I feel a rant coming on...
Virginia Commonwealth University alerts 176,567 faculty, staff, students and affiliates to hacking incident
November 11, 2011 by admin
A notice was posted today on Virginia Commonwealth University’s web site:
To the VCU and VCU Health System communities:
A security incident has resulted in unauthorized access to a Virginia Commonwealth University computer server containing files with personal information on current and former VCU and VCU Health System faculty, staff, students and affiliates. We believe the likelihood is very low that any personal data on the individuals in the files was compromised, but it is impossible to be completely certain, [because we don't bother to record what happens on our servers? Bob] so we are notifying all involved via email and first-class mail.
On October 24, routine monitoring of servers supporting a VCU system uncovered suspicious files on one of the devices. The server was taken offline and a forensic investigation was launched [to see if we could figure out what the missing logs would have told us instantly. Bob] to identify what unauthorized activities had taken place and the vulnerabilities that led to the compromise. The vulnerabilities have been corrected, and it has been determined that this server contained no personal data.
Five days later, VCU’s continuing investigation revealed two unauthorized accounts had been created on a second server, which also was taken offline. Subsequent analysis showed the intruders had compromised this device through the first server. [Apparently the “forensic examination” did not discover this... Bob] The intruders were on the server a short period of time and appeared to do nothing other than create the two accounts.
Files on this second server contained data on 176,567 individuals. Data items included either a name or eID, Social Security Number and, in some cases, date of birth, contact information, and various programmatic or departmental information.
Our investigation was unable to determine with 100 percent certainty that the intruders did not access or copy the files in question. [...since there was no log. Bob] We believe the likelihood that they did is very low. However, because this data was potentially exposed, we are proactively informing of this event and subsequent actions affected individuals can take to monitor personal information.
… VCU continues its investigation and is working with local and federal law enforcement agencies.
… VCU is reviewing its information technology security measures and procedures and will make improvements to prevent this type of incident from happening again. [But we still won't bother with logs... Bob]
It’s a good description but I wish
they wouldn’t rush to minimize risk. The fact is, as they say,
that they don’t know. Under such circumstances, why not just tell
people what you do know and let them form their own assessment of
their risk so they can decide what to do, if anything?
h/t, CBS6 and Richmond Times-Dispatch.
Previous breaches involving VCU can be viewed on DataLossDB.org.
[Gibberish from the CBS6 article:
The hackers infected one of the servers with some type of virus that allowed them to download 16 minutes worth [It's not a TV show... Bob] of confidential information including name or id, date of birth, and even social security numbers.
"We can't be 100 percent certain that these files were not accessed," said VCU Chief Information Officer Mark Willis. "But we were able to attract [Track? Bob] the activities of the intruders very well. So, we know what they were up to, what they were doing."
Willis believes the information that could have been compromised goes back as far as to 2005. [and this was needed online, why? Bob]
What other facts are not correct?
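The point of the bracketed asides is that host logs, if kept, turn "we can't be certain" into a question with an answer. As an added example (not code from the post, from VCU or from CBS6), the script below parses constructed Linux useradd syslog lines and a simplified, constructed stand-in for audit file-open records, flags accounts that no approval explains (the approved list is also constructed), and reports which sensitive files those accounts actually opened.

```python
"""Added example (not code from the post or from VCU): with host logs kept,
which accounts were created and whether the data files were touched is a
parse-and-correlate job. Log lines and approved list are constructed."""
import re

# Constructed sample: real useradd syslog format; the 'audit:' lines are a
# simplified stand-in for auditd SYSCALL/PATH records, not their real layout.
SAMPLE_LOG = """\
Oct 24 02:11:05 srv2 useradd[4121]: new user: name=svc_tmp, UID=1007, GID=1007, home=/home/svc_tmp, shell=/bin/bash
Oct 24 02:11:09 srv2 useradd[4130]: new user: name=backup2, UID=1008, GID=1008, home=/home/backup2, shell=/bin/bash
Oct 24 02:12:40 srv2 audit: type=SYSCALL uid=1007 syscall=open path=/data/hr/personnel.csv success=yes
Oct 24 02:13:02 srv2 audit: type=SYSCALL uid=1008 syscall=open path=/etc/shadow success=no
Oct 25 09:00:01 srv2 useradd[5002]: new user: name=jsmith, UID=1009, GID=1009, home=/home/jsmith, shell=/bin/bash
Oct 25 09:05:13 srv2 audit: type=SYSCALL uid=1009 syscall=open path=/data/hr/personnel.csv success=yes
"""
# Constructed: account names that a provisioning ticket explains.
APPROVED = {"jsmith"}

USERADD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ useradd\[\d+\]: new user: "
    r"name=(?P<name>[^,]+), UID=(?P<uid>\d+)")
ACCESS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ audit: .*\buid=(?P<uid>\d+) "
    r"syscall=open path=(?P<path>\S+) success=(?P<ok>\w+)")

def parse_events(text):
    """Turn raw lines into account-creation and successful-open events."""
    events = []
    for line in text.splitlines():
        m = USERADD_RE.match(line)
        if m:
            events.append({"kind": "useradd", "ts": m["ts"],
                           "name": m["name"], "uid": int(m["uid"])})
            continue
        m = ACCESS_RE.match(line)
        if m and m["ok"] == "yes":  # failed opens are noise for this question
            events.append({"kind": "open", "ts": m["ts"],
                           "uid": int(m["uid"]), "path": m["path"]})
    return events

def unauthorized_accounts(events, approved=APPROVED):
    """uid -> name for every account created that no approval explains."""
    return {e["uid"]: e["name"] for e in events
            if e["kind"] == "useradd" and e["name"] not in approved}

def sensitive_reads(events, suspects, prefix="/data/hr/"):
    """(name, path, time) for successful opens under prefix by suspect uids."""
    return [(suspects[e["uid"]], e["path"], e["ts"]) for e in events
            if e["kind"] == "open" and e["uid"] in suspects
            and e["path"].startswith(prefix)]
```

Run against the sample, the two unexplained accounts are svc_tmp and backup2, and only svc_tmp opened the personnel file; the same correlation on real auditd output needs the real record layout, not this stand-in.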
The Twitter Wikileaks case: how an outdated law makes a researcher’s impressive analysis somewhat irrelevant
November 12, 2011 by Dissent
Over on Slight Paranoia, privacy and
security researcher Chris Soghoian does a brilliant job of delving
into a section of the recent opinion
in the Twitter Wikileaks case.
In the opinion issued this week, Judge
O’Grady addressed the issue of whether three people associated with
Wikileaks had any reasonable expectation of privacy in their IP
addresses. In a nutshell, after reviewing Twitter’s privacy policy
and the “I agree” button that they had to click to obtain their
Twitter accounts, the judge decided that they had no reasonable
expectation of privacy with respect to their IP addresses.
In his blog post, Chris criticizes the judge’s analysis on a few grounds.
Importantly, the privacy policy that the judge quoted
in explaining his ruling was not the privacy policy that was in place
at the time the three users first signed up for their accounts.
Big oops, yes. Chris argues that the version in effect at signup
would have given the users a reasonable expectation of
privacy in their IP addresses – assuming that any of them had even
read it. As everyone except the judge seems to
recognize, almost no one actually reads privacy policies.
[Apparently, lawyers didn't read it either Bob]
Although the judge did cite and analyze
the wrong version of the policy, it is not clear that this is the
judge’s error as we do not know whether counsel for the three
individuals ever submitted the version that was in effect when they
signed up. If they didn’t, that is unfortunate, although it
wouldn’t have any bearing on the issue of whether people actually
read the privacy policy or any updates to it.
Chris writes:
If the judge were
to examine the privacy policy that existed when these three targets
signed up for a Twitter account, he might decide that they do in fact
have a reasonable expectation of privacy and that the government
needs a warrant to get the data.
I disagree with Chris on that. Even if
the judge had acknowledged that Twitter’s privacy policy at the
time of signup created a reasonable expectation of privacy, the court
could still simply point out that a company’s
privacy policy cannot trump a 2703(d) order. Application
for a 2703(d) order does not involve demonstrating that the target
had no reasonable expectation of privacy. It only requires that “the
governmental entity offers specific and articulable facts showing
that there are reasonable grounds to believe that the contents of a
wire or electronic communication, or the records or other information
sought, are relevant and material to an ongoing criminal
investigation….”
Not only does a privacy policy not exempt the provider from complying with an order under existing law, but the judge also cites Third Party Doctrine:
(Order at p. 28)
(Order at p. 30)
Game over. And I don’t blame the
judge who is just applying existing law. The problem is with
existing laws that desperately need updating.
ECPA needs to be updated so that a
warrant is required to obtain users’ data from online providers.
And we need to throw out outdated Third Party Doctrine and recognize
that users have and are entitled to have a reasonable expectation of
privacy for much of their online activities.
The Twitter Wikileaks case also reminds
us – as if we needed more proof – that businesses that collect
and retain data for months or years increase the risk to our privacy.
Lawyers for the three individuals have
not yet announced any decision as to whether to appeal Judge Liam’s
ruling. Frankly, I don’t think they can prevail. Not because
they’re wrong, but because the law is wrong. And Congress needs to
fix that.
Another outdated set of laws? An interesting take on why pirating continues...
How litigation only spurred on P2P file sharing
Do you remember back in 2001 when
Napster shut down its servers? US courts found Napster Inc was
likely to be liable for the copyright infringements of its users.
Many of Napster's successors were also shut down.
Aimster and its controversial CEO were
forced into bankruptcy, the highest court in the US strongly
suggested that those behind Grokster and Morpheus ought to be held
liable for "inducing" their users to infringe, and Kazaa's
owners were held liable for authorisation by our own Federal Court.
Countless others fled the market in the wake of these decisions with
some, like the formerly defiant owners of Bearshare and eDonkey,
paying big settlements on the way out.
By most measures, this sounds like an
emphatic victory for content owners. But a funny thing happened in
the wake of all of these injunctions, shutdowns and settlements: the
number of P2P file sharing apps available in the market exploded.
… I would argue pre-P2P era law was
based on a number of "physical world" assumptions. That
makes sense, since it evolved almost exclusively with reference to
physical world scenarios and technologies. However, as it turns out,
there is often a gap between those assumptions and the realities of
P2P software development.
Four such physical world assumptions
are particularly notable in explaining this phenomenon.
The first is that everybody is bound by physical world rules.
that it is expensive to create distribution technologies that are capable of vast amounts of infringement.
that distribution technologies are developed for profit.
that rational developers of distribution technologies won't share their secrets with consumers or competitors.
Dr Rebecca Giblin is a member of
Monash University's law faculty in Melbourne. Her new book Code Wars
tells the story of the decade-long struggle between content owners
and P2P software providers, tracing the development of the fledgling
technologies, the attempts to crush them through litigation and
legislation, and the remarkable ways in which they evolved as their
programmers sought ever more ingenious means to remain one step ahead
of the law.
… Visit codewarsbook.com where you can read the first chapter in full. Physical copies can be ordered online from stores like Amazon and Book Depository, and electronic copies are available via Google books at a heavily discounted price. [What? No P2P sharing? Bob]
(Related) How to alienate just about everyone...
"In a court case between
Hotfile.com and Hollywood studios, Warner Brothers admitted they sent
takedown orders for thousands
of files they didn't own or control. Using an automated takedown
tool provided by Hotfile, Warner Brothers used automated software
crawlers based on keywords to generate legal takedown orders. This
is akin to not holding the Post Office liable for what people mail,
or the phone companies liable for what people say. But the flip side
is that hosters must remove files when receiving a legal takedown
notice from the copyright holder — even when the copyright holders
themselves don't know what material they actually own."
In contrast to those who fight
consumers to control content, these people make money by giving
content away.
"Cryptic Studios, the developer
of the Star Trek Online MMO, announced that
they are switching to a
Free-to-Play model on January 17th. Free subscribers to the game
will be able to play, but will
not get the same benefits as paying subscribers still get. Free
accounts will be Silver, while paid accounts will be called Gold.
Silver accounts will be able to pay for features that Gold members
will get as part of their paid subscription. These features include
but are not limited to respecs and extra character slots."
EverQuest II is jumping on the free-to-play bandwagon as well.
Who pushes technology adoption?
"Britain's biggest ISPs are struggling to convince customers to upgrade to superfast broadband. Of the six million customers who can get fiber broadband from BT, Britain's biggest ISP, only 300,000 have done so — a conversion rate of only 5%. Only 2.3% of Virgin Media customers, meanwhile, have upgraded to 50Mbits/sec or 100Mbits/sec connections. The chief of Ofcom, Britain's telecoms regulator, admits that take-up is 'still low' and says only families with teenage children are bothering to upgrade to fiber."
Perspective
People Now Watch Videos Nearly 30 Percent Longer On Tablets Than Desktops
It may come as no surprise, but
Americans are watching more and more online video. In fact, they’re
practically jonesin’ for it. According
to comScore’s numbers, 182 million Americans watched online
video content in September (for an average of 19.5
hours per viewer), while the U.S. video audience tallied a
total of 39.8 billion video views. But what may be a bit more
surprising is the extent to which people are now watching their video
on tablets.
Ooyala, the provider of online video technology and services, just released its first quarterly review, which you can find here.
For my Ethical Hackers (don't forget my finder's fee)
"There's a thriving trade in
zero-day vulnerabilities, predicated on keeping knowledge of these
vulnerabilities out of the public domain. For security researchers
with knowledge of a bug that's not worth much, or for researchers who
question the ethics of selling any bug information, there are
alternatives. Vulnerability information service Secunia launched its
Secunia Vulnerability Coordination Reward Program, which formalizes
what Secunia says it's been doing informally for some time: It acts
as a go-between for security researchers that have discovered a
vulnerability in a product, and the vendor of that product. Do such
practices jeopardize
security for the many, while safeguarding just the few? It's
still unclear whether Stuxnet's authors discovered the zero-day
vulnerabilities themselves, procured them from a legal market, or
bought them on the black market. If you're going to cash in, you
face some tough ethical questions."
I want one. Is it too early to send Santa a Tweet?
"Designer Chris Hoffmann
developed the Ryno, a heavy
duty electric unicycle with a top speed of 25 mph, a range of up
to 30 miles and an impressive 25-inch thick tire. The cost for a
pre-production Ryno is a whopping $25,000, and Hoffmann already has
five orders, but he expects the market
model to cost about $3,500."
A whole bunch of interesting stuff...
...Idaho will become the first state to mandate that all high school students take at least 2 credits online in order to graduate. The move has been very controversial, with the Idaho Education Association blasting the Board of Education’s decision.
...The Department of Education and the Department of Defense launched the Learning Registry this week. The site is a joint effort between the two departments, the White House and numerous other federal agencies. The Learning Registry is meant to serve as an online clearinghouse of sorts for educational content. (That content includes information from various publishers and organizations, including the National Archives, the Smithsonian, PBS Learning Media, and OER Commons.) But it’s not a portal or a website that educators will visit per se. Rather it’s both an open technology platform that will allow for the exchange of data about learning resources (metadata, ratings, reviews, and so on), their usage, their standards alignment, and so on. The aim of the Learning Registry is to help remove some of the silos for educational resources.
...Codecademy added a new course to its learn-to-program website: jQuery. The startup also added a “scratchpad,” an “in-browser JavaScript editor that allows you to play around with what you’ve learned.”
...The University of Texas at Austin announced this week that it plans to give its 450,000 alumni lifetime access to their @utexas.edu email accounts. The university switched to Google Apps for Education last year.