Saturday, June 29, 2013

Can you say, “Clueless?”
Mitch Carr reports:
The State Alcoholic Beverage Control Commission revealed Thursday that credit card information for customers at ABC stores in Greensboro and elsewhere had been compromised.
In an email , public affairs director Agnes Stevens said, “It appears that an outside scammer has hacked into the computer/sales system used by Greensboro and several other local ABC boards.”
Stevens went on to say that along with Greensboro, stores within the Triad ABC Board’s jurisdiction had been compromised, too. That board runs stores in Winston-Salem and Forsyth County as well as one store in Yadkinville and one store in Oak Ridge.
Stevens did not respond to a follow-up email asking specifically which stores had lost information or if information from every one of those stores was in jeopardy.
[...]
In an update, he adds that the manager of Greensboro’s ABC stores says they found evidence of malware at some of the Greensboro stores.
Read more on Fox8.
[From the article:
The malware has been removed and additional software was installed in an effort to prevent any similar issues from reoccurring. [Anti-virus software? Bob]
Fred McCormick, the general manager for Greensboro’s ABC stores said they had known about a potential data compromise for “four or five weeks” and that they involved law enforcement when they discovered it.
McCormick said his board waited to stop taking credit and debit cards – a move the board made Wednesday morning – because it made the decision when law enforcement told the board that was the best course of action. [It's not negligence, it's stupidity. Bob]


For my Risk Management students
How to Have the IT Risk Conversation
I run a course at the MIT Sloan School called Essential IT for Non-IT Executives. Every time my colleagues and I come to the end of the course, we ask people what they considered the most important thing they learned. Surprisingly, many people say it was "how to have the IT risk conversation."
As one CFO told me, the phrase "IT Risk" contains two dirty words. The word risk makes him feel uncomfortable. And the word IT makes him feel incompetent. Not a good way to feel ready for a productive dialogue. But being able to talk about IT risk is essential if you are going to make the right decisions about how you use technology in your business.
From a business standpoint, IT risks affect four key objectives:
  • Availability: Keeping business processes running, and recovering from failures within acceptable timeframes
  • Access: Providing information to the right people while keeping it away from the wrong people
  • Accuracy: Ensuring information is correct, timely, and complete
  • Agility: Changing business processes with acceptable cost and speed


As if we didn't have enough to worry about?
When the Black Death exploded in Arabia in the 14th century, killing an estimated third of the population, it spread across the Islamic world via infected religious pilgrims. Today, the Middle East is threatened with a new plague, one eponymously if not ominously named the Middle East respiratory syndrome (MERS-CoV, or MERS for short). This novel coronavirus was discovered in Jordan in March 2012, and as of June 26, there have been 77 laboratory-confirmed infections, 62 of which have been in Saudi Arabia; 34 of these Saudi patients have died.
… This fall, millions of devout Muslims will descend upon Mecca, Medina, and Saudi Arabia's holy sites in one of the largest annual migrations in human history. In 2012, approximately 6 million pilgrims came through Saudi Arabia to perform the rituals associated with umrah, and this number is predicted to rise in 2013.


Might make an interesting Privacy Foundation speaker.
Josh Meyer reports:
The first week on the job for Nicole Wong, dubbed by many as the US’s first chief privacy officer, has been fairly, well, private. The White House has named Wong, 44, a former top lawyer for Google and Twitter, as the new deputy US chief technology officer in the Office of Science and Technology Policy. But the appointment came with little fanfare or official communication about her role, even though Wong could have influence far and wide—not only on internet issues, but on foreign policy, trade and human rights. Here’s why.
Wong is serving as a top deputy to the White House’s chief technology officer, Todd Park, according to OSTP spokesman Rick Weiss. Beyond that, Weiss wouldn’t elaborate on what Wong will be doing. He did say, however, that characterizing her simply as a “chief privacy officer” doesn’t fully describe her role.
Read more on Quartz.
[From the article:
Wong has a stellar reputation for aggressively protecting individual privacy rights, earned during many battles she fought against the Bush and Obama administrations during her eight years as Google’s vice president and deputy general counsel. She joined Twitter as its legal director just seven months ago. Friends and former colleagues say she has mastered the complexities of cutting-edge internet and social media technologies and how the law should or shouldn’t apply to them.


Is “Quixote-esque” a word?
EPIC – EU Officials Recommend Do Not Track by Default
Via EPIC: “The International Working Group on Data Protection released a white paper on online behavioral advertising. The group of leading privacy experts from around the world noted that web tracking allows companies to “monitor every single aspect of the behavior of an identified user across websites.” The Working Group also observed that the current efforts of the W3C to develop a DNT track standard could “remain a sugar pill instead of being a proper cure and would such be useless.” The Working Group recommended “the default setting should be such that the user is not tracked” and that there be no invisible tracking of users. Senator Rockefeller, the Commerce Committee Chairman, has introduced legislation to regulate the commercial surveillance of consumers online. For more information, see EPIC: Online Tracking and Behavioral Advertising and EPIC: Federal Trade Commission.”


Sounds like a “Drone authorization” bill.
Salvador Rizzo reports that the New Jersey Senate passed S2702 by a vote of 36-0 on Thursday.
The Senate measure (S2702) would let state, county and local police and fire departments and offices of emergency management deploy the drones, with some restrictions.
Officials would be able to use the devices in criminal investigations and events that “substantially endanger the health, safety and property of the citizens of this state,” including high-risk and missing-person searches, fires and forest fires, hurricanes, floods, droughts, explosions, acts of terrorism and civil disorder.
In each case, the agency chief would have to approve the drone’s use. Departments would have to log each time they used a drone and for what purpose, and submit that information yearly along with maintenance reports to the state attorney general.
Read more on NJ.com. The bill goes to the Assembly now.


If we make then write often, we should give them some useful technology. (Far cheaper than a textbook) They even offer a free trial.
MakeUseOf recently published Your Guide to Scrivener—a how-to manual for the popular writing program. Scrivener has been around since 2006, and it is a favorite application amongst novelists and screenwriters. As a full-time non-fiction tech writer, I can’t recommend Scrivener enough for actually starting and drafting writing projects. There are two versions of the application, one for the Mac OS X ($45.00) and the other for Windows PC ($40.00).
Scrivener is not a desktop layout application like Word and Pages, but it helps you organize and export your documents to other applications. In addition to being useful for full-time writers, I think Scrivener could be very useful to students and professors who write research papers, anyone who has plans to write a book, and even bloggers looking for an application to draft and manage blog posts.


Screen sharing when using your browser. Might be interesting in my Intro classes. Or answering student questions from home...
The act of sharing your screen usually involves installing a client, connecting to a server and inviting some people to join you (who might also need to install some software too) before it works. There are a few simpler solutions – such as using Google+ Hangouts, but that involves your audience having Google+ accounts and you’re limited by the maximum party size. Luckily there’s now an even easier way of sharing your screen, and it’s an extension for Google’s Chrome browser.
Dead Simple Screen Sharing is exactly as the name suggests – a very easy and straightforward way of sharing your screen with other people. Simply install the extension, click the button in the top right corner of your browser and you will be given a unique URL. You can then share this URL with other people, who will be able to see what you’re doing online without the need for plugins or extra software.


Somehow, I'll work this into my Statistics class. Interesting comparisons, % of degrees vs % in age group.
As More Attend College, Majors Become More Career-Focused
A popular article by Verlyn Klinkenborg last week in The New York Times Sunday Review lamented the decline of English majors at top colleges and universities.
… I am sympathetic to certain parts of Mr. Klinkenborg’s hypothesis: for instance, the potential value of writing skills even for students who major in scientific or technical fields, and the risks that specialization can pose to young minds that are still in their formative stages.
But Mr. Klinkenborg also neglects an important fact: more American students are attending college than ever before. He is correct to say that the distribution of majors has become more career-focused, but these degrees may be going to students who would not have gone to college at all in prior generations..


For my amusement...
… The non-profit Common Sense Media has launched a new tool for teachers called Graphite that will share ratings on education apps and websites. The ratings include grade level, subject area, platform, price, and teacher reviews. (There’s still a huge gap here in addressing Terms of Service and data ownership issues of education products.)

Friday, June 28, 2013

Who decides what to disclose?
Jam Kotenko reports:
When Facebook came clean about a recent security bug that caused the exposure of 6 million users’ personal information to their contacts, they softened the blow by saying that the effect of the bug was probably minimal, since the people who likely received their friends’ data could have already had access to the contact info in the first place. Facebook users were outraged nonetheless, and it turns out they had reason to be: According to Sophos, the Facebook info leak is actually much worse than we were told and that the researchers who initially discovered the existence of shadow profiles are saying that the numbers don’t match up.
Read more on Digital Trends.
[From the article:
In one case, they stated 1 additional email address was disclosed, though 4 pieces of data were actually disclosed. For another individual, they only told him about 3 out of 7 pieces of data disclosed. It would seem clear that they did not enumerate through the datasets to get an accurate total of the disclosure.
Facebook claimed that information went unreported because they could not confirm it belonged to a given user. Facebook used its own discretion when notifying users of what data was disclosed, but there was apparently no discretion used by the ‘bug’ when it compiled your data. It does not appear that they will take any extra steps at this point to explain the real magnitude of the exposure and we suspect the numbers are much higher.


More articles, but less shocking.
Glenn Greenwald and Spencer Ackerman disclose more from files leaked by whistleblower Edward Snowden:
The Obama administration for more than two years permitted the National Security Agency to continue collecting vast amounts of records detailing the email and internet usage of Americans, according to secret documents obtained by the Guardian.
The documents indicate that under the program, launched in 2001, a federal judge sitting on the secret surveillance panel called the Fisa court would approve a bulk collection order for internet metadata ”every 90 days”. A senior administration official confirmed the program, stating that it ended in 2011.
The collection of these records began under the Bush administration’s wide-ranging warrantless surveillance program, collectively known by the NSA codename Stellar Wind.
Read more on The Guardian.
And see their other report, “How the NSA is still harvesting your online data.”
[Interesting language in the order:
"communications with at least one communicant outside the United States or for which no communicant was known to be a citizen of the United States".
[I would take that to mean that if I couldn't see (didn't have a copy of) their birth certificate, it was okay to listen in... Bob]


Well, it's a start.
Casey Seller reports:
The state Court of Appeals has decided that the attachment of a GPS device on the personal vehicle of Michael Cunningham, a Department of Labor employee suspected of padding his time reports, was “unreasonable” in its scope. The use of the GPS device in the state Inspector General’s probe, the court concludes, crossed a line when it extended beyond the workday, when Cunningham used his car for official business.
While the decision to reverse a lower court’s action was unanimous, the judges split 4-3 on the question of whether the state could use such a device to track an employee during work hours.
Read more on Capitol Confidential.
Update: Orin Kerr comments on the decision on The Volokh Conspiracy.


Sound bites. Fluff. This is addressing the collected data rather than the collection (or collectors) of data. See the article on PII below.
Commissioner Julie Brill’s keynote speech at CFP yesterday is well worth reading. Here’s a small part of it where she addresses ideas apart from legislation:
I would suggest we need a comprehensive initiative – one I am calling “Reclaim Your Name.” Reclaim Your Name would give consumers the knowledge and the technological tools to reassert some control over their personal data – to be the ones to decide how much to share, with whom, and for what purpose – to reclaim their names.
Reclaim Your Name would empower the consumer to find out how brokers are collecting and using data; give her access to information that data brokers have amassed about her; allow her to opt-out if she learns a data broker is selling her information for marketing purposes; [Probably not possible unless this “opt-out” turns off all of the “opt-in” switches, Internet wide. Bob] and provide her the opportunity to correct errors in information used for substantive decisions – like credit, insurance, employment, and other benefits.

(Related) ...and mostly in her mind?
Kate Kaye writes that marketers were caught off-guard by FTC Commissioner Julie Brill’s “Reclaim Your Name” initiative, described in her keynote address as CFP this week:
The Direct Marketing Association was caught off guard by Commissioner Brill’s announcement. “DMA has been in discussion with Commissioner Brill regarding ways to increase transparency in the ‘data broker’ industry, but was surprised to see her announcement of this new initiative,” said Rachel Thomas, VP of government affairs at DMA. “The FTC’s Section 6B inquiry into ‘data brokers’ is still ongoing, and the Commission has yet to articulate a specific problem that would justify a call for congressional action in this area,” she continued in an emailed statement.
Ms. Brill indicated that the FTC believes mobile device IDs are personally-identifiable. Many of the companies using device IDs to track in-store shopping behavior and other location-based interactions hold that they are not. “Information linked to specific devices is, for all intents and purposes, linked to individuals,” she said.
Read more on Ad Age.


Again, collections vs collecting.
Daniel Solove and Paul Schwartz write:
We recently released a draft of our new essay, Reconciling Personal Information in the European Union and the United States, and we want to highlight some of its main points here.
The privacy law of the United States (US) and European Union (EU) differs in many fundamental ways, greatly complicating commerce between the US and EU. At the broadest level, US privacy law focuses on redressing consumer harm and balancing privacy with efficient commercial transactions. In the EU, privacy is hailed as a fundamental right that trumps other interests. The result is that EU privacy protections are much more restrictive on the use and transfer of personal data than US privacy law.
Numerous attempts have been made to bridge the gap between US and EU privacy law, but a very large initial hurdle stands in the way. The two bodies of law can’t even agree on the scope of protection let alone the substance of the protections. The scope of protection of privacy laws turns on the definition of “personally identifiable information” (PII). If there is PII, privacy laws apply. If PII is absent, privacy laws do not apply.
Read more on LinkedIn. [Interesting choice of forum Bob]


I note that the Privacy Foundation is not listed. That's a pretty significant omission.
New on LLRX – Privacy Resources and Sites on the Internet 2013
Via LLRX.com - Privacy Resources and Sites on the Internet 2013 - - Marcus P. Zilman’s guide is a comprehensive, timely and actionable resource inclusive of a wide range of privacy resources for individuals as well as organizations. His guide includes references to associations, indexes, search engines as and topical websites and sources that provide current applications, information and resources on the salient topic of privacy and how it relates to your use of the internet and social media.


It must be Audio week at MakeUseOF...
Audacity can be a fantastic audio recording and editing tool, especially because of its cross platform and open source nature. For example, you can make your own home music recordings with Audacity or use Audacity in ten other creative uses that you may not have thought of.
… here are four recommended tools you can use that are free and completely compatible with each other.
And even if these three don’t meet your needs somehow, there are still plenty of others available such as these 6 suggested Audacity alternatives, especially if you use a Mac.

(Related)
Format Factory promises to convert anything at all to any other format.
Not only does it work, but it’s free.


The world of IT is changing...
IT in the Cloud Era
An interview with Aaron Levie, cofounder and CEO of Box. Follow him on Twitter at @levie.


There are markets and there are black markets... The Internet enables them all.
Inside Atlantis, The New Amazon For Illegal Things
… Atlantis, which is accessible through the anonymity-enabling Tor network, lists among its product categories Drug, Forgeries, Money, and Lab Supplies.


For my students
CRS – Financial Aid for Students: Online Resources
Financial Aid for Students: Online Resources, Laura L. Monagle, Information Research Specialist, June 17, 2013
This report identifies various online sources for planning and acquiring funds for postsecondary education. Students themselves are often in the best position to determine which aid programs they may qualify for and which best meet their needs. This list includes both general and comprehensive sources, as well as those targeted toward specific types of aid and circumstances (e.g., non-need-based scholarships; female and minority students; students studying abroad; or veterans, military personnel, and their dependents). The selection of a resource for inclusion in this report is based upon a multitude of criteria, including long-standing history in publishing print guides on financial aid and other college information guides (e.g., College Board, Peterson’s, Princeton Review, Reference Service Press) and information on selected topics (e.g., specialized educational disciplines or students). The references in this report are examples, not an all-inclusive list, of resources to consult.”


For my students who complain my tests are “too hard.” This is similar to what I saw in Japan.
The IIT Entrance Exam
The admissions test for the Indian Institutes of Technology, known as the Joint Entrance Examination or JEE, may be the most competitive test in the world. In 2012, half a million Indian high school students sat for the JEE. Over six grueling hours of chemistry, physics, and math questions, the students competed for one of ten thousand spots at India’s most prestigious engineering universities.
When the students finish the exam, it is the end of a two plus year process. Nearly every student has spent four hours a day studying advanced science topics not taught at school, often waking up earlier than four in the morning to attend coaching classes before school starts.
… Government subsidies make it possible for any admitted student to attend IIT. [Would be nice if the US did the same. Bob]

Thursday, June 27, 2013

Will someone please swat this gnat! North Korea does this because we let them get away with it. At some point, their anoying little jabs will hit a real nerve and we'll wind up shooting at each other again.
Edward Smith reports:
Cyber-attacks were staged on Tuesday, 25 June, marking the anniversary of the start of the Korean War in 1950. The hackers compromised the websites of South Korea’s presidential office and several local newspapers.
The unidentified hackers claimed to have obtained personal data belonging to two million South Korean workers and 40,000 US military troops, including that of some 28,000 troops currently stationed in the country.
Read more on International Business Times. Other coverage on Information Age. Both outlets cite a Reuters story. I note that there is no official confirmation of the authenticity of the claim or leaked data as of the time of this posting.


Another example of failed management. It's hard for my Computer Security students to believe that this is a common failure.
Rod Boshart reports:
Iowa Department of Human Services officials issued an alert Wednesday to former patients at the Mental Health Institute in Independence and hundreds of state employees there and at other state facilities concerning a possible breach of their confidential information.
Officials say the information was stored on a backup computer tape that went missing April 30 cannot be located. A search for the tape continues at the Independence facility, DHS spokesman Roger Munns said in a news release, and officials believe it is likely that the tape was inadvertently destroyed or discarded. Access to information on the tape requires specialized and outdated equipment.
Read more on WCF Courier. This breach represents a useful example of what happens if you fail to purge old, historical data:
The historical data had not been purged from the computer system and continued to be backed up on a monthly basis, Dave said. He noted that the computer system requires the use of specialized equipment that is no longer serviced by the manufacturer, [but no one reviewed the process to see if it was impacted by the change? Bob] and that the backup system has been changed to eliminate the unnecessary retention of personally identifiable information.
So… wasn’t any of this considered or discussed when the agency conducted its risk assessment?

(Related) Another procedure that suggests management isn't in control. Shouldn't someone in the DA's office sign off on any evidence destruction?
Aurora Police Say DNA Evidence In 48 Alleged Sex Cases Destroyed In Error
… The problem came to light after a detective who found a DNA match in a 2009 case found that other evidence was gone, the police department said.
A subsequent investigation found that in 30 cases, an injured officer assigned to light duty apparently destroyed evidence in error, Oates said. In 18 other cases, after a lead detective determined evidence could be destroyed, a technician in the property and evidence unit didn’t follow department protocol and review that recommendation to see whether it was allowed under the law.


Another “You won't like what we're doing” system?
As the FBI is rushing to build a “bigger, faster and better” biometrics database, it’s also dragging its feet in releasing information related to the program’s impact on the American public. In response, the Electronic Frontier Foundation (EFF) today filed a lawsuit to compel the FBI to produce records to satisfy three outstanding Freedom of Information Act requests that EFF submitted one year ago to shine light on the program and its face-recognition components.
Read more on EFF.


Today, encrypted phone calls, tomorrow fingerprint checking at every traffic stop?
FingerQ adds fingerprint sensor to Android phones
FingerQ, a company based in Hong Kong, has made a series of Android cases that come with biometric fingerprint sensors for added security. The sensors don't replace the built-in security features of your Android phone (unlocking your smartphone still uses the passcode or pattern unlock), but adds another layer of protection for chats and applications.
The FingerQ system will be available as an accessory called the PrivacQ case and caters to phones such as the Samsung Galaxy S3, S4, and Note 2, as well as the HTC One. The fingerprint sensor is just one part of the equation, as the company's software also needs to be installed on the handset for the system to work.
The primary use of the case is through the FingerQ Chat application. The app lets you communicate with another FingerQ user securely by encrypting the messages sent. To read an encrypted message, you have to first swipe a finger that has been initially linked to your case. [Will boarder security require access to your finger? Bob] It lets you send a photo the same way.
Because the PrivacQ case is bound to a phone, you lose access to the encrypted messages and photos if the case is removed or lost. This also means if your phone gets stolen, the thief cannot simply remove the case to read your FingerQ Chat messages or photos.


Will there be lawsuits? Probably not. The average consumer would be bored and befuddled.
Pandora calls artist royalties flap an orchestrated 'lie'
Pandora struck back against critics Wednesday, calling accusations that the streaming radio service is trying to shortchange musicians "a lie."
In a blog post Wednesday, Pandora co-founder Tim Westergren accused the Recording Industry Association of America, the organization charged with defending the interests of musicians, of orchestrating and funding a "misinformation campaign" involving well-known artists.


For my Computer Security students. New devices, same old problems.
How Zombie Phones Could Create a Gigantic, Mobile Botnet
You've heard of the "botnet"—a collection of enslaved, malware-infested computers that act together to pump out spam and DDoS attacks, often unbeknownst to their owners. For the past decade, botnets have mostly been a problem for the PC world. But, according to a new report on mobile malware, it may not be long before we start seeing botnets built out of an increasingly sophisticated type of device: cell phones.
"It's only a matter of time before that's pervasive," said Karim Toubba, a vice president at Juniper Networks, the publisher of the study.
Google's Android operating system is by far the most vulnerable to outside attackers. Unlike Apple, which forces its iPhone apps through an infamously strict approval process before storing them in a single app store, Android phones are capable of downloading and installing apps from third-party websites.
… More than a third of all Android devices haven't been updated since February 2011. More than a quarter of Android devices haven't been updated since Dec. 2011.


How long before this site gets sued?
… Youzeek. It is a web app that lets you easily find and listen to popular songs of any artist from its catalog featuring over 700,000 artists and 30 million songs. To listen to a song, simply find it and click play to start streaming it. You don’t even have to register or sign in. You will have to sign in with Facebook, though, if you want to create playlists or do social sharing. It is truly free music streaming service with no limitations or interruptions.
Another nice part is that once you found the artist, it displays the most played songs by that artist instead of simply displaying the full catalog of songs. Songs are ordered by popularity based on the total number of plays a song received. Most of the songs are available in video format, usually from YouTube or Vevo.
Related services – TuneCrawl, Listen Music.


For all my students. (Be sure to look up the “ohnosecond”)
The Computer Desktop Encyclopedia
The Computer Desktop Encyclopedia: “The Computer Language Company was founded in 1978 by husband-wife team Alan Freedman and Irma Morrison. When Freedman couldn’t find a computer dictionary that would meaningfully augment the computer literacy classes he taught to Fortune 500 companies, he set out on a quest to purchase his first computer and write this “glaringly missing” reference. The year 1980 was explosive for personal computers, and buzzwords were everywhere. The self-published 300-term, 60-page The Computer Glossary was a huge success in hundreds of seminars. Within a few years, writing the dictionary became a full-time job, and after 30 years, 300 terms grew to more than 25,000.”


Infographic. May be true, but no source cited... Support for my “students should create their own textbook” idea?
How Students Are Using The Internet For Studying


Wednesday, June 26, 2013

This will be interesting. If it actually happens, I'll work up a “What to look for” guide for my students and scare the bejessus out of them.
Finally You'll Get To See The Secret Consumer Dossier They Have On You
For the first time ever, the big daddy of all data brokers is nearly ready to show consumers their intimate personal dossiers, a move aimed at staving off public fears of Big Brother and government regulation.
… What exactly does Acxiom know about you? Their files record where you live and who else lives there, your phone numbers, often including cell, general financial situation and interests. Your file might include race, ethnicity, religious affiliation, education, political affiliation and occupation. They might list what credit cards you use, as well as some health topics of interest to you such as diabetes or arthritis.
… The company has information on nearly one billion online users and matches 90 percent of all U.S. social profiles, CEO Scott Howe told investors last month.
… Acxiom had hoped to start letting individuals see their consumer files by mid summer but has run into delays. “It’s enormously difficult to do this,” said Suther, who has overseen the company’s global marketing, strategy and business development activities. “The reason for it is that all the systems that have been built up over the years have been built up with an eye for serving marketers, and marketers are not coming to Acxiom saying, gee, can you please give me this individual record about Adam Tanner. It’s not affordable, they are not interested. What they are interested in is doing that en mass so the systems have been built over the years to accomplish that.”


Each new generation of technology (perhaps even “generations” that exist only in the minds of the Marketing Dept.) MUST address the same secutity issues as all previous generations, but typically start life with no security whatsoever.
Rethinking Security for the Internet of Things
… The growing Internet of Things — the connection of physical devices to the internet — will rapidly expand the number of connected devices integrated into our everyday lives. From connected cars, iPhone-controlled locks (versions of which here, here, and here are in or close to production), to the hypothetical "smart fridge" that will one day order milk for me when I've run out, these technologies bring with them the promise of energy efficiency, convenience, and flexibility.
… As consumer demand for connected devices increases (and projections from Cisco and others suggest that there will be 50 billion connected devices by 2020), traditional manufacturers will, en masse, become manufacturers of connected devices. As these devices become subject to the same cyber threats with which software developers have long been familiar, companies will need to take steps to integrate security considerations into their designs and design processes right from the start.


No need to “forget” anything, ever...
Google cannot be obliged to delete sensitive information from its search index, a key adviser to the European Court of Justice has said.
It follows a Spanish case which challenged Google to remove outdated financial details about an individual.
The opinion of advocate general Niilo Jaaskinen could influence a wider EU debate over whether people have “the right to be forgotten”.
Read more of this story on BBC.


Interesting. Better than it was, but no where near what it should be?
… In physical searches, if the government comes across evidence unrelated to the search it is lawfully conducting, the government can seize that evidence as long as its incriminating nature is immediately apparent. I have argued that this rule is troublesome in the context of digital searches because everything comes into plain view in computer searches. A computer warrant for anything becomes a warrant for everything, making every computer warrant a general warrant in practice. To counter that dynamic, I have argued that the plain view exception should not apply to digital searches. See Orin Kerr, Searches and Seizures in a Digital World, 119 Harv. L. Rev. 531 (2005).
The Fourth Circuit rejected that argument in United States v. Williams, 592 F.3d 511 (4th Cir. 2010), where it held that the plain view exception should apply in the same way to digital searches as it applies to physical searches. As I understand the Fourth Circuit’s view, the government can look for anything on a hard drive if it has a warrant and keep anything that comes up. Opening any file is permitted because it might contain evidence in the warrant, and all evidence can be used because it has come into plain view under the traditional plain view test.
… I was very interested to see the Second Circuit’s decision today in United States v. Galpin. First, the opinion agrees that the scope of computer searches raises special problems:
… After ruling that the warrant in that case was in valid and remanding for further proceedings, the Second Circuit offered the district court guidance on how to apply the plain view exception on remand:
… It’s hard to know exactly what to make of this language. But if we take it seriously, the Second Circuit appears to be saying that there is some sort of heightened standard for when an agent is allowed to conduct a search through a computer. Some of the words suggest at least a subjective test (thus the focus on whether the “search was even directed” at the evidence), which is what the Tenth Circuit adopted in United States v. Carey, 172 F.3d 1268, 1273 (10th Cir. 1999). Other parts of the passage suggest some sort of heightened scrutiny beyond subjective intent. Parts suggest a necessity test: Would a proper search have “necessitated” the opening of a particular file? And other parts of the passage suggest a “possible evidentiary connection” test, which I gather would be ess strict than a necessity test.


Any attempt is welcome.
From the Executive Summary of this new white paper:
… According to a 2011 World Health Organization report, governments cite issues related to data privacy and security and the protection of individual health information as two of the top barriers to the expansion of mHealth.
… The results of this review show that the world of privacy law is roughly divided into three major camps: (1) omnibus data protection regulation in the style of the European laws that regulate all personal information equally; (2) U.S.-style sectoral privacy laws that address specific privacy issues arising in certain industries and business sectors, so that only certain types of personal information are regulated; and (3) the constitutional approach, whereby certain types of personal information are considered private and inviolate from a basic human rights perspective but no specific privacy regulation is in place otherwise.
Read the report here (pdf).

Tuesday, June 25, 2013

I haven't seen anything to suggest that Snowden was involved in policy decisions or strategic decisions, so why would he have access to “everything NSA does?” Sounds more like a sales pitch than reality.
U.S. worried about security of files Snowden is thought to have
The ability of contractor-turned-fugitive Edward Snowden to evade arrest is raising new concerns among U.S. officials about the security of top-secret documents he is believed to have in his possession — and about the possibility that he could willingly share them with those who assist his escape.
… The NSA has teams of analysts scouring systems that they think Snowden may have accessed, officials said. Analysts are seeking to retrace his steps online and to assemble a catalogue of the material he may have taken. [I find that difficult to believe. It suggests that no one has control of Top Secret materials. Bob]
“They think he copied so much stuff — that almost everything that place does, he has,” said one former government official, referring to the NSA, where Snowden worked as a contractor for Booz Allen Hamilton while in the NSA’s Hawaii facility.


Perhaps they have another law that they interpret as allowing them to lie to mere citizens or to Congress unless in closed sessions?
Today, Senators Wyden and Udall wrote to General Alexander requesting corrections in a recent NSA fact sheet on surveillance authorities.
“In our judgement this inaccuracy is significant, as it portrays protections for Americans’ privacy being significantly stronger than they actually are,” wrote Wyden and Udall.
The Senators could not state exactly what those inaccuracies are because it relates to classified information, but they appended specifics in a classified attachment.


Sort of a summary. I haven't seen anyone specalizing in this area, but it should merit at least a class in law schools by now.
While the Internet has already provided for ways to remove your deceased loved one’s digital accounts, there is occasionally the need to access them. Sometimes it’s for will information – other times it has to deal with financial reasons.
… Below are a few tips to get you started in the right direction for gaining access to your deceased relative’s digital account. I can’t guarantee success, but I can say that these are good ways to move forward.


Security is making its way into the Boardroom...
The Escalating Cost of Software Malice
Malicious attacks by hackers: At first they were an irritating oddity, but they've surged so much over the past few years that now they're the most common cause of data breaches among U.S. companies. Because these incidents are hard to discover and combat, they're also now the most costly form of loss.
As part of HBR's "Data Under Siege" Insight Center, we present a few charts that show just how quickly malicious attacks, and their costs, are mounting. The most recent data comes from a 2013 study by the Ponemon Institute and Symantec of 277 companies that experienced losses or thefts of protected personal data.

(Related) We just graduated a few I can recommand...
Cyber Security Depends on Education
We're facing an eyebrow-raising talent shortfall in cyber security. Consider the findings of a recent inquiry by the UK's National Audit Office. Its report stressed not only that the current pool of security-educated graduates and practitioners falls far short of demand, but also that "it could take up to 20 years to address the skills gap."
(See our recent report here: Cybersecurity Education for the Next Generation.)


Is this what my students do, rather than homework?


Hey, it can't hurt!
The Federal Registry for Educational Excellence (FREE) has partnered with the Learning Registry to provide educators, parents, and students in the U.S. with more than 200,000 freely available resources online.

Monday, June 24, 2013

Some thought on the subject (at last)
Commentary – Calling It ‘Metadata’ Doesn’t Make Surveillance Less Intrusive
By Geoff Nunberg: “Metadata” was bound to break out sooner or later, riding the wave of “data” in all its forms and combinations. “Big data” and “data mining” are the reigning tech buzzwords these days, and university faculties are scrambling to meet the surge in demand for courses in the hot new field of data science. It’s as if “data” is usurping “information” as a byword. Up to now, “data” has played a supporting role in the information age. There’s a popular definition of data as the raw material that becomes information when it’s processed and made meaningful. That puts information at the center of the modern tech world, but it isn’t how anybody actually uses the two words… But the shift in focus from information to data reflects a genuine difference between the two. “Information” brings to mind the knowledge that’s gathered in libraries, encyclopedias, newspapers and journals — stuff that has an independent existence in the world. “Data” is always connected to particular things and events. It comes from experiments, sensors, official records. Or it’s the scuff marks we leave behind as we click on websites, make calls, go through the E-ZPass tollbooths, visit an ATM. It’s all out there, accumulating in ginormabytes, overflowing the server farms… Whether or not you think the government should be sweeping this stuff up, calling it metadata doesn’t make the process any less intrusive. Tell me where you’ve been and who you’ve been talking to, and I’ll tell you about your politics, your health, your sexual orientation, your finances. Why don’t we just let the word “metadata” sink back into the nerdy cubicles it came from? When it comes to privacy, the “meta-” doesn’t matter. In the post-information age, it’s just data all the way down.”

(Related) What happens when your strategic vision changes from “Make the world safe for democracy” to “We gotta do something!”
Paper – NSA Spying Under Section 215 of the PATRIOT Act
Follow up to previous posting, Council on Foreign Relations Backgrounder – U.S. Domestic Surveillance, a new CDT Paper: “The FBI and NSA have abused Section 215 of the PATRIOT Act to compel disclosure of phone records of calls made to, from, and within the United States. This surveillance is not permitted by the statute, and was hidden from the public by deception. The legal basis for the program should be disclosed, and the program should be replaced by targeted phone call collection that focuses on suspected terrorists and spies.”


Coming soon: Leaked documents for your Kindle? Perhaps jobs for my student/vets?
Is the Amazon $600 million contract to build a “private cloud” for CIA moving forward?
Follow up to previous posting, FCW Reports on Bid Protest Over Amazon Cloud Contract for CIA, news that Amazon “is staffing up to meet the demand the new contract will require. Specifically, Amazon is looking for engineers who already have a “Top Secret / Sensitive Compartmented Information” clearance, or are willing to go through the elaborate screening process required to get it. TS/SCI is the highest security clearance offered by the US government, and getting it requires having your background thoroughly vetted.”


Interesting? Funny? Fair use? Even if there is no serious legal issues, it could make my students think a bit...
Student sues after school uses Facebook bikini pic in seminar
… should you be 17 and a school administrator uses your Facebook bikini image to tell a story of how photos live online forever, you would surely sue for $2 million.
… Her attorney, Pete Wellborn, said he's suing for $2 million, so that the claim is taken seriously. He also declared that he sees breaches of federal and state law -- and the Constitution.
When asked if publicly available photographs aren't, well, exactly that, his response was quite fascinating: "That sounds an awful lot to me like the horrible old cliche of 'well, that's how she dressed, she got what's coming to her.'"
… It seems the essence of the escalation here is that Chaney was offended the school didn't ask for her permission to use the shot. Subsequent discussions with the school clearly yielded nothing.
Still, I can't also help wondering about the school district's director of technology.


How to classify students? Since this combines Statistics and some :Big Data” concepts, I might find a use for it. (Or maybe I'll just print it as a poster)
Can you call yourself a “geek” or a “nerd” just because you feel like it? If you’re wondering if geeks and nerds are the same, they’re not. Geeks may be loosely defined as enthusiasts, obsessed with cool and trendy things. Nerds, on the other hand, are more intellectual and painstakingly focus on acquiring knowledge in a particular topic or field.
To prove this distinction, Burr Settles — data scientist, software engineer, and author of Active Learning — published the results of his experiment which illustrated words that accompany the terms geek and nerd.
Words that accompany the term geek were plotted on the y axis, and nerdy words on the x axis. In general, orange words are geeky, blue words are nerdy. The affinity for these words to their terms increases further along the axes — that is to say that “culture” is more often associated with geeks than “collections”; “biochemistry”, “neuroscience” and “salary” are nerdier words compared to “exams” and “teachers”. Words along the x=y plotted line are just as geeky as they are nerdy.
Read Burr’s breakdown of his experiment on his blog, Slackpropagation.


For my amusement...
The Board of Education for the Los Angeles Unified School District, the second largest school district in the US, has approved a $30 million contract with Apple to buy iPads for students in 47 schools. As part of the Common Core Technology project, iPads will cost $678 (higher than the normal price because it includes a case and pre-loaded software, including some from Pearson). Education professor Larry Cuban weighs in with some important critical questions about the plan, noting that no journalists called him for a comment. But hey, Apple issued a press release, so there ya go. This is phase 1 of a $500 million plan to equip every kid in the district with a device. [$500,000,000 for 662,140 students = $755 per student Bob]
… Florida’s Miami-Dade County School District approved a $63 million plan to lease computing devices to its students, part of its plan to go entirely make sure every student in the district has a laptop or tablet by 2015.


Sunday, June 23, 2013

And so another 'digital age' comedy begins, with every country that enjoys tweeking the US adding their two cents to the story.
Hong Kong lets Snowden leave to Moscow, with Cuba among possible destinations
Edward Snowden left for Moscow on Sunday and his final destination may be Cuba, Ecuador, Iceland or Venezuela, according to various reports. The move is bound to infuriate Washington, wherever he ends up.


Another perspective.
The Surveillance-Marketing Complex, Coming Soon to a Computer Near You
… As James Risen and Nick Wingfield reported yesterday in the New York Times, the interests of tech companies and the NSA have been converging over the past decade in two ways. The first way is fairly prosaic: Lots of Silicon Valley companies are in the business of selling stuff to the NSA: storage hardware, sophisticated communications equipment, data analytics software, and more.
… But there's a second way that the interests of Fort Meade and Santa Clara County have converged: These days, they're fundamentally in the same business. The NSA calls it surveillance, and all the rest of us just call it spying. Silicon Valley, conversely, wouldn't be caught dead calling it that. They call it "targeted advertising" or "monetizing the social network." But it's pretty much the same thing.


Welcome to the “World Wide Web,” where exceptions are the rule!
Google News in Germany asks publishers to opt-in for indexing, sidesteps copyright fees
Despite its "Defend Your Net" campaign last year, Google was unable to fully put the brakes on changes to German copyright law that may mean it has to pay up for news excerpts it indexes. As a result, the company announced that unlike the other 60 countries where Google News operates by relying on sources to opt out of inclusion by request, robots.txt file or meta tags, it's requiring German publishers to opt-in. According to Google, it's pushing six billion visits per month to publishers worldwide as a free service, not something it should have to pay for. As TechCrunch points out, the issue comes as a result of the new German law that allows search engines to continue to publish snippets of news without paying, but isn't clear about just how much information that can include.


Interesting for a discussion starter, but totally impractical as a regulation.
Joseph J. Lazzarotti writes:
Most breach notification mandates require a notice be provided without unreasonable delay. In some cases, such as under HIPAA, the same standard applies but also with an outside date to provide the notice – 60 days. Proposed regulations under the Affordable Care Act would require notification to the Department of Health and Human Services in one hour!
In §155.280(c)(3) we propose that [Federally-facilitated Exchanges or FFEs], non-Exchange entities associated with FFEs, and State Exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach. We also propose that a non-Exchange entity associated with a State Exchange must report all privacy and security incidents and breaches to the State Exchange with which they are associated.
Read more on Lexology.


Perhaps something for my next Statistics class?
What do consumers expect in the way of data security and privacy protections when they sign up for a premium subscription service?
I was reading up on the class action lawsuit against LinkedIn following their breach last year, and discovered that the plaintiff had retained Serge Egelman, who conducted two new surveys in April on this question. His survey methodology and results were submitted to the court as exhibits, and I’ve uploaded the whole filing here (Exhibit A starts on p. 32, Exhibit A-2 with methodology begins on p. 43). In his declaration, Egelman states:
First, through a review of the existing academic literature, I determined that consumers incorporate data security and privacy concerns, costs, and benefits into their purchasing and consumption decisions, and that consumers are often willing to pay a premium for information security.
Second, through a survey I conducted the week of April 1, 2013, I determined that when consumers pay for a “premium” social networking service, they expect their information to be protected with a heightened level of security, and that, at a bare minimum, industry-standard security protocols will be used to guard their information.
Third, through a survey conducted the week of April 22, 2013, I determined that an internet service using industry-standard security practices has higher utility to consumers than a service with substandard security. I also determined that when consumers are evaluating the utility of a website or internet service, privacy and security concerns factor heavily into that evaluation, and that consumers will choose a website or internet service with industry-standard security practices over an otherwise identical service with substandard security.
Reading his methodology and results, I think his data support a conclusion that when thinking about data security and privacy is prompted (as by the wording of survey response alternatives), consumers will consider a business’s security standards and expect – and be willing to pay more for – better data security. These two surveys do not, however, show that consumers actually consider data security at all in making their decisions about a premium subscription service, outside of a structured survey. Then, too, the correlations he reports for some findings, while statistically significant, do not actually account for much of the variance in respondents’ answers (effect sizes were not reported, but are easily estimated for Pearson correlations). Egelman addresses the fact that many people do not actually read privacy policies or security assurances in his discussion, where he notes how when security or privacy concerns are noted by experts or the media, the word spreads quickly and people will voice their concerns or put pressure on businesses. He uses this to argue that had LinkedIn not overstated their data security, their allegedly substandard security would have been noted, discussed publicly, and would have influenced subscribers’ decisions as to whether to pay for premium services. I suspect he’s probably right on that.
The litigation aside, I think it’s unfortunate that his research on consumer expectations is first being presented as a court exhibit instead of in a privacy or security forum where it might receive greater discussion, and I hope this blog post serves to make others aware of his research so we can discuss it.