Saturday, April 20, 2013

Anti-terrorism strategy? Was this necessary? How much was “to assure the public” and how much was actually needed? They knew roughly where #2 was, why shut down all of Boston? It makes it look like a “free fire” zone – step outside and we'll shoot first and Mirandize your corpse.
It Costs $333 Million to Shut Down Boston for a Day
Much of the Boston area has been shut down to facilitate the manhunt for Dzhokhar Tsarnaev. (Although Dunkin’ Donuts (DNKN), a Boston institution, has remained open at police request to serve emergency response personnel.)

(Related) An interesting question.
Boston lockdown: the new normal?
The unprecedented manhunt in Boston that concluded successfully Friday night earned law enforcement authorities the gratitude of the nation.
But as relief replaces fear, the debate about what this episode means for the future is already beginning. And one of the most unsettling questions is whether the violence-related lockdown of a major U.S. city — an extraordinary moment in American history — sets a life-altering precedent.
There are already worries that the effort to protect the people of Boston contained an element of overreaction. Local authorities told the city and nearby suburbs to “shelter in place” throughout the day and into the evening. They closed businesses, shuttered government buildings and suspended all public transportation in the metro area.
That decision concerned some political leaders and policy experts.
… “If there was some serial killer on the loose, no one would suggest that we do a lockdown of a whole city,” said Cohen, now a fellow at the Century Foundation. “To me, it just plays on our outsized fears of terrorism. … Part of it is just cover your ass business by public officials.”
Keeping city residents off the streets and businesses closed made it easier for Boston to send many of its police officers across the river to Watertown, where the Boston cops joined in house-by-house searches and helped keep up a perimeter so that Tsarnaev couldn’t escape.
… Some critics of the Boston lockdown noted that during a hunt for a suspected cop killer in Los Angeles in February, some specific targets like schools were closed and checkpoints were established, but there was no effort to quarantine the entire metro area.
Following the 9/11 attacks, which were of a far larger scope, all civilian airplane traffic in the U.S. and Canada was grounded until Sept. 13, when service slowly resumed. Reagan National Airport in Washington reopened Oct. 4 under tighter security.
Financial activity shuttered in lower Manhattan with the destruction of the World Trade Center towers on Sept. 11. The New York Stock Exchange closed until Sept. 17, the longest suspension since the Great Depression. Other major landmarks also closed that day, including the Space Needle, Walt Disney World, and the Sears Tower. Major League Baseball postponed all games through Sept. 16, while the National Football League bumped the next Sunday schedule, which in turn meant delaying the Super Bowl by a week. The Emmy Awards — scheduled for Sept. 16 — were also delayed by nearly two months.
Cohen noted that despite the enormous tragedy in New York on Sept. 11, life in many parts of the city continued relatively close to normal. “I remember sitting in SoHo where people were sitting outside having lunch. People were not cowering in fear,” he said.


If there is no requirement for background checks at gun shows (that change to the law was defeated) why do we think having more information in a system that will not be used will keep guns from the mentally ill?
Associated Press reports:
Blocked by Congress from expanding gun sale background checks, President Obama is turning to actions within his own power to keep people from buying a gun who are prohibited for mental health reasons.
Federal law bans certain mentally ill people from purchasing firearms, but not all states are providing data to stop the prohibited sales to the FBI’s background check system.
You can read more of their report on Fox News, but what I really want to call attention to is the advance notice of proposed rule-making posted today by HHS on the HIPAA Privacy Rule and the National Instant Criminal Background Check System. The intention is to lower the HIPAA barriers to providing information to the system:
In particular, we are considering creating an express permission in the HIPAA rules for reporting the relevant information to the NICS by those HIPAA covered entities responsible for involuntary commitments or the formal adjudications that would subject individuals to the mental health prohibitor, or that are otherwise designated by the States to report to the NICS.
One of the most problematic issues has been whether certain state agencies are actually HIPAA-covered entities that might be prohibited under the Privacy Rule from disclosing information in the absence of a state law requiring disclosure. HIPAA already has a provision that permits covered entities to disclose if required to by state law, and some state agencies may qualify as “hybrid entities,” which would permit disclosure, but not all states have mandatory disclosure laws and/or establish certain agencies as hybrid entities. In response, HHS writes:
To address these concerns, the Department is considering whether to amend the Privacy Rule to expressly permit covered entities holding information about the identities of individuals who are subject to the mental health prohibitor to disclose limited mental health prohibitor information to the NICS. Such an amendment might produce clarity regarding the Privacy Rule and help make it as simple as possible for States to report the identities of such individuals to the NICS.
In crafting the elements of an express permission, we would consider limiting the information to be disclosed to the minimum data necessary for NICS purposes, such as the names of the individuals who are subject to the mental health prohibitor, demographic information such as dates of birth, and codes identifying the reporting entity and the relevant prohibitor. We would not consider permitting the disclosure of an individual’s treatment record or any other clinical or diagnostic information for this purpose. In addition, we would consider permitting disclosures for NICS purposes only by those covered entities that order involuntary commitments, perform relevant mental health adjudications, or are otherwise designated as State repositories for NICS reporting purposes.
You can read the advance notice here.


Perhaps we should classify your smartphone as a “mental health professional” and stop worrying about disclosure.
Bob McMillan reports:
All of those questions, messages, and stern commands that people have been whispering to Siri are stored on Apple servers for up to two years, Wired can now report.
Yesterday, we raised concerns about some fuzzy disclosures in Siri’s privacy policy. After our story ran, Apple spokeswoman Trudy Muller called to explain Apple’s policy, something privacy advocates have asking for. (sic)
Read more on Wired.


Come to think of it, I don't recall any stories of Drones searching for the Boston Bombers...
Jaikumar Vijayan reports:
A Florida bill that would impose restrictions on the use of unmanned aerial vehicles, or drones, by state law enforcement officials is one signature away from becoming the first law of its kind in the country.
On Wednesday, Florida’s House of Representatives voted unanimously to approve the Freedom from Unwarranted Surveillance Act, a bill that would require local police to obtain a warrant based on probable cause before using a drone for surveillance purposes. Earlier this month, the Senate voted unanimously to pass the measure.
Read more on Computerworld.


Should have broader implications. Drones, vacuum cleaners, alarm systems, etc.
Who's to blame when a driverless car goes astray?
If you rob a bank and get away in a driverless Prius, will the owner be indicted as the driver? Or will Toyota? Or maybe Google?
If your driverless car decides -- as so many machines do in movies -- that it has a mind of its own, will you be responsible when it decides to mount the curb and plow straight into your favorite donut store? And what if someone hacks into your driverless car and you suddenly end up in Alaska, with an instruction to mow down moose?
You'll tell me this will never happen. I will point you to the fine profits regularly earned by the world's insurance companies.
… On June 11 and 12, Detroit will host a Driverless Car Summit.
Over two days, everything from the law to insurance to, yes, the DMV aspects will be discussed.
Naturally, Google also will be there to present "Google's Perspective On Driverless Cars."
The stated aim of the conference is to make driverless cars "a reality by 2022."


I like it! I'll share this with each of my classes so they can learn that not everyone tolerates rude behavior.
Juror Jailed For Texting During Trial
… When prosecutors were playing a video-taped interview with the defendant, Judge Dennis Graves suddenly halted the trial after noticing a light glow around juror Benjamin Kohler’s chest. The judge, who had previously instructed jurors to pay attention and not to use mobile phones, immediately halted the proceeding and ordered everybody to vacate the courtroom except Kohler, the Sheriff’s Department said.
The authorities said Kohler “had no explanation for his actions.”
The judge declared him in contempt, and ordered the juror jailed for two days at Marion County Jail.


Are they relying on “the wisdom of crowds” or just realizing that predicting public taste is really difficult? One possibility: they don't need to limit themselves to the best show(s) for the timeslots available, they can produce any that look likely to produce an audience.
You Be the Judge of Which Amazon TV Pilot Is Worth Watching
You just replaced Hollywood executives.
Amazon released its first wave of TV show pilots and is pushing them all out to viewers and letting them decide which ones get made. This is in stark contrast to traditional networks, which order a pilot, analyze it to death to ensure it fits the precise demographic audience advertisers want and then shoehorn it into the schedule.
… Both Netflix and Amazon are upping the streaming video service ante with exclusive content. Netflix launched House of Cards in February and its new horror drama Hemlock Grove by Eli Roth launched today with all 13 episodes available for streaming. Both companies are betting on the exclusive content to draw more customers to their services.


For my Statistics students, but my lawyer friends might find the “loss of any chance for a profitable future after being branded as 'average'” Class Action lawsuit amusing.
"The New York times reports that statistical scoring by the standardized testing company Pearson incorrectly disqualified over 4700 students from a chance to enter gifted / advanced programs in New York City schools. Only students who score in the 90th percentile or above are eligible for these programs. Those in the 97th or above are eligible for 5 of the best programs. 'According to Pearson, three mistakes were made. Students' ages, which are used to calculate their percentile ranking against students of similar age, were recorded in years and months, but should also have counted days to be precise. Incorrect scoring tables were used. And the formula used to combine the two test parts into one percentile ranking contained an error.' No mention of enlisting the help of the gifted children was made in the Times article, but it also contained a now-corrected error. This submission likely also contains an erro"
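A worked illustration of the age-norming point for the Statistics students, added here and not part of the Times story or Pearson's method: scores are ranked against peers of the same age, so the percentile for a borderline child depends on how precisely that age is measured. The norm below (expected score rising linearly with age in days, fixed spread, percentile from a normal curve) is a constructed hypothetical, as are the birth date, test date and raw score; it shows a child one day short of seven whose rank lands on opposite sides of the 90th-percentile cutoff depending on whether days are counted. Which direction the error runs depends on the rounding convention, so only the size of the effect, not its sign, carries over to the real scoring.

```python
"""Age-normed percentile ranks: why the precision of a test-taker's age matters."""
from datetime import date
from math import erf, sqrt

# Hypothetical norm (constructed for this example, not Pearson's):
# expected raw score rises linearly with age in days, with a fixed spread.
NORM_INTERCEPT = 20.0      # expected score at age 0 days
NORM_SLOPE = 0.01          # points per day of age (about 3.65 points per year)
NORM_SD = 10.0
DAYS_PER_MONTH = 365.25 / 12


def completed_months(birth, tested):
    """Age in whole months, i.e. the 'years and months' bookkeeping."""
    months = (tested.year - birth.year) * 12 + (tested.month - birth.month)
    if tested.day < birth.day:
        months -= 1
    return months


def age_in_days(birth, tested, count_days=True):
    """Exact age in days, or the approximation obtained from whole months only
    (assumed conversion: completed months times the average month length)."""
    if count_days:
        return (tested - birth).days
    return completed_months(birth, tested) * DAYS_PER_MONTH


def percentile(raw_score, age_days):
    """Percentile rank of raw_score against same-age peers under the norm."""
    expected = NORM_INTERCEPT + NORM_SLOPE * age_days
    z = (raw_score - expected) / NORM_SD
    return 100.0 * 0.5 * (1.0 + erf(z / sqrt(2.0)))


def eligible(raw_score, birth, tested, count_days=True, cutoff=90.0):
    """Apply the 90th-percentile eligibility rule under either age convention."""
    return percentile(raw_score, age_in_days(birth, tested, count_days)) >= cutoff


# Constructed borderline case: a child one day short of seven years old.
BIRTH = date(2005, 1, 31)
TEST_DAY = date(2012, 1, 30)
RAW = 58.2

if __name__ == "__main__":
    for count_days in (False, True):
        age = age_in_days(BIRTH, TEST_DAY, count_days)
        p = percentile(RAW, age)
        print(f"count_days={count_days}: age={age:.1f} d, "
              f"percentile={p:.2f}, eligible={eligible(RAW, BIRTH, TEST_DAY, count_days)}")
```

Under the months-only convention the child is 83 months old, about 29 days younger than the exact count, which lowers the expected score just enough to lift the rank above 90; with days counted the same raw score ranks below the cutoff.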


Useful, because I can never remember when classes end or when grades are due, etc.
Free Printable Calendars is a free to use online service that does exactly what its name suggests – free printable calendars. When you visit the website you can get started with the calendar creation without having to register for any new accounts. You start by selecting the type of calendar you want. Supported types include a simple calendar marker, a photo calendar, an online calendar, a monthly calendar, a yearly calendar, and a desktop calendar.

Friday, April 19, 2013

Have we gone crazy? Should a minor terrorist act (3 dead vs 3000 on 9/11) spark this kind of reaction? It looks like we're searching for a division of Taliban.
Boston on Lockdown as Residents Are Ordered to 'Shelter In Place' While Cops Sweep Watertown
In an unprecedented move, the city of Boston, in its entirety, is being asked to shelter-in-place, with schools and mass transit closed. Nearby Watertown, where police and federal authorities are searching for the Boston Marathon bomber who is still at large, is in lockdown as Friday's manhunt continues.
At this moment, heavily armed members of the military, assisted by local law enforcement, are going door-to-door in Watertown, searching every house, garage, and shed for bombing suspect Dzhokhar Tsarnaev. CNN indicates that 9,000 members of law enforcement are involved in the effort.
In light of that, town authorities have apparently asked businesses to remain closed. According to the Boston Globe, all vehicle traffic is banned in that city.
… For many, there's nowhere to go, anyway. Taxi service has been suspended. The regional mass transit has been closed; in part, apparently, because authorities don't want crowds of people gathering together.

(Related) Rush to sensationalize. (No need for judgement) We'd rather have “news” than facts. Anything to “scoop” the other guys...
Boston Marathon spectator Salah Barhoum, who was interviewed by authorities following the bombings, swears he 'didn't do it'
… Teenager Salah Barhoum’s face was plastered on the front page of the New York Post Thursday, labeling him and a friend “Bag Men” being sought by authorities investigating the Boston Marathon bombings.
But the FBI later released surveillance of the actual suspects — neither of whom resembled the bag-toting Barhoum and his friend on the tabloid’s cover.
… At 1:30 a.m. Thursday he turned himself in to cops, who spoke to him for about 20 minutes and let him go.
Their only advice: “They said I should delete my Facebook,” Barhoum said.
Nevertheless, The Post splashed their faces on its pages and suggested they were suspects.
Even after the FBI cleared the pair, Post Editor-in-Chief Col Allan said, “We stand by our story.”


So who is responsible for Security?
Brian Krebs reports on a lawsuit where Park Sterling Bank (PSB) in Charlotte, North Carolina is suing a former client, Wallace & Pittman PLLC, after the latter was the victim of a fraudulent wire transfer. The breach occurred after a key logger was installed on its system via a phishing attempt and criminals obtained the firm’s login and authorization credentials.
The bank claims it did not reverse the loss, but only temporarily credited the account. The law firm did not repay the bank for the credited amount, and had at one point sued them for not having commercially reasonable security in place. That complaint was later dismissed, and the bank turned around and sued the law firm.
Read his coverage on KrebsonSecurity.com.


What are they thinking? “People hated this last year, but maybe they forgot?” Actions that put government before individuals are a very liberal (Democrat) thing to do, how did this get through a Republican controlled House?
Dave Maass and Mark M. Jaycox of EFF write:
Today, Internet freedom advocates everywhere turned their eyes to the U.S. House of Representatives as that legislative body considered the Cyber Intelligence Sharing and Protection Act.
For the second year in a row, the House voted to approve CISPA, a bill that would allow companies to bypass all existing privacy law to spy on communications and pass sensitive user data to the government. EFF condemns the vote in the House and vows to continue the fight in the Senate.
“CISPA is a poorly drafted bill that would provide a gaping exception to bedrock privacy law,” EFF Senior Staff Attorney Kurt Opsahl said. “While we all agree that our nation needs to address pressing Internet security issues, this bill sacrifices online privacy while failing to take common-sense steps to improve security.”
The legislation passed 288-127, despite a veto threat from Pres. Barack Obama, who expressed serious concerns about the danger CISPA poses to civil liberties.
Read more on EFF.
Not mentioned in their post is the fact that the bill passed by an even wider margin than last year, when it passed 248-168.
Things are going in a very wrong direction.
Very wrong.


“We'll get all the data, then we'll find some use for it.”
Carter Dougherty of Bloomberg reports:
The new US consumer finance watchdog is gearing up to monitor how millions of Americans use credit cards, take out mortgages, and overdraw their checking accounts. Their bankers aren’t happy about it.
The Consumer Financial Protection Bureau is demanding records from the banks and is buying anonymous information about at least 10 million consumers from companies including Experian.
While the goal is to sharpen enforcement and rule-making, banking executives question why the bureau is collecting so much without being more specific about the benefits. [Simple: we can, therefore we must! Bob]
Read more on Boston Globe.


What can the government do?
April 18, 2013
CRS - Cybersecurity: Selected Legal Issues
  • "The federal government’s role in protecting U.S. citizens and critical infrastructure from cyber attacks has been the subject of recent congressional interest. Critical infrastructure commonly refers to those entities that are so vital that their incapacitation or destruction would have a debilitating impact on national security, economic security, or the public health and safety. This report discusses selected legal issues that frequently arise in the context of recent legislation to address vulnerabilities of critical infrastructure to cyber threats, efforts to protect government networks from cyber threats, and proposals to facilitate and encourage sharing of cyber threat information among private sector and government entities. This report also discusses the degree to which federal law may preempt state law. It has been argued that, in order to ensure the continuity of critical infrastructure and the larger economy, a regulatory framework for selected critical infrastructure should be created to require a minimum level of security from cyber threats. On the other hand, others have argued that such regulatory schemes would not improve cybersecurity while increasing the costs to businesses, expose businesses to additional liability if they fail to meet the imposed cybersecurity standards, and increase the risk that proprietary or confidential business information may be inappropriately disclosed."


As I read it, the answer is a definite “Maybe”
April 18, 2013
Submission of Mental Health Records to NICS and the HIPAA Privacy Rule
  • "Questions about the scope and efficacy of the background checks required during certain firearm purchases have gained prominence following recent mass shootings. These background checks are intended to identify whether potential purchasers are prohibited from purchasing or possessing firearms due to one or more “prohibiting factors,” such as a prior felony conviction or a prior involuntary commitment for mental health reasons. Operationally, such background checks primarily use information contained within the National Instant Criminal Background Check System (NICS) and a particular focus of the debate in Congress has been whether federal privacy standards promulgated under the Health Insurance Portability and Accountability Act (i.e., the HIPAA privacy rule) or state privacy laws are an obstacle to the submission of mental health records to NICS."

Thursday, April 18, 2013

It's an 'arms race' and Moore's Law applies.
"Distributed denial of service attacks have increased their bandwidth by 700 percent in the last quarter, according to DDoS specialist Prolexic. The average bandwidth has gone up from 5.9Gbps to 48.25Gbps — and the number of packets-per-second is also up. However, claims of a 300Gbps attack on Spamhaus are almost certainly false."


It's simple! Have your toaster call my coffee maker for full details.
The staff of the Federal Trade Commission is interested in the consumer privacy and security issues posed by the growing connectivity of consumer devices, such as cars, appliances, and medical devices, and invites comments on these issues in advance of a public workshop to be held on November 21, 2013 in Washington, D.C.
The ability of everyday devices to communicate with each other and with people is becoming more prevalent and often is referred to as “The Internet of Things.” Consumers already are able to use their mobile phones to open their car doors, turn off their home lights, adjust their thermostats, and have their vital signs, such as blood pressure, EKG, and blood sugar levels, remotely monitored by their physicians. In the not too distant future, consumers approaching a grocery store might receive messages from their refrigerator reminding them that they are running out of milk.
Connected devices can communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors. The devices can provide important benefits to consumers: they can handle tasks on a consumer’s behalf, improve efficiency, and enable consumers to control elements of their home or work environment from a distance. At the same time, the data collection and sharing that smart devices and greater connectivity enable pose privacy and security risks.
FTC staff seeks input on the privacy and security implications of these developments. For example:
  • What are the significant developments in services and products that make use of this connectivity (including prevalence and predictions)?
  • What are the various technologies that enable this connectivity (e.g., RFID, barcodes, wired and wireless connections)?
  • What types of companies make up the smart ecosystem?
  • What are the current and future uses of smart technology?
  • How can consumers benefit from the technology?
  • What are the unique privacy and security concerns associated with smart technology and its data? For example, how can companies implement security patching [Suggests security was not considered at the design phase. Very “old school.” Bob] for smart devices? What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
  • How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve health-care decisionmaking or to promote energy efficiency? Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances?
FTC staff will accept submissions through June 1, 2013, electronically through iot@ftc.gov or in written form. Paper submissions should be mailed or delivered to: 600 Pennsylvania Avenue N.W., Room H-113 (Annex B), Washington, DC 20580. The FTC requests that any paper submissions be sent by courier or overnight service, if possible, because postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
SOURCE: FTC

(Related) The technology required to gather data like how much milk is in your refrigerator is so cheap, there is no real obstacle to using it to gather data about anyone, anywhere, at any time. We can, therefore we must?
What if Your Boss Tracked Your Sleep, Diet, and Exercise?
… at Citizen — a Portland, Oregon company that designs mobile technology — things are a little different. Employees at the company are now uploading data on how much they exercise, what they eat, and how much they sleep to a central server, as part of an effort to determine whether healthy employees are actually happier and more productive. The ultimate aim is to explicitly show employees how they can improve their work through better personal habits.


If I understand this “strongly worded letter,” they are saying, “It's perfectly legal, but we'd kind of like you to promise not to do it.” Rather than, “That's illegal. Stop it!”
Senators to IRS: Don't snoop on taxpayers' private messages
A dozen senators, including Democrats and Republicans, want the IRS to pledge publicly not to snoop on Americans' Twitter and Facebook messages and other correspondence without a warrant.


Cool! Now let's put signs in front of elected officials' homes...
Sex Offenders in Florida Now Have Warning Signs Outside Their Homes
… Florida statutes say that we must notify the public of any sex offenders in our jurisdiction. We already do that with Facebook and by going out into the area to notify people when the person first moves in, but we realized there was a possible issue with continued notification. For instance, if somebody moves in after we've gone around notifying people, then they're not aware that there's a predator there. We're just trying to do everything we can to make the public aware. And, in a certain sense, it protects the predator from having people, especially children, approaching their residence without being duly notified.


So I could add President Bush to the “Broccoli Lovers” Facebook Group, without his knowledge or permission, and it's his responsibility to control all those “I love broccoli” comments?
"The CBC reports that publicly-elected Gerry Rogers, member of the Provincial Government for Newfoundland and Labrador, 'has been removed from the house of assembly for refusing to apologize for comments made by other users on a Facebook group to which she had been added as a member.' Rogers was unwillingly added to a Facebook Group which included comments of death threats aimed at Premier Kathy Dunderdale from other users. From the article: 'Dunderdale said her government understands how Facebook groups work, and she said it is up to every MHA to monitor the comments posted on Facebook groups to which they belong.' Facebook's policies for Groups are somewhat clear, even if they don't actually answer the question of 'Can I prevent people from adding me to a new group?'"


One of those cute things iPhone owners love to show off is, “Siri, Where is a good place to bury a body?”
Siri Remembers Your Secrets, But for How Long?
Not everyone realizes this, but whenever you use Siri, Apple’s voice-controlled digital assistant, she remembers what you tell her.
How long does she remember? Apple isn’t saying. And the American Civil Liberties Union is concerned.
… What happens with everything that Siri learns is a big enough concern that last year IBM CIO Jeanette Horan told MIT’s Technology Review that she’d banned Siri outright on IBM’s networks, worrying that what people said to Siri might be stored somewhere.


It wouldn't be “fair” if we didn't treat everyone like an illegal alien... (Guilty, until e-Verified innocent!)
Chris Calabrese of the ACLU writes:
Today’s release of an immigration reform proposal from the Gang of Eight raises a host of civil liberties issues, many of which the ACLU will undoubtedly be commenting on in the coming days and weeks.
Today, I’m focusing on our concerns with one particular program, E-Verify. Currently, E-Verify is a largely voluntary system where employers can check with the Department of Homeland Security to see if someone is allowed to work. Basically it’s a giant list of everyone – immigrants and citizens – legally in the United States.
Read more on ACLU’s blog.
Beat the Chip writes that the bill
is a very noticeable overreach for an employment system used by small businesses. Without much stretch, it really inducts working America into a level of data and intelligence sharing which would match Philip K. Dick’s Minority Report.
It is one of the least trustworthy developments on Immigration reform.


Let me be certain I understand: Stuff that is sold as “explosive” is not regulated, but fertilizer is restricted. We don't teach logic in our schools any more, do we.
FBI Warned in March That ‘Exploding Targets’ Could Fuel Homemade Bombs
… Exploding targets like Tannerite, which consists of a mixture of ammonium nitrate and aluminum powder, are legal; available at sporting-goods stores and websites; and retail for fairly cheap.
… The FBI recently expressed concern that tighter restrictions on common bomb precursor materials like ammonium nitrate fertilizer could lead wannabe domestic extremists to pack their homemade bombs with the stuff.


For my Intro to IT class. I wonder if you could make a living dealing with “Data after Death?”
Alt Text: Your Guide to Data After Death
Google has introduced the “Inactive Account Manager,” which is a polite way of saying “Decide what you want us to do with your data after you’re dead, because we will outlive you and your children and your children’s children.”
… Now we all know that Google is rarely the first to do things. It generally takes existing services — search, e-mail, ignoring your privacy settings — and attempts to improve on them. This is no exception. Here are some other services that actually exist to help you deal with your data after you’ve kicked the bit bucket.
Legacy Organiser (iOS app)


My vote for App of the Year!
BeerHunt app wants you to have fun and free beer


Also for my Intro to IT class. (Very cute image)
… There are three basic stages for a search engine: crawling – where content is discovered; indexing, where it is analysed and stored in huge databases; and retrieval, where a user query fetches a list of relevant pages.
… If you found this interesting, you might also like to learn about how image search engines work.
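The three stages described above, carried through in working code for the Intro to IT class. This is an added example, not code from the article or from any real search engine: the "web" is a constructed in-memory corpus of five hyperlinked pages under the made-up host example.test, `fetch` stands in for an HTTP GET, and the ranking is a plain TF-IDF sum, one of many scoring choices. The crawler follows links breadth-first from a seed, the indexer builds an inverted index from term to page and frequency, and retrieval scores pages against a query; the unlinked "orphan" page is there to show that content a crawler never reaches never gets indexed.

```python
"""Toy search engine: crawl, index, retrieve, all in memory and offline."""
import re
from collections import defaultdict, deque
from math import log

# Constructed corpus standing in for the web (hypothetical host example.test).
CORPUS = {
    "http://example.test/": "Home. Read about <a href='http://example.test/tls'>TLS</a> "
                            "and <a href='http://example.test/dns'>DNS</a>.",
    "http://example.test/tls": "TLS encrypts traffic. Certificates bind keys to names. "
                               "See <a href='http://example.test/'>home</a>.",
    "http://example.test/dns": "DNS maps names to addresses. DNS is not encrypted by default. "
                               "See <a href='http://example.test/dnssec'>DNSSEC</a>.",
    "http://example.test/dnssec": "DNSSEC signs DNS records so resolvers can verify them.",
    "http://example.test/orphan": "This page is never linked, so a crawler never discovers it.",
}

LINK_RE = re.compile(r"href='([^']+)'")
TAG_RE = re.compile(r"<[^>]+>")
TOKEN_RE = re.compile(r"[a-z0-9]+")


def fetch(url):
    """Stand-in for an HTTP GET; returns None for unknown URLs."""
    return CORPUS.get(url)


def crawl(seed, max_pages=100):
    """Stage 1, crawling: discover pages by following links breadth-first.

    A 'seen' set stops the crawler looping on cycles (home <-> tls), and
    max_pages bounds the work, as a real crawler's politeness budget would."""
    seen, queue, pages = set(), deque([seed]), {}
    while queue and len(pages) < max_pages:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        pages[url] = body
        for link in LINK_RE.findall(body):
            if link not in seen:
                queue.append(link)
    return pages


def tokenize(text):
    """Strip markup, lower-case, split into alphanumeric terms."""
    return TOKEN_RE.findall(TAG_RE.sub(" ", text).lower())


def build_index(pages):
    """Stage 2, indexing: inverted index term -> {url: term frequency}."""
    index = defaultdict(dict)
    for url, body in pages.items():
        for term in tokenize(body):
            index[term][url] = index[term].get(url, 0) + 1
    return index


def search(index, n_docs, query, top=5):
    """Stage 3, retrieval: score each page by summed TF-IDF over query terms.

    idf = log(1 + N/df) down-weights terms that appear on most pages, so a
    rare query word contributes more to the ranking than a common one."""
    scores = defaultdict(float)
    for term in tokenize(query):
        postings = index.get(term, {})
        if not postings:
            continue
        idf = log(1 + n_docs / len(postings))
        for url, tf in postings.items():
            scores[url] += tf * idf
    # Highest score first; ties broken by URL so results are deterministic.
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


if __name__ == "__main__":
    pages = crawl("http://example.test/")
    index = build_index(pages)
    for url, score in search(index, len(pages), "dns encrypted"):
        print(f"{score:.3f}  {url}")
```

Running it crawls four of the five pages (the orphan is never reached), and the query "dns encrypted" ranks the DNS page first because it mentions DNS twice and is the only page containing the rarer term "encrypted".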


Yep. Another list.
101 Recommended Educational Web Tools

Wednesday, April 17, 2013

...and no one finds this surprising? “After an extensive investigation, we conclude that we have no idea what our computer systems are doing.”
Central Hudson Gas & Electric Corporation has issued a press release updating its customers on the breach disclosed in February that affected 110,000 customers:
(POUGHKEEPSIE, NY) Though New York State and federal law enforcement officials continue to investigate the incident externally, forensic computer experts have completed their internal investigation into the February cyber-security incident that had the potential to involve banking information for approximately one third of Central Hudson Gas & Electric Corporation customers.
“Despite an exhaustive review, these cyber-security forensic experts could not confirm if any private banking information for any of our customers was transferred,” said James P. Laurito, Central Hudson’s president. “They also report that it is likely that it may never be possible to document if information was transferred.
[ … ]
The investigation conducted by an expert forensic computer firm on Central Hudson’s internal systems confirmed that the incident was the result of malware that infiltrated Central Hudson’s information systems during or prior to September 2012 but likely lay dormant until earlier this year, Laurito said. “The malware, which Central Hudson personnel discovered and disabled on February 19, 2013, was designed to seek out and export information. While the potential exists that information contained on the front of bank checks was exported, it cannot be confirmed what, if any, information was ever actually transferred,” Laurito said.


How is it that the court will accept “expert testimony” but there is nothing in the literature that allows the court to make an independent evaluation? (Or am I missing something?)
James (Jim) R. McCullagh and Amelia M. Gerlicher of Perkins Coie recap the status and issues in a class action lawsuit against Hannaford Bros:
This is the latest opinion in the ongoing litigation arising out of a massive data breach suffered by Hannaford Bros. grocery stores. In re Hannaford Bros. Privacy Litigation, __F. Supp. 2d __, Case No. 2:08-MD-1954-DBH, 2013 WL 1182733 (D. Me. Mar. 20, 2013).
The litigation arises out of a criminal attack on the payment card systems at the Hannaford Bros. grocery chain in late 2007 and 2008, which potentially affected over 4 million card numbers. The district court initially dismissed the action after the plaintiffs stipulated that none of the plaintiffs had incurred fraudulent charges that had not been reimbursed. The court certified a question to the Maine Supreme Judicial Court, which agreed that in the absence of physical harm, economic loss or identity theft, the time and effort spent to avoid or remediate reasonably foreseeable harm did not constitute cognizable injuries for which damages may be recovered under Maine law.[1]
On appeal, the U.S. Court of Appeals for the First Circuit reversed with regard to two of the claims, finding that the plaintiffs had alleged sufficient injury for their negligence and implied breach of contract claims because “fees for replacing cards and the cost of identity theft protection products were foreseeable costs to mitigate any harm arising from the data breach.”
Finding themselves back before the district court, plaintiffs moved to certify a class consisting of those “Hannaford customers who incurred out-of-pocket costs in mitigation efforts that they undertook in response to learning of the data intrusion.” The court addressed each of the factors provided in Federal Rule of Civil Procedure 23 and ultimately denied certification based only on a finding that plaintiffs’ failure to provide expert testimony supporting its theory of classwide damages meant that common issues would not predominate with regard to damages. The plaintiffs moved for reconsideration on April 4, 2013, further clarifying their theory of damages and asking for 60 days to obtain and tender to the court appropriate expert evidence.[2] Because data breach class actions rarely get to this point, a summary of the court’s review of each element follows.
Read their recap and analysis on Perkins Coie.


It's what you don't know that hurts you...
April 16, 2013
New Internet Security Threat Report from Symantec
  • 42% increase in targeted attacks in 2012.
  • 31% of all targeted attacks aimed at businesses with less than 250 employees.
  • One waterhole attack infected 500 organizations in a single day.
  • 14 zero-day vulnerabilities.
  • 32% of all mobile threats steal information.
  • A single threat infected 600,000 Macs in 2012.
  • Spam volume continued to decrease, with 69% of all email being spam.
  • The number of phishing sites spoofing social networking sites increased 125%.
  • Web-based attacks increased 30%.
  • 5,291 new vulnerabilities discovered in 2012, 415 of them on mobile operating systems.


Perspective
April 16, 2013
Experian reveals a quarter of time online is spent on social networking
London, 16 April 2013 – "Insights from Experian, the global information services company, reveals that if the time spent on the Internet was distilled into an hour then a quarter of it would be spent on social networking and forums across UK, US and Australia. In the UK 13 minutes out of every hour online is spent on social networking and forums, nine minutes on entertainment sites and six minutes shopping."


More perspective.
April 16, 2013
Report - Big Data, Big Brains
"This report on Big Data is the first MeriTalk Beacon, a new series of reports designed to shed light and provide direction on far reaching issues in government and technology. Since Beacons are designed to tackle broad concepts, each Beacon report relies on insight from a small number of big thinkers in the topic area. Less data. More insight. Real knowledge... Mankind created 150 exabytes (billion gigabytes) of data in 2005, and 1,800 exabytes in 2012; growth that only continues to accelerate. Every minute, users: Upload 48 hours of video to YouTube; Send 204 million emails; Spend $207,000 via the web; Create 571 new websites. Within the Federal government; U.S. drone aircraft sent back 24 years worth of video footage in just 2009. Every 24 hours, NASA’s Curiosity rover can send nearly three gigabytes of data, collecting in mere days the equivalent of all human knowledge through the death of Augustus Caesar – from Mars."


I'm sure I must have missed them, but this is the first “Management” publication I recall having ever seen. That may explain a lot.
MANAGING FOR RESULTS
The designation of senior-level officials to key performance management roles with responsibilities under the Government Performance and Results Act Modernization Act of 2010 (GPRAMA) has helped elevate accountability for performance management within federal agencies and ensure high-level involvement, according to officials GAO interviewed. [What are they going to say? “We suck at our jobs!” Bob]


Sounds like a fun addition to the genealogy files...
April 16, 2013
Get Grandpas FBI File.com Website Now Makes Getting FBI Files Easy
News release: "The process for obtaining FBI files about family members who may have been the subject of a federal investigation has just become much simpler with the help of a step-by-step consumer website: GetGrandpasFBIfile.com established by Virginia-based Meme Transmission Enterprises... The Federal Bureau of Investigation maintains billions of pages of records and millions of files – all compiled using taxpayer dollars. But the clock is ticking. Recently, the FBI has begun destroying the bulk of its historic files to save space. Only a very tiny fraction of its voluminous files will be preserved at the National Archives. So time is of the essence in asking for files before they are gone forever. Get Grandpas FBI File makes it easy to get these files by guiding the public through the process of completing a request letter. The website does not ask for any payment, and most requests for FBI files are processed by the FBI without any fees whatsoever."


I really do use this...
Wikispaces Introduces a Brand New Look for Classroom Wikis
Wikispaces has been a great supporter of classrooms for years now. They allow any teacher to use their services to create wikis for free and without advertising. Today, Wikispaces introduced a brand new look for classroom
Wikispaces Classroom is a new, free offering from Wikispaces. From the first look you'll notice that Wikispaces Classroom is quite different from the old Wikispaces format. Wikispaces Classroom simplifies the layout of pages to put only the tools students need in order to edit a page on display and hides the tools students don't need. On the management side of things Wikispaces Classroom is arranged to make it easy for teachers to quickly manage projects, alter settings, and see reports on students' use of the wiki.
Wikispaces is offering some free webinars about the new Wikispaces Classroom. You can get more information about those webinars here.
Applications for Education
Last year I wrote 5 Ways You Can Use Wikis With Students. Included in that list is creating digital reference pages as alternatives to textbooks. That was one of my primary uses of wikis when I taught a ninth grade geography class that didn't have a current textbook. I often started a set of pages and had students finish the pages. The new Wikispaces Classroom has a tool that I wish I had then to quickly see not only when students accessed pages, but also what they did on the pages.

Tuesday, April 16, 2013

Clearly we need to react when mental health professionals flag an individual as dangerous. I see no indication that that happened here. And don't get me started on the argument that the only way the police knew what guns he had was because he had followed the law and registered them.
There was a story from upstate New York that didn’t get my attention when I first read about it. A man was ordered to turn in his guns under New York’s new SAFE Act, allegedly because he had taken anti-anxiety medication and his mental health history made him a danger to himself or others. His guns were returned to him after it was discovered that a mistake had been made and he was not the individual with the mental health history. The case is raising questions as to who is responsible for investigating before a referral is made to the courts to revoke someone’s permit or have them turn over their guns.
But there’s even more to the story, it seems, and some legislators and the man’s lawyer are raising questions about whether medical records are being scoured without warrants. Capital Tonight reports that the man’s attorney, Jim Tresmond, is filing a lawsuit:
Tresmond claims while investigating the “mistake” he discovered that State police had examined his client’s medical records without a valid search warrant. Tresmond said that’s a clear violation of federal and state privacy laws in addition to the New York State Criminal Procedure Law.
“This is not a simple case of mistaken identity. Mr. Lewis’ medical privacy was invaded and he was publicly defamed and humiliated by New York State officials,” Tresmond said.
Tresmond went a step further, accusing the State of creating a “clandestine HIPAA unit” within the Division for Criminal Justice Services, charged with examining New York residents’ medical records without warrant.
“I believe there are seven officers assigned to this unit, who are assigned to review those HIPAA files. And try to nab those people who are on certain medications, certain treatments, and then pull their licenses across the state,” said Tresmond.
A State Police spokesperson told YNN the accusations are “flat wrong.”
Read more on Capital Tonight.
In related coverage, Dan Roberts discusses the alleged HIPAA unit on AmmoLand, where he repeats a report that the unit was created at the request of Homeland Security. At this point, there’s been no proof or named sources, however, so I’m not sure what we can make of all this.


Wow! And only a couple (three) years after the first reported case.
CBS/The Associated Press reports:
Gov. Chris Christie has signed a measure intended to prevent New Jersey school districts from violating students’ privacy rights by tracking them through school-issued laptops.
Districts that provide students with laptops, cell phones or other electronic devices will now have to provide written notification that the device may track them. The notification also must include a statement that the school won’t violate the student’s privacy rights.
Read more on CBS

(Related) Now perhaps they can think about generalizing that law a bit...
Following a public comment period, the Federal Trade Commission has approved nine final orders settling charges that seven rent-to-own companies and a software design firm and its two principals spied on consumers using computers that consumers rented from them. The companies used software to take screenshots of confidential and personal information, log customers’ computer keystrokes, and in some cases take webcam pictures of people in their own homes, all without the customers’ knowledge.
In settling the FTC’s administrative complaint, the respondents will be prohibited from using monitoring software and banned from using deceptive methods to gather information from consumers. The settlements will prohibit the use of geophysical location tracking without consumer consent and notice, and bar the use of fake software registration screens to collect personal information from consumers. The seven rent-to-own stores will also be prohibited from using information improperly gathered from consumers to collect on accounts. In addition, the software company, DesignerWare, and its principals, Ronald P. Koller and Timothy Kelly, will be barred from providing others with the means to commit illegal acts. All of the proposed settlements contain record-keeping requirements to enable the FTC to monitor compliance with the orders for 20 years.
The respondents, with links to the respective orders and associated public comments, are:
  • DesignerWare, LLC [order | comments];
  • Timothy Kelly and Ronald P. Koller [order | comments];
  • Aspen Way Enterprises Inc. [order | comments];
  • Watershed Development Corp., doing business as Watershed and Aaron’s Sales & Lease Ownership [order | comments];
  • Showplace Inc., d/b/a Showplace Rent-to-Own [order | comments];
  • J.A.G. Rents LLC, d/b/a ColorTyme [order | comments];
  • Red Zone Investment Group Inc., d/b/a ColorTyme [order | comments];
  • B. Stamper Enterprises Inc., d/b/a Premier Rental Purchase [order | comments]; and
  • C.A.L.M. Ventures, d/b/a Premier Rental Purchase [order | comments].
The Commission vote approving the final orders and letters to members of the public who commented on it was 3-0-1, with Commissioner Wright not participating. (FTC File No. 112-3151; the staff contacts are Julie Mayer, 206-220-4475, and Tracy Thorleifson, 206-220-4181.)
Source: FTC
Of course, as regular readers of this blog know, there are ongoing lawsuits against Aaron’s that include allegations that some of the problematic behavior may have continued after the consent orders were first posted for public comment.
I don’t know if you generally read the comments submitted by the public on proposed settlements, but this one generated a lot of public comment – much of it seemingly by employees and rental store owners who are not happy with the FTC and think that the case was misrepresented.


Like Real Estate, the law is all about location, location, location.
From EPIC, yesterday:
In an order today, the U.S. Supreme Court has declined to review a decision concerning e-mail privacy. In Jennings v. Broome, the South Carolina Supreme Court held that the federal Electronic Communications Privacy Act (ECPA) does not protect emails stored on remote computer servers. As a result of this case, users in South Carolina have lesser privacy protections than those in California, where a federal court reached the opposite conclusion. EPIC, joined by 18 national organizations, filed an amicus brief urging the US Supreme Court to clarify the scope of e-mail privacy protections. For more information, see EPIC: Jennings v. Broome and EPIC: Electronic Communications Privacy Act.
It’s unfortunate that the court does not explain why it declines to review a case. In the meantime, Congress has failed to update ECPA to clarify and strengthen protections that we need in a digital world.

(Related) Another “exception” to privacy?
From FourthAmendment.com:
Defendant had no reasonable expectation of privacy in his computer from police accessing it via Limewire when he was hooked up to the Internet. He did not create an expectation of privacy from his efforts to hide files on his computer. Warshak has no application to this situation. United States v. Conner, 2013 U.S. App. LEXIS 7437, 2013 FED App. 0365N (6th Cir. April 11, 2013)
Read more about the opinion on FourthAmendment.com.
[From the article:
Warshak does not control this case because peer-to-peer file sharing is different in kind from e-mail, letters, and telephone calls. Unlike these forms of communication, in which third parties have incidental access to the content of messages, computer programs like LimeWire are expressly designed to make files on a computer available for download by the public, including law enforcement.]


“We've invited Mr. Fox here to give us a lecture on henhouse protection.” What could possibly go wrong?
Andrea Smith reports:
Facebook and privacy sometimes seems like an oxymoron — words or ideas that contradict one another. Users complain about Facebook’s privacy settings being too difficult to understand and properly implement.
Now, Facebook and the National Association of Attorneys General (NAAG) want to change that through a consumer education program.
Read more on Mashable.


Related to a “Right to be forgotten?” Worth skimming the Comments.
"The last few months a digital inheritance idea has been floating around in my head, and I am sure the thought has crossed your mind as well. With Google talking about the inactive account program it made me wonder, how do I make sure my children get my iTunes, and amazon movies? I have plenty of mp4 movies on my server that will just set itself to admin with no password after I do not log in within a 6 month time frame. But what about the huge amount spent on digital content every year? What's the best way to make sure your "digital inheritance" gets passed down?"


Inside the minds... (Such as they are) “We plan on moving to this new and clearly superior technology, but first we have to be sure we can screw it up with the technology our customers hate.” Not yet to the point where the tail can wag the dog.
Netflix plotting move to HTML5 video - but only if DRM works
… In a blog post on Monday, reps for Netflix – which by some estimates now accounts for around a third of all internet traffic in North America – said the company definitely plans to get off the Silverlight boat before it sinks for good in 2021, and that HTML5 video is probably the solution ... but it's not quite there yet.
The problem? As Netflix cloud architect Adrian Cockcroft candidly explained at the seventh annual Linux Collaboration Summit in San Francisco on Monday, "We're trying to get to the point where we don't need a plugin. But we have to have DRM."
… When asked by a Linux Collaboration Summit attendee what Netflix was doing to help push back against Hollywood's insistence on DRM, the way Amazon and Apple have done for music downloads, Cockcroft was brutally frank.
"Right now what we're basically doing is giving billions of dollars to Hollywood to buy the content, so that they can afford to build more content," he said. "That's basically the business we're in. We're a major source of funds for Hollywood and we're mostly concerned about getting content made and getting it out to our customers."


Plan ahead.
April 15, 2013
OECD - Machine-to-Machine Communications: Connecting Billions of Devices
Machine-to-Machine Communications - Connecting Billions of Devices. Publication date: 30 Jan 2012. Bibliographic information: No. 192, 45 pages. DOI 10.1787/5k9gsh2gp043-en
  • "This document examines the future of machine-to-machine communication (M2M), with a particular focus on mobile wireless networks. M2M devices are defined, in this paper, as those that are actively communicating using wired and wireless networks, are not computers in the traditional sense and are using the Internet in some form or another. While, at the global level, there are currently around five billion devices connected to mobile networks, this may by some estimates increase to 50 billion by the end of the decade. The report provides examples of some of the uses to which M2M is being put today and its potential to enhance economic and social development. It concludes that to achieve these benefits, however, changes to telecommunication policy and regulatory frameworks may be required. Some of the main areas that will need to be evaluated, and implications of M2M assessed, include: opening access to mobile wholesale markets for firms not providing public telecommunication services; numbering policy; frequency policy; privacy and security; and access to public sector information."


Create a virtual library?
Here at MakeUseOf we get a lot of questions on MakeUseOf Answers asking for sources of free eBooks. The benefit of owning a physical, printed book lies in the ability to pick it up, examine it and borrow or loan it to friends and family. It’s no secret that the traditional lending of literature can be achieved using Amazon’s Kindle format, but this is only possible between other Kindle users.
And so that’s where Ownshelf comes in. The service which is currently in beta uses Facebook as a platform for connecting you with people you already know. In reality, it’s like a Dropbox for eBooks and best of all it doesn’t matter which eReader you own or which eBookshop you frequent, provided the format is ePub you can share between platforms.
Once you’ve logged in and approved the app to use your Facebook account you can upload files in ePub format which will then appear on your bookshelf ready to be shared with your friends. You can also browse the shelves of others in your friends list or borrow books with the click of a button, though you might want to tell your eReading buddies to sign up for the Ownshelf service as it feels a little empty on your own.


I may have mentioned that I like lists. This one is not just for teachers...
50 Education Technology Tools You Can Start Using Today
Finding the best education technology tools is a time-consuming task. It may even be viewed as a chore (for some). Typically, one tracks down a handful of useful apps or web tools and puts them through their paces at home. Then you probably don’t use any of them because each tool took far too long to understand, use, become accustomed to, and actually implement in a classroom.
That’s why I was so excited to find this Symbaloo created by user lcobbs detailing 50 great classroom tools that are all easy to implement into just about any classroom. From Animoto to Prezi to Dropbox to Stixy (wait what?), there’s a lot to check out. Don’t know all 50 tools? I didn’t! Click on each icon to get an idea about each tool and learn more.

Monday, April 15, 2013

Medium sized, but worth a mention...
Last month, Schnucks Markets, a multi-state chain of grocery markets, disclosed that customers at some of its stores had become victims of card fraud. I duly entered the reports in DataLossDB.org, but didn’t post anything on this blog.
This past week, I emailed Schnucks to ask for some more details. They declined to answer any specifics, but just today issued a statement that does address some of the questions I had posed to them:
Leaders of St. Louis-based Schnuck Markets, Inc., today announced that between December 2012 and March 29, 2013, approximately 2.4 million credit and debit cards used at 79 of its 100 stores may have been compromised. The company emphasizes that only the card number and expiration date would have been accessed – not the cardholder’s name, address or any other identifying information.
Schnucks has posted a list of the 79 stores and specific dates for each store at www.schnucks.com. In addition, Schnucks has distributed a timeline of the actions taken to investigate, find, contain, and share information about the cyber-attack, as well as a personal video message from Chairman and CEO Scott Schnuck.
“On behalf of myself, the Schnuck family, and all of our 15,000 teammates, I apologize to everyone affected by this incident,” said Scott Schnuck.
… Schnucks has worked with its payment processor to make sure all potentially affected card numbers are sent to the credit card companies so that they may continue sending alerts to the issuing banks. Those banks will then be able to take steps to protect their cardholders, such as adding enhanced transaction monitoring or reissuing a new card. Many banks have already taken these steps.
“Customers have asked me if it is safe to shop at Schnucks,” continued Schnuck. “Yes, we believe it is, and we will work hard to keep it that way.”
… Schnucks provided the Secret Service and FBI with information about the methods and tools used by the attacker and has worked and will continue to partner with law enforcement to apprehend those responsible.
The press release incorporates an FAQ for consumers.
This is an example of good transparency by a breached entity. They disclosed the breach as soon as they became aware of it (even if it took from December to March to become aware of it and even though they had to be told by their card processor to look for a breach), and they updated their reports by revealing more of what they found as they found it, including the numbers affected.


What makes sense and what is legal don't always agree...
V. John Ella of Jackson Lewis writes:
The Fourth District Court of Appeal for the State of California expanded the tort of “public disclosure of private facts” under that state’s common law right to privacy in a case involving a claim by an employee against her supervisor and employer. Ignat v. Yum! Brands, Inc. et al, No. G046434, (Cal. Ct. App. March 18, 2013). The plaintiff in that case suffered from bi-polar disorder and occasionally missed work due to the side effects of medication adjustments. After returning from such an absence, the plaintiff alleged that her supervisor had informed everyone in her department about her medical condition and that, as a result, she was “shunned” and a co-worker asked if she was going to “go postal.” The plaintiff filed suit alleging a single cause of action for invasion of privacy by public disclosure of private facts.
Read more on Lexology. This is a good case for all employers to consider, as the issue of how much co-workers can be told if an employee is out on medical leave or for other personal reasons comes up fairly frequently. To avoid possible legal problems, it would make sense (to me, anyway) for an employer to ask the employee, “Your colleagues are concerned about you – how much do you want me to tell them about what’s going on?”


Now you can't even trust a pigeon...
"SHEPHERD-MIL, a UAV which looks like a native bird with the same flight performance, will be featured at HOMSEC 2013. This UAV is characterized by the glide-ratio and noiseless motor that make it invisible, silent and unobtrusive in sensitive missions. SHEPHERD-MIL is equipped with cameras and geolocation software. The system is especially suitable for border surveillance missions, firefighting, and anti-drug trafficking operations amongst others."


We'll probably need at least one in every state.
"Twenty-five miles due south of Salt Lake City, a massive construction project is nearing completion. The heavily secured site belongs to the National Security Agency. The NSA says the Utah Data Center is a facility for the intelligence community that will have a major focus on cyber security. Some published reports suggest it could hold 5 zettabytes of data. Asked if the Utah Data Center would hold the data of American citizens, Alexander [director of the NSA] said, 'No...we don't hold data on U.S. citizens,' adding that the NSA staff 'take protecting your civil liberties and privacy as the most important thing that they do, and securing this nation.' But critics, including former NSA employees, say the data center is front and center in the debate over liberty, security and privacy."
According to University of Utah computing professor Matthew Might, one thing is clear about the Utah Data Center, it means good paying jobs. "The federal government is giving money to the U.'s programming department to develop jobs to fill the NSA building," he says.


Inevitable, I suppose. And lots of people who don't know better will welcome this model.
Why Facebook Could Finance Your Next Phone
Facebook Home was released last week for six new high-end smartphones. But Facebook isn’t going to make its mobile platform ubiquitous by targeting pricier devices; it needs to blanket the low end of the market too. Which is why you should expect the social network to start outright subsidizing smartphone and even tablet purchases.
Facebook unveiled its Facebook Home “apperating system” earlier this month, pitching it as a way to move the focus of mobile phone and tablets from software to people. The device should be a boon to users who spend a lot of time chatting and swapping photos on Facebook, but businesses will soon benefit, too: Facebook plans to show advertisements right on the lock screen of the device, interspersed with photos and status updates.
… Here’s how it might work: Facebook could offer to pay mobile subscribers’ out-of-pocket costs for a device like, say, the $200 Samsung Galaxy Note II. In exchange, Facebook Home would be allowed to show advertisements a bit more often on the device and to report back a bit more tracking data than it normally does (Facebook says Facebook Home tracks only the same data as Facebook’s mobile app, plus some anonymized app launching stats on rare occasion).
Facebook wouldn’t be the first company to offer ad-supported discounts on digital devices. Amazon does this already, knocking roughly 30 percent off the price of a Kindle e-reader for those willing to accept ads on the lock screen and holding down the price of its Kindle Fire tablet by showing ads on all of them. If you think about it, the entire ecosystem of devices running the Android operating system is advertising subsidized, since Google only gives away the mobile OS as a way of getting its ads into more smartphones and tablets.


As long as they don't price it like Cable TV...
Prepare Your Eyeballs: E-Book Subscriptions Are Coming
E-books are getting the Spotify subscription model.
Books have long been the last holdout as music, movies, games and even TV shows and magazines have embraced the subscription model. Pay a single monthly fee and you can gorge on all the content you can cram into your eyes and ears. But on Tuesday, Tim Waterstone, the founder of the UK bookstore Waterstones, announced Read Petite, a subscription streaming service for short fiction. It’s a baby step toward a new model that could shake up an industry that has seen traditional books losing ground to e-books, which comprised 22.5 percent of the book market in 2012.
… Waterstone’s Read Petite would give readers unlimited access to available books for a few bucks a month. The service will launch this fall, and it will be interesting to see how it is received by readers and, more importantly, publishers.
One publisher that’s already on board is F+W Media. It offers subscriptions for its library of design, writing reference and romance genres — genres that lend themselves to the all-you-can-eat subscription model, said Chad Phelps, chief digital officer.
… While specific genres lend themselves to a subscription service, there is a market for the two-to-three-book-a-week reader. It’s just a question of who will act first and how.


Could this be useful in our programming classes?
"The Internet Archive has a great collection of books, music, visual items and websites, but it had one thing lacking up until now – software. This has changed recently as The Internet Archive now claims to hold the largest collection of software in the world. The expansion at the Internet Archive has come through collaboration with other independent archives like the Disk Drives collection, the FTP site boneyard, Shareware CD Archive, and the TOSEC archive. The archive doesn't hold just the software – it also holds documentation as well."