I'll ask this again: What constitutes
a CyberWar attack?
Late last year, multiple US banks were
attacked online by what was believed to be a hacker group. Now
government officials are saying it was actually the work of Iran,
possibly in response to cyberattacks it has suffered from the US.
This was determined when an investigation revealed that the method
used to attack the banks was too sophisticated to be
the work of a fringe group.
“We don't need no stinking common
sense!”
Another data theft in the education
sector. And yet again, no one did anything wrong because there was
never any policy.
Yesterday I added a breach to
DataLossDB involving the
Morgan Road Middle School
in Georgia. A flash drive with
unencrypted
student information, including SSNs, was stolen from a teacher’s
unattended car. A gradebook was also stolen. In his statement to
the media, Richmond County School System
Superintendent
Frank Roberson said that the information in the teacher’s
possession was not unusual. I agree, but why was the District using
Social Security numbers instead of non-SSN identifiers? Does a
teacher really need to know students’ SSNs? But here’s the part
that really rankled:
Dr. Roberson says
bottom line, the teacher did not break policy and because of that
will not face consequences.
If there was no policy that said “Don’t
leave unencrypted student information in unattended vehicles,” then
I agree the teacher cannot be disciplined. But the school district
should be in pillories.
Then lo and behold, there’s
another
news story this morning about how 60
Charlotte-Mecklenburg
Schools employees in North Carolina have been warned to be
on guard against identity theft after files containing their personal
data were stolen from a human resource employee’s car.
The personnel
files, which contained names, addresses, Social Security numbers,
dates of birth and driver’s license numbers, were stolen Nov. 28,
when the HR employee stopped for lunch, CMS spokeswoman Tahira
Stalberte said. She said a CMS investigation determined that the
employee, who was driving from one district office to another, did
nothing wrong.
If no one is doing anything wrong by
leaving personal information that could be used for ID theft in
unattended vehicles, then the school districts are responsible for
their failure to implement reasonable security policies, the states
are responsible for not auditing the districts and sending a clear
message about protection of data, and the U.S. Department of
Education is responsible for not promoting regulations that would
adequately protect the personal, private and sensitive information of
students and employees.
No one’s to blame? I think there’s
a lot of blame to go around. And it’s more than
high time parents and employees insisted on adequate data security.
Another illustration of my concern with
“Push” software updates. Real world impact from the cloud.
"A software update of the
California welfare computer system (CalWIN) caused
37,000 Food Stamp recipients to lose their EBT (a credit card
paid for by the government) benefits last weekend. According to the
article, Hewlett Packard was responsible for the failed update of
CalWIN, but at 8:00 a.m. today Xerox (who administers another state
welfare system called CalFresh) issued a patch that reactivated the
EBT cards."
For my Ethical Hackers. (NTLM = NT LAN
Manager)
"Security researcher Mark
Gamache has used Moxie Marlinspike's Cloudcracker to derive
hashes from captured NTLM handshakes, resulting in successful
pass-the-hash attacks. It's been going on for a long time,
probably, but this is the first time a 'white hat' has researched and
exposed the how-to details for us all to enjoy. 'You might think
that with all the papers and presentations, no one would be using
NTLM...or, God forbid, LM. NTLMv2 has been around for quite some
time. Surely, everyone is using it. Right? Wrong! According to
the last data from the W3 Schools, 21%
of computers are running XP, while NetMarketShare claims it is 39%.
Unless someone has hardened these machines
(no MS patches do this), these machines are sending LM and NTLM
responses!' Microsoft has posted a little guidance
for those who need to turn off NTLM. Have fun explaining your
new security project to your management, server admins!"
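The quoted research works because hosts left at the Windows XP default still answer authentication challenges with LM and NTLMv1 responses, which are what the captured handshakes yield. The following audit script is an added example (it is not from the post, the Slashdot item, or Microsoft's guidance) that reads the LSA settings deciding which response types a host will send and whether it still stores an LM hash, so an administrator can see before the "security project" starts which machines are exposed. It assumes it runs in an elevated PowerShell on the host being checked; the registry paths, value names and the 0–5 meaning of LmCompatibilityLevel are Microsoft's documented ones, while the output field names are this example's own.

```powershell
# Added example (not from the post or the material it quotes): report whether this
# host will still send LM / NTLMv1 responses and whether it keeps an LM hash.
# Run in an elevated PowerShell on the host you are auditing.

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

# Microsoft's documented scale for LmCompatibilityLevel (0-5).
$levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 only; refuse LM'
    5 = 'Send NTLMv2 only; refuse LM & NTLM'
}

function Get-LsaDword {
    # Returns the DWORD at $Path\$Name, or $null when the value is absent
    # (absent means the operating-system default applies).
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$level = Get-LsaDword $lsa   'LmCompatibilityLevel'
$noLm  = Get-LsaDword $lsa   'NoLMHash'
$send  = Get-LsaDword $msv10 'RestrictSendingNTLMTraffic'   # 0/absent = allow, 1 = audit, 2 = deny

# An absent LmCompatibilityLevel falls back to the OS default:
# XP / Server 2003 (NT 5.x) default to 0, Vista and later (NT 6+) default to 3.
$os        = [System.Environment]::OSVersion.Version
$effective = if ($null -ne $level) { $level } elseif ($os.Major -lt 6) { 0 } else { 3 }

$report = [pscustomobject]@{
    Host                       = $env:COMPUTERNAME
    LmCompatibilityLevel       = $effective
    Meaning                    = $levels[$effective]
    SendsLMResponse            = ($effective -le 1)   # levels 0-1 still emit the LM response
    SendsNTLMv1Response        = ($effective -le 2)   # levels 0-2 still emit the NTLMv1 response
    LMHashStorageAllowed       = ($noLm -ne 1)        # absent on XP/2003 means the LM hash is kept
    RestrictSendingNTLMTraffic = $send
}
$report | Format-List

if ($effective -le 2) {
    Write-Warning ("Raise LmCompatibilityLevel to 5 (Group Policy: 'Network security: " +
                   "LAN Manager authentication level') so only NTLMv2 is sent and LM/NTLM are refused.")
}
if ($noLm -ne 1) {
    Write-Warning ("Set NoLMHash to 1 ('Do not store LAN Manager hash value on next password change'); " +
                   "existing LM hashes disappear only when each account next changes its password.")
}
```

Two caveats for anyone using this as the starting inventory: the client-side level only controls what this host sends, so the domain controllers and file servers that accept authentication also need level 4 or 5 to refuse LM and NTLMv1 responses from any client that was missed; and because the LM hash is only dropped at the next password change, a host can report NoLMHash=1 and still hold stale LM hashes for accounts whose passwords have not rotated since the setting was applied.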
Don't have a good reason? Make one up!
Police officers have been known to
illegally stop someone from recording their actions in public spaces.
But police in Ramsey County have offered a new “explanation” and
claim that a man recording an incident in public violated HIPAA.
Emily Gurnon reports:
Andrew Henderson
watched as Ramsey County sheriff’s deputies frisked a bloody-faced
man outside his Little Canada apartment building. Paramedics then
loaded the man, a stranger to Henderson, into an ambulance.
Henderson, 28,
took out his small handheld video camera and began recording. It’s
something he does regularly with law enforcement.
[...]
He had been
filming from about 30 feet away, he said. Henderson said deputies
gave him no warning before Muellner took his camera.
The deputy wrote
on the citation, “While handling a medical/check the welfare
(call), (Henderson) was filming it. Data privacy HIPAA violation.
Refused to identify self. Had to stop dealing with sit(uation) to
deal w/Henderson.”
Henderson appeared
in Ramsey County District Court on Jan. 2. A pretrial hearing was
rescheduled for Jan. 30.
The allegation
that his recording of the incident violated HIPAA, or the federal
Health Insurance Portability and Accountability Act, is nonsense,
said Jennifer Granick, a specialist on privacy issues at Stanford
University Law School.
The rule deals
with how health care providers handle consumers’ health
information.
“There’s
nothing in HIPAA that prevents someone who’s not subject to HIPAA
from taking photographs on the public streets,” Granick said.
“HIPAA has absolutely nothing to say about that.”
Read more on
Pioneer
Press. Henderson plans to pursue this if the charges against him
are not dropped.
I’ve never heard of another case like
this, have you?
I would prefer that people choose not
to upload films of people having medical problems in public to the
Internet, but citing HIPAA as a justification to stop someone from
recording in a public space seems just wrong.
Can any nation refuse?
There are days when I envy EU data
protections. Then there are days when I’m glad we’re not part of
the EU. James Slack
reports:
Brussels is
demanding that 26 police forces across the EU should have access to
the personal details of every motorist in Britain.
The Government is
being threatened with fines totalling millions of pounds unless it
obeys the ‘Orwellian’ edict.
Foreign police
also want open access to the UK’s national DNA database and
fingerprint records so they can check them against crime scenes and
camera footage.
MPs and civil
liberties groups fear identity mistakes will lead to Britons being
accused of crimes they have not committed.
“We do not treat children like
cattle. Mooove along.”
Francisco Vara-Orta
reports
that the Northside Independent School District student who has
refused to wear an RFID chipped ID tag on religious
grounds has lost her lawsuit, and the district can
transfer her to another school in the district that does not use
RFID-chipped tags if she continues to refuse to wear one.
Andrea Hernandez had refused to wear
the tag, claiming that the chip was the “Mark of the Beast.”
The court’s ruling
had nothing to do with any privacy claim but had to do
with whether the district had accommodated her religious beliefs.
The court held that because the district had accommodated her by
removing the chip from the tag she was still required to wear, there
was no First Amendment issue before the court.
The Rutherford Institute, who provided
legal counsel for the student, issued a
statement
saying they intend to appeal the
ruling.
(Related) “We are not cattle, we are
sheep.”
Dan Solove writes:
A
recently-released
Brunswick Insight survey of parental attitudes about student
privacy online is quite revealing. The survey involved more than
1000 American adults with children in grades 1-12, and it was done in
August 2012. Overall, the survey revealed that parents are very
concerned about their students’ online privacy, especially the
tracking of their activities and marketing based on behavioral data.
Parents
were generally not aware that their children are subjected to online
tracking in schools. Nearly half had heard nothing about
it.
Apparently, he's not a “second class”
citizen... (The UK has strange rules)
How often have you seen me question a
pro-privacy ruling? Not often, right? But a ruling in the UK does
have me a bit concerned.
Mike Collett-White reports:
British actress
Kate Winslet’s husband won a court battle on Tuesday stopping The
Sun newspaper printing photographs of him “semi-naked” at a
private fancy dress party several years ago.
Lawyers for Ned
RocknRoll, 34, who married the “Titanic” star last month, argued
that there was no public interest [There is now. See
“Streisand Effect” Bob] in the Sun publishing the
pictures, that it would be a breach of his privacy and it could lead
to Winslet’s children being bullied.
According to the
Press Association, the judge at London’s High Court ruled in favor
of RocknRoll and ordered The Sun not to publish the pictures pending
any trial, adding that he would give the reasons for his decision at
a later date.
What’s interesting about this
injunction (to me, anyway) is that
the photo had
already been publicly available on the Internet for two years.
The
Drum reports:
RocknRoll, the 34
year old nephew of Sir Richard Branson who changed his name from
Edward Abel Smith, sought the injunction after the Sun newspaper
attempted to print the image.
He won despite the
offending image having been freely available on a friend’s Facebook
page – which had no privacy settings, but has since been removed.
Niri Shan, head of
media law at Taylor Wessing, said: “It is the first
time that a Facebook page without any privacy settings has been
subject of a successful injunction,” he said. “It is
surprising that the fact it had been available on a public page for
more than two years and could be seen by his 1,500 friends did not
carry more weight.
“It
is a worrying precedent for the media because Facebook is a big
source of information for them.”
As much as I am for pro-privacy
rulings, I’m not sure this was a good ruling. If courts are going
to grant injunctions based on possible embarrassment to the children
of the individual, then we are not really dealing with the adult’s
privacy rights. Should everyone who wants a paper blocked from
printing an embarrassing picture that’s been circulating for years
be entitled to an injunction, or only those who have children who
could be impacted? Should only children of celebrities matter in
terms of possible bullying, or all children?
Suggesting that there could be an
injunction for pictures that one did not try to block for two years
but suddenly finds problematic may be consistent with an EU notion of
“right to be forgotten” or “right to delete,” but courts in
the U.S. have generally not gone along with this type of thinking.
So while UK privacy advocates may cheer this
injunction, I’m not sure U.S. privacy advocates should.
Nor do such injunctions properly protect press freedom, as it’s
somewhat shocking that the press should not be able to repeat
something that has been freely available on the Internet for years.
Justice Briggs said he would reveal his
reasons at a later date. I look forward to reading them.
Something my lawyer friends will
explain to me, please?
Why
Facebook Data Tends to Condemn You in Court
U.S. courts have a structural bias
against “guilty” verdicts, but when it comes to Facebook data the
situation is reversed: Social media activity is more readily used to
convict you in a court of law than to defend you.
That’s because prosecutors generally
have an easier time than defense attorneys getting private
information out of Facebook and other social networks, as
highlighted
in an ongoing Portland murder case. In that case, the defense
attorney has evidence of a Facebook conversation in which a key
witness reportedly tells a friend he was pressured by police into
falsely incriminating the defendant.
Facebook rebuffed the defense
attorney’s subpoena seeking access to the conversation, citing the
federal
Stored
Communications Act, which protects the privacy of electronic
communications like e-mail – but which carves out an exemption for
law enforcement, thus assisting prosecutors. “It’s so one-sided
… they cooperate 110 percent anytime someone in the government asks
for information,” one Oregon attorney told the Portland
Oregonian,
citing a separate case in which Facebook withheld conversations that
could have disproved a rape charge, but turned over the same
conversations when the prosecution demanded them.
Introducing a new concept, that I think
is unlikely to work as they think...
Over on the always-impressive HawkTalk
blog, Chris Pounder of Amberhawk writes:
In a 215 page
report,
the European Parliament has suggested 350 Amendments to the text of
the Data Protection Regulation published last year. This blog gives
you an impression of those proposed changes that caught my eye on a
“speed read” of the Report (produced by Jan Albrecht, the
rapporteur for the European Parliament’s Committee on Civil
Liberties, Justice and Home Affairs).
I think the most
important proposal is the fettering of the European Commission’s
powers. In many instances, many powers found in the Regulation are
amended to involve the European Data Protection Board of Data
Protection Commissioners (the Regulation’s formal structure for
what we now call the Working Party 29 Group of Commissioners).
[...]
The
Report has introduced the concept of a not quite personal data; a
‘pseudonym’; I am not sure of the consequences. A
‘pseudonym’ is a “unique identifier which is specific to one
given context and which does not permit the direct identification of
a natural person, but allows the singling out of a data subject”.
The Report then
states that “For the use of pseudonymous data, there could be
alleviations with regard to obligations for the data controller
undertaking the processing (e.g. where personal data
are processed only in the form of pseudonyms, consent may be given by
automated means)”.
I am not convinced
the concept works also and I think it needs a definition of
“pseudonymous data” which also considers what other information
the data controller has. For instance, suppose I know that
mickey.mouse@hotmail.com
is really Fred Bloggs. The mickey.mouse email address is
pseudonymous data as it does not “not permit the direct
identification of a natural person”; but I know who it is.
The Economics of the Internet?
"Peter Ludlow writes in the
Atlantic that the
internet has turned the dating marketplace into a frictionless market
that puts together buyer and seller without transaction costs. And
that's a bad thing. 'Finding a partner used to be expensive, and the
market was inefficient. If you lived in a large city, there were
always people looking for partners, but the problem was how to find
them.' But one advantage of inefficient dating markets is that in
times of scarcity we sometimes take chances on things we wouldn't
otherwise try while in
times of plenty, we take the path of least resistance (someone
who appears compatible) and we forgo difficult and prima facie
implausible pairings. Another problem with frictionless
online markets (PDF) is that they assume we know what we are looking
for. But sometimes we simply don't know what we are looking for
until we stumble across it in a search for something else, says
Ludlow. 'The result is often unexpected and beautiful. So it is
with relationships; compatibility is a terrible idea in selecting a
partner,' concludes Ludlow. 'We often make our greatest discoveries
and acquire our greatest treasures when local scarcity compels us to
be open to new and better things.'"
Not sure when most citizens would
reference this, but if you are a history buff this is the bomb!
January 08, 2013
Foreign
Relations of the United States Released in E-Book Format
"The Office of the Historian at
the U.S. Department of State is pleased to announce the release of
its Foreign Relations of the United States (FRUS) series in a
new
e-book format that is readable on popular electronic devices such
as the Amazon Kindle and Apple iPad. The e-book edition combines
many of the benefits of print and web publications in a new form that
is portable and extremely convenient. During the pilot phase of the
FRUS e-book initiative, select FRUS volumes are available here. The
public is invited to download the new e-books and provide feedback to
help improve the FRUS e-book edition. At the conclusion of the pilot
phase, the Office will work to offer e-book versions of many more
FRUS volumes both through the Office website and on a wide array of
e-bookstores. The Office will continue to expand and enhance its
e-book offerings, as part of the ongoing FRUS digitization effort."
(Related) History or genealogy?
January 08, 2013
Official
Register of the United States Now on FDsys
"As part of the U.S. Government
Printing Office (GPO) and the U.S. Department of Treasury pilot
project to provide permanent public access to the Treasury Library's
digital content, the Official Register of the United States is now
available on
GPO's Federal Digital
System (FDsys). The Official Register of the United States:
1829, 1835-1837, 1841-1861; 1879-1891, 1895-1907, 1911-1921,
1925-1926, 1929-1934, 1936-1959, contains information about the
Federal workforce, including
the name of every
employee, their job title, state or country of birth, the location of
their post, and their annual salary."
Strange that the comments don't point
to examples of simple programming tools (W3Schools.com? ITTT?). But
I did like the comment about searching for "...a big red arrow
that points to the answer."
"Adam Wiggins, co-founder of
Heroku, agrees with anthropologist Bonnie Nardi that programming
isn't just for geeks. The problem, he says, is that today's
tools for teaching programming are woefully inadequate.
In a commentary, Wiggins argues that there
are two major gaps preventing programming tools from being accessible
to beginners: 1) they're too fussy, requiring extensive setup, and 2)
they're focused on the technology rather than everyday tasks. A good
tool for learning programming, Wiggins argues, would emulate an Excel
or Google Docs spreadsheet – beginners would be able to fire it up
instantly, and would be able to get useful things done right away.
(He's dismissive, though, of visual programming tools that 'attempt
to hide logic behind a point-and-click interface.') 'Broad
programming literacy is crucial in a world increasingly made of
computers,' Wiggins says. 'Despite common stereotypes, programming
is not out of reach for the average person,' as long as the tools are
easy to set up and specialized on the programmer's task."
(Related) ...but the hardware is
getting cheaper. Many tablets are already cheaper than the
textbooks I use, but I'm not sure you could load all your textbooks
on one.
"One Laptop Per Child is back
in the tablet race, announcing
a new 7-inch tablet with the Android OS that will be sold
commercially and include its learning software. The XO Tablet was
announced at the International CES show in Las Vegas. OLPC will
license the design to Sakar International, which will sell the tablet
in the U.S. through Wal-Mart."
Free stuff, maybe.
"Yesterday, Adobe put up a
mysterious webpage from which its now seven-year-old CS2 line of
products (Photoshop, Illustrator, InDesign, Acrobat, Premiere and
others) could
be freely downloaded by anyone. The page
even included valid serial numbers that will unlock the CS2 apps for
anyone who wants to. This strange 'giveaways' page
at Adobe.com quickly went viral on the internet after a few tech
bloggers reported on it. An Adobe spokesman said initially that the
CS2 downloads are for existing owners of Adobe CS2 software only, who
may not be able to activate their software anymore, due to the CS2
activation servers having been shut down by Adobe. But the internet
at large took this webpage as meaning 'Free Adobe CS2 Software for
Everyone,' which was probably not what Adobe had in mind. It seems
that at this point, hundreds of thousands of
people have downloaded their 'free' CS2 products and installed them,
and started using them. So Adobe is in a bit of a
PR pinch now because of this — Do you tell all the thousands of
people who have downloaded CS2 products in the last 48 hours that
'you cannot use these products without paying us'? Or do you accept
that hundreds of thousands of people now have free access to seven
year old Adobe CS2 products, and try to encourage some of them to
'upgrade to the new CS6 products'?"
How NOT to do an online class? I've
been pushing a free (or nominal) signup cost, but a charge for tests
leading to certification or credit.
"In the shadow of Stanford and
Harvard offering free on-line courses, The
University of California has been attempting to offer pay-courses for
credit. UC online took out a $6.9M loan from UC and spent $4.3M
to market these courses. For their efforts, they've been able to
quadruple their enrollment year over year. The first year results:
only one person not already attending UC paid $1,400 for an online
pre-calculus class worth four credits. Now four non-UC are signed
up. 'UC Online has to pay back the loan in seven years and expected
to sell 7,000 classes to non-UC students for $1,400 or $2,400 apiece,
depending on each course's duration. China was thought to be a
lucrative potential source of students, but few expressed interest.
The U.S. military also fell through.' Methinks heads will roll on
this one..."
I envision 70,000 fans holding up their
phones as they scroll, “Go Broncos!” (in orange LEDs)
… LED Light Fun allows you to
display large text messages in bright colours as if you had an LED
display board using your Android device.
… Text can be static, scrolling or
blinking in various colours against a background of your choosing.
Every now and then I do like to try new
things...
It's on the Internet, so it must be
true!
Got
a cold? Have a beer
… Sapporo Breweries, one of the
country’s oldest beer makers, funded a study that has discovered
that hops – one of beer’s primary ingredients – contain a
chemical that could counter the virus that causes cold-like symptoms.
Dilbert explains why you should never
let your boss read this blog!