Saturday, July 23, 2011

Careers for my Ethical Hackers? Still looking for a co-author for “A Just Cyber War”...

The Code War Arms Race

"A story in Bloomberg Businessweek gives the first in-depth look at a wave of new start-ups selling cyber weaponry. The story describes this as the evolution of the defense industry in response to a wave of brazen attacks against Google, the Pentagon, the IMF and thousands of companies. It's pretty scary stuff, especially considering that these new weapons are not regulated at all."

[From the article:

Traditional military logic falls apart in the Code War. Deterrence and arms treaties are but philosophical concepts when invisible weapons are involved. Assigning certain blame for an attack may be impossible when it’s conducted through computers in dozens of countries. The fear of retaliation—which kept the Cold War from becoming hot—may not apply.

[Related stuff: (More at: http://www.technolytics.com/downloads.asp)

http://www.technolytics.com/Cyber_Commanders_Handbook_Preview.pdf

Cyber Commander's eHandbook

(Preface and TOC only)

http://www.technolytics.com/Right_to_bear_cyber_arms_CCH9-2.pdf

The Right to Bear Cyber Arms

Legal authorities agree there are gray areas and a fine line between activism on the one hand, and terrorism and hostile action against a government on the other. When you include the use of cyber attacks in the equation, the line quickly expands to an area of gray.



A new argument in the online banking area?

http://www.databreaches.net/?p=19786

How Fast Is Fast Enough to Tell Customers About Data Breaches?

July 22, 2011 by admin

Sue Reisinger writes on Corporate Counsel:

In financial data breaches, timing is almost everything. On June 13 a federal court held Comerica Bank liable for data breach losses even though it notified the customer and stopped all account activity within six hours. Two days later Citigroup Inc. was explaining why it took nearly a month to start notifying 360,000 customers of a breach. While Comerica didn’t act fast enough for the court, experts say Citi’s delay may have been justified.

Confusing? Such disparities can baffle not only companies and consumers, but also lawmakers trying to create a uniform standard for handling breaches.

Read more on Corporate Counsel.

[From the article:

It started with a simple e-mail that landed in the inbox of Experi-Metal Inc.'s controller, Keith Maslowski, in January 2009. The message appeared to come from the company's bank, and Maslowski followed the directions to click on a link and enter confidential log-in data and other codes as part of routine maintenance. The details are laid out in a lawsuit that the small metal shop in Sterling Heights, Michigan, filed against Comerica. Scam artists used Maslowski's codes to initiate more than 85 wire transfers, moving $1.9 million out of the company's account to China, Estonia, Finland, Russia, and Scotland.

It took the bank only six hours to spot the unusual activity, notify the customer, and stop the transfers. But it wasn't good enough for the federal judge. Court documents show that the company had only two prior transfers in two years. On June 13 U.S. district court judge Patrick Duggan in Detroit ruled that Comerica was responsible for the $560,000 that remained unrecovered because the bank didn't act "in good faith." The judge ruled that "a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier."



Do you suppose this is based on the Secret Service's requirements for a Presidential BlackBerry?

BlackBerry PlayBook First Tablet To Gain NIST Approval

"Despite its current struggles to win over consumers, RIM has always been strong in the enterprise. The company remained steadfast in its support for corporate environments with the launch of the PlayBook, calling it the only business-grade tablet. The NIST is now ready to back that claim, giving the BlackBerry PlayBook its stamp of approval — meaning it's now the lone tablet that is certified for use in U.S. government agencies."



Upgrading the Google cars? Now they can match you to your house, job, hobby, favorite entertainment, etc.

http://techcrunch.com/2011/07/22/google-acquires-facial-recognition-software-company-pittpatt/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Google Acquires Facial Recognition Software Company PittPatt

PittPatt, a project spawned from Carnegie Mellon University, develops a facial recognition technology that can match people across photos, videos, and more.

… Google has reportedly been exploring adding facial recognition to its products (i.e. Google Goggles) more seriously but has held back because of privacy concerns. As the company told Search Engine Land in March, Google wouldn’t put out facial recognition in a mobile app unless there were very strict privacy controls in place.

But in May, Google Chairman Eric Schmidt said the company is “unlikely to employ facial recognition programs.”

Google issued this statement confirming the acquisition:

“The Pittsburgh Pattern Recognition team has developed innovative technology in the area of pattern recognition and computer vision. We think their research and technology can benefit our users in many ways, and we look forward to working with them.”



Clearly the Judge calculates a “Fair Penalty” but will the defendant keep appealing? Probably.

http://www.wired.com/threatlevel/2011/07/kazaa-verdict-slashed/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Judge Slashes ‘Appalling’ $1.5 Million File Sharing Verdict to $54,000

… The decision by U.S. District Judge Michael Davis follows the third trial in the Recording Industry Association of America’s lawsuit against Jammie Thomas-Rasset, the first file sharer to take an RIAA lawsuit to a jury trial. Under the case’s latest iteration, a Minnesota jury dinged her in November $62,500 for each of 22 songs she pilfered on Kazaa.

With the decision, Judge Davis has now overturned the judgments of three separate juries in the case dating to 2007. And Friday’s outcome is not likely to be the last word, either.

Thomas-Rasset, of Brainerd, Minnesota, has repeatedly vowed to appeal what her lawyers said were “excessive damages.” Her first trial ended with a $222,000 judgment, but Davis declared a mistrial, on the grounds that he’d improperly instructed the jury on a point of law. After the second trial, Davis tentatively reduced the award from $1.92 million to $54,000, and ordered a new trial on damages if the parties didn’t agree to that amount or settle. That third trial last year ended in the $1.5 million judgement that Davis overruled Friday.


(Related) PayPal as Judge, Jury and Executioner?

PayPal Joins London Police Effort

"PayPal has joined a music copyright association and the City of London police department's bid to financially starve websites deemed 'illegal.' When presented with sufficient evidence of unlicensed downloading from a site, the United Kingdom's PayPal branch 'will require the retailer to submit proof of licensing for the music offered by the retailer,' said the International Federation of the Phonographic Industry's latest press release."

The press release can be found here.

[From the article:

The real question is whether, at any time in this process, the City of London submits the evidence of infringement or some aspect of the process to a court for review. The ECD has a history of working with the Metropolitan Police Film Piracy Unit, long at the service of the movie industry's Federation Against Copyright Theft.

FACT aided UK law enforcement to prosecute the famous Filesoup file sharing site. The police eventually dropped that case, conceding that the legal basis for a criminal trial wasn't there.



This is the promise of the Internet. Learn anything from the best teacher in the world – not some guy in your neighborhood who thinks he knows what he is doing...

http://www.wired.com/playbook/2011/07/pitching-video-analysis/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

MLB Coach Offers Video Analysis for Young Pitchers

Don Cooper, pitching coach for MLB’s Chicago White Sox, recently created DonCooperBaseball.com with the intent of providing video analysis for pitchers, no matter their age. His plan might seem ambitious, but the former big league pitcher believes he can leverage his 33 years of professional experience to right the wrongs taught by coaches at various levels of the sport.

“There is a lot of what I feel is poor information being given out there by people who don’t really have the background to be instructing [pitchers],” Cooper told Wired.com.



This looks interesting...

http://www.makeuseof.com/tag/windows-pc-shape-winutilities/

Get Your Windows PC Back Into Shape With WinUtilities

There are lots of tools that will attack part of the mess, like your Internet history files or registry cleaners, but what about fragmented hard drive space, duplicate files or junk registry keys?

The bottom line is that if you’re running Windows and you don’t want to spend all of your time running 100 applications to take care of each of the areas where Windows wastes space, then you’ll want to run a single app that can handle it all. One such free utility is an awesome program called WinUtilities offered by YL Software.

… The free version of this Windows utility has most of the features completely unlocked (at least all of the ones that I tried work 100%).

The application is split up into utility groups like Clean Up & Repair, Optimize & Improve, and Privacy & Security. Each of these areas has its own collection of tools.



At first glance, this looks so dumb it must be brilliant!

Why Waste Servers' Heat?

"A new paper from Microsoft Research (PDF) suggests a radical but slightly mad scheme for dealing with some of the more basic problems of the data centre. Rather than build server farms that produce a lot of waste heat, why not have distributed Data Furnaces, that heat home and offices at the same time as providing cloud computing? This is a serious suggestion and they provide facts and figures to make it all seem viable. So when it gets cold all you have to do is turn up the number crunching ..."



Oh boy, free money! Right?

http://www.lawsuitjackpots.com/index.html

Lawsuit Jackpots

Lawsuit Jackpots.com is a free and independent source of information and news about emerging legal issues, established legal issues, lawsuits filed, lawsuits in progress, settlements, unclaimed property, class actions, mass tort law, law firms, individual lawyers, other legal resources and legal matters of interest to consumers and the entire legal community. Consumers will find the Site helpful for seeking legal remedy for being victimized and lawyers will find the site helpful for disseminating useful information about themselves, their areas of expertise and active legal matters which they are currently handling.


Friday, July 22, 2011

Oh, the horror! My favorite anchovy/sausage pizza at risk! Well, maybe not...

http://www.databreaches.net/?p=19722

Franchises from at least three national pizza chains hacked

July 21, 2011 by admin

Scott Thomas Anderson reports:

The rampant hacking of credit cards and ATM accounts that has hit Amador County is partly the result of “malicious software” installed at a Martell business, according to investigators from Amador County Sheriff’s office. Worse yet, six months of online victimization may not be over for some locals, particularly for those who entered Mountain Mike’s Pizza last winter without cash in their hands.

Sheriff’s officials updated reporters yesterday afternoon about a lengthy investigation into more than 70 cases of ATM/credit card fraud inundating its investigations bureau. Additional cases have also been reported to the Jackson Police Department. Undersheriff Jim Wegner said his detectives had been working closely with fraud units from several banks affected by the string of crimes, which began at the end of 2010 and gained an almost overwhelming momentum by February of this year.

Read more on Ledger Dispatch.

So far, only that one Mountain Mike’s Pizza store in California has been identified as having been breached from that chain, but other national chains have not been so fortunate, it seems.

In March, Extreme Pizza disclosed that the point of sale (POS) systems at a number of its west coast franchises had been compromised beginning in August 2010. Customers’ credit and debit card numbers were reportedly misused between then and January 2011. In an FAQ on its site, the chain said it was first made aware of the breach on February 28, 2011. Sixteen stores in California as well as stores in Colorado and Oregon were affected.

Both the Extreme Pizza and Mountain Mike’s Pizza breaches were on the west coast, where a third national pizza chain, zpizza, is also headquartered. zpizza provided DataBreaches.net with the following statement:

Zpizza was affected by malware on our point of sales system used to process credit and debit card transactions at 12 of our locations. These incidents did not involve an internal security issue within zpizza, and based on investigation, we have sufficient reasons to believe that zpizza is one of many small businesses across the nation that was affected by a computer hacker. Additional details about the issue are on store websites.

Zpizza is working with the Secret Service to address and resolve this issue as quickly as possible. Additionally, we have hired an outside consultant to ensure that our point of sale systems are secure and protected from any further intrusion.

[...]

The notice posted on individual stores’ web sites in mid-May read:

An Important Notice to our Customers

This notice pertains to any customer who used a credit card or debit card at the (LOCATION) zpizza location from September 2010 through and including January 2011. In advance, zpizza apologizes for any inconvenience that you may experience from the circumstances described below.

Zpizza recently discovered that an unauthorized person wrongfully accessed certain point of sale systems that zpizza uses to process credit and debit card transactions. Based upon its investigation to date, zpizza reasonably believes that a computer hacker improperly acquired credit and debit card information. This incident did not involve an internal security issue within zpizza. [Except that it was their “internal security” that was breached? Bob] In fact, zpizza has learned that it is one of many small businesses across the nation that has been affected by this computer hacker.

Zpizza has moved swiftly to address this unfortunate incident and is working with the Secret Service to investigate it. zpizza is also working with an outside consultant to ensure that its point of sale systems are secure and protected from any further intrusion.

If you have used your credit card or debit card at this zpizza location from September 2010 through and including January 2011, please consider taking the following immediate steps in order to prevent the unauthorized and unlawful use of your personal information:

[...]

Some of the locations of affected zpizza stores include California, Montana, and Virginia.

Elsewhere, a breach involving a national pizza chain was also rumored to be the source of card fraud reports in the Ohio area, but whether that will pan out (no pun intended) and whether it’s yet another national pizza chain remains to be seen.

Firefly POS Implicated?

At least a few people involved with the situation have been pointing fingers at the Firefly POS software. Over on PMQ.com, a forum for the pizza industry, one owner wrote:

We had a breach of our credit card system. Talked to the bank fraud unit, the local authorities and forensic audit companies. The indication is that the majority of credit card breaches have been with the Firefly/Granbury system from what the people we contacted have said.

Other sources with knowledge of the situation also allege that the breached units of Extreme Pizza and zpizza were all, or almost all, using Firefly. A spokesperson for zpizza confirmed to DataBreaches.net that their breached units were using Firefly.

Whether the Firefly allegations are also correct for Extreme Pizza and other pizza stores could not be confirmed at the time of this posting. Granbury was contacted several times over the past two weeks and asked to respond to the allegations but did not provide answers to questions posed or any statement specifically addressing a number of allegations that have been made.

Charles Hoff, an attorney who has been involved in a number of high-profile cases where restaurants have sued POS vendors and/or their installers replied “No comment” when asked whether he has been asked to file any lawsuits against Firefly, its parent company, Granbury, or any of their authorized installers.

Deja Vu All Over Again?

The breach description for Mountain Mike’s Pizza sounds somewhat like a number of restaurant breaches in 2008 that occurred when login credentials to remote access to the desktop were left in a default state and were exploited by hackers. [Let's hope that isn't the case again! Bob] At least one commenter on PMQ.com indicates that his system was breached by a remote-access account that had been enabled to allow support.

As of 2006, Visa had issued warnings about the risks of enabling remote access software – warnings that it has repeated numerous times since. Despite Visa’s repeated warnings, remote access compromise accounted for 41% of attacks in the merchant category during the period January 2009 – June 2010. As recently as April 19, Visa issued an alert, “Remote Access Vulnerabilities—Most Frequent Attack Method Used by Intruders,” and asked acquirers and processors to share the alert with merchants as soon as possible. But despite repeated warnings, either Level 4 merchants have not gotten the message or they have not understood how to ensure they comply with industry standards on firewalls and the need to change default configurations.

Ultimately, of course, it is the stores that are responsible for the security of customers’ credit card and debit card data, and it is the stores that suffer if customers stop using cards or stop frequenting a store if they’ve suffered fraud as a result of transactions with a merchant. But are the processors, acquirers, vendors, and installers doing enough to help the merchants who pay large fees to get a system that they believe is compliant? It doesn’t seem so if four years later, we are still talking about a lot of POS hacks in the restaurant sector.

In the meantime, if these breaches occurred in August and September of 2010 and there was a rash of fraud, how many other national pizza chains were also affected that we haven’t yet found out about in the media? Hopefully, some of the mainstream journalists will start digging into this a bit more.



I suspect (hope!) they used very weak encryption. I'd hate to think serious encrypting could be easily broken.

http://www.databreaches.net/?p=19760

StudentCity.com hacked; hackers decode encrypted credit card data

July 21, 2011 by admin

I just read a breach disclosure to the New Hampshire Attorney General’s Office with accompanying notification letters to those affected that impressed me favorably. But first, to the breach itself:

StudentCity.com, a site that allows students to book trips for school vacation breaks, suffered a breach in their system that they learned about on June 9 after they started getting reports of credit card fraud from customers. An FAQ about the breach, posted on www.myidexperts.com explains:

StudentCity first became concerned there could be an issue on June 9, 2011, when we received reports of customers travelling together who had reported issues with their credit and debit cards. Because this seemed to be with 2011 groups, we initially thought it was a hotel or vendor used in conjunction with 2011 tours. We then became aware of an account that was 2012 passengers on the same day who were all impacted. This is when we became highly concerned. Although our processing company could find no issue, we immediately notified customers about the incident via email, contacted federal authorities and immediately began a forensic investigation.

According to the report to New Hampshire, where 266 residents were affected, the compromised data included students’ credit card numbers, passport numbers, and names. The FAQ, however, indicates that dates of birth were also involved.

Frustratingly for StudentCity, the credit card data had been encrypted but their investigation revealed that the encryption had broken in some cases. In the FAQ, they explain:

The credit card information was encrypted, but the encryption appears to have been decoded by the hackers. It appears they were able to write a script to decode some information for some customers and most or all for others.

The letter to the NH AG’s office, written by their lawyers on July 1, is wonderfully plain and clear in terms of what happened and what steps StudentCity promptly took to address the breach and prevent future breaches, but it was the tailored letters sent to those affected on July 8 that really impressed me for their plain language, recognition of concerns, active encouragement of the recipients to take immediate steps to protect themselves, and for the utterly human tone of the correspondence.

Kudos to StudentCity.com and their law firm, Nelson Mullins Riley & Scarborough, LLP, for providing an exemplar of a good notification. [About time someone figured it out... Bob]



I thought their security sounded a bit weak... What does this do to the case if everything is already available on the Internet?

http://www.wired.com/threatlevel/2011/07/science-pirate-bay/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Huge Trove of Academic Docs Posted Online in Response to Activist Arrest

Just two days after activist hacker Aaron Swartz was charged with hacking for downloading too many academic articles, a giant collection of articles from the same service has been posted to the notorious file sharing search engine, The Pirate Bay.

The documents are allegedly 18,952 scientific articles from the Philosophical Transactions of the Royal Society that were downloaded at some point from the scholarly archive service JSTOR. JSTOR is the same service that Swartz is accused of stealing from for downloading 4 million articles via a guest account at MIT.

But according to the note accompanying the huge download, these are not the files that Swartz is accused of downloading (and returning). Instead, the manifesto says the documents came from another source, and the manifesto is signed by a person identifying himself as Greg Maxwell. The manifesto says the documents date back before 1923, making them public domain — though that contention might not be the case, given the difference between U.S. and U.K. copyright laws.



Stephen Rynerson points me to a service for those of us who don't want to play in TSA's Security Theater. Flying in a small plane means you can't possibly be a terrorist and therefore don't need to go through security. I think this may even be cheaper than Stephen's private jet!

http://blogs.forbes.com/edzitron/2011/06/29/planered/

PlaneRed To Taunt Airlines, TSA

PlaneRed is an all-you-can-eat flight subscription launching around September 1st 2011 that will fly just below the TSA’s radar – using 9-person planes to dodge under their screening of any plane carrying over 10 passengers. The subscriptions will work as such – passengers will pay around $150 a month for access to a booking system much like a city bus, able to book on popular routes on the east coast, serving Atlantic City, New York, Philadelphia, Washington D.C. They hope to expand quickly to Boston, and then open up new runs in Texas, California, and the Midwest.

… They’re seeking VC investment, but only from those who understand what they’re going for and share the pain of the average airline passenger. “Anything that lets us fly faster, better, and simpler is welcomed around here.”

The first 10,000 signups to PlaneRed’s website will have access to the initial subscription packages.



Still early days, but worth looking at (and trying to educate your Congressman?)

http://www.pogowasright.org/?p=23791

The SAFE Data Act: An admirable attempt that needs expansion



I wonder why they don't already spell this out in their policy... Bad security and bad insurance choices?

http://www.databreaches.net/?p=19747

Sony insurer sues to deny data breach coverage

July 21, 2011 by admin

Ben Berkowitz reports:

One of Sony Corp’s insurers has asked a court to declare that it does not have to pay to defend the media and electronics conglomerate from mounting legal claims related to a massive data breach earlier this year.

Zurich American Insurance Co asked a New York state court in documents filed late on Wednesday to rule it does not have to defend or indemnify Sony against any claims “asserted in the class-action lawsuits, miscellaneous claims, or potential future actions instituted by any state attorney general.”

Read more on Reuters. Chris Dolmetsch of Bloomberg also covers the lawsuit.

I’ve uploaded a copy of the complaint and summons as well as the exhibits.

[From the Reuters article:

Zurich American, in its court papers, said 55 purported class-action complaints have been filed in the United States against Sony.

… Zurich American said its policy only covers the Sony unit for "bodily injury, property damage or personal and advertising injury." It said no such claims have been made in any of the class-action lawsuits.



Some may even be worth watching...

Videos from Health Privacy Summit Now Available

By Dissent, July 22, 2011

Organizers of the June 13th, D.C. Health Privacy Summit, “Getting IT Right: Protecting Patient Privacy in a Wired World” [http://www.healthprivacysummit.org], today announced the release of all videos from the Summit.

… For the full agenda, more information on the panels, and links to each video, see: http://www.healthprivacysummit.org/agenda.



Yes. The actual question is “By whom?” and under what circumstances?

http://www.pogowasright.org/?p=23809

Are Student Cell Phone Records Discoverable?

July 21, 2011 by Dissent

Joshua A. Engel reports:

The debate over when officials can search a student’s cell phone is an emerging e-discovery issue. This is illustrated in the recent case N.N. v. Tunkhannock Area School District, Civil Action No. 3:10-CV-1080, U.S. District Court for the Middle District of Pennsylvania.

In this case, a student at Tunkhannock Area High School in Tunkhannock, Pa., violated a school policy requiring cell phones to be turned off and stored in lockers during the school day by placing a call from her cell phone while on school property. A teacher confiscated the phone. School officials then examined the contents of the cell phone and discovered what appeared to be inappropriate photographs stored in the phone’s memory. [Why would they do that? Bob]

Read more on Law Technology News.



For my Computer Security and Ethical Hacking students. First Rule: Protect yourself. Second Rule: Leave no traces. (Eighty-fourth Rule: Send 10% to my Swiss Account)

A Linux Distro From the US Department of Defense

"The Lightweight Portable Security distribution was created by the Software Protection Initiative under the direction of the Air Force Research Laboratory and the U.S. Department Of Defense. The idea behind it is that government workers can use a CD-ROM or USB stick to boot into a tamper proof, pristine desktop when using insecure computers such as those available in hotels or a worker's own home. The environment that it offers should be largely resistant to Internet-borne security threats such as viruses and spyware, particularly when launched from read-only media such as a CDROM. The LPS system does not mount the hard drive of the host machine, so leaves no trace of the user's activities behind."



Gosh, maybe there are legitimate uses for BitTorrent...

http://torrentfreak.com/artists-share-50000-free-music-albums-on-bittorrent-110721/

Artists Share 50,000 Free Music Albums on BitTorrent

With more than 300,000 tracks and 50,000 albums published since its inception, the music publishing website Jamendo holds one of the greatest libraries of free music online. A great success story that is in part powered by BitTorrent. From the start the site embraced P2P downloads to save resources and because artists and fans appreciated it.

http://www.jamendo.com/en/



Tools for research?

7 Library Tools Students Would Find Handy

WorldCat

WorldCat.org lets you search the collections of libraries in your community and thousands more around the world. WorldCat is one of the largest networks of library content and services, which students can use to complete their projects, essays and other school/university related work.

LOC Catalog

LOC Catalog contains a massive library of books, serials, computer files, manuscripts, cartographic materials, music, sound recordings, and visual materials which can be useful for students. They can search for different books to study for their exams, complete assignments and much more.

Smithsonian Institution of Libraries

SIL was founded in 1846 and manages around 20 branches today, which contain hundreds of thousands of books and electronic journals that students can consult and take help from.

Libweb

Libweb consists of over 8000 pages covering over 146 countries, which can be used to search libraries by location, name and other information, and can be used by students to find out about libraries in their areas.

National Library of Medicine

The National Library of Medicine (NLM), on the campus of the National Institutes of Health in Bethesda, Maryland, is the world’s largest medical library and collects materials, provides information and research services in all areas of biomedicine and health care.

Library Elf

Elf is a web-based and email tool for library users to keep track of their library borrowings and helps users keep track of what they have on loan from the library.

IPL2

ipl2 is a public service organization which helps students get answers to different academic questions from other students, volunteer library and information science professionals.



Attention all Academic (and other) researchers! Dilbert illustrates (in three frames) why selecting the proper sample increases the odds of a successful survey!

http://dilbert.com/strips/comic/2011-07-22/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+dilbert%2Fdaily_strip+%28Dilbert+Daily+Strip+-+UU%29


Thursday, July 21, 2011

Gary Alexander provides an article that just makes me giggle... I will definitely be using this one in my classes. (Note that studying ethics does not make you ethical...)

http://www.mail.com/scitech/news/571686-feds-harvard-fellow-hacked-millions-papers.html#.571348-stage-related1-3

Feds: Harvard fellow hacked millions of papers

A Harvard University fellow who was studying ethics was charged with hacking into the Massachusetts Institute of Technology's computer network to steal nearly 5 million academic articles.

… In an indictment released Tuesday, prosecutors say Swartz stole 4.8 million articles between September 2010 and January after breaking into a computer wiring closet on MIT's campus. Swartz, a student at the Edmond J. Safra Center for Ethics, downloaded so many documents during one October day that some of JSTOR's computer servers crashed, according to the indictment.

… A spokeswoman for JSTOR said Tuesday that Swartz had agreed to return all the articles so the company can ensure they aren't distributed. [How could either side prove that this happened? Bob]

… Demand Progress's executive director David Segal said on the website that the charges against Swartz don't make sense.

"It's like trying to put someone in jail for allegedly checking too many books out of the library," he said.

… Swartz had legitimate access to JSTOR through Harvard, but the company has usage restrictions that would have prevented such colossal downloads.

… According to the indictment, Swartz connected a laptop to MIT's system in September 2010 through a basement network wiring closet and registered as a guest under the fictitious name, Gary Host, in which the first initial and last name spell "ghost." [Apparently there was no restriction if you registered as “Guest?” Bob] He then used a software program to "rapidly download at extraordinary volume of articles from JSTOR," according to the indictment.

In the following months, MIT and JSTOR tried to block the recurring and massive downloads, on occasion denying all MIT users access to JSTOR. But Swartz allegedly got around it, in part, by disguising the computer source of the demands for data.

In November and December, Swartz allegedly made 2 million downloads from JSTOR, 100 times the number made during the same period by all legitimate JSTOR users at MIT.



Banks can't control how you build and maintain your end of the “secure transaction” link. But should they assume you didn't do it correctly?

http://www.databreaches.net/?p=19738

IL: Crystal Lake District 47 sues Home State Bank to recover hacking losses

July 21, 2011 by admin

Sarah Sutschek reports on another interesting case to follow in the courts:

About two years after losing more than $300,000 when its computer system was hacked, Crystal Lake District 47 is suing Home State Bank.

The lawsuit, filed in McHenry County, seeks $306,014 and “whatever other relief this court deems appropriate.”

According to the lawsuit, filed this week, unknown individuals hacked into the District 47 computer system in June 2009 through a “Clampi virus” and gained access to user names and passwords.

That information then was used to access the online banking system of Home State Bank, where the district had an account used to make direct deposit payroll payments for employees. A total of 46 fraudulent transfers were made.

Read more on Northwest Herald.



A government privacy standard?

http://www.pogowasright.org/?p=23787

NIST proposes new privacy controls for federal information systems and organizations

July 21, 2011 by Dissent

… The new document, Privacy Control Catalog, will become Appendix J of Security Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53, Revision 4). One of the foundational Federal Information Security Management Act (FISMA) documents, SP 800-53 is being updated to Revision 4 in December, 2011. SP 800-53 is also one of the Joint Task Force Transformation Initiative documents that NIST produces with the Department of Defense and the Intelligence Community.

“Privacy and security controls in federal information systems are complementary and mutually reinforcing in trying to achieve the privacy and security objectives of organizations,” said NIST Fellow Ron Ross, project leader of the FISMA Implementation Project and Joint Task Force.

Incorporating privacy controls into SP 800-53 and taking advantage of established security controls to provide a solid foundation for information security helps to ensure that privacy requirements will be satisfied in a comprehensive, cost-effective, and risk-based manner.

[...]

The publication may be found at http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-Appendix%20J

Read the full press release.

[From the press release:

The new privacy appendix:

  • Provides a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements deriving from federal privacy legislation, policies, regulations, directives, standards and guidance;

  • Establishes a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements, which may overlap in concept and in implementation within federal information systems and organizations;

  • Demonstrates the applicability of the NIST Risk Management Framework in the selection, implementation, assessment and monitoring of privacy controls deployed in federal information systems and organizations; and

  • Promotes closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards and guidance.



Gee, maybe the People's Republic of Massachusetts doesn't have “Secret” police. Even “activists” can understand the law; why can't the police?

Jury Acquits Citizens of Illegally Filming Police

"The Springfield (MA) Republican reports two men accused of illegally filming the process as they bailed friends out of jail last summer were acquitted of all charges Tuesday. Pete Eyre and Adam Mueller initially were granted permission to film the bail process, but later were forbidden by jail officials from recording the procedure. When they continued digitally recording their encounter with jail officials, they were arrested by police. Eyre and Mueller testified that they never attempted to hide the fact that they were recording at the jail. Not only did they ask permission to film the bail-out process — which initially was granted — but their recording devices were 'out in the open,' Eyre said. The jury found the defendants not guilty of three criminal counts: Each was acquitted of unlawful wiretapping, while Mueller also was acquitted of a charge of resisting arrest."

[From the article:

The prosecution claimed the defendants recorded law enforcement officials, then posted the nearly 28-minute video clip on the Internet without the officers' knowledge.

Northwestern Assistant District Attorney Jeffrey Banks argued that because the officers were unaware their images were transmitted to a third party and uploaded to the Web, that process took place in secrecy -- a violation of a so-called wiretapping statute forbidding the secret recording or hearing of a conversation, or aiding in the transmission or hearing of that conversation.

[Apparently it would have been Okay to record the officers as long as no one actually looked at the recording... Bob]



Privacy theater. They overlay a neutral image on the scan image. I must assume that the original image is still there and could be saved and retrieved at will.

http://www.wired.com/threatlevel/2011/07/ts/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

TSA Announces Privacy Overhaul of Nude Airport Scanners

… The announcement came despite a federal appeals court decision last week upholding the government’s right to use the advanced imaging technology, or AIT, scanners. The scanners produce a virtual nude image of travelers before they enter the terminal areas. The software upgrade, which will be installed on all the 250-plus scanners employing millimeter wave technology, will instead show a “generic outline of a person,” the TSA said.



Why yes, now that you point it out, those data centers are completely worthless. But you have to remember, they were built to pay back people who contributed to our campaign fund, not for any useful purpose.

http://news.cnet.com/8301-13578_3-20081384-38/government-shutting-down-hundreds-of-data-centers/

Government shutting down hundreds of data centers

The U.S. government is aiming to pull the plug on hundreds of unneeded data centers over the next few years in an attempt to save the taxpayers some hard-earned cash.

In a blog post published yesterday, the White House's Office of Management and Budget admitted that instead of consolidating data centers as many businesses have done in recent years, the government went in the opposite direction. Between 1998 and 2010, federal agencies actually quadrupled their number of data centers despite increases in the efficiency of data storage.



It's not hardware, it's not software, it's “Cloudware” (can I register that trademark?)

http://www.wired.com/gadgetlab/2011/07/os-x-10-7-lion-ditches-the-disk-offers-cloud-only-recovery/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

OS X 10.7 Lion Ditches the Disk, Offers Cloud-Only Recovery

… The very first thing that is impossible to ignore is that Lion only exists in the ether. There are not, nor will there be, physical media carrying the installer. Instead, you have to either buy a new Mac with Lion pre-installed, or download the 3.5GB installer from the Mac App Store. [UPDATE 2011-07-21 09:49:45. Apple will sell a Lion USB thumb drive for $70, starting in August. It will still be a lot cheaper to make your own]

… And what happens if your computer goes belly-up? Is there a recovery disk in the box? Nope. Apple gets around this by partitioning the boot drive and putting a utility called Lion Recovery onto it. When you have trouble, press Command-R when you start up and you’ll be booted into recovery mode. From there you can repair the disk, reinstall Lion or restore from a Time Machine backup.

I know what you’re thinking. What if the drive is completely dead? How do I rescue my Mac then? Well, the news is good and bad. The good is that, even if you slot in a brand-new, bare hard drive, the Mac will boot into “Internet Recovery” mode. This connects to Apple’s servers and grabs a copy of Lion Recovery, and you go from there. This works thanks to firmware installed on Lion-capable Macs bought from now on.



Logically, I wouldn't bother to pirate a copy of something I wasn't interested in (unless I was doing it for someone who was interested), so let's assume “interest.” It follows that this report makes sense.

Suppressed Report Shows Pirates Are Good Customers

"The movie and music industries think pirates are criminals and parasites who cost both industries billions of dollars in lost sales. In order to prove this fact a number of studies have been commissioned to help demonstrate the effect a pirate has on sales of entertainment. GfK Group is one of the largest market research companies in the world and is often used by the movie industry to carry out research and studies into piracy. Talking to a source within GfK who wished to remain anonymous, Telepolis found that a recent study looking at pirates and their purchasing activities found them to be almost the complete opposite of the criminal parasites the entertainment industry want them to be. The study states that it is much more typical for a pirate to download an illegal copy of a movie to try it before purchasing. They are also found to purchase more DVDs than the average consumer, and they visit the movie theater more, especially for opening weekend releases, which typically cost more to attend."



For my students. I don't care what you use, as long as you use something!

http://www.pcmag.com/article2/0,2817,2388652,00.asp

The Best Free Antivirus Software


(Ditto) Because free is good

http://www.thesofthelp.com/2011/07/ten-great-free-alternatives-to-adobe.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+alisoft7+%28alisoft7%29

Ten Great Free Alternatives to Adobe Acrobat For Editing PDF


(Double Ditto)

7 Tools for Creating Mind Maps and Outlines Online


Wednesday, July 20, 2011

Maybe not so anonymous? Ah, relief. No Ethical Hacking students. (Do we train them well or what?)

http://www.wired.com/threatlevel/2011/07/paypal-hack-arrests/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Feds Arrest 14 ‘Anonymous’ Suspects Over PayPal Attack, Raid Dozens More

… In the attacks on the financial-service companies — dubbed Operation Payback — thousands downloaded a tool called the Low Orbit Ion Cannon that joined their computers to the group attack on the target of the moment. However, the tool did nothing to hide a user’s IP address, making it possible for the target website to hand its server logs over to the authorities to track users down by their IP addresses.
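Both the JSTOR episode above (downloads at 100 times the volume of all legitimate users) and this Operation Payback item (participants identifiable from the target's server logs) come down to the same defender's question: which sources in the access log are generating traffic far beyond everyone else? This added example, not code from the original post or from any party mentioned in it, parses constructed Apache-style log lines and flags sources whose peak per-minute request count is both above an absolute floor and a multiple of the median source; the IPs, paths and thresholds are made up for the illustration.

```python
"""Added example: find request sources whose volume dwarfs everyone else's.

Parses Apache/nginx "combined" style access-log lines and measures each
client's peak request count inside a sliding time window.  All hosts,
paths and numbers below are constructed for the example, not real data.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Leading fields of the common/combined log format: client, ident, user,
# [timestamp], "request line", status, size.  Referer/agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def peak_rates(lines, window_seconds=60):
    """Map each client IP to its highest request count in any window_seconds span."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            stamps[rec["ip"]].append(rec["ts"])
    peaks = {}
    for ip, ts in stamps.items():
        ts.sort()
        peak = start = 0
        for end in range(len(ts)):
            # Slide the window start forward until it spans <= window_seconds.
            while (ts[end] - ts[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        peaks[ip] = peak
    return peaks


def flag_outliers(peaks, factor=10, floor=20):
    """Flag IPs whose peak is at least `floor` requests and `factor` x the median client.

    The absolute floor keeps a quiet site (median of 1 or 2) from flagging
    every slightly busier visitor; the factor echoes the "100 times all
    legitimate users" figure in the JSTOR indictment, scaled down here.
    """
    if not peaks:
        return []
    baseline = median(peaks.values())
    return sorted(ip for ip, p in peaks.items() if p >= floor and p >= factor * baseline)


def make_sample_log():
    """Constructed log: three ordinary clients and one source firing once a second."""
    fmt = '{ip} - - [22/Jul/2011:10:00:{sec:02d} +0000] "GET /article/{n} HTTP/1.1" 200 512'
    lines = []
    for n, ip in enumerate(("198.51.100.10", "198.51.100.11", "198.51.100.12")):
        for sec in (0, 20, 40):          # three requests per minute each
            lines.append(fmt.format(ip=ip, sec=sec, n=n))
    for i in range(50):                  # the flooding client
        lines.append(fmt.format(ip="203.0.113.7", sec=i, n=i))
    lines.append("not a log line")       # exercises the parser's rejection path
    return lines


if __name__ == "__main__":
    peaks = peak_rates(make_sample_log())
    print(peaks)                         # '203.0.113.7' -> 50, the others -> 3
    print(flag_outliers(peaks))          # ['203.0.113.7']
```

On a real log the median should be computed over a quiet baseline period rather than the window under investigation, otherwise a large enough flood drags the baseline up with it.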



Apparently you don't actually need to have evidence before you falsify it...

NH Man Arrested For Videotaping Police.. Again

"Back in 2006, a resident of New Hampshire's second largest city was arrested while at the police station attempting to file a complaint against officers. His crime? He had videotape evidence of the officers' wrongdoings. According to the police, that's wiretapping. After worldwide attention, the police dropped the charges. His complaint was found to be valid, but the evidence never saw the light of day. Well, guess what? Round two. There are differing reports, but again the police arrested Mr. Gannon and again, they seized his video camera. This time it's 'falsifying evidence' because he tried to hand off the camera, most likely to protect its contents. If there's the potential of police wrongdoing, how is it that the law permits the police to seize the evidence?"



Intent has no bearing?

Court Allows Webcam Spying On Rental Laptops

"Back in May there was a class action lawsuit filed against the rental company Aaron's, which had secretly installed spying software that would turn on a laptop's webcam, take pictures and then send them back to the company. Overall it seemed like a large invasion of privacy, which should at least warrant an injunction to stop use of the software until the case is settled, right? Not to the judge, who refused to order an injunction on the grounds that the family was no longer in possession of the laptop. As for everyone else still using their Aaron's laptops, the judge had this to say to them (PDF): 'Moreover, it is purely conjecture that the other members of the putative class will be subjected to remote access of personal information.'"



This is the top of that slippery slope that includes: “I won't vote for the guy.” (Just don't say that with a gun in your hand.)

http://www.wired.com/threatlevel/2011/07/obama-assassination-speech/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Urging Obama’s Assassination Is Lawful Online Speech, Divided Appeals Court Says



Who is responsible for protecting your money?

http://www.databreaches.net/?p=19694

Yet Another Bank Sued By A Small Business For Fraudulent Hacker Transfers

July 20, 2011 by admin

Ericka Chickowski reports:

A new court case brought to bear against Professional Business Bank by Village View Escrow Inc. continued the battle waged over who’s to blame for hacking attacks that leave small business accounts drained following online password theft. Filed in late June in the California Superior Court in Los Angeles, the case is the latest in a string of suits filed in U.S. courts by small businesses who believe their banks are to blame for failing to properly protect their accounts from predatory hackers.

Village View’s lawyers say the bank should be on the hook for $465,000 siphoned off by hackers in March 2010, plus bank fees and damages incurred by the loss. Village View told the court that Professional Business Bank led it to believe that the institution employed safe online banking practices when it signed with the bank in 2008.

Read more on Dark Reading.



For those of us who still read...

http://www.makeuseof.com/tag/5-websites-alert-book-lovers-book-releases/

5 Websites That Alert Book Lovers About New Book Releases



Does Twitter brand you a Twit? (What does my blog say about me?) Interesting read...

http://www.wired.com/magazine/2011/07/friendship_limits/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Facebook: Personal Branding Made Easy



It's been 42 years and we'll have to wait at least another 42 years to go back. Why? Simple, there are no registered voters on the moon...

http://www.wired.com/thisdayintech/2009/07/dayintech_0720/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

July 20, 1969: One Small Step … One Giant Leap …


Tuesday, July 19, 2011

I'm thinking this won't stand. If it is illegal to look at things in (electronic) plain sight, wouldn't that make what the police want to do illegal too?

http://www.pogowasright.org/?p=23758

Judge Grants Google ‘Street View’ Wiretap Appeal

July 18, 2011 by Dissent

David Kravets reports:

A federal judge sided with Google on Monday, granting the search giant the right to appeal his ruling that packet-sniffing on non-password-protected Wi-Fi networks is illegal wiretapping.

The decision by U.S. District Judge James Ware tentatively sets aside his June 29 ruling in nearly a dozen combined lawsuits seeking damages from Google for eavesdropping on open, unencrypted Wi-Fi networks from its Street View mapping cars. The vehicles, which rolled through neighborhoods across the country, were equipped with Wi-Fi–sniffing hardware to record the names and MAC addresses of routers to improve Google location-specific services. But the cars also secretly gathered snippets of Americans’ data. [If you are looking for the return address on a postcard (i.e. an unencrypted communication) it is unlikely that you would start your recording at the exact bit at which the return address begins. Recording more data is therefore inevitable, even if not intentional. Bob]

Read more on Threat Level.


(Related) It never rains but it pours...

http://www.pogowasright.org/?p=23763

Canadian privacy watchdog takes on Google

July 19, 2011 by Dissent

Vito Pilieci reports:

Canada’s privacy commissioner is preparing to take on Google Inc. over concerns about how the firm collects, retains and uses personal data.

In a little-noticed 46-page report, Jennifer Stoddart has outlined a year-long consultation into issues about online tracking, profiling and targeting. In her review the commissioner found that Google and other Internet giants, including Facebook and FourSquare, are collecting increasing amounts of data about users and not adequately informing people about the data collection or for what it is being used.

Read more on Ottawa Citizen.

This story is referring to the consultations report released in May (accompanying press release from May).


(Related) Would Google have avoided the hassle if they had done this? Or is this the electronic version of “Conspiracy?”

BBC Crowdsources 3G Coverage Map

"The BBC is asking Android users to install an app which will upload information about 3G and 2G coverage, in order to build up a map showing where Britain has signal. The company behind the app, Epitiro, previously worked with the regulator Ofcom to measure 3G speed, and apparently found that O2 is slightly faster."



The boys are back...

http://www.databreaches.net/?p=19676

LulzSec Hacks The Times with Brutal Murdoch Death Notice

July 18, 2011 by admin

Brian Barrett reports:

Well, seems like LulzSec has returned, and moved beyond the DDOS attack! Not content to merely shut down one of Rupert Murdoch’s paper’s websites, the hacking group has instead planted a bizarro-Onionesque account of the mogul’s death-by-palladium on a Times redesign page masquerading as The Sun. Well played, #AntiSec.

Read more on Gizmodo.

As to why I’m covering this hack on my blog, well, the hackers claim to have acquired News of the World executives’ phone numbers and email logins and they’ve started leaking them, with much more promised for tomorrow.

Also on Gizmodo, Sam Biddle writes:

The fruits of today’s Sun UK hack are starting to dangle down: LulzSec (out of retirement?) and Anon are tweeting logins of some serious British media brass. Foremost? Rebekah Brooks, the epicenter of England’s voicemail hacking scandal. Update: phone numbers!

The tweet divulged the email and password info for one Rebekah Wade—Brooks’ maiden name—along with many others from Murdoch’s tabloid upper crust:

Read more on Gizmodo.



Soon, only old codgers like me will have paper books...

http://www.wired.com/epicenter/2011/07/borders-liquidation/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Closing the Borders: End of an Era in Bookselling

Borders told a federal bankruptcy court Monday that it will close its remaining 399 stores and liquidate its assets, with store closings starting as soon as Friday.


(Related) The book is not dead

http://www.makeuseof.com/tag/read-hipster-3-libraries-browser/

Read Like A Hipster With These 3 Libraries For Your Browser

Online Novels

As a basic link list, Online Novels does not provide a sexy, decked-out, graphically-oriented website. However, it does exhibit quite a few novels with very detailed and articulate descriptions of each one.

Booksie

Booksie is a community for aspiring writers to publish their work one chapter at a time. This site is a little more user-friendly than its Online Novels counterpart, and it also offers free audiobooks, PDFs, and eBooks.

WeBook

As previously mentioned in the MakeUseOf directory, WeBook is like the Texas cage-fighting match of online literature. The premise of the entire site is that authors submit their work, let you read it, and as it gains popularity (by your votes), it will eventually reach an agent who can get it published… and make it mainstream.


(Related) For all my students... Books are readable through the Kindle App on your PC and most other devices...

http://www.thetechherald.com/article.php/201129/7401/Kindle-Textbook-Rental-service-offers-huge-student-savings

Kindle Textbook Rental service offers huge student savings

According to Amazon, the Kindle Textbook Rental platform will enable customers to save up to 80 percent off the usual purchase price of textbooks.

… Tens of thousands of textbooks for the 2011 school year are already available and the service is supported by publishers such as John Wiley & Sons, Elsevier, and Taylor & Francis.


(Related) On the other hand...

http://www.pcworld.com/businesscenter/article/229888/why_ebooks_are_bad_for_you.html?tk=out

Why E-Books Are Bad for You

… current e-reading technology is fundamentally bad for people, says Richard Stallman, founder of the free software movement and the GNU Project. In an article entitled, "The Dangers of E-Books" (PDF), Stallman makes the case that e-books are "a step backward from printed books."

'More Restrictive Than Copyright Law'

Books printed on paper can be purchased anonymously with cash without signing any kind of license that restricts the purchaser's use of the book, Stallman notes. No proprietary technology is required, and it's sometimes even lawful under copyright to scan and copy the book.

Once it's paid for, the purchaser owns the book, and no one has the power to destroy it.

Contrast that situation with Amazon e-books, where users are not only required to identify themselves to purchase an e-book, but also to accept "a restrictive license" on their use of it, Stallman notes.

"In some countries, Amazon says the user does not own the e-book," he asserts. "The format is secret, and only proprietary user-restricting software can read it all."

Copying such e-books is "impossible due to Digital Restrictions Management in the player," he adds, "and prohibited by the license, which is more restrictive than copyright law."



Dilbert explains my place in the digital world...

http://dilbert.com/strips/comic/2011-07-19/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+dilbert%2Fdaily_strip+%28Dilbert+Daily+Strip+-+UU%29


Monday, July 18, 2011

For my Intro to IT students

http://mashable.com/guidebook/

Guide Books

The Twitter Guide Book

The Facebook Guide Book


(Related) There is a downside...

NCAA to Tighten Twitter Rules

"Facebook and Twitter have made student athletes more accessible than ever, but Tweets that catch the watchful eye of the NCAA could be all that's needed to bring down a successful college athletic program. Among the allegations leveled against the Univ. of North Carolina by the NCAA is a failure to 'adequately and consistently monitor social networking activity,' which the NCAA argues would have caused the school to detect other violations sooner than they did. To cope with the daunting task of monitoring hundreds of accounts on a daily basis, some sports programs are turning to software like UDiligence, while others are opting for a simpler approach, such as having a coach frequently check on posts from the team's players."



Richard Nixon called it his “Enemies List” but the concept is the same. “Fail to bow to my authority and you are forever doomed to feel my wrath!”

http://www.pogowasright.org/?p=23754

UK: Councils compile databases of over 9,000 ‘troublemaking’ residents

July 18, 2011 by Dissent

Frank Manning writes:

It has been revealed that council bureaucrats have been keeping secret databases of residents who have been involved in disputes with them.

At least 9,000 people are on the lists, kept by more than 40 councils around England. The reasons for placing people on the databases vary from council to council but many of them are exceedingly trivial, such as arguing with a council official or a dustman.

Read more on Big Brother Watch.



“To err is human; to really screw things up takes a computer.” I think we should add: “Humans relying on computers raise ‘Mistake’ to a whole new level.”

Facial Recognition Gone Wrong

"John H. Gass hadn't had a traffic ticket in years, so the Natick resident was surprised this spring when he received a letter from the Massachusetts Registry of Motor Vehicles informing him to cease driving because his license had been revoked. It turned out Gass was flagged because he looks like another driver, [This would not have been possible without the computer Bob] not because his image was being used to create a fake identity. His driving privileges were returned but, he alleges in a lawsuit, only after 10 days of bureaucratic wrangling to prove he is who he says he is. And apparently, he has company. Last year, the facial recognition system picked out more than 1,000 cases that resulted in State Police investigations, officials say. And some of those people are guilty of nothing more than looking like someone else. Not all go through the long process that Gass says he endured, but each must visit the Registry with proof of their identity. [I don't suppose a drivers license would be sufficient? Bob] Massachusetts began using the software after receiving a $1.5 million grant from the US Department of Homeland Security as part of an effort to prevent terrorism, reduce fraud, and improve the reliability and accuracy of personal identification documents that states issue."



As I tell my Statistics students, half the world is below average and someone has to be way to the left on the curve...

Sydney Has 10,000 Unsecured Wi-Fi Points

"A bunch of researchers have been driving around Sydney, Australia, and scanning for unsecured Wi-Fi networks. You'd think that in this day and age, with all that we've learned about security, that Wi-Fi security would be almost universal ... but the truth is that about 2.6 percent don't even have basic password protection. Extrapolating a little, that adds up to 10,000 unsecured Wi-Fi networks across Sydney alone."



Worth reading for “the power of defaults” alone!

http://www.wired.com/magazine/2011/06/ff_gamed/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

How Online Companies Get You to Share More and Spend More