Your email and anything else you use that password on?

"Some 450,000 email addresses and associated unencrypted passwords have been dumped online by the hacking collective "D33Ds Company" following the compromise of a Yahoo subdomain. The attackers said that they managed to access the subdomain by leveraging a union-based SQL injection attack, which made the site return more information than it should have. According to Ars Technica, the dump also includes over 2,700 database table or column names and 298 MySQL variables retrieved during the attack."
Small breach but full password reset (all 28,000,000 users)

Formspring resets 28m passwords after development server hacked and passwords leaked
July 11, 2012 by admin

Kahla Preston reports:

Users of Formspring, a social question and answer website popular among young teenagers, today learned their passwords were disabled by site administrators following a security breach.

Read more on The Age.

In a message on their blog yesterday, Formspring writes:

Urgent: Change Your Formspring Password

We learned this morning that we had a security breach where some user passwords may have been accessed. In response to this, we have disabled all users' passwords. We apologize for the inconvenience but prefer to play it safe and have asked all members to reset their passwords. Users will be prompted to change their passwords when they log back into Formspring. This is a good time to create a strong password.

Five hours ago, there was an update:

UPDATE: SECURITY BREACH RESOLVED

We wanted to give an update that the security breach was resolved today and provide background on what happened.

We were notified that approximately 420k password hashes were posted to a security forum, with suspicion from a user that they could be Formspring passwords. The post did not contain usernames or any other identifying information.

Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach. We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database.

We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security. We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again.
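The Formspring update describes moving password storage from salted SHA-256 to bcrypt. The following is an added example (not Formspring's code) of how a login path can verify a legacy salted-SHA-256 record and re-hash it under a slow scheme at the moment the plaintext is available; because bcrypt needs a third-party package, it uses hashlib.scrypt from the standard library as the slow stand-in, and the record formats, parameters and function names are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Legacy scheme the Formspring post describes as the "before": SHA-256 over
# salt + password. A fast hash lets anyone holding the dump test enormous
# numbers of guesses per second, which is the weakness the upgrade addresses.
def legacy_sha256_record(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"sha256${salt.hex()}${digest}"

# Hardened scheme. bcrypt needs a third-party package, so this example uses
# hashlib.scrypt (standard library) as a stand-in slow, salted, memory-hard
# hash. Parameters and record layout are this example's assumptions.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def _scrypt(password: str, salt: bytes, n: int) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=n,
                          r=SCRYPT_R, p=SCRYPT_P, dklen=32)

def slow_record(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    return f"scrypt${SCRYPT_N}${salt.hex()}${_scrypt(password, salt, SCRYPT_N).hex()}"

def verify(record: str, password: str) -> bool:
    """Check a password against either record format with a constant-time compare."""
    scheme, *fields = record.split("$")
    if scheme == "sha256":
        salt_hex, digest = fields
        expected = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
        return hmac.compare_digest(expected, digest)
    if scheme == "scrypt":
        n, salt_hex, key_hex = fields
        return hmac.compare_digest(_scrypt(password, bytes.fromhex(salt_hex), int(n)).hex(), key_hex)
    raise ValueError(f"unknown hash scheme {scheme!r}")

def login_and_upgrade(record: str, password: str) -> Tuple[bool, str]:
    """Verify a login; on success, replace a legacy record with a slow-scheme one.
    Returns (ok, record_to_store); the plaintext is only in hand at login time."""
    if not verify(record, password):
        return False, record
    if record.startswith("sha256$"):
        return True, slow_record(password)
    return True, record
```

Re-hashing on login only helps records that have not already leaked; since the hashes themselves had been posted, disabling every password and forcing a reset, as Formspring did, was still necessary.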
Will this all go away under the new Health Care rules?
By Dissent, July 11, 2012

Kelly Jackson Higgins writes:

If you are victimized by medical identity theft, chances are you will foot the bill for the fraudulent charges, a new survey finds.

The Ponemon Institute’s Third Annual National Study on Medical Identity Theft, which was commissioned by Experian, found that 45 percent of medical ID theft victims end up paying their healthcare provider or insurer for charges incurred by the thieves because victims don’t typically have any other recourse. Even worse, half of the victims say they know the person who victimized them, and 31 percent say they allow family members to use their IDs to get medical services.

Read more on Dark Reading.
Because a spur-of-the-moment government plan is always better than a plan developed by the folks who designed, built and use the system...

http://news.cnet.com/8301-1023_3-57469950-93/obama-signs-order-outlining-emergency-internet-control/
Obama signs order outlining emergency Internet control

A new executive order addresses how the country deals with the Internet during natural disasters and security emergencies, but it also puts a lot of power in the government's hands.

… With the wordy title "Assignment of National Security and Emergency Preparedness Communications Functions," this order was designed to empower certain governmental agencies with control over telecommunications and the Web during natural disasters and security emergencies.
In an effort to improve our security, we're going to make your security fail.

"Starting next month, updated Windows operating systems will reject encryption keys smaller than 1024 bits, which could cause problems for customer applications accessing Web sites and email platforms that use the keys. The cryptographic policy change is part of Microsoft's response to security weaknesses that came to light after Windows Update became an unwitting party to Flame Malware attacks, and affects Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems."
I want one! So will the paparazzi, so they can tell their readers what their favorite star-du-jour had for breakfast...

Hidden Government Scanners Will Instantly Know Everything About You From 164 Feet Away
July 12, 2012 by Dissent

Here’s another development we’ll likely be hearing more about. From Gizmodo:

Within the next year or two, the U.S. Department of Homeland Security will instantly know everything about your body, clothes, and luggage with a new laser-based molecular scanner fired from 164 feet (50 meters) away. From traces of drugs or gun powder on your clothes to what you had for breakfast to the adrenaline level in your body—agents will be able to get any information they want without even touching you. And without you knowing it.

The technology is so incredibly effective that, in November 2011, its inventors were subcontracted by In-Q-Tel to work with the US Department of Homeland Security.

Read more on Gizmodo.

[From the article:

The machine is ten million times faster—and one million times more sensitive—than any currently available system. That means that it can be used systematically on everyone passing through airport security, not just suspect or randomly sampled people.

… But the machine can sniff out a lot more than just explosives, chemicals and bioweapons. The company that invented it, Genia Photonics, says that its laser scanner technology is able to "penetrate clothing and many other organic materials and offers spectroscopic information, especially for materials that impact safety such as explosives and pharmacological substances." [PDF]
(Related) Maybe they have stalled while waiting for the better scanner (above)

"About a year ago, the District of Columbia Circuit Court of Appeals ruled on EPIC v. DHS, a lawsuit that sought to end TSA's use of body scanners. The Court found that DHS violated federal law by not seeking public comment before using body scanners as a primary search method. They ordered TSA to take public comment on its body scanning policy but did not require TSA to suspend its use of the scanners during the comment period. Several months later nothing had been done yet. One year later TSA has still done nothing, and even EPIC, the original plaintiff, seems to have given up. Others have apparently picked up the torch, however. Jim Harper, director of information policy studies at the libertarian think tank the Cato Institute, has posted a piece on Ars Technica about TSA's violation of the court order. He also started a petition on Whitehouse.gov asking TSA to comply with the order. An earlier petition ended with a non-response from TSA Administrator John Pistole. Will the latest petition fare any better, even in an election year?"
One time when a cloudy future is good?
July 11, 2012

Department of Defense Cloud Computing Strategy
- "The DoD Enterprise Cloud Environment is a key component to enable the Department to achieve JIE [Joint Information Environment] goals. The DoD Cloud Computing Strategy introduces an approach to move the Department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state which is an agile, secure, and cost effective service environment that can rapidly respond to changing mission needs. The DoD Chief Information Officer (CIO) is committed to accelerating the adoption of cloud computing within the Department and to providing a secure, resilient Enterprise Cloud Environment through an alignment with Department‐wide IT efficiency initiatives, federal data center consolidation and cloud computing efforts. Detailed cloud computing implementation planning has been ongoing and informs the JIE projected plan of actions and milestones in Capabilities Engineering, Operation and Governance efforts."
- "DoD Cloud Computing Goal - Implement cloud computing as the means to deliver the most innovative, efficient, and secure information and IT services in support of the Department’s mission, anywhere, anytime, on any authorized device."
Could this be more confusing to us non-lawyers?

Megaupload and the twilight of copyright

Kim Dotcom's business facilitated more online piracy than the mind can conceive. Yet it might have been legal. How did we get here? Is there any way out?

… The lead attorney for Kim Dotcom and Megaupload, Ira Rothken of San Francisco, says that Megaupload was a "cloud storage" business whose technology was "nearly identical" to that used by such legitimate businesses as Dropbox, Microsoft (MSFT) SkyDrive, and Google Drive. "Megaupload appears to be the perfect example of something protected under the Sony doctrine," Rothken says, referring to the landmark 1984 U.S. Supreme Court case Sony Corp. of America v. Universal City Studios. In that case, the court found that Sony, in selling its Betamax videotape recorders, could not be held liable for the fact that some customers might use them to infringe copyrights.
(Related) Sounds interesting.
July 11, 2012

Commentary - Reforming Copyright Is Possible

Reforming Copyright Is Possible - And it's the only way to create a national digital library, by Pamela Samuelson
- "The failure of the Google Book settlement, however, has not killed the dream of a comprehensive digital library accessible to the public. Indeed, it has inspired an alternative that would avoid the risks of monopoly control. A coalition of nonprofit libraries, archives, and universities has formed to create a Digital Public Library of America, which is scheduled to launch its services in April 2013. The San Francisco Public Library recently sponsored a second major planning session for the DPLA, which drew 400 participants. Major foundations, as well as private donors, are providing financial support. The DPLA aims to be a portal through which the public can access vast stores of knowledge online. Free, forever."
- See also David H. Rothman's commentaries on the DPLA via LLRX.com
Might be an interesting way for my students to share information...
Wednesday, July 11, 2012

Posterous Spaces was bought by Twitter earlier this year, but it appears to still be going strong and hasn't changed at all since it was acquired by Twitter. One of the things about Posterous that I have always liked is the ease with which you can create a group blog.

In Posterous Spaces you can allow people to make contributions to your blog by simply sending an email to "yourblog'sname" @ posterous.com. For example, if I created the blog "awesomeblog.posterous.com" I could allow others to contribute to the blog by simply sending an email to "awesomeblog@posterous.com." You can choose to moderate or not moderate those contributions. From an administrative standpoint, using the email method of contributing to a group blog is much easier than having to enter permissions for each person you want contributing to your group blog.

Accepting email contributions to your Posterous Spaces blog means that you don't have to spend time walking students through creating log-in credentials for another service. Simply have students send an email to "yourblog'sname" @posterous.com and their posts can appear on the blog.