Friday, June 01, 2012


For my Ethical Hackers. An “excerpt” timed to help promote his book? Something to consider in light of “A Just CyberWar”
Obama Order Sped Up Wave of Cyberattacks Against Iran
… Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.


Did the breach occur at all four locations simultaneously, or at some third-party processor? Will the state even bother to follow up and find out?
A Six-Figure Credit Breach at Five Guys
June 1, 2012 by admin
I hate it when we only find out about data breaches from lawsuits, but at least we find out. Marlene Kennedy of Courthouse News reports:
Five Guys burger joints failed to safeguard their data, giving hackers access to the accounts of debit-card-paying customers, a bank claims in court.
Trustco Bank says the hackers racked up more than $89,800 in charges on the accounts of clients who visited Five Guys restaurants in Albany, Schenectady, Warren and Saratoga counties.
The defendants in the complaint, filed in Schenectady County Supreme Court, are RSVT Glenmont LLC, RSVT Niskayuna LLC, RSVT Queensbury LLC and RSVT Saratoga Springs LLC. Each operates a Five Guys restaurant in the communities listed in their names.
[...]
The unauthorized transactions – Trustco counted 376 – occurred in November and December 2011, according to the complaint.
Read more on Courthouse News. Kennedy reports that according to the complaint, the affected restaurants “never provided notification to … customers of the security breach,” as required by New York law.
So what will NYS do, if it even knows about this lawsuit?


“It's not that we dislike ‘public debate,’ we just don't see any reason to help it along.”
"The House Appropriations Committee is considering a draft report that would forbid the Library of Congress to allow bulk downloads of bills pending before Congress. The Library of Congress currently has an online database called THOMAS (for Thomas Jefferson) that allows people to look up bills pending before Congress. The problem is that THOMAS is somewhat clunky and it is difficult to extract data from it. This draft report would forbid the Library of Congress from modernizing THOMAS until a task force reports back. I am pretty sure that the majority of people on slashdot agree that being able to better understand how the various bills being considered by Congress interact would be good for this country."


“We don't want them screwing up the Internet, that's our job!”
"In a rare show of bipartisan agreement, lawmakers from both sides of the aisle warned this morning that a United Nations summit in December will lead to a virtual takeover of the Internet if proposals from China, Russia, Iran, and Saudi Arabia are adopted. Called the World Conference on International Telecommunications, the summit would consider proposals including '[using] international mandates to charge certain Web destinations on a "per-click" basis to fund the build-out of broadband infrastructure across the globe' and allowing 'governments to monitor and restrict content or impose economic costs upon international data flows.' Concerns regarding the possible proposals were both aired at a congressional hearing this morning and drafted in a congressional resolution (PDF)."


What does it take to convince Congress? (Nothing. Their minds are already made up.)
May 31, 2012
EFF - Review House Hearing on Warrantless Wiretapping and the FISA Amendments Act
News release: "This morning, the House Judiciary Committee held an important hearing on the FISA Amendments Act (FAA) and the scope of the NSA’s warrantless wiretapping program. The FAA, which gutted privacy protections governing the interception of international phone calls and e-mail to and from the United States, is set to expire at the end of the year, and Attorney General Eric Holder says it is his “top priority” to see it renewed."


This does not extend to inconsequential Blogs... Also, just because they are in the minority makes no difference?
Judge says authors can sue Google
A judge filed a ruling today that gives authors, photographers, and illustrators the green light to sue Google.
The ruling allows the drawn-out court case -- over Google Books' practice of scanning out-of-print books and copyrighted content for Web searches -- to move forward. The suit will now determine if Google's argument that it has a fair-use defense has any merit.
… Google had tried to argue that the Authors Guild and an illustrators and photographers' group should be taken off the suit. According to the suit, Google said a class action suit is not justified because many authors wanted their books scanned. The company points to a survey in which over 500 authors, or 58 percent of those surveyed, "approve" of Google scanning their work for search purposes.
"Google's argument is without merit," Chin wrote. "The lead plaintiffs are adequate representatives of the class."
Read the entire ruling, posted by the Public Index, here.


The problem with “We don't like you” lawsuits...
Judge Frees Google’s Android From Oracle Copyrights
The federal judge refereeing the billion-dollar fight between Oracle and Google over the Android operating system has dismissed Oracle’s claim that the Java APIs used by Android are subject to copyright.
The APIs are application program interfaces, code that lets one piece of software talk to another. The general assumption has long been that APIs aren’t subject to copyright. But in suing Google over Android, Oracle insisted that they were, and after a six-week trial, the company’s efforts to win serious damages from Google came down to this single point.
But on Thursday, Judge William Alsup ruled that Oracle does not have the exclusive rights to the structure, sequence, and organization of the 37 Java APIs in question.
“To accept Oracle’s claim would be to allow anyone to copyright one version of code to carry out a system of commands and thereby bar all others from writing their own different versions to carry out all or part of the same commands,” read the ruling from Alsup. “No holding has ever endorsed such a sweeping proposition.”

(Related) Watch out when a judge does his homework! (I just love these little 'smack downs.')
Judge William Alsup: Master of the court and Java
… Alsup acknowledged during the trial that he had learned about Java coding to better prepare for the case, and it showed. On a daily basis, he would deftly query the lawyers and expert witnesses on the structure, sequence, and organizations of APIs to assist the jury in understanding the key facets of the copyright phase of the trial.
In one episode, Oracle's star lawyer, David Boies, who bested Bill Gates in the U.S. v. Microsoft case and represented Vice President Al Gore in Bush v. Gore in front of the Supreme Court, was arguing that Google copied the nine lines of rangeCheck code to accelerate development to gain faster entry into the mobile phone market.
Alsup told Boies, "I have done, and still do, a significant amount of programming in other languages. I've written blocks of code like rangeCheck a hundred times before. I could do it, you could do it. The idea that someone would copy that when they could do it themselves just as fast, it was an accident. There's no way you could say that was speeding them along to the marketplace. You're one of the best lawyers in America -- how could you even make that kind of argument?"
Oracle plans to appeal Alsup's ruling. The company faces an uphill battle given the judge's ruling is rich in context, with detailed deconstructions of the Java language and APIs, as well as the expected legal citations and examples. It will likely serve as a textbook for future cases involving intellectual property rights and computer programming languages.


Something like the Nature Conservancy for music?
"Following Tuesday's story about MuseScore releasing its open source recording of the Goldberg Variations, the Musopen project has released ProTools files from its open source recording project. The final edited recordings are still being worked on but it seems we're living in very interesting times regarding open source classical music."
[From Kickstarter:
Musopen is a non-profit dedicated to providing copyright free music content: music recordings, sheet music and a music textbook. This project will use your donations to purchase and release music to the public domain. Right now, if you were to buy a CD of Beethoven's 9th symphony, you would not be legally allowed to do anything but listen to it. You wouldn't be able to share it, upload it, or use it as a soundtrack to your indie film- yet Beethoven has been dead for 183 years and his music is no longer copyrighted. There is a lifetime of music out there, legally in the public domain, but it has yet to be recorded and released to the public.


For my Ethical Hackers...
"Apple has released a detailed security guide for its iOS operating system, an unprecedented move for a company known for not discussing the technical details of its products, let alone the security architecture. The document lays out the system architecture, data protection capabilities and network security features in iOS, most of which had been known before but hadn't been publicly discussed by Apple. The iOS Security guide (PDF), released within the last week, represents Apple's first real public documentation of the security architecture and feature set in iOS, the operating system that runs on iPhones, iPads and iPod Touch devices. Security researchers have been doing their best to reverse engineer the operating system for several years and much of what's in the new Apple guide has been discussed in presentations and talks by researchers. 'Apple doesn't really talk about their security mechanisms in detail. When they introduced ASLR, they didn't tell anybody. They didn't ever explain how codesigning worked,' security researcher Charlie Miller said."


Might be just what I need to have my computer up and running each morning when I start my Blogging... (How's your German?)
Sleep Timer … allows you to have your computer turn off, restart or go to sleep whenever you need it to.
The program is super easy to use, and it takes up almost no memory. The application requires no installation, so you can run it from a flash drive and take it with you. You can set it to make your computer restart, go into hibernation mode or shut down completely, and they are all easy to set up.

Thursday, May 31, 2012


Is this why some breach victims keep silent?
If There is Credit Card Fraud, There Must Have Been a Breach
May 31, 2012 by admin
Craig Hoffman writes:
As we reported in December 2010, after an online merchant suffered chargeback losses of almost $12,000 on nine fraudulent orders, it sued the bank that issued the nine cards that were fraudulently used alleging that the most likely cause of the fraud was a data security breach at the bank that the bank ignored.
E-Shops Corp. v. U.S. Bank National Association worked its way through the courts, but the merchant found no joy. Read Hoffman’s discussion of the case and ruling on Data Privacy Monitor.
[From the article:
Rather, the court stated that the merchant was required to describe the circumstances surrounding the breach—“the who, what, when, where and how U.S. Bank’s conduct amounted to false, deceptive, or misleading conduct.”


An exploration of the failure of Universities to practice what they teach. Points to a few million student victims to make the point...
New Math, data breaches version


Wait till he finds out they can carry weapons! (Is there such a thing as “manned drones?”)
"During a radio interview, Virginia governor Bob McDonnell suggested that using unmanned drones to assist police would be 'great' and 'the right thing to do.' 'Increased safety and reduced manpower are among the reasons the U.S. military and intelligence community use drones on the battlefield, which is why it should be considered in Virginia, he says. ... McDonnell added Tuesday it will prove important to ensure the state maintains Americans' civil liberties, such as privacy, if it adds drones to its law enforcement arsenal.' Is this the next step toward militarizing our law enforcement agencies? How exactly can they ensure our privacy, when even the Air Force can't?"


Amazing what the founding fathers foretold...
Sex offenders battle state courts for Facebook accounts
Tens of thousands of registered sex offenders have been purged from social networks like Facebook and MySpace over the past several years -- banned by state laws prohibiting them from using chat rooms, social networks, or instant messaging.
However, some of these registered sex offenders are now trying to turn the tables in state courts. Legal battles over the right to use social networks have ensued across the U.S., from Indiana to Nebraska to Louisiana, according to the Associated Press.
The position of the registered sex offenders and civil liberties groups is that the state bans violate free speech and the individual right to join in online discussions, according to the Associated Press. Civil liberties advocates argue that the Internet and social networking is now so widespread that using it has become necessary for free speech. [Blogs ain't speech? Bob]


Rather than assume I want no data collection, how about letting me decide how much to collect, how long to keep it, and where I want it stored?
Consumer group says self-driving cars pose privacy risk
May 30, 2012 by Dissent
Jerry Hirsch reports:
A consumer group says a bill that would allow self-driving cars on California’s roads does not do enough to protect privacy.
The bill, SB 1298, sponsored by Sen. Alex Padilla (D-Pacoima), has passed the California Senate and is awaiting Assembly consideration in June. It establishes guidelines for “autonomous vehicles” to be tested and operated in California.
It has flown through the Legislature, passing the Senate unanimously.
[From the article:
“Without appropriate regulations, Google’s vehicles will be able to gather unprecedented amounts of information about the use of those vehicles. How will it be used? Just as Google tracks us around the Information Superhighway, it will now be looking over our shoulders on every highway and byway,” Court said in a letter to Assembly Speaker John A. Perez (D-Los Angeles).


“Clearly laws don't work. Let's pass another law.” What's wrong with this logic?
By Dissent, May 30, 2012
Associated Press reports:
U.S. Sen. Al Franken said Wednesday he plans to pursue legislation or federal regulations requiring encryption of all laptops containing private medical information, after presiding over a hearing on aggressive debt collection practices in several Minnesota hospitals.
Read more on Washington Examiner.
Why stop at laptops? What about other mobile devices? Security should be based on the type and sensitivity of the data, not the type of mobile device.


If everyone agrees this is a problem, why don't we have a national law?
Bill banning warrantless cellphone tracking clears California Senate
May 30, 2012 by Dissent
Michelle Maltais reports:
California is one step closer to banning law enforcement from tapping the data from the tracking device in your palm, pocket or purse without a warrant.
The state Senate passed a bill Wednesday that requires a warrant to seek access from wireless carriers to the near-constant data stream coming from our cellphones.
Read more on The Los Angeles Times.


Bringing IP law into the 3D world...
Clive Thompson on 3-D Printing’s Legal Morass
Last winter, Thomas Valenty bought a MakerBot — an inexpensive 3-D printer that lets you quickly create plastic objects. His brother had some Imperial Guards from the tabletop game Warhammer, so Valenty decided to design a couple of his own Warhammer-style figurines: a two-legged war mecha and a tank.
He tweaked the designs for a week until he was happy. “I put a lot of work into them,” he says. Then he posted the files for free downloading on Thingiverse, a site that lets you share instructions for printing 3-D objects. Soon other fans were outputting their own copies.
Until the lawyers showed up.

(Related) Extending IP law into the Outer Limits
"Simply giving your mother an e-book for her birthday could constitute patent infringement now that the USPTO's gone and awarded Amazon.com a patent on the 'Electronic Gifting' of items such as music, movies, television programs, games, or books. BusinessInsider speculates that the patent may be of concern to Facebook, which just dropped a reported $80 million on social gift-giving app maker Karma Science."


For my overwhelmed students. (Worth reading just for the quotable numbers.)
Information Overload Is Not a New Problem
There is a wonderful essay in The Hedgehog Review about the promise and perils of information overload. Titled Why Google Isn’t Making Us Stupid…or Smart, this essay written by Chad Wellmon explores the history of information overload and explores its implications. But Wellmon also spends some time demonstrating that information overload is far from a new problem:
These complaints have their biblical antecedents: Ecclesiastes 12:12, “Of making books there is no end”; their classical ones: Seneca, “the abundance of books is a distraction”; and their early modern ones: Leibniz, the “horrible mass of books keeps growing.”


Why students should bathe... Indication of a new tool for biometrics?
Age can be detected by smell, study finds
Catching a whiff of someone's body odour is enough to tell you whether they are young, middle aged or elderly without having seen them, researchers found.
Elderly people's smell was the most distinctive but, contrary to expectation, was also judged by volunteers to be less intense and unpleasant than that of younger people.


What to do if your thumbs are in a cast?
Twitter Voice is a handy Android application for Twitter users who want to tweet quickly without having to type anything. A great application for people on the move, for example, people who want to tweet as they drive the car. [“I'm driving” “I'm turning right” “I'm Okay, but the other guy may need an ambulance” Bob]


I wonder what the equivalent was in my day...
… For those of you who don’t know what this is (but it’s pretty obvious from the word itself), it’s when you send a text message to someone with either sexually explicit text, a sexually explicit picture, or both.
… According to today’s infographic, two-thirds of US students have sent sexually suggestive messages via their mobile phone.


Might make an interesting project for my Intro to Computing class...
Windows PCs are notoriously junk-filled out-of-the-box. Buy a Microsoft Signature PC from a Microsoft Store (yes, Microsoft has a handful of stores across the US) and you’ll find it free of the usual junk. Soon, Microsoft will offer to turn any PC into a Microsoft Signature PC with its “Signature Upgrade” service – as long as you pay $99.
A typical PC might come with a pile of additional desktop shortcuts, system tray applications, and other bloatware. Software developers pay computer manufacturers to preload their software, reducing the price of the computer by a few dollars. Microsoft realizes that this makes Windows look bad and their response is Microsoft Signature, a fancy name for PCs without the junk. But there are steps you can take yourself that will save you from paying that $99.


Free is good. Granted the target audience is K-12 students, but there are many useful thingies here. Blank Music sheets, Free e-Books, create your own comics (useful for presentations to the CEO), etc.
One of the common obstacles to using many Web 2.0 tools in elementary school and middle school classrooms is the registration requirement that those tools have. Fortunately, there are many good Web 2.0 tools that do not require registration. Nathan Hall has started to put together a Diigo list of Web 2.0 tools that do not require registration. When I saw the list yesterday it had 60 items. When I looked at the list this morning there were 101 items on the list. Take a look at Nathan's list and I think you'll find some new-to-you tools; I did.

Wednesday, May 30, 2012


Perhaps DoJ should hire some lawyers?
"A judge in New Zealand has ordered the U.S. government to hand over evidence seized in the Megaupload raid so Kim Dotcom and his co-defendants can use it to prepare a defense for an extradition hearing. The judge wrote, 'Actions by and on behalf of the requesting State have deprived Mr. Dotcom and his associates of access to records and information. ... United States is attempting to utilize concepts from the civil copyright context as a basis for the application of criminal copyright liability [which] necessitates a consideration of principles such as the dual use of technology and what may be described as significant non-infringing uses.' Once the defense attorneys have gathered and presented their evidence, the judge must decide whether the U.S. can make a reasonable case against Dotcom."


Cloud computing: Something we clearly need to address.
Is the Cloud Too Risky for Some Purposes?
“Forrester says that sometime this year we will have reached the point where 50 percent of companies are using some form of SaaS. The Yankee Group says that 41 percent of large companies already have or will deploy Platform as a Service technology in the next 12 months. VMWare and the Cloud Industry Forum (CIF) estimates cloud adoption to be at 48 percent of businesses in the UK.”
But Weisinger also notes in his post for the enterprise content management (ECM) firm Formtek a Wisegate report that found “50 percent of organizations think that the cloud is still too risky for handling most data and are only comfortable with using it for ‘commodity’ applications like CRM and email.”

(Related)
PCI DSS Compliance in the Cloud: Challenges and Tactics
Perhaps the largest point of confusion with regards to the Payment Card Industry Data Security Standard (PCI DSS) and cloud computing is the question of upon whose shoulders does compliance fall? In 2011, several cloud providers began asserting that their clouds were validated as PCI DSS compliant. That’s all well and good, but unfortunately this validation does not trickle down to the providers’ customers who deploy servers within the provider’s infrastructure. If your organization wants to migrate PCI DSS in-scope systems to public cloud, there are several things to consider.
First and foremost, a cloud provider’s platform is just that – a platform. Physical servers are not certified PCI compliant by the hardware manufacturers, just as operating system vendors are not. The platform and software employed serve as a medium upon which businesses can operate. It should be noted, however, that PCI certification for a provider does not just cover material, but process as well.


Apparently, “Ignorance of the Constitution” is a defense.
No Constitutional Issue in Shared Autopsy Photos
May 29, 2012 by Dissent
Tim Hull reports:
Despite a clear constitutional right to control death images of relatives, a district attorney is not liable for sending an autopsy photograph to the press, the 9th Circuit ruled Tuesday.
In the first decision of its kind, the federal appeals court in San Francisco found that “the common law right to non-interference with a family’s remembrance of a decedent is so ingrained in our traditions that it is constitutionally protected.”
Read more on Courthouse News.
Related: Opinion in Marsh v. County of San Diego  (via Venkat Balasubramani).
[From the Courthouse News article:
The panel found that Brenda Marsh had a clear right to control her son's death images, but since that right was not clearly established when Coulter released the photographs, he has qualified immunity.
… "This intrusion into the grief of a mother over her dead son -- without any legitimate governmental purpose -- 'shocks the conscience' and therefore violates Marsh's substantive due process right."


A bit of a follow up... “Papers, student!” I assume the students will be required to have their IDs on them at all times. What happens if the ID is in school but the student isn't?
Arphid Watch: schoolkids in Houston and San Antonio TX
A school district in San Antonio, Texas, plans to put RFID chips in student ID cards. A spokesperson for the Northside Independent School District said, “We want to harness the power of technology to make schools safer, know where our students are all the time in a school, and increase revenues.”
The RFID chips will reportedly work only while the students are on school property. [Want to bet? Bob]

(Related)
Texas school district to track kids through RFID tags
It does seem a shame that money is mentioned in all of this. One might have been able to understand it if this was purely a safety issue, but clearly it isn't. Indeed, in Houston, two school districts already enjoy this technology and it has reportedly brought them hundreds of thousands of extra dollars.
The Northside district, Kens 5 News says, loses $175,000 a day because of late or absent kids.
… However, after cases such as the one in Philadelphia where a school was sued for allegedly spying on a student off-campus (the school settled for around $600,000), some parents will surely be concerned that the kids will be snooped upon.
It's not as if this sort of tagging offers absolute security. What if an ID is stolen? What if the system is hacked and someone with evil purpose can quite literally track the movements of all the kids?

(Related)
Students will be tracked via chips in IDs
… Chip readers on campuses and on school buses [Which do leave school property Bob] can detect a student's location but can't track them once they leave school property. Only authorized administrative officials will have access to the information, Gonzalez said.
… He said officials understand that students could leave the card somewhere, throwing off the system. They cost $15 each, and if lost, a student will have to pay for a new one.
… The district plans to spend $525,065 to implement the pilot program and $136,005 per year to run it, but it will more than pay for itself, predicted Steve Bassett, Northside's assistant superintendent for budget and finance. If successful, Northside would get $1.7 million next year from both higher attendance and Medicaid reimbursements for busing special education students, he said.


Incontrovertible proof that Economists live in a world of fiction?
Economist Paul Krugman Is a Hard-Core Science Fiction Fan
If you follow the news at all, you’ve probably seen Paul Krugman — Princeton professor, New York Times columnist, and Nobel Prize-winning economist — championing the idea that government spending can lift us out of the economic crisis. What you may not know is that Krugman is also a huge science fiction fan.
“I read [Isaac Asimov’s] Foundation back when I was in high school, when I was a teenager,” says Krugman in this week’s episode of the Geek’s Guide to the Galaxy podcast, “and thought about the psychohistorians, who save galactic civilization through their understanding of the laws of society, and I said ‘I want to be one of those guys.’ And economics was as close as I could get.”
… “If you read Ender’s Game, his brother and sister actually end up shaping planetary debate through their online aliases, and the debates they have with each other under assumed names,” Krugman says. “So all of this was prefigured, which is why science fiction is good for your ability to think about possibilities.”


For my Statistics students. Still a long way from a true “Reality Test.”
"The Global Economic Intersection reports on a project to statistically measure political bias on Wikipedia. The team first identified 1,000 political phrases based on the number of times these phrases appeared in the text of the 2005 Congressional Record and applied statistical methods to identify the phrases that separated Democratic representatives from Republican representatives, under the model that each group speaks to its respective constituents with a distinct set of coded language. Then the team identified 111,000 Wikipedia articles that include 'republican' or 'democrat' as keywords, and analyzed them to determine whether a given Wikipedia article used phrases favored more by Republican members or by Democratic members of Congress. The results may surprise you. 'The average old political article in Wikipedia leans Democratic' but gradually, Wikipedia's articles have lost the disproportionate use of Democratic phrases and moved to nearly equivalent use of words from both parties (PDF), akin to an NPOV [neutral point of view] on average. Interestingly, some articles have the expected political slant (civil rights tends Democrat; trade tends Republican), but at the same time many seemingly controversial topics, such as foreign policy, war and peace, and abortion have no net slant. 'Most articles arrive with a slant, and most articles change only mildly from their initial slant. The overall slant changes due to the entry of articles with opposite slants, leading toward neutrality for many topics, not necessarily within specific articles.'"

(Related) Think of it as “Behavioral Advertising.” The candidates are “products.”
"The Romney and Obama campaigns are spending heavily on television ads and other traditional tools to convey their messages. But strategists say the most important breakthrough this year is the campaigns' use of online data to raise money, share information and persuade supporters to vote. The practice, known as 'microtargeting,' has been a staple of product marketing. Now it's facing the greatest test of its political impact in the race for the White House. ... The Romney team spent nearly $1 million on digital consulting in April and Obama at least $300,000. ... Campaigns use microtargeting to identify potential supporters or donors using data gleaned from a range of sources, especially their Internet browsing history. A digital profile of each person is then created, allowing the campaigns to find them online and solicit them for money and support."

(Related) Toward an “automated congress?” True democracy? Politics by and for the Internet connected?
"Having read pretty heavily on the topic, weighed the pros and cons, and seen a few relevant slashdot articles, I wondered why an elected representative couldn't use online and in-person polling of constituents to decide the way he or she votes. Though we are living in the 'information age' and have rich communications media and opportunities for deep and accessible deliberation, we are getting by (poorly) with horse-and-buggy-era representation. In the spirit of science and because I think it's legitimately a better way of doing things, I recently announced my candidacy for Vermont's State Senate in Washington County."
How do you think such polling could be best accomplished? Do you think it's worth trying? Whether or not you buy into it, it's something that's only been made feasible in recent times with modern technology.


Perspective
Rise Of The Machines: IP Traffic Is Poised To Quadruple By 2016, Driven By An Influx Of New Devices
The latest VNI forecast shows a massive uptick in data usage, from the 369 Exabytes of IP traffic used worldwide in 2011 to approximately 1.3 zettabytes in 2016. According to Cisco, that rapid growth in data traffic will be driven by a proliferation of connected devices, ever-increasing broadband connectivity, and greater adoption of IP video worldwide.


Perspective
‘Walking Around Naked On The Internet’: McAfee Says 17% Of PCs Globally Lack Malware Protection
Some eye-opening stats out today from McAfee, the Intel-owned IT security company: a study of 28 million computers in 24 countries has found that 17 percent of all PCs do not have any form of security at all on them against viruses, worms, spyware and other Internet malware – a transgression that McAfee compares to “walking around naked on the Internet.”
But McAfee notes that while the average worldwide figure for unsecured PCs works out to one out of every six users, some countries are taking their security more seriously than others…


For my Infograph loving friends...
Infogram is an amazing new web tool platform for creating infographics quickly and easily. The tool is very simple to use and offers a whole host of unique WYSIWYG editing options from dragging content around to in-tool data table formatting.
… The site is free, robust, and going to be getting some more customized features and more templates soon. Looks like a great place for teachers and students to play with the art of visual explanation.


e-Textbooks are coming – deal with it.
iPad Only No More: Inkling Debuts HTML5-Powered E-Book App For The Web
Inkling, the San Francisco-based startup that’s known for making super slick interactive digital versions of college textbooks and other educational titles for the iPad, has debuted its first ever platform for the web browser.
‘Inkling for Web’ requires no Flash or other plug-ins, and is powered entirely by technologies such as HTML5, CSS and Javascript,


Something for my website students
Learn to Code With Mozilla’s ‘Thimble’ Editor
Mozilla Thimble is a new web-based code editor, part of the company’s recently unveiled “Webmakers” project. Thimble is designed to give novice webmakers an easy-to-use online tool to quickly build and share webpages.
You can check out Thimble over at the new Mozilla Thimble website. Keep in mind that Mozilla hasn’t formally launched Thimble; the company is still testing, fixing bugs and iterating the app.
Thimble is slightly different than other online code editors you may have tried, putting the emphasis on teaching HTML to newcomers rather than catering to advanced users. Thimble offers side-by-side code editor and code output panels which help new users see immediate results.
… Thimble can also load pre-made project templates to help users get started with some content that’s ready to build on. Currently the featured projects section of the Thimble homepage is still awaiting content, but among the coming projects is a tutorial on editing and creating your own Tumblr theme, as well as others from Mozilla’s various Webmaker partners.
To help new users get their Thimble-created projects on the web Mozilla has also bundled a publishing function directly into the editor. Once you’ve got your Thimble page looking the way you’d like it, just hit the “Publish” button and Thimble will output and host your page, offering up a URL to share with friends and another to edit your page if there’s something you need to change.

Tuesday, May 29, 2012


Initial reports were that only 30,000 students were impacted. They don't know what was downloaded, which strongly suggests they have no logs of user activity. Didn't bother with encryption... Way too much data accessible over the Internet... I wonder what else they did wrong?
University of Nebraska breach needs to reverberate in Washington, D.C.
May 28, 2012 by admin
The University of Nebraska disclosed a breach last week, which I dutifully entered on DataLossDB. The breach sounded like it could be huge, despite the university’s statement that it had no evidence (at that time) that any data had been downloaded:
The NeSIS database includes Social Security numbers, addresses, grades, transcripts, housing and financial aid information for current and former NU students as well as student applicants who may or may not have attended NU. The database includes information for alumni as far back as spring 1985.
The financial aid information included bank account data.
Today, as the university continues to investigate the hack, it disclosed more details. And while the thrust of the latest update, reported by Maggie O’Brien of Omaha World-Herald, is that the university is closer to identifying the hacker, what struck me was the sheer magnitude of the breach and how avoidable it all was:
The computer database holds 654,000 Social Security numbers as well as other personal information. It serves all four NU campuses — one in Lincoln, two in Omaha and one in Kearney — and includes alumni information from as far back as 1985.
At stake is not only personal information such as grades, but potentially critical information like Social Security numbers — which can be used for identity theft — and, in some cases, bank account numbers.
Mauk said that as of Sunday, officials had not been notified of any identity theft cases stemming from the breach. Even so, 21,000 people whose bank account information was on the student information system have been alerted.
What were 654,000 Social Security numbers doing being connected to the Internet? Why wasn’t the old data going back 25 years moved offline? Why weren’t the SSN converted to non-sensitive identification numbers? Is there really any justification for 21,000 bank account numbers to still be in an accessible database?
The U.S. Department of Education has never been firm enough in prohibiting the use of SSN as student identifiers. And this is what happens.
It’s time for the U.S. Department of Education and/or Congress to act. Data such as bank account numbers should not be retained/stored past its intended use or freshness date. And SSN should be replaced with unique identifiers that even if stolen, could not be used for fraud or ID theft.
Enough is enough. Attending a university shouldn’t put students and their parents at needless risk of ID theft.
[From the website NU established:
What happened?
On May 23, 2012, a staff member of the Computing Services Network detected a security breach in the Nebraska Student Information System, indicating that an individual had gained access to the database. This was a sophisticated and skilled attack on our system that was discovered and shut down within hours of its discovery. [No indication when the breach happened. Bob]
Is the data in the NeSIS encrypted?
… However, we are confident that the type of attack we experienced would have bypassed any encryption that was in place. [In other words, there was no encryption. And probably the hacker logged in as an authorized user. Bob]
[From the Omaha World article:
Mauk has said only a short time elapsed between the breach and its discovery.
Sunday, he declined to say whether the suspected hacker acted alone or was part of a group. Whoever did it was a skilled hacker whose intent was elaborate and malicious, Mauk said. [“We know what he intended because we can read his mind!” Bob]
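The post asks why SSNs could not be replaced with identifiers that are useless if stolen, and NU's own FAQ concedes that the attack "would have bypassed any encryption" because the intruder came in through the application. One design that addresses both points is tokenization: the student information system stores only an opaque random token, and the SSN-to-token mapping lives in a separate vault that only a few audited workflows can query. The Python below is an added example of that pattern, not code from NU, DataLossDB or the post; the `TokenVault` class, the `SID-` token prefix, the sample records and the "bursar" caller are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets
import time

_SSN_DIGITS = re.compile(r"^\d{9}$")


def normalize_ssn(ssn: str) -> str:
    """Strip separators and require exactly nine digits; refuse anything else."""
    digits = ssn.replace("-", "").replace(" ", "")
    if not _SSN_DIGITS.match(digits):
        raise ValueError("not a well-formed SSN")
    return digits


class TokenVault:
    """Holds the only copy of the SSN -> token mapping (hypothetical design).

    Meant to run on its own host, reachable only by the few workflows that
    truly need an SSN (tax reporting, for instance). The student information
    system stores the token and nothing else, so a dump of that database, or
    an attacker logged in to it as a legitimate user, yields no SSNs.
    """

    def __init__(self, index_key: bytes):
        if len(index_key) < 32:
            raise ValueError("index key must be at least 256 bits")
        self._index_key = index_key   # secret; never leaves the vault
        self._token_by_index = {}     # HMAC(SSN) -> token
        self._ssn_by_token = {}       # token -> SSN (encrypted at rest in practice)
        self.audit_log = []           # every reverse lookup is recorded

    def _index(self, ssn: str) -> str:
        # Fewer than 10^9 SSNs exist, so a plain hash of the SSN could be
        # brute-forced from a stolen index in minutes. Keying the hash with a
        # secret that only the vault holds removes that shortcut.
        return hmac.new(self._index_key, ssn.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, ssn: str) -> str:
        """Return the existing token for this SSN, or mint a new random one."""
        ssn = normalize_ssn(ssn)
        idx = self._index(ssn)
        token = self._token_by_index.get(idx)
        if token is None:
            # Random, so the token is not a function of the SSN at all.
            token = "SID-" + secrets.token_hex(8)
            self._token_by_index[idx] = token
            self._ssn_by_token[token] = ssn
        return token

    def detokenize(self, token: str, requester: str, purpose: str) -> str:
        """Reverse lookup, only for audited, purpose-bound callers."""
        ssn = self._ssn_by_token.get(token)
        if ssn is None:
            raise KeyError("unknown token")
        self.audit_log.append((time.time(), requester, purpose, token))
        return ssn


def build_student_record(vault: TokenVault, name: str, ssn: str, grades: dict) -> dict:
    """What the main database stores: the token stands in for the SSN."""
    return {"student_id": vault.tokenize(ssn), "name": name, "grades": grades}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    record = build_student_record(vault, "A. Student", "123-45-6789", {"CS101": "A"})
    print(record)  # contains SID-<16 hex chars>, never the SSN
    print(vault.detokenize(record["student_id"], "bursar", "1098-T reporting"))
```

The same split applies to the 21,000 bank account numbers: the payment workflow that disburses aid can hold them, the general student database does not need to. Note that the vault is only a win if it really is separated, with its own credentials and network path; a vault reachable with the same application account that was compromised here would have fallen with it.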


For my Computer Security students. This technique has implications for avoiding Denial of Service attacks too.
"Last week The Pirate Bay added a new IP address which allows users to circumvent the many court-ordered blockades against the site. While this proved to be quite effective, the Hollywood backed anti-piracy group BREIN has already been to court to demand a block against this new address. But that won't deter The Pirate Bay, who say they are fully prepared for an extended game of whac-a-mole using the hundreds of IP addresses they have available. Courts all around the world have ordered Internet providers to block subscriber access to the torrent site, and the end is still not in sight."


I wonder what is left after the lawyers get theirs?
By Dissent, May 28, 2012
Emily Jackson reports:
A proposed settlement in a class action lawsuit against Durham Region Health puts a $5.99 price tag on the patient data doctors are privy to.
The lawsuit was filed against Durham Region after a nurse lost a USB key laden with the unencrypted personal information of 83,524 people in December 2009.
According to the proposed settlement, which still must be approved by a judge but was signed by lawyers for both parties on May 3, the region will pay $500,000 in costs, disbursements and taxes.
Read more on Toronto Star.


“Insecurity by design” because no one ever checks to see that chips are manufactured as designed? Yesterday it was “Flame,” so today is a good time to sell your malware detector...
"Information Age reports that the Cambridge University researchers have discovered that a microprocessor used by the US military but made in China contains secret remote access capability, a secret 'backdoor' that means it can be shut off or reprogrammed without the user knowing. The 'bug' is in the actual chip itself, rather than the firmware installed on the devices that use it. This means there is no way to fix it than to replace the chip altogether. 'The discovery of a backdoor in a military grade chip raises some serious questions about hardware assurance in the semiconductor industry,' writes Cambridge University researcher Sergei Skorobogatov. 'It also raises some searching questions about the integrity of manufacturers making claims about [the] security of their products without independent testing.' The unnamed chip, which the researchers claim is widely used in military and industrial applications, is 'wide open to intellectual property theft, fraud and reverse engineering of the design to allow the introduction of a backdoor or Trojan'. Does this mean that the Chinese have control of our military information infrastructure, asks Rupert Goodwins? 'No: it means that one particular chip has an undocumented feature. An unfortunate feature, to be sure, to find in a secure system — but secret ways in have been built into security systems for as long as such systems have existed.'"
Even though this story has been blowing-up on Twitter, there are a few caveats. The backdoor doesn't seem to have been confirmed by anyone else, Skorobogatov is a little short on details, and he is trying to sell the scanning technology used to uncover the vulnerability.


“We need more fingers in more pies.”
May 27, 2012
FTC Testifies on Efforts to Protect Consumer Privacy
News release: "The Federal Trade Commission testified before Congress about the agency’s efforts to protect consumer privacy, including the FTC’s support for implementation of a “Do Not Track” mechanism that would allow consumers to control the tracking of their online activities across websites, and other approaches recommended in its recent privacy report. In delivering Commission testimony before the Senate Committee on Commerce, Science and Transportation, FTC Chairman Jon Leibowitz said the current time is a “critical juncture” for consumer privacy, and described the FTC’s recent privacy report, including its call for final implementation of a Do Not Track mechanism. The testimony notes that the Commission recommends Congress consider enacting general privacy legislation, and that it enact data security and breach notification legislation and targeted legislation to address data brokers."


It only took 64 complaints to change the rules? Are they complete wimps or did they realize the rule was unenforceable?
"Privacy watchdog, the Information Commissioner's Office, has already received 64 complaints under the UK's Cookie Law, which requires sites to get permission to track users with cookies. The law only came into effect on Saturday, and many sites do not expect to comply soon. To make life more complicated, the ICO has updated its advice, apparently allowing 'implied consent' instead of actually making a user click a box to give permission for cookies."
(updated PDF version here)
[From the article:
“For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred,” the updated cookies guidance read. “This might, for example, be visiting a website, moving from one page to another or clicking on a particular button. The key point, however, is that when taking this action, the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.”


If they could be made cheaply enough, we could cover the world and then access the data on our cellphones.
This Rock Could Spy on You for Decades
Palm-sized sensors, developed for the American military, will remain littered across the Afghan countryside — detecting anyone who moves nearby and reporting their locations back to a remote headquarters. Some of these surveillance tools could be buried in the ground, all-but-unnoticeable by passersby. Others might be disguised as rocks, with wafer-sized, solar-rechargeable batteries that could enable the sensors’ operation for perhaps as long as two decades, if their makers are to be believed.


“We have this big book that we use with our 100 hour class on 'How to watch TV' that will allow us to learn about events like Hurricane Katrina almost as soon as they happen! And we kinda spy on your Facebook page...”
May 28, 2012
DHS National Operations Center Media Monitoring Capability Desktop Reference Binder 2011
Via EPIC FOIA release, Analyst’s Desktop Binder 2011 Redacted, Department of Homeland Security National Operations Center Media Monitoring Capability, Desktop Reference Binder.
  • "MMC [media monitoring capability] coverage focuses primarily on providing information on incidents of national significance, which are usually defined as catastrophic events that result in wide-scale damage or disruption to the nation’s critical infrastructure, key assets, or the Nation’s health; and require a coordinated and effective response by Federal, State, and Local entities. For the most part, coverage of international incidents is limited to that of terrorist activities and infectious diseases that impact a wide population of humans or animal stock, such as mad cow disease or H5N1, and catastrophic weather events around the globe (Category 5 Hurricanes, Tsunami, and Large Magnitude Earthquakes). An Item of Interest (IOI) is generated whenever an MMC search or alert produces information about an emergent incident that should be brought to the attention of the NOC [National Operations Center]."
  • Related - UK Mail Online - "The Department of Homeland Security has been forced to release a list of keywords and phrases it uses to monitor social networking sites and online media for signs of terrorist or other threats against the U.S."


Great background music for Blogging...
"MuseScore, the open source music notation editor, and pianist Kimiko Ishizaka have released a new recording and digital edition of Bach's Goldberg Variations. The works are released under the Creative Commons Zero license to promote the broadest possible free use of the works. The score underwent two rounds of public peer review, drawing on processes normally applied to open source software. Furthermore, the demands of Bach's notational style drove significant advancements in the MuseScore open source project. The recording was made on a Bösendorfer 290 Imperial piano in the Teldex Studio of Berlin. Anne-Marie Sylvestre, a Canadian record producer, was inspired by the project and volunteered her time to edit and produce the recording. The project was funded by a successful Kickstarter campaign that was featured on Slashdot in March 2011."


So why aren't we using them more?
Google Apps For Business Gets ISO 27001 Certification
Google just announced that its Google Apps for Business service has earned ISO 27001 certification. This certifies that Google is following the standard ISO information security management protocols and best practices “for the systems, technology, processes and data centers serving Google Apps for Business.”


It's easy to hate PowerPoint, it's much more difficult to find a useful replacement...
Death To Powerpoint! Piccsy Rethinks The Pitchdeck, Gets Tons Of Pageviews
Your Powerpoint pitchdeck is so boring. So. Freaking. Boring. Although tech bloggers aren’t sent startup’s actual pitchdecks as often as investors are (thankfully), we’re still walked through them on dreadful, “let me read to you from my Powerpoint” phone calls more often than should be socially acceptable. That’s why when image aggregator Piccsy, which is simultaneously a competitor to Pinterest as well as a top 20 content source for the site, pinged us to take a look at its pitch deck, we were pleasantly surprised. A pitchdeck that’s actually fun to read? Can such a thing exist?
Piccsy.com/investors hosts the company’s public pitchdeck, and it’s a striking, visual representation of the data that would be typically found in bullet-pointed slideshows. The format leads you to wander through content and explore, much like Piccsy itself does.
The full site is here.

Monday, May 28, 2012


Like a Mission Impossible script... Cheaper than nukes. Harder to determine the source?
Meet “Flame”, The Massive Spy Malware Infiltrating Iranian Computers
A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.
The malware, discovered by Russia-based anti-virus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years.
Dubbed “Flame” by Kaspersky, the malicious code dwarfs Stuxnet in size – the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran’s nuclear program in 2009 and 2010.
… The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, DuQu.
… Early analysis of Flame by the Lab indicates that it’s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.
… Flame appears to have been operating in the wild as early as March 2010, though it remained undetected by antivirus companies.
… He noted that there are clues that the malware may actually date back to as early as 2007, around the same time-period when Stuxnet and DuQu are believed to have been created.
… Among Flame’s many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer’s near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots of activity on the machine, such as instant-messaging and email communications, and sends them via a covert SSL channel to the attackers’ command-and-control servers.
The malware also has a sniffer component that can scan all of the traffic on an infected machine’s local network and collect usernames and password hashes that are transmitted across the network. The attackers appear to use this component to hijack administrative accounts and gain high-level privileges to other machines and parts of the network.
… “It was obvious DuQu was from the same source as Stuxnet. But no matter how much we looked for similarities [in Flame], there are zero similarities,” Gostev said. “Everything is completely different, with the exception of two specific things.”
One of these is an interesting export function in both Stuxnet and Flame, which may turn out to link the two pieces of malware upon further analysis, Gostev said. The export function allows the malware to be executed on the system.
Also, like Stuxnet, Flame has the ability to spread by infecting USB sticks using the autorun and .lnk vulnerabilities that Stuxnet used. It also uses the same print spooler vulnerability that Stuxnet used to spread to computers on a local network. This suggests that the authors of Flame may have had access to the same menu of exploits that the creators of Stuxnet used.
Unlike Stuxnet, however, Flame does not replicate automatically by itself. The spreading mechanisms are turned off by default and must be switched on by the attackers before the malware will spread.
… The researchers say they don’t know yet how an initial infection of Flame occurs on a machine before it starts spreading. The malware has the ability to infect a fully patched Windows 7 computer, which suggests that there may be a zero-day exploit in the code that the researchers have not yet found.
… At least one component of Flame appears to have popped up on machines in Europe on Dec. 5, 2007 and in Dubai on Apr. 28, 2008.
… The malware has no kill date, though the operators have the ability to send a kill module to it if needed. The kill module, named browse32, searches for every trace of the malware on the system, including stored files full of screenshots and data stolen by the malware, and eliminates them, picking up any breadcrumbs that might be left behind.
“When the kill module is activated, there’s nothing left whatsoever,” Gostev said.
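The sniffer component described above is worth understanding concretely, because it is the piece that turns one infected desktop into a foothold on the whole network: anything sent across the LAN without encryption, or with a weak authentication exchange, is there for a passive implant to collect. The Python below is an added example, not Flame's code and not from Kaspersky's analysis; it parses constructed Ethernet/IPv4/TCP frames and pulls out HTTP Basic credentials, which is the simplest member of the same family of harvesting (Flame also collected password hashes from Windows authentication traffic, which needs a parser for those protocols rather than the HTTP one shown here). The `build_frame` helper, the 10.0.0.x addresses and the `admin:hunter2` credential are all assumptions made up for the sample traffic.

```python
import base64
import socket
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def build_frame(src_ip, dst_ip, sport, dport, payload, proto=IPPROTO_TCP):
    """Constructed test frame: Ethernet + IPv4 + TCP (or UDP). Checksums are
    left zero; this only exists to feed the parser offline."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == IPPROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4 + payload


def parse_frame(frame):
    """Return (src, dst, sport, dport, payload) for a TCP segment, else None."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4            # header length in bytes (options included)
    if ip[9] != IPPROTO_TCP:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4           # TCP header length, options included
    return src, dst, sport, dport, tcp[doff:]


def extract_basic_credentials(payload):
    """Find 'Authorization: Basic <base64>' headers and decode user:password."""
    creds = []
    for line in payload.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() not in (b"authorization", b"proxy-authorization"):
            continue
        scheme, _, blob = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            continue
        try:
            decoded = base64.b64decode(blob.strip(), validate=True)
        except ValueError:              # binascii.Error is a ValueError subclass
            continue
        user, _, password = decoded.partition(b":")
        creds.append((user.decode("latin-1"), password.decode("latin-1")))
    return creds


def harvest(frames):
    """What a passive LAN sniffer sees: every cleartext credential, with endpoints."""
    found = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        for user, password in extract_basic_credentials(payload):
            found.append({"src": src, "dst": dst, "dport": dport,
                          "user": user, "password": password})
    return found


# Constructed sample traffic: one authenticated request, one plain request, one DNS query.
_AUTH = base64.b64encode(b"admin:hunter2")
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.10", 51000, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic " + _AUTH + b"\r\n\r\n"),
    build_frame("10.0.0.6", "10.0.0.10", 51001, 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    build_frame("10.0.0.7", "10.0.0.53", 40000, 53, b"\x00" * 12, proto=IPPROTO_UDP),
]

if __name__ == "__main__":
    for hit in harvest(SAMPLE_FRAMES):
        print(hit)
```

Run against a real capture (a `pcap` reader in place of `SAMPLE_FRAMES`), the same logic is a useful defensive audit: if it finds anything, an implant with a sniffer module would have found it too. The fix is not on the sniffer side but on the protocols: TLS for web and mail on the internal network, and authentication schemes that do not put a reusable credential or a crackable hash on the wire.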


Brief, but interesting.
May 27, 2012
Open Forum Academy Report - The Cloud Computing Workshop
OFA Report - The Cloud Computing Workshop - "The cloud will happen; the question is whether it will happen to us, with us, or by us": "This report is prepared by the rapporteur, Dr. E. Altsitsiadis, for Open Forum Academy (OFA) in support of the Cloud Computing Workshop. The summaries of the speaker presentations and panel discussions in this report are based on the rapporteur’s notes. The workshop brought together high-level experts to discuss three broad aspects of cloud computing; the economic impact, the legal aspects and the way to move forward. The economic opportunity is irrefutable - If you live in a multi-device world, you simply need the cloud. The cloud will have a significant impact on our entire economy; from the micro level and the numerous benefits it brings to supply and demand alike, to the positive macro-effects in new job creation and GDP contribution. There are serious obstacles though in claiming these benefits, from practical operational limitations to misconceptions, distrust and a legal framework that is largely fragmented and complicated. The speakers broadened our understanding of these weak points, downplaying some issues that are overly considered important, while pointing out others that are crucial, yet evade our attention. The workshop illustrated that there are a lot of misconceptions but also a lot of common ground and it is becoming apparent that the way forward passes through better communication and collaboration, whether at the level of EU-US governments, Industry-Policymakers or Providers-Users."


Cloudy, with a chance of surveillance?
May 27, 2012
Governmental Access to Data in the Cloud - A comparative analysis of ten international jurisdictions
  • "This White Paper examines the extent to which access to data in the Cloud by governments in various jurisdictions is possible, regardless of where a Cloud provider is located. “Governmental access,” as that term is used here, includes access by all types of law enforcement authorities and other governmental agencies, recognizing that the rules may be different for law enforcement and national security access. Governments need some degree of access to data for criminal (including cybercrime) investigations and for purposes of national security. But privacy and confidentiality also are important issues. This paper does not enter into the ongoing debate about the potential for excessive government access to data and insufficient procedural protections. Rather, this White Paper undertakes to compare the nature and extent of governmental access to data in the Cloud in many jurisdictions around the world."


Interesting that the London School of Economics finds that organizations can save money using “free” software. That's not as simple an answer as you may think.
May 27, 2012
Total cost of ownership of open source software: a report for the UK Cabinet Office
"The Cabinet Office and London School of Economics (LSE) have published research into the Total Cost of Ownership of Open Source Software, by Maha Shaikh and Tony Cornford, Version 8.5 Final, November 2011, Unclassified. The report has been jointly financed by the Cabinet Office and OpenForum Academy, together with some of its supporters, including Alfresco, Deloitte, IBM and Red Hat."


For my Business Continuity students...
Five years after Estonia's cyber attacks: lessons learned for NATO?
By Peggy Garvin Source: NATO Defense College
From the report:
In April 2007 a series of cyber attacks targeted Estonian information systems and telecommunication networks ... Lasting twenty-two days, the attacks were directed at a range of servers (web, email, DNS) and routers.
The 2007 attacks did not damage much of the Estonian IT infrastructure ... However, the attacks were a true wake-up call for NATO, offering a practical demonstration that cyber attacks could now cripple an entire nation dependent on IT networks.


Incentive for my CS majors to also grab an MBA?
"The IT industry is hurting for women. Currently only 11% of IT companies are owned by women. The Women-Owned Small Business (WOSB) Federal Contract program requires 5% of all IT jobs to go to female-owned integration companies, but there must be at least 2 female bidders. There are so few female bidders that women-owned IT firms are ineligible for the contracts. From the article: 'Wendy Frank, founder of Accell Security Inc. in Birdsboro, Pa., wishes she had more competitors. It's not often you hear any integrator say that, but in Frank's case, she has good reason. The current Women-Owned Small Business (WOSB) Federal Contract program authorizes five percent of Federal prime and subcontracts to be set aside for WOSBs. While that might sound fair on the surface, in order to invoke the money set aside for this program, the contracting officer at an agency has to have a reasonable expectation that two or more WOSBs will submit offers for the job. “We could not participate in the government’s Women-Owned Small Business program unless there was another female competitor,” says Frank. “Procurement officers required that at least two women-owned small businesses compete for the contracts, even in the IT field, where women-owned businesses are underrepresented.”'"


Trend spotting? It also shows that “correlation” is not the same as “connected”
To make use of this tool, it is best that we define correlation first. A correlation is a mutual relationship or interdependence of two or more things. In this case, Google answers the question – which keywords have the most comparable pattern of search activity?


Sort of an illustrated explanation of “Why the Privacy Foundation exists”

Sunday, May 27, 2012


Not much on the blogs today, you'd think it was a holiday or something...


Thank God Maury Nichols sent me this article or I wouldn't have anything interesting to blog about.
Judge Orders Drug Evidence Suppressed in Warrantless GPS Tracking Case
A federal judge in Kentucky this week upheld a lower court's decision to throw out crucial evidence in a drug case because the evidence was gathered with the help of a GPS tracking device that was installed without a warrant on the suspect's vehicle.
In a 19-page ruling Tuesday, Judge Amul Thapar of the U.S. District Court for the Eastern District of Kentucky wrote that Robert Lee's constitutional rights were violated when drug enforcement agents illegally tracked his car and then seized 150 pounds of marijuana from it.
Thapar granted Lee's motion to suppress the evidence, noting that it had been obtained purely as the result of a fishing expedition. "In this case, the DEA agents had their fishing poles out to catch Lee.," Thapar wrote. "Admittedly, the agents did not intend to break the law. But they installed a GPS device on Lee's car without a warrant 'in the hope that something might turn up,'" he said.


Can you believe the New York Times has a cartoon section? This one is on NYPD Drones...


Who says lawyers don't have a sense of humor? (Almost everyone, actually.) Perhaps a new legal specialization: Zombie Law
What are the tax implications of the zombie apocalypse?
Chodorow, a professor at Arizona State University's Sandra Day O'Connor College of Law, authored the paper "Death and Taxes...and Zombies," which will appear in a forthcoming issue of the Iowa Law Review. Chodorow notes that, while the CDC is ready for the zombie apocalypse, the United States Congress has shown no such foresight, leaving us to question whether zombies, vampires, and other members of the undead class will have their estates transferred upon undeath or be able to collect income tax. To rectify that oversight, Chodorow looks, in all earnestness, to existing legal precedent.


For my Math students. All their work is online and I don't want their brains to explode...
… The two key elements of being able to manage your day in the browser are being able to actually see how you’re spending your time, and then being able to force yourself to manage that time more effectively. Mind the Time does the former and Time Limiter does the latter.
Mind the Time achieves a very simple goal for the user:
Keep track of how much time you spend on the web, and where you spend it. A ticker shows (1) time spent at the current site and (2) total time spent on the web today. A summary page shows data for today and the past seven days.
You’re able to pay attention to your remaining time if you’ve set up a lock rule. The time remaining is displayed in the title bar. When your time is up, the page is immediately blocked.


For all my students.
If you are having issues allocating time to different tasks and getting distracted easily, give BringFocus a try.
… Once installed, select the time you want to spend on one task and the reason for using the time. You must finish the task before the timer runs down to zero. It also tracks the total amount of time spent on all tasks, so that you will know how much time you’ve worked.
Similar tools: Tasskr, Any.Do, ListDid.me and Workflowy.