Saturday, September 10, 2011



Interesting that this was available online for nearly a year before anyone noticed. Perhaps files should contain a message like: “This file has been stolen from Stanford Univ. hospital. There is a reward for notifying us. There is an even bigger reward for helping us to identify the thief.”
By Dissent, September 8, 2011
Kevin Sack reports:
A medical privacy breach at Stanford University’s hospital in Palo Alto, Calif., led to the public posting of medical records for 20,000 emergency room patients, including names and diagnosis codes, on a commercial Web site for nearly a year, the hospital has confirmed.
Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called “Student of Fortune,” which allows students to solicit paid assistance with their school work. Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.
[...]
The spreadsheet contained names, diagnosis codes, account numbers, admission and discharge dates, and billing charges for patients seen at Stanford Hospital’s emergency room during a six-month period in 2009, Mr. Migdol said. It did not include Social Security numbers, birthdates, credit-card accounts or other information used to perpetrate identity theft, he said, but the hospital is offering free identity protection services to affected patients.
The breach was discovered by a patient and reported to the hospital on Aug. 22, according to a letter written four days later to affected patients by Diane Meyer, Stanford Hospital’s chief privacy officer.
Read more on The New York Times.
Interesting to note that the letter went out 4 days after they learned of the breach. California law mandates notification within 5 days – something Lucile Salter Packard Children’s Hospital was painfully reminded of when the state fined them for noncompliance with that requirement.


“How dare you call us crooks, “Crooks!”
The best defense is a good offense?
Excellent legal strategy for dealing with “nuisance lawsuits,” but probably unwise when you are guilty.
Paxfire Files $80M Defamation Countersuit Against Web User
September 9, 2011 by Dissent
Wendy Davis reports:
Last month, Web user Betsy Feist alleged in a lawsuit that the company Paxfire and Internet service provider RCN “intercepted, monitored, marketed, and divulged” her search history to a third party.
The claims largely stemmed from a report that RCN and other ISPs were working with Paxfire to divert search traffic by sending some users who queried on brand names directly to marketers’ pages, rather than returning search results for those queries.
Paxfire has now fired back with a $80 million countersuit against Feist.
[....]
In its counterclaim against Feist, the company says she defamed Paxfire with her allegations and also interfered with its business relationships. Paxfire says that it lost several contracts as a result of Feist’s allegations, including deals with LinkShare and the ISP XO Communications.
People typically can’t be sued for defamation based on claims they make in court papers. Paxfire alleges that Feist (or her attorneys and agents) defamed it by making statements about the company to the publication New Scientist and advocacy group Electronic Frontier Foundation.
Read more on MediaPost.
Wow… talk about potentially chilling effects. This is another lawsuit to watch.
Update: I’ve uploaded a copy of Paxfire’s response to Feist’s complaint and counterclaim (30 pp. pdf). Paxfire is countersuing Feist for $30 million in compensatory damages and $50 million in punitive damages.


Instead of “killing the Internet” perhaps a simple “Big Brother is watching” message when you connect?
"In a widely circulated American Political Science Association conference paper, Yale scholar Navid Hassanpour argues that shutting down the internet made things difficult for sustaining a centralized revolutionary movement in Egypt. But, he adds, the shutdown actually encouraged the development of smaller revolutionary uprisings at local levels where the face-to-face interaction between activists was more intense and the mobilization of inactive lukewarm dissidents was easier. In other words, closing down the internet made the revolution more diffuse and more difficult for the authorities to contain."
As long as we're on the subject, reader lecheiron points out news of research into predicting revolutions by feeding millions of news articles into a supercomputer and using word analysis to chart national sentiment. So far it's pretty good at predicting things that have already happened, but we should probably wait until it finds something new before contacting Hari Seldon.


I've been bugging certain friends (you know who you are) that have hundreds of short “How to” guides already put together for students (or fellow teachers), to publish them and make a few bucks. This site seems to make it easy.
There are quite a handful of sites that let people who know how to do something difficult share their knowledge, but not that many of these actually let people generate an income when doing so. And that's where this new resource comes in. HowTo-Guidebook.com allows people to create guides explaining how to do anything tricky that they've mastered, help all those who are stuck and (what's even more interesting) earn money for doing so.
That's made possible because the site features a revenue sharing program that's letting each and every contributor generate a passive income by submitting a guide just once.

Friday, September 09, 2011

As we migrate to online (Cloud) services, the probability of failure decreases. However, the impact of a failure increases exponentially. Rather than knocking 1,000 users offline for a day, we now have the power(?) to knock hundreds of millions of users offline, if only for a few hours.
Microsoft’s Cloud Briefly Evaporates, Leaves Up To 365 Million Users Without Access For Four Hours


Contains a lot of the provisions you would expect. What are the odds it will pass?
New Blumenthal bill would require firms to beef up security and privacy practices
Sen. Richard Blumenthal (D-Conn.) introduced a new bill Thursday aimed at protecting consumers by punishing businesses, individuals and data brokers that misuse or fail to protect their data.
The Personal Data Protection and Breach Accountability Act would require businesses with the personal information of more than 10,000 customers to implement privacy and security programs to ensure the safety of pertinent data.
That includes regular testing of key controls and systems to prevent and respond to intrusions or attacks, with a frequency depending on a risk assessment also required by the law. Companies that allow a user’s data to be breached must foot the bill for two years of credit monitoring and other remedies.
… The Justice Department will be able to fine firms that violate the law $5,000 per violation per day, with a maximum of $20 million per violation. Individuals affected by violations of the law will also have the ability to bring civil actions against the businesses involved.
The bill also includes a data breach notification provision that is designed to amalgamate the patchwork of state laws that currently apply in the event of an attack.
… Finally, the legislation attempts to regulate the practices of data brokers, firms that collect the personal information of more than 5,000 individuals that are not direct consumers. The legislation would give consumers the ability to see their own records for a reasonable fee and request timely corrections to their data.


If BoA is violating the law, we can expect many more lawsuits.
Bank of America Sued Over Privacy Violations Due to Overseas Outsourcing
September 8, 2011 by Dissent
Jim Malmberg writes:
Last month, a new lawsuit was filed in District Court for the District of Columbia against Bank of America Corporation; the nations largest bank holding company. The suit alleges that B of A has been outsourcing certain functions to overseas companies and that as a result has given access to the personal financial records of American citizens to foreign nationals. If the allegation is correct, it would appear that B of A has violated the Right to Financial Privacy Act – a federal law – and could have exposed millions of account holders in such a way that they can easily become victims of financial crimes. Just as importantly, those same account holders may also be targeted for government snooping; no search warrant required.
Read more on GuardMyCreditFile.


I thought we were trying to reduce the population of Guantanamo?
FBI says Anonymous is a potential threat to national security


No doubt we share the same information with other countries...
Canadians denied U.S. entry over mental illness
September 9, 2011 by Dissent
Sarah Bridge reports:
More than a dozen Canadians have told the Psychiatric Patient Advocate Office in Toronto within the past year that they were blocked from entering the United States after their records of mental illness were shared with the U.S. Department of Homeland Security.
Lois Kamenitz, 65, of Toronto contacted the office last fall, after U.S. customs officials at Pearson International Airport prevented her from boarding a flight to Los Angeles on the basis of her suicide attempt four years earlier. [Note: This is from Police records, not medical records Bob]
[...]
So far, the RCMP hasn’t provided the office with clear answers about how or why police records of non-violent mental health incidents are passed across the border.
But according to diplomatic cables released earlier this year by WikiLeaks, any information entered into the national Canadian Police Information Centre (CPIC) database is accessible to American authorities.
Local police officers take notes whenever they apprehend an individual or respond to a 911 call, and some of this information is then entered into the CPIC database, says Stylianos. He says that occasionally this can include non-violent mental health incidents in which police are involved.
In Kamenitz’s case, this could explain how U.S. officials had a record of the police response to the 911 call her partner made in 2006, after Kamenitz took an overdose of pills.
RCMP Insp. Denis St. Pierre says information on CPIC not only contains a person’s criminal record, but also outstanding warrants, missing persons reports and information about stolen property, along with information regarding persons of interest in ongoing cases. It also can contain individuals’ history of mental illness, including suicide attempts.
Read more on CBCnews.


Since only the audio recording is at issue, there is a simple and obvious fix – but I bet they change the law rather than give up the audio. Another “Police are not regular citizens” exemption?
Privacy laws may prevent Seattle police from wearing body cameras
September 9, 2011 by Dissent
Parella Lewis reports:
Could the Seattle Police Department improve its public image by wearing body cameras?
Seattle City Councilmember Bruce Harrell is spearheading a pilot program that could put small cameras on officers by the end of 2012. However, Bob Scales who work at the Seattle City Attorney’s Office, said a few issues under current Washington State privacy laws may stand in the way.
During a city council meeting on September 8, Scales said, “Under the Washington state Privacy Act, it is unlawful to make an audio recording of a private conversation except as authorized by the Act.”
Read more on MyFOX Spokane.


Here is how you do it. Not that it requires anyone to actually do it.
Mozilla issues do-not-track guide for advertisers
September 9, 2011 by Dissent
Loek Essers reports:
Mozilla issued a Do Not Track Field Guide to encourage advertisers and publishers to implement do-not-track (DNT) functionality.
The guide contains tutorials, case studies and sample code to illustrate how companies use the DNT technology. Mozilla aims to inspire developers, publishers and advertisers to adopt DNT and wants to put the control over Internet tracking into the hands of users. The browser maker wants to put a stop to behavioral targeting and pervasive tracking on the Web.
Read more on Computerworld.


Logic, what a concept!
"A file-sharing lawyer admitted this week that IP addresses don't by themselves identify someone accused of sharing copyrighted material online. To figure out who actually shared the pornographic movie at the center of the case, lawyer Brett Gibbs of Steele Hansmeier LLC told the judge (PDF) he would need to search every computer in the subscriber's household." [...and if there is a WiFi link, every computer in the neighborhood and any that happened to drive by... Bob]


Illogic, what a concept!
The Amazon-California tax debacle: We all lose
In this winter, summer, spring, and fall of our discontent, every politician with a larynx is opining on how best to reduce the country's unemployment rate. All the more reason, then, for California to ram through a piece of tax legislation that could cost a lot of new jobs.
So it was that today, Amazon caved, dropping its opposition to California's plan to force cyberretailers to collect taxes on online sales. The plan, originally slated to start in July, now will take effect next year as part of a deal under which Amazon agreed to end its push for a ballot referendum in return for a temporary delay.
Watching the down-to-the-wire maneuvering, the big surprise is that it's taken this long for states to go on the offensive. But a faltering economy has given them added incentive to change the rules. With e-commerce accounting for more than 20 percent of sales of consumer electronics and office supplies, this is expected to turn into a considerable windfall. For instance, California expects to rake in an extra $200 million annually.


The Economics of virtual money...
"Prominent Keynesian economist Paul Krugman has left a note on his blog at NYTimes about his view of Bitcoin, discussing its similarity to the gold standard and suggesting a drop in 'real gross Bitcoin product' as its users hoard the currency rather than spend it."


Well, I suppose it's better than nothing.
September 08, 2011
Early Journal Content on JSTOR, Free to Anyone in World
News release: "On September 6, 2011, we announced that we are making journal content in JSTOR published prior to 1923 in the United States and prior to 1870 elsewhere freely available to anyone, anywhere in the world. This “Early Journal Content” includes discourse and scholarship in the arts and humanities, economics and politics, and in mathematics and other sciences. It includes nearly 500,000 articles from more than 200 journals. This represents 6% of the content on JSTOR. While JSTOR currently provides access to scholarly content to people through a growing network of more than 7,000 institutions in 153 countries, we also know there are independent scholars and other people that we are still not reaching in this way. Making the Early Journal Content freely available is a first step in a larger effort to provide more access options to the content on JSTOR for these individuals. The Early Journal Content will be released on a rolling basis beginning today. A quick video tutorial about how to access this content is also available."


Researching very large datasets.
September 08, 2011
Opensource software framework project makes big business inroads
Bloomberg BusinessWeek: "...Hadoop...helps businesses quickly and cheaply sift through terabytes or even petabytes of Twitter posts, Facebook updates, and other so-called unstructured data. Hadoop, which is customizable and available free online, was created to analyze raw information better than traditional databases like those from Oracle."


For my Ethical Hackers: Why go to the effort of actually hacking when you can have your victims send you their data. (Would that be a viable defense in court?)
Researchers’ Typosquatting Stole 20 GB of E-Mail From Fortune 500
Twenty gigs of data is a lot of data in six months of really doing nothing,” said researcher Peter Kim from the Godai Group. “And nobody knows this is happening.”
Doppelganger domains are ones that are spelled almost identically to legitimate domains, but differ slightly, such as a missing period separating a subdomain name from a primary domain name – as in the case of seibm.com as opposed to the real se.ibm.com domain that IBM uses for its division in Sweden.
Kim and colleague Garrett Gee, who released a paper this week (.pdf) discussing their research, found that 30 percent, or 151, of Fortune 500 companies were potentially vulnerable to having e-mail intercepted by such schemes, including top companies in consumer products, technology, banking, internet communication, media, aerospace, defense, and computer security.


Also for my Ethical Hackers
Rip A DRM’d DVD Disk To ISO Format With BDlot DVD ISO Master [Windows]
BDlot DVD ISO Master is a free piece of software that does what very few free programs can do – bypass the various Digital Rights Management (DRM) technologies used to stop people from ripping DVDs, including Disney’s infamously tricky protection.


Yet another Ethical Hacker project...
DIY flying robo hacker threatens wireless networks
SkyNET combines a toy helicopter and a computer configured to attack Wi-Fi networks. The result is a drone the CIA would be proud of. The nasty little device can compromise computers on wireless networks and dragoon them into botnets. Botnets are widely used for hacking, denial-of-service attacks, and spamming.

Thursday, September 08, 2011


Distressing...
Breaches: Study Shows Over 806.2 Million Records Disclosed, Estimated Cost of $156.7 Billion
September 8, 2011 by admin
I’m still playing catch-up with everything I missed thanks to NatGrid’s profound incompetence in restoring power after a tropical storm knocked us offline. Here’s a press release I had missed:
The Digital Forensics Association announces the release of their second annual data breach report. “The Leaking Vault 2011- Six Years of Data Breaches” analyzes 3,765 data loss incidents, with a known disclosure of 806.2 million records.
Organizations seem to be in the news on a daily basis for disclosing data inappropriately. Hundreds of millions of people’s personal private information has been lost, stolen or otherwise shared with unauthorized parties. The problem of data breaches is one that potentially impacts the economic health of the victim organizations, upstream or downstream partners, and the data subjects who face direct financial consequences.
Key findings include:
The Leaking Vault 2011 presents data gathered from studying 3,765 publicly disclosed data breach incidents, and is the largest study of its kind to date. Information was gleaned from the organizations that track these events, as well as government sources. Data breaches from 33 countries were included, as well as those from the United States.
This study covers incidents from 2005 through 2010, and includes over 806.2 million known records disclosed. On average, these organizations lost over 388,000 people’s records per day/15,000 records per hour every single day for the past six years.
The estimated cost for these breaches comes to more than $156 billion to the organizations experiencing these incidents. This figure does not include the costs that the organizations downstream or upstream may incur, nor that of the data subject victims. Further, it is a low estimate of the cost, due to the fact that 35% of the incidents did not name a figure for records lost.
The Laptop vector remains the leader in incidents, but the Documents vector (printed material) is fast growing and demonstrates the need to manage both electronic data assets as well as printed documents. This vector has been trending upward for several years and is a potential contender for the incident leader if it continues.
The Hacking vector remains the records loss leader, responsible for 48% of the records disclosed in the study. The Drive/Media vector is in second place with the Web vector in third.
Outsiders continue to pose the largest risk in terms of both incidents and records disclosed. When the threat actor is an insider, the incident is significantly more likely to be accidental in nature. While accidental incidents are more prevalent, they also cause the most harm of the insider incidents in terms of records disclosed.
In 65% of the cases, the data disclosed included the data subject’s name, address and Social Security Number. In contrast, only 15% of the incidents disclosed Credit Card Numbers, and 16% disclosed medical information. Medical disclosures saw a significant increase with the addition of the 2010 data. This is more likely due to the reporting requirement of existing regulations going into effect than any actual increase of incidents. The incidents where criminal use of the data was confirmed increased by 58% from the prior report. The two vectors most likely to show criminal use were the Fraud-SE and Hack vectors.
A complete copy of “The Leaking Vault 2011- Six Years of Data Breaches” is available at: http://dfa.squarespace.com/storage/The_Leaking_Vault_2011-Six_Years_of_Data_Breaches.pdf
A quick perusal of the report indicates that its analyses are based on data collected by the Open Security Foundation DataLossDB.org project, the Privacy Rights Clearinghouse, and the Identity Theft Resource Center. This blog, my companion blog for healthcare sector breaches (phiprivacy.net) and I fuel all three of those sources – PRC and ITRC rely heavily on my blogs and I’m a moderator/curator for DLDB. If you’d like to conduct your own analyses of the more than 4,500 breaches in DLDB, contact OSF for licensing arrangements and use.
In the meantime, if you know of a breach I’ve missed – which becomes increasingly likely these days given all the hacks and leaks – please do let me know by email to breaches[at]databreaches.net or tweet it to @pogowasright. Thanks!


When all Health Care system are linked, the number (ans scope) of the breaches will likely skyrocket.
By Dissent, September 7, 2011
The U.S. Department of Health and Human Services Office of Civil Rights has submitted its mandated report to Congress on breach reports it has received. The report covers incidents reported between September 23, 2009 (the date the breach notification requirements became effective), and December 31, 2010. Here are some of the highlights of the report:
Major causes of breaches, as reported to and by HHS:
The breach reports submitted to the Secretary in 2009 described four general causes of incidents: (1) theft; (2) intentional unauthorized access to, use, or disclosure of protected health information; (3) human error; and (4) loss of electronic media or paper records containing protected health information.
[...]
The breach reports submitted to the Secretary in 2010 described five general causes of incidents, four of which were also reported in 2009: (1) theft; (2) loss of electronic media or paper records containing protected health information; (3) unauthorized access to, use, or disclosure of protected health information; (4) human error; and (5) improper disposal. In comparison to 2009, in 2010, the number of individuals affected by the loss of electronic media or paper records was greater than those affected by unauthorized access or human error. Moreover, the reports received in 2010 contained incidents involving an additional category, improper disposal of paper records by the covered entity or business associate… Theft was once again the most common reported cause of large breaches. Among the 207 breaches that affected 500 or more individuals, 99 incidents involved theft of paper records or electronic media, together affecting approximately 2,979,121 individuals.
A more refined analysis is contained in the report.
With respect to the smaller breaches (i.e., those affecting less than 500 individuals):
HHS received approximately 5,521 reports of smaller breaches that occurred between September 23, 2009, and December 31, 2009. These smaller breaches affected approximately 12,000 individuals. HHS received more than 25,000 reports of smaller breaches that occurred between January 1, 2010, and December 31, 2010. These smaller breaches affected more than 50,000 individuals.
The majority of small breach reports in 2009 and 2010 involved misdirected communications and affected just one individual each. Often, a clinical or claims record of one individual was mistakenly mailed or faxed to another individual. In other instances, test results were sent to the wrong patient, files were attached to the wrong patient record, emails were sent to the wrong addresses, and member ID cards were mailed to the wrong individuals.


Useful resources?
Future of Privacy Forum Releases “Privacy Papers for Policy Makers”
September 8, 2011 by Dissent
From FPF:
Future of Privacy Forum is pleased to share the second annual “Privacy Papers for Policy Makers,” showcasing leading analytical thinking about current and emerging privacy issues.
Leading Papers:
  1. Against Notice Skepticism (Forthcoming, 87 Notre Dame Law Review – 2012) *Draft
    Ryan Calo
  2. The Case for Online Obscurity
    Woodrow Hartzog and Frederic Stutzman
  3. Dispelling the Myths Surrounding De-identification: Anonymization Remains a Strong Tool for Protecting Privacy (Seen in the Canadian Law Review, vol. 8, no. 9, August 2011)
    Dr. Ann Cavoukian and Khaled El Emam
  4. The Failure of Online Social Network Privacy Settings
    Michelle Madejski, Maritza Johnson and Steven Bellovin
Notable Mentions:
  1. Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning
    Chris Hoofnagle, Mika Ayenson, Deitrich James Wambach, Ashkan Soltani and Nathan Good
  2. Regulating Privacy by Design
    Ira S. Rubinstein
Download the 2011 Privacy Papers for Policy Makers to read executive summaries and view full papers below.
View the 2010 papers here.


Since it is easier to beg forgiveness than to request permission, I'd bet they are already doing this and now want to acknowledge a small portion of the scope of their monitoring – perhaps to legitimize evidence shared with law enforcement?
The Spy Who Tweeted Me: Intelligence Community Wants to Monitor Social Media
A research arm of the intelligence community wants to sweep up public data on everything from Twitter to public webcams in the hopes of predicting the future.
The project is the brainchild of the Intelligence Advanced Research Projects Activity, or Iarpa, a relatively new part of the spy community that’s supposed to help investigate breakthrough technologies. While other projects exist for predicting political events, the Open Source Indicators program would be perhaps the first that mines data from social media websites.
… The science underlying the project is the notion that early indicators of major social upheavals might be hidden in plain, socially-networked sight. “Some of these changes may be indirectly observable from publicly available data, such as web search queries, blogs, micro-blogs, internet traffic, financial markets, traffic webcams, Wikipedia edits, and many others,” the announcement, published August 25, says. “Published research has found that some of these data sources are individually useful in the early detection of events such as disease outbreaks, political crises, and macroeconomic trends.”
… For those who fear the all-seeing surveillance state, Iarpa says there are some things the program won’t do. It won’t be used to predict events in the United States, for instance. Nor will it be used to track specific individuals. [“We've already got plenty of tools for that.” Bob]

(Related) Amusing, but it also makes clear that “public” areas of Social Networks can easily be monitored.
Robbery suspect's Facebook name: 'Willie Sutton Jr'
… The way the Smoking Gun has fired it up, Hippolite, a 23-year-old New Yorker, came under the suspicion of the police after bank employees gave them the partial license plate of a getaway car after a bank heist.
Being servants of the social interest, the police began monitoring Hippolite's Facebook page. Hippolite had, presumably, found Facebook's privacy settings of little interest. Those things are still tough to find anyway.
In their regular readings of Hippolite's Facebook musings, police reportedly found such thought bubbles as "I Gotta Get That $$$$$ Man!!!!" and the perhaps unfortunate "Crime pays my bills!"
It was on July 29, however, that Hippolite decided his Facebook profile needed a little undercover identity. So he reportedly changed his Facebook name to "Willie Sutton Jr."
Some might admire his enthusiasm for his apparent hero, a man who enjoyed a 40-year career of bank robbery but did, sadly, spend half of his life in jail.
… But he has been arrested for robberies at three Brooklyn branches of Chase and is a suspect in another 16 bank heists that all had a similar modus operandi--in this case, allegedly handing a note to the cashier that read: "GIVE ME ALL THE MONEY OR ELSE EVERYBODY DIES!!! $100s $50s $20s ONLY."
It may not have helped Hippolite's ultimate cause that his profile picture shows him holding what seems like a plethora of $100 bills.

(Related) Doesn't seem to help much with Guidelines...
Labor Board: Fired-For-Facebooking Employees Must Be Rehired
It’s no secret that an employer can, and probably should, do a little check-up on your internet presence before hiring you, and possibly afterwards. But as several unhappy people have found out, sometimes they look pretty hard, and have access to information you thought private. It can result in foot-in-mouth moments and occasionally punitive action. That was certainly the case when five workers were fired for their conduct on Facebook.
The post in question was a complaint about someone else’s complaint, and other employees joined in, including the person being complained about. A few days later, they were sacked; their employer said that the posts constituted harassment.
The workers felt their rights had been violated, and took it to the National Labor Relations Board. And incredibly, an NLRB judge has just ruled that all five must be hired back. I say “incredibly” because judicial comprehension of tech issues is a serious problem. Judge Arthur J. Amchan seems to have a head on his shoulders, though. He stated that the employees had not forfeited the protection of the law in their speech, which was well within the bounds of normal discussion of workplace conditions for which one can’t easily be fired.
The size of the precedent being set isn’t clear. It’s certainly a victory, but to blow it out of proportion would be a mistake. This was a one-time offense with some coffee-break jabbering — a fairly easy thing for the judge to see. But questions abound. What if it was systemic? What if it was in private messages? What if it had been going on for weeks? Months? What if the person being harassed has left the company?
It’s entirely possible that a company could institute a contract policy in which employees essentially do forfeit their right to private communication. And the line past which behavior becomes not just undesirable but a fireable offense isn’t clear at all. Like many other areas where communication is moving to new platforms, the boundaries have to be tested, and this ruling extends the safe zone by a little bit.


“Throw the book at them, Danno” Is there an International Organized Crime treaty?
"The Obama administration wants hackers to be prosecuted under the same laws used to target organized crime syndicates, according to two officials appearing in front of the Senate Judiciary Committee on Wednesday morning. From the article: 'Associate Deputy Attorney General James Baker and Secret Service Deputy Special Agent in Charge Pablo Martinez said the maximum sentences for cyber crimes have failed to keep pace with the severity of the threats. Martinez said hackers are often members of sophisticated criminal networks. "Secret Service investigations have shown that complex and sophisticated electronic crimes are rarely perpetrated by a lone individual," Martinez said.'"


Boys and their toys.
Lawyers and security experts share concerns over app security – ABA Journal
An article in the ABA Journal highlights the concerns that law professionals find with popular apps.
Chicago, September 7, 2011 – A recent article posted on the ABA Journal news site, “App-solutely Perilous? Security of Mobile Apps Spurs Concern” by By Richard Acello, points to findings by viaForensics as a cause for concern over the security of many mobile apps. The article states “lawyers may be especially vulnerable because of the varying levels of technical savvy in the profession, and because the apps in question provide services attractive to them.”
viaForensics provides a free appWatchdog service aimed at providing the public with information about potential insecurity of popular mobile applications. The hope is that developers will be motivated to take all appropriate measures to secure their apps.
In addition to checking out appWatchdog findings, viaForensics recommends other tips that mobile users can do to protect their data on a mobile device.
Read the full ABA Journal article here.

(Related) Does this suggest why Lawyers like the BlackBerry?
South Africa joins the call for BlackBerry messaging keys
September 7, 2011 by Dissent
Bill Ray reports:
South Africa has joined the call for access to the BlackBerry Messaging service, quoting the usual security concerns and pointing out that the UK plans much the same thing.
BBM, the BlackBerry messaging service, has become the medium of choice for the discerning ne’er-do-well, which is strange considering it is a good deal less secure than the email offered by the same handset. But the instant nature of messaging appeals to everyone, prompting the new action from the South Africans:
“There is evidence that criminals are now using BBM to plan and execute crime,” the deputy comms minister told his audience at a London conference on African telecommunications: “We want to review BBM like in the UK and Saudi Arabia.”
Read more on The Register.


A list of free and useful stuff.
"InfoWorld's Peter Wayner provides an in-depth look at the state of open source software and an overview of the best open source software of the year. 'It's easy to find hundreds of other positive signs of open source domination. If the mere existence of a tar file filled with code from the nether regions of a beeping device that's buried deep inside someone's pocket is all you need to feel warm and fuzzy about "open source," you might conclude that open source development is the most dominant form in the increasingly dominant platform of the future,' Wayner writes. 'But anyone who digs a bit deeper will find it's not so simple. Although the open source label is more and more ubiquitous, society is still a long way from Richard Stallman's vision of a world where anyone could reprogram anything at any time. Patents, copyrights, and corporate intrigue are bigger issues than ever for the community, and more and more people are finding that the words "open source" are no guarantee of the freedom to tinker and improve. Some cynics even suggest that the bright, open future is receding as Linux and other open source tools grow more dominant.' Included in the writeup are the best open source applications, best open source desktop and mobile offerings, best open source development tools, and best open source software for datacenters and the cloud."


This could be handy... I did a search on “Privacy” and the first entry in “Find privacy nearby” was the Sturm College of Law at DU.
WDYL: Search All Google Products On A Single Webpage
Google users often find themselves clicking on the “Images”, “Video”, and similar links at the top of the search results page when they use Google. This is done to get search results from different Google products. Fortunately you will no longer have to spend an extra click to get those additional results, all thanks to WDYL “What Do You Love”.
What Do You Love is a new page launched by Google that presents the search results of a query from all Google products. The search results are displayed in individual boxes placed next to one another. Each box has an arrow to browse over to the next result . A box on the far left lets you easily navigate the page.
Also read related articles:


Another handy tool
Google Takeout: Download All Your Google Data
Facebook is not the only online place you store valuable data; you also have important information stored in your Google account. Buzz, Contacts, and Picasa jointly hold a lot of your important information. Realizing that users might want a backup of their online information, Google has now launched a new web service entitled Takeout.
Takeout is a new web service by Google that lets it users download all their data stored in Google accounts. In addition to your Google Profile information, data is downloaded from Picasa, Contacts and Circles, and Google Buzz. The data is compressed into a ZIP archive and made available for download.
Google will gradually be adding more products to Takeout so you can create a backup of all your Google services.


I love technology projects my students can enthusiastically participate in... Now if we can only get past Step One: Empty the can
Boost Your WiFi Signal Using Only a Beer Can

Wednesday, September 07, 2011


At last! An indication that Sony is finally getting serious...
jmobley6030 writes with a bit in Gamer Gaia about Sony pulling out the big guns for their security infrastructure. Quoting:
"Months after the great PlayStation network attack things are starting to get back to normal around the gaming world. While it doesn't seem like another hack attempt will take place anytime soon Sony is fearful that it could happen again. Sony announced today via their corporate news feed that they have hired Philip R. Reitinger, a former Homeland security official, as Chief Information Security Officer at Sony."


How pervasive is it? We may learn , if this isn't appealed.
ACLU Wins Round in Battle Against Warrantless Cell Phone Location Tracking
September 6, 2011 by Dissent
Jay Stanley of the ACLU writes:
Today the ACLU won a significant victory in our battle to ensure that cell phones don’t become Big Brother tracking devices. Following a four-year fight, the U.S. Court of Appeals for the D.C. Circuit has ordered the Department of Justice (DOJ) to comply with our Freedom of Information Act (FOIA) request and turn over the names and docket numbers in numerous cases where the government accessed cell phone location data without a warrant.
Read more on the ACLU’s site and congratulations to the ACLU and EFF on this ruling!


Another case of “We're gonna do this unless you read the fine print...”
National Opt-Out Campaign Informs Parents How to Protect the Privacy of their Children’s School Records
September 6, 2011 by Dissent
Education New York & Information Policy Watch has issued the following release:
As cases of identity theft, database hacking, and the sale of personal information increase daily, the need to protect children’s privacy becomes even more urgent. Schools are a rich source of personal information about children that can be legally and illegally accessed by third parties. That’s why Education New York’s National Opt-out Campaign is alerting parents to their rights under the federal Family Educational Rights Privacy Act (FERPA) to restrict third-party access to their children’s information and encouraging them to review their school’s annual FERPA notification at the beginning of the school year.
You can read the full release on their web site. And while you’re there, take a moment to check out all of the student privacy resources Sheila has compiled, which include state-level bills that may impact your child’s privacy.


Could the data on the silo be used to defend a driver in court? Looks likely.
How AAA Tracks Teen Drivers Without Completely Crashing Their Privacy
September 6, 2011 by Dissent
Kashmir Hill has an interesting column over on Forbes. Here’s a bit of it:
Insurance companies have started offering drivers “roadside assistance” digital devices that can track and locate cars when drivers are in need of help. As Wired notes, State Farm’s On-Star competitor, In-Drive, can do more than just call a tow truck for a stranded driver or locate a stolen vehicle, it can also track driving habits, including “speed, time of day [driven], miles driven, acceleration, braking and the number of left and right turns.” Drivers who subscribe — for $5 to $15 per month — will see their premiums go down if they prove to be safe drivers.
[...]
AAA is currently offering a similar program for teen drivers in California and Texas, but it’s going about it differently. Cletus Nunes, a group manager at AAA in charge of “ACE Teen Pilot Program,” thinks that their competitors’ offerings are overly-invasive. “We’re sensitive to the concerns of our members,” says Nunes. “They’re using this data to rate drivers. They’re collecting information about how you drive. We’re not.”
Read more on Forbes.
[From the article:
AAA members in California and Texas (only states offering the program for now) can choose between two programs: 1) Pay-as-you-drive insurance with roadside assistance, or 2) Teen safety with roadside assistance.
The first collects only mileage, says Nunes, to set insurance rates accordingly (lower for light drivers, higher for heavier ones), and can pinpoint a car’s location when queried, though it doesn’t collect ongoing location info.
“We don’t collect where you are, how fast you’re driving, acceleration, or anything like that,” says Nunes.
The second program for teens, does collect that information, using the same device (it can be switched from one function to the other wirelessly). Nunes says the data is not sent to AAA; it’s instead siloed on a server for parents to access.


Fax machines are “sunk costs” – “It's paid for and it still works.”
"Deep End's Paul Venezia waxes befuddled on the ongoing existence of the fax machine. 'Consider what a fax machine actually is: a little device with a sheet feeder, a terrible scanning element, and an ancient modem. Most faxes run at 14,400bps. That's just over 1KB per second — and people are still using faxes to send 52 poorly scanned pages of some contract to one another. Over analog phone lines. Sometimes while paying long-distance charges! The mind boggles,' Venezia writes. 'If something as appallingly stupid as the fax machine can live on, it makes you wonder how we make progress at all. Old habits die hard. It just goes to show you: Bad technology generally isn't the problem; it's the people who persist in using that technology rather than embracing far superior alternatives.'"

Tuesday, September 06, 2011


Can there be viable crime statistics without facts?
(Update and Commentary): Why are states withholding the names of breached entities?
[Release omitted]
Note that neither the Complaint nor Plea Agreement, both of which I obtained from PACER, reveal the name of the restaurant in Stamford or the restaurant in New York where both defendants also worked. Why not?
Well, it turns out that in this case, we do know the name of the restaurants – because they were revealed in the prosecution of the co-defendant. In March 2010, another U.S. Attorney for Connecticut revealed the restaurants as P.F. Chang’s and Grand Lux Cafe in Connecticut and New York, respectively.
So why does the 2011 press release and court filings carefully omit the restaurants’ names? I’ve commented on this trend a number of times, as I do think we’re seeing a disturbing and growing trend whereby information is intentionally withheld from the public – information that is of public concern and that the public should have a right to know.
Are businesses putting pressure on states not to reveal this information? I have no evidence of that, but it wouldn’t surprise me at all. I do know that states that used to post breach notices online are no longer doing so. Maryland has not updated its site since last year and New York withdrew its site altogether. Budget cuts? Maybe. Coincidence? Maybe. But I’d really encourage all states that retain central depositories of breach notifications to post them online so that we have more usable information about statistics and trends.


Good luck with a new “Geneva convention” since it is highly unlikely that 'script kiddies,” hackers or terrorists will ever read it, let alone agree to it. (GCHQ is the British spelling for NSA...)
Stolen information worth £300m recovered by GCHQ
September 5, 2011 by admin
Duncan Gardham reports:
Details stolen from more than a million credit cards across Europe, worth an estimated £300 million, have been recovered by the GCHQ spy agency, The Daily Telegraph can disclose.
William Hague, the Foreign Secretary, said the agency had joined forces with the Serious and Organised Crime Agency to obtain the information as part of the ongoing cyber war against foreign states and criminals.
Read more on The Telegraph. No indication as to who the data thieves were or where/how the data were recovered.
[From the srticle:
A team of experts at GCHQ is understood to be working with the military to develop internet tools to strike back if states attack infrastructure such as water supplies, electricity and banking.
Mr Hague is seeking to agree new rules for cyberspace with China and Russia in order to put an end to such attacks.
… He is hoping to set up a new Geneva-style convention to govern cyberspace in the same way that a conventional battlefield has rules.


It's not just Homeland Security.
Online anonymity or pseudoanonymity is a threat – but only to businesses’ marketing plans
September 5, 2011 by Dissent
Two articles about online anonymity that you may wish to read: Efic Pfanner’s piece, “Naming Names on the Internet,” in the New York Times and Ben Grubb’s piece, “Death of anonymity online has net users fuming,” in The Age.
As both articles suggest, there is a strong sense in some circles that arguments about accountability are just a smokescreen for an ultimately financial purpose.
South Koreans recently learned the dangers of requiring real names when over half of the population had their personal information acquired by hackers.
As for myself, I never signed up for accounts for MySpace, Facebook, Google+, etc. I use Twitter because it allows me to use my pseudonym. And that’s just fine with me.

(Related) Why Irish Law is important?
Facebook faces major Irish privacy investigation
September 5, 2011 by Dissent
Roisin Burke reports:
Facebook faces a major probe by the Data Protection Commissioner (DPC) following ‘big brother’ type privacy complaints.
Facebook’s Dublin HQ will be subject to a massive audit by the Irish watchdog after a group in Austria lodged 17 complaints, claiming that even after Facebookers delete information the social media giant’s Dublin HQ keeps everything: data on who you’ve poked, tagged, ‘liked’, emailed, phone numbers — even information on sexual orientation and political views. It can amount to thousands of pages of information about you, the group, called Europe Versus Facebook, asserts.
Every Facebook user outside the US and Canada is protected by Irish privacy law as the company’s international headquarters is here.
Read more on Independent.ie


Why bother breaking encrypted email when you can use your own encryption...
Dutch firm linked to many more fraudulent Net certificates
The number of fraudulent security certificates issued by a hacked Dutch firm has ballooned from the 247 reported last week to 531, and the main purpose of the attack appears to have been to spy on Iranian dissidents.
The list of domains for which fraudulent Secure Sockets Layer (SSL) certificates were issued by DigiNotar, a root certificate authority, now includes sites such as the CIA, MI6, Facebook, Microsoft, Skype, Twitter, and WordPress, among others, according to a list released this weekend by the Dutch Ministry of Justice. In the wake of the new revelations, the Dutch government has reportedly expressed a lack of confidence in the Netherlands-based company and taken control of it.
… The Gmail incident affected mostly Iranian users, and it now appears the certificates might have been issued for the purpose of spying on Iranian dissidents, perhaps by the Iranian government.


Ah, to be a fly on the wall of the Boardroom... T-Mobile “lacks” spectrum, but AT&T wants it because of its spectrum... What's really going on?
T-Mobile may miss out on AT&T break-up fee, report says
AT&T may not be on the hook for the fee under certain conditions, a source told Reuters in a story that ran today.
… AT&T and T-Mobile were thrown for a loop last week when the Department of Justice sued to block AT&T's planned acquisition of T-Mobile, citing concerns over the loss of competition in the industry. AT&T has been scrambling to keep the deal alive and is expected to offer up more compromises to get the deal done.
Many in the industry expected AT&T to complete the acquisition, swayed by the unusually large break-up fees. Those fees are typical of M&A deals, ensuring some protection to the seller if the transaction falls through. But the large size, which includes $3 billion in cash and the balance in services, assets, and a roaming agreement, suggested AT&T was confident in its ability to close the deal.
The break-up fee would only be paid if certain conditions were met, Reuters said. The deal has to receive regulatory within a certain time, or the contract is deemed void. The value of T-Mobile also can't fall under a certain level, which could happen if the government requires that parts of the business have to be sold to get the deal approved.
Without the break-up fee, Deutsche Telekom is left with a weakened T-Mobile that has been hurt by the publicity over the pending deal. Despite offering price cuts and promotions, T-Mobile continues to lose its most valuable contract customers at an alarming rate. In addition, it lacks the spectrum to build its own true 4G wireless network.
The deal has proven to be a contentious issue. AT&T has argued that the deal is necessary to increase its spectrum position and allow for a wider deployment of 4G services, and has boasted supported from several states, its unions and technology companies. But opponents such as Sprint Nextel, consumer advocate groups and other wireless companies have argued that the deal would hurt competition and innovation in the industry.


Resource?
University of Michigan Guidelines for the Use of Social Media
The "Guidelines for the Use of Social Media" document provides:
General guidelines for sharing information that is not a matter of public record
Specific guidelines for posting to social media sites as an individual
Specific guidelines for posting on behalf of the University
Safety and privacy tips for social media


I have students and colleagues who use LinkedIn. These might be useful to find those little inconsistencies that contradict your resume...
2 Tools To Turn Your LinkedIn Profile Into A Neat-Looking Resume

Monday, September 05, 2011


What is the goal? We could look for potential terrorists (How can 'looking for trouble' be invasive?) or we could rely on a “politically correct” non-random, statistically invalid selection process that wastes time frisking 3 year-olds and wheelchair bound grandmas.
Is passenger-behaviour observation appropriate?
Canada's Privacy Commissioner is raising concerns about a new plan to bolster airport security.
Responding to the federal government's intention to use passenger-behaviour observation to look for terrorists, Jennifer Stoddart expressed concern that the program is potentially unfair to passengers.
"There is a huge possibility for arbitrary judgments to come into play," she said in an interview with The Canadian Press.
In the program, airport security officers watch for suspicious behaviour like travellers wearing a heavy coat on a hot day, or sweating profusely.


“How to win customers and influence markets” (with apologies to Dale Carnegie)
The Complete Guide To Freemium Business Models
… Most Internet products or services fall into the definition of an Experience Good: a product that needs a period of use before the customer can determine the value they can derive from it.
… There are plenty of academics who looked into the pricing of Experience Goods. In 1983, the Economist Carl Shapiro wrote a fascinating paper about this subject. His conclusion was that since customers tend to underestimate the value of a product, the optimal pricing for an experience good is a low introductory price which is then increased when the customer realizes the value of the product.
… the introductory price is a signaling mechanism. The conclusion? A low entrance price signals that you are confident that your product will create value for the customer.


Interesting problem. Perhaps Amazon should buy them?
http://www.nytimes.com/2011/09/05/business/in-internet-age-postal-service-struggles-to-stay-solvent-and-relevant.html?_r=1&pagewanted=all
Postal Service Is Nearing Default as Losses Mount
The United States Postal Service has long lived on the financial edge, but it has never been as close to the precipice as it is today: the agency is so low on cash that it will not be able to make a $5.5 billion payment due this month and may have to shut down entirely this winter unless Congress takes emergency action to stabilize its finances.
“Our situation is extremely serious,” the postmaster general, Patrick R. Donahoe, said in an interview. “If Congress doesn’t act, we will default.”
… At the same time, decades of contractual promises made to unionized workers, including no-layoff clauses, are increasing the post office’s costs. Labor represents 80 percent of the agency’s expenses, compared with 53 percent at United Parcel Service and 32 percent at FedEx, its two biggest private competitors. Postal workers also receive more generous health benefits than most other federal employees.
… Still, the agency is considering ideas, like gaining the right to deliver wine and beer, allowing commercial advertisements on postal trucks and in post offices, doing more “last-mile” deliveries for FedEx and U.P.S. and offering special hand-delivery services for correspondence and transactions for which e-mail is not considered secure enough.


Just in time for the Christmas shopping season?
Amazon tablet coming in November for $250?

(Related)
"Amazon's not the only big-name company planning on a budget-level tablet release; Lenovo recently announced their Ideapad A1 tablet as competition. I t includes a 1GHz Cortex A8 CPU, along with other features more commonly seen on higher-priced tablets, such as dual cameras, bluetooth, GPS, wifi, and a MicroSD slot. Is this the start of the Android tablet price avalanche?"


Seems to contradict my experience. I use lots of technology to teach Math, with good results in most cases.
September 04, 2011
Technology Spending by Schools Yields Few Calculable Advance
In Classroom of Future, Stagnant Scores: "… In a nutshell: schools are spending billions on technology, even as they cut budgets and lay off teachers, with little proof that this approach is improving basic learning. This conundrum calls into question one of the most significant contemporary educational movements. Advocates for giving schools a major technological upgrade — which include powerful educators, Silicon Valley titans and White House appointees — say digital devices let students learn at their own pace, teach skills needed in a modern economy and hold the attention of a generation weaned on gadgets... Critics counter that, absent clear proof, schools are being motivated by a blind faith in technology and an overemphasis on digital skills — like using PowerPoint and multimedia tools — at the expense of math, reading and writing fundamentals. They say the technology advocates have it backward when they press to upgrade first and ask questions later."