Friday, March 01, 2013

"The evil that men do lives after them; The good is oft really really hard to find..." (Sorry Will)
The FTC may have settled charges against Aaron’s over the use of DesignerWare LLC software, but the consumers haven’t. Crystal and Brian Byrd are still pursuing a lawsuit against Aaron’s and now there’s another lawsuit filed on behalf of another consumer by the same attorneys. As Associated Press reports:
Spyware installed on computers leased from furniture renter Aaron’s Inc. secretly sent 185,000 emails containing sensitive information, including pictures of nude children and people having sex, back to the company’s corporate computers, according to court documents filed Wednesday in a class-action lawsuit.
According to the filings, some of the spyware emails contained pictures secretly taken by the rental computers’ webcams or other sensitive information including Social Security numbers, social media and email passwords, and customer keystrokes, the Federal Trade Commission determined last year.
The attorneys also claimed Atlanta-based Aaron’s hasn’t properly notified at least 800 customers allegedly targeted by spyware made by DesignerWare, a company located in North East, Pa.
Read more on Public Opinion.
With respect to that last point, I went back and looked again at the consent order involving Aaron’s, and it appears that it contains no provision requiring notification of consumers whose images were transmitted. [Oops! Bob] Could the consent order even require that if it allows the respondents to get away with not admitting any guilt or admitting to the facts of the case? Going forward, the FTC needs to consider whether consumers need to be notified of a privacy or data security breach and include some requirement that such notification be made.
Update: I see that ColorTyme is also being sued in another potential class action lawsuit. ColorTyme is also one of the companies involved in the FTC’s case. The case files on them can be found here.


Not much for each user and they don't get even that.
Joe Mullin writes:
Internet privacy lawsuits, especially of the class-action variety, have been sprouting up everywhere in the past few years. Some of them have been settled for considerable sums, especially when companies are sued over publicly acknowledged privacy screw-ups that they’ve already taken heat for. One of the most notable was the $9.5 million Facebook settlement over its Beacon program, which broadcast users’ activities from other websites—including what they bought on various shopping sites—in their Facebook news feed.
The number of Facebook users affected by that class-action case was huge—the class was determined to be 3.6 million users at the end of the day. In part due to the large class, the judge allowed a so-called cy pres award, which is when a payment is made to a charity related to the issues in the case rather than to the actual class members. The Facebook settlement will go to a newly created Digital Trust Foundation (DTF), which will fund initiatives related to Internet privacy. $2.3 million of the settlement money will go to fees for the plaintiffs’ attorneys.
Read more about how some conservative judges in the Ninth Circuit are not happy as to how the cy pres award was made on Ars Technica. All Facebook also has more on this as does the Connecticut Law Tribune.


In my Ethical Hacker classes, detection is a 10 point deduction – dropping you to a “B”. Where you hack from is less important as long as it looks like you have passed through several countries and dead links...
China claims its military and defense sites were hacked by U.S. attackers
In a move to counter recent reports claiming that a special unit in the Chinese Army is behind repeated cyber attacks on U.S. institutions, the nation Thursday claimed its military and defense ministries websites are routinely hacked from IP addresses originating within the United States.
… "Any kid in a basement can probe a computer in China," Stiennon noted. "For that matter, Google probes every IP address every day, so you can't call that an attack."


Something to plan for...
Kathleen Struck reports:
Hacking into patient medical records can be as easy as tapping into a hospital’s unsecured wireless network from a laptop in the parking lot.
Government auditors proved it “by sitting in hospital parking lots with simple laptop computers” and obtaining “patient information from unsecured hospital wireless networks,” according to Julie K. Taitsman, M.D., J.D., and colleagues from the Office of the Inspector General at the Department of Health and Human Services (HHS).
OK, that’s scary.
Read more on MedPage.

(Related) Not clear in the article, but I suspect these are interrogated via RFID technology. I wonder if they are encrypted?
This Electronic Temporary Tattoo Will Soon Be Tracking Your Health
FitBit too bulky? Why not glue a sensor array to your skin?
The quantified self goes nanoscale with a stick-on silicon electrode network that could not only change the way we measure health metrics, but could enable a new form of user interface. And the researchers behind it aim to have the device available in the next few weeks through a spinoff company, MC10.
The development takes wearable technology to the extreme, designed as a non-invasive diagnostic sensor that could be used to measure hydration, activity, and even infant temperature. It bonds to the skin, somewhat like a temporary tattoo, flexing and bending in sync with your skin the way you wish a Band-Aid would.

(Related) And why would anyone want Medical data?
Marcia Savage reports:
Data security breaches involving third parties are on the rise, particularly in the health-care industry, a panel of security experts said Tuesday at the RSA Conference 2013.
“This is an upward trend,” the panel moderator, James Christiansen, CISO at the Sands Corp., told the audience of security professionals. “If it’s not on your radar, it should be.”
Read more on CRN. One of the panelists, Michael Bruemmer of Experian Data Breach Resolution, provided a real example of how medical ID theft could have had fatal results:
A third party’s office cleaner stole medical records, the boy’s records among them. Someone then bought the records and used the boy’s information to get medical care. That person wasn’t allergic to penicillin, but the boy was. During a subsequent emergency, the boy was nearly treated with penicillin due to an update to his records based on the stolen medical information. Fortunately, the boy’s mother caught the error, he said. As it turns out, the cleaner’s background check was falsified.


It's good to know your local (law school) librarian...
The current issue of Yale Journal of Law & Technology includes two privacy-related articles. Here’s their summary, but it looks like a subscription is required to access the full articles:
Christina P. Moniodis 15 Yale J.L. & Tech. 139
The Supreme Court’s data privacy jurisprudence consists of only two cases, yet these cases have fueled a circuit split on data privacy rights. The Court’s hesitance to foray into data privacy law may be because the nonrival, invisible, and recombinant nature of information causes plaintiffs’ harms to elude courts. Such harms threaten the democratic relationship between citizen and state.
Michael Birnhack 15 Yale J.L. & Tech. 24
Is technology-neutral legislation possible? Technological neutrality in legislation is often praised for its flexibility and ability to apply to future technologies. Yet, time and again we realize that even if the law did not name any technology, it was nevertheless based on an image of a particular technology. When new technologies appear, they expose the underlying technological mindset of the existing law. This article suggests that we read technology-related laws to uncover their hidden technological mindset so that we can better understand the law and prepare for the future.

(Related) Another job for your local librarian.
Shane Harris writes:
More than a decade after the 9/11 terrorist attacks, a set of extraordinary and secretive surveillance programs conducted by the National Security Agency has been institutionalized, and they have grown.
These special programs are conducted under the code name Ragtime, and are divided into several subcomponents, according to the new book Deep State: Inside the Government Secrecy Industry, by Marc Ambinder and D.B. Grady.
Read more on Dead Drop.

(Related)
Craig Hoffman of BakerHostetler writes:
This compendium represents our global experience in this field. While it is not a substitute for legal advice, it is a reference guide that outlines the basic requirements in place when dealing with an international data breach so that you can know what immediate steps to take and what questions you need to ask to minimize your company’s exposure.
BakerHostetler’s International Compendium of Data Privacy Laws is now accessible.
Read more on Data Privacy Monitor.


It would be easier if we had a “National ID Card.” “e-Papers, Citizen!”
Sophia Elson writes:
Earlier today, there was a hearing in the House Judiciary Committee on whether all employers nationwide should be required to use the employment verification system E-Verify to investigate the backgrounds of each new employee they hire.
The hearing was erroneously titled “How E-Verify Works and How it Benefits American Employers and Workers.” As it turns out, mandatory implementation of E-Verify would be disastrous for both of those groups, forcing employers to navigate a costly and time-intensive bureaucratic system and threatening the security of highly sensitive employee data.
EFF has denounced this invasive proposal in the past and now joins the ACLU and forty-three other organizations in signing a coalition letter that opposes its implementation.
Read more on EFF.


“We can, therefore we must?” I sure don't understand this business model. Perhaps I'm getting too old to appreciate being watched 24/7.
Koozoo pitches surveillance for the masses via smartphones
If Koozoo CEO Drew Sechrist has his way, cameras will record every move you make in public -- and make your life better for it.
The San Francisco startup wants smartphone owners to deploy a network of streaming smartphone cameras that are accessible by anyone within the Koozoo network at any time.
… they can sign up to provide a 24-hour stream using an old smartphone. Anyone can jump on the network to watch the feeds.
The idea of being watched by complete strangers sounds creepy, but Sechrist said Koozoo is anything but. It's about empowering people, he said.
"Big Brother is your government one way looking down at you, and this is the exact opposite. This is from the ground looking up from a system that people can all benefit from," Sechrist said.
The service is free. The company plans to charge for more premium services in the future, like saving footage from live feeds or adding notifications to alert you that certain events are happening.
To cut down on abuse on live streaming feeds (and so unsuspecting feed viewers don't have gross ChatRoulette-like moments), Koozoo reviews new feeds before they go live and existing feeds when they get flagged.

(Related)
February 28, 2013
New Documents Reveal U.S. Marshals’ Drones Experiment
"The use of surveillance drones is growing rapidly in the United States, but we know little about how the federal government employs this new technology. Now, new information obtained by the ACLU shows for the first time that the U.S. Marshals Service has experimented with using drones for domestic surveillance. We learned this through documents we released today, received in response to a Freedom of Information Act request. The documents are available here. (We also released a short log of drone accidents from the Federal Aviation Administration as well as accident reports and other documents from the U.S. Air Force.) This revelation comes a week after a bipartisan bill to protect Americans’ privacy from domestic drones was introduced in the House."


...so, what's the counter argument?
Outside of the FISA context, the Court’s decision [in Clapper v. Amnesty International] likely will make it more difficult for private plaintiffs in privacy and data breach litigation cases to establish standing based merely on a dignity interest or potential future harm. The “certainly impending” standard used in Clapper may provide further support for courts to find a lack of standing in privacy and data breach cases lacking evidence of misuse of information and actual financial harm.
Read more on Hogan Lovells Chronicle of Data Protection.


An interesting question...
To the casual observer, the e-book revolution has produced two bumper crops: smutty trilogies à la “Fifty Shades of Grey” and lawsuits. First there were the authors (as represented by the Authors Guild), who sued Google Books for digitizing their work without permission. Then the Department of Justice sued five publishers and Apple for adopting a policy known as the agency model. Finally, a trio of independent booksellers filed a class-action suit last week against the six largest book publishers and Amazon, accusing them of collaborating to create a monopoly on e-book sales and shutting small retailers out of the market.
The booksellers — Fiction Addiction of Greenville, S.C., Book House of Stuyvesant Plaza in Albany, N.Y., and Posman Books of New York City — are demanding the right to sell what they term “open-source and DRM-free” e-books, files that can be read on a Kindle or any other e-reading device. The publishers are accused of entering into “confidential agreements” with Amazon making this impossible.


Double secret evidence?
"U.S. prosecutors won a New Zealand court victory Friday in their battle to extradite Megaupload founder Kim Dotcom and three colleagues accused of facilitating massive copyright fraud through the now-defunct online file-sharing site. The appeals court overturned an earlier ruling that would have allowed Dotcom and the others broad access to evidence in the case against them at the time of their extradition hearing, which is scheduled for August. The appeals court ruled that extensive disclosure would bog down the process and that a summary of the U.S. case would suffice. Dotcom says he's innocent and can't be held responsible for those who chose to use the site to illegally download songs or movies."


It looks like they are giving away our secrets, but my Ethical Hackers always find a way... Unfortunately.
Open Source Project Prepackages Kim Dotcom’s Security
When you use a web application, you leave your data at the mercy of the company who runs it. Usually, this isn’t a problem, but not always. Last week, the web-based help desk application Zendesk was hacked, potentially exposing data from users of Twitter, Tumblr and Twitter, which all use the application for customer support.
Part of the problem is that a web app gathers so many eggs in one basket. If someone hacks a service provider, it can affect many different people.
But if each user’s information was encrypted so that only that user could see it — locking out even the service provider — then we could reduce the risk of putting our data in these centralized web services. That’s the aim of Crypton, a new open source project that hopes to make it easier for app developers to add this type of encryption to their applications.
It’s not unlike the approach used by Kim Dotcom’s new service Mega. When you upload a file to Mega, it’s encrypted and the key is stored by the service. But the key itself is encrypted by a passphrase that isn’t stored on Mega. That means even Mega’s staff can’t look at the data without your passphrase.
Mega is doing this to limit their liability in case of piracy, but the same principle could be applied to just about any service that stores user data.
Crypton was created by SpiderOak, a company that operates an online storage service that’s similar to Box or Dropbox.


My MBA professors taught me that you can create a market for goods consumers didn't know they wanted. ABM (Always Backward Managers) try to convince themselves that consumers who want something they can't provide, don't really want it.
You Don’t Want Super-High-Speed Internet, Says Time Warner Cable
Time Warner Cable chief technology officer Irene Esteves says you don’t really want the gigabit speeds offered by Google Fiber and other high speed providers.
On Wednesday, at a conference in San Francisco, Esteves downplayed the importance of offering a service to compete with Google, as reported by The Verge. “We’re in the business of delivering what consumers want, and to stay a little ahead of what we think they will want…. We just don’t see the need of delivering that to consumers,” she said, referring to gigabit-speed internet connections.


Print a copy of the NEW Second Amendment: “...the right to print and bear arms.”
Watch the New and Improved Printable Gun Spew Hundreds of Bullets
Late last year, a group of 3-D printing gunsmiths developed a key component for an AR-15 rifle that anyone with a 3-D printer could download and make at home. The problem: It only lasted six shots before snapping apart. Now the group is back with a new and improved receiver that can fire more than 600 rounds.


Worth a look!
Canvas Network Social Media Course
I’ve been working hard on developing an open course for Canvas Network on Social Media. The course is now live and publicly visible. This means you can see all the content pages and modules (but not the discussions or announcements). If you’d like to take a peek, visit Social Media on Canvas Network.


Make it a gradable project for your students?
How To Create An Effective Classroom Website
No doubt you already have a classroom website or will be required to create one in the very near future. Virtually every classroom teacher around the globe is being caught up in the development of this essential communication tool. Most of the early birds to this challenge went out and used providers such as Teacher Web. Now, more and more districts are implementing a provider that the entire district will use that provides continuity and uniformity. This obviously will have its benefits for staff development but may stifle creativity.
I started about 8 years ago with a variety of services, but about two years ago my district settled on one software host for us all to use. I dove in and decided to embrace the challenge to develop a comprehensive site that would be useful for students, parents, and teachers. Visit my classroom website to see how I have put many of the following ideas into place: The Borgeson Bunch. I would like to share with you some of what I have learned during that journey:
