Saturday, March 21, 2015

I'm not sure most organizations could meet this standard. Perhaps it is time for a shared security function – outsource your security into a “Group Buying Club?”
Paula Stannard reminds us:
As a result of recent breaches – including breaches of health information and information held by health insurers – a great deal of attention has recently been focused on state data breach notification requirements. Most States have general data breach notification requirements that apply to all data breaches, including those involving health information. A few States have specific data breach laws applicable to health information or to certain types of entities in the health care/health insurance industry. California is one of such States – and it has made several significant revisions to its statute, California Health and Safety Code § 1280.15, effective January 1, 2015 (A.B. 1755).
If you keep thinking that you have 60 days to notify under HIPAA and HITECH, think again if you do business in California, because you only have 15 days to notify the state and patients.
Read more on Alston & Bird’s Privacy & Data Security Blog.

(Related) How long would it take you to check a full year of logs (do you keep them that long?) for any possible victim of a breach? Is China everywhere or is the FBI finding there software everywhere?
Elizabeth Shim reports:
The FBI is probing into possible Chinese military involvement in a data breach of Register.com, a network that manages more than 1.4 million website addresses.
The Financial Times reported the cyber attack on the U.S. company included theft of employee passwords and unauthorized access to Register’s network during a yearlong breach that did not cause disruptions or theft of client data.
Read more on UPI.
[From the article:
However, a company spokesman said to The Financial Times the firm is building security protocols and tools to monitor and curb hacking threats. [Apparently they didn't have them before. Bob]
… In February The Washington Post reported the Chinese government was linked to a hack of health insurance company Anthem.
In that breach, a U.S. cyber security firm concluded the malware used was identical to the code used against a small U.S. defense contractor. The malware originated from China, according to the FBI.


“Well golly gee willikers, it's the government – what could be wrong with giving them anything they want?
Papers, Please! Writes:
The first “interim” release of documents responsive to our FOIA request for records of police and other government access to Amtrak reservation data show that Amtrak is not only giving police root access and a dedicated user interface to mine passenger data for general state and local law enforcement purposes, but also lying to passengers about this, misleading Amtrak’s own IT and planning staff about the legal basis for these actions, and violating Canadian if not necessarily US law.
Read more on Papers, Please!


Your camera as evidence? (Be sure to photograph a stack of bills with “Past Due” stamped on them.)
Mike Carter reports:
Federal prosecutors have taken the rare step of challenging the appointment of publicly funded lawyers to represent accused Russian hacker Roman Seleznev and have asked a judge to order Seleznev to reimburse the government for his defense.
[…]
As proof, the government provided the court with photographs of stacks of cash and luxury cars found on Seleznev’s phone and computer when he was arrested on July 5 while vacationing in the Maldives, a tiny chain of islands in the Indian Ocean.
Read more on The Seattle Times.
Well, sure, if he can afford a tropical vacation


“We can, therefore we must!” Software for parents who don't know how to parent?
GM Teen Driver Technology A Safe Bet To Limit, Monitor Young Drivers And Create Serious Teen Angst
… Teen Driver is meant to promote safe driving behavior for teens when they don’t have adult supervision in the car to make them “straighten up and fly right.”
A parent can enable Teen Driver in the MyLink Settings menu and create a PIN, which is then registered to the teen’s key fob. Once that step is taken, parents have full control over a number of in-vehicle features, performance capabilities, and even alert systems for their teen driver.
… One such “nanny” feature is the ability to mute the radio until front seat passengers have fastened their seat belts. Parents also have full control over the maximum volume of the radio, so don’t think that you’re gonna go cruising down the street, windows down, with death metal cranked all the way up.
And if you’re thinking about blasting down the highway at 100 mph in daddy’s new Malibu, guess again. Your old man can set a maximum driving speed anywhere the range of 40 to 75 mph lest you get any wild ideas. If a teen were to attempt to fly past those limits, alarm bells would start ringing in the vehicle’s cabin.
… Teen Driver will allow parents to keep track of the maximum speed driven, over-speed alerts, distance traveled (thinking about ditching school to make a quick road trip; guess again), and any instances where the antilock brakes or stability control had to kick in.


Every week, as welcome a sunshine.
Hack Education Weekly News
… Phil Hill offers a round-up of news and analysis about Rutgers University and ProctorTrack, “which costs students $32 in additional fees, accessing their personal webcams, automatically tracks face and knuckle video as well as watching browser activity.” He adds, Student privacy is a big issue, and students should have some input into the policies shaped by institutions.”
Via Go To Hellman: “16 of the top 20 Research Journals Let Ad Networks Spy on Their Readers.”
The University of Rochester is demanding that Yik Yak turn over “the names, email addresses and other information that would help the college identify UR students who might have posted racially offensive and threatening language.”
… Pacific Standard has several recent articles exploring adjunct labor on college campuses: “The Professor Charity Case” and “Survey: The State of Adjunct Professors.”


How strange. Perhaps education in immoral?
Internet Seen as Positive Influence on Education but Negative on Morality in Emerging and Developing Nations


Perfect timing. This is the last day of class (all papers are due) and we've been developing ways to do this all quarter.
How to Follow a #Hashtag Across Multiple Social Networks
A few weeks ago I wrote a post about using Tagboard to follow a hashtag across multiple social networks. As I wrote back then, the beauty of Tagboard is that I can follow a hashtag and see all of the Tweets, Instgram, Facebook, and Google+ posts about it in one place. This enables me to quickly catch up with what people are sharing about an event or saying in a chat like #edchat. In the video embedded below I provide an overview of how to use Tagboard.


For my Android toting students.
Productivity Problems? Check Out This Productivity Android App Guide
… Want more on productivity? Check out our whole Self Improvement section which will provide you with all kinds of tools and skills you can use to work smarter. While you’re at it, don’t forget the Android section that covers everything from the hottest devices to the newest apps!
Via TopApps


My students might find these useful too.
Two New Apps That Are Great for Recording Audio Interviews
This week I tested two new apps for recording audio interviews. Both of these apps can be used by students without creating any kind of new online accounts. Neither one is entirely perfect, but they're both quite good.
Opinion is a free iPad app for creating short audio recordings. To record simply open the app and tap the big red recording button at the top of the screen. When you're done talking, tap the recording button again to stop the recording. You can chop your recording into smaller pieces by tapping on your recording then tapping the scissors icon to cut your recording. Opinion recordings can be shared to a variety of places on the web including SoundCloud and Evernote. Opinion limits you to ten minutes of recording before you have to either upgrade or eliminate older recordings.
StoryCorps has a new app called StoryCorps.me that Larry Ferlazzo raved about earlier this week. The app is available for iPhone (it will also work on iPads, it's just a little grainy looking) and Android devices. StoryCorps.me will try to force you to create a StoryCorps account, but you can use it without creating an account. Creating an account will allow you to publish your recordings on the StoryCorps website.
StoryCorps.me is designed to help people conduct and record great interviews. The app includes a set of questions that you can use in your interview. The question sets are varied depending upon the relationship that you do or don't have with your interviewee. While recording your interview you can swipe through the questions to help you keep the interview on track. Completed recordings can saved on your device and or shared with the StoryCorps community.

Friday, March 20, 2015


I always discuss this kind of article with my Computer Security students. If someone in senior management or the on the Board of Directors should stumble across this article, they might ask their Computer Security manager how long it would take them to detect an attack or a breach. On the flip side, expressing your current status in terms of “time to detect” might be very useful at budget time.
Data Breach Detection Takes Days or Longer For Many Businesses: Survey
Seconds count when dealing with a security incident. A new survey from Osterman Research however has found that many companies believe it would take hours or more for them to detect a breach – with nearly 30 percent stating it would take days, weeks or longer.
The statistics come from a report entitled 'Dealing with Data Breaches and Data Loss Prevention'. The report – which was sponsored by Proofpoint - fielded responses from 225 large and midsized organizations in the U.S. and Canada. According to the survey, just 24 percent felt they could detect a breach within minutes or seconds. Thirty-seven percent believe they could detect a breach within hours, while 28 percent said it would take days or weeks. One percent said it would take even longer than that, and nine percent weren't sure.
"However, it is important to note that preparedness is only part of the story," according to the report. "For example, Target was quite well prepared for its now-infamous data breach: the company had deployed a robust anti-malware solution to protect against data breaches, it maintained a team of security personnel in India that were focused on detecting anomalous behavior in the corporate network, and it had a security team in Minneapolis that were focused on dealing with a data breach and other security incidents. Target’s security solution worked as it was designed, its Indian security team notified its counterparts of the breach in Minneapolis, but for some reason that final link in the chain did not respond appropriately." [Does not seem to match the next article Bob]

(Related) Update. (I thought it would take longer.) Looks like there were a few standard security measures not part of Target's repertoire.
My suspicious mind suggests that the costs saved by this settlement allowed Target to raise employee wages.
Steve Karnowski and Michelle Chapman of AP report:
A Minnesota judge has endorsed a settlement in which Target Corp. will pay $10 million to settle a class-action lawsuit over a massive data breach in 2013.
U.S. District Judge Paul Magnuson said at a hearing Thursday in St. Paul, Minnesota, that he would grant preliminary approval of the settlement in a written order later in the day. The move will allow people to begin filing claims ahead of another hearing for final approval.
[…]
The settlement would also require Minneapolis-based Target Corp. to appoint a chief information security officer, keep a written information security program and offer security training to its workers. It would be required to maintain a process to monitor for data security events and respond to such events deemed to present a threat.
Read more on FindLaw.


Sometimes you just have to take the abuse.
Timothy Cornell of Clifford Chance US LLP has an interesting write-up on the Wyndham case that really details the time and labor costs of responding to a government investigation following a data breach. Here’s an example:
On April 8, 2010, the FTC began to investigate Wyndham Worldwide and three of its subsidiaries (collectively “Wyndham”), sending Wyndham a voluntary request for information. The FTC’s investigatory focus, as stated in that April 8, 2010 letter, was to determine: “whether Wyndham’s information security practices comply with Section 5 of the [FTC] Act, which prohibits deceptive or unfair acts or practices, including misrepresentations about security and unfair security practices that cause substantial injury to consumers.”[2] The FTC’s request contained 14 detailed inquiries (most with subparts) and sought information about Wyndham’s IT architecture, cybersecurity policies, and the three data breaches that occurred. It took Wyndham more than five months to locate all responsive documents. [3]
During 2010 and the first half of 2011, the FTC sent three supplemental requests for information and documents, and also posed oral requests at meetings between the parties. In total, 29 document requests and 51 information requests were issued to Wyndham prior to December 2011.[4] Wyndham produced over 1 million pages of documents and written responses that totaled 72 pages single spaced. In addition, Wyndham Worldwide’s CFO and head of Information Security – along with attendant inside and outside counsel – attended seven in-person meetings with the FTC.[5] The time and cost associated preparing for each of those meetings was likely significant.
Wyndham estimated that its response cost exceeded $5 million in legal and vendor fees. [6] And that estimate did not include the time employees spent responding to the requests or the business disruption caused thereby, nor the costs associated with preparing for meetings with the FTC.


No surprise. New technology means ignoring old security solutions.
Companies Find It Difficult to Secure Their Mobile Apps: Survey
A new Ponemon Institute study sponsored by IBM shows that many organizations neglect security when building mobile applications for their customers.
The report shows that nearly 40 percent of the 400 organizations that took part in the survey, 40 percent of which are Fortune 500 companies, potentially expose their customers’ data because they don’t scan the code for vulnerabilities.
When asked about why mobile apps contain vulnerable code, many of the respondents cited rush-to-release pressures, lack of training on secure coding practices, lack of quality assurance and testing procedures, and the lack of internal policies that clarify security requirements.
According to the report, organizations spend an average of $34 million per year on mobile app development, but only $2 million, or 5.5 percent of the annual budget, on mobile app security.


I don't want my Ethical Hackers penetrating systems to leave a “Kilroy was here!” If they really want to probe, we have a formal authorization procedure.
Cyber Attackers Leaving Warning 'Messages': NSA Chief
Attackers hacking into American computer networks appear to be leaving "cyber fingerprints" to send a message that critical systems are vulnerable, the top US cyber-warrior said Thursday.
Admiral Michael Rogers, director of the National Security Agency and head of the Pentagon's US Cyber Command, made the comments to a US Senate panel as he warned about the growing sophistication of cyber threats.
"Private security researchers over the last year have reported on numerous malware finds in the industrial control systems of energy sector organizations," Rogers said in written testimony. "We believe potential adversaries might be leaving cyber fingerprints on our critical infrastructure partly to convey a message that our homeland is at risk if tensions ever escalate toward military conflict."


All data is targeted actually, the priority changes depending on the value of the data and the amount of security.
The Next Cybersecurity Target: Medical Data
… Calhoun points out that healthcare breaches aren't unheard of: In fact, according to Intel Security and the Atlantic Council's latest report on cyber risks, about 44 percent of all registered data breaches in 2013 targeted medical companies, with the number of breaches increasing 60 percent between 2013 and 2014. Those numbers may seem larger than expected—how often do healthcare breaches make the news?—but Calhoun tells me that these reported medical-company breaches happen on smaller scales, affecting far fewer people than attacks on banks and government data.
… "Advanced cybersecurity defenses are still a relatively new idea to many healthcare organizations," said Greg Kazmierczak, the CTO of data-security company Wave Systems Corporation. "Big banks and large financial firms, on the other hand, have been dealing with these issues internally and in the public eye for the past decade or so with the large-scale breaches of JP Morgan and Bank of America."
In other words, as more attacks happen, more victims will beef up their cybersecurity. [Only if they ask “Could that happen to me?” Bob] So, with the Premera breach, it's the healthcare industry's turn to rethink data security.


Typical government doubletalk? If “law enforcement” is buying it, we certify it. But it's not about who buys it? Once law enforcement has it, it passes out of the FCC's regulatory environment?
Chairman: FCC has minimal jurisdiction over surveillance tool
The Federal Communications Commission (FCC) lacks oversight of so-called stingray surveillance devices once they are in the hands of law enforcement, Commissioner Tom Wheeler said Thursday.
Wheeler said the commission certifies the devices, which collect location information from cellphones, if they are being made for law enforcement use. [If they are made for other users, they are not certified? Bob]
"And then from that point on, its usage was a matter of law enforcement, not a matter of the technological question of whether or not the piece of hardware interfered with other [radio frequency] devices," he said.
… Wheeler did say the commission could have authority over the "unauthorized use" of the device, such as one that was sold illegally outside law enforcement circles.
… our jurisdiction and our authority is to certify the electronics of the RF components of such devices for interferences questions. And that if the application was being made in conjunction with law enforcement, then we would approve it. This is for the technology, this is not for who buys it."


Shrink wrap, click wrap, psycho rap. What did the user mean when he clicked that “I Agree” button?
Aaron R. Gelb and James R. Glenn of Vedder Price write:
Since December 2014, retail giant Michaels Stores, Inc. (Michaels) has been hit with two class action lawsuits regarding its background-check process. The lawsuits allege that Michaels violated the Fair Credit Reporting Act (FCRA) by having job applicants click an “I Agree” box consenting to the terms and conditions of an online job application, which include an authorization to obtain a consumer report on the applicant.
Employers utilizing a third party to obtain background checks for use in the hiring process (and other employment decisions) must comply with a number of requirements set forth in the FCRA, including that the employer give job applicants a written authorization form that includes a “clear and conspicuous” notice that a consumer report may be obtained for employment purposes. This disclosure and authorization must be part of a separate or “stand-alone” document consisting of the disclosure and nothing else. The employer must obtain the individual’s authorization before a consumer report is procured.
Read more on National Law Review.

(Related)
Wendy Davis reports:
Yahoo is asking a judge to deny class-action status to a group of people who are suing the company for scanning their email messages.
The company argues in new court papers that the lawsuit doesn’t lend itself to class-action treatment because one of the key unresolved issues turns on whether Web users consented to the scans. Yahoo says that users’ consent needs to be litigated on a case-by-case basis.
Read more on MediaPost.


Interesting timing. Probably had nothing to do with Google's support for Obama in 2012. Probably. It's just that people from tech firms cross into government positions just like people from defense firms do.
Google threatened to remove websites from its search engine unless they let Google use their content
The Wall Street Journal on Thursday published excerpts from a 2012 Federal Trade Commission document. The document was part of the FTC's investigation of Google after complaints from competitors. It was never meant to be public but was accidentally sent to The Journal after a Freedom of Information Act request.
… Eventually, Google offered to let websites opt out of including their content in Google's search results, and made some other changes. In 2013, the FTC commissioners unanimously voted 3-0 to drop the investigation.
The FTC probably won't reopen an investigation just because this report was leaked. This isn't news to the FTC.
However, it could give new fodder to European investigators.

(Related) See what I mean?
Facebook exec becomes White House IT head
The former top engineer at Facebook is taking over as the White House’s first-ever director of information technology, the Obama administration announced Thursday.
David Recordon will be responsible for making sure President Obama’s office is using the most updated and secure technology, the White House explained in a blog post.
… Last year, the president created the new U.S Digital Service to replicate the government’s success turning around the early troubles of HealthCare.gov all across the government.
That effort is led by former Google executive Mikey Dickerson, and on Thursday it helped unveil a new tool for the public to keep track of how people visit government websites.


For our Big Data students.
Understanding Small Business Web Analytics
You can find a slew of powerful Web analytics tools that you can use to see how well your small business website, social media feeds, email blasts and pay-per-click ad campaigns are performing. But those tools won't help much unless you understand which numbers matter most and what they mean.


I wonder... Could we use this App to allow our students to “test out” of certain tech skills?
Smarterer Announces Free Access to Its Skill Assessment API
Smarterer, a skill assessment engine, has announced that the Smarterer REST API is now free for companies and individuals to utilize. With the API, companies and individuals can embed hundreds of crowdsourced skill assessments directly into products, apps, and websites. Prior to this announcement, the API came with a charge to use the service; but, Smarterer and its parent company, Pluralsight, decided to open the service for anyone to freely use.
Smarterer was created after founder, Dave Balter, discovered that the skills needed to fill job openings in today's rapidly changing, technology-driven marketplace where difficult to uncover but necessary to adequately choose a candidate. Smarterer is built upon a crowdsourced set of skill tests (currently over 400 tests exist).
For more detailed information on the API, check out the API docs.


Perhaps I should expand my idea of students writing their own textbook to the creation of links to all the educational tool you will ever need. (Then use them to conquer the world!)
Book Preview - Deeper Learning Through Technology
Ken Halla writes the US History Educators Blog. I've been following that blog for years so when Ken had his first book published I agreed to share the news here. Ken's book preview is posted below. On a related note, Ken and I are planning to offer an online course together this summer.
For the better part of 14 months I (Ken Halla) have devoted a great deal of time to my new book Deeper Learning Through Technology: Using the Cloud to Individualize Instruction. If you follow my blogs on content, pedagogy and technology (US history, economics, government and world history) you know that I have definite research based beliefs to change that needs to occur in our classrooms. My book discusses these needs, outline the technology needed for higher level thinking and for more personalized learning and then gives you step by step instructions for how to use it all.
… my favorite part of the book is that after giving you reasons why and then showing you how, I give you actual examples of how each is being implemented in the classroom. To ensure you follow through I give you and your PLC five action items to start doing in each chapter so you can change your classroom.

(Related) Even we have Luddites.
Convincing Skeptical Employees to Adopt New Technology
… According to a study by MIT Sloan Management Review and Capgemini Consulting, the vast majority of managers believe that “achieving digital transformation is critical” to their organizations. However, 63% said the pace of technological change in their workplaces is too slow, primarily due to a “lack of urgency” and poor communication about the strategic benefits of new tools.


For my Excel students. If MakeUseOf.com keeps producing these guides, I'll keep pointing to them for my students!
Mini Excel Tutorial: Using Advanced Counting and Adding Functions in Excel

Thursday, March 19, 2015

Interesting precedent.
Target hack victims could get up to $10,000
Target is proposing to pay customers who suffered from a 2013 data breach up to $10,000 each in damages.
The proposal is part of a $10 million offer by Target to settle a class action lawsuit. Victims able to prove they were harmed by the breach, which affected up to 110 million customers, will be eligible for up to $10,000 each.
… In addition, Target (TGT) is required to improve its data security, including the designation of a chief information security officer. The company must also provide security training to its employees.
… Under the terms of the proposed settlement, Target customers who can prove they were damaged by the data breach will get the first shot at the $10 million. For example, victims will be reimbursed for unauthorized credit card charges, bank fees or costs related to replacement IDs -- so long as they are documented.
After those claims are paid, any remaining settlement funds will be evenly distributed to class members without documentation.

(Related)
… While it's yet to be formally signed off, the settlement documentation is thorough—enough to include a draft of the form that victims will fill in to make a claim


Not what you want your breach victims to hear. However the audit states (kind of) that Premera does have adequate security management. We will have to wait to see if anything the auditors found is related to the breach.
Mike Baker reports:
Three weeks before hackers infiltrated Premera Blue Cross, federal auditors warned the company that its network-security procedures were inadequate.
Officials gave 10 recommendations for Premera to fix problems, saying some of the vulnerabilities could be exploited by hackers and expose sensitive information. Premera received the audit findings April 18 last year, according to federal records.
Read more on Seattle Times.
I’m waiting for someone to discuss whether if OCR had been more actively auditing covered entities, the Anthem and Premera breaches would have occurred.
[From the article:
The auditors also found that several servers contained software applications so old that they were no longer supported by the vendor and had known security problems, that servers contained “insecure configurations” that could grant hackers access to sensitive information, and that Premera needed better physical controls to prevent unauthorized access to its data center.
[The audit report:


Another example of words you don't want your breach victims (or their lawyers) to hear. Also interesting, the words you don't hear form Anthem.
Sarah Ferris reports:
Leaders of the Senate’s health committee are accusing insurer giant Anthem of failing to inform millions of people who may have been affected by a massive data breach last month.
Committee chairman Lamar Alexander (R-Tenn.) and ranking member Patty Murray (D-Wash.) said Wednesday that 50 million customers who may have been impacted by the cyberattack still have not been informed.
Read more on The Hill.
And count me among the 50 million who still have not received a notification letter, so I’m not exactly unbiased here.
[From the article:
A spokesperson for Anthem defended the company's response to the data breach. Because the company expected a lengthy process to inform all of the impacted customers, it set up a website and a hotline for customers. [That has nothing to do with notification. Bob]
"Over the last few days, we have also accelerated our member notification mailings. Approximately 2.4 million letters are mailed daily. [Clearly not starting six weeks ago, so when did it start and how many letters have been mailed? Bob] We are working continuously to complete that process as soon as possible," the company wrote in a statement.


This could be interesting. I wonder if the ACLU will take the argument nationwide?
Cyrus Farivar reports:
According to a judicial ruling issued Tuesday, the Erie County Sheriff’s Office (ECSO) in Northwestern New York state must turn over a number of documents concerning its purchase and use of stingrays. The 24-page order comes as the result of a lawsuit brought by the New York Civil Liberties Union (NYCLU) and marks a rare victory in favor of transparency of “cell-site simulators,” which are often shrouded in secrecy.
Read more on Ars Technica.


Apparently flying a drone while drunk (DWI – Droneing While Impaired?) is not a crime in DC? Also provides my Ethical Hackers with guidance: Do you surveillance, cut the connection, get drunk.
No charges for man accused of crashing drone at White House
… The U.S. Attorney’s office for the District of Columbia said on Wednesday that a Secret Service investigation of the incident found the pilot of the craft — reported to be an employee of a federal intelligence agency who had been drinking — lost control of the flying machine around 3 a.m. on January 26.
… “A forensic analysis of the drone determined that it was not operating under the direction of its controller when it crashed at the White House,” the U.S. Attorney’s office said. [Is that why there were no charges? Bob]
… Despite the decision by the U.S. Attorney’s office, the Federal Aviation Administration is reviewing the incident and may impose an action of its own.
… In response, the manufacturer of the $1,000, 2-pound Phantom quadcopter instituted new restrictions to prevent the machine from flying around downtown Washington.

(Related) Drones for cheap...
SKEYE Nano Drone on Sale For 41% off – Now Just $34.99


At the bottom of a slippery slope?
Elizabeth Goitein and Faiza Patel write:
The Foreign Intelligence Surveillance (FISA) Court is no longer serving its constitutional function of providing a check on the executive branch’s ability to obtain Americans’ private communications. Dramatic shifts in technology and law have changed the role of the FISA Court since its creation in 1978 — from reviewing government applications to collect communications in specific cases, to issuing blanket approvals of sweeping data collection programs affecting millions of Americans.
Under today’s foreign intelligence surveillance system, the government’s ability to collect information about ordinary Americans’ lives has increased exponentially while judicial oversight has been reduced to near-nothingness. This report concludes that the role of today’s FISA Court no longer comports with constitutional requirements, including the strictures of Article III and the Fourth Amendment. The report lays out several steps Congress should take to help restore the FISA Court’s legitimacy.
Read the Brennan Center report:


I sometimes wonder what planet the French are from. Clearly their brains function quite unlike human brains.
Glyn Moody writes:
Techdirt has been charting for a while France’s descent from a bastion of enlightenment values to a country that seems willing to give up any freedom in the illusory hope of gaining some security. According to a story in Le Figaro, even worse is to come in the shape of a new law (original in French, found via @gchampeau):
[the proposed law] wants to force intermediaries to “detect, using automatic processing, suspicious flows of connection data”. Internet service providers as well as platforms like Google, Facebook, Apple and Twitter would themselves have to identify suspicious behavior, according to instructions they have received, and pass the results to investigators. The text does not specify, but this could mean frequent connections to monitored pages.
Read more on TechDirt.


I'm just saying...
Feds acknowledge power to act on Web rates
Federal regulators on Wednesday acknowledged that new net neutrality regulations could allow the government to interfere with how much companies charge for Internet service.


Clearly, I'm out of touch. Do we need 1 hour delivery? It suggests to me that we can no longer plan ahead. Why Miami and Baltimore? Do those cities lead the pack when ordering fast delivery?
Amazon expands one-hour delivery to Miami and Baltimore
… Amazon (AMZN, Tech30) said that its service, Prime Now, expanded to "select Baltimore and Miami zip codes" on Thursday and will soon expand to wider neighborhoods in those cities.
Amazon said the service is available to Prime members (costing $99 a year) and can be accessed through an app on iOS and Android devices. One-hour delivery costs $7.99 and two-hour delivery is free. The service is available from 8 a.m. to 5 p.m., seven days a week.


Interesting article, but now I have even more questions.
Why the U.S. does nothing in Ukraine
The ongoing war in Ukraine recently passed the first anniversary of the highly dubious referendum that split Crimea off from Ukraine and eventually saw it attached to Russia.
… For a recent paper, Krickovic and I interviewed a number of foreign policy experts here in Moscow to understand the extent of Russian strategic interests. The interview subjects clearly indicated that the war in Ukraine is a symptom of greater dissatisfaction with the post-Cold War international order. As Evgeny Lukyanov, the Deputy Secretary of Russia’s Security Council, has said, “We need to sit down [with the United States] and renegotiate the entire post-cold War settlement.” [Russia calls it a “settlement,” the US calls it a collapse. Bob]
… This places Obama in a different position relative to formulating strategy regarding a rising challenger like China that needs to be accommodated or challenged because the latter is dissatisfied with the international distribution of benefits. Russia is instead a declining challenger (by its own standards) that offers the United States a third policy course of maintaining the status quo and waiting to negotiate later from a position of greater strength.


An article for my next Computer Security class.
Common Mobile Application Security, Privacy Challenges
Last fall, the Gartner analyst firm predicted that through 2015, 75 percent of mobile applications would fail basic tests related to security and enterprise policy.
A separate survey from Frost & Sullivan of 300 enterprises found that 83 percent have at least one mobile app for employees to use on their devices, with roughly one-in-three having 11 or more.
Both these surveys underscore a basic reality for IT - the adoption of mobile apps has made secure development practices critical.
"Mobile application security is one of the fastest growing problem areas for developers and ultimately C-Level executives today,"


Skills for my students.
Learning Google Script: 5 Best Sites & Tutorials to Bookmark
… Google Apps Script is perhaps one of the most useful tools you can have in your technological toolbelt. It allows you to tie Google services together in a way that’s reminiscent of IFTTT. But it’s way more than that.
It’s an IDE (Integrated Development Environment), that runs in the browser. No installs necessary. Google Apps Script also offers a platform to run your code on, much like the ScraperWiki Platform, or Amazon Web Services, or Heroku does. The most obvious advantage of this is that it allows you to run your code from the cloud, and to be able to work from a variety of devices. It’s truly platform agnostic.


Timers for the toolkit?
6 Useful Timers and Clocks For Your Computer or Phone

Wednesday, March 18, 2015


This suggests that Premera might have asked the question, “Could that happen to us?” If so, they are virtually unique. Who else has been hacked but has yet to ask that question?
Major US Health Insurer Hacked, Affecting 11 Million
Premera Blue Cross said Tuesday its computer network had been hacked, potentially exposing data from 11 million people, in the second recent such attack on a major US health insurer.
Premera said in a statement it discovered on January 29 "that cyberattackers had executed a sophisticated attack" to get into its computer network.
An investigation found that the initial attack occurred on May 5, 2014. The company said hackers may have been able to access members' name, dates of birth, social security numbers, email addresses, bank account data and medical claims information.
The announcement by Premera came six weeks after a similar disclosure from Anthem Blue Cross, which said as many as 80 million customer records may have been compromised.


Update on another health related hack. This is the downside of failure to pay ransom.
As they had threatened to do if Labio did not pay them €20,000, the hacker collective known as Rex Mundi has started dumping/disclosing identifiable patient data. The dump was announced on Twitter by the @RexMundi2015 account.
DataBreaches.net confirmed that the records appear to be the results of lab tests performed on patients whose names, dates of birth, referring doctor, and test results are now publicly exposed.
As of the time of this posting, there is still no mention of the incident on Labio’s web site, and the firm has not yet responded to an inquiry from DataBreaches.net earlier today as to whether they have notified affected patients or intend to notify them.
Labio joins 16 other firms who have had their client or patient data revealed after refusing to pay Rex Mundi’s extortion demands. So far, none of the firms appear to be U.S. – based.
When asked what percent of firms do pay them, a spokesperson for Rex Mundi informed DataBreaches.net that over 50% of the entities they have hacked have paid the demanded monies to keep the hack quiet and to avoid having their clients’, employees’, or patients’ personal information publicly dumped.


"Ontogeny recapitulates phylogeny" It's not exactly true in biology, but it is true in Computer Security. We constantly find exactly the same security issues in each new generation of technology. (Perhaps I should hit the thesaurus to come up with a suitably obtuse phrase?)
Insecurity in the Internet of Things
Symantec – Insecurity in the Internet of Things – Mario Ballano Barcena, Candid Wueest, March 12, 2015.
… “The Internet of Things (IoT) market has begun to take off. Consumers can buy connected versions of nearly every household appliance available. However, despite its increasing acceptance by consumers, recent studies of IoT devices seem to agree that “security” is not a word that gets associated with this category of devices, leaving consumers potentially exposed. To find out for ourselves how IoT devices fare when it comes to security, we analyzed 50 smart home devices that are available today. We found that none of the devices enforced strong passwords, used mutual authentication, or protected accounts against brute-force attacks. Almost two out of ten of the mobile apps used to control the tested IoT devices did not use Secure Sockets Layer (SSL) to encrypt communications to the cloud. The tested IoT technology also contained many common vulnerabilities. All of the potential weaknesses that could afflict IoT systems, such as authentication and traffic encryption, are already well known to the security industry, but despite this, known mitigation techniques are often neglected on these devices. IoT vendors need to do a better job on security before their devices become ubiquitous in every home, leaving millions of people at risk of cyberattack.”


Interesting. Who gets the data?
Talking Barbie Says Hello, Parents Say Goodbye
… Mattel plans to bring out Hello Barbie in time for Christmas.
However, Campaign for a Commercial Free Childhood has organized an online petition calling on Mattel CEO Christopher Sinclair to stop production of the toy.
Here's how Hello Barbie works: A kid presses on the doll's belt buckle and speaks into a microphone in the doll's necklace. An artificial intelligence system processes and analyzes that speech in the cloud. Responses are then streamed back to the doll, who replies to the kid -- all over a secure WiFi connection to the Internet.
… Hello Barbie will use technology from San Francisco-based startup ToyTalk, which is also behind the Winston Show -- a kids' iPad game app that interacts with players -- and the SpeakaLegend mobile iOS app.
… ToyTalk's privacy policy is what has people stirred up.
Essentially, it says that using any of the company's services constitutes giving ToyTalk permission to collect, use and disclose personal information. Further, those who let others (say, children) use their account to access the service confirm they have the right to consent on their behalf to ToyTalk's collection, use and disclosure of their personal information.
… ToyTalk's data collection and use is not very different from what online sites do, really, except that the users are kids.

(Related) Perhaps everyone gets your data?
Siri Is Listening: Has iOS Privacy Been Blown Open?
Another week, another accusation of a major technology company spying on you. This week, it’s Apple’s turn, with the tech giant accused of recording everything – absolutely everything – you say to Siri, and passing it on to a third-party.
The allegations were made in a Reddit post by someone who goes by the name of FallenMyst. The pseudonymous poster purports to be a recent employee of Walk N’Talk Technologies, where her job is to listen to audio recordings of people using Siri, and rate how closely they match computer generated transcriptions.
… These latest allegations come not long after Samsung was pilloried for privacy-unfriendly behavior in their latest Smart TVs, where they listened to anything said in their vicinity, and then relayed them to a third-party.


I would like to sic my Business Intelligence students on these emails. Hillary has stated that there was nothing “classified” in the emails, so all we should get is the equivalent of a bunch of online pizza orders, but it might be amusing to map volumes to a timeline of the events the State Department should have been talking about.
Anti-secrecy groups demand feds review Clinton emails
A dozen anti-secrecy groups are demanding that the State Department and National Archives independently verify that all official emails from former Secretary of State Hillary Clinton are accounted for.
Citing fears of setting “a dangerous precedent for future agency appointees,” the organizations told Secretary of State John Kerry and Archivist David Ferriero to do checks of their own to ensure that all workplace emails sent or received by Clinton during her time in office are on federal servers — not her own personal machine.
“[T]he task of determining which emails constitute federal records should not be left solely to Mrs. Clinton’s personal aides,” the groups, including the Sunlight Foundation, the Electronic Frontier Foundation and OpenTheGovernment.org, wrote in a letter on Tuesday.


Perhaps “Free” will trump an upgrade? Remains to be seen.
Microsoft says pirated versions of Windows will also get a free upgrade to Windows 10
… According to Microsoft's Terry Myerson, Windows 10 is a free upgrade for all Windows 7 and Windows 8.x users, regardless of whether your install is genuine or not. This looks to be a way to convince everybody to move to Windows 10, and if pirates also get a free upgrade why would they refuse?


Another article for my Data Management class.
The Quantified Workplace: Despite the Hype, Not All That Useful Yet

(Related) A little nerdy, but my statistics students will understand the problem. I suspect the impact in business could be quite significant.
The Extent and Consequences of P-Hacking in Science
Head ML, Holman L, Lanfear R, Kahn AT, Jennions MD (2015) The Extent and Consequences of P-Hacking in Science. PLoS Biol 13(3): e1002106.. doi:10.1371/journal.pbio.100210
“A focus on novel, confirmatory, and statistically significant results leads to substantial bias in the scientific literature. One type of bias, known as “p-hacking,” occurs when researchers collect or select data or statistical analyses until nonsignificant results become significant. Here, we use text-mining to demonstrate that p-hacking is widespread throughout science. We then illustrate how one can test for p-hacking when performing a meta-analysis and show that, while p-hacking is probably common, its effect seems to be weak relative to the real effect sizes being measured. This result suggests that p-hacking probably does not drastically alter scientific consensuses drawn from meta-analyses.”


Next, let's try for 100 times cheaper. (Interesting video)
3-D Printing Just Got 100 Times Faster
… Instead of printing objects by stacking thin layers on top of one another—a process that can take days, depending on what you’re printing—they built a device that produces a complete object from a pool of goop.


For my programming students.
Learn to Code with These 7 Courses from Microsoft and edX
edX is one of the biggest providers of Massively Online Open Courses (MOOCs), with over three million students, and over three hundred courses. They offer University-level professional education, at a fraction (or none) of the cost, and boast courses in everything from computer skills, to history, to hard science.
Hallowed institutions of learning, from MIT to Berkeley, the Smithsonian to the University of Delft, offer courses on the site, and now so too does Microsoft.
They’re offering seven instructor-taught courses, all starting between March and April. Here’s what’s on offer.


For my geeky students. Let's hope no one on the Death Star notices how much fun these are.
Star Wars + Drones = Dreams Come True