Monday, July 02, 2012


Spin me a story that doesn't include self-contradictory statements.
San Jose State University officials deny hacker’s data theft claims
July 2, 2012 by admin
Robert Salonga reports:
San Jose State University officials are denying a computer hacker’s claims he stole a wealth of sensitive personal data from its largest student-run campus enterprise.
Monday, a hacker going by “S1ngularity” announced via Twitter that he infiltrated a server for the Associated Students of SJSU, a student-run nonprofit that oversees a host of campus services. It is separate from the university, with its own IT infrastructure, meaning no school data was affected.
The university acknowledged an intrusion occurred but has not corroborated [Not the same as “can not” or “can definitely refute” Bob] the hacker’s boasts of posting information like students’ Social Security and driver’s license numbers.
Read more on The Mercury News.
[From the article:
New York-based data security firm Identity Finder plucked the announcement from the obscurity of Web forums and alerted media organizations, saying it analyzed nearly four gigabytes of unencrypted data the hacker posted, including email addresses, passwords, and perhaps most disturbingly, 10,000 Social Security numbers.
Aaron Titus, the firm's chief privacy officer, said the numbers were valid but not accompanied by names.
The university reached a similar conclusion.
"We have found no evidence to suggest (Social Security numbers) have been compromised," [Except of course the 10,000 numbers that were compromised. Perhaps they mean they can't (haven't yet?) matched them to students? Bob] Harris said.


Looks like a new case study for their Class Action class...
University of Florida notifies former law students about privacy breach
July 2, 2012 by admin
This sounds very much like the incident University of North Florida reported last month, but it’s a new/separate announcement from the University of Florida:
University of Florida officials are notifying 220 former law school students and applicants who had sought a roommate online [Where does the SSAN come in here? Bob] in the early 2000s through the Levin College of Law that their Social Security numbers were accessible on the Web.
Discovered in May, the information was removed immediately from the UF servers. Also, Google has since removed the files where the information was cached.
Roommate-matching software required Social Security numbers for access, [So the login system was compromised, not the ads for roommates Bob] but that information was not visible to anyone using the software or roommate database. The College of Law stopped using the software in the mid-2000s.
The university does not know whether the information was accessed for unlawful purposes. Florida law requires the university to notify individuals if a potential loss of personal identification information has occurred so that protective steps can be taken. Some guidelines to safeguard personal identification information are provided on UF’s privacy website at http://privacy.ufl.edu.
“It is regrettable that this instance occurred,” said Susan Blair, UF’s chief privacy officer. “We are working diligently to purge and protect the personal identifying information of our students and prospective students.”
Letters were mailed June 25 to nearly all of the individuals with personal information listed in the database, but contact information was not available for two law school applicants. Concerned individuals may call UF’s Privacy Office Hotline toll-free at 1-866-876-HIPA.


“You were serious about that?” Joe Pesci as Vinny Gambini in that great courtroom drama, My Cousin Vinny
Cybercrime disclosures rare despite new SEC rule
July 2, 2012 by admin
Embedded in revisions to a proposed cybersecurity law are some provisions on mandatory breach notification. Richard Lardner reports:
The chairman of the Senate Commerce, Science and Transportation Committee, Sen. Jay Rockefeller, D-W.Va., is adding a provision to cybersecurity legislation that would strengthen the reporting requirement. The SEC’s cybersecurity guidance issued in October is not mandatory. [Apparently not, Vinny Bob] It was intended to update for the digital age a requirement that companies report “material risks” that investors want to know.
Rockefeller’s measure would direct the SEC’s five commissioners to make clear when companies must disclose cyber breaches and spell out steps they are taking to protect their computer networks from electronic intrusions.
“It’s crucial that companies are disclosing to investors how cybersecurity risks affect their bottom lines, and what they are doing to address those risks,” Rockefeller said Friday.
Read more from AP.


Police invent the “e-Oops!” There is a big difference between “We can do it” and “We know what we're doing” (Don't they know you should never believe what you read on the Internet?)
Police intercept online threat, raid wrong house
… please place yourself inside the stomach of 18-year-old Stephanie Milan as she sat at home watching the Food Network and was overtaken by a harsh queasiness.
For her door was broken down and in walked a SWAT team, which was not in the mood to make her a burrito.
The Evansville Courier-Press offers that the ingredients of this raid were somewhat confused.
The SWAT team was looking for computer equipment, which, if you're a SWAT team, you tend to search by breaking doors down.
This computer equipment, police believed, had been used to post threats (including references to explosives) against the police and members of police officer's families, via Topix.com.
This computer, police believed, was at the Milan family's Evansville, Ill., house.
Actually, what the police believed was that the threats had been posted using Milan's Wi-Fi. Hence the draconian manner of entry.
… However, local police Chief Billy Bolin said the police had no way of knowing if Milan's Wi-Fi had been appropriated by persons unknown. [Hence the “Guilty until proven innocent” raid? Bob]
… The police, though, claim they now know who the miscreants might be and have agreed to repair the front door. A grenade they tossed inside seems to have caused a little carpet-staining, too.
The police are still in possession of Stephanie Milan's computer, and one can only hope that the case is resolved soon.


Undoubtedly a topic we should explore at a future Privacy Foundation seminar...
July 01, 2012
Pew - The Future of Smart Systems
The Future of Smart Systems, by Janna Anderson, Lee Rainie. June 29, 2012
  • "By 2020, experts think tech-enhanced homes, appliances, and utilities will spread, but many of the analysts believe we still won’t likely be living in the long-envisioned ‘Homes of the Future.’ Hundreds of tech analysts foresee a future with “smart” devices and environments that make people’s lives more efficient. But they also note that current evidence about the uptake of smart systems is that the costs and necessary infrastructure changes to make it all work are daunting. And they add that people find comfort in the familiar, simple, “dumb” systems to which they are accustomed. [Or in using smart systems in dumb ways Bob] Some 1,021 Internet experts, researchers, observers, and critics were asked about the “home of the future” in an online, opt-in survey. The result was a fairly even split between those who agreed that energy- and money-saving “smart systems” will be significantly closer to reality in people’s homes by 2020 and those who said such homes will still remain a marketing mirage."


Something to consider, students.


I gotta think about this...
Privacy Is the Problem: United States v. Maynard and a Case for a New Regulatory Model for Police Surveillance
July 2, 2012 by Dissent
A new article by Matthew Radler: Privacy Is the Problem: United States v. Maynard and a Case for a New Regulatory Model for Police Surveillance 80 Geo. Wash. L. Rev. 1209 (2012) [PDF]
Abstract:
Inescapably, the debate in the United States about law enforcement’s use of electronic surveillance is defined in terms of privacy. Whether discussed by courts, commentators, or legislators, the principal and often the only justification put forth for regulating the use of a given technology by the police is that it invades an interest somehow described as private. But as surveillance technology has extended to conduct that takes place on public property and in plain view of society at large, this rationale for regulation has become incapable of justifying the rules that result. This demand for privacy-based rules about public-conduct surveillance reached its apex (thus far) in 2010 in United States v. Maynard, the appellate decision affirmed on other grounds by the Supreme Court’s property-based ruling in United States v. Jones. Maynard’s theory of privacy rights in the context of police use of tracking devices—that they are violated by the mere aggregation of data—is so vulnerable to circumvention by police agencies that its efficacy as a basis for regulation is questionable at best. This Note proposes an alternative rationale for regulation of public-conduct surveillance, as well as a theory of institutional harm and an alternative rulemaking authority—an administrative agency—to address public-conduct surveillance issues.
In an era when police action is the primary determinant of who is convicted of crimes, without meaningful review via trial, unchecked surveillance renders the judiciary a rubber stamp for local executive power; the demand for an ex ante record restores the supervisory role of the courts over police conduct. Preserving that institutional role, instead of protecting an increasingly difficult-to-justify notion of individual privacy in public behavior, provides a durable rationale, and ensuring that it is given full effect will require administrative, rather than judicial or legislative, oversight.


This is clever!
Is There a Breach in the Dam Holding Back Damage Actions for Alleged Privacy Breaches?
July 2, 2012 by Dissent
Christopher Wolf writes:
Two recent federal cases alleging privacy violations in the mobile context have been allowed to proceed based on novel damages allegations. While neither case recognized a property interest in personal information per se, the courts allowed cases involving mobile devices and alleged privacy violations to proceed, finding allegations sufficient that
(a) the plaintiffs paid more for their devices than they would have paid had they known their personal information would be misused, and
(b) that the battery and data usage costs arising from unwanted collection and sharing of personal information constitutes actionable damages.
Thus, these cases may open the door for more novel indirect financial injury claims arising from the allegedly improper collection and use of personal information. The long-standing presumption that mere exposure of personal data is insufficient for standing and damage actions may become irrelevant if plaintiffs are able to link the exposure to increased costs of device usage.
Read more on Hogan Lovells Chronicle of Data Protection.


Encrypted communications double, still not a problem since they could read everything...
"Federal and state court orders approving the interception of wire, oral or electronic communications dropped 14% in 2011, compared to the number reported in 2010. According to a report issued by the Administrative Office of the United States Courts a total of 2,732 wiretap applications were authorized in 2011 by federal and state courts, with 792 applications by federal authorities and 1,940 applications by 25 states that provide reports. The reduction in wiretaps resulted primarily from a drop in applications for intercepts in narcotics offenses, the report noted."
[From the report:
In 2011, encryption was reported during 12 state wiretaps, but did not prevent officials from obtaining the plain text of the communications.


No good deed goes unpunished. Security (or privacy) actions have reactions. This is fertile ground for hackers.
"Twitter is going to clamp down on abuse and 'trolling' according to its CEO Dick Costolo. Actions could include hiding replies from users who do not have any followers or biographical information. The difficulty is that moves to stop trolling could also curtail the anonymous Tweets which have been useful for protest in repressive regimes."


A backup for GPS?
"BAE Systems has developed a positioning solution that it claims will work even when GPS is unavailable. Its strategy is to use the collection of radio frequency signals from TV, radio and cellphone masts, even WiFi routers, to deduce a position. BAE's answer is dubbed Navigation via Signals of Opportunity (NAVSOP). It interrogates the airwaves for the ID and signal strength of local digital TV and radio signals, plus air traffic control radars, with finer grained adjustments coming from cellphone masts and WiFi routers. In any given area, the TV, radio, cellphone and radar signals tend to be at constant frequencies and power levels as they are heavily regulated — so positions could be calculated from them. "The real beauty of NAVSOP is that the infrastructure required to make it work is already in place," says a BAE spokesman — and "software defined radio" microchips that run NAVSOP routines can easily be integrated into existing satnavs. The firm believes the technology could also work in urban concrete canyons where GPS signals cannot currently reach."
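The mechanism the summary describes, as an added example rather than BAE's NAVSOP code: a receiver hears a set of fixed transmitters whose identities, positions and nominal power are known from a database, converts each received signal strength into a range with a path-loss model, and fits a position to those ranges by least squares. The transmitter database, the calibrated 1 m power figures and the path-loss exponent are all constructed assumptions for the example. The second function adds a check a practitioner would want and that the article does not discuss: a beacon that is spoofed, relocated or mis-identified produces one range that disagrees with the rest, so the worst-fitting site is dropped while its residual stays large (the same idea as receiver autonomous integrity monitoring in GPS receivers).

```python
import math

# Constructed transmitter database (assumed for the example, not real
# infrastructure): site position in metres and calibrated received power
# one metre from the antenna, in dBm.
TRANSMITTERS = {
    "DTV-ch27":  {"pos": (0.0, 0.0),       "p0_dbm": -20.0},
    "FM-101.5":  {"pos": (1200.0, 0.0),    "p0_dbm": -15.0},
    "CELL-3341": {"pos": (0.0, 900.0),     "p0_dbm": -30.0},
    "WIFI-a1b2": {"pos": (700.0, 650.0),   "p0_dbm": -40.0},
    "CELL-3342": {"pos": (1100.0, 1000.0), "p0_dbm": -30.0},
}
PATH_LOSS_EXP = 2.7  # assumed urban path-loss exponent


def distance_to_rssi(d_m, p0_dbm, n=PATH_LOSS_EXP):
    """Log-distance path-loss model: rssi = p0 - 10*n*log10(d)."""
    return p0_dbm - 10 * n * math.log10(d_m)


def rssi_to_distance(rssi_dbm, p0_dbm, n=PATH_LOSS_EXP):
    """Inverse of distance_to_rssi: the range implied by a received power."""
    return 10 ** ((p0_dbm - rssi_dbm) / (10 * n))


def simulate_observations(true_pos, db=TRANSMITTERS):
    """Noise-free RSSI a receiver at true_pos would report for every site."""
    x, y = true_pos
    return {tid: distance_to_rssi(math.hypot(x - s["pos"][0], y - s["pos"][1]), s["p0_dbm"])
            for tid, s in db.items()}


def solve_position(observations, db=TRANSMITTERS, iters=50):
    """Gauss-Newton least-squares fit of (x, y) to the ranges implied by each
    RSSI. Returns (x, y, {transmitter: range residual in metres})."""
    if len(observations) < 3:
        raise ValueError("need at least three transmitters for a 2-D fix")
    ranges = {tid: rssi_to_distance(rssi, db[tid]["p0_dbm"])
              for tid, rssi in observations.items()}
    # Start from the centroid of the sites that were heard.
    x = sum(db[t]["pos"][0] for t in ranges) / len(ranges)
    y = sum(db[t]["pos"][1] for t in ranges) / len(ranges)
    for _ in range(iters):
        a11 = a12 = a22 = b1 = b2 = 0.0
        for tid, d in ranges.items():
            tx, ty = db[tid]["pos"]
            est = math.hypot(x - tx, y - ty) or 1e-9
            r = est - d                                # range residual
            jx, jy = (x - tx) / est, (y - ty) / est    # d(est)/dx, d(est)/dy
            a11 += jx * jx; a12 += jx * jy; a22 += jy * jy   # J^T J
            b1 += jx * r; b2 += jy * r                       # J^T r
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            break
        dx = (a22 * b1 - a12 * b2) / det
        dy = (a11 * b2 - a12 * b1) / det
        x, y = x - dx, y - dy
        if math.hypot(dx, dy) < 1e-6:
            break
    residuals = {tid: math.hypot(x - db[tid]["pos"][0], y - db[tid]["pos"][1]) - d
                 for tid, d in ranges.items()}
    return x, y, residuals


def locate(observations, db=TRANSMITTERS, max_residual_m=50.0):
    """Fix with fault exclusion: while the worst-fitting site's range residual
    exceeds max_residual_m and more than three sites remain, drop that site
    and refit. Returns (x, y, [excluded transmitter ids])."""
    obs = dict(observations)
    excluded = []
    while True:
        x, y, res = solve_position(obs, db)
        worst = max(res, key=lambda t: abs(res[t]))
        if abs(res[worst]) <= max_residual_m or len(obs) <= 3:
            return x, y, excluded
        excluded.append(worst)
        del obs[worst]


if __name__ == "__main__":
    clean = simulate_observations((500.0, 400.0))
    print("clean fix:", solve_position(clean)[:2])
    spoofed = dict(clean)
    spoofed["WIFI-a1b2"] += 25.0   # one beacon reports 25 dB too strong
    print("fix with exclusion:", locate(spoofed))
```

With noise-free ranges the fit lands on the true position; with one beacon 25 dB off, the plain least-squares fix is pulled about a hundred metres toward it, and the exclusion loop identifies that beacon as the inconsistent one and recovers the position from the remaining four. The caveat that matters for a "GPS backup" is that the integrity check needs redundancy: with only three sites there is nothing to compare against, and an attacker who controls several beacons consistently can move the fix without tripping it.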


The problem with squeezing this into one page is, you need the page to be at least wall size to read it...
July 01, 2012
A Visual Guide to NFIB v. Sebelius
Follow up to The Health Care Law - Government Resources, Commentary and Analysis, see A Visual Guide to NFIB v. Sebelius: Competing Commerce Clause Opinion Lines 1789-2012, Colin P. Starger, University of Baltimore School of Law, June 30, 2012 - Download via SSRN.
  • "Though Chief Justice Roberts ultimately provided the fifth vote upholding the Affordable Care Act (ACA) under the Tax Power, his was also one of five votes finding the ACA exceeded Congress’ power under the Commerce Clause. The doctrinal basis for Roberts’ Commerce Clause analysis was hotly contested. While Roberts argued that the ACA’s purported exercise of Commerce power “finds no support in our precedent,” Justice Ginsburg accused the Chief Justice of failing to “evaluat[e] the constitutionality of the minimum coverage provision in the manner established by our precedents.” These diametrically opposed perspectives on “precedent” might prompt observers to ask whether Roberts and Ginsburg considered the same cases as controlling. This Visual Guide shows that though the justices agreed on relevant cases, they disagreed on which opinions within those cases properly stated the law. Both Roberts and Ginsburg implicitly adopted the reasoning of prior dissents and concurrences as well as majority opinions. The map illustrates how competing lines of Commerce Clause opinions constitute a long-running doctrinal dialectic that culminated – for now – in NFIB v. Sebelius. This Visual Guide is a single-page PDF "poster" designed to serve as quick reference to the doctrinal debate."


Perspective: What Google thinks are the keys to competing in the Cloud?
"The Compute Engine announcement at Google I/O made it clear that Google intends to take Amazon EC2 head on. Michael Crandell, who has been testing out Compute Engine for some time now, divulges deeper insights into the nascent IaaS, which, although enticing, will have a long road ahead of it in eclipsing Amazon EC2. 'Even in this early stage, three major factors about Google Cloud stood out for Crandell. First was the way Google leveraged the use of its own private network to make its cloud resources uniformly accessible across the globe. ... Another key difference was boot times, which are both fast and consistent in Google's cloud. ... Third is encryption. Google offers at-rest encryption for all storage, whether it's local or attached over a network. 'Everything's automatically encrypted,' says Crandell, 'and it's encrypted outside the processing of the VM so there's no degradation of performance to get that feature.'"


This could be huge!
"Graphene once again proves that it is quite possibly the most miraculous material known to man, this time by making saltwater drinkable. The process was developed by a group of MIT researchers who realized that graphene allowed for the creation of an incredibly precise sieve. Basically, the regular atomic structure of graphene means that you can create holes of any size, for example the size of a single molecule of water. Using this process scientists can desalinate saltwater 1,000 times faster than the Reverse Osmosis technique."
[From the article:
Desalination might sound boring, but it’s super important. Around 97% of the planet’s water is saltwater and therefore unpotable, and while you can remove the salt from the water, the current methods of doing so are laborious and expensive. Graphene stands to change all that by essentially serving as the world’s most awesomely efficient filter. If you can increase the efficiency of desalination by two or three orders of magnitude (that is to say, make it 100 to 1,000 times more efficient) desalination suddenly becomes way more attractive as a way to obtain drinking water.
