LOCAL “On the Internet, everybody knows you're a victim.” Privacy of victims is apparently not on the DA's checklist.
Survivors of the Colorado movie theater massacre have been harassed by conspiracy theorists who posted victims’ addresses and phone numbers online, prosecutors said in a motion to have the victims’ names redacted.
James Holmes is charged with murder and attempted murder in the midnight shooting that killed 12 people and wounded 58 others during the premiere of a Batman movie, “Dark Knight Rises.”
Arapahoe County Judge William Sylvester in November ordered names released of those injured and killed.
The media had claimed there would not be “any danger to the physical safety of any witnesses, or the substantial probability of attempted witness tampering.”
But Arapahoe County District Attorney George Brauchler said in his new motion last week that the victims’ personal information has made the rounds on the Internet, at the hands of skeptics who doubt that the July 20, 2012 shootings happened as reported.
“Since the time this case was filed, unforeseen events continue to adversely affect the lives of the victims and witnesses in this case,” Brauchler wrote in a Motion for Reconsideration.
Read more on Courthouse News.
Should the court shield survivors’ names because of conspiracy theorists or those who might use the disclosure to contact victims’ friends and family or survivors in ways that may be experienced as harassing? The prosecutors cite Colorado’s Victims’ Rights Act as their justification for the request.
It’s balancing act time, it seems.
Which way do you think the balance should tip in this case?
[Don't blame the judge for releasing the names:
The original criminal complaint filed against Holmes contained a list of the names and addresses of dozens of witnesses and victims of the shootings.]
I can't let this go unanswered. This can only happen if you have no control over your operating environment. It requires that you have no way to identify who is doing what in your system. Us MBA-types call this “really bad management!”
Dan Raywood has a piece in SC Magazine about how long it takes to detect breaches:
Companies are still failing to detect data breaches and hacking incidents, with outsiders getting access and sitting on the corporate network for up to two years in some cases.
According to the Trustwave 2013 global security report, organisations fail to detect attacks and breaches, and EMEA Trustwave Spiderlabs director John Yeo said that this ‘exacerbates the data breach’. He said: “This is the point where an intrusion leads to a data breach; our investigation found that sometimes, attackers spent two years living in the environment and exposing data records.”
Read more on SC Magazine.
I wonder how/whether the Trustwave and Verizon DBIR findings might be used in the lawsuit naming Trustwave for their role in the South Carolina Department of Revenue breach. The court is currently considering dismissing them as a defendant. Their findings might also be relevant should they be sued for their role in the more recent Jetro/Restaurant Depot breach.
As always, I guess we’ll have to wait to see.
How bad was it?
Risk Based Security and the Open Security Foundation released a report this morning, Data Breach QuickView: An Executive’s Guide to Data Breach Trends in 2012. The report summarizes some of the major statistics for 2012, based on analysis of the incidents compiled in OSF’s DataLossDB. As most readers know by now, I am involved in the DataLossDB project, and I contributed to the writing of this report.
From the 2012 at a Glance:
- The 2,644 incidents represent a 117.3% increase over the previous high mark recorded in 2011.
- Over 267 million records were exposed. Over 150 million records were exposed in a single incident (Shanghai Roadway), setting a new record for number of records exposed in a breach or data loss incident.
- The Business sector accounted for 60.6% of reported incidents, followed by Government (17.9%), Education (12.0%), and Medical (9.5%).
- The Business sector accounted for 84.7% of the number of records exposed, followed by Government (12.6%), Education (1.6%), and Medical (1.1%).
- The Data Services industry accounted for just 0.3% of incidents, but 56.2% of exposed records.
- 76.8% of reported incidents were the result of external agents or activity outside the organization:
  - Hacking accounted for 68.2% of incidents and remained the #1 breach type for the second consecutive year. Hacking accounted for 22.8% of exposed records in 2012.
  - 7.3% of reported incidents involved a third party. These incidents accounted for 6.2% of the exposed records.
- Insiders accounted for 19.5% of incidents and 66.7% of exposed records:
  - Insider wrong-doing accounted for 7.1% of reported incidents and 56.8% of exposed records.
  - Insider errors accounted for 8.9% of incidents and 5.1% of exposed records.
- Breaches involving U.S. entities accounted for 40.7% of the incidents reported and 25.0% of the records exposed.
- Individuals’ names, passwords, email addresses, and other miscellaneous data were exposed in nearly 45% of reported incidents. In combination, this data is more than enough information to commit identity fraud on a large scale.
- 14.4% of breaches included a Social Security Number or Non-US Equivalent.
- After removing the single incident of 150 million and any incidents for which we do not have the number of records exposed, on average, 55,863 records were exposed per incident in 2012.
You can download the report here. A more detailed analysis of the 2012 incidents will be available in a fuller report to be released next month.
Some of the statistics may appear to conflict with others’ reports or findings. As always, differences in methodology are important to appreciate, as is the impact of state laws on breach disclosures. As one example, the majority of state breach notification laws often only apply to electronic records, not paper. The 2012 statistics, then, may be a significant underestimate for breaches involving paper records and for sectors such as the Education sector where FERPA does not require breach notification and where state laws may or may not require notification under a “harm” threshold.
They keep saying this. It is clearly a rather amateurish attempt to “justify” new and intrusive “spying on Americans” laws.
U.S. said to be target of massive cyber-espionage campaign
A new intelligence assessment has concluded that the United States is the target of a massive, sustained cyber-espionage campaign that is threatening the country’s economic competitiveness, according to individuals familiar with the report.
The National Intelligence Estimate identifies China as the country most aggressively seeking to penetrate the computer systems of American businesses and institutions to gain access to data that could be used for economic gain.
Would Google extend this courtesy to me?
The New York Times reports that several journalists who cover Myanmar may have had their email accounts hacked by "state-sponsored attackers." Journalists in the country say that warnings from Google began appearing last week, and the Times says some journalists speculate that the attack could be linked to a conflict in the northern region of the country, where government troops have fought rebels for control of territory. Myanmar has only recently opened up restrictions on news media, which was tightly controlled during decades of military rule; the Times notes that the country now has successful weekly publications that have begun to report on topics that could make the government uncomfortable.
Amazingly hard to get students to plug numbers into the formulas in their textbooks. “It can't be that simple!”
"Children in the Baltic state will learn statistics based less on computation and doing math by hand and more on framing and interpreting problems, and thinking about validation and strategy. From the article: 'Jon McLoone is Content Director for computerbasedmath.org, a project to redefine school math education assuming the use of computers. The company announced a deal Monday with the Estonian Education ministry to trial a self-contained statistics program replacing the more traditional curriculum. “We are re-thinking computer education with the assumption that computers are the tools for computation,” said Mr. McLoone. “Schools are still focused on teaching hand calculating. Computation used to be the bottleneck. The hard part was solving the equations, so that was the skill you had to teach. These days that is the bit that computers can do. What computers can’t do is set up the problem, interpret the problem, think about validation and strategy. That is what we should be teaching and spending less time teaching children to be poor computers rather than good mathematicians.”'"
(Related)
"The January edition of Science, Technology & Human Values published an article titled, Technological Change and Professional Control in the Professoriate, that details interviews with 42 faculty members at three research-intensive universities. The research concludes that faculty have little interest in the latest IT solutions. 'I went to [a course management software workshop] and came away with the idea that the greatest thing you could do with that is put your syllabus on the Web and that's an awful lot of technology to hand the students a piece of paper at the start of the semester and say keep track of it,' said one. 'What are the gains for students by bringing IT into the class? There isn't any. You could teach all of chemistry with a whiteboard. I really don't think you need IT or anything beyond a pencil and a paper,' said another."
Another research resource?
FindPDF is a free-to-use website that gives you access to many publicly available PDF files. You simply enter the name of the document that you are looking for. If you do not have the exact name, then you can type in a few words and a keyword search is executed. Results are shown and you can click on them to view the documents online. Original documents can be downloaded from the website as well.