Hack 'em all, blame it on Anonymous!
"Earlier this week, the newly
minted head of the United States' Cyber Command team and NSA head
General Keith Alexander told assembled lawmakers that the U.S. has
created an offensive cyberwarfare
division designed to do far more than protect U.S. assets from
foreign attacks. This is a major change in
policy from previous public statements — in the
past, the U.S. has publicly focused on defensive actions and
homegrown security improvements. General Alexander told the House
Armed Services Committee, 'This is an offensive team that the Defense
Department would use to defend the nation if it were attacked in
cyberspace. Thirteen of the teams that we're creating are for that
mission alone.' This is an interesting shift in U.S. doctrine and
raises questions like: What's proportional response to China probing
at utility companies? Who ought to be blamed for Red October?
What's the equivalent of a warning shot in cyberspace? When we
detect foreign governments probing at virtual borders, who handles
the diplomatic fallout as opposed to the silent retribution?"
(Related) How do you know when the cry
“Wolf!” is true? ...and they might be fun to practice on, with
or without cause.
North
Korea Accuses Enemies Of 'Persistent and Intensive' Cyber Attack
North
Korea on Friday accused the United States and South Korea of carrying
out a "persistent and intensive" cyber attack against its
official websites in recent days.
A number of
official North Korean websites, including those of the Korean Central
News Agency (KCNA), the daily Rodong Sinmun newspaper, and Air Koryo
airline became inaccessible early Wednesday.
… Charges
of state-sanctioned hacking have usually flowed in the opposite
direction.
South Korea accused the North of being
behind large-scale cyber attacks on the websites of its government
agencies and financial institutions in July 2009 and March 2011.
Seoul also denounced North Korea for
jamming the GPS systems of hundreds of civilian aircraft and ships in
South Korea in April and May last year.
“We're the government. We don't
follow no stinking rules!” (My tax dollars at work!)
Rebekah Kearn of Courthouse News
reports:
John Doe Company
sued 15 John Doe IRS agents in Superior Court.
“This is an
action involving the corruption and abuse of power by several
Internal Revenue Service (‘IRS’) agents (collectively referred to
as ‘defendants’ herein) during a raid of John Doe Company, in the
Southern District of California, on March 11, 2011,” the complaint
states. “In a case involving solely a tax matter involving a
former employee of the company, these agents stole more than
60,000,000 medical records of more than 10,000,000 Americans,
including at least 1,000,000 Californians.
“No search
warrant authorized the seizure of these records; no subpoena
authorized the seizure of these records; none of the 10,000,000
Americans were under any kind of known criminal or civil
investigation and their medical records had no relevance whatsoever
to the IRS search. IT personnel at the scene, a HIPPA [sic:
recte HIPAA] facility warning on the building and the IT
portion of the searched premises, and the company executives each
warned the IRS agents of these privileged records. The IRS agents
ignored and discarded each of these warnings, ignored their own
published and public-reliant rules and governing ethical
requirements, and ignored the limitations of the court’s search
warrant authorization, seizing the records under threat of destroying
company property.”
So what company is John Doe Company?
The complaint gives us little clues as to their identity except that
it’s a HIPAA-covered entity in the Southern District of California.
From the description in the complaint, I think it’s likely to be
either a large insurance company or a data center for same, as only 1
million of the 10 million individuals allegedly affected are in
California.
According to the complaint, the March
11, 2011 raid was related to an IRS investigation into the financial
records of a former employee and agents were not authorized to seize
any health records of anyone:
The search warrant
authorized the seizure of financial records related principally to a
former employee of the company; it did not authorize any seizure of
any health care or medical record of any persons, least of all third
parties completely unrelated to the matter.
The complaint alleges that a lot of
sensitive information was removed improperly by IRS agents:
In spite of
Defendants’ knowledge that John Doe Company was a HIPAA secure
facility, in spite of Defendants’ knowledge that the records they
demanded to be searched and seized were medical records of other
Americans, Defendants told the company’s IT personnel to transfer
several servers of the medical records and patient records to the IRS
for search and seizure, otherwise they would “rip” the servers
out of the building entirely.
The records contained a lot of
sensitive information:
These medical
records contained intimate and private information of more than
10,000,000 Americans, information that by its nature includes
information about treatment for any kind of medical concern,
including psychological counseling, gynecological counseling, sexual
or drug treatment, and a wide range of medical matters covering the
most intimate and private of concerns.
The complaint was filed in San Diego
Superior Court on March 11. I’ve uploaded a copy of it here
(pdf).
So… did the John Doe Company notify
all 10 million people that their records had been acquired by the
IRS? Was HHS notified? Under the prior HITECH regulations, if the
John Doe Company believed that there was a substantial risk of harm
from these records being in the hands of IRS agents in a less secured
environment, did they have an obligation to report and notify?
I emailed the attorney for the John Doe
Company to put a few questions to him but did not get a reply by
publication time. I will update this entry if I get a reply.
I guess you can try anything at a
try-al. (Not being a lawyer, I can say things like that.) In essence,
if there were no government standards, they didn't need to make an
effort to create their own?
I occasionally check the docket for
FTC’s
lawsuit against Wyndham over the multiple breaches they
experienced. A story in my news reader today about how Ben Rothke of
Wyndham Worldwide gave a talk on “The five habits of highly secure
organizations” struck me as somewhat ironic, and I decided to see
where the lawsuit stood. Of note, Wyndham recently argued that the
President’s Executive Order on Improving Cybersecurity for Critical
Infrastructure and accompanying Presidential Policy Directive support
their motion to dismiss the FTC’s
complaint that they failed to live up to their privacy policy and
that their inadequate data security resulted in harm to many
consumers.
In their Notice, Wyndham Worldwide
Corporation states, in large part:
As relevant here,
the Executive Order requires the National Institute of Standards and
Technology (“NIST”) to lead the creation of a baseline set of
standards for reducing cyber risks to critical infrastructure —
what the Executive Order calls the “Cybersecurity Framework.”
Cybersecurity EO § 7(a). The Cybersecurity
Framework will establish a “set of standards, methodologies,
procedures, and processes” for addressing cybersecurity
threats, id., and will include “guidance for measuring the
performance of an entity in implementing” those standards, id. §
7(b).
… The method
of regulation laid out in the Cybersecurity Executive Order starkly
contrasts with the approach the Federal Trade Commission has taken to
regulating cybersecurity under Section 5 of the FTC Act. The
FTC has not issued any “standards, methodologies, procedures, [or]
processes” for complying with Section 5, id. § 7(a); it
has not established “guidance for measuring the performance of an
entity in implementing” data-security protections that might comply
with the statute, id. § 7(b); it has not identified specific
“information security measures and controls” that a business
might adopt, id. § 7(b); and it has not “engage[d] in an open
public review and comment process,” id. § 7(d).
… So will a presidential order on
cybersecurity make a damned bit of difference in a lawsuit involving
Section 5 of the FTC Act? I don’t think it should, but I guess
we’ll have to wait and see.
London already has a system like this,
but they use it to tax cars entering the city. Could this be next
for visitors to New York?
The ring of steel
is expanding. New York City Police Department Commissioner Raymond
W. Kelly announced a “major project” at a budget hearing on
Tuesday to install license plate reader cameras “in every lane of
traffic on all of the bridges and tunnels that serve as entrances and
exits to Manhattan.”
Soon, no one will
be able to drive onto or off of the island without potentially being
recorded.
Read more on Huffington
Post.
I’m a tad surprised to learn that
this wasn’t already in place. After 9/11, so much surveillance was
added that I’ve pretty much assumed that all bridge and tunnel
crossings were already monitored and recorded. [I'll
bet the terrorists assume the same. Bob]
“We disagree, therefore he must be a
terrorist!”
An 88-year-old
campaigner has won a landmark lawsuit against police chiefs who
labelled him a “domestic extremist” and logged his political
activities on a secret database.
The ruling by
three senior judges puts pressure on the police, already heavily
criticised for running undercover operatives in political groups, to
curtail their surveillance of law-abiding protesters.
The judges decided
police chiefs acted unlawfully by secretly keeping a detailed record
of John Catt’s presence at more than 55 protests over a four-year
period.
Read more on The
Guardian.
Doesn't everyone already do this?
It’s 2013 – stop paying for a land
line. If you’ve got broadband Internet you can set up Skype,
pay for a subscription and keep your total home phone bill
under $5 a month – long distance to phones throughout North
America included (rates vary for other countries).
… Of course, if even Skype’s low
rates are too steep for you, you can make
free calls from Gmail – Google expanded free calls through
2013, in North America only.
Free is good.
Thursday, March 14, 2013
Twice in the last week I've been asked
for a list of free alternatives to either PowerPoint or Keynote.
I've written a couple of these lists over the last five years, but
some of the alternatives I've shared in the past have either gone out
of business or started charging a fee. Here's my updated list of
free alternatives to PowerPoint and Keynote.
Empressr
is a fully functional, high quality, online slide show presentation
creation and sharing service. Empressr
has a couple of features differentiating it from its competitors.
The first feature of note is the option of embedding video from
multiple sources into your slide show. The second feature of note is
Empressr's editor which allows
users to draw, create, or edit images inside their slides. Empressr
slideshows can be embedded anywhere.
Slide
Rocket is a web based presentation creator similar to
Empressr.
Slide Rocket has some very nice features like 3D transitions and a
collaboration feature for sharing the creation process with other
users. Slide Rocket's
interface is user friendly making it easy to include videos,
pictures, or third party plug-ins. Slide
Rocket also has a Google Drive app.
Prezi
is a popular online tool for creating slideshows that don't have to
appear in the linear format typically used in slideshows. This week
Prezi
introduced the option to include sound in your presentations.
Check out the Prezi embedded below to learn about the new audio
option.
Until Google Slides came along the
slideshow tool in Open Office was the slideshow creation tool that I
used instead of PowerPoint. Open
Office's Impress is still supported and
available to download for free.
Google
Slides is the slideshow creation tool that I use to create
roughly half of all of my slideshows (the other half I make in
Keynote). I like using Google Slides for collaborating with
colleagues and for commenting on students' slideshows. The
publishing tool in Google Slides makes it very easy to embed your
slideshows into your blog or website.
If your students have iPads, you have
to try Haiku
Deck. Haiku Deck is a fantastic free alternative to Keynote.
The key feature of Haiku Deck that stands out is the integrated
image search tool. When students type a word into Haiku Deck a set
of Creative Commons licensed images will be shown to the students to
use in their presentations.
(Related) ...and one more.
Last month I shared a new
service called Narrable that lets you create short, narrated
slideshows in your web browser. One of the key features of Narrable
is that you can add narration through your computer's microphone,
through a phone call, or by uploading a separate audio file.
A few days ago Narrable
launched a free iPhone app that you can use to create audio
slideshows. The free app allows you to record up to five minutes of
narration for each of your projects.
Applications
for Education
I initially learned about Narrable
through Wes
Fryer. Wes recently recorded a podcast with one of the
founders of Narrable to talk about how the service might be used for
digital storytelling. The first part of the podcast is about the
founding of Narrable; after that it gets into a discussion of
education. I recommend listening
to the podcast here.
Narrable projects can be shared via
email, Facebook, or by embedding them into a blog. Narrable
could be a good way to get students to tell a short story by adding
narration to pictures that they have taken or found online. Have
students search for some Creative Commons licensed images arranged
around topics that they're studying then record a short slideshow
about them.
For all my students (Remember your
poor old professor)
In January, the same month that Ian
Hecox and Anthony Padilla's YouTube channel Smosh
passed Ray
William Johnson's to become the most popular channel on YouTube,
Forbes estimated
the brand brought in $10 million in revenue the previous year.
They did it by thinking of YouTube
itself as a channel, carrying fans to their website, Smosh.com,
where the real money comes in through display ads and merchandise
sales.
"YouTube is the second largest
search engine in the world by itself, and that is the way that we
look at it," said Barry Blumberg, president of Smosh (and EVP of
Smosh's parent company, Alloy Digital). "It does generate
significant revenues for our business, but it is one aspect of our
business, and we use it to drive to other aspects of our business and
to expose our content to the largest possible audience."