Tuesday, November 29, 2011


Are these little “extras” for subscribers(?) anything that concerns management? Perhaps they are viewed as so trivial, so removed from 'journalism' that they are not even monitored?
Globe and Mail online classroom hacked – again and again? Wake up, Globe and Mail!
November 28, 2011 by admin
Well, I posted this to DataLossDB.org the other day, but seem to have forgotten to have posted it here.
Globe and Mail, the Canadian newspaper, had their online classroom site hacked (globeclassroom.ca). The hack was disclosed on Pastebin on November 22, at which time I created an entry for it on DLDB. I then tried to notify Globe and Mail’s online classroom site that over 600 users’ names, e-mail addresses, clear-text passwords, job title, school, and school contact details had been acquired and dumped on the Internet. They did not respond to my courtesy notification, but one paste was removed. Another one, that I had missed, remained.
The removal triggered a response by a hacker, who re-posted the original paste and then pointed me to the second data dump. I dutifully updated the entry on DLDB.
But now, digging into things a bit more, I see that this same site had been hacked back in July by a hacker who identified himself as part of #AntiSec:
Hi! I’m sepo. For today my target was http://globeclassroom.ca/. It was hacked by a simple SQL Injection. All the data (login email, password, first & second name, address, school etc.) is dumped to one of my virtual servers. I was thinking about a deface, but this wasn’t a good idea. Your sec sux! Your data can be stolen! This is a part of #Antisec.
Expect us!
The database reportedly held 4,000 users’ data.
So the site was hacked back in July and again in November. Does Globe and Mail even know? How many hackers have to point out to them that their site is insecure before they get the message? And how would all these users feel if they knew that their passwords were out there with their e-mail addresses?
Hacks like this one have become a common occurrence this year, and it is disturbing that so many sites that have been hacked do not seem to know it and do not check all their e-mail when people do try to notify them.
Maybe if I tweet it?
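The post above names the two defects that made this breach what it was: a query that could be bent by user input, and passwords stored in clear text. As an added example, not code from the original post or from globeclassroom.ca, the block below puts the unsafe query pattern next to the parameterised query and the salted PBKDF2 hash that remove both problems; the table layout, the user record, the odd-looking e-mail address and the function names are all constructed for illustration.

```python
"""Added example (not the site's code): injectable query vs parameterised
query, and clear-text storage vs salted PBKDF2 hashing. Schema, records and
function names are constructed for this illustration."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # iteration count; raise it as hardware gets faster


def create_db() -> sqlite3.Connection:
    """In-memory table modelled loosely on the fields listed in the dump."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, name TEXT, school TEXT,"
        " salt BLOB, pw_hash BLOB)"
    )
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash: a dump of the table no longer yields passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def add_user(conn, email, name, school, password) -> None:
    salt = os.urandom(16)  # per-user salt stored beside the hash
    conn.execute(
        "INSERT INTO users (email, name, school, salt, pw_hash) VALUES (?, ?, ?, ?, ?)",
        (email, name, school, salt, hash_password(password, salt)),
    )


def find_user_unsafe(conn, email):
    """The pattern behind 'a simple SQL Injection': the e-mail is pasted into
    the SQL text, so a quote character in the input changes the statement.
    Kept only to contrast with find_user_safe."""
    sql = "SELECT email, name, school FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchone()


def find_user_safe(conn, email):
    """Parameterised query: the value travels separately from the SQL text,
    so whatever the input contains it is only ever data."""
    return conn.execute(
        "SELECT email, name, school FROM users WHERE email = ?", (email,)
    ).fetchone()


def verify_password(conn, email, password) -> bool:
    """Recompute the hash with the stored salt; constant-time compare."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def dump_contains_plaintext(conn, password: str) -> bool:
    """What someone who reads the whole table gets: with hashing in place the
    clear-text password is simply not there."""
    rows = conn.execute("SELECT * FROM users").fetchall()
    return any(password in str(col) for row in rows for col in row)


def demo() -> dict:
    conn = create_db()
    add_user(conn, "teacher@example.invalid", "Constructed Teacher",
             "Example School", "correct horse")
    # A legitimate address that happens to contain a quote character.
    odd_input = "o'brien@example.invalid"
    try:
        find_user_unsafe(conn, odd_input)
        unsafe_result = "query ran"
    except sqlite3.OperationalError:
        unsafe_result = "query broke: user input altered the SQL"
    return {
        "unsafe": unsafe_result,
        "safe": find_user_safe(conn, odd_input),  # None: no such user, input treated as data
        "login_ok": verify_password(conn, "teacher@example.invalid", "correct horse"),
        "login_bad": verify_password(conn, "teacher@example.invalid", "wrong"),
        "plaintext_in_dump": dump_contains_plaintext(conn, "correct horse"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The quote-bearing address is enough to show the difference: the concatenated statement stops being valid SQL, while the parameterised one just reports no match. The same separation of code from data is what stops inputs crafted to do worse, and the hashing means that even a successful dump of the table yields salts and digests rather than the passwords the post describes.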


Attention Ethical Hackers: To really bring this home to judges in the US and Canada, I propose that we create detailed dossiers on each judge. Now, they may find this irritating so we don't want to have it traced back to us. We need an alias. I know this Professor at the Law School...
http://www.pogowasright.org/?p=25942
Judges out of touch on privacy issues, says Ontario privacy czar
November 28, 2011 by Dissent
Vito Pilieci reports:
Canadian judges and politicians have grown too old and out of touch with the reality of today’s digital world to be trusted to make sound policy decisions, according to Ontario’s Privacy Commissioner.
Speaking at the Privacy & Information Security Congress 2011 conference in Ottawa on Monday, Ann Cavoukian expressed her frustration with recent judicial decisions that she believes trivialize Canadian privacy rights.
Read more on Ottawa Citizen

(Related) What say you, your honor? No harm, no foul?
Courts Grapple with Concept of “Harm” in Online Privacy Suits
November 28, 2011 by Dissent
Glenn G. Lammi is clearly not a fan of the type of class action lawsuits we’ve been seeing on a weekly basis:
The fundamental legal principle that only those who have been “harmed” can sue in U.S. courts is being put to the test by the ever-evolving, subjective concept of “privacy” in the equally organic online world.
U.S. Supreme Court rulings on so-called Article III standing reflect that a harm must be 1) concrete, particularized, actual, and imminent; 2) fairly traceable to defendant’s actions; and 3) likely redressed by a favorable decision. If a party fails to meet this test, the court will dismiss the suit for lack of jurisdiction.
Plaintiffs’ lawyers, eager to add online privacy “violations” to their lucrative book of business, have been advancing broad theories of injury through class action lawsuits. Their claims of harm routinely center around either emotional or economic injury. Those efforts so far, with a few exceptions, have met resistance from federal judges.
Read more on Forbes.
I tend to agree with Glenn and think that most of these lawsuits are misplaced. If we want to discourage certain behavior, then we either withhold our business, try to effect change, or punt to the legislature. While the costs of litigation might dissuade businesses from engaging in certain conduct, for monster companies like Facebook, it just becomes part of the cost of doing business. In the meantime, we tend to clog up courts, and the only ones who make any money are the lawyers.


What's going on here? Does Twitter need tools to break through corporate firewalls? (Send sensitive data out from within?) I know of no reason they would need to shut down their service – does anyone?
Twitter Adds Team Who Created Privacy Tools for Activists, But Was it at the Expense of Activists?
November 28, 2011 by Dissent
Amir Efrati reports:
Twitter on Monday announced the acquisition of a two-person startup called Whisper Systems, whose technology protected people’s mobile-phone calls and text messages from being obtained by third parties such as governments.
The deal terms weren’t disclosed. The acquisition led to speculation about what Twitter, an online-messaging service, might do with Whisper Systems founders Moxie Marlinspike and Stuart Anderson–who are well-known in computer security circles–and the technology they built exclusively for devices running on Google’s Android software.
Whisper Systems created a suite of services for human-rights activists or other privacy-conscious individuals, which were used by activists during the recent “Arab spring” actions. In a blog post, Marlinspike and Anderson said the services they created will “live on” though they had to temporarily shut them down.
Read more on WSJ.
Dan Goodin also covers the acquisition on The Register, and also covers concerns raised by privacy and security researcher Chris Soghoian:
Twitter’s acquisition of San Francisco-based Whisper Systems came on Monday, the same day Egyptian citizens participated in their nation’s first parliamentary elections since the ouster of Hosni Mubarak, whose repressive regime ruled the country for three decades. That means Egyptian dissidents who relied on Whisper Systems RedPhone to encrypt voice calls made with their Android smartphones abruptly lost the ability to protect calls from government-controlled eavesdroppers at a time they might need it most.
It was only nine months ago that Whisper Systems said it was rushing out an international version of the encryption software to support the historic protests that were then sweeping the African nation’s populace.
“The timing is atrocious,” said Chris Soghoian, a privacy researcher with the Open Society Foundations. “Today is Egypt’s first election after it threw out its old regime, and the only encrypted voice communication tool for Android goes dark. This couldn’t have happened at a worse time for people in Egypt.”
I really wish Twitter would be more forthcoming about its timing and its plans. I tend to give them the benefit of doubt, but Chris has raised some pointed criticisms about them – and not just over Whisper Systems. Chris has also publicly challenged Twitter to make HTTPS the default connection. And again, no response from Twitter. The same platform that fought to at least notify its users about a court order to compel production of their records seems to be falling behind its competitors in terms of other privacy protections.
So, Twitter, because I use you and like you, how about you agree to make HTTPS the default connection by Christmas, and you explain how your acquisition of Whisper Systems and its talented founders are going to benefit human rights activists, privacy, and free speech.

(Related) Does Twitter take this crackdown seriously enough to want a tool that hides their interaction with users in Europe? Technology they could sell to the other big Behavioral Advertising companies? And notice that the EU Commission does not fully understand Facebook.
EU: Facebook faces a crackdown on selling users’ secrets to advertisers (updated)
November 28, 2011 by Dissent
This has the potential to be huge.
Jason Lewis reports:
The European Commission is planning to stop the way the website “eavesdrops” on its users to gather information about their political opinions, sexuality, religious beliefs – and even their whereabouts.
Using sophisticated software, the firm harvests information from people’s activities on the social networking site – whatever their individual privacy settings – and makes it available to advertisers.
However, following concerns over the privacy implications of the practice, a new EC Directive, to be introduced in January, will ban such targeted advertising unless users specifically allow it.
Even though most of the information it harvests is stored on computers in the USA, if Facebook fails to comply with the new legislation it could face legal action or a massive fine.
The move threatens to damage Facebook’s plans to float on the Wall Street stock exchange next year, by undermining the way it makes money.
Read more on The Telegraph. Then contrast that to what happened here in the Fourth Circuit when a judge ruled that Twitter users gave up some of their privacy when they signed up for Twitter and accepted their TOS and privacy policy. Of course, everyone other than that judge knows that no one really reads those policies, but that judge would probably rule that Facebook users have consented to have their data sold to advertisers – even if they didn’t understand or wade through Facebook’s 4000 word policy.
Will EU do for Americans’ privacy what the American Congress has failed to do and what businesses have failed to do by self-regulation? We’ll have to wait and see.
Update: A report by ReadWriteWeb raises some questions about what will really be proposed in the EU and how it might affect Facebook.


At some point, Big Brother will point to Facebook and say, “You have volunteered to allow everything you complain that I do!”
How to stop Facebook from sharing your location
Facebook is at it again, releasing yet another feature that I never had the opportunity to politely opt out of: location sharing.
When Facebook decided to withdraw efforts from its short-lived check-in service, Places, it quickly implemented a more passive location-sharing feature that doesn't even have a name. It's just there. And it's creepy.
Now, every time you compose a post on a mobile device or desktop computer, you'll see a light gray location in the lower left of the status box.
Facebook sneakily grabs your location via GPS or Wi-Fi router, and attaches it to your post, so your friends can enjoy a more in-depth stalking experience.


“...and we shall name him Little Brother.”
The UK could get a Privacy Commissioner
November 28, 2011 by Dissent
Dave Neal reports:
The United Kingdom could get a dedicated Privacy Commissioner, according to a tabled discussion in the House of Lords.
We learned of the tabled amendment via Privacy International, which pointed followers towards the document on Twitter and told the INQUIRER that such a change is needed in the UK, due to what is a poor data protection situation for UK citizens.
“If successful, the UK could have a real privacy regulator rather than a weak one that merely oversees data protection,” it said.
Read more on The Inquirer.
So let’s get this straight – they’d have a data protection agency AND a privacy commissioner while over on this side of the pond, we have neither?
This is just so depressing. And infuriating.


Fighting certain doom? Granted it is embarrassing. What's true and what's opinion based on hearsay? (I doubt “everyone does it” and “It's not a big deal” are sufficient for acquittal.)
Feds Withholding Evidence Favorable to Bradley Manning, Lawyer Charges
The civilian lawyer for Bradley Manning, the Army private who allegedly leaked tens of thousands of classified U.S. government documents to WikiLeaks, is seeking to question the severity of the leak by requesting the government’s own internal damage assessments that reportedly contradict statements that Manning irreparably damaged national security.
… Published information about the various reports put them at odds with each other, Coombs notes. One assessment conducted by the Defense Intelligence Agency concluded that all of the information allegedly leaked was dated, represented low-level opinions, or was already commonly known due to previous public disclosures, while an official at another government office indicated that the leaks had caused damage to national security.
… “The defense requests any e-mail, report, assessment, directive, or discussion by — to the Department of Defense concerning this case in order to determine the presence of unlawful command influence,” the sentence reads.
At a press conference last week, members of the Bradley Manning Support Network, which has raised money for Manning’s defense, argued that public comments that President Obama made earlier this year suggesting that Manning is guilty constituted illegal command influence on the military court from the nation’s commander in chief.
Obama told an audience in April, “If I was to release stuff, information that I’m not authorized to release, I’m breaking the law.”
“I can’t imagine a juror who wants to have a future in the military … going against the statement of [guilty] made by his or her commander-in-chief,” said Kevin Zeese, a legal advisor to the Bradley Manning Support Network.
… In order to make the case that Manning wasn’t the only soldier to install unauthorized programs on classified networks, Coombs requested forensic images of each computer from the Tactical Sensitive Compartmented Information Facility (T-SCIF) and the Tactical Operations Center (TOC) at Forward Operating Base Hammer in Iraq, where Manning allegedly downloaded the data that was passed to WikiLeaks. Coombs is hoping to prove “it was common for soldiers to add unauthorized computer programs” to government systems, that apparently helped the soldiers do their work.


IT Governance Think this will catch on?
"Thierry Breton, CEO of Atos, Europe's Largest IT Company, wants a 'zero email' policy to be in place in 18 months, arguing that only 10 per cent of the 200 electronic messages his employees receive per day on average turn out to be useful, and that staff spend between 5-20 hours handling emails every week. 'The email is no longer the appropriate (communication) tool,' says Breton. 'The deluge of information will be one of the most important problems a company will have to face (in the future). It is time to think differently.' Instead Breton wants staff at Atos to use chat-type collaborative services inspired by social networking sites like Facebook or Twitter as surveys show that the younger generation have already all but scrapped email, with only 11 per cent of 11 to 19 year-olds using it. For his part Breton hasn't sent a work email in three years. 'If people want to talk to me, they can come and visit me, call or send me a text message. Emails cannot replace the spoken word.'"


Might be interesting to play with...
"Free software activists have released a peer-to-peer search engine to take on Google, Yahoo, Bing and others. The free, distributed search engine, YaCy, takes a new approach to search. Rather than using a central server, its search results come from a network of independent 'peers,' users who have downloaded the YaCy software. The aim is that no single entity gets to decide what gets listed, or in which order results appear. 'Most of what we do on the Internet involves search. It's the vital link between us and the information we're looking for. For such an essential function, we cannot rely on a few large companies and compromise our privacy in the process,' said Michael Christen, YaCy's project leader."


Oh goodie, now I can research why my Mother's ancestors were banished from Ireland.
British Library scans 18th and 19th-Century newspapers
Four million pages of newspapers from the 18th and 19th Centuries have been made available online by the British Library.
… The archive is free to search, but there is a charge for accessing the pages themselves.


What does Anatomy have to do with Health Care? Isn't that all about Billing customers?
Monday, November 28, 2011
Eleven days ago I mentioned a free and open Computer Science 101 course being offered through Stanford University. Today, through Open Culture, I learned that Stanford is offering thirteen other free and open online courses during the spring semester. One of the courses that might be appropriate for high school juniors and seniors interested in pursuing college programs in healthcare is an introductory anatomy course. The course description promises quizzes that students can use for self-assessment and self-pacing through the course.


Toys for my Ethical Hackers
"Although Barnes & Noble receives a lot of credit from the slashdot community for standing up to Microsoft and for allowing the nook to be so easy to root, perhaps Amazon releasing the source code to the Kindle will help it gain back supporters it lost after remotely removing ebooks."
