biology and history. For the past three years, researchers have tracked how students in 12 US schools use the books in their studies, including information on how they scored on questions.
That work is now being used to train machine-learning algorithms that give OpenStax's biology and physics textbooks the ability to adapt to individuals. If a reader seems to be struggling with a particular topic – acceleration, say – the book will slot in additional explanations and practice questions, and increase emphasis on related subjects, such as centripetal force, that could otherwise trip that person up.
Salt Lake Community College, which has more than 60,000 students and is the largest higher-education institution in Utah, wants to pilot OpenStax's algorithm-enhanced textbooks next year in political science, business and mathematics classes. Jason Pickavance, director of educational initiatives at the college, says he is curious to see whether the books improve student performance.
… Whether the books are successful will depend on teachers, says Ben du Boulay, who works on artificial intelligence at the University of Sussex, UK. They are the ones who will ensure that students make the most of their books – for instance, by working out what to do when the books identify a common problem area among their students.

I post this for my female students with absolutely no comment.
Women Surpass Men as Kickstarter Fundraisers
Women may be heavily underrepresented in the start-up world, but they’re doing well on Kickstarter. In one study, two-thirds of technology ventures led by women reached their fundraising goals on the crowdfunding site, compared with 30% of those led by men, according to the Wall Street Journal. Female-founded start-ups attract support from women who are activists and want to help other women, the researchers say.