Saturday, August 25, 2012

They could match your Microsoft Product Code to the applications you install, creating a dossier. Or they could build a database of “typical” or “trending” applications. Or they could ignore all that useful information and just help you avoid malware.
Microsoft denies Windows 8 app spying via SmartScreen
August 24, 2012 by Dissent
Iain Thomson reports:
Microsoft has moved to quell fears that Windows 8 is building up a detailed record of all applications stored on client machines via its SmartScreen application.
An analysis by security researcher Nadim Kobeissi noticed a potential privacy violation in Windows 8′s SmartScreen system, which checks applications that the user wants to install against a database of known dodgy code and warns the user if Redmond’s records suggest there may be a problem.
Read more about the researcher’s claims and Microsoft’s response on The Register.
In other Microsoft news, David Burt writes that he has uploaded a two-page Issue Backgrounder on Microsoft’s revised privacy statements. You can download that here.


Why would this surprise anyone? And it is probably “secret” only in the sense that they have not held a press conference explaining it in detail. You could as my Data Mining students why any candidate should be doing this – I'm trying to train them to answer such questions without sounding too condescending.
AP uncovers secret data-mining by Romney campaign
August 24, 2012 by Dissent
Jack Gillum reports:
Building upon its fundraising prowess, Mitt Romney’s campaign began a secretive data-mining project this summer to trove through Americans’ personal information — including their purchasing history and church attendance — to identify new and likely wealthy donors, The Associated Press has learned…. For Romney’s data-mining project, which began as early as June, the Republican candidate quietly turned to a little-known but successful analytics firm that previously performed marketing work for a colleague tied to Bain & Co., the management-consulting firm that Romney once led.
Read the AP report on AP.


Secure(?) communications?
You may think that sending an IM or an e-mail is private or secure, but at the end of the day, these can be forwarded, archived, copied and pasted, or viewed in history. DueIM is a simple website that negates all this by letting you send password-protected messages that are instantly deleted after they are read.
Similar Tools: Burn Note, Destructing Message, and Quickforget.


Fortunately, I have some lawyer friends (shocking, I know.) who can explain these verdicts to me.
What the Apple v. Samsung Verdict Means for the Rest of Us
The jury in the landmark intellectual property case Apple v. Samsung ruled overwhelmingly in favor of Apple on Friday, awarding the iPhone maker approximately $1.05 billion in damages. Although that figure is impressive on its own, the jury’s Apple-friendly design and utility patent rulings could have an even larger effect on the mobile industry and the world’s consumers. That means you.
Samsung was quick to issue a comment to that effect. “Today’s verdict should not be viewed as a win for Apple, but as a loss for the American consumer,” Samsung said in an official statement. “It will lead to fewer choices, less innovation, and potentially higher prices.”

(Related)
South Korean Court Rules Apple and Samsung Both Owe One Another Damages
Apple and Samsung’s international courtroom tribulations took a slight turn for the worse for all parties involved Friday. A South Korean court ruled that both companies infringed on one another’s intellectual property and owe each other damages.
The Seoul Central District Court ruled that Samsung violated one of Apple’s utility patents, over the so-called the “bounce-back” effect and slide-to-unlock features in iOS, and that Apple was in violation of two of Samsung’s wireless patents. Apple’s claims that Samsung copied the designs of the iPhone and iPad were denied.


For my Business Continuation students. Apparently, the city owns the power buses...
"On Aug. 23, Mayor Mike McGinn of Seattle informed residents that the city would partially shut down its municipal data center for five days including the Labor Day weekend. As a result, city residents will be unable to pay bills, apply for business licenses, or take advantage of other online services. In a Webcast press conference, McGinn isolated the issue as a failure in one of the electrical 'buses' that supplies power to the data center. Because that piece of equipment began overheating, the city had to begin taking servers and applications offline to prevent overloading the system. The maintenance will cost the city $2.1 million of its maintenance budget. A second power bus will remain operational, supplying enough electricity to power redundant systems for critical life and fire safety systems, including 911 services and fire dispatch. The city's Web sites should also be up and running in some capacity."


This is good enough for the President of the United States. I think with a little effort, we could make it work to poll students?
'We the People' goes open-source
The Obama administration's "We the People" online petitions platform has been open-sourced, allowing other individuals or groups to tailor the system for their own use.
The "We thePeople" code was released under the GNU General Public License yesterday, and is now available on GitHub.


Online video, the new Homework!
If you are a fan of TED Talks or Khan Academy, you may know that there are other websites which offers engaging talks, lectures, and presentations. Keen Talks is another one that curates the knowledge of the web, touching on a broad range of topics categorized by subject area and speaker.
… What’s most interesting about Keen Talks is that its collection covers from various sources, compared to TED Talks where you are only limited with TED’s material. It also goes beyond the lecture and speech format, as you can also watch the best conferences, debates, and interviews.
Similar Tools: Khan Academy, Talkminer, and Academic Earth


My students keep asking if I have Skype installed. Perhaps they have moved beyond the phone and email? Why would I need to see them (or them, me) to answer questions?
In the age of Yahoo IM!, Skype, Google Chats, instant messaging and video chat are hardly a big deal for most computer and Internet savvy users. But the cross platform application, QuicklyChat aims to make video connections more instant but with a feature for warding off interruptions when users are busy.
QuicklyChat works almost like a walkie-talky, but with video, in that users can keep it open while at their computers, and when a co-worker wants to talk it’s a simple matter of inviting a user for a chat, rather than say walking to his or her office down the hall.
QuicklyChat works on Mac and PC, and requires a quick registration.
… QuicklyChat was released this August and will be available for free in beta for a couple of months or more.


Teachifying stuff I find interesting...
...The California State University system – the largest public university system in the U.S. – is outsourcing its online education offerings to Pearson.
...Jon Becker and I have rolled out the first draft – hey, let’s call it a launch! – of our collection Hack(ing) School(ing).
...SkilledUp officially opened its doors this week. The startup offers a directory of more than 40,000 online courses from over 200 providers, organized in such a way to make it easier to find what you’re looking for: price, course direction, instructor, and so on.
...It’s 2012 and college students still don’t like digital textbooks. More details from The Chronicle of Higher Education.
...The Beloit Mindset List – what the Class of 2016 has “always known.” [Humor? Bob]


Dilbert explains why I have cut the price of this blog by 50%

Friday, August 24, 2012

Oh yeah! I think... Was this a contract dispute? (I know, read the opinion.)
DSW Shoe Warehouse wins dispute with Chartis unit over data theft coverage
August 23, 2012 by admin
Judy Greenwald reports:
A federal appellate court ruled Thursday that shoe retailer DSW Shoe Warehouse Inc. was entitled to insurance coverage of more than $6.8 million in stipulated losses and prejudgment interest from a Chartis Inc. unit in connection with a 2005 computer breach.
In an incident widely reported at the time, DSW, a subsidiary of Columbus, Ohio-based Retail Ventures Inc., reported that data on transaction information involving 1.4 million credit cards had been stolen.
Read more on BusinessInsurance. The case is Cincinnati in Retail Ventures Inc. et. al. v. National Union Fire Insurance Co. of Pittsburgh Pa. According to the background provided in the Sixth Circuit’s opinion:
In the wake of the data breach, plaintiffs incurred expenses for customer communications, public relations, customer claims and lawsuits, and attorney fees in connection with investigations by seven state Attorney Generals and the Federal Trade Commission (FTC). The FTC’s inquiry was resolved administratively with a consent decree requiring, inter alia, that plaintiffs establish and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. In the Matter of DSW, Inc., No. C-4157, 2006 WL 752215 (FTC Mar. 7, 2006). The largest share of the losses—more than $4 million—arose from the compromised credit card information: namely, costs associated with charge backs, card reissuance, account monitoring, and fines imposed by VISA/MasterCard. That amount was determined by the settlement of plaintiffs’ contractual obligations with credit card processor, National Processing Company, LLC (a/k/a BA Merchant Services, LLC).
Although DSW was hacked in 2005 and settled the FTC action in 2006, it did not notify affected consumers until August 2008. The delayed notification also occurred for customers of some other big firms hacked by Albert Gonzalez. In November 2008, California’s Assembly Judiciary Committee invited DSW and seven other companies to a hearing on the failure to notify. DSW and the others did not attend. It is not clear to me whether the government had asked the companies not to notify consumers or if the companies just elected not to.
As part of the 2009 sentencing of Albert Gonzalez, some of the court documents were made public. The pre-sentencing report indicated that DSW had reported $6.5 million – $9.5 million in losses as a result of the breach.


“Your entire life, over time.” (Not the most convincing video I've ever watched.)
The Program
August 23, 2012 by Dissent
Filmmaker Laura Poitras profiles William Binney, a 32-year veteran of the National Security Agency who helped design a top-secret program he says is broadly collecting Americans’ personal data. You can read her op-doc on the New York Times. Here’s the video:


Very cool. How do you say “anonymous” in Korean?
S. Korea court rejects law banning false IDs on Internet
August 23, 2012 by Dissent
AFP reports:
South Korea’s Constitutional Court on Thursday effectively killed off a law which bans Internet users from using false IDs, ruling it a breach of freedom of expression.
Authorities in 2007 started enforcing the law aimed at curbing the country’s notorious cyber-bullying by preventing Internet users from hiding behind false IDs when they write postings on websites.
Eight judges in a unanimous decision ruled the law is unconstitutional.
“The legal phrases related to enforcing the use of real names restrict the freedom of expression guaranteed by the constitution and obstruct the formation of free opinions which form the basis of democracy,” it said.
Read more on MSN.
Not only is this a good ruling for freedom of expression, but the government discovered how bad a real-name strategy was in the wake of some very high profile hacks where millions of consumers had their real names and registration numbers (equivalent to our Social Security numbers) stolen.


It's not mind reading, yet. But if this takes 5 minutes to cross the boarder, will the next act of Security Theater take 10?
Border Patrol kiosk detects liars trying to enter U.S
August 23, 2012 by Dissent
The U.S. Customs and Border Protection (CBP) is using border crossing stations in Arizona to test new technology to detect liars as they attempt to enter the country; travelers are subjected to a 5-minute interview with the kiosk, while microphones monitor vocal pitch frequency and quality, an infrared camera monitors eye movement and pupil dilation, and a high definition camera monitors facial expression.
The Automated Virtual Agent for Truth Assessments in Real-Time (AVATAR) kiosk interviews travelers while searching for signs of deception.
Read more on Homeland Security Newswire. Background on the research and additional details can be found on www.arizona.edu.

(Related) If this is how they implemented the Israeli program, they screwed it up. How much more complex can they make boarding a plane?
Steve Gunn: Just say no when the TSA asks you to ‘chat’
August 24, 2012 by Dissent
Steve Gunn describes what happened to him at Detroit Metropolitan Airport when a TSA agent started asking him questions as part of a “chat-down.”
At first she simply seemed chatty and friendly. She looked at my airline boarding pass and noted that I was coming from Denver. Then she mentioned that I was headed from Detroit to Grand Rapids.
“Talk to my travel agent,” I grumbled.
At that point she asked me what my business would be in Grand Rapids.
“I’m headed home,” I replied.
Then she wanted to know where home was. That’s when the mental alarms went off and I realized I was being interrogated by Big Brother in drag.
I asked her why the federal government needed to know where I was going and what I would be doing. She explained that the questions were part of a new security “pilot program.”
I then told her I am an American citizen, traveling within my own country, and I wasn’t breaking any laws. That’s all the federal government needed to know, and I wasn’t going to share any more.
Read about it on MLive. These chat-downs or attempts at behavioral detection have become just more of the intrusive and ineffective “security theater” law-abiding citizens are expected to endure.
Some of us will not and do not endure them willingly. With one exception, I have not flown at all since November 2010. And yes, as I wrote at that time, I’ve foregone some trips I would have otherwise taken. The airlines lost my business as did the conferences or vacation spots I might have flown to. I had hoped that this country would come to its senses about air travel, but it seems to have gotten worse instead of better. Shame on Congress for not reining in these needless and insulting intrusions on Americans’ privacy. [Second! Bob]


Yes, along with everyone else.
"A Cambridge academic is arguing for regulations that allow software users to sue developers when sloppy coding leaves holes for malware infection. European officials have considered introducing such a law but no binding regulations have been passed. Not everyone agrees that it's a good idea — Microsoft has previously argued against such a move by analogy, claiming a burglary victim wouldn't expect to be able to sue the manufacturer of the door or a window in their home."


The new English? So would “Call me Ishmael.” become “Call me the guy who narrates Moby Dick.?”
The way a writer structures and manages his article plays an important role. They should be easy to understand, SEO friendly and properly structured.
… The free version of Inbound Writer allows users to optimize up to 8 documents a month. If you want to edit and manage more than 8 documents, you can buy the premium plan which is available for $19.95 per month.


This might be useful...
August 23, 2012
Save your Google search settings to Google Account
Via Google+: "You asked, we listened—having the ability to save search settings in a way that provides a more consistent search experience was one of the top requests we heard from our users. Now you can save your search settings, such as your language preference or having Google Instant on or off, to your Google Account, enabling you to search with your preferences wherever you're logged in, even if you're searching across different browsers or computers. You can save your search preferences for your Google Account. Read more about search settings in our help center."

Thursday, August 23, 2012

Here's one for my Ethical Hackers to dissect.
"The Windows version of the Crisis Trojan is able to sneak onto VMware implementations, making it possibly the first malware to target such virtual machines. It also has found a way to spread to Windows Mobile devices. Samples of Crisis, also called Morcut, were first discovered about a month ago targeting Mac machines running various versions of OS X. The Trojan spies on users by intercepting e-mail and instant messenger exchanges and eavesdropping on webcam conversations. Launching as a Java archive (JAR) file made to look like an Adobe Flash Installer, Crisis scans an infected machine and drops an OS-specific executable to open a backdoor and monitor activity. This week, researchers also discovered W32.Crisis was capable of infecting VMware virtual machines and Windows Mobile devices."


“Just because all you hackers think it's not secure doesn't mean we won't go ahead as planned!” After all, they have a long tradition of bureaucratic incompetence to live up to.
"The FAA's NextGen Air Traffic Control (ATC) modernization plan is at risk of serious security breaches, according to Brad Haines (aka RenderMan). Haines outlined his concerns during a presentation (PDF) he gave at the recent DefCon 20 hacker conference in Las Vegas, explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy. The FAA isn't worried because the system has been certified and accredited."


For my Computer Security students. Reminds me of a neighbor who used to leave a note on his door that said, “Your damn rattlesnake has escaped again. Call me when you find it. Call 911 if it finds you first.”
"Softpedia reports that Global Link Security Solutions are offering a product that doesn't actually do anything to alert an owner of a break-in to their home or business, but it displays "one hell of a laser show in an attempt to scare potential crooks into thinking that they have no chance of breaking in without triggering the alarm." According to the security firm, LaserScan has four lines of protection: a number of lasers that move along the walls and floors (video), an LED which indicates that there's a "link" to a satellite, a beeping alert, and a sticker placed on the front door. Although the company claims that none of their current customers has reported break-ins since the system has been installed, security guru Bruce Schneier highlights that the product only works if the product isn't very widely known."


Local. Just because you have a cop in your class?
University of Colorado-Boulder tells faculty no class cancellations over guns
University of Colorado Chancellor Phil DiStefano is telling faculty members they have no right to cancel classes if one of their students is lawfully carrying a gun.
The warning comes a day after Professor Jerry Peterson said he plans to cancel class if he ever learns any of his students are carrying firearms.
According to the Boulder Daily Camera, DiStefano warned Tuesday that any faculty members who do so will be in violation of their contracts and could face disciplinary action.
The Colorado Supreme Court has ruled that students with conceal-carry permits are allowed to bring guns into classrooms and labs.
Peterson said Tuesday he still stands by his classroom policy because a student with a gun would be a classroom distraction.


I'm sure this list covers every conceivable point... Perhaps we could write up a list of things your privacy policy (and practices) should address?
7 reasons the FTC could audit your privacy program
… What did I find out? A shortlist of seven practices that will put a bull's eye on your company.
1. Secretly tracking people
2. Not regularly assessing and improving data security
3. Not honoring opt-outs
4. Not collecting parental consent
5. Not providing complete and accurate privacy policies
6. Disclosing consumer data without consent
7. Not assessing vendor and client security


Are the state laws cutting edge? If so, what parts should be adopted by the Feds?
State Privacy Laws Evolve While Congress Remains Stalemated
August 22, 2012 by admin
New legislation governing data breaches and privacy issues is popping up in states across the country. Most recently, Connecticut, Vermont, and Illinois have enacted new laws in these areas.
You can find a nice summary of the three new laws on CyberInquirer.


Does AT&T no longer have a legal department or is this just a strategy I can't understand? (Or, “We can screw with it until we are force to stop. Maybe that will be enough to allow our inferior products to catch up.”)
AT&T’s App-Blocking Defense Is Weak and Anti-Consumer
Amid a wave of backlash about its plans to block FaceTime over mobile, AT&T Senior Vice President for Regulatory Affairs Bob Quinn took to the company’s policy blog on Wednesday to defend its plans to block the popular app on its network unless users pony up extra cash for its new, expensive “Mobile Share” plans.
AT&T’s defense? The carrier asserts that it can block FaceTime all it wants, because the app comes preloaded on the iPhone and is not downloaded by the user.
But the rules adopted by the Federal Communications Commission to prevent carriers from blocking access to applications and websites over mobile connections are crystal clear: Mobile broadband providers cannot “block applications that compete with the provider’s voice or video telephony services.”


Are they using this because many evil doers won't fight back? Where does that leave the innocent sites?
Feds Expand Domain Seizures to Mobile-App Pirate Sites
The U.S. government for the first time has seized internet domains of online sites accused of selling pirated mobile applications, in this instance, Android apps.
Seizing domains is nothing new under the President Barack Obama administration. Usually, however, sites are shuttered for offering gambling, hawking counterfeit goods, or providing links to or streaming unauthorized movies and sporting events, or selling unauthorized copies of software. The government has seized more than 750 domains in the past two years under a program called “Operation in Our Sites.” (.pdf)


“We're moving as fast as we want to...”
Oops! Venture Capital Rebirth Delayed by Third Blown Deadline
The Securities and Exchange Commission now says it needs at least another week before it can detail its proposal to rescind longstanding prohibitions against startups advertising that they are seeking investors.
The SEC had been scheduled to consider the changes at its open meeting today following a delay last week. Prior to missing this week’s deadline and last week’s deadline, both self imposed, the commission missed a July 4 deadline spelled out in the JOBS Act, a recently approved piece of legislation that, among various other securities rules, loosens restrictions on how startups can raise money from venture capital funds and other wealthy “accredited investors.” The commission is now slated to discuss the so-called general solicitation rules at a meeting Aug. 29.


Jobs for my Ethical Hackers?
Darpa Looks to Make Cyberwar Routine With Secret ‘Plan X’
The Pentagon’s top research arm is unveiling a new, classified cyberwarfare project. But it’s not about building the next Stuxnet, Darpa swears. Instead, the just-introduced “Plan X” is designed to make online strikes a more routine part of U.S. military operations. That will make the son of Stuxnet easier to pull off — to, as Darpa puts it, “dominate the cyber battlespace.”
Darpa spent years backing research that could shore up the nation’s cyberdefenses. “Plan X” is part of a growing and fairly recent push into offensive online operations by the Pentagon agency largely responsible for the internet’s creation. In recent months, everyone from the director of Darpa on down has pushed the need to improve — and normalize — America’s ability to unleash cyberattacks against its foes.

(Related) More jobs?
"Google, which has come under fire for years for its privacy practices and recently settled a privacy related case with the Federal Trade Commission that resulted in a $22.5 million fine, is building out a privacy 'red team,' a group of people charged with finding and resolving privacy risks in the company's products. The concept of a red team is one that's been used in security for decades, with small teams of experts trying to break a given software application, get into a network or circumvent a security system as part of a penetration test or a similar engagement. The idea is sometimes applied in the real world as well, in the form of people attempting to gain entry to a secure facility or other restricted area."


Something to amuse my Statistics class? (If this was reliable, we're looking at a landslide.)
Amazon’s Political Heat Map Colors Book-Buying Preferences
Amazon has introduced a heat map of the political books sold in the U.S. An overwhelming lean toward red hues suggests that conservative-themed books are outselling left leaning ones coast to coast.
Amazon is quick to point out that the system isn’t scientific. The map presents a rolling 30-day average of book-buying data and classifies them as red or blue depending on promotional materials and customer classifications. And there’s no sliding scale. A book is either red or blue, so there’s no nuance for centrists. “Just remember, books aren’t votes,” Amazon says on the heat map site. “ So a map of book purchases may reflect curiosity as much as commitment.”


Perspective


Something for my Data Miners?
Google’s Mind-Blowing Big-Data Tool Grows Open Source Twin


Cheap is good, if you can't find free


A nifty online resource for my Excel students...
30 Excel Functions in 30 Days

Wednesday, August 22, 2012

Local Oops.
Thousands receive a letter about a possible information breach at Colorado State U. – Pueblo
August 21, 2012 by admin
Lacey Steele reports that Colorado State U. – Pueblo has notified over 19,000 students and applicants of what they believe is a low-threat breach:
A few students accidentally gained access [Usually an indication that the files were unprotected. Bob] to some files containing personal information, but they told school authorities immediately and the problem was fixed.
Read more on KOAA.


Interesting. I assume driving into Mexico is viewed as at least as risky as parking your car in Boston (Car theft capital of the US) Would the government give/sell the information to other warranty issuers?
U.S. Customs Tracks Millions Of License Plates, Shares Data With Insurance Firms
August 21, 2012 by Dissent
Andy Greenberg reports:
It may come as little surprise that every time you cross the border, cameras record your license plate number and feed it into a database of driver locations. More disturbing, perhaps, is the fact that the government seems to share that automobile surveillance data with an unexpected third party: insurance companies.
Documents obtained through a Freedom of Information Act request and released Tuesday by the Electronic Privacy Information Center (EPIC) catalogue just how pervasive automatic license plate readers have become at the Mexican and Canadian borders, with cameras placed in dozens of U.S. cities each capturing images of millions or tens of millions of plates a year. But the FOIA’d records (PDF here) also include memos outlining the sharing of that license plate data between the Department of Homeland Security’s Customs and Border Protection, the Drug Enforcement Agency, and most significantly, the National Insurance Crime Bureau, an Illinois non-profit composed of hundreds of insurance firms including branches of Allstate, GEICO, Liberty, Nationwide, Progressive, and State Farm.
Read more on Forbes.


...and the pendulum that had swung to “we needed to look for potential Columbine shooters” swings back the other way. Maybe.
California passes legislation to protect college students’ social media privacy
August 21, 2012 by Dissent
Sam Laird reports:
California’s Senate on Tuesday unanimously approved legislation to bar colleges and universities from requiring students to provide administrators with access to their social media usernames and passwords. Governor Jerry Brown now must sign or veto the bill by Sept. 30.
California is not the first state to pass legislation protecting social media privacy for students. In March, Maryland’s Senate passed a bill to prevent public colleges and universities in the state from requiring students including athletes to provide access to their social accounts.
Read more on Mashable.

(Related) You know you have a problem when the school board strategy matches the vendors sales pitch word for word.
EPIC Supports Moratorium on RFID Student Tracking
August 22, 2012 by Dissent
From EPIC.org:
EPIC, along with Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) and other leading privacy and civl liberties organizations, issued a Position Paper on the Use of RFID in Schools. Radio Frequency Identification is an identification tracking technology “designed to monitor physical objects,” such as commercial products, vehicles, and animals. Some school districts are proposing to use RFID ID tags to monitor students, teachers, and staff. The report warns of significant privacy and security risks. If RFID techniques are adopted, the groups urge that schools adopt robust privacy safeguards. In 2006 and 2007, EPIC submitted comments to federal agencies recommending against the use of RFID technology to track air travelers. The State Department subsequently made changes to the “e-Passport,” to address privacy and security concerns. For more information, seeEPIC: Radio Frequency Identification (RFID) Systems and EPIC: Student Privacy
Chipping students is a topic I’ve blogged about a number of times, and the schools that are using it are, for the most part, using it to (1) boost school revenues by gaining better attendance records for state reimbursement or (2) claiming that the tracking provides another layer of safety by knowing where the student is. While some parents have objected to the tracking, many others report that they like the idea. Personally, I think it’s a terrible idea as it inoculates youth to feeling that they are under constant surveillance.


...and thus are hairs split, re-split and made absolutely frizzy.
Web Sites Accused of Collecting Data on Children
August 22, 2012 by Dissent
Natasha Singer reports:
A coalition of nearly 20 children’s advocacy, health and public interest groups plans to file complaints with the Federal Trade Commission on Wednesday, asserting that some online marketing to children by McDonald’s and four other well-known companies violates a federal law protecting children’s privacy.
The law, the Children’s Online Privacy Protection Act, requires Web site operators to obtain verifiable consent from parents before collecting personal information about children under age 13. But, in complaints to the F.T.C., the coalition says six popular Web sites aimed at children have violated that law by encouraging children who play brand-related games or engage in other activities to provide friends’ e-mail addresses — without seeking prior parental consent.
At least one company, however, said the accusation mischaracterized its practices, adding that the law allows an exception for one-time use of a friend’s e-mail address.
Read more on New York Times.


So it's like a Consumer Group but without any pesky consumers?
Smart Grid Advocacy Group Seeks to Refute Privacy and Data Security Concerns
August 22, 2012 by Dissent
Shelton Abramson writes:
The Smart Grid Consumer Collaborative (SGCC) recently published a fact sheet and released a web video to refute privacy and data security critiques of smart meter technology. SGCC is a non-profit that seeks “to advance the adoption of a reliable, efficient, and secure smart grid.” Its membership includes electric utility and technology companies, universities, government agencies, and environmental advocacy groups. Privacy and data security concerns have led some consumers to oppose the installation of smart meters, and even inspired lawsuits in states such as Maine and Illinois. SGCC’s recently published materials suggest that many of these concerns are based on “myths” and “urban legend.”
Read more on Covington & Burling InsidePrivacy.


Not sure I understand this logic either...
The Fourth Circuit decided a very interesting Fourth Amendment case last week on the constitutionality of DNA testing, the scope of the plain view exception, and the scope of the exclusionary rule. The case is United States v. Davis, decided August 16. ... I’ll run though the facts, then turn to the law, and then offer some thoughts.

(Related) Flying with the Fourth...
Does the Fourth Amendment have a Posse (Comitatus)?
August 21, 2012 by Dissent
Ryan Calo writes:
Earlier this month, U.S. News & World Report ran the following headline: “Court Upholds Domestic Drone Use In Arrest Of American Citizen.” The article goes on to explain that a man was arrested in North Dakota with air support from a Predator B drone on loan from the Department of Homeland Security. His attorney filed a motion to dismiss on the basis that local police had not secured a warrant to use a drone in his arrest. The court, understandably, denied the motion. As I and others have observed, the Fourth Amendment does not restrict the use of drones to assess whether a perpetrator is dangerous. It would only be implicated if, for instance, one person were followed around for a long time, or the entire population were placed under constant aerial surveillance. And even then the outcome of a challenge is uncertain.
Read more on Stanford CIS.


Dilbert perfectly illustrates my point about the perils of long software development projects. (Like the government seems to prefer.)

Tuesday, August 21, 2012

From the Ethical Hacker toolkit: Is this why the President keeps texting me?
iPhone users, beware: a recently discovered flaw in iOS makes it possible for anyone to fake the number you’re receiving an SMS message from. This means that an SMS message might seem to come from a trusted source like your friends, family, or even your bank, when in fact it is coming from some unknown source.
The flaw, discovered by pod2g, is said to have been around since the first iteration of iOS on iPhone, and is also present in the latest version of iOS 6, Beta 4. While the problem actually lies with SMS protocols in general, the iPhone’s interface makes it harder to ensure who the SMS is really coming from, and makes it easier to fake the reply-to number. So when you hit reply, you might actually be replying to a different person than the one you think.


All this because a judge in San Francisco rejected the Facebook settlement? We can only hope!
Foretelling the end of money-for-nothing class actions
August 20, 2012 by Dissent
Alison Frankel writes:
A year ago, representing the “victims” of corporate privacy breaches seemed like a decent business model. In a very instructive chart Reuters prepared in June of 2011, my colleague Terry Baynes detailed the outcome of six privacy breach settlements, in which class action lawyers sued companies whose customer information was hacked. Most of the settlements involved payments to name plaintiffs ranging from $250 to $10,000. Other class members usually received no cash — but their lawyers were awarded between $500,000 and $6.5 million. Yes, we all know the lawyers had to work for their money. They filed complaints, probably withstood motions to dismiss, and negotiated settlements that included some kind of promise that defendants would change troublesome behavior. They also had to have their fees approved by federal judges.
But I believe Baynes’ chart may well represent the high point for contingency-fee lawyers who engineer settlements with no tangible benefit for class members.
Read more on Thomson Reuters


If the only difference is electronics rather than paper, why was this ever a question?
In a Blow to Hulu, Judge Rules Video Privacy Law Applies Online
Hulu could be on the hook for potentially millions of dollars in damages for allegedly transmitting consumer viewing habits to third parties, after a federal magistrate ruled that online video watching is protected by U.S. privacy law.
In a proposed class-action against Hulu, U.S. Magistrate Laurel Beeler ruled the Video Privacy Protection Act of 1988 applies to Hulu.

(Related) Maybe it's because legal opinions vary. More likely, it's because it is easier to ask forgiveness that permission.
AT&T's FaceTime limits might conflict with FCC rules
Some people have raised red flags regarding AT&T's limits on the use of FaceTime on the upcoming iOS, alleging the restrictions could go against Federal Communications Commission rules.
"Over-the-top communications services like FaceTime are a threat to carriers' revenue, but they should respond by competing with these services and not by engaging in discriminatory behavior," senior staff attorney at Public Knowledge John Bergmayer said in a statement. Public Knowledge is a nonprofit organization that works on Internet law.
The "discriminatory behavior" that Bergmayer is alluding to is AT&T's newly announced rules on how its subscribers can use FaceTime's video call service. Last week, the network released a statement confirming that users on its upcoming Mobile Share plan can run FaceTime over its cellular network. But other plans still require Wi-Fi to use the video service.


Now we're getting into legal strategy. Perhaps we'll get some interesting options, but I rather doubt it.
"RapidShare has said that the U.S. government should crack down on linking sites rather than punishing file-sharing sites and strangling innovation. The file-sharing site is understandably a little worried about the recent crackdowns on sites involved in or found to be promoting piracy. Daniel Raimer, RapidShare's Chief Legal Officer, is to meet with technology leaders and law enforcement at the Technology Policy Institute forum. [In Aspen CO Bob] Responding to a public consultation on the future of U.S. IP enforcement, the company emphasized that linking sites are the real problem. It wrote, 'Rather than enacting legislation that could stifle innovation in the cloud, the U.S. government should crack down on this critical part of the online piracy network.'"


This seems very wrong to me. Haven't we already tested this? If potential readers/clients can't find you in the net, how does that become an advantage? Sort of the electronic equivalent of asking for compensation to be listed in the phone book.
"Al Jazeera is reporting on the current state of plans by the German government to amend the national copyright law. The so-called 'Leistungsschutzrecht' (neighboring right) for publishers is introducing the right for press publishers to demand financial compensation if a company such as Google wants to link to their web site. Since the New York Times reported on this issue in March this year, two draft bills have been released by the Minister of Justice and have triggered strong criticism from the entire political spectrum in Germany, companies and activist bloggers.(Full disclosure: I am being quoted by Al Jazeera in this article)"


Perhaps if they taught a course on Privacy? What questions should parents (students) ask?
Colleges need schooling on privacy law
August 21, 2012 by Dissent
Lisa Black reports:
At college registration this summer, the room went silent when a dad asked the department dean a question that lurked in the back of all our minds:
What if our kid doesn’t adjust well? How will we know, short of acting like the dreaded hovering helicopter parent, if our teen is struggling with serious anxiety or depression and won’t admit it?
I found the dean’s answer that day to be candid, chilling and — as I realized later — ill-informed.
Read more on Chicago Tribune.
While Ms. Black’s reporting focuses on permissible disclosures, it would be nice to see more reporting on how schools fail to keep information protected and sell or share information that students and/or their parents would not want shared – including directory information. That day, when parents were asking questions, did anyone ask how to prevent the school from sharing information? And if not, did the school voluntarily raise the issue of opting out?


Go to law school, learn how to do extortion right.
Porn pirates set to be outed by German law firm
August 21, 2012 by Dissent
From the what-could-possibly-go-wrong dept.:
A German law firm is threatening to publish a list of people it is accusing of breaching pornography copyright in order to advertise its services – and will start with police stations and church rectories.
Using the driest possible legalese, the Urmann and Colleagues (U+C) firm announced on its website on Tuesday that from September 1, visitors to their site would find a list of people who had been involved in disputes over illegal porn internet downloads.
The firm, based in the southern German town of Regensburg, is one of the country’s biggest copyright law firms and represents a number of pornographers.
Read more on The Local (De).
Apart from the issue of whether such posting would be legal, which is something I’m clearly not qualified to comment on, what if this law firm is just plain wrong in their accusations? What damage might they do if they name and shame innocent parties? And what recourse will such individuals have?
Companies are quick to go after individuals who make negative public comments about them. Let’s see if individuals will be as quick to go after law firms that make negative public assertions about them.

(Related) From the Ethical Hacker toolkit:
If you have ever downloaded multiple files from sites like Rapidshare, you will find that your waiting times get increasingly larger as you download files. Sites like these detect you by your IP address and place download and waiting time restrictions on you. Here to help you bypass those restrictions is a tool called Hideman that masks your network’s IP address.

Monday, August 20, 2012

Some good news and some bad news. But my Ethical Hackers might like a copy of this one...
"Researchers have recently discovered a new sophisticated and resilient mobile threat targeting Android phones that is said to have infected about 500,000 devices, mainly in China. Called 'SMSZombie,' the malware is stubborn and hard to remove, but users outside of China have little to worry about with this latest discovery. The prime function of the mobile malware is to exploit a vulnerability in the mobile payment system used by China Mobile, [Not a US issue Bob] making it of little value to the fraudsters outside of China. The malware takes advantage of a vulnerability in the China Mobile SMS Payment process to generate unauthorized payments to premium service providers, and can also remotely control the infected device. [That sounds like fun! Let's get a copy. Bob] It has been spread via wallpaper apps that sport provocative titles and nude photos, and can only be removed using a lengthy process beyond the skills of a typical android user."


The escalation ladder has passed through drones to ultra lights – can 747's be far behind?
Feds Drop $100 Million to Spot Flying, Homebrew Cocaine Mules
Stopping drug smugglers on the ground is one thing. You can build a fence, send more Border Patrol agents and put up more cameras. But it’s a whole other thing to stop Mexico’s cartels from using tiny planes that are nearly impossible to catch.
That’s why the U.S. Customs and Border Protection (CBP) is spending $100 million on new sensors that can detect ultralight aircraft. The giant contract — awarded to New York defense company SRCTec earlier this month — comes as the cartels have been using more of the planes to elude Border Patrol agents. The cartels also seem to have become pretty good at it. The Air Force has chased them with jets, and the Border Patrol has pursued them with Black Hawk helicopters.


“We've concluded that we don't violate your privacy. Deal with it.”
Maine Supreme Court Upholds Dismissal of Smart Meter Privacy Challenge
August 19, 2012 by Dissent
Shelton Abramson writes:
The Maine Supreme Court recently upheld a state agency’s dismissal of a privacy challenge to the installation of smart meter technology in Maine homes and businesses. Smart meters use wireless technology to collect and transmit data to utility companies about how and when customers use electricity. While smart grid advocates argue that the use of smart meters will promote energy efficiency and customer savings, privacy advocates have raised concerns about the nature of the data that is collected.
Read more about Friedman v. Public Utilities Commission et al. on Covington & Burling InsidePrivacy.


A question we should ask ourselves. But if Privacy implications aren't clear, shouldn't someone ask why?
Privacy’s Memory Lane: From Furor to Fail in Eight Years
August 20, 2012 by Dissent
Stewart Baker writes:
Privacy groups put much of their effort into attacking new technologies for a reason. They’re afraid that, once we see a technology in action, we won’t be scared by its hypothetical risks, while its benefits will be easier to assess. Once that happens, imposing new privacy laws gets a lot harder.
To see just how fast that cycle can run, let’s take a trip down privacy’s memory lane.
Read Stewart’s commentary on The Volokh Conspiracy, where he uses privacy advocates’ reactions to G-mail in 2004 as an example of why maybe we shouldn’t rush to criticize or try to block new services or technologies.


I remind my Computer Forensics students that this is a great illustration of the downside...
Announcing the e-Discovery Team’s Second “Clever Words Award” for Excellence in Judicial Opinion Writing
… Again, I suggest you read the thirty-page opinion for the laundry list of e-discovery errors, if nothing else it serves as a warning for things to avoid in complex commercial litigation. Judge Cooke summarizes her findings at page 23:
Based on my review of all of the evidence, and considering the pattern of discovery abuses before, during, and after trial, I find that …. acted negligently in failing to comply with its discovery obligations in this case, and … Bank acted willfully in failing to comply with its discovery obligations and assist its outside counsel to properly litigate this case in accordance with the Federal Rules of Civil Procedure and the Federal Rules of Evidence.
… As for the higher purpose of appeal-proofing, note how the sanctions entered not only taxed defendant with plaintiff’s fees and costs, but also established the existence of key facts:
I will therefore direct that the facts that … Bank’s monitoring and alert systems were unreasonable and that … Bank had actual knowledge of Rothstein’s fraud be taken as established for purposes of this action.


Interesting question for the Tax Lawyers. How do you structure your organization to avoid taxes? Have telecommuters work for a Cayman Island corporation? Should telecommuters work through a Brazilian temp agency?
August 19, 2012
The Mobile Workforce and Telecommuter Tax Acts
Combining the Mobile Workforce and Telecommuter Tax Acts, Edward A. Zelinsky. Yeshiva University - Cardozo Legal Studies Research Paper No. 371 State Tax Notes, Vol. 65, No. 319, August 2012 [via SSRN]
  • "Mobile Workforce State Income Tax Simplification Act of 2012 (“the Mobile Workforce Act”) and the Telecommuter Tax Fairness Act of 2012 (“the Telecommuter Act”) each respond to the pressing national need to rationalize the states’ income taxation of nonresident workers in light of modern technology and the work patterns such technology facilitates. Both Acts must be passed to create a comprehensive framework for the states’ income taxation of nonresident workers in the 21st century. The Mobile Workforce Act addresses the question today generally denoted as nexus, that is, who can tax. The Telecommuter Act addresses the question which is today denominated as apportionment, namely, how much can be taxed. Congress must answer both inquiries properly, lest multiple and excessive state tax burdens on nonresident workers unnecessarily interfere with the efficient work patterns of a modern economy."


Is Congress signaling that they would like more campaign “donations?” If so, the DMA just signaled back, “Hell no! Bring on your legislation!”
DMA urges Congress to back off on regulating direct marketers
August 19, 2012 by Dissent
The Direct Marketing Association (DMA) is dismissing congressional privacy concerns about the mass aggregation of consumer data.
A bipartisan group of US House members sent letters to major data brokers about the privacy implications of data aggregation of consumer data.
“By combining data from numerous offline and online sources, data brokers have developed hidden dossiers on almost every U.S. consumer. This large scale aggregation of the personal information of hundreds of millions of American citizens raises a number of serious privacy concerns”, the lawmakers wrote in the letter quoted by The Hill newspaper.
In its response, the DMA said that data brokers are engaged in “legitimate commercial data practices that are essential to America’s job creation, economic growth and global leadership…unnecessary restrictions on marketing could undermine economic and job growth.”
Read more on Infosecurity Magazine.


Perspective:
U.S. viewers watched 36.9 billion online videos in July
People in the U.S. have an insatiable appetite for watching online videos.
According to new numbers released by market research firm ComScore, 85.5 percent of people in the U.S. with Internet access watched online videos in July -- that's 184 million people who watched a total of 36.9 billion online content videos in only one month. For comparison, that is equal to every single person on Earth watching at least five videos each.


Beware of Huns bearing EMP devices... OR How to make it into the Internet Hall of Fame
Alexandria 2.0: One Millionaire’s Quest to Build the Biggest Library on Earth
… Kahle took the library of libraries — the internet — and made a couple of copies of it, and keeps making copies. One he keeps in servers in San Francisco, the other in mirror servers in Alexandria, where the world’s most famous library burned 2,000 years ago. (His data survived the Egyptian revolution unscathed.)
Through the Wayback Machine, you can see what the web looked like in 1996. And 1997. And 2011.
It’s just one arm of Kahle’s ambitious goal to provide the world with universal access to all knowledge.
His vehicle is the Internet Archive, a nonprofit organization Kahle founded in 1996, the same year he started analytics firm Alexa Internet, a pioneer in collaborative filtering, which he sold in 1999 to Amazon for $250 million.
Since selling Alexa, Kahle has grown the Internet Archive, which he refers to as Alexandria 2.0, into a massive digital repository that has not only made copies of the internet, but has made available 200,000 e-books (and digitizes 1,000 more each day), 100,000 concert recordings, and some 700,000 films.
All are available online for free.
… Take, for instance, the 200,000 e-books housed in the Open Library, an offshoot of the Internet Archive. Here, users digitally borrow the donated and purchased books scanned into the system either by Kahle’s team or by participating libraries. But only one person is given access to each book for up to two weeks, unless rights have been purchased for multiple copies. It’s a seemingly antiquated system, but it keeps the rights holders from mutiny.


Always looking for the next Olympic event (or at least a fund raiser) A video suggests that heavy drinking is the best training.
"In this year's annual mobile-phone throwing contest held in Finland Ere Karjalainen has smashed the world record by throwing his phone 101.46 meters. The event, being held every year since 2000 in the town of Savonlinna, saw quite a few mobile-phone throwers participate. 2nd place went to Jeremy Gallop, a South African who managed to throw his phone 94.67 meters. Contest organizers are of the opinion that users can vent their anger on their phones and that this offers a unique opportunity to 'pay back all the frustrations and disappointments caused by this modern equipment.'"