Saturday, January 12, 2013

...and here I thought they were supposed to set a GOOD example. Well, they are a government agency so no matter how poorly managed they are they will face no consequences. Better to spend your day asking for more funding that to manage the operations you are already responsible for.
… On Jan. 2, DJJ reported the theft of a mobile device containing youth and employee records to the Tallahassee Police Department (TPD), which is currently investigating the theft. DJJ has also notified the Office of Information Security.
The device, which was stolen from a secure DJJ office, was not encrypted or password-protected as required by DJJ’s technology policy.
… DJJ confirms that more than 100,000 records may have been compromised, and the agency is currently working to determine the affected individuals.
… DJJ issued emails with a policy reminder and prospective security instructions to all employees and contracted provider programs requiring the immediate encryption of all mobile devices [Why not all devices? Bob] that are not already protected and contain confidential data.


How does one do this? List at least 5 ways... (That's a homework question, Ethical Hackers)
If you eat at Zaxby’s, you should check to see if your location is affected/ by a security breach. Yesterday, the chain announced that some of their stores (108, so far, by their list) had suspicious files found on their systems that may have exfiltrated customer credit and debit card info.
Although the press release does not say that they were definitely breached (the release is couched in “may have’s), the press release states that stores were identified as the common point of purchase by credit card companies investigating fraudulent use of cards.


Dude, I hope you stashed enough to pay for a bunch of lawyers...
"A 24-year-old Algerian man remains in a Thai jail awaiting extradition to the United States, where he is suspected of masterminding more than $100 million in global bank heists using the ZeuS and SpyEye Trojans. Malaysian authorities believe they've apprehended the hacker Hamza Bendelladj, who they say has been jetsetting around the world using millions of dollars stolen online from various banks. He was arrested at a Bangkok airport en route from Malaysia to Egypt. The hacker had developed a considerable reputation as a major operator of ZeuS-powered botnets and bragged about his exploits"
[From the article:
Bendelladj is suspected of stealing funds from 127 U.S. banks in the past six years using ZeuS- and SpyEye-infected machines to drain accounts in minutes. Victims are said to have been compromised through fake financial Web pages between December 2009 and September 2011. The FBI, which has been hunting for the hacker behind the schemes for three years, has not released details of alleged crimes listed in arrest warrants awaiting the man after he is extradicted to the agency's Georgia division.


So much more convenient when the plane lands right in front of your house!
Hackers say coming air traffic control system lets them hijack planes
An ongoing multibillion-dollar overhaul of the nation's air traffic control (ATC) system is designed to make commercial aviation more efficient, more environmentally friendly and safer by 2025.
But some white-hat hackers are questioning the safety part. The Next Generation Air Transportation System (NextGen) will rely on Global Positioning Systems (GPS) instead of radar. And so far, several hackers have said they were able to demonstrate the capability to hijack aircraft by spoofing their GPS components.
The Federal Aviation Administration (FAA) has declared that it already has multiple measures to detect fake signals. But it has so far not allowed any independent testing of the system. [“Hey, you can trust us!” Bob]


Did DHS take Oracles word for it or did they actually do their own testing or did they find it first?
Yesterday, the Department of Homeland Security issued a warning regarding Java, advising users to disable it in their web browsers. Following this was a Critical Patch Update Pre-Release Announcement from Oracle, which suggests that users temporarily disable it because of security issues. Says the advisement, Java leaves the computer open to attack.


What do these people smoke?
Facebook is at it again, folks. The social network giant is testing out yet another new feature, and this time it’s almost too ridiculous to believe. Facebook is testing a new service that charges you $100 to send a message to a stranger. So, instead of having the message land in their “Other” inbox, it will go straight to their main inbox.
… Facebook first began experimenting with this kind of option last month when it first introduced filters, including the “Other” folder. In initial tests, the fee was just $1. However, according to Mashable, Facebook confirms the $100 option is part of that test, and they say they’re testing “some extreme price points to see what works to filter spam.”


Any chance we could get US (or even Colorado) zoning boards to do something similar?
"Only a small number of U.S. cities can boast fiber optic connections, but in China, it's either fiber or bust. China's Ministry of Industry and Information Technology has now ordered all newly built residences to install fiber optic connections in any city or county 'where a public fiber optic telecom network is available.' The new standards will take effect starting on April 1, 2013, and residents will be able to choose their own ISP with equal connections to services. The Chinese government reportedly hopes to have 40 million families connected to fiber networks by 2015."


Helps to understand what information is shared with websites...
… While you could get the detailed information by diving deep into the browser’s properties, a simpler alternative is a website called About My Browser.
About My Browser is a free to use web service that lets you find out more about the web browser you are using. All you have to do is visit the website and it will gather information about your web browser.
Similar tool: Internet Anonymity Test.


I find this amusing...
St. Vrain Valley School district in Colorado plans to implement a GPS-tracking system on students’ bus passes so that the district will be able to tell when and where students get on and off the bus. The system will cost about $131,540. Parents will be able to sign up for messages alerting them to their children’s whereabouts. Train ‘em young to accept the surveillance state, right?
Also at CES, McGraw-Hill demoed its “SmartBook,” a textbook that promises adaptivity to the needs of individual students. According to The Wall Street Journal, “All readers essentially see the same textbook as they read for the first five minutes. But as a reader answers review questions placed throughout the chapter, different passages become highlighted to point the reader to where he or she should focus attention.” McGraw-Hill says the adaptive textbook will be available for about 90 courses in the spring.
Edmodo says it’s updated and clarified the language in its Terms of Service. (Wow, still pretty unclear to me. And it says that schools and not Edmodo are responsible for complying with COPPA — is that right?!)
… Free online graphing calculator Desmos has added a very cool new feature: tables of data. Creating tables of data is an important step in understanding and solving equations, statistics, and so on. And this is definitely something your handheld TI calculator doesn’t do.
The learn-to-code site Codecademy has added new lessons with training on using the YouTube, NPR, Stripe, Bit.ly, and other partner APIs.
… The Chronicle of Higher Education now hosts the data from the Adjunct Project, a crowdsourced project to identify the pay and working conditions for higher education’s mostly adjunct labor force.
… Because it wouldn’t be a weekly news roundup without some MOOC news: Coursera unveiled SignatureTrack — its plans to verify students’ identities so that it could confidently award “certifiable course records” (for a fee). How will it identify you? In part through “your photo ID and unique typing pattern.”
… According to the latest Babson Survey of Online Learning, more than 6.7 milion university students — about a third — took an online course for credit in the fall of 2011. The increase in enrollment — 9.3% — is actually the smallest percentage increase since Babson began tracking this figure a decade ago. And despite all the MOOC-related frenzy from last year, just 2.6% of higher education institutions say they offer one with just 9.4% more saying they’re planning to do so. The full report is available here.

Friday, January 11, 2013

Security Breach, the gift that keeps on giving... (Exerpts from a much more detailed post)
In September, I posted Global Payments’ statement from their quarterly filing that dealt with the costs of a breach disclosed in March 2012. BankInfoSecurity.com has just reported on their most recent filing. Whereas last year, Global Payments estimated the cost of the breach at about $84 million, their current 10-Q filing puts the cost of the breach at $93.9 million. Although the total is up, the overall fraud costs resulting from the incident were significantly lower than what they had estimated last year ($35.9 million vs. $67.4 million). Also of note, they report that their losses due to being removed from PCI-DSS compliant status were “immaterial:”
… The firm provides its updated breakdown of costs:
During the six months ended November 30, 2012, we recorded $9.5 million of expense associated with this incident, bringing the life-to-date total expense to $93.9 million. Of this life-to-date expense, $60.0 million represents costs incurred through November 30, 2012 for professional fees and other costs associated with the investigation and remediation, incentive payments to certain business partners and costs associated with credit monitoring and identity protection insurance. An additional $35.9 million represents our estimate of total fraud losses, fines and other charges that will be imposed upon us by the card networks. We have also recorded $2.0 million of insurance recoveries based on claims submitted to date as discussed below. During the three months ended November 30, 2012, we reduced our estimate of fraud losses, fines and other charges by $31.5 million resulting in a credit of $14.5 million for total processing system intrusion costs for the quarter ended November 30, 2012.


No indication of WHY they decrypt your data.
Phone maker Nokia has confirmed some recent reports that have been circulating claiming that it was decrypting HTTPS traffic originating from some of its smartphones. Nokia confirmed that its Xpress Browser used on the company’s Asha and Lumia smartphones temporarily decrypts the HTTPS traffic as it passes through Nokia servers.
… Nokia also says that there’s no need for people to worry because it would never access the customer’s data.
… The researcher claims that Nokia would have access to clear text information that could include login information for social networks, banking, and anything else transmitted by HTTPS. The researcher also noted that decrypting the information also goes against Nokia’s privacy statement that says it doesn’t collect usernames or passwords during purchase transactions. For its part, Nokia says that it doesn’t store any of the information that passes through its servers.


For my Computer Security students: This is not the best way for your Ethical Hacking friends to stay in touch... (Remember, “Default” is the French word for “Only an idiot would fail to change this” ) In New Jersey, we would say “De fault is yours!”
Trailrunner7 writes with news of the continuing poor state of security for industrial control systems. From the article:
"Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget. That's mostly what comprises the arsenal of two critical infrastructure protection specialists who have spent close to nine months trying to paint a picture of the number of Internet-facing devices linked to critical infrastructure in the United States. It's not a pretty picture. The duo ... have with some help from the Department of Homeland Security (PDF) pared down an initial list of 500,000 devices to 7,200, many of which contain online login interfaces with little more than a default password standing between an attacker and potential havoc. DHS has done outreach to the affected asset owners, yet these tides turn slowly and progress has been slow in remedying many of those weaknesses. … The pair found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums."


Technology specific guidelines are nice, but we are at a point where we should be able to look back at laws that have evolved to address issues on mainframes, mini-computers, microcomputers (PCs), and now smartphones. Eventually the laws addressing each of these technologies will address the same issues in the same way. Why not get ahead of the technology and write “Generalized Best Practices?” It would save everyone a lot of effort.
California Attorney General Kamala Harris has issued privacy guidelines for mobile apps. In a statement introducing the guidelines, Ms. Harris writes:
The mobile app industry is growing fast, but it is still in the early stages of development, with practitioners who are not all alert to privacy implications and how to address them. To help educate the industry and promote privacy best practices, the Attorney General’s Privacy Enforcement and Protection Unit has prepared Privacy on the Go: Recommendations for the Mobile Ecosystem. The recommendations, which in many places offer greater protection than afforded by existing law, are intended to encourage app developers and other players in the mobile sphere to consider privacy at the outset of the design process.
Recognizing that the legally required general privacy policy is not always the most effective way to get consumers’ attention, Privacy on the Go recommends a “surprise minimization” approach. This approach means supplementing the general privacy policy with enhanced measures to alert users and give them control over data practices that are not related to an app’s basic functionality or that involve sensitive information.
You can access the full guidelines in Privacy on the Go here.

(Related)
The Internet of Things Has Arrived — And So Have Massive Security Issues
While not devoid of hype and hyperbole, the Internet of Things (IoT) does represent a revolution happening right now. Companies of all kinds – not just technology and telecommunications firms – are linking “things” as diverse as smartphones, cars and household appliances to industrial-strength sensors, each other and the internet. The technical result may be mundane features such as intercommunication and autonomous machine-to-machine (M2M) data transfer, but the potential benefits to lifestyles and business opportunities are huge.
But … with great opportunity comes great responsibility. Along with its conveniences, the IoT will unveil unprecedented security challenges: in data privacy, safety, governance and trust.

(Related) It might also help Judges evaluate the need for a subpoena.
I’ve covered Stingray before, but the general public really really needs to become more aware of its use.
Ryan Gallagher reports:
The FBI calls it a “sensitive investigative technique” that it wants to keep secret. But newly released documents that shed light on the bureau’s use of a controversial cellphone tracking technology called the “Stingray” have prompted fresh questions over the legality of the spy tool.
Functioning as a so-called “cell-site simulator,” the Stingray is a sophisticated portable surveillance device. The equipment is designed to send out a powerful signal that covertly dupes phones within a specific area into hopping onto a fake network. The feds say they use them to target specific groups or individuals and help track the movements of suspects in real time, not to intercept communications. But by design Stingrays, sometimes called “IMSI catchers,” collaterally gather data from innocent bystanders’ phones and can interrupt phone users’ service—which critics say violates a federal communications law.
The FBI has maintained that its legal footing here is firm. Now, though, internal documents obtained by the Electronic Privacy Information Center, a civil liberties group, reveal the bureau appears well aware its use of the snooping gear is in dubious territory.
Read more on Slate.


Another example of new technologies operating in areas we have defined legally before – haven't we? Has no one ever been tracked/stalked before cellphones made it easier?
Natasha Singer reports:
There are three things that matter in consumer data collection: location, location, location.
E-ZPasses clock the routes we drive. Metro passes register the subway stations we enter. A.T.M.’s record where and when we get cash. Not to mention the credit and debit card transactions that map our trajectories in comprehensive detail — the stores, restaurants and gas stations we frequent; the hotels and health clubs we patronize.
Each of these represents a kind of knowing trade, a conscious consumer submission to surveillance for the sake of convenience.
But now legislators, regulators, advocacy groups and marketers are squaring off over newer technology: smartphones and mobile apps that can continuously record and share people’s precise movements. At issue is whether consumers are unwittingly acquiescing to pervasive tracking just for the sake of having mobile amenities like calendar, game or weather apps.
Read more on The New York Times.


Should we not do this? Will we want to expand it to identify school shooters before they shoot?
U.S. Cities Relying on Precog Software to Predict Murder
… New crime-prediction software used in Maryland and Pennsylvania, and soon to be rolled out in the nation’s capital too, promises to reduce the homicide rate by predicting which prison parolees are likely to commit murder and therefore receive more stringent supervision.
The software aims to replace the judgments parole officers already make based on a parolee’s criminal record and is currently being used in Baltimore and Philadelphia.
Richard Berk, a criminologist at the University of Pennsylvania who developed the algorithm, claims it will reduce the murder rate and other crimes and could help courts set bail amounts as well as sentencing in the future.


Just a reminder...
January 10, 2013
Check Your Credit Report Regularly -- It's Free!
"You are entitled to a FREE credit report from each of the three credit reporting agencies (Equifax, Experian, and TransUnion) once every 12 months. You can request all three reports at once, or space them out throughout the year. It's important to review your credit report to ensure that your personal information and financial accounts are being accurately reported and that no fraudulent accounts have been initiated in your name. If you do find an error on your credit report, you can dispute the error."


If the answer contains a number, WolframAlpha might be the best place to ask the question.
If you’ve heard of Wolfram Alpha before, you’ll know that it’s a wealth of knowledge that’s occasionally compared to the likes of the Star Trek computer. There are all sorts of weird and wonderful uses for Wolfram Alpha, including powerful search terms, other searching tips, widgets, a variety of cool uses and other truly powerful uses of Wolfram Alpha. However, even if you know all about these Wolfram Alpha tools, you may still not yet know about their Facebook analytics tool.
With the Wolfram Alpha Facebook analytics tool, you can find out a huge amount of information about your Facebook account. It’s quite fun to see which of your posts or photos are the most popular, who your top commenters are, who is sharing your posts the most and more interesting tidbits. Plus, it’s easy to use this tool and completely free.
Using Wolfram Alpha’s Facebook analysis tool is completely free, so all you need to do is log in using your Facebook credentials and give it access to your account.
… Here’s a video showing how it works.


It's geeky and it goes Bang! What's not to like?
"Astronomer and gamer Scott Manley (more famous for his Kerbal Space program coverage) has created a fantastic video explaining the science behind building guns that could one day be used to launch payloads into space. It's not as easy as simply making a bigger gun, there's a whole host of unorthodox 'gun' designs which work around the limitations of garden variety propellants."


Where is Emily Post when we need her? Posters suitable for framing?
Everybody Should Follow These Rules for Using Their Phone

Thursday, January 10, 2013

It's the damage after the breach you should worry about.
Christine Dobby reports:
Drake International, the Canadian-based job placement firm, confirmed Wednesday that it has been the victim of a hacking scheme by a group seeking to extort payment in exchange for not releasing the personal information of people who have used Drake’s services.
Source: Financial Post.


It's been over ten years now, so we should probably start thinking about considering holding a few planning sessions to kick around some ideas related to developing a process for eventually figuring out how we should be spending all those billions we are spending. Maybe...
January 09, 2013
Defining Homeland Security: Analysis and Congressional Considerations
CRS - Defining Homeland Security: Analysis and Congressional Considerations, Shawn Reese, Analyst in Emergency Management and Homeland Security Policy. January 8, 2013
  • "Varied homeland security definitions and missions may impede the development of a coherent national homeland security strategy, and may hamper the effectiveness of congressional oversight. Definitions and missions are part of strategy development. Policymakers develop strategy by identifying national interests, [I want to be stripped, probed and xrayed at airports bus and train stations! Bob] prioritizing goals to achieve those national interests, and arraying instruments of national power to achieve the national interests. Developing an effective homeland security strategy, however, may be complicated if the key concept of homeland security is not defined and its missions are not aligned and synchronized among different federal entities with homeland security responsibilities. This report discusses the evolution of national and DHS-specific homeland security strategic documents and their homeland security definitions and missions, and analyzes the policy question of how varied homeland security definitions and missions may affect the development of national homeland security strategy. This report, however, does not examine DHS implementation of strategy." [Or lack thereof... Bob]


Fired for stating the obvious? Welcome to Politics young man.
"Tim Lee over at Ars Technica recently interviewed Derek Khanna, a former staffer for the Republican Study Committee. As reported on Slashdot, Khanna wrote a brief suggesting the current copyright law might not constitute free market thinking. He was rewarded for his efforts with permanent time off of work. Khanna continues to speak out about the need for copyright reform as well as its potential as a winning electoral issue and, according to Lee, he's actually beginning to receive some positive attention for his efforts. 'I encourage Hill staffers to bring forth new ideas. Don't be discouraged by the potential consequences,' Khanna told Ars. 'You work for the American people. It's your job, your obligation to be challenging existing paradigms and put forward novel solutions to existing problems.' Would that more in both major parties thought like this."


That's why I have degrees in both computers and business...
January 09, 2013
Internet Users May Search, Pin, Tweet and Like - But Don’t Know How Their Favorite Sites Turn a Profit
"The Search Agency, a global online marketing firm and the largest independent U.S. search marketing agency, today announced wave II results of its 2012 Online User Behavior and Engagement Study, conducted online by Harris Interactive among 2,006 U.S. online adults from August 14-16, 2012. In addition to other findings, the study shows that, while Americans may be tweeting, searching and pinning to their hearts delight, they can’t pinpoint how some of the web’s most popular sites make a dime. Findings Include:
  • We Know How to Post, but Not How They Profit - 70% of U.S. online adults know how to post on someone’s wall, but only 54% understand how Facebook makes money. Males demonstrated a higher understanding around Facebook’s monetization strategies at 57%, vs. females at 51%.
  • Men Tweet, Women Pin - More online men know the character length of a tweet (37%) than online women (27%). When it comes to Pinterest, more women know what it means to “pin” something online (48%) than men (42%).
  • Who is Padding Google’s Pockets? - 22% of U.S. online adults overall reported that they click on search engine ads (e.g. paid search links), but results showed great behavioral variances by region and age. U.S. online adults in the South showed the highest propensity to click on paid links (29%), nearly ten full percentage points greater than any other region: Northeast (20%), West (19%) and Midwest (17%). 30% of Americans ages 18-34 indicated they click on search engine ads, which is almost double the rate of Americans age 35 and older (18%)."


'cause it's the Duke!
… Wayne died in 1979 but his legacy lives on, himself having starred in more than 170 movies. 21 of these movies have been lovingly hosted on the Internet Archive and YouTube, where they can be downloaded, streamed and enjoyed by a new generation of wannabe cowboys.


Backup, backup, backup!
Cobian Backup is a free backup software for Windows.


If it's good enough for Harvard maybe it's good enough for me?
Work Smarter with Evernote
35 pages. Publication date: Dec 18, 2012.


So (in theory) you could move this Blog to your Kindle. Or Kindle for PC?
… Send To Kindle by Klip.me, is a simple browser extension that allows you to easily send articles from your browser to your Kindle.
… In addition to it working for Chrome (here’s the Web Store link), it is currently available as an extension for Safari as well. There is also a bookmarklet, which is compatible with IE, Firefox, Opera, as well as Chrome and Safari.

Wednesday, January 09, 2013

I'll ask this again: What constitutes a CyberWar attack?
Late last year, multiple US banks were attacked online by what was believed to be a hacker group. Now government officials are saying it was actually the work of Iran, possibly in response to cyberattacks it has suffered from the US. This was determined when an investigation revealed that the method used to attack the banks was too sophisticated to be the work a fringe group.


“We don't need no stinking common sense!”
Another data theft in the education sector. And yet again, no one did anything wrong because there was never any policy.
Yesterday I added a breach to DataLossDB involving the Morgan Road Middle School in Georgia. A flash drive with unencrypted student information, including SSNs, was stolen from an teacher’s unattended car. A gradebook was also stolen. In his statement to the media, Richmond County School System Superintendent Frank Roberson said that the information in the teacher’s possession was not unusual. I agree, but why was the District using Social Security numbers instead of non-SSN identifiers? Does a teacher really need to know students’ SSNs? But here’s the part that really rankled:
Dr. Roberson says bottom line, the teacher did not break policy and because of that will not face consequences.
If there was no policy that said “Don’t leave unencrypted student information in unattended vehicles,” then I agree the teacher cannot be disciplined. But the school district should be in pillories.
Then lo and behold, there’s another news story this morning about how 60 Charlotte-Mecklenburg Schools employees in North Carolina have been warned to be on guard against identity theft after files containing their personal data were stolen from a human resource employee’s car.
The personnel files, which contained names, addresses, Social Security numbers, dates of birth and driver’s license numbers, were stolen Nov. 28, when the HR employee stopped for lunch, CMS spokeswoman Tahira Stalberte said. She said a CMS investigation determined that the employee, who was driving from one district office to another, did nothing wrong.
If no one is doing anything wrong by leaving personal information that could be used for ID theft in unattended vehicles, then the school districts are responsible for their failure to implement reasonable security policies, the states are responsible for not auditing the districts and sending a clear message about protection of data, and the U.S. Department of Education is responsible for not promoting regulations that would adequately protect the personal, private and sensitive information of students and employees.
No one’s to blame? I think there’s a lot of blame to go around. And it’s more than high time parents and employees insisted on adequate data security.


Another illustration of my concern with “Push” software updates. Real world impact from the cloud.
"A software update of the California welfare computer system (CalWIN) caused 37,000 Food Stamp recipients to lose their EBT (a credit card paid for by the government) benefits last weekend. According to the article, Hewlett Packard was responsible for the failed update of CalWIN, but at 8:00 a.m. today Xerox (who administers another state welfare system called CalFresh) issued a patch that reactivated the EBT cards."


For my Ethical Hackers. (NTLM = NT LAN Manager)
"Security researcher Mark Gamache has used Moxie Marlinspike's Cloudcracker to derive hashes from captured NTLM handshakes, resulting in successful pass-the-hash attacks. It's been going on for a long time, probably, but this is the first time a 'white hat' has researched and exposed the how-to details for us all to enjoy. 'You might think that with all the papers and presentations, no one would be using NTLM...or, God forbid, LM. NTLMv2 has been around for quite some time. Surely, everyone is using it. Right? Wrong! According to the last data from the W3 Schools, 21% of computers are running XP, while NetMarketShare claims it is 39%. Unless someone has hardened these machines (no MS patches do this), these machines are sending LM and NTLM responses!' Microsoft has posted a little guidance for those who need to turn off NTLM. Have fun explaining your new security project to your management, server admins!"


Don't have a good reason? Make one up!
Police officers have been known to illegally stop someone from recording their actions in public spaces. But police in Ramsey County have offered a new “explanation” and claim that a man recording an incident in public violated HIPAA. Emily Gurnon reports:
Andrew Henderson watched as Ramsey County sheriff’s deputies frisked a bloody-faced man outside his Little Canada apartment building. Paramedics then loaded the man, a stranger to Henderson, into an ambulance.
Henderson, 28, took out his small handheld video camera and began recording. It’s something he does regularly with law enforcement.
[...]
He had been filming from about 30 feet away, he said. Henderson said deputies gave him no warning before Muellner took his camera.
The deputy wrote on the citation, “While handling a medical/check the welfare (call), (Henderson) was filming it. Data privacy HIPAA violation. Refused to identify self. Had to stop dealing with sit(uation) to deal w/Henderson.”
Henderson appeared in Ramsey County District Court on Jan. 2. A pretrial hearing was rescheduled for Jan. 30.
The allegation that his recording of the incident violated HIPAA, or the federal Health Insurance Portability and Accountability Act, is nonsense, said Jennifer Granick, a specialist on privacy issues at Stanford University Law School.
The rule deals with how health care providers handle consumers’ health information.
“There’s nothing in HIPAA that prevents someone who’s not subject to HIPAA from taking photographs on the public streets,” Granick said. “HIPAA has absolutely nothing to say about that.”
Read more on Pioneer Press. Henderson plans to pursue this if the charges against him are not dropped.
I’ve never heard of another case like this, have you?
I would prefer that people choose not to upload films of people having medical problems in public to the Internet, but citing HIPAA as a justification to stop someone from recording in a public space seems just wrong.


Can any nation refuse?
There are days when I envy EU data protections. Then there are days when I’m glad we’re not part of the EU. James Slack reports:
Brussels is demanding that 26 police forces across the EU should have access to the personal details of every motorist in Britain.
The Government is being threatened with fines totalling millions of pounds unless it obeys the ‘Orwellian’ edict.
Foreign police also want open access to the UK’s national DNA database and fingerprint records so they can check them against crime scenes and camera footage.
MPs and civil liberties groups fear identity mistakes will lead to Britons being accused of crimes they have not committed.
Read more on The Daily Mail.


“We do not treat children like cattle. Mooove along.”
Francisco Vara-Orta reports that the Northside Independent School District student who has refused to wear an RFID chipped ID tag on religious grounds has lost her lawsuit, and the district can transfer her to another school in the district that does not use RFID-chipped tags if she continues to refuse to wear one.
Andrea Hernandez had refused to wear the tag, claiming that the chip was the “Mark of the Beast.”
The court’s ruling had nothing to do with any privacy claim but had to do with whether the district had accommodated her religious beliefs. The court held that because the district had accommodated her by removing the chip from the tag she was still required to wear, there was no First Amendment issue before the court.
The Rutherford Institute, who provided legal counsel for the student, issued a statement saying they intend to appeal the ruling.

(Related) “We are not cattle, we are sheep.”
Dan Solove writes:
A recently-released Brunswick Insight survey of parental attitudes about student privacy online is quite revealing. The survey involved more than 1000 American adults with children in grades 1-12, and it was done in August 2012. Overall, the survey revealed that parents are very concerned about their students’ online privacy, especially the tracking of their activities and marketing based on behavioral data.
Parents were generally not aware that their children are subjected to online tracking in schools. Nearly half had heard nothing about it.
Read more on SafeGov.org.


Apparently, he's not a “second class” citizen... (The UK has srtange rules)
How often have you seen me question a pro-privacy ruling? Not often, right? But a ruling in the UK does have me a bit concerned.
Mike Collett-White reports:
British actress Kate Winslet’s husband won a court battle on Tuesday stopping The Sun newspaper printing photographs of him “semi-naked” at a private fancy dress party several years ago.
Lawyers for Ned RocknRoll, 34, who married the “Titanic” star last month, argued that there was no public interest [There is now. See “Streisand Effect” Bob] in the Sun publishing the pictures, that it would be a breach of his privacy and it could lead to Winslet’s children being bullied.
According to the Press Association, the judge at London’s High Court ruled in favor of RocknRoll and ordered The Sun not to publish the pictures pending any trial, adding that he would give the reasons for his decision at a later date.
Read more on Reuters.
What’s interesting about this injunction (to me, anyway) is that the photo had already been publicly available on the Internet for two years. The Drum reports:
RocknRoll, the 34 year old nephew of Sir Richard Branson who changed his name from Edward Abel Smith, sought the injunction after the Sun newspaper attempted to print the image.
He won despite the offending image having been freely available on a friends Facebook page – which had no privacy settings, but have since been removed.
Niri Shan, head of media law at Taylor Wessing, said: “It is the first time that a Facebook page without any privacy settings has been subject of a successful injunction,” he said. “It is surprising that the fact it had been available on a public page for more than two years and could be seen by his 1,500 friends did not carry more weight.
It is a worrying precedent for the media because Facebook is a big source of information for them.”
As much as I am for pro-privacy rulings, I’m not sure this was a good ruling. If courts are going to grant injunctions based on possible embarrassment to the children of the individual, then we are not really dealing with the adult’s privacy rights. Should everyone who wants a paper blocked from printing an embarrassing picture that’s been circulating for years be entitled to an injunction, or only those who have children who could be impacted? Should only children of celebrities matter in terms of possible bullying, or all children?
Suggesting that there could be an injunction for pictures that one did not try to block for two years but suddenly finds problematic may be consistent with an EU notion of “right to be forgotten” or “right to delete,” but courts in the U.S. have generally not gone along with this type of thinking. So while UK privacy advocates may cheer this injunction, I’m not sure U.S. privacy advocates should. Nor do such injunctions properly protect press freedom, as it’s somewhat shocking that the press should not be able to repeat something that has been freely available on the Internet for years.
Justice Briggs said he would reveal his reasons at a later date. I look forward to reading them.


Something my lawyer friends will explain to me, please?
Why Facebook Data Tends to Condemn You in Court
U.S. courts have a structural bias against “guilty” verdicts, but when it comes to Facebook data the situation is reversed: Social media activity is more readily used to convict you in a court of law than to defend you.
That’s because prosecutors generally have an easier time than defense attorneys getting private information out of Facebook and other social networks, as highlighted in an ongoing Portland murder case. In that case, the defense attorney has evidence of a Facebook conversation in which a key witness reportedly tells a friend he was pressured by police into falsely incriminating the defendant.
Facebook rebuffed the defense attorney’s subpoena seeking access to the conversation, citing the federal Stored Communications Act, which protects the privacy of electronic communications like e-mail – but which carves out an exemption for law enforcement, thus assisting prosecutors. “It’s so one-sided … they cooperate 110 percent anytime someone in the government asks for information,” one Oregon attorney told the Portland Oregonian, citing a separate case in which Facebook withheld conversations that could have disproved a rape charge, but turned over the same conversations when the prosecution demanded them.


Introducing a new concept, that I think is unlikely to work as they think...
Over on the always-impressive HawkTalk blog, Chris Pounder of Amberhawk writes:
In a 215 page report, the European Parliament has suggested 350 Amendments to the text of the Data Protection Regulation published last year. This blog gives you an impression of those proposed changes that caught my eye on a “speed read” of the Report (produced by Jan Albrecht, the rapporteur for the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs).
I think the most important proposal is the fettering of the European Commission’s powers. In many instances, many powers found in the Regulation are amended to involve the European Data Protection Board of Data Protection Commissioners (the Regulation’s formal structure for what we now call the Working Party 29 Group of Commissioners).
[...]
The Report has introduced the concept of a not quite personal data; a ‘pseudonym’; I am not sure of the consequences. A ‘pseudonym’ is a “unique identifier which is specific to one given context and which does not permit the direct identification of a natural person, but allows the singling out of a data subject”.
The Report then states that “For the use of pseudonymous data, there could be alleviations with regard to obligations for the data controller undertaking the processing (e.g where personal data are processed only in the form of pseudonyms, consent may be given by automated means)”.
I am not convinced the concept works also and I think it needs a definition of “pseudonymous data” which also considers what other information the data controller has. For instance, suppose I know that mickey.mouse@hotmail.com is really Fred Bloggs. The mickey.mouse email address is pseudonymous data as it does not “not permit the direct identification of a natural person”; but I know who it is.
Read more on HawkTalk


The Economics of the Internet?
"Peter Ludlow writes in the Atlantic that the internet has turned the dating marketplace into a frictionless market that puts together buyer and seller without transaction costs. And that's a bad thing. 'Finding a partner used to be expensive, and the market was inefficient. If you lived in a large city, there were always people looking for partners, but the problem was how to find them.' But one advantage of inefficient dating markets is that in times of scarcity we sometimes take chances on things we wouldn't otherwise try while in times of plenty, we take the path of least resistance (someone who appears compatible) and we forgo difficult and prima facie implausible pairings. Another problem with frictionless online markets (PDF) is that assume we know what we are looking for. But sometimes we simply don't know what we are looking for until we stumble across it in a search for something else, says Ludlow. 'The result is often unexpected and beautiful. So it is with relationships; compatibility is a terrible idea in selecting a partner,' concludes Ludlow. 'We often make our greatest discoveries and acquire our greatest treasures when local scarcity compels us to be open to new and better things.'"


Not sure when most citizens would reference this, but if you are a history buff this is the bomb!
January 08, 2013
Foreign Relations of the United States Released in E-Book Format
"The Office of the Historian at the U.S. Department of State is pleased to announce the release of its Foreign Relations of the United States (FRUS) series in a new e-book format that is readable on popular electronic devices such as the Amazon Kindle and Apple iPad. The e-book edition combines many of the benefits of print and web publications in a new form that is portable and extremely convenient. During the pilot phase of the FRUS e-book initiative, select FRUS volumes are available here. The public is invited to download the new e-books and provide feedback to help improve the FRUS e-book edition. At the conclusion of the pilot phase, the Office will work to offer e-book versions of many more FRUS volumes both through the Office website and on a wide array of e-bookstores. The Office will continue to expand and enhance its e-book offerings, as part of the ongoing FRUS digitization effort."

(Related) History or geneology?
January 08, 2013
Official Register of the United States Now on FDsys
"As part of the U.S. Government Printing Office (GPO) and the U.S. Department of Treasury pilot project to provide permanent public access to the Treasury Library's digital content, the Official Register of the United States is now available on GPO's Federal Digital System (FDsys). The Official Register of the United States: 1829, 1835-1837, 1841-1861; 1879-1891, 1895-1907, 1911-1921, 1925-1926, 1929-1934, 1936-1959, contains information about the Federal workforce, including the name of every employee, their job title, state or country of birth, the location of their post, and their annual salary."


Strange that the Comments don't point to examples of simple programming tools (W3Schools.com? ITTT?) But I did like the comment about searching for "...a big red arrow that points to the answer"
"Adam Wiggins, co-founder of Heroku, agrees with anthropologist Bonnie Nardi that programming isn't just for geeks. The problem, he says, is that today's tools for teaching programming are woefully inadequate. In a commentary, Wiggins argues that there are two major gaps preventing programming tools from being accessible to beginners: 1) they're too fussy, requiring extensive setup, and 2) they're focused on the technology rather than everyday tasks. A good tool for learning programming, Wiggins argues, would emulate an Excel or Google Docs spreadsheet – beginners would be able to fire it up instantly, and would be able to get useful things done right away. (He's dismissive, though, of visual programming tools that 'attempt to hide logic behind a point-and-click interface.') 'Broad programming literacy is crucial in a world increasingly made of computers,' Wiggins says. 'Despite common stereotypes, programming is not out of reach for the average person,' as long as the tools are easy to set up and specialized on the programmer's task."

(Related) ...but the hardware is getting cheaper. Many tablets are already cheaper thant the textbooks I use, but I'm not sure you could load all your textbooks on one.
"One Laptop Per Child is back in the tablet race, announcing a new 7-inch tablet with the Android OS that will be sold commercially and include its learning software. The XO Tablet was announced at the International CES show in Las Vegas. OLPC will license the design to Sakar International, which will sell the tablet in the U.S. through Wal-Mart."


Free stuff, maybe.
"Yesterday, Adobe put up a mysterious webpage from which its now seven-year-old CS2 line of products (Photoshop, Illustrator, InDesign, Acrobat, Premiere and others) could be freely downloaded by anyone. The page even included valid serial numbers that will unlock the CS2 apps for anyone who wants to. This strange 'giveaways' page at Adobe.com quickly went viral on the internet after a few tech bloggers reported on it. An Adobe spokesman said initially that the CS2 downloads are for existing owners of Adobe CS2 software only, who may not be able to activate their software anymore, due to the CS2 activation servers having been shut down by Adobe. But the internet at large took this webpage as meaning 'Free Adobe CS2 Software for Everyone,' which was probably not what Adobe had in mind. It seems that at this point, hundreds of thousands of people have downloaded their 'free' CS2 products and installed them, and started using them. So Adobe is in a bit of a PR pinch now because of this — Do you tell all the thousands of people who have downloaded CS2 products in the last 48 hours that 'you cannot use these products without paying us'? Or do you accept that hundreds of thousands of people now have free access to seven year old Adobe CS2 products, and try to encourage some of them to 'upgrade to the new CS6 products'?"


How NOT to do a online class? I've been pushing a free (or nominal) signup cost, but a charge for tests leading to certification or credit.
"In the shadow of Stanford and Harvard offering free on-line courses, The University of California has been attempting to offer pay-courses for credit. UC online took out a $6.9M loan from UC and spent $4.3M to market these courses. For their efforts, they've been able to quadruple their enrollment year over year. The first year results: only one person not already attending UC paid $1,400 for an online pre-calculus class worth four credits. Now four non-UC are signed up. 'UC Online has to pay back the loan in seven years and expected to sell 7,000 classes to non-UC students for $1,400 or $2,400 apiece, depending on each course's duration. China was thought to be a lucrative potential source of students, but few expressed interest. The U.S. military also fell through.' Methinks head will roll on this one..."


I envision 70,000 fans holding up their phones as they scroll, “Go Broncos!” (in orange LEDs)
… LED Light Fun allows you to display large text messages in bright colours as if you had an LED display board using your Android device.
… Text can be static, scrolling or blinking in various colours against a background of your choosing.
Check out LED Light Fun @ Google Play


Every now and then I do like to try new things...


It's on the Internet, so it must be true!
Got a cold? Have a beer
… Sapporo Breweries, one of the country’s oldest beer makers, funded a study that has discovered that hops – one of beer’s primary ingredients – contain a chemical that could counter the virus that causes cold-like symptoms.


Dilbert explains why you should never let your boss read this blog!

Tuesday, January 08, 2013

...at least, the ones who get caught.
"Software developed by the FBI and Ernst & Young has revealed the most common words used in email conversations among employees engaged in corporate fraud. The software, which was developed using the knowledge gained from real life corporate fraud investigations, pinpoints and tracks common fraud phrases like 'cover up,' write off,' 'failed investment,' 'off the books,' 'nobody will find out' and 'grey area'. Expressions such as 'special fees' and 'friendly payments' are most common in bribery cases, while fears of getting caught are shown in phrases such as 'no inspection' and 'do not volunteer information.'"


Were they ever?
Evan Brown writes:
Keller v. National Farmers Union Property & Cas. Co., 2013 WL 27731 (D. Mont. January 2, 2013)
A federal court in Montana has held that a plaintiff in an insurance dispute was protected from having to turn over all of her social media content to her litigation opponent. The court’s decision helps define the contours of discoverable information in cases involving social media evidence.
Plaintiff was injured in an auto accident and sued defendant insurance company after it refused to pay medical bills. Defendant served a production request seeking, among other things, “a full printout of all of [plaintiff's] social media website pages and all photographs posted thereon . . . from August 26, 2008 to the present.” Plaintiff objected to the request on grounds it was overly burdensome and harassing.
Read more on InformationLawGroup.
It’s a good decision in terms of helping to call a halt to overly broad fishing expeditions. But the outcome might have been very different if there was even one public post or public image that supported the insurance company’s request to get everything. I suspect it’s still prudent for us all to assume that if we’re involved in litigation, there’s a chance anything we’ve posted on social media platforms may become discoverable – even what we seek to protect as “private.”


We seem to be spending a lot of e-Ink on drones. How will they translate to “Officer Friendly?”
General McChrystal on Drones: 'They Are Hated on a Visceral Level'
General Stanley McChrystal cautioned about the use of drones in a recent interview with Reuters. While he applauded what they allowed him to do with his special forces troops, he told the news agency that the people of Afghanistan just hated drones.
Here's what he said in full. It's not the first time that he's sounded such warnings, but it's still remarkable coming from the man who ran the American war (aka counterinsurgency) in the country.

(Related) Where does a lawmaker get off thinking he can control the police?
Yes, I know it’s important to consider the source and any biases, but I reacted when I read a story on New American by Joe Wolverton II:
Wolverton writes that North Dakota State Representative Rick Becker (R-Bismarck), a first-term legislator, is proposing a state law that would limit the use of drones by law enforcement. Here’s the part that caught my attention:
Despite the legislative restrictions he wants to impose on the use of the drones, Becker says he isn’t trying to offend police, but to defend the Constitution.
“It’s a new technology that has really amazing capabilities and can be used in excellent ways for our communities. I don’t want to say that drones can’t be used,” Becker said. “But with the new technology there are also issues, primarily privacy issues, which can come into play.”
Cass County Sheriff Paul Laney resents Becker’s meddling in police business and argues that the new law would, as reported by the Huffington Post, “set a troublesome precedent.”
Yes, I can imagine how a warrant standard for drones used in criminal investigations could set a troublesome precedent for law enforcement. That’s exactly the kind of trouble we need.
Read more of Wolverton’s discussion and commentary on New American. According to a Huffington Post article, “similar legislation will be proposed in many states this legislative session, including California, Florida, Illinois, New Jersey, Oregon, Missouri, Michigan and Indiana. In Virginia, the ACLU/tea party-backed measure is expected to be unveiled this session.”


For my Ethical Hackers. Think of it as Steganography for Audio...
"A group of researchers from the Institute of Telecommunications of the Warsaw University of Technology have devised a way to send and receive messages hidden in the data packets used to represent silences during a Skype call. After learning that Skype transmits voice data in 130-byte packets and the silences in 70-byte packets, the researchers came upon the idea of using the latter to conceal the sending and receiving of additional messages."


Of interest to my Geeks...
"Every January it is traditional to compare the state of the languages as indicated by the TIOBE index. So what's up and what's down this year? There have been headlines that C# is the language of the year, but this is based on a new language index. What the TIOBE index shows is that Java is no longer number one as it has been beaten by C — yes C not C++ or even Objective C."