Saturday, August 10, 2013

Think about what had to happen here. This isn't a case of clicking “Reply All” rather than “Reply.” This took some serious screwing up to accomplish.
James Moore reports:
The Serious Fraud Office is engulfed by a new scandal after it admitted that thousands of pages of evidence as well as tapes and data files from 58 separate sources were sent back to the wrong owner.
The enormous volume of evidence related to its long-running corruption investigation into defence giant BAE Systems which finally ended in 2010 with the company agreeing to pay almost £300m in the US and UK.
Read more on The Independent.
[From the article:
The data constituted fully 3 per cent of the total evidence accumulated as part of the case, and included 32,000 document pages and 81 audio tapes in addition to electronic media.
Frantic efforts were underway to contact the sources of that evidence and other people who might be affected by the leak, which occurred between May and October last year. [Suggesting more than one incident? Suggesting it took them several months to notice? Bob]
The Independent understands that the information was leaked to an unnamed individual, rather than an organisation.


On a broader scale...
The Information Commissioner’s Office has provided an interesting breakdown of breach reports for the first quarter of their fiscal year. The data are provided by incident type and sector, here.
Not surprisingly, the largest incident type was “disclosed in error.” The healthcare sector and local government reported the most breaches, but then, not every entity has to report breaches, so their numbers may be a bit misleading in terms of relative losses.


Did they tell the court they wanted to do the same thing Google was doing to gMail? Computer scanning it for keywords? Google is looking to place appropriate ads, NSA is looking to place appropriate Mavrick missiles.
emptywheel writes:
Finally! The backdoor!
The Guardian today confirms what Ron Wyden and, before him, Russ Feingold have warned about for years. In a glossary updated in June 2012, the NSA claims that minimization rules “approved” on October 3, 2011 “now allow for use of certain United States person names and identifiers as query terms.”
[...]
But the Guardian is missing one critical part of this story.
The FISC Court didn’t just “approve” minimization procedures on October 3, 2011. In fact, that was the day that it declared that part of the program — precisely pertaining to minimization procedures — violated the Fourth Amendment.
So where the glossary says minimization procedures approved on that date “now allow” for querying US person data, it almost certainly means that on October 3, 2011, the FISC court ruled the querying the government had already been doing violated the Fourth Amendment, and sent it away to generate “an effective oversight process,” even while approving the idea in general.
Read more of this fascinating post here.

(Related)
TRAC – New Information on FISA Judges
by Sabrina I. Pacifici on August 9, 2013
“Central to the growing dispute about the legality and value of the very extensive electronic surveillance by the National Security Agency (NSA) is the secret federal court that approves the search warrants authorizing the NSA’s world-wide efforts. While the operations of both the NSA and the decisions of what is now incorrectly called the Federal Foreign Intelligence Surveillance Act (FISA) court are highly classified, information about the backgrounds of the judges — including their sentencing patterns over the past five years — has just been released by the Transactional Records Access Clearinghouse (TRAC) at Syracuse University. Read the report. The sentencing information about named judges — which compares each judge’s record with those of his/her colleagues in their home districts — was developed earlier this year using information TRAC obtained and analyzed. With the information in TRAC’s report, you can obtain the median and average sentences the judges imposed for all the matters they handled. You can also drill down into details on specific program areas, such as those cases classified by the Justice Department as involving drugs or white collar crime violations.”

(Related) Does the UK have a FISC Court?
James Ball reports:
BT and Vodafone are among seven large telecoms firms which could be pulled into a legal challenge under human rights law for cooperating with GCHQ’s large-scale internet surveillance programs.
Lawyers for the group Privacy International, whose mission is to defend the right to privacy, have written to the chief executives of the telecoms companies identified last week by the German paper Süddeutsche and the Guardian as collaborating in GCHQ’s Tempora program.
Tempora is an internet buffer that lets analysts search vast databases of metadata on internet traffic crossing the UK, for up to 30 days after data is sent. Content of communications is retained for up to three days.
Read more on The Guardian.

(Related) Cheaper than fighting it in court?
First it was LavaBit. Now it’s Silent Circle shuttering its e-mail service. In a “To Our Customers” post on their blog, Joncallas explains:
Email that uses standard Internet protocols cannot have the same security guarantees that real-time communications has. There are far too many leaks of information and metadata intrinsically in the email protocols themselves. Email as we know it with SMTP, POP3, and IMAP cannot be secure.
And yet, many people wanted it. Silent Mail has similar security guarantees to other secure email systems, and with full disclosure, we thought it would be valuable.
However, we have reconsidered this position. We’ve been thinking about this for some time, whether it was a good idea at all. Today, another secure email provider, Lavabit, shut down their system lest they “be complicit in crimes against the American people.” We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.
Their Silent Phone, Silent Text, and Silent Eyes services will continue.
And so our government’s surveillance of its own citizens continues to take a toll on innovation in technology and will drive more customers to EUropean companies and businesses. President Obama may try to claim there is no “domestic spying” program, but he is just playing word games.


“Let's see if they buy this...”
In conjunction with President Obama’s press conference today on privacy and surveillance concerns, the White House released a white paper, Bulk Collection of Telephony Metadata Under Section 215 of the USA PATRIOT Act.
This white paper explains the Government’s legal basis for an intelligence collection program under which the Federal Bureau of Investigation (FBI) obtains court orders directing certain telecommunications service providers to produce telephony metadata in bulk. The bulk metadata is stored, queried and analyzed by the National Security Agency (NSA) for counterterrorism purposes. The Foreign Intelligence Surveillance Court (“the FISC” or “the Court”) authorizes this program under the “business records” provision of the Foreign Intelligence Surveillance Act (FISA), 50 U.S.C. § 1861, enacted as section 215 of the USA PATRIOT Act (Section 215). The Court first authorized the program in 2006, and it has since been renewed thirty-four times under orders issued by fourteen different FISC judges. This paper explains why the telephony metadata collection program, subject to the restrictions imposed by the Court, is consistent with the Constitution and the standards set forth by Congress in Section 215. Because aspects of this program remain classified, there are limits to what can be said publicly about the facts underlying its legal authorization. This paper is an effort to provide as much information as possible to the public concerning the legal authority for this program, consistent with the need to protect national security, including intelligence sources and methods. While this paper summarizes the legal basis for the program, it is not intended to be an exhaustive analysis of the program or the legal arguments or authorities in support of it.
Read the full paper (23 pp.) here. I’ll update this post with links to articles about it as they become available.
Update1: The Washington Post has a transcript of his opening remarks at the press conference.


Might be useful for my Statistics students.
NY Fed Commentary – Historical Use of Graphics
Historical Echoes: Off the Charts! by Kathleen McKiernan
“The visual representation of information, knowledge, or data has been around since the time of the caveman. But it wasn’t until 1786, when William Playfair, a Scottish engineer, published The Commercial and Political Atlas, illustrating for the first time how economic data could be represented by charts. Playfair’s work preceded that of Florence Nightingale—broadly acknowledged as the founder of modern nursing—who used information graphics in the 1850s to convince Queen Victoria that reform was needed in the British military health service. Nightingale developed the Coxcomb chart—a combination of stacked pie and bar charts—to assess mortality among soldiers during the Crimean War. Excerpted below from a report by the Committee for Economic Development, a Washington, D.C., nonprofit think-tank, this 1943 chart presents a long-range record of booms and depressions (the chart is available through the Federal Reserve Archival System for Economic Research, or FRASER). It offers a picture of the more important events that have tended to shape our economic and fiscal curves since 1775. Business activity, price inflation, federal debt, national income, and stock and bond yields are traced in a single spread. The study of “postwar periods” is spotlighted in this edition. (A 1947 release features a special section, “How Much Is One Billion Dollars?”)”


Far more amusing than it should be...
… The Third Circuit Court of Appeals has ruled that a Pennsylvania school district’s ban on wearing cancer awareness bracelets that read “I ♥ boobies” violated students’ First Amendment free speech rights. [They ran into another “zero tolerance” rule Bob]
… The National Science Foundation has cancelled its political science grant funding for the rest of the year, blaming Congress which passed a law requiring that political science research grants benefit either national security or the economy.
… Google’s app store Google Play now offers textbooks for rent or for purchase.


For my students. As we get more into Cloud Computing and Mobile Apps, these are even more fun.
… While ChallengePost doesn’t make the headlines all that often, the site was covered by Wired, Mashable, and a bunch of other tech news sources you already know. In other words, this is a service with a pretty serious footprint. It already carried challenges by Samsung, Evernote (a MakeUseOf favorite), and even the White House. You’ll note that all of these challenges have their own unique domain names, but the ChallengePost interface remains largely unchanged within the challenge itself.
If you’re just looking for an interesting opportunity, though, you’ll want to start from the ChallengePost homepage:
The homepage itself carries just five featured challenges. At the time of this writing, all challenges featured on the homepage carry monetary prizes, with the lowest being $1,200 for the Chart.js Personal Dashboard Challenge and the highest being $50,000 for the Kii Cloud App Challenge. Note that it’s usually not a “winner-takes-all” affair: The Kii challenge, for example, awards $16,900 to the first-place winner, $12,700 to the runner-up, $9,200 to the third-place winner, and $11,700 to a “Popular Choice Award” winner.
If none of the featured challenges captures your imagination, don’t fret: Simply continue to the Discover Challenges page, where you may view a full list of challenges, as well as filter and search for particular types of challenges. The selection is truly impressive, from a challenge calling you to Gamify Asthma and help asthma-suffering kids with tech, to one for developing new ways to discover books, with lots of challenges in-between.


For my students. You can't MindMap much easier than this...
Text2Mindmap

Friday, August 09, 2013

“Yes we follow Best Practices and encrypt your data, but we also follow Worst Practices and provide the decryption App on the same server.”
From the this-doesn’t-sound-good dept.:
Smartphone Experts discovered that the system used for customer payments for online shopping had been hacked. Although stored customer data were encrypted, Diana Kingree, the Senior Vice President of Commerce, noted that the hacker may have been able to use a decryption feature of the system to view customers’ names, addresses, credit or debit card number, CVV, and card expiration date. Why all that information was even stored on the system or for how long it was stored was not disclosed.
The breach was discovered by the Florida-based e-tailer on July 12, but the firm does not indicate how it learned of the breach or, more importantly, perhaps, when the breach actually occurred. California’s breach submission form requires entities to report the date of breach if known. Smartphone Experts did not provide that information, which may indicate that the forensic investigators have yet to determine when the breach actually began.
In their notification letter to customers dated August 6, Smartphone Experts does not offer customers any free credit monitoring service. Indeed, they say they are notifying customers “out of an abundance of caution.” Not only do I disagree that notification is ”an abundance of caution” for this situation, I think affected customers should have been offered some free credit monitoring services.


Note that there is no way to find the email that mentions “EvilGuys@Terrorists-R-Us.org” without reading ALL emails. We've always assumed they could ignore emails that didn't interest them. This could be a minor variation added to Googles email “search” looking for ways to target Ads. (Adding “Bad Behavior” to the Behavioral Advertising tool?)
Charlie Savage reports:
The National Security Agency is searching the contents of vast amounts of Americans’ email and text communications into and out of the country, hunting for people who mention information about foreigners under surveillance, according to intelligence officials.
The NSA is not just intercepting the communications of Americans who are in direct contact with foreigners targeted overseas, a practice that government officials have openly acknowledged. It is also casting a far wider net for people who cite information linked to those foreigners, such as a little-used email address, according to a senior intelligence official.
Read more of this NYT story on Pioneer Press.


Another failure in the land of 32 ounce sodas?
John Caher reports:
The Bloomberg administration has agreed under a settlement announced on Wednesday to purge a New York City Police Department database containing personal information on individuals who were stopped by authorities, and also agreed to pay $10,000 to the lead plaintiff in a putative class action.
Under the terms of the settlement, the city will within 90 days delete the names and addresses of all individuals who were stopped, questioned and/or frisked. It will also pay a settlement to the only plaintiff seeking damages, freelance journalist Daryl Khan. The other members of the class sought only injunctive relief.
Read more on The New York Times.


All this for a mere 91 Suspicious Activity Reports? Only a government could think this made sense.
National Network of Fusion Centers Final Report 2012
DHS Office of Intelligence and Analysis, 2012 National Network of Fusion Centers Final Report, Released July 15, 2013.
“Threats to the homeland are persistent and constantly evolving. Domestic and foreign terrorism and the expanding reach of transnational organized crime syndicates across cyberspace, international borders, and jurisdictional boundaries within the United States highlight the continued need to build and sustain effective intelligence and information sharing partnerships among the federal government; state, local, tribal, and territorial (SLTT) governments; and the private sector. These partnerships are the foundation of a robust and efficient homeland security intelligence enterprise that goes beyond shared access to information and intelligence to foster sustained collaboration in support of a common mission. This collaboration enables the fusion process and provides decision makers across all levels of government and within the private sector with the knowledge to make informed decisions to protect the homeland from a variety of threats and hazards. State and major urban area fusion centers (fusion centers) are the nexus of the homeland security intelligence enterprise at the state and local level. They serve as focal points for the receipt, analysis, gathering, sharing, and safeguarding of threat-related information between the federal government and SLTT and private sector partners. As such, fusion centers provide a state and local context that enhances the national threat picture and enables local officials to better protect their communities. They also provide critical information and subject matter expertise that allows the Intelligence Community (IC) to more effectively “connect the dots” to prevent and protect against threats to the homeland.”


What strategic (or even tactical) advantage did the government gain by leaking these emails?
From the no-surprise dept.:
The Justice Department has asked for a 30-day extension, until Sept. 4, to respond to her lawsuit against the government for violating her family’s privacy, rifling through her e-mails and leaking confidential information about her.
Read more on USA Today.
[From the article:
Kelley had been an unpaid social liaison to the military and had hosted parties for military officials, including Petraeus and Gen. John Allen, at her home on Tampa's Bayshore Boulevard. The headquarters of Central Command, which oversees military action in the Middle East, is a few miles away.
Petraeus' extramarital affair with his biographer, Paula Broadwell, was exposed after Kelley complained to the FBI about harassing e-mails she had received. Broadwell was behind them.
… That prompted then-Defense Secretary Leon Panetta to call for an investigation of Allen's relationship with Kelley to determine if there had been "professional misconduct" on his part. Allen and Kelley say there was nothing inappropriate about their relationship. The Pentagon inspector general agreed, although the Defense Department refuses to release its findings.
… Kelley and her husband, Scott, want an apology and unspecified damages for what they say were willful leaks by federal officials of false and damaging information about them. Those officials should have been protecting them and their privacy, they say in their lawsuit.


Violating the law is not enough? Should he have tried the “not what the contract promised” approach?
John D. Seiver and Ronald G. London write:
In Padilla v. DISH Network L.L.C., a former subscriber alleged DISH failed to destroy his personally identifiable information (PII) upon cancellation of service, and failed to continue sending annual privacy notices while retaining his PII. A Chicago federal district judge dismissed claims for damages under the satellite subscriber privacy provisions (identical to cable’s), holding that the subscriber was not “aggrieved” because indefinite PII retention caused no actual damage, despite being contrary to the statute.
Read more on Lexology.


For my Computer Science students...
– is a new cloud storage service that helps people upload all their files quickly and efficiently from anywhere. Upload any file and send a link to anyone – there’s no requirement for them to sign up and there’s nothing to install. If you sign up today, you will receive 100GB of cloud storage space free, with the option to upgrade to paid plans with more storage and features.


For my Website students...
– has free interactive online courses that teach the basics of web development and computer programming (HTML5, CSS3 and JavaScript), in a way that makes learning fun and effective. All levels are free for registered teachers – for students, level 1 is free while other levels are $5 per student. CA also has a 2-5 day camp that teaches 10-16 year olds the basics of computer programming.


Because I like lists...
Best of the Web for #TLC13
This morning at the Teaching & Learning Conference held on the campus of Gaston College I presented the best of the web 2013. The slides are embedded below.


Just because I'm a geek...
NASA's Massive Free E-Book Collection
Behold, the hundreds of free e-books about space history contained on this webpage.

Thursday, August 08, 2013

Interesting question.
Are Terror Warnings Pointless?
Official warnings of imminent—or even of not so imminent—al-Qaida attacks have (fortunately) had a perfect record: They never seem to pan out.
… Regrettably, the Obama administration has never subjected massive homeland security expenditures to the kind of sober and systematic evaluation they so richly deserve after a decade of drunken-sailor profligacy. And it has continued to find threatening proto-al-Qaidas popping up everywhere.
… And those raising the alarm have a decided advantage: They can never be proved wrong. As Dan Gardner points out in his superb book, Future Babble, if there is an attack, they can claim prescience. If there isn’t, they can insist that their warnings and preparations prevented or deterred it while deftly classifying information that might determine whether that is true or not.
… However, experience questions whether such generalized warnings should be issued at all. If intelligence has uncovered specifics of target and time of attack, the sensible response, of course, is not to bloviate grandly, but to work to secure the likely target or targets or to use policing measure to disrupt the plot.
But if, as it appears thus far in the present case, the warnings are vague and unspecific, issuing proclamations of danger out of an “abundance of caution” (as it has been put by the State Department) scarcely helps the situation.


Rather than disclose classified sources, lie?
John Shiffman and David Ingram report:
Details of a U.S. Drug Enforcement Administration program that feeds tips to federal agents and then instructs them to alter the investigative trail were published in a manual used by agents of the Internal Revenue Service for two years.
The practice of recreating the investigative trail, highly criticized by former prosecutors and defense lawyers after Reuters reported it this week, is now under review by the Justice Department. Two high-profile Republicans have also raised questions about the procedure.
Read more on Reuters.
[From the article:
A 350-word entry in the Internal Revenue Manual instructed agents of the U.S. tax agency to omit any reference to tips supplied by the DEA's Special Operations Division, especially from affidavits, court proceedings or investigative files. The entry was published and posted online in 2005 and 2006, and was removed in early 2007.
… Monday's Reuters report cited internal government documents that show that law enforcement agents have been trained to conceal how such investigations truly begin - to "recreate" the investigative trail to effectively cover up the original source of the information.
DEA officials said the practice is legal and has been in near-daily use since the 1990s. They have said that its purpose is to protect sources and methods, not to withhold evidence.
Defense attorneys and some former judges and prosecutors say that systematically hiding potential evidence from defendants violates the U.S. Constitution. According to documents and interviews, agents use a procedure they call "parallel construction" to recreate the investigative trail, stating in affidavits or in court, for example, that an investigation began with a traffic infraction rather than an SOD tip.


Is worse that what NSA does, and it was an accident? (or is this another IRS lie?)
Bogdan Botezatu reports:
A massive numbers of Prodigy subscribers in Mexico have had their email conversations exposed overnight because of a security flaw in the company’s mobile e-mail and web-based mail systems.
According to a news report by El Economista, the flaw allowed search engines to simply index private conversations and list them on the World Wide Web in search results. At the moment, security specialist Ken Westin, who discovered the flaw, estimates that several thousand e-mail accounts registered on prodigy.net.mx and several other domains have been exposed.
Read more on HotforSecurity.


Wouldn't DoJ view these folks as “Co-conspiritors?”
Publishers urge DOJ to rethink Apple e-book remedies
… Hachette, HarperCollins, Holtzbrinck (also known as Macmillan), Penguin, and Simon & Schuster filed an opposition to last week's proposed remedies against Apple by the Justice Department, arguing that the plan would "effectively eliminate the use of the agency model" for e-book distribution for the next five years.
Under the guise of punishing Apple, they effectively punish the Settling Defendants by prohibiting agreements with Apple using an agency model," the publishers wrote, adding that the move "directly conflicts" with the settlements the publishers reached with the Justice Department before the Apple case went to trial.


More jobs for my Computer Security students.
Avik Roy reports:
In order for Obamacare to work, the government will need to know a lot about your financial, medical, and employment situation. Has the Obama administration set up adequate safeguards to protect Americans’ privacy under the law? According to the Office of the Inspector General of the Department of Health and Human Services, the answer is no. Based on OIG’s analysis, Obamacare’s exchanges may end up illegally exposing Americans’ private records to hackers and criminals.
Read more on Forbes.


Perspective: For my Ethical Hackers. If Willie Sutton (look him up) was alive today, he would say, “I hack, because that's where the money is.”
Pew: 51% of U.S. Adults Bank Online
Susannah Fox: “Fifty-one percent of U.S. adults, or 61% of internet users, bank online. Thirty-two percent of U.S. adults, or 35% of cell phone owners, bank using their mobile phones. Both types of digital banking are on the rise. In 2010, 46% of U.S. adults, or 58% of internet users, said they bank online. In 2011, 18% of cell phone owners said they have used their phone to check their balance or transact business with a bank.”


For my serious hacker students
Want to build your own electronics, but don’t know where to start? Then you’re certainly looked into the Arduino, only to find yourself frustrated when you look for a simple-language guide. We hope Getting Started With Arduino, A Beginner’s Guide can help.
… Arduino is an open-source electronics prototyping platform based on flexible, easy-to use hardware and software. It’s intended for artists, designers, hobbyists, and anyone interested in creating interactive objects or environments.
PDF, EPUB, Amazon and online. No password or registration required.


For the Swiss Army Folder...
When it comes to video editing, most programs currently available are extremely dense and packed with hundreds of options. … The downside is the huge inherent learning curve of such complex programs. What if you want to edit videos on a more basic level? I present to you: Avidemux.
Now, to be fair, there are a few basic video editors available if you need a quick cut or splice – I’m thinking Windows Movie Maker and VirtualDub. However, those programs come with limitations and difficulties that may prove to be dealbreakers. On the other hand, Avidemux is new, simple, powerful, and entirely free.
Avidemux is available on all of the major platforms – Windows, Mac, and Linux … Not only is Avidemux free, but it’s also open source in case you want to take a look at the inner workings of it.
Avidemux is so great that it’s part of our Best Portable Apps page.


I wish I didn't feel I had to tell every woman I know with a Android smartphone about this App. Are there similar Apps for other platforms?
SOS Stay Safe! – is a discreet, personal safety app for women. It empowers women against abuse and acts of violence. Users can send SOS alerts to their friends and family on sensing danger, simply by shaking their phone. Text and email messages are sent at regular intervals to provide real time GPS tracking from your exact location. The alerts are sent discreetly, without you having to even look at your device.

Wednesday, August 07, 2013

The government wants me to pay for your computer security? Expect me to be less than amused if you screw it up. Computer security students: make sure your employers are aware of this!
White House to offer companies cybersecurity incentives
… Chaired by the Department of Homeland Security, the program incentives offered to companies include cybersecurity insurance, priority consideration for grants, and streamlined regulations. To get these incentives, the critical infrastructure companies must agree to adopt certain tech practices within the government's upcoming Cybersecurity Framework.


For my Computer Security students, plan ahead.
Coming Soon: The Cybercrime of Things
Recent work by security researchers indicates that one of the problems with having a "smart" home is that some day, it might be smart enough to attack you. The essence of the forthcoming "internet of things" is that everything we own, from our refrigerators and egg cartons to our cars and thermostats, will some day be outfitted with internet-connected sensors and control systems, allowing all our possessions, and ultimately all of our civic infrastructure, to communicate with each other and be controlled remotely.
… Here, then, is a handy guide to the basic vulnerabilities we'll be adding to our lives once we have connected all of our worldly goods to the internet of things:
Direct attacks that force objects to exceed their design parameters or operate in ways that are unpleasant or dangerous
Misdirection leading to user error and damage
A world of new possibilities for spying


Now you can get that free colonoscopy anywhere! (What is our “cost per terrorist detected?”)
NYT- TSA Expands Duties Beyond Airport Security
Ron Nixon: “With little fanfare, the agency best known for airport screenings has vastly expanded its reach to sporting events, music festivals, rodeos, highway weigh stations and train terminals. Not everyone is happy. T.S.A. and local law enforcement officials say the teams are a critical component of the nation’s counterterrorism efforts, but some members of Congress, auditors at the Department of Homeland Security and civil liberties groups are sounding alarms. The teams are also raising hackles among passengers who call them unnecessary and intrusive… T.S.A. officials respond that the random searches are “special needs” or “administrative searches” that are exempt from probable cause because they further the government’s need to prevent terrorist attacks.”


“We notice that you had the desert last night and did not increase your workout today. We are raising your health insurance premium 2%.”
Nancy Collamer reports:
As useful as health apps and fitness apps may be, a stunning new report from the Privacy Rights Clearinghouse, a consumer education and advocacy nonprofit, says they may also pose “considerable privacy risks” for users.
The group came to this conclusion after studying 43 of the most popular wellness apps (half for iPhones, half for Androids; 23 free and 20 paid). Many of the apps, the study noted, collect a hefty amount of personal information, including the user’s name, email address, age, gender, height, weight, lifestyle habits (diet, exercise, etc.) and prescription records.
Read more on Forbes.


I tried to explain to my Computer Forensics class that they could apply what they learned to more than just criminal investigations... (This case also confirms my “politicians is nutz” mantra...)
$3.1 Million e-Discovery Vendor Fee Was Reasonable in a $30 Million Case
Three Million, One Hundred Thousand Dollars was found to be a reasonable sum to pay an e-discovery vendor for processing and hosting 2.7 million documents for review in a professional malpractice case. Tampa Bay Water v. HDR Engineering, Inc., Case No. 8:08-CV-2446-T-27TBM. (M.D. Fl. November 2, 2012) (also found at 2012 U.S. Dist. LEXIS 157631 and 2012 WL 5387830).
… This $3.1 Million award represents a little more than ten percent of the total value of this case, $30 Million. I derive this case value based on the fact that the case actually did settle with HDR for that amount before trial. Then, in a very unusual move, even for Florida, the settlement was later repudiated by the politicians running the water utility, a quasi-governmental authority.


Google gooder!
Google – In-depth articles in search results
Posted by Pandu Nayak, Member of Google Technical Staff: “Users often turn to Google to answer a quick question, but research suggests that up to 10% of users’ daily information needs involve learning about a broad topic. That’s why today we’re introducing new search results to help users find in-depth articles. These results are ranked algorithmically based on many signals that look for high-quality, in-depth content. You can help our algorithms understand your pages better by following these recommendations:
Following these best practices along with our webmaster guidelines helps our systems to better understand your website’s content, and improves the chances of it appearing in this new set of search results. The in-depth articles feature is rolling out now on google.com in English. For more information, check out our help center article, and feel free to post in the comments in our forums.”

(Related)
YouTube – world’s second largest search engine
Francis Rey Balolong:”All the milestones YouTube achieved in less than a decade has made it the world’s second largest search engine, and a key platform for online video marketing and advertising. The online video sharing service, developed by a trio of former PayPal employees in February 2005, now allows users to upload, watch, and share videos to each other and to other websites, such as Facebook… It processes more than 3 billion searches each month.”


Is this going to help my students or just become a major legal kerfuffle?
Boundless textbooks get paid study guides, iOS apps
Free-textbook service Boundless is delving into paid services this week, all designed to more fiercely compete with textbooks from major publishers.
On Tuesday the Boston-based company rolled out what it considers the second phase of its service: textbooks that can very nearly mirror the titles you'd get from major publishers, but at $20 a piece.
These titles are effectively the same thing the company's offered since last year, but they're specifically reordered to match up with mainstream textbooks. Users can search for the title of the major publisher's book they've been assigned to buy, and get a version from Boundless instead.
… The backdrop to all this is a lawsuit between Boundless and three major academic book publishers, who sued last March. Those companies, which include Pearson, Cengage, and MacMillan, claim that Boundless is violating copyright law by offering works that are "overwhelmingly similar" to their own textbooks. Boundless, on the other hand, has argued it's created the content.
… The new tools came out Tuesday, and the company is still offering its library of 21 "open textbooks" for free -- just without the study guide features.

Tuesday, August 06, 2013

“Dude, don't mess with my revenue stream!” Being unable to accept reservations (airline, hotel, rental cars) costs a lot of money. The last time I remember one of these systems failing, they fired three levels of management.
Airline Reservation System Back Up After Failure
A global computer reservation system crashed on Monday night, impacting hundreds of airlines and airports around the world and causing flight cancellations for hundreds of thousands of travelers.
“Sabre customers were unable to connect to our system for a period of time this evening,” company spokesperson Nancy St. Pierre said in a statement issued early Tuesday morning. “We apologize and regret the inconvenience caused.”
The outage began around 10:45 p.m. Monday night, according to American Airlines. St. Pierre said that systems were coming back online around 1:15 a.m. Tuesday morning.


How would you confirm that the “stolen records” are in fact real records and not something created just for you? Compare them with records that the “clinic” can't release? Buy another set of stolen records?
Several months ago, I was contacted by a reader who asked me about the Alex Rodriguez case and whether there was a HIPAA breach. I responded, via e-mail, that I didn’t know as the clinic was no longer in operation and I didn’t have any information on them. Over the weekend, a story appeared on The Bent Corner in that says, in part:
The evidence against A-Rod is based on stolen medical records obtained from Porter Fischer, an ex-employee of Biogenesis of America, an anti-aging clinic in Coral Gables, Florida. The clinic has since closed. Reportedly, MLB paid Fischer for the records. Fischer stole the medical records from Biogenesis of America because he believed the clinic owed him some money, $4,000 to be exact.
What’s worse, using PEDs or stealing someone’s medical records?
Biogenesis of America was owned and operated by Tony Bosch, a man who at least pretended to be a medical doctor. It would stand to reason that anyone partaking of the ant-aging services of Biogenesis of America, whether they be a retired postal worker or a guy playing third base for the New York Yankees, had the expectation that what they were doing was confidential and protected by doctor-patient privilege.
As I noted in my discussion of a case involving blood donors, not all entities are HIPAA-covered entities, even if they employ doctors or have a medical component. Was Biogenesis of America ever a HIPAA-covered entity? I don’t know. They listed a medical doctor as their medical director in their Florida business incorporation papers, but again, that doesn’t make them a HIPAA-covered entity. So that’s one question: was there a reportable privacy breach under HIPAA or not?
As a second question: can Major League Baseball purchase records stolen from a clinic and use them against a player? I don’t think they should be able to do so, but I don’t know if that’s really what they did, and besides, I am not a lawyer and do not know what the law says about such conduct.
But the public perception is what I want to address. The fact that the public may have an expectation of privacy when there may be no HIPAA protection or state law protection is problematic and needs to be addressed. Whether it’s an anti-aging clinic, a weight loss clinic, or anything other than a medical practice that hands you a copy of their HIPAA policies and/or privacy practices, ask whether they are HIPAA-covered and ask for a copy of their privacy policies.


This reads like Kroes believes using cloud services means he doesn't need to secure his data. How many times have I posted articles about companies who apparently thought the same thing?
EC – consequences of living in an age of total information
“If businesses or governments think they might be spied on, they will have less reason to trust the cloud, and it will be cloud providers who ultimately miss out.
Why would you pay someone else to hold your commercial or other secrets, if you suspect or know they are being shared against your wishes? Front or back door – it doesn’t matter – any smart person doesn’t want the information shared at all. Customers will act rationally, and providers will miss out on a great opportunity. In this case it is often American providers that will miss out, because they are often the leaders in cloud services. Which brings me to another interesting consequence of recent allegations. Particularly allegations about US government surveillance concerning European partners and allies. If European cloud customers cannot trust the United States government or their assurances, then maybe they won’t trust US cloud providers either. [Should they ever? Bob] That is my guess. And if I am right then there are multi-billion euro consequences for American companies. If I were an American cloud provider, I would be quite frustrated with my government right now. I do not have an agenda here: I am committed to open markets, to liberal values, and the opportunities of new digital innovations. [Let's agree that that is an agenda. Bob] Yet even I am thinking twice about whether there is such a thing as a level playing field when it comes to the cloud.
So I am saying two things: Concerns about cloud security can easily push European policy makers into putting security guarantees ahead of open markets; with consequences for American companies. Privacy is not only a fundamental right, it can also be a competitive advantage. Companies focused on privacy need to start coming forward into the light and help them do that. That would be a smart company indeed. And 2013 is the year. That includes European companies who should take advantage of interest to provide services with better privacy protection.”


We knew this would happen, didn't we? I'm still not sure why it happened.
South Korea frets over U.S. veto on Apple sales ban
The South Korean government has voiced its concerns over a decision by the U.S. government to overturn a ban of some Apple models in the United States.
The Obama administration on Saturday vetoed a court ruling that would have stopped the iPhone maker from selling older versions of its smartphone and iPad in the U.S. market.
… It called for the Obama administration to make "fair and reasonable decisions," as Samsung faces a possible import ban on its own products in the U.S. following Apple's claims the Korean manufacturer had infringed on its patents. A decision on this case is expected Friday.


Perspective: Once again I call for the creation of an Anti-Social network, so I can “DisLike” things and brand people “No Friend of Mine!”
72% of Online Adults are Social Networking Site Users
“The Pew Research Center’s Internet & American Life Project has been studying online adults’ social networking site use since 2005, and has seen substantial growth since then. Today, 72% of online adults use social networking sites. Although younger adults continue to be the most likely social media users, one of the more striking stories about the social networking population has been the growth among older internet users in recent years. Those ages 65 and older have roughly tripled their presence on social networking sites in the last four years—from 13% in the spring of 2009 to 43% now. In this report we also studied online adults’ use of Twitter. The percentage of internet users who are on Twitter has more than doubled since November 2010, currently standing at 18%. Internet users ages 18-29 are the most likely to use Twitter—30% of them now do so.”


This is not new. Control Data tried this in the 1960s and found much the same thing...
Gallup – Remote Workers Log More Hours and Are Slightly More Engaged
Gallup blog: A popular workplace trend — working remotely — made the headlines after Yahoo’s CEO required the company’s remote workers to return to the office. The company made the point that employees working from home have fewer chances to collaborate with coworkers. While not all companies allow employees to work off-site, new data from Gallup’s State of the American Workplace report shows that that nearly four in 10 (39%) of the employees surveyed spend some amount of time working remotely or in locations apart from their coworkers. And, Gallup finds that companies that offer the opportunity to work remotely might have some advantages when it comes to hours worked and employee engagement.”


Haaarvard asks:
Do You Need a Résumé in the LinkedIn Era?
Now that LinkedIn has become the standard place to present your professional history and credentials — not to mention the fastest way to check somebody else's — the humble résumé has lost its once-hallowed position as the canonical version of your professional identity. Your LinkedIn profile should be the most-viewed and most current version of your professional life. That has many people asking: Do I even need an old-fashioned résumé anymore?
The answer is a highly qualified "yes".

(Related) For my students (anything to get rid of the pests)
LinkedIn has been the goto social network for finding a job as of late, and honestly, why shouldn’t it be? It has a great deal of wonderful resources and tools aimed at job-seekers and employers alike to help them both on their journeys, and is a great tool for job-finding, especially if you can make your profile irresistible. However, LinkedIn isn’t the only way you can find a job.
There are other social networks out there perfect for helping you finding the perfect job. Some of them are well-hidden, and some are the usual suspects. The point is that you don’t have to limit yourself, and yes, there are plenty of places out there willing to accept your resumé, especially if you style it right.
Pinterest ... ideally works for freelancers and prospective job-seekers who are in some sort of visual field.
Facebook ... We recently published an entire article on the benefits of using Facebook when it comes to finding a job. I will highlight the important parts from that article, but do check it out for more information on how you can use Facebook to find a job.
There are the obvious things: clean up your profile, post a status asking your friends about jobs, participate in discussions on workplace Facebook Pages; you know them, already. However, the two key Facebook features I would like to point out are the Facebook Marketplace and the Social Jobs Partnership app.
Plaxo ... solves the problem that most other social media sites haven’t been able to: people are always changing their contact info. How can this help you find a job? Well, it mainly has to do with networking,
Twitter … Like Facebook, we’ve covered Twitter in detail when it comes to your job search.
Jobster … Admittedly, Jobster seems to be relatively unheard of, but it packs a few serious tools that can help you rise above the competition. Right off the bat, you should understand that Jobster is indeed a social network, and you can actually import your data from LinkedIn to set up a profile. … you can actually upload a video resumé to the site itself

Monday, August 05, 2013

Strategy for my Ethical Hackers: It is better to have hacked something you don't need than to need access to something you haven't hacked. Why would you ignore something that is so easy to control?
Chinese Hacking Team Caught Taking Over Decoy Water Plant
A Chinese hacking group accused this February of being tied to the Chinese army was caught last December infiltrating a decoy water control system for a U.S. municipality, a researcher revealed on Wednesday.
The group, known as APT1, was caught by a research project that provides the most significant proof yet that people are actively trying to exploit the vulnerabilities in industrial control systems. Many of these systems are connected to the Internet to allow remote access (see “Hacking Industrial Systems Turns Out to Be Easy”). APT1, also known as Comment Crew, was lured by a dummy control system set up by Kyle Wilhoit, a researcher with security company Trend Micro, who gave a talk on his findings at the Black Hat conference in Las Vegas.
The attack began in December 2012, says Wilhoit, when a Word document hiding malicious software was used to gain full access to his U.S.-based decoy system, or “honeypot.” [In other words, someone opened a document they should not have opened. Not hard to “hack” when your target cooperates. Bob]


For my Ethical Hackers. TOR still works for anonymous comunications, but you need to check those emails for malware (FBI-ware?). This kind of confirms that the FBI is using hacker tools and techniques to “get their man.” So, will we be able to use the evidence gained from his computers to locate his customers?
Alleged Tor hidden service operator busted for child porn distribution
On Friday, Eric Eoin Marques, a 28 year-old Dublin resident, was arrested on a warrant from the US on charges that he is, in the words of a FBI agent to an Irish court, "the largest facilitator of child porn on the planet." The arrest coincides with the disappearance of a vast number of "hidden services" hosted on Tor, the anonymizing encrypted network.
Marques is alleged to be the founder of Freedom Hosting, a major hidden services hosting provider. While Marques' connection to Freedom Hosting was not brought up in court, he has been widely connected to the service—as well as the Tormail anonymized e-mail service and a Bitcoin exchange and escrow service called Onionbank—in discussions on Tor-based news and Wiki sites. All those services are now offline. And prior to disappearing, the sites hosted by Freedom Hosting were also distributing malware that may have been used to expose the users of those services. [then again, maybe we don't need his computers... Bob]
Tor hidden services are a lesser known part of the Tor "darknet." They are anonymized Web sites, mail hosts, and other services which can only be reached by computers connected to Tor, or through a Tor hidden services proxy website, such as tor2web.org, and they have host names ending in .onion.


Do we even bother to look at what others are doing?
Interesting news from Japan:
The Health, Labor and Welfare Ministry plans to build an Internet-based network that would allow medical institutions nationwide to share patients’ medical treatment and drug prescription records–a move that is also likely to make it easier for patients to switch hospitals or leave one to recover at home, according to ministry officials.
The network will be compiled with so-called receipt computers– PCs equipped with medical receipt-making software used by most medical institutions and pharmacies–allowing hospitals and clinics across the country to view patients’ medical records as needed. The ministry aims to make the network operational by the end of fiscal 2018.
Read more on The Japan News.
Interestingly, the report says that patient consent will be required to share information and that they will track (generate receipts) for data access to prevent wrongful usage.
Will Japan do a better job of this than the US or UK have done so far? And will they have better data security and privacy protections in place? It all remains to be seen.


I could read this as simple prioritization. NSA should be spending resources on national security and not on “can you tell me who grows marijuana in my neighborhood?” On the other hand, this is more likely “damage control” – feeding stories to gullible journalists.
Sean Gallagher reports:
It turns out that the National Security Agency’s wide-ranging surveillance programs could have been much worse, if other federal agencies had had their way. TheNew York Times‘ Eric Lichtblau and Michael S. Schmidt report that the NSA has turned away the majority [51%? Bob] of requests for information sharing from federal law enforcement agencies, on the grounds that the requests have too little to do with national security and could be misused in ways that violate citizens’ privacy.
Read more on Ars Technica.


Someone will have to start indexing all these tools and databases, or is there already an App for that?
International Criminal Court Legal Tools Database
International Criminal Court (ICC): “The Legal Tools are the leading information services on international criminal law. They equip users with legal information, digests and an application to work more effectively with core international crimes cases (involving war crimes, crimes against humanity, genocide or aggression). By being freely available in the public commons, the Tools democratize access to international criminal law information, thus empowering practitioners and levelling preconditions for criminal justice in both richer and materially less resourceful countries. The Legal Tools are a significant contribution to national capacity development in criminal justice for core international crimes. The Tools comprise the online “Legal Tools Database”, together with legal research and reference tools developed by lawyers with expertise in international criminal law and justice: the Case Matrix, the Elements Digest, the Proceedings Digest and the Means of Proof Digest. Text in these tools or in the Legal Tools Database does not necessarily represent views of the ICC, any of its Organs or any participant in proceedings before the ICC or any of the ICC States Parties. The Legal Tools Database is made freely available through this web site. Additionally, criminal jurisdictions, counsel and NGOs that work on core international crimes cases may seek to have access to the Case Matrix – which encompasses the Elements Digest, the Means of Proof Digest and key documents from the Legal Tools Database – by sending an e-mail message with a short statement on the nature of the need to info@casematrixnetwork.org. The Co-ordinator of the Legal Tools Project uses the web site of the independent organization Case Matrix Network (CMN) to administer some aspects of the Legal Tools Project, without cost to the ICC.”


Somehow, the “reasons” don't seem to justify the actions...
Veto of Apple Ruling Likely to Upend Big Patent Battles
The Obama administration's decision to overturn an international trade ruling against Apple Inc.—the first such veto in more than 25 years—promises to upend long-running battles over intellectual property in the smartphone market and change the strategies some of the world's biggest technology companies use to defend their inventions.
Increasingly, those companies have been using patents to try to hobble rivals in a mobile-device market expected to top $400 billion this year. In 2012, the number of patent cases filed in the U.S. jumped nearly 30% from a year earlier to 5,189, according to consulting firm PricewaterhouseCoopers.
… In a letter explaining the veto, U.S. Trade Representative Michael Froman, who was charged with overseeing a presidential review of the ITC ruling, said he came to his decision after extensive consultations with government trade bodies "as well as other interested agencies and persons." Mr. Froman said he based the decision on the potential harm the sales ban would cause to consumers and the U.S. economy. He suggested Samsung could still enforce its patents in the courts.


I have Calibre loaded on a large thumb drive. That allows me to run it at home and at school, manage my books and the wife's, and be ready for eTextbooks if that ever happens.
… Before Kindle, I fell in love with Calibre. A bit on the heavy side, but this eBook management suite is incredibly powerful and always easy to use. For those users just getting started with Calibre, but also for proficient users aiming to maximise Calibre’s potentials, check out MakeUseOf’s Guide To Calibre eBook Manager.
… 1. Add Amazon Books To Calibre
MOBI and EPUB files, but also PDF and even TXT files can be easily added to your Calibre library by dragging them to the application window.
… 2. Converting Other Formats
If you have eBooks in EPUB or another format unsupported by Kindle, you can use Calibre to convert the eBooks to a supported format
… 3. Email To Kindle
Instead of connecting over USB, you can have Calibre send books to your Kindle over email.