Friday, March 15, 2013

Hack 'em all, blame it on Anonymous!
"Earlier this week, the newly minted head of the United States' Cyber Command team and NSA head General Keith Alexander told assembled lawmakers that the U.S. has created an offensive cyberwarfare division designed to do far more than protect U.S. assets from foreign attacks. This is a major change in policy from previous public statements — in the past, the U.S. has publicly focused on defensive actions and homegrown security improvements. General Alexander told the House Armed Services Committee, 'This is an offensive team that the Defense Department would use to defend the nation if it were attacked in cyberspace. Thirteen of the teams that we're creating are for that mission alone.' This is an interesting shift in U.S. doctrine and raises questions like: What's proportional response to China probing at utility companies? Who ought to be blamed for Red October? What's the equivalent of a warning shot in cyberspace? When we detect foreign governments probing at virtual borders, who handles the diplomatic fallout as opposed to the silent retribution?"

(Related) How do you know when the cry “Wolf!” is true? ...and they might be fun to practice on, with or without cause.
North Korea Accuses Enemies Of 'Persistent and Intensive' Cyber Attack
North Korea on Friday accused the United States and South Korea of carrying out a "persistent and intensive" cyber attack against its official websites in recent days.
A number of official North Korean websites, including those of the Korean Central News Agency (KCNA), the daily Rodong Sinmun newspaper, and Air Koryo airline became inaccessible early Wednesday.
Charges of state-sanctioned hacking have usually flowed in the opposite direction.
South Korea accused the North of being behind large-scale cyber attacks on the websites of its government agencies and financial institutions in July 2009 and March 2011.
Seoul also denounced North Korea for jamming the GPS systems of hundreds of civilian aircraft and ships in South Korea in April and May last year.


“We're the government. We don't follow no stinking rules!” (My tax dollars at work!)
Rebekah Kearn of Courthouse News reports:
John Doe Company sued 15 John Doe IRS agents in Superior Court.
“This is an action involving the corruption and abuse of power by several Internal Revenue Service (‘IRS’) agents (collectively referred to as ‘defendants’ herein) during a raid of John Doe Company, in the Southern District of California, on March 11, 2011,” the complaint states. “In a case involving solely a tax matter involving a former employee of the company, these agents stole more than 60,000,000 medical records of more than 10,000,000 Americans, including at least 1,000,000 Californians.
“No search warrant authorized the seizure of these records; no subpoena authorized the seizure of these records; none of the 10,000,000 Americans were under any kind of known criminal or civil investigation and their medical records had no relevance whatsoever to the IRS search. IT personnel at the scene, a HIPPA [sic: recte HIPAA] facility warning on the building and the IT portion of the searched premises, and the company executives each warned the IRS agents of these privileged records. The IRS agents ignored and discarded each of these warnings, ignored their own published and public-reliant rules and governing ethical requirements, and ignored the limitations of the court’s search warrant authorization, seizing the records under threat of destroying company property.”
So what company is John Doe Company? The complaint gives us few clues as to their identity except that it’s a HIPAA-covered entity in the Southern District of California. From the description in the complaint, I think it’s likely to be either a large insurance company or a data center for same, as only 1 million of the 10 million individuals allegedly affected are in California.
According to the complaint, the March 11, 2011 raid was related to an IRS investigation into the financial records of a former employee and agents were not authorized to seize any health records of anyone:
The search warrant authorized the seizure of financial records related principally to a former employee of the company; it did not authorize any seizure of any health care or medical record of any persons, least of all third parties completely unrelated to the matter.
The complaint alleges that a lot of sensitive information was removed improperly by IRS agents:
In spite of Defendants’ knowledge that John Doe Company was a HIPAA secure facility, in spite of Defendants’ knowledge that the records they demanded to be searched and seized were medical records of other Americans, Defendants told the company’s IT personnel to transfer several servers of the medical records and patient records to the IRS for search and seizure, otherwise they would “rip” the servers out of the building entirely.
The records contained a lot of sensitive information:
These medical records contained intimate and private information of more than 10,000,000 Americans, information that by its nature includes information about treatment for any kind of medical concern, including psychological counseling, gynecological counseling, sexual or drug treatment, and a wide range of medical matters covering the most intimate and private of concerns.
The complaint was filed in San Diego Superior Court on March 11. I’ve uploaded a copy of it here (pdf).
So… did the John Doe Company notify all 10 million people that their records had been acquired by the IRS? Was HHS notified? Under the prior HITECH regulations, if the John Doe Company believed that there was a substantial risk of harm from these records being in the hands of IRS agents in a less secured environment, did they have an obligation to report and notify?
I emailed the attorney for the John Doe Company to put a few questions to him but did not get a reply by publication time. I will update this entry if I get a reply.


I guess you can try anything at a try-al. (Not being a lawyer, I can say things like that.) In essence, if there were no government standards, they didn't need to make an effort to create their own?
I occasionally check the docket for FTC’s lawsuit against Wyndham over the multiple breaches they experienced. A story in my news reader today about how Ben Rothke of Wyndham Worldwide gave a talk on “The five habits of highly secure organizations” struck me as somewhat ironic, and I decided to see where the lawsuit stood. Of note, Wyndham recently argued that the President’s Executive Order on Improving Cybersecurity for Critical Infrastructure and accompanying Presidential Policy Directive support their motion to dismiss the FTC’s complaint that they failed to live up to their privacy policy and that their inadequate data security resulted in harm to many consumers.
In their Notice, Wyndham Worldwide Corporation states, in large part:
As relevant here, the Executive Order requires the National Institute of Standards and Technology (“NIST”) to lead the creation of a baseline set of standards for reducing cyber risks to critical infrastructure — what the Executive Order calls the “Cybersecurity Framework.” Cybersecurity EO § 7(a). The Cybersecurity Framework will establish a “set of standards, methodologies, procedures, and processes” for addressing cybersecurity threats, id., and will include “guidance for measuring the performance of an entity in implementing” those standards, id. § 7(b).
… The method of regulation laid out in the Cybersecurity Executive Order starkly contrasts with the approach the Federal Trade Commission has taken to regulating cybersecurity under Section 5 of the FTC Act. The FTC has not issued any “standards, methodologies, procedures, [or] processes” for complying with Section 5, id. § 7(a); it has not established “guidance for measuring the performance of an entity in implementing” data-security protections that might comply with the statute, id. § 7(b); it has not identified specific “information security measures and controls” that a business might adopt, id. § 7(b); and it has not “engage[d] in an open public review and comment process,” id. § 7(d).
… So will a presidential order on cybersecurity make a damned bit of difference in a lawsuit involving Section 5 of the FTC Act? I don’t think it should, but I guess we’ll have to wait and see.


London already has a system like this, but they use it to tax cars entering the city. Could this be next for visitors to New York?
The ring of steel is expanding. New York City Police Department Commissioner Raymond W. Kelly announced a “major project” at a budget hearing on Tuesday to install license plate reader cameras “in every lane of traffic on all of the bridges and tunnels that serve as entrances and exits to Manhattan.”
Soon, no one will be able to drive onto or off of the island without potentially being recorded.
Read more on Huffington Post.
I’m a tad surprised to learn that this wasn’t already in place. After 9/11, so much surveillance was added that I’ve pretty much assumed that all bridge and tunnel crossings were already monitored and recorded. [I'll bet the terrorists assume the same. Bob]


“We disagree, therefore he must be a terrorist!”
An 88-year-old campaigner has won a landmark lawsuit against police chiefs who labelled him a “domestic extremist” and logged his political activities on a secret database.
The ruling by three senior judges puts pressure on the police, already heavily criticised for running undercover operatives in political groups, to curtail their surveillance of law-abiding protesters.
The judges decided police chiefs acted unlawfully by secretly keeping a detailed record of John Catt’s presence at more than 55 protests over a four-year period.
Read more on The Guardian.


Doesn't everyone already do this?
It’s 2013 – stop paying for a land line. If you’ve got broadband Internet you can set up Skype, pay for a subscription and keep your total home phone bill under $5 a month – long distance to phones throughout North America included (rates vary for other countries).
… Of course, if even Skype’s low rates are too steep for you, you can make free calls from Gmail – Google expanded free calls through 2013, in North America only.


Free is good.
Thursday, March 14, 2013
Six Free Alternatives to PowerPoint and Keynote
Twice in the last week I've been asked for a list of free alternatives to either PowerPoint or Keynote. I've written a couple of these lists over the last five years, but some of the alternatives I've shared in the past have either gone out of business or started charging a fee. Here's my updated list of free alternatives to PowerPoint and Keynote.
Empressr is a fully functional, high quality, online slide show presentation creation and sharing service. Empressr has a couple of features differentiating it from its competitors. The first feature of note is the option of embedding video from multiple sources into your slide show. The second feature of note is Empressr's editor which allows users to draw, create, or edit images inside their slides. Empressr slideshows can be embedded anywhere.
Slide Rocket is a web based presentation creator similar to Empressr. Slide Rocket has some very nice features like 3D transitions and a collaboration feature for sharing the creation process with other users. Slide Rocket's interface is user friendly making it easy to include videos, pictures, or third party plug-ins. Slide Rocket also has a Google Drive app.
Prezi is a popular online tool for creating slideshows that don't have to appear in the linear format typically used in slideshows. This week Prezi introduced the option to include sound in your presentations. Check out the Prezi embedded below to learn about the new audio option.
Until Google Slides came along, the slideshow tool in Open Office was the slideshow creation tool that I used instead of PowerPoint. Open Office Impress's development is still supported and it is available to download for free.
Google Slides is the slideshow creation tool that I use to create roughly half of all of my slideshows (the other half I make in Keynote). I like using Google Slides for collaborating with colleagues and for commenting on students' slideshows. The publishing tool in Google Slides makes it very easy to embed your slideshows into your blog or website.
If your students have iPads, you have to try Haiku Deck. Haiku Deck is a fantastic free alternative to Keynote. The key feature of Haiku Deck that stands out is the integrated image search tool. When students type a word into Haiku Deck a set of Creative Commons licensed images will be shown to the students to use in their presentations.

(Related) ...and one more.
Thursday, March 14, 2013
Narrable Adds an iPhone App for Creating Audio Slideshows
Last month I shared a new service called Narrable that lets you create short, narrated slideshows in your web browser. One of the key features of Narrable is that you can add narration through your computer's microphone, through a phone call, or by uploading a separate audio file.
A few days ago Narrable launched a free iPhone app that you can use to create audio slideshows. The free app allows you to record up to five minutes of narration for each of your projects.
Applications for Education
I initially learned about Narrable through Wes Fryer. Wes recently recorded a podcast with one of the founders of Narrable to talk about how the service might be used for digital storytelling. The first part of the podcast is about the founding of Narrable; after that it gets into a discussion of education. I recommend listening to the podcast here.
Narrable projects can be shared via email, Facebook, or by embedding them into a blog. Narrable could be a good way to get students to tell a short story by adding narration to pictures that they have taken or found online. Have students search for some Creative Commons licensed images arranged around topics that they're studying, then record a short slideshow about them.


For all my students (Remember your poor old professor)
How To Make $10 Million On YouTube
In January, the same month that Ian Hecox and Anthony Padilla's YouTube channel Smosh passed Ray William Johnson's to become the most popular channel on YouTube, Forbes estimated the brand brought in $10 million in revenue the previous year.
They did it by thinking of YouTube itself as a channel, carrying fans to their website, Smosh.com, where the real money comes in through display ads and merchandise sales.
"YouTube is the second largest search engine in the world by itself, and that is the way that we look at it," said Barry Blumberg, president of Smosh (and EVP of Smosh's parent company, Alloy Digital). "It does generate significant revenues for our business, but it is one aspect of our business, and we use it to drive to other aspects of our business and to expose our content to the largest possible audience."