Saturday, July 14, 2012


At last! Will the FTC claim that Best Practices are now Required Practices? How far can they push? My Computer Security students should note that in this case, Lessons Learned = zero.
On June 26, the FTC filed a complaint against Wyndham Worldwide Corporation, a global hotel and resort company, and three of its subsidiaries for violation of Section 5 of the FTC Act. If this case goes to trial – and Wyndham’s comments about intentions to fight the suit suggest it might – it will be the first privacy/security matter fully litigated under Section 5.
The Commission brought the case in the U.S. District Court for the District of Arizona alleging “failure to maintain reasonable and appropriate data security for consumers’ sensitive personal data” after Wyndham faced three data breaches in less than two years.
… According to the complaint, the first breach was a “brute force attack” in which intruders accessed the Phoenix data center’s network by guessing user IDs and passwords. Even though the password guessing caused 212 user account lock-outs before intruders prevailed – a common signal of hacking – the FTC claims Wyndham could not locate the two locked-out computers and only realized four months later that the network had been infiltrated. The FTC alleges the intruders then installed memory-scraping malware to access payment card data, and over 500,000 payment card accounts were compromised and hundreds of thousands of account numbers exported to a domain registered in Russia. The second and third attacks were largely the same, although the FTC claims that in both cases, Wyndham failed to notice the breach on its own – a credit card issuer alerted the company that cards used at its hotels were soon thereafter used for fraudulent transactions. In total, the FTC estimates that over 619,000 consumer payment card accounts were compromised.
[The complaint:
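The 212 lockouts the complaint describes are the kind of signal a simple sliding-window count over authentication logs would have raised within minutes. The following is an added example, not code from the complaint or from Wyndham; the log format, field names and sample lines are constructed for the demonstration.

```python
"""Detect a password-guessing burst from account-lockout events.

Added example (not from the FTC complaint or Wyndham). The complaint says
212 lockouts preceded the intrusion and went unnoticed for months; a
sliding-window count of lockouts of *distinct* accounts per source host is
enough to alert long before that. Log format and field names are assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> LOCKOUT user=<id> src=<host>"
SAMPLE_LOG = """\
2012-03-01T02:00:01 LOCKOUT user=alice src=10.0.5.17
2012-03-01T02:00:09 LOCKOUT user=bob src=10.0.5.17
2012-03-01T02:00:15 LOCKOUT user=carol src=10.0.5.17
2012-03-01T02:00:22 LOCKOUT user=dave src=10.0.5.17
2012-03-01T02:00:30 LOCKOUT user=erin src=10.0.5.17
2012-03-01T02:00:41 LOCKOUT user=frank src=10.0.5.17
2012-03-01T09:15:00 LOCKOUT user=alice src=10.0.9.3
2012-03-01T14:20:00 LOCKOUT user=greg src=10.0.9.3
"""


def parse_lockouts(text):
    """Yield (timestamp, user, src) for LOCKOUT lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "LOCKOUT":
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        if "user" in fields and "src" in fields:
            yield ts, fields["user"], fields["src"]


def detect_lockout_bursts(text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source host whose lockouts of distinct users reach
    `threshold` inside any `window`. Distinct users matter: one person
    mistyping their own password is noise; many different accounts locked
    from one host is a guessing attack in progress."""
    recent = defaultdict(deque)   # src -> deque of (ts, user) inside the window
    alerted = set()
    alerts = []
    for ts, user, src in sorted(parse_lockouts(text)):
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "first": q[0][0].isoformat(),
                           "last": ts.isoformat(), "distinct_users": len(users)})
    return alerts


if __name__ == "__main__":
    for a in detect_lockout_bursts(SAMPLE_LOG):
        print(f"ALERT password-guessing burst from {a['src']}: "
              f"{a['distinct_users']} accounts locked between {a['first']} and {a['last']}")
```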


This is an old technique called “Traffic Analysis”
Research: Why Johnny Can’t Browse in Peace: On the Uniqueness of Web Browsing History Patterns
July 13, 2012 by Dissent
Here’s the abstract of a research report by Łukasz Olejnik, Claude Castelluccia, Artur Janc:
We present the results of the first large-scale study of the uniqueness of Web browsing histories, gathered from a total of 368,284 Internet users who visited a history detection demonstration website. Our results show that for a majority of users (69%), the browsing history is unique and that users for whom we could detect at least 4 visited websites were uniquely identified by their histories in 97% of cases. We observe a significant rate of stability in browser history fingerprints: for repeat visitors, 38% of fingerprints are identical over time, and differing ones were correlated with original history contents, indicating static browsing preferences (for history subvectors of size 50). We report a striking result that it is enough to test for a small number of pages in order to both enumerate users’ interests and perform an efficient and unique behavioral fingerprint; we show that testing 50 web pages is enough to fingerprint 42% of users in our database, increasing to 70% with 500 web pages. Finally, we show that indirect history data, such as information about categories of visited websites can also be effective in fingerprinting users, and that similar fingerprinting can be performed by common script providers such as Google or Facebook.
Read the whole report on petsymposium.org.
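The two figures the abstract reports, the share of users whose history is unique and the share uniquely identified when only a fixed list of probe sites is tested, are straightforward to compute. The following is an added example on a constructed toy dataset, not code or data from Olejnik, Castelluccia and Janc's study; site names and histories are made up.

```python
"""Uniqueness of browsing-history fingerprints.

Added example, not code from the study. It computes, on constructed toy
data, the share of users whose full history is unique and the share uniquely
identified when only a fixed list of probe sites is tested (the detection
page can only learn about the sites it asks about).
"""
from collections import Counter

# Constructed histories: user -> set of visited sites (toy data, not real).
HISTORIES = {
    "u1": {"news.example", "mail.example", "bank.example", "forum.example"},
    "u2": {"news.example", "mail.example", "bank.example", "forum.example"},
    "u3": {"news.example", "video.example", "shop.example"},
    "u4": {"mail.example", "shop.example", "bank.example", "games.example"},
    "u5": {"news.example", "video.example", "games.example"},
    "u6": {"mail.example"},
}


def fingerprint(history, probes):
    """Bit vector of which probe sites appear in the history."""
    return tuple(site in history for site in probes)


def uniqueness(histories, probes=None):
    """Fraction of users whose fingerprint is shared with nobody else.
    probes=None means the full history itself is the fingerprint."""
    if probes is None:
        prints = {u: frozenset(h) for u, h in histories.items()}
    else:
        prints = {u: fingerprint(h, probes) for u, h in histories.items()}
    counts = Counter(prints.values())
    unique = sum(1 for p in prints.values() if counts[p] == 1)
    return unique / len(histories)


def uniqueness_with_min_hits(histories, probes, min_hits):
    """The abstract's 'at least 4 detected sites' style figure: keep only
    users for whom at least `min_hits` probe sites were detected, then
    measure uniqueness among them. Returns (fraction_unique, users_kept)."""
    prints = {u: fingerprint(h, probes) for u, h in histories.items()}
    eligible = {u: p for u, p in prints.items() if sum(p) >= min_hits}
    if not eligible:
        return 0.0, 0
    counts = Counter(eligible.values())
    unique = sum(1 for p in eligible.values() if counts[p] == 1)
    return unique / len(eligible), len(eligible)


if __name__ == "__main__":
    probes = ["news.example", "mail.example", "shop.example", "games.example"]
    print("full-history uniqueness:", uniqueness(HISTORIES))
    print("uniqueness with 4 probes:", uniqueness(HISTORIES, probes))
    print("uniqueness, >=2 hits:", uniqueness_with_min_hits(HISTORIES, probes, 2))
```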


For my Business Continuity class: How would you distinguish this outage from one caused by terrorists?
Explosion, Fire Cause Data Meltdown in Calgary
Downtown Calgary, Alberta, is going into its second day without complete use of government services, after some sort of explosion knocked out internet service provider Shaw Communications and a host of other nearby businesses.
The explosion kicked off a fire on the 13th floor of Shaw’s office building. A spokesman for the Calgary fire department says that it took firefighters some time to gain access to the floor, considering the amount of electrical equipment that had been engulfed by the flames.
… The fire department spokesman could not comment on specifics of what exactly was affected in the fire — and Shaw did not respond to a request for comment — but considering the description and level of outages, the fire was likely located in crucial data transfer and telecommunication areas. Even Shaw’s public website was down as of Friday afternoon, except a simple homepage with updates on restoring service.
The effects spread across the city. The Calgary Herald reports that nearby hospitals lost power and that IBM Canada, which leases three floors in the Shaw building, keeps a data center which provides outsourced services for clients like Service Alberta. IBM did not return calls seeking comment.
The CBC reports that the fire not only knocked out IBM’s offices, but left up to 30,000 landline telephone customers unable to call 911. Exacerbating the problem, the city also lost use of its 3-11 informational service, which left many customers completely in the dark about when they’d get communication back.
The CBC says the Shaw building was designed with backup networks, but the explosion damaged those as well.


Well, I find it interesting...
The Freedom Stick - be ready for Universal Design next academic year
It is time for every student to be given the opportunity to discover and experiment with a range of tools which can support their own individual differing communication needs – not just in school, but throughout their lives.
One free downloadable package of software allows students to make almost any computer a fully accessible device. Students can convert text to audio and get their ideas down by speaking. They can draw, manipulate photography, create visual or audio-visual presentations, calculate mathematics a variety of ways, organize themselves, try a different keyboard, support their spelling and writing… and most importantly, learn the power of “Toolbelt Theory” – the power of learning to choose and use tools well.
The Freedom Stick is a system: it can be downloaded and installed on a 4 GB flash drive and carried everywhere by the student, plugged into and used on school computers or public library computers, or even employer computers – anywhere any version of Microsoft Windows is installed.
The Freedom Stick is a collection of free, open-source programs which provide the widest range of supports for differing student needs. It is also a system supported by a range of learning tools – including a full set of “how to use” videos and presentations. It is easy to adapt to the student’s own needs, and it works with the supports included in Windows to create a true Universal Solution Set.
The Freedom Stick contains:
  • A full version of Open Office (equivalent to Microsoft Office and all documents adapt to both software programs), including Writer (Word), Impress (PowerPoint), Calc (Excel), Base (Access), plus Scribus (similar to Microsoft Publisher).
  • The Sunbird Calendar and Thunderbird Email systems.
  • Fully accessible versions of the Firefox, Opera, and Chrome web browsers including Text-To-Speech options and translations. Firefox and Chrome both include pre-set bookmark folders, offering access to free Digital and Audio Texts, online calculators (including talking calculators), and a wide range of curriculum supports.
  • A full scientific graphing calculator, a digital periodic table with physics and chemistry calculators built in, Converber – a remarkable unit converter, and X-mind – similar to Inspiration.
  • Balabolka, one of the most sophisticated Text-To-Speech systems available which can convert whole digital books to audio files, read anything with word-by-word highlighting, and which allows students to write and hear their own reading read back to them.
  • PowerTalk Portable, which will read any PowerPoint presentation, if PowerPoint is installed on your computer.
  • Audacity, a digital recorder and player.
  • Software for drawing, painting, photo-editing/manipulation, and computer screen recording.
  • Kompozer for writing html code (for building websites) and Notepad++ for coding (and testing code) in almost any computer language.
  • Screen magnifiers.
  • 7-Zip for creating and unpacking Zip Files.
  • Simulation software including Robot Programming and Home Design.
  • Games including Chess and Sudoku.
You can begin learning about the Freedom Stick, how to use it and individualize it, with these Presentations:

Friday, July 13, 2012


At least it's not your bank account. What ever happened to Best Practices?
"Phandroid's AndroidForums.com has been hacked. The database that powers the site was compromised and more than one million user account details were stolen. If you use the forum, make sure to change your password ASAP. From the article: 'Phandroid has revealed that its Android Forums website was hacked this week using a known exploit. The data that was accessed includes usernames, e-mail addresses, hashed passwords, registration IP addresses, and other less-critical forum-related information. At the time of writing, the forum listed 1,034,235 members.'"


Another “We don't need no stinking Best Practices” breach. Also, the potential to see how much (how little?) security remediation really costs.
Follow-up: Regulators criticize NYSEG for computer security breach
July 12, 2012 by admin
Remember the breach reported by New York State Electric & Gas (NYSEG) and Rochester Gas and Electric (RG&E) back in January? Jeff Platsky reports the results of an investigation into the utilities’ security:
A potential data breach at New York State Electric & Gas Corp. not only drew the ire of customers but is now drawing criticism from regulators, who are telling the utility to shore up its computer security practices.
In a statement released on Thursday afternoon, New York Public Service Commissioner Garry Brown said the utility “failed to meet industry standards” in protecting the privacy of its customers. The commission has directed the NYSEG and its sister utility, Rochester Gas & Electric Corp., to immediately address potential vulnerabilities in computer billing and records systems.
Read more on PressConnects.com.
The statement from the NY Public Service Commission reads:
The New York State Public Service Commission (Commission) today received a report from Department of Public Service staff that both New York State Electric & Gas Corporation (NYSEG) and Rochester Gas & Electric (RG&E) failed to adequately protect confidential customer information from unauthorized access by outside parties.
“Our investigation found that NYSEG and RG&E failed to meet industry standards and best practices to protect personally identifiable information of customers,” said Commission Chairman Garry Brown. “As a result, we are directing the companies to immediately take action to address the vulnerabilities on its computer billing and records systems currently used to take and maintain confidential customer information.”
… In addition to the foregoing recommendations, the Commission raised concerns about the costs that both companies incur in responding to this security breach. The Commission will require the companies to segregate and report all of the costs associated with rectifying the security breach, including the customer care costs identified above as well as any incremental investigation and remediation costs, as part of their respective 2012 earnings sharing filings, and will closely scrutinize any proposal to incorporate these costs in the earnings sharing calculation. In this way, the companies will be put on notice that they will be required to justify fully the inclusion of any such expenses in their earnings sharing calculations.


We have moved beyond “English, as she is spoke”
"Spammers used to depend on email recipients to tie the noose around their own necks by inputting their personal and financial information in credible spoofs of legitimate websites, but with the advent of exploit kits, that technique is slowly getting sidelined. Prompted by the rise in numbers of spam runs leading to pages hosting exploit kits, Trend Micro researchers have recently been investigating a number of high-volume spam runs using the Blackhole exploit kit. According to them, the phishing messages of today have far less urgency and the message is implicit: 'Your statement is available online'; or 'Incoming payment received'; or 'Password reset notification.'"
One thing that's long worried me is that the bulk of spammers and malware writers may hire copywriters with a better grasp of English than most of the ones I see now. "I send you this file in order to have your advice" was funny, because it stuck out.


Long, long ago in a galaxy far, far away....
HP’s Operation ‘Kona’ Private Eyes Get 3 Years Probation
Two private investigators who impersonated reporters, Hewlett Packard board members, and their families have been sentenced to three years probation and six months electronic monitoring in the case.
Joseph DePante and his son Mathew DePante were sentenced Thursday in a San Jose, California, federal court. They had pleaded guilty to the charges in February.
The sentencing closes a final chapter in a corporate spying scandal that dates back to the spring of 2005, when HP’s management decided to clamp down on embarrassing boardroom leaks. HP hired a Boston security company called Security Outsourcing Solutions, which in turn hired the DePantes’ Melbourne, Florida, investigation company — Action Research Group — to identify the leakers.


“This new tool allows us to claim that we care without actually having to care!”
Twitter and Buddy Media have just announced a partnership which will screen the ages of users who try to follow ‘adult’ brands on Twitter that implement a new ‘age-gate’ system. The system was generated as a service that marketers and brands can use on Twitter to ensure that they’re not peddling their wares to illegally young users.
The brands themselves will have to implement the new age-gate, so it won't work out of the box for every adult brand automatically.
… Here’s the basic process:
First, a user sees a brand they’d like to follow. Say, Skinny Girl. They click the Follow button. The brand immediately Direct Messages a link to the user, asking them to confirm their age by visiting age.twitter.com.
They’re presented with a message that requires them to enter their age and accept a set of terms.


The future of social? One of the first news aggregators fades away?
"The once popular social news website Digg.com, which received $45 million in funding, is being sold to to Betaworks for $500,000. From the article: 'Betaworks is acquiring the Digg brand, website, and technology, but not its employees. Digg will be folded into News.me, Betaworks' social news aggregator. This is not the outcome people expected for Digg. In 2008, Google was reportedly set to buy it for $200 million.'"


The world, she is a'changing... Anything you want, instantly!
"A while ago, Amazon caved on paying individual states sales taxes. Now we know why. Amazon is setting up same-day delivery warehouses everywhere. They will put most normal retailers out of business."
If that's a bet, I'll take it.


Thursday, July 12, 2012


Your email and anything else you use that password on?
"Some 450,000 email addresses and associated unencrypted passwords have been dumped online by the hacking collective "D33Ds Company" following the compromise of a Yahoo subdomain. The attackers said that they managed to access the subdomain by leveraging a union-based SQL injection attack, which made the site return more information than it should have. According to Ars Technica, the dump also includes over 2,700 database table or column names and 298 MySQL variables retrieved during the attack."
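A union-based injection works only because the application pastes user input into the query text, so the database parses the input as SQL and returns rows from a table the query was never meant to read. The following is an added example, not Yahoo's code; the schema, sample rows and probe string are constructed, and it shows the same input being neutralised by parameter binding.

```python
"""Union-based SQL injection: the vulnerable pattern beside the fix.

Added example (not Yahoo's code; schema and data are made up). The
vulnerable function concatenates the caller's text into the SQL, so a UNION
in that text pulls rows from another table. The safe function binds the
text as a parameter, so the database compares it as a value and never
parses it as SQL.
"""
import sqlite3


def make_db():
    """In-memory database with constructed sample data (not real accounts)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles(slug TEXT, body TEXT);
        CREATE TABLE accounts(email TEXT, password TEXT);
        INSERT INTO articles VALUES ('hello', 'Welcome to the site');
        INSERT INTO accounts VALUES ('user@example.invalid', 'hunter2');
    """)
    return db


def article_vulnerable(db, slug):
    """String concatenation: the caller's text becomes part of the SQL."""
    sql = "SELECT body FROM articles WHERE slug = '" + slug + "'"
    return [row[0] for row in db.execute(sql)]


def article_safe(db, slug):
    """Parameter binding: the text is sent as a value, never parsed as SQL."""
    sql = "SELECT body FROM articles WHERE slug = ?"
    return [row[0] for row in db.execute(sql, (slug,))]


# Input shaped like a union-based probe, constructed for the demonstration.
PROBE = "x' UNION SELECT email || ':' || password FROM accounts--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", article_vulnerable(db, PROBE))  # leaks the accounts row
    print("safe:      ", article_safe(db, PROBE))        # no article has that slug
```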


Small breach but full password reset (all 28,000,000 users)
Formspring resets 28m passwords after development server hacked and passwords leaked
July 11, 2012 by admin
Kahla Preston reports:
Users of Formspring, a social question and answer website popular among young teenagers, today learned their passwords were disabled by site administrators following a security breach.
Read more on The Age.
In a message on their blog yesterday, Formspring writes:
Urgent: Change Your Formspring Password
We learned this morning that we had a security breach where some user passwords may have been accessed. In response to this, we have disabled all users' passwords. We apologize for the inconvenience but prefer to play it safe and have asked all members to reset their passwords. Users will be prompted to change their passwords when they log back into Formspring. This is a good time to create a strong password.
Five hours ago, there was an update:
UPDATE: SECURITY BREACH RESOLVED
We wanted to give an update that the security breach was resolved today and provide background on what happened.
We were notified that approximately 420k password hashes were posted to a security forum, with suspicion from a user that they could be Formspring passwords. The post did not contain usernames or any other identifying information.
Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach. We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database.
We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security. We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again.
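Moving from salted SHA-256 to a slow hash cannot be done in bulk, because the server never holds the plaintext; each record is upgraded on the user's next successful login. The following is an added example, not Formspring's code. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 with a high iteration count stands in as the slow, tunable-cost hash; the record format and the iteration count are assumptions.

```python
"""Migrating stored password hashes from salted SHA-256 to a slow hash.

Added example (not Formspring's code). Formspring moved from SHA-256 with
random salts to bcrypt; bcrypt is not in the standard library, so
PBKDF2-HMAC-SHA256 with a work factor stands in here. The migration logic
is the same: verify against whichever scheme the record uses, and on a
successful login against a legacy record, rehash with the strong scheme.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption: tune so one verify costs tens of ms


def legacy_hash(password, salt=None):
    """The weak scheme: one SHA-256 over salt||password (fast, so cheap to crack)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def strong_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """The slow scheme: PBKDF2-HMAC-SHA256 with a per-user salt and work factor."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Check a password against either record format with a constant-time compare."""
    parts = stored.split("$")
    if parts[0] == "sha256" and len(parts) == 3:
        expected = legacy_hash(password, bytes.fromhex(parts[1]))
    elif parts[0] == "pbkdf2" and len(parts) == 4:
        expected = strong_hash(password, bytes.fromhex(parts[2]), int(parts[1]))
    else:
        return False
    return hmac.compare_digest(expected, stored)


def login(password, stored):
    """Return (ok, record). On success against a legacy record the returned
    record is the upgraded one for the caller to write back; otherwise the
    record is returned unchanged."""
    if not verify(password, stored):
        return False, stored
    if stored.startswith("sha256$"):
        return True, strong_hash(password)
    return True, stored


if __name__ == "__main__":
    record = legacy_hash("correct horse")
    ok, record = login("correct horse", record)
    print(ok, record.split("$")[0])  # True pbkdf2
```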


Will this all go away under the new Health Care rules?
By Dissent, July 11, 2012
Kelly Jackson Higgins writes:
If you are victimized by medical identity theft, chances are you will foot the bill for the fraudulent charges, a new survey finds.
The Ponemon Institute’s Third Annual National Study on Medical Identity Theft, which was commissioned by Experian, found that 45 percent of medical ID theft victims end up paying their healthcare provider or insurer for charges incurred by the thieves because victims don’t typically have any other recourse. Even worse, half of the victims say they know the person who victimized them, and 31 percent say they allow family members to use their IDs to get medical services.
Read more on Dark Reading.


Because a spur of the moment government plan is always better than a plan developed by the folks who designed, built and use the system...
Obama signs order outlining emergency Internet control
A new executive order addresses how the country deals with the Internet during natural disasters and security emergencies, but it also puts a lot of power in the government's hands.
… With the wordy title "Assignment of National Security and Emergency Preparedness Communications Functions," this order was designed to empower certain governmental agencies with control over telecommunications and the Web during natural disasters and security emergencies.


In an effort to improve our security, we're going to make your security fail.
"Starting next month, updated Windows operating systems will reject encryption keys smaller than 1024 bits, which could cause problems for customer applications accessing Web sites and email platforms that use the keys. The cryptographic policy change is part of Microsoft's response to security weaknesses that came to light after Windows Update became an unwitting party to Flame Malware attacks, and affects Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems."


I want one! So will the paparazzi, so they can tell their readers what their favorite star-du-jour had for breakfast...
Hidden Government Scanners Will Instantly Know Everything About You From 164 Feet Away
July 12, 2012 by Dissent
Here’s another development we’ll likely be hearing more about. From Gizmodo:
Within the next year or two, the U.S. Department of Homeland Security will instantly know everything about your body, clothes, and luggage with a new laser-based molecular scanner fired from 164 feet (50 meters) away. From traces of drugs or gun powder on your clothes to what you had for breakfast to the adrenaline level in your body—agents will be able to get any information they want without even touching you.
And without you knowing it.
The technology is so incredibly effective that, in November 2011, its inventors were subcontracted by In-Q-Tel to work with the US Department of Homeland Security.
Read more on Gizmodo.
[From the article:
The machine is ten million times faster—and one million times more sensitive—than any currently available system. That means that it can be used systematically on everyone passing through airport security, not just suspect or randomly sampled people.
… But the machine can sniff out a lot more than just explosives, chemicals and bioweapons. The company that invented it, Genia Photonics, says that its laser scanner technology is able to "penetrate clothing and many other organic materials and offers spectroscopic information, especially for materials that impact safety such as explosives and pharmacological substances." [PDF]

(Related) Maybe they have stalled while waiting for the better scanner (above)
"About a year ago, the District of Columbia Circuit Court of Appeals ruled on EPIC v. DHS, a lawsuit that sought to end TSA's use of body scanners. The Court found that DHS violated federal law by not seeking public comment before using body scanners as a primary search method. They ordered TSA to take public comment on its body scanning policy but did not require TSA to suspend its use of the scanners during the comment period. Several months later nothing had been done yet. One year later TSA has still done nothing, and even EPIC, the original plaintiff, seems to have given up. Others have apparently picked up the torch, however. Jim Harper, director of information policy studies at the libertarian think tank the Cato Institute, has posted a piece on Ars Technica about TSA's violation of the court order. He also started a petition on Whitehouse.gov asking TSA to comply with the order. An earlier petition ended with a non-response from TSA Administrator John Pistole. Will the latest petition fare any better, even in an election year?"


One time when a cloudy future is good?
July 11, 2012
Department of Defense Cloud Computing Strategy
  • "The DoD Enterprise Cloud Environment is a key component to enable the Department to achieve JIE [Joint Information Environment] goals. The DoD Cloud Computing Strategy introduces an approach to move the Department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state which is an agile, secure, and cost effective service environment that can rapidly respond to changing mission needs. The DoD Chief Information Officer (CIO) is committed to accelerating the adoption of cloud computing within the Department and to providing a secure, resilient Enterprise Cloud Environment through an alignment with Department-wide IT efficiency initiatives, federal data center consolidation and cloud computing efforts. Detailed cloud computing implementation planning has been ongoing and informs the JIE projected plan of actions and milestones in Capabilities Engineering, Operation and Governance efforts."
  • "DoD Cloud Computing Goal - Implement cloud computing as the means to deliver the most innovative, efficient, and secure information and IT services in support of the Department’s mission, anywhere, anytime, on any authorized device."


Could this be more confusing to us non-lawyers?
Megaupload and the twilight of copyright
Kim Dotcom's business facilitated more online piracy than the mind can conceive. Yet it might have been legal. How did we get here? Is there any way out?
… The lead attorney for Kim Dotcom and Megaupload, Ira Rothken of San Francisco, says that Megaupload was a "cloud storage" business whose technology was "nearly identical" to that used by such legitimate businesses as Dropbox, Microsoft (MSFT) SkyDrive, and Google Drive. "Megaupload appears to be the perfect example of something protected under the Sony doctrine," Rothken says, referring to the landmark 1984 U.S. Supreme Court case Sony Corp. of America v. Universal City Studios. In that case, the court found that Sony, in selling its Betamax videotape recorders, could not be held liable for the fact that some customers might use them to infringe copyrights.

(Related) Sounds interesting.
July 11, 2012
Commentary - Reforming Copyright Is Possible
  • "The failure of the Google Book settlement, however, has not killed the dream of a comprehensive digital library accessible to the public. Indeed, it has inspired an alternative that would avoid the risks of monopoly control. A coalition of nonprofit libraries, archives, and universities has formed to create a Digital Public Library of America, which is scheduled to launch its services in April 2013. The San Francisco Public Library recently sponsored a second major planning session for the DPLA, which drew 400 participants. Major foundations, as well as private donors, are providing financial support. The DPLA aims to be a portal through which the public can access vast stores of knowledge online. Free, forever."


Might be an interesting way for my students to share information...
Wednesday, July 11, 2012
Posterous Spaces was bought by Twitter earlier this year, but it appears to still be going strong and hasn't changed at all since it was acquired by Twitter. One of the things about Posterous that I have always liked is the ease with which you can create a group blog.
In Posterous Spaces you can allow people to make contributions to your blog by simply sending an email to "yourblog'sname" @ posterous.com. For example, if I created the blog "awesomeblog.posterous.com" I could allow others to contribute to the blog by simply sending an email to "awesomeblog@posterous.com." You can choose to moderate or not moderate those contributions. From an administrative standpoint, using the email method of contributing to a group blog is much easier than having to enter permissions for each person you want contributing to your group blog.
Accepting email contributions to your Posterous Spaces blog means that you don't have to spend time walking students through creating log-in credentials for another service. Simply have students send an email to "yourblog'sname" @posterous.com and their posts can appear on the blog.

Wednesday, July 11, 2012


They failed with the “All your begs in one ask-it” so now we can expect one runny, soft boiled idea at a time.
"While it didn't get nearly as much attention as other parts of SOPA, one section in the bill that greatly concerned us was the massive expansion of the diplomatic corp.'s 'IP attaches.' If you're unfamiliar with the program, basically IP attaches are 'diplomats' (and I use the term loosely) who go around the globe pushing a copyright maximalist position on pretty much every other country. Their role is not to support more effective or more reasonable IP policy. It is solely to increase expansion, and basically act as Hollywood's personal thugs pressuring other countries to do the will of the major studios and labels. The role is literally defined as pushing for 'aggressive support for enforcement action' throughout the world. ... In other words, these people are not neutral. They do not have the best interests of the public or the country in mind. Their job is solely to push the copyright maximalist views of the legacy entertainment industry around the globe, and position it as the will of the U.S. government. It was good that this was defeated as a part of SOPA... but now comes the news that Lamar Smith is introducing a new bill that not only brings back this part, but appears to expand it and make it an even bigger deal."


Something for Statistics class...
"The Economist is reporting on two research teams, one at Harvard and another at the University of Hong Kong, who have developed software to detect what posts to Chinese social media get censored. 'The team has built up a database comprising more than 11m posts that were made on 1,382 Chinese internet forums. Perhaps their most surprising result is that posts critical of the government are not rigorously censored. On the other hand, posts that have the purpose of getting people to assemble, potentially in protest, are swept from the internet within a matter of hours.' Chinese censors may soon have to deal with an unprecedented transparency of their actions."


A bluff, or confidence?
Megaupload’s Kim Dotcom Offers to Surrender to the FBI, at a Price
Kim Dotcom and his Megaupload associates are seeking to break the legal impasse between him and the FBI, by offering to fly to the United States without an extradition hearing in New Zealand.
In return, Dotcom demands a fair trial guarantee and return of money to support their families and to pay legal fees which are thought to be in the millions of dollars after several months of court battles.
Dotcom and seven top employees of MegaUpload are charged by U.S. authorities with operating a criminal conspiracy to violate copyright laws that netted over $500 million in ads and subscription fees. The feds seized MegaUpload’s domains and servers, as well as Dotcom’s bank accounts and fancy cars in January.
The ever-provocative Dotcom tweeted Wednesday: “Hey DOJ, we will go to the US. No need for extradition. We want bail, funds unfrozen for lawyers & living expenses.”


Not in the constitution, nor is it unconstitutional. Perhaps “aconstitutional?”
July 10, 2012
CRS - Health Care: Constitutional Rights and Legislative Powers
Health Care: Constitutional Rights and Legislative Powers. Kathleen S. Swendiman, Legislative Attorney, July 9, 2012
  • "The health care reform debate raises many complex issues including those of coverage, accessibility, cost, accountability, and quality of health care. Underlying these policy considerations are issues regarding the status of health care as a constitutional or legal right. This report analyzes constitutional and legal issues pertaining to a right to health care, as well as the power of Congress to enact and fund health care programs. The United States Supreme Court’s decision in NFIB v. Sebelius, which upheld most of the Patient Protection and Affordable Care Act (Affordable Care Act/ACA), is also discussed. The United States Constitution does not set forth an explicit right to health care, and the Supreme Court has never interpreted the Constitution as guaranteeing a right to health care services from the government for those who cannot afford it. The Supreme Court has, however, held that the government has an obligation to provide medical care in certain limited circumstances, such as for prisoners."


Attention Ethical Hackers. Perhaps you should park in the back?
Gone in 3 Minutes: Keyless BMWs a Boon to Hacker Thieves
You’ve recently spent $64,000 on your flash new BMW with keyless entry. But when you wake up one morning, you discover, in a different kind of flash, that it’s gone, stolen by hacker thieves who used the car’s keyless feature to pinch your luxury ride.
This is the reality for a growing number of BMW owners in the United Kingdom who have recently become victim to a spate of thefts, thanks to a couple of security vulnerabilities in the car’s systems.

Tuesday, July 10, 2012


“Oh yeah, that's in our plan to consider at some future date.” Translation: “We have no clue...”
July 09, 2012
New GAO Report on Electronic Warfare
DOD Actions Needed to Strengthen Management and Oversight, GAO-12-479, July 9, 2012
  • "DOD has taken steps to address a critical electronic warfare management gap, but it has not established a departmentwide governance framework for electronic warfare. GAO previously reported that effective and efficient organizations establish objectives and outline major implementation tasks. In response to a leadership gap for electronic warfare, DOD is establishing the Joint Electromagnetic Spectrum Control Center under U.S. Strategic Command as the focal point for joint electronic warfare. However, because DOD has yet to define specific objectives for the center, outline major implementation tasks, and define metrics and timelines to measure progress, it is unclear whether or when the center will provide effective departmentwide leadership and advocacy for joint electronic warfare. In addition, key DOD directives providing some guidance for departmentwide oversight of electronic warfare have not been updated to reflect recent changes. For example, DOD’s primary directive concerning electronic warfare oversight was last updated in 1994 and identifies the Under Secretary of Defense for Acquisition, Technology, and Logistics as the focal point for electronic warfare. The directive does not define the center’s responsibilities in relation to the office, including those related to the development of the electronic warfare strategy and prioritizing investments. In addition, DOD’s directive for information operations, which is being updated, allocates electronic warfare responsibilities based on the department’s previous definition of information operations, which had included electronic warfare as a core capability. DOD’s oversight of electronic warfare capabilities may be further complicated by its evolving relationship with computer network operations, which is also an information operations-related capability. 
Without clearly defined roles and responsibilities and updated guidance regarding oversight responsibilities, DOD does not have reasonable assurance that its management structures will provide effective departmentwide leadership for electronic warfare activities and capabilities development and ensure effective and efficient use of its resources."


It's hard to put a value on a Privacy Officer – until after the fact. Do you suppose this was reviewed and approved by Google's Privacy Officer? Do you think the next project will be?
Google may be near record fine to settle FTC privacy charges
The Web giant is expected to pay $22.5 million to settle charges it sidestepped user privacy settings in Apple's Safari Web browser -- the largest penalty the U.S. Federal Trade Commission has ever levied against a single company, unidentified officials told the newspaper.


...as long as it doesn't fall apart until after the election.
Kim Dotcom’s Extradition Hearing Postponed Until March 2013
AUCKLAND, New Zealand — The United States’ court case against Megaupload founders Kim Dotcom, Mathias Ortmann, Finn Batato and Bram van der Kolk for alleged copyright infringement was dealt another setback Tuesday, after the New Zealand extradition hearing for the four was moved to March 2013.
Originally, the hearing was scheduled for August 6 this year, about six months after Dotcom’s home was raided in January, but a series of legal complications have pushed that date forward.
These include a High Court judge invalidating the warrants for seizing Dotcom’s property and funds — thus making the armed raid at dawn illegal. The judge also declared that the FBI shipping cloned hard drive images taken at the raid was unlawful, thanks to the warrants used being too broad and general.
… A hearing in the Federal Court of Virginia before Justice O’Grady is up next in the Megaupload legal saga.
Rothken has filed motions to vacate the orders that led to the seizure of Megaupload’s domain names and servers and says he is optimistic that O’Grady will do so.
He also expects O’Grady to order a hearing around the return of legitimate data belonging to Megaupload users. The users’ data was swept up in the confiscation of Megaupload’s assets by the US authorities, which have since then refused to return it to users.


A blog to envy? At least an example of the value of expertise (no matter how acquired) in the 'information age.' Passion for a subject is as valuable as a formal education.
How This Landlubber’s Blog Became the Navy’s Ideas Machine
In January the U.S. Navy announced a crash program to convert the USS Ponce, a 41-year-old amphibious transport, into a floating base for helicopters, minehunters and Navy SEALs in the Persian Gulf. Adm. John Harvey called the ship’s three-month conversion a “remarkable feat.”
Equally remarkable is whose idea it was, though not exclusively. For decades the Navy has occasionally used big, cheap, mostly empty vessels to stage troops, boats and copters in conflict zones. But in recent years these “motherships” have become a core Navy concept, thanks in part to steady cheerleading by a 36-year-old, New York-based civilian IT consultant and part-time blogger with no military experience or college degree.


Education, what a concept!
July 09, 2012
Continuing Professional Development, Life Long Learning and Legal Ethics Education
Devlin, Richard and Downie, Jocelyn, '...And the Learners Shall Inherit the Earth': Continuing Professional Development, Life Long Learning and Legal Ethics Education (2010). (2010) Canadian Legal Education Annual Review 9. Available at SSRN
  • "After many years of debate and resistance the Canadian legal profession is finally accepting that compulsory professional development is a necessity. We argue that as the legal profession begins to design and deliver these programmes it should take into consideration the insights of the educational literature on lifelong learning. By way of a concrete example we explore the ways in which lifelong learning theory can inform the design and delivery of legal ethics education."


This makes sense only if IT becomes a critical part of their business model. If self-driving, Internet connected cars are in our future, perhaps this is wise.
"GM's new CIO Randy Mott plans to bring nearly all IT work in-house as one piece of a sweeping IT overhaul. It's a high-risk strategy that's similar to what Mott drove at Hewlett-Packard. Today, about 90% of GM's IT services, from running data centers to writing applications, are provided by outsourcing companies such as HP/EDS, IBM, Capgemini, and Wipro, and only 10% are done by GM employees. Mott plans to flip those percentages in about three years--to 90% GM staff, 10% outsourcers. This will require a hiring binge. Mott's larger IT transformation plan doesn't emphasize budget cuts but centers on delivering more value from IT, much faster--at a time when the world's No. 2 automaker (Toyota is now No. 1) is still climbing out of bankruptcy protection and a $50 billion government bailout."


For my Students...
LinkedIn used by 93 percent of recruiters to find job candidates
A recent survey from Jobvite found that 93 percent of job recruiters tap into LinkedIn to find qualified candidates, up from 87 percent last year and 78 percent in 2010. But the other popular social networks are growing in influence as well.
In second place, Facebook is used by 66 percent of the recruiters polled, up from 55 percent last year. And Twitter is on the watch list among 54 percent of those surveyed, up from 47 percent last year.


For my Website students: Not quite a Google hiring 'test' but interesting. (I would never send you to such a boring website.)
Government Agency Recruits Via the Source Code of Its Web Page
The Consumer Financial Protection Bureau is looking for a few good technology and design fellows to help them out. Where might they find ideal candidates? Perhaps in the pool of people who go to their website AND want to see the code behind the page. So, they inserted an advertisement for their fellowship program into the source for the site. This is, effectively, a hidden ad targeted only at the kind of nerds who "view source." Very clever.


Global Warming! Global Warming! My Statistics class starts this week. Some items to chew on: is a 120-year sample adequate? How unlikely (improbable) is a June that is 2 degrees above average?
July 09, 2012
NOAA - State of the Climate National Overview June 2012
Climate Highlights — June: "The average temperature for the contiguous U.S. during June was 71.2°F, which is 2.0°F above the 20th century average. The June temperatures contributed to a record-warm first half of the year and the warmest 12-month period the nation has experienced since recordkeeping began in 1895. Scorching temperatures during the second half of the month led many cities to set all-time temperature records."


On occasion, my students send me a good one. This is supposed to be a true exchange that happened on the edge of the Iraq war.
Iranian Air Defense Site: 'Unknown aircraft you are in Iranian airspace. Identify yourself.'
Aircraft: 'This is a United States aircraft. I am in Iraqi airspace.'
Air Defense Site: 'You are in Iranian airspace. If you do not depart our airspace we will launch interceptor aircraft!'
Aircraft: 'This is a United States Marine Corps FA-18 fighter. Send 'em up, I'll wait!'
Air Defense Site: (.... total silence)

Monday, July 09, 2012


Next time your automatic screen saver cuts in, remember this case.
Forgetting to log off gives “tacit authorization” for snooping – NJ court
July 9, 2012 by Dissent
Timothy B. Lee writes:
When Wayne Rogers, a New Jersey teacher, sat down in his school’s computer lab to check his e-mail, he bumped the mouse of the computer next to him. The screen on the adjacent computer came on, and Rogers saw that one of his colleagues, Linda Marcus, had left herself logged into her Yahoo e-mail account. He saw an e-mail thread with the subject “Wayne Update.” Curious, he clicked the e-mail and found it was a private discussion with another teacher of an argument between Rogers and Marcus.
Read more about the case on Ars Technica. There seem to be a number of ways this case could have been argued, but the bottom line is that the jury didn’t believe that the snooping co-worker actually knew he lacked authorization or exceeded authorization to access the emails. [Where are these people from? Mars? Oh, New Jersey... Same thing. Bob] I find it somewhat hard to believe that he didn’t know he shouldn’t be reading a co-worker’s emails, even if she failed to log out of her account, but hey, that’s the jury system at work, I guess.


Perhaps soon they will forget how to tap land lines?
"The New York Times reports: 'In the first public accounting of its kind, cellphone carriers reported that they responded to a daunting 1.3 million demands for subscriber data last year from law enforcement agencies seeking text messages, caller locations and other information in the course of investigations.' One stinging statistic: AT&T gets 230 requests for data per hour, and turns down only 18 per week. Sprint gets 500,000 requests per year. While many requests are backed by court orders, most are not. Some include 'dumps' of tower data, which captures everyone nearby at a certain time."


I told you that filming police wasn't smart without your lawyer present... How long before they film themselves busting drug lords or rescuing puppies?
"Ben Fractenberg and Jeff Mays write that the NYPD has created a 'wanted' poster for a Harlem couple who film cops conducting stop-and-frisks and post the videos on YouTube — branding them 'professional agitators' who portray cops in a bad light and listing their home address. The flyer featuring side-by-side mugshots of Matthew Swaye and Christina Gonzalez and the couple's home address was taped to a podium outside a public hearing room in the 30th Precinct house and warns officers to be on guard against them. The couple has filmed officers stopping and frisking and arresting young people of color in Harlem and around New York City, which they post on Gonzalez's YouTube account. They said their actions are legal. 'There have been times when it's gotten combative. There have been times when they [police officers] have videoed Christina,' says Swaye. 'But if we were breaking the law they would have arrested us.' Swaye was part of a group of advocates including Cornel West who were detained at the 28th Precinct in Harlem in October for protesting the stop-and-frisk policy which Mayor Bloomberg strongly defends."


Oh look, there's an App for that too.
Privacy risk from ads in apps rising: security firm
July 9, 2012 by Dissent
Tarmo Virki reports:
Some advertising networks have over the last year started to secretly collect app users' contacts or whereabouts, and could now have access to 80 million smartphones globally, U.S.-based mobile security firm LookOut said.
Over 80 million apps have been downloaded which carry aggressive ads and the problem was rising, LookOut said as it unveiled on Monday the first industry guidelines on how application developers and advertisers could avoid raising consumer angst over too aggressive ads, which could badly hit the $8 billion industry.
Read more from Reuters.


Glad someone is thinking about this.
July 08, 2012
HP - Privacy, Security and Trust in Cloud Computing
Privacy, Security and Trust in Cloud Computing, by Siani Pearson, HP Laboratories, HPL-2012-80R1, June 28, 2012
  • "Cloud computing refers to the underlying infrastructure for an emerging model of service provision that has the advantage of reducing cost by sharing computing and storage resources, combined with an on-demand provisioning mechanism relying on a pay-per-use business model. These new features have a direct impact on information technology (IT) budgeting but also affect traditional security, trust and privacy mechanisms. The advantages of cloud computing - its ability to scale rapidly, store data remotely, and share services in a dynamic environment - can become disadvantages in maintaining a level of assurance sufficient to sustain confidence in potential customers. Some core traditional mechanisms for addressing privacy (such as model contracts) are no longer flexible or dynamic enough, so new approaches need to be developed to fit this new paradigm. In this chapter we assess how security, trust and privacy issues occur in the context of cloud computing and discuss ways in which they may be addressed."


I still deal with organizations that treat IE as their Preferred Browser... How last Century.
"Internet Explorer used to be the most prevalent browser with a market share that peaked at 88% in March of 2003. Now they're down to almost 15% due to stiff competition from Google, Mozilla, and even Apple. What implications does this have for the future of Microsoft?"


For my Website class...
"Frédéric Filloux writes that traditional newspapers that move online are losing the war against pure players and aggregators because original stories are getting very little traffic due to the poor marketing tactics of old-fashioned publishers while aggregators like the Huffington Post use clever traffic-generation techniques, so the same journalistic item will make tens or hundreds of times more traffic. Here's an example: On July 5th, The Wall Street Journal runs an editorial piece about Mitt Romney's position on Obamacare and the rather dull and generic 'Romney's Tax Confusion' title for this 1000-word article attracted a remarkable 938 comments. But look at what the Huffington Post did: a 500-word treatment, including a 300-word article plus a 200-word excerpt of the WSJ opinion and a link back (completely useless) but, unlike the Journal, the HuffPo ran a much sexier headline: 'Mitt Romney is 'Squandering' Candidacy With Health Care Snafu.' The choice of words for the headline takes into account all Search Engine Optimization prerequisites, using high yield words such as 'Squandering' and 'Snafu,' in conjunction with much sought-after topics such as 'Romney' and 'Health Care.' Altogether, this guarantees a nice blip on Google's radar — and a considerable audience: 7000+ comments."
"Huffington Post has invested a lot in SEO tools and will even A/B test headlines to random groups. 'I was told that every headline is matched in realtime against Google's most searched items right before being posted. If the editor's choice scores low in SEO, the system suggests better terms,' writes Filloux, adding that original stories are getting very little traffic due to the poor marketing tactics of old-fashioned publishers. 'Who can look to the better future in the digital world? Is it the virtuous author carving language-smart headlines or the aggregator generating eye-gobbling phrases thanks to high tech tools? Your guess. Maybe it's time to wake up.'"


Eliza is still around...
July 08, 2012
New on LLRX.com - ChatterBots Resources on the Internet
Via LLRX.com - ChatterBots Resources on the Internet - Marcus P. Zillman's guide is a comprehensive listing of resources on increasingly popular computer projects and programs used to simulate human conversation using "intelligent" agents and text based applications, called chatterbots.


Let me ask a different question: Are grammar rules changing? (Punctuation rules are)
"A lighthearted 4th of July post pointing out how Microsoft Word could help Google CEO Larry Page catch typos in his Google+ posts turned out to be fighting words for GeekWire readers. "Grammar is an important indicator of the quality of one's message," insisted one commenter. "You shouldn't have disgraced yourself by stooping to trolling your readers with an article about what essentially amounts to using a full blown word processor for a tweet. Albeit a rather long example of one," countered another. A few weeks earlier, the WSJ sparked a debate with its report that grammar gaffes have invaded the office in an age of informal e-mail, texting and Twitter. So, does grammar matter anymore?"