Who guards the guardians?

Apparently, DHS was not auditing this vendor nor did the vendor keep access logs. Does not make me feel secure...

Jason Miller reports:

Tens of thousands of current and former Homeland Security Department employees are at risk of identity theft after officials discovered a vulnerability in the vendor’s system for processing background investigations.

All DHS employees working in the headquarters office, for the Customs and Border Protection and for the Immigration and Customs Enforcement components from 2009 to 2013 are the most affected, according to an internal notice sent to employees, which was obtained by Federal News Radio and confirmed by a DHS spokeswoman.

“As a result of this vulnerability, information including name, Social Security numbers (SSN) and date of birth (DOB), stored in the vendor’s database of background investigations was potentially accessible by an unauthorized user since July 2009,” the internal notice stated.

[From Federal News Radio:

A DHS spokeswoman emphasized there is no evidence [No logs? Bob] that any employee data was stolen or lost.

… DHS said it found out about the breach from a law enforcement partner [DHS didn't detect the breach? Bob] and is investigating if the vendor had any data stolen.

Faster detection by the organization itself. See DHS, this is how it should be done.

Krister Rollins reports:

The Maine Attorney General’s office is issuing an alert for people who may have used an out-of-state service for buying tickets for shows and other forms of entertainment recently.

The service, Venidini (sic), Inc., has been hacked, exposing financial information for tens of thousands of customers.

Vendini sent a letter to Maine’s Attorney General about the breach. Vendini’s letter says that on March 29th, someone broke into a server that contains the names, addresses, email addresses, credit card numbers and credit card expiration dates of tens of thousands of people, 22,900 Mainers among them.

Read more on WCSH.

A statement on Vendini’s blog, posted yesterday, reads:

… We regret to inform you that on April 25, 2013, Vendini, Inc. detected an unauthorized intrusion into its systems.

This is new.

Sue Reisinger writes:

Earlier this month the U.S. Equal Employment Opportunity Commission filed—and quickly settled—its first lawsuit accusing an employer of gathering illegal genetic information during a job applicant’s medical exam. The agency followed it up last Thursday by filing its first class action suit against another employer on similar grounds.

The Genetic Information Nondiscrimination Act went into effect in 2009, and some individuals have sued companies under it. But not until this month did the government take official action to enforce GINA, as the law is called.

“Employers need to be aware that GINA prohibits requesting family medical history,” said David Lopez, general counsel of the EEOC, in a statement. “When illegal questions are required as part of the hiring process, the EEOC will be vigilant to ensure that no one be denied a job on a prohibited basis.”

[From the article:

And, according to the law, it doesn’t matter if a company doesn’t know about the medical examiner’s request. In other words, it is the company’s responsibility to make sure any third-party medical examiner it hires doesn’t ask an illegal question.

However, GINA provides a “safe harbor” for employers if they attach language to any request for information from a health care provider that tells the applicant not to answer questions about family or genetic information.

There seem to be a few holes in the planned coverage...

Travelers visiting the US may have to prepare for more hassles at customs: All foreign nationals leaving the country at 30 airports must have their fingerprints taken, according to a new amendment to a planned immigration reform bill.

The amendment, which was approved by the Senate Judiciary Committee in a 13-5 vote, will see departure terminals at major US airports – including JFK, LaGuardia and Newark Liberty – equipped with high-tech systems for fingerprinting foreign nationals and scanning their passports and visas.

[From RT:

Currently, foreigners are only required to submit their fingerprints when entering the United States.

Not tracking exits is “a hole in the system,” said Senator Orrin Hatch (R-UT), one of the amendment’s proponents. "Biometric data provides the government with certainty that travelers (and not just their travel documents) have or have not left the country," the Senator’s office said in a statement, according to the Salt Lake Tribune.

The new departure procedure is being introduced in order to prevent foreigners from overstaying their visas. [I must be missing the “prevention” part... Bob]

… Advocates for the provision cite the recent high-profile case of Azamat Tazhayakov. A Kazakhstani, Tazhayakov was a friend of Dzhokhar Tsarnaev, a Boston Marathon bombing suspect, and was charged with obstruction of justice after he allegedly attempted to dispose of possessions belonging to Tsarnaev. Tazhayakov reportedly entered the United States in January on an invalid visa. [Why was it undetected? Shouldn't we fix that hole first? Bob]

Perhaps a new area of Psychology: Data Breach Distress Experts?

From Out-Law.com:

In a recently published judgment, the Court said that the Data Protection Act (DPA) does not oblige businesses to pay individuals compensation for distress that causes damage where the distress caused is not attributable to a breach of the Act.

Under section 13 of the DPA a person is generally entitled to compensation if they suffer damage as a result of violations of a section of the DPA by organisations that hold their personal data. Individuals are also generally entitled to compensation from those data controllers if they suffer distress that causes damage.

More coverage than ship based radar, more detail than satellites.

Navy’s High-Flying Spy Drone Completes Its First Flight

… The MQ-4C Triton took off today for the first time from a Palmdale, California airfield, a major step in the Navy’s Broad Area Maritime Surveillance program.

… The idea is for the Triton to achieve altitudes of nearly 53,000 feet — that’s 10 miles up — where it will scan 2,000 nautical miles at a single robotic blink. ... Its sensors, Northrop boasts, will “detect and automatically classify” ships, giving captains a much broader view of what’s on the water than radar, sonar and manned aircraft provide. Not only that, Triton is a flying communications relay station, bouncing “airborne communications and information sharing capabilities” between ships. And it can fly about 11,500 miles without refueling.

It's always easier to sell a bad idea if you can introduce a bit of misdirection.

"Supporters of the Communications Data Bill (also known as the Snooper's Charter) have lost no time in calling for the Bill to be revived, in response to yesterday's brutal murder of a soldier on the streets of Woolwich, South London. The Bill would have allowed monitoring of all online communications — including who people contact and what websites they visit — but was shelved after Deputy Prime Minister Nick Clegg opposed it, effectively splitting Britain's coalition government on the issue. Now the fear of new terrorism could rekindle support, based on the argument that even 'lone wolf' attackers use the Internet."

Even a non-lawyer can see the government will fight this one tooth and nail...

May 22, 2013

"EFF Takes FOIA Fight Over Secret Wiretaps to the Foreign Intelligence Surveillance Court"

"Today, EFF filed a motion in a secret court. This secret court isn’t in a developing nation, struggling beneath a dictatorship. It’s not in a country experimenting for the first time with a judiciary and the rule of law. And, as Wired recently noted, it’s “not in Iran or Venezuela, as one might expect.” No, the court is here, in the United States (it’s in Washington, D.C., in fact). It’s called the Foreign Intelligence Surveillance Court (or the FISC), and it reviews the federal government’s applications to conduct surveillance in national security cases. It’s comprised of 11 district court judges from around the country, and its opinions and orders are the law of the United States, like other federal courts. But the FISC is different from typical courts in one fundamental way: almost everything about the FISC is secret. In fact, just being able to publicly say that we filed a motion with the FISC is unusual. Most proceedings are done ex parte (in this context, meaning just with the government and the judge), and any non-governmental parties involved in proceedings are typically forbidden from ever disclosing it.

Even when the FISC finds that the government has acted illegally, so far, that illegality has been kept hidden from public scrutiny and accountability. EFF is trying to change that. We filed a lawsuit under the Freedom of Information Act (FOIA) after the Department of Justice refused to disclose a FISC opinion we requested. The FISC opinion held that the government engaged in surveillance that was unconstitutional and violated the spirit of federal surveillance laws. We only know the opinion exists because Senators, like Ron Wyden and Mark Udall, essentially forced the government to publicly acknowledge its existence."

Interesting perspective

What Google Glass Reveals About Privacy Fears

Marketing professionals have learned the hard way that no matter what they do or do not plan to do with consumer information, privacy matters. In part, that's because marketing has always been something of a black art. When an ad appears to speak to a consumer directly, of course, it's likely to be most effective. But that's also the moment when the creepy response kicks in.

How did they know what I wanted, perhaps even before I did?

Couple the lack of transparency of marketing generally with the shock of new technology, and you get anxiety over information use that increasingly translates into calls for legislation or regulatory intervention.

Our favorite 'character' in the wacky world of Copyright disputes now becomes a patent troll?

Nyder writes

Techdirt points out that Dotcom isn't just asking for financial help: Instead, he's asking companies which use two-factor authentication "to help fund his defense, in exchange for not getting sued for the patent. He points out that his actual funds are still frozen by the DOJ and (more importantly) that his case actually matters a great deal to Google, Facebook and Twitter, because the eventual ruling will likely set a precedent that may impact them -- especially around the DMCA."

Update: 05/23 14:23 GMT by T : Why is this relevant to Twitter? If you're not an active Twitter user, you might not realize that (after some well publicized twitter-account hijackings), the company is trying to regain some ground on security.

Nerval's Lobster writes "Twitter is now offering two-factor authentication, a feature that could help prevent embarrassing security breaches. Twitter users interested in activating two-factor authentication will need to head over to their account settings page and click the checkbox beside 'Require a verification code when I sign in.'"

Not sure I understand what is going on here

"According to an announcement on a French government website, police have stopped current searches for missing adults and will not accept new search requests. 'Such 'searches in the interests of the family' were conducted under an administrative procedure almost a century old, introduced to help families separated during the upheavals of World War I to find missing relatives,' according to the French Ministry of the Interior. In a letter to police chiefs announcing the changes, the Ministry advised them to instead 'direct people towards social networks on the Internet, which offer interesting possibilities.'"

[From the article:

… unless there are signs that the person is in danger.

… Requests for the searches have fallen considerably in recent years, and are now most often used to find those behind on alimony payments

… Searches will continue for minors, and for those who disappear in worrying circumstances -- for example those with suicidal intent, or victims of a crime -- as they are conducted under a different procedure.

Might be fun to take a peek...

May 22, 2013

Congress.gov, currently in beta test, to eventually replace THOMAS

Library of Congress Magazine: "The Law Library and CRS, working with the Library's web services experts, maintain THOMAS, the Internet-accessible database that makes legislative information-bills, resolutions, treaties and the Congressional Record-available to Congress and the public. Congress.gov, a beta website operated jointly by the Library of Congress, the House, the Senate and the other legislative branch sources, provides the same information through mobile devices and eventually will replace THOMAS. The Law Library responds to all queries related to THOMAS and the Congress.gov beta site. "Since the launch of the public legislative information system known as THOMAS in 1995, Congress has relied on the Library to make the work of Congress available to the public in a coherent, comprehensive way," said Rep. Gregg Harper (R-Miss.) at the September 2012 launch of the Congress.gov beta site. "The Library staff has a strong working relationship with the House, Senate and the Government Printing Office, which will enable the Library to successfully develop the next generation legislative information website."

For my Ethical Hackers. Remember to document your hacks – they may have 'historical significance' some day.

May 22, 2013

Scanned PDFs of about 800 historical documents related to phone phreaking are now available on the Exploding The Phone web site

"While researching the book... Exploding the Phone... Phil Lapsley amassed a bibliographic database of roughly 1,000 documents related to phone phreaking history. You can search this database by typing search terms into the box below. Many (but alas, not all) of the documents are available as scanned PDFs. For more information on what is and isn't in the database, and tips on searching it, please see the search help page."

For my Geeks. Republish government data for fun or profit! Worth reviewing the list. There is a Federal Register search app, for example. Even some limited PACER access.

May 22, 2013

NextGov: Massive Catalog of Streaming Government Data Set to Launch

NextGov: "Government data officials have nearly completed an exhaustive list of nearly 300 application programming interfaces that will allow outsiders to stream up-to-date information from government agencies straight to their computers, websites and mobile apps. The final version of the federal API catalog will be released Thursday on the government dataset trove Data.gov to mark the one-year anniversary of the White House’s federal digital strategy, the site’s administrator Jeanne Holm told Nextgov by email Wednesday. A nearly complete version of the API catalog includes hyperlinks to about 280 government APIs, listed individually and broken down by federal department and agency. Holm called the current site a “transparent work in progress.” Officials will continue to add more APIs to the list after Thursday as agencies launch them, she said.

An API is essentially computer code that allows one machine to automatically gather updated information from another. A community organization could use the API for a national farmers’ market database recently launched by the Agriculture Department, for instance, to stream information about local farmers’ markets on its website. APIs were a key component of the digital strategy, which required agencies to have at least two of them up and running by the strategy’s one-year anniversary. (The official deadline arguably won’t come for several months because it was also tied to the six-month anniversary of a government open data policy, due in November 2012, that wasn’t published until earlier this month). A major goal for the API program is that private sector and non-profit developers will build mobile apps and other products off of streaming government data about home prices, health outcomes and other topics, either to serve the public, to turn a profit or both.

One model for the initiative is the multi-billion industry built off government-gathered Global Positioning System data, which is used by industries ranging from airlines to mobile app developers."

I normally don't teach 'lit-er-a-chore' but I can see myself incorporating one of these into my classes. See if you can guess which one.

5 Good Resources for Teaching & Learning About Shakespeare

Shakespeare Uncovered … a nice resource for helping students understand the things that influenced Shakespeare's writing.

Shakespeare Animated … Some of the animated plays that appear in the Shakespeare Animated playlist are Romeo and Juliet, Hamlet, MacBeth, and The Taming of the Shrew.

Insults by Shakespeare … In addition to explaining the insults used by Shakespeare the lesson also explores some of Shakespeare's other uses of dialogue.

Shakespeare's Original Pronunciations could be a good resource to support classroom readings of some of Shakespeare's works. Take the guess work out of the pronunciations by hearing them.

For my Intro to IT students: This is Convergence.

… Our gadgets have also replaced a significant amount of physical objects, to the point where many of us wouldn’t consider buying a product when there is an equivalent piece of software that is up to the task.

In light of this here are a list of things many of you might not consider purchasing ever again.

Calculator
Scanner
The Diary
Remote Controls
Radio
Trackpad & Mouse
Alarm Clock
The Landline
Notebooks & Scrap Paper
Magazines

Another onerous task for my Intro to IT students.

… now it’s time to list the best playable Google Doodles released to date. Good Guy Google doesn’t delete these games, so they remain playable long after they appear on the Google homepage