Saturday, August 31, 2013

True, but is it wise? “Government immunity” is indistinguishable from “government don't give a damn.”
Jess Davis reports:
A Texas appeals court on Thursday blocked a civil rights advocacy group from deposing the state comptroller about a 2010 data breach that published online personal information about millions of Texans, saying the agency has governmental immunity.
Read more on Law360.com (sub. required).

(Related) Stop worrying about what you are going to say and think about what your customers are going to hear.
From the probably-shouldn’t-say-that dept.:
Yes, laptops that possibly contained personally identifiable information were stolen from our office in a burglary, but we don’t need to strengthen our security measures, says the Atlantic Canada Opportunities Agency.


Why would anyone want this? (My Ethical Hackers would never consider using this to create and document any alibi)
– is an iOS app that automatically and privately detects where you went and what you did. It keeps track of the restaurants you ate at, the museums you visited, and even your hikes and romantic strolls. Remember every detail of your day trip, vacation or weekend getaway, so that you can share with your family and friends.

(Related) Perhaps we could teach a class on stalking?
Derrick Harris writes:
… In order to highlight what’s possible, a group of researchers from the International Computer Science Institute has released a new tool called “Ready or Not” that lets you enter any Twitter or Instagram username and see every place that user has been and what they’ve tweeted while there. It also includes a chart that shows how frequently users are at certain locations at certain times of day. The thought of this information getting into the hands of the wrong person — or, if you’re just into having some semblance of a private life, the thought that it exists — is a pretty troubling proposition.
The Ready or Not tool, ICSI researcher Gerald Friedland acknowledged, certainly engages in a bit of fear-mongering; but that’s the point.
Read more on GigaOm.
Related: See the Teaching Privacy web site.


In an effort to become more transparent...
Ellen Nakashima reports:
Director of National Intelligence James R. Clapper on Thursday evening announced that from now on the government will release the total number of surveillance orders issued each year to telecom providers in national security investigations.
They include the number of targeted persons affected by these classified orders, Clapper said in a news release.
Read more on Washington Post. And then tell me why IContheRecord.com is posting “likes” under their announcement.

(Related) ...while remaining totally opaque.
Mike Masnick writes:
So, last night Director of National Intelligence James Clapper said that the administration will start releasing some data on how many FISA records it seeks, and how many “targets” there are. In a first draft of that post, I had originally speculated that this hopefully meant the various tech companies could finally add FISA request numbers to their transparency reports, as they’d requested. However, after reading Clapper’s statement carefully, it seemed fairly obvious that what they were releasing was a lot more limited than what the tech companies have been asking for — including the number of people impacted. Given that, I removed the paragraph about how it might impact tech companies, because it seemed likely that the feds weren’t actually going to allow the tech companies to reveal some basic metadata about the FISA requests they receive. Indeed, today was the (many times extended) deadline for the DOJ to respond to the legal filings by various tech companies to publish those numbers, and it appears that the DOJ has officially turned down the request.
Read more on TechDirt.
So suppose the big guns in tech got together and put the government on notice that starting on _______ date, they were going to start disclosing the data – with or without the government’s consent. What would the government do if the tech companies stuck together? Could DOJ prosecute? Sure. But would they? They need the businesses’ cooperation. Maybe it’s time for the tech companies and providers to just say “NO” to the government’s demands for less than adequate transparency.
[Interesting “Boston Tea Party” level idea, but I suspect the government has all the carrots and sticks necessary to “entice” cooperation on their terms. Bob]

(Related) Wouldn't it be interesting if telecoms had First Amendment traditions like journalists?
What is the sound of a lead balloon?
Mark Hosenball reports:
The British government has asked the New York Times to destroy copies of documents leaked by former National Security Agency contractor Edward Snowden related to the operations of the U.S. spy agency and its British partner, Government Communications Headquarters (GCHQ), people familiar with the matter said.
The British request, made to Times executive editor Jill Abramson by a senior official at the British Embassy in Washington D.C., was greeted by Abramson with silence, according to the sources.
Read more on Reuters. I didn’t realize that ProPublica is also in possession of some of the files.


“If you don't like how we violate your privacy, remember that we could always nullify the treaties we've been ignoring!”
Christopher Wolf writes:
The US privacy framework is under attack from officials in the EU following revelations about NSA surveillance. Yesterday, US Department of Commerce General Counsel Cameron Kerry delivered his valedictory address before his departure from his position next week, and focused both on the progress made by the Obama Administration in privacy and offered the strongest push-back to date on the attacks leveled against the US framework from the EU, including threats to nullify the EU-US Safe Harbor Agreement.


Registration required. Still nothing positive on the “breach of contract” argument.
Margaret Dale and David Munkittrick of Proskauer have this article on Law.com about the state of standing in data breach lawsuits.


Perspective. Big Data is really big. (1000 bytes is one kilobyte, 1000 KB is one megabyte, 1000 MB is one gigabyte, 1000 GB is one terabyte, 1000 TB is one petabyte, 1000 PB is one exabyte, 1000 EB is one zettabyte, 1000 ZB is one yottabyte. So one zettabyte is 1,000,000,000,000,000,000,000 bytes, or 10^21.)
Cisco Visual Networking Index: Forecast and Methodology, 2012–2017
This forecast is part of the Cisco® Visual Networking Index (VNI), an ongoing initiative to track and forecast the impact of visual networking applications. This document presents the details of the Cisco VNI global IP traffic forecast and the methodology behind it. For a more analytical look at the implications of the data presented in this paper, please refer to the companion document, The Zettabyte Era-Trends and Analysis, or the VNI Forecast Highlights tool.
Executive Summary
  • Annual global IP traffic will surpass the zettabyte threshold (1.4 zettabytes) by the end of 2017. In 2017, global IP traffic will reach 1.4 zettabytes per year, or 120.6 exabytes per month. Global IP traffic will reach 1.0 zettabytes per year or 83.8 exabytes per month in 2015.
  • Global IP traffic has increased more than fourfold in the past 5 years, and will increase threefold over the next 5 years. Overall, IP traffic will grow at a compound annual growth rate (CAGR) of 23 percent from 2012 to 2017.
  • Busy hour Internet traffic is growing more rapidly than average Internet traffic. Busy hour Internet traffic increased 41 percent in 2012, compared to 34 percent growth in average traffic. Busy-hour Internet traffic will increase by a factor of 3.5 between 2012 and 2017, while average Internet traffic will increase 2.9-fold. Busy-hour Internet traffic will reach 865 Tbps in 2017, the equivalent of 720 million people streaming a high-definition video continuously.
  • Metro traffic will surpass long-haul traffic in 2014, and will account for 58 percent of total IP traffic by 2017. Metro traffic will grow nearly twice as fast as long-haul traffic from 2012 to 2017. The higher growth in metro networks is due in part to the increasingly significant role of content delivery networks, which bypass long-haul links and deliver traffic to metro and regional backbones.
  • Content Delivery Networks (CDNs) will carry over half of Internet traffic in 2017. 51 percent of all Internet traffic will cross content delivery networks in 2017 globally, up from 34 percent in 2012.
  • Nearly half of all IP traffic will originate with non-PC devices by 2017. In 2012, only 26 percent of consumer IP traffic originated with non-PC devices, but by 2017 the non-PC share of consumer IP traffic will grow to 49 percent. PC-originated traffic will grow at a CAGR of 14 percent, while TVs, tablets, mobile phones, and machine-to-machine (M2M) modules will have traffic growth rates of 24 percent, 104 percent, 79 percent, and 82 percent, respectively.


For my students...
Find Cheap Textbooks Online
While not free, Book Renter allows students to rent college textbooks for around 20% of the cover-price. Once finished you simply mail the textbook back to them. You can even take notes and highlight in the books. They also cover the UPS postage costs of returning the books.
If you prefer ebooks then Ecampus.com is a great resource for you. The company, aside from offering the same physical book rental service as BookRenter, allow students to cheaply rent eBook versions of textbooks. The files have an expiry of 6 months, after which they will be unusable.
… If you’re still set on buying your textbook, check out this article about finding the cheapest deals on college textbooks.
Sprint Through Lectures
… a favourite study technique of mine is gaining credence around the web: listening to audio books while jogging. I find myself continuing to jog to listen to the rest of the lecture, whereas I would normally have stopped far earlier. So, in the end I accomplish more by exercising both body and mind with the help of audiobooks.
Find Audio Lectures On OpenCourseware
OpenCourseware (OCW) has been around quite a few years at this point.
OCW offers a vast collection of course material, presentations, articles, videos and audio lectures from some of the world’s most highly regarded universities on virtually every degree subject out there. The biggest contributors are MIT, Stanford, and the Open University. Many of these universities will push their open course content under their own brands, but they all belong to the OpenCourseware Consortium.
I’m a huge fan of their audio lectures. I’ll often listen to a lecture subject I missed in real life, or gain extra knowledge by listening to related topics. For example, I took an OCW module on Social Media to better equip myself for my marketing module.
Similar to OCW, although a little more closed off, is Khan Academy, a huge resource of free video lectures and beautifully presented tutorials.
Forget Google Scholar — Use Journal Repositories
Google Scholar is the primary research tool for a lot of students.
… Despite Google’s best efforts, there’s a more effective way.
I suggest going straight to journal repositories. Find the top five journals in your study area and use their online search facilities. .... A personal favourite of mine is Emerald Insight.
Then, go to the website of the top 10 universities you can think of, such as Harvard, Brown or Oxford, and search through their online journals. Universities always publish their research to protect their rankings.
When sifting through thousands of articles and journals, don’t scroll. Save time by using Ctrl+F to find specific keywords and topics. I also do this when reading huge eBooks or reports. Going digital is so much better.
Primary Research Bumps Up Your Grade
Email people; lots of people. A little primary research for an assignment can take as little as five minutes. When citing a paper or article, I normally email any questions to the author. This is something very few students do outside of their final year thesis. Author contact details are typically found on the inside page of a report or on the university’s website. I’ve found university professors (even those in different countries with nothing to do with my college) very open to questions about their work and they have no problem being referenced in a student assignment. It’s easy bonus points to bump up a grade.
Learn How To Type
Seriously. Typing properly is the biggest time saver in college, where writing 10,000 words of notes and academic assignments per week is the norm.
Saikat did an awesome rundown of some great online typing tutorials, my favourite being Typing Web. It’s a well-designed typing tutor that tells you just what each finger should be doing and grades your performance.


For my amusement...
… “MOOC” (along with “selfie” and “bitcoin”) entered the Oxford Dictionaries Online this week. The definition provided: “a course of study made available over the Internet without charge to a very large number of people. anyone who decides to take a MOOC simply logs on to the website and signs up.” Tracing the origins of the word to MMORPGs, Stephen Downes notes the dictionary gets both the usage and the etymology of the word wrong.
Inside Higher Ed has released its annual Survey of Faculty Attitudes on Technology. It “finds significant skepticism among faculty members about the quality of online learning, with only one in five of them agreeing that online courses can achieve learning outcomes equivalent to those of in-person courses, and majorities considering online learning to be of lower quality than in-person courses on several key measures (but not in terms of delivering content to meet learning objectives).”
… Students in the Lodi School District have fought back against the district’s plans to create a new social media policy that would make the students “submit to the school’s disciplinary authority for what they say on social networking sites, even off-campus on their personal time.” Among the types of speech the policy sought to ban: cyberbullying, liking or retweeting prohibited content, and subtweeting. After protests and pushback and letters of support from the Student Law Center, the district has dropped the policy.


My wife says Dilbert has nailed the Budget process exactly.

Friday, August 30, 2013

For my students learning to manage IT: Why would any organization have 82,000 names on a laptop?
Well, now maybe the media will pay more attention to the Republic Services breach I reported the other day. The laptop stolen from the employee’s home held the unencrypted names and Social Security numbers of 82,160 current and former employees.


This could be amusing. What caused the FTC to select LabMD out of the hundreds (thousands) who also had security breaches? Perhaps when they release redacted documents we may find out. Will we learn anything new from this? Unlikely, but still worth watching.
The Federal Trade Commission filed a complaint against medical testing laboratory LabMD, Inc. alleging that the company failed to reasonably protect the security of consumers’ personal data, including medical information. The complaint alleges that in two separate incidents, LabMD collectively exposed the personal information of approximately 10,000 consumers.
… The Commission’s complaint alleges that LabMD failed to take reasonable and appropriate measures to prevent unauthorized disclosure of sensitive consumer data – including health information – it held. Among other things, the complaint alleges that the company:
  • did not implement or maintain a comprehensive data security program to protect this information;
  • did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities to this information;
  • did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
  • did not adequately train employees on basic security practices; and
  • did not use readily available measures to prevent and detect unauthorized access to personal information.
… Because LabMD has, in the course of the Commission’s investigation, broadly asserted that documents provided to the Commission contain confidential business information, the Commission is not publicly releasing its complaint until the process for resolving any claims of confidentiality is completed and items in the complaint deemed confidential, if any, are redacted.

(Related)
The following statement attributed to LabMD was sent to PHIprivacy.net:
LabMD Responds to Federal Trade Commission’s Witch Hunt
FTC action a clear example of federal government overreach
WASHINGTON – Today, the Federal Trade Commission (FTC) filed a complaint against LabMD claiming a violation of the Federal Trade Commission Act.
LabMD responded:
“The Federal Trade Commission’s enforcement action against LabMD based, in part, on the alleged actions of Internet trolls, is yet another example of the FTC’s pattern of abusing its authority to engage in an ongoing witch hunt against private businesses. The allegations in the FTC’s complaint are just that: allegations. LabMD looks forward to vigorously fighting against the FTC’s overreach by seeking recourse through the available legal processes.”
The FTC has repeatedly overstepped its statutory authority under Section 5 of the Federal Trade Commission Act and the FTC does not have the authority to bring this enforcement action.
LabMD is a cancer detection facility that specializes in analysis and diagnosis of blood, urine, and tissue specimens for cancers, micro-organisms and tumor markers.


Another “settlement”
Facebook: Actually, here's how we're using your data for ads
Facebook is making changes to the two key documents that govern its service in part to settle a two-year legal battle around its practice of using member data in advertisements.
The social network is proposing updates, some of which have been court-ordered, to its Statement of Rights and Responsibilities and Data Use Policy legal documents to better inform members on how their data is used for advertising purposes, and provide additional clarity on its data collection practices.
Facebook is putting the changes up for review -- but not a vote -- and will collect feedback over the next seven days.
… In 2011, Facebook was accused of violating users' right to privacy by publicizing their "likes" in advertisements without asking them or compensating them. The case was finally settled on Monday.


For my paranoid students...
– With issues cropping up regarding NSA surveillance in major search engines, some people are turning to alternative sources to protect their search activity. One of these is Zeekly, a new search engine that claims to be completely private (i.e. they don’t store data on their users). It pulls queries from different search engines anonymously and offers strong SSL encryption (2048 bit).


I don't see this as really new, even though this may be a “first.”
Text a driver in New Jersey, and you could see your day in court
… Now a New Jersey state appeals court has an addendum: Don't knowingly text a driver -- or you could be held liable if he causes a crash.
… A court summary of the times of texts and calls to and from Best's cell phone reflects what happened next:
The teens were having a text chat, volleying each other messages every few moments.
Seventeen seconds after Best sent a text, he was calling a 911 operator.
His truck had drifted across the double center line and hit the Kuberts head-on.
… The plaintiffs' attorney, Stephen Weinstein, argued that the text sender was electronically in the car with the driver receiving the text and should be treated like someone sitting next to him willfully causing a distraction, legal analyst Marc Saperstein told CNN affiliate WPIX-TV.
The argument seemed to work.
The ruling
On Tuesday, three appeals court judges agreed with it -- in principle.
They ruled that if the sender of text messages knows that the recipient is driving and texting at the same time, a court may hold the sender responsible for distraction and hold him or her liable for the accident.


For my Computer Science (and Math) students
Teaching Tree is a platform for collecting and contributing educational video content on computer science, math, and Ruby programming among others. There are more than 1200 “concepts” on the site so far. It is an open platform, so anyone can use it to assimilate knowledge on the subjects it promotes.


The future. We can ride into it, or be ground to dust under it.
The Current MOOC Trends Worth Knowing About
… Currently, there’s somewhat less buzz happening about MOOCs. But they’re still out there, happening and evolving while we’re busy doing other things. I do find it useful to regularly be able to take the temperature, so to speak, of what people are thinking and what’s actually happening with MOOC trends, which the handy infographic below does wonderfully.


For all my students
– Are you planning to purchase a tablet and want to see how the different devices compare to each other? Check out TabletRocket.com. It’s a new review website that compares all of the tablets on the market based on different attributes. It will show you head-to-head comparisons and summarize the pros and cons of each device, so that you can find the device you need.

(Related)


For those of us who believe one size does not fit all...
9 Word Cloud Generators That Aren’t Wordle
Wordle is quite easily the most popular word cloud generator out there. It’s free and easy to use.

Thursday, August 29, 2013

“Because we don't like foreigners.”
A court in Paris has opened a formal investigation into the PRISM program of electronic surveillance run by the US National Security Agency, and revealed by whistleblower Edward Snowden, it was revealed on Wednesday.
[...]
The court will investigate possible “fraudulent access and maintenance of an automated data processing system,” the “illicit collection of data of a personal nature,” an “attack on privacy,” and “violations of the secrecy of correspondences,” according to BFMTV.
Read more on The Local (FR).


Not a large percentage of Facebook's 1.1 billion monthly users.
Hayley Tsukayama reports:
Facebook fielded requests from 74 countries for data on at least 38,000 users in the first half of 2013, the company said in its first report detailing the scale and scope of data requests it receives from governments around the world.
The report, released Tuesday, covers every request the company has received from every government from January through June 30. Facebook said the report includes requests made for security reasons and for criminal cases.
Read more on Washington Post.


Where will this technology take us? For my Security students. If you can force a connection to smartphones, you can identify people who carry them.
Honda tech warns drivers of pedestrian presence
… Honda released a video today demonstrating a vehicle-to-pedestrian communication system, relying on the increasingly ubiquitous smartphone.


I am curious to see how he will turn it around. This just seems to show how poorly the industry is doing.
Pew – What’s Behind The Washington Post Sale
By Amy Mitchell, Mark Jurkowitz, and Emily Guskin: “The stunning announcement [on August 5, 2013] of the sale of The Washington Post to Amazon founder Jeff Bezos caught many off guard. The Post has been owned by the Graham family for 80 years. But recent years brought steep revenue and circulation declines and as chief executive Donald Graham put it in a letter to the staff, “the newspaper business continued to bring up questions to which we had no answers.” In Bezos, The Post—and a handful of smaller papers owned by the company—get an owner who is considered one of the most successful business and technology entrepreneurs in the country. Bezos is considered to have a strong understanding of audience needs and the financial wherewithal to tolerate sluggish revenue numbers, at least for a while. Still, the challenges are large and not unique to The Post. Pew Research Center’s Journalism Project, which has been tracking the industry for over a decade, puts the sale in context.”


On the other hand, if my students tell me my instructions are gibberish and I plop them into this tool and there is no simpler language...
– is a free website that converts advanced written language into less complex language. It’s perfect for assisting students with understanding complex written language. Paste or type the text that needs to be simplified into the box on the Rewordify web page, and within seconds a simplified version will appear.


Also for my students. Always try the free Apps first.
… Everyone’s favorite smartphones and tablets can be used for more than just fueling your addiction to Candy Crush and Angry Birds.
Quick Graph (Free)
Duolingo (Free)
iTranslate (Free)


This Quarter I have been blessed with a student who speaks in T-shirt-ready phrases. He should make a fortune selling shirts (and ensure his old professor has an endless supply of catchy T-shirts)
… Merchandising is a great way to express your artistry and make money while doing it. Here are some of the best merchandising sites where you can set up your own storefront for your designs.


For my students who program...
For Taking a Guided Tour: Codecademy’s JavaScript Track
For Experimenting: Chrome’s Console and jsFiddle
And Finally, One Optional Book Code Simplicity,


This is very interesting. Works well for “War and Peace” but not yet ready for my Math textbooks (but I can see some serious applications!)
Small Demons is an amazing tool that lets users enter the name of a book and the site pulls out any references to people, things, places, media, etc. that are mentioned in the book. If a book mentions a song, the song is available for the user to sample, along with the text that the reference was in. It is really a great way to explore and enjoy the world of the written word beyond the page.

Wednesday, August 28, 2013

For my Ethical Hackers. Tools & Techniques for the “How to” manual.


Should this go into the “How to” manual or a collection of “Worst Practices?”
NBC Reports – “How Snowden did it”
Richard Esposito and Matthew Cole, NBC News: “When Edward Snowden stole the crown jewels of the National Security Agency, he didn’t need to use any sophisticated devices or software or go around any computer firewall. All he needed, said multiple intelligence community sources, was a few thumb drives and the willingness to exploit a gaping hole in an antiquated security system to rummage at will through the NSA’s servers and take 20,000 documents without leaving a trace. [No logs? No record of what happened. Bob] … As a Honolulu-based employee of Booz Allen Hamilton doing contract work for the NSA, Snowden had access to the NSA servers via a “thin client” computer. The outdated set-up meant that he had direct access to the NSA servers at headquarters in Ft. Meade, Md., 5,000 miles away. In a “thin client” system, each remote computer is essentially a glorified monitor, with most of the computing power in the central server. The individual computers tend to be assigned to specific individuals, and access for most users can be limited to specific types of files based on a user profile. But Snowden was not most users. A typical NSA worker has a “top secret” security clearance, which gives access to most, but not all, classified information. Snowden also had the enhanced privileges of a “system administrator.” The NSA, which has as many as 40,000 employees, has 1,000 system administrators, most of them contractors.” [Note: Reuters reported NSA is eliminating 90% of its system administrators.]


“It's for the children!” Is this a viable Business model? Just like the NSA, but with a smaller target population. At least they outsourced it (recognizing that surveillance is not their forte) Perhaps parents could hire this firm to monitor the teachers and the school board?
School district hires company to follow kids' Facebook, Twitter
… A school district in Southern California is also committed to the safety of its kids. And, given that social media sites are where kids are at these days, it's decided to keep tabs on every single public post its kids are making.
Naturally, the Glendale Unified School District doesn't have the time to do this itself. So it's hired an outside company to do its tab-keeping for it.
As CBS Los Angeles reports, the district chose Geo Listening, a company that specializes in following kids' Facebook, Twitter, Instagram, and YouTube feeds.
"The whole purpose is student safety," the district's superintendent Richard Sheehan told CBS.
… In legal terms, any public posting is fair game. The Geo Listening Web site helpfully explains: "The students we can help are already asking for you. All of the individual posts we monitor on social media networks are already made public by the students themselves. Therefore, no privacy is violated."
Every single public posting made by every one of the district's 13,000 students is being monitored, although the company insists it doesn't peek at "privatized pages, SMS, MMS, email, phone calls, voicemails."


Do all privacy rights end when you become a mass murderer? No reason given in the article for the failure to comply with the subpoena.
Christine Stuart reports:
The Newtown school superintendent blew off a subpoena demanding the educational records of mass murderer Adam Lanza, Connecticut’s Office of the Child Advocate claims in court.
Connecticut’s Office of the Child Advocate sued Newtown Public Schools and its interim superintendent John R. Reed, in Superior Court.
[...]
The Child Advocate seeks Lanza’s psychological reports and evaluations, report cards, attendance records, nursing reports and notes, social work records, disciplinary records, education plans, and any communications with his family.
Read more on Courthouse News.


“Looking over the governor's shoulder are three drones of unknown origin...”
Earlier today, Governor Pat Quinn signed into law Senate Bill 1587, a measure that places appropriate and reasonable guidelines on the use of unmanned surveillance aircraft (drones) by state or local law enforcement agencies in Illinois. Most importantly, it requires police to obtain a warrant, subject to narrow exemptions, such as emergencies. It also limits retention and sharing of information collected by drones, and requires police departments with drones to publicly disclose the number of their drones.
Read more on the ACLU of Illinois blog.


History for my Computer Security classes... (Already on hold at my local library)
The Business Insider has an excerpt from Nate Anderson’s new book, “The Internet Police: How Crime Went Online, and the Cops Followed.” The excerpt deals with an important case in online privacy law – the case of Steven Warshak.
Read the excerpt on BusinessInsider.


Be careful what you wish for.
– is a Chrome extension that allows you to monitor web pages for changes. It can alert you whenever a page of interest updates. To use it, simply install the extension, go to a web page you would like to monitor, click on the Page Monitor icon and select “Monitor This Page”. Now whenever this page changes, the monitor icon will display a notification on its badge.


I try to keep up. (I'm sure everyone at Oxford talks like this.)
28 August 2013: Oxford Dictionaries Online quarterly update: new words added to oxforddictionaries.com today
… If buzzworthy vocabulary makes you squee, set aside some me time to explore the latest words which have made their way into common usage.

Tuesday, August 27, 2013

Tools & Techniques for my Ethical Hackers. A very common error in security design.
paganinip posts:
Security researcher Dan Melamed has found a serious Pinterest exploit that exposed the information of over 70 million accounts.
The security researcher Dan Melamed has found a critical Pinterest exploit that compromised the privacy of over 70 million users; the flaw allows hackers to view the email address of any user on Pinterest.
Dan found a way to access the information belonging to the owner of the access token; as the researcher has shown, it is possible to display it by visiting the following URL.
Substituting the “/me/” part of the link with the username of another Pinterest user, it is possible to view that user’s email address.
Read more on SecurityAffairs.co. The exploit has already been patched, and it sounds like Pinterest responded appropriately to notification of the problem.
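The pattern described above is a missing object-level authorization check: the API authenticates the caller (the access token is valid) but never asks whether the caller is allowed to see the private fields of the account named in the path. The following is an added illustration, not Pinterest's code or Melamed's, with constructed users, tokens and field names; it puts the vulnerable lookup beside a hardened version that decides field visibility from the relationship between the token owner and the requested account.

```python
"""Broken object-level authorization, modelled on the "/me/" substitution
described above. Everything here (usernames, tokens, field names) is a
constructed, hypothetical example; it is not the real service's API."""

# Constructed sample accounts; the email is the field that should stay private.
USERS = {
    "alice": {"username": "alice", "email": "alice@example.invalid", "bio": "pins"},
    "bob":   {"username": "bob",   "email": "bob@example.invalid",   "bio": "boards"},
}
# Constructed bearer tokens mapping to the account that owns them.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

PUBLIC_FIELDS = {"username", "bio"}   # anyone with a valid token may read these
PRIVATE_FIELDS = {"email"}            # only the account owner may read these


class AuthError(Exception):
    """Raised when the presented token does not identify any account."""


def owner_of(token):
    """Authentication: resolve a token to the account that owns it."""
    try:
        return TOKENS[token]
    except KeyError:
        raise AuthError("invalid token") from None


def resolve_target(caller, path_user):
    """'/me/' means the token owner; any other path segment names another user."""
    target = caller if path_user == "me" else path_user
    if target not in USERS:
        raise KeyError("no such user")
    return target


def vulnerable_get_user(token, path_user):
    """Authenticates the caller, then returns the whole record for whatever
    username is in the path. '/me/' works as intended, but substituting any
    other username returns that user's email as well."""
    caller = owner_of(token)
    target = resolve_target(caller, path_user)
    return dict(USERS[target])


def hardened_get_user(token, path_user):
    """Same lookup, but the authorization decision is made per field: private
    fields are included only when the caller *is* the requested account."""
    caller = owner_of(token)
    target = resolve_target(caller, path_user)
    allowed = PUBLIC_FIELDS | (PRIVATE_FIELDS if target == caller else set())
    return {k: v for k, v in USERS[target].items() if k in allowed}


def demo():
    """alice reads her own profile, then substitutes 'bob' into the path."""
    return {
        "own/vulnerable":   vulnerable_get_user("tok-alice", "me"),
        "own/hardened":     hardened_get_user("tok-alice", "me"),
        "other/vulnerable": vulnerable_get_user("tok-alice", "bob"),
        "other/hardened":   hardened_get_user("tok-alice", "bob"),
    }


if __name__ == "__main__":
    for label, record in demo().items():
        print(f"{label:17} {record}")
```

The point of the hardened version is that "who is asking" and "whose record is this" are compared on every request, rather than assuming that a valid token is enough. A review of any endpoint that accepts a user identifier in the path should ask the same question the fix asks here.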

(Related) ...although this looks deliberate. Note that the metadata revealed this information, not the content of the letter.
Discover and American Express often submit copies of their breach notification letters to cardmembers to state attorneys general. Their letters, however, generally do not include the name of a breached merchant, so it is often difficult to know what to make of their submissions. But one particular American Express notification, submitted to California last week, caught my attention. Their letter states:
A company that provides payment processing services to numerous merchants has informed us that there has been unauthorized access to its processing system. As a result, account information of some of our Cardmembers, including some of your account information, may have been improperly accessed.
The breach occurred on January 15, according to the date American Express reported to California. But which payment processing services provider and what happened – and when did the provider discover the breach? AmEx reported to California that the breach was discovered on August 23, but I suspect this means that they first learned of the breach on August 23 and that is not when the breached entity learned of the breach.
From the filename AmEx used for its notification letter (“Celerant-C2013068451%20CA%20Customer%20Letter_0.pdf”) and the description saying “Celerant customer letter” (see screen shot taken from the California Attorney General’s web site), the breach appears to have been at Celerant Technology Corporation:
Celerant is a certified provider of retail payment processing software. On its web site, it states:
Celerant offers a multichannel, retail software solution for numerous retail industries, including apparel, footwear, sporting goods, furniture, specialty, gifts, convenience and more. With over 450 clients primarily within the United States, Canada, Europe and the Middle East, our retail system provides an all-in-one solution for retailers selling via brick and mortar stores and on the web.
DataBreaches.net has sent two emails to Celerant since Friday requesting confirmation and information on the breach, but has received no response as yet. I will provide an update when more information becomes available.


For my law geeks...
Jeffrey Brown of CybercrimeReview.com points readers to an upcoming article in the University of Pennsylvania Journal of Constitutional Law. Here’s the abstract of “The Fourth Amendment Implications of the Government’s Use of Cell Tower Dumps in its Electronic Surveillance” by Brian Owsley:
Privacy concerns resonate with the American people. Although the right to privacy is not explicitly protected in the United States Constitution, the Supreme Court has found the right to privacy rooted within the Constitution based on various amendments. In the modern era, with rapid advances in technology, threats to privacy abound including new surveillance methods by law enforcement.
… Recently, the American Civil Liberties Union brought to light the popular use of government surveillance of cell phones, including the gathering of all cell phone numbers utilizing a specific cell site location. Known as a “cell tower dump,” such procedures essentially obtain all of the telephone number records from a particular cell site tower for a given time period: “A tower dump allows police to request the phone numbers of all phones that connected to a specific tower within a given period of time.”
… No federal statute directly addresses whether and how law enforcement officers may seek a cell tower dump from cellular telephone providers.
… This article provides a brief description of cellular telephone and cell-site technology in Part I. Next, Part II addresses the evolution of Fourth Amendment jurisprudence and argues that the reasonable expectation of privacy standard applies to electronic surveillance such as cell tower dumps. In Part III, the discussion follows the development of statutes addressing electronic surveillance and argues that cell tower dumps request more information than simply just telephone numbers. Part IV analyzes records from both cellular service providers and the federal government to conclude that cell tower dumps routinely occur. Part V assesses the few decisions that even discuss cell tower dumps and argues that the analysis is either non-existent or flawed regarding the use of the Stored Communications Act to permit cell tower dumps. Next, Part VI asserts that cell tower dumps cannot be analyzed pursuant to the Stored Communications Act because the language of the statute is inapplicable and the amount of information sought requires a warrant based on probable cause and concludes by proposing some protocols to safeguard individual privacy rights.
You can download the article from SSRN.


Something for my Ethical Hackers to override?
Police throughout the globe have been embarrassed to see online videos of their officers pepper spraying tied captives. In our age of mobile gadgets the pictures can be uploaded online in seconds, forcing supervisors to answer questions.
But now the police may not need to fear scrutiny anymore, because Apple has recently patented a piece of technology that would allow the authorities and police to block data transmission, including video and photos, whenever they like. All they need to do is decide that a public gathering or venue is deemed “sensitive” and needs to be protected from externalities. In this case Apple will enable them to switch off all its gear. The developers insist that the affected locations are normally cinemas, theaters and concert grounds, but Apple admits it could also be used in covert police or government operations that may need complete “blackout” conditions.
Read more on VeteransToday. Thanks to Joe Cadillic for the link.
And if law enforcement or government activate this in a public demonstration/crowd situation, how is this not a violation of First Amendment rights to film public employees in the performance of their duties?


“You have a license to drive and we want to know where you drive.” I suppose driving with disabled trackers will be illegal.
California’s legislature is considering a bill to authorize adding radio tracking beacons to drivers licenses and state non-driver ID cards.
Each such card would broadcast a unique tracking number which could legally be intercepted by anyone with a suitable radio transceiver within range, and which would be linked to a national DHS database of drivers license, state ID card, and citizenship information.
The tracking beacons are designed to allow the tracking numbers on ID cards carried by travelers in motor vehicles to be read from outside their vehicles as they approach or pass through checkpoints. [Like the ones in Egypt? Bob]
Read more on Papers, Please!
Another step in our march towards a national ID and total surveillance state, it seems.


Be sure to check the credit score of anyone you want to “friend.” (Or Big Data will get you!)
Facebook friends could change your credit score
A handful of tech startups are using social data to determine the risk of lending to people who have a difficult time accessing credit. Traditional lenders rely heavily on credit scores like FICO, which look at payments history. They typically steer clear of the millions of people who don't have credit scores.
But some financial lending companies have found that social connections can be a good indicator of a person's creditworthiness.
One such company, Lenddo, determines if you're friends on Facebook (FB) with someone who was late paying back a loan to Lenddo. If so, that's bad news for you. It's even worse news if the delinquent friend is someone you frequently interact with.


Expect more hype and a “3D Bubble” followed by a collapse.
Wall Street Wakes Up to 3D Printing, Predicts Massive Growth


Oh those poor lawyers...
Chelsea Allison reports:
In a long-awaited conclusion to Facebook’s “Sponsored Stories” class action saga, a federal judge gave final approval to a $20 million settlement Monday but took an axe to the $7.5 million in fees requested by plaintiffs attorneys.
The settlement approved by U.S. District Judge Richard Seeborg provides for each Facebook user who submitted a valid claim to receive $15, with remaining funds disbursed to 14 organizations focused on consumer protection, privacy and other issues raised in the suit. Facebook Inc. is also required to improve its disclosure practices, giving users more control over when and how their names and photos will be used. The company must also create special controls for minors.
Read more on Law.com.


I didn't say it. I might have thought it, but I didn't say it.
Students Learn Less in States with Stronger Teachers' Unions
A 1-standard-deviation rise in teachers' union dues per teacher is associated with a 4% fall in student proficiency rates, according to a study of 721 U.S. school districts in 42 states by Johnathan Lott of the University of Chicago Law School and Lawrence W. Kenny of the University of Florida. Dues support union lobbying, which typically pushes for policies such as blocking merit pay and limiting the Teach for America program. Consequently, student proficiency is lower in states with stronger teacher unions, the researchers say.


Tools & Techniques. Something to review before you sign up.
– Many companies use dark pattern techniques to make it hard to find how to delete your online account. JustDelete.me is a website that aims to be a directory of URLs to enable you to easily find and delete your account from web services. All listed sites are colour-coded to indicate the difficulty level of account deletion. There is also additional info for each site, explaining how to proceed.


For my Smartphone toting students...
The best way to study and review text is to highlight and annotate what you read, and two of the most useful tools for doing this are the online and iPad app, Diigo, and the recently updated eHighlighter.
… Diigo provides you tools to bookmark and annotate webpages, and to also review, manage, and share your annotations in your Diigo account. All your highlights and notes get listed under the source link for each article. You can tag articles and group them into folders.
… If you’re like me and you still also read paper books, you probably know how laborious it can be to type and transcribe text from a book you’re reading. With an iPhone OCR app called eHighlighter ($4.99), you can actually take a photo of a page you’re reading in a book, mark the text you want to copy, and eHighlighter will, using OCR technology, translate that image capture into text.
Before you start collecting highlights with eHighlighter, you can use the app to scan the bar code of the book, and in turn the app will locate and download the relevant information (title, author, publisher and date). If the barcode is not available, you can do a manual search in eHighlighter.


This is cool...
Lingualy Helps You Learn a Language While Browsing the Web
Lingualy is a free Google Chrome extension designed to help you learn a new language while browsing the web. With Lingualy installed anytime that you come across a new word you can double-click on it to hear it pronounced, read a translation, and read a definition. The words that you double-click are added to your Lingualy account where you can review them in a quiz format. Watch a short overview of Lingualy in the video below.
Lingualy supports English, Spanish, French, Hebrew, and Arabic. You could have students use Lingualy while reading news articles in the language that they're trying to learn. That would provide some current context for language lessons.


For my students. What does it say about America when Mad Magazine can safely assume everyone knows what they are talking about here?

Monday, August 26, 2013

Which part of “We listen to everything” did you not understand? I'll ask this another way. Who would you like to have a free pass?
Latest NSA abuse allegation: Spying on the United Nations
By now, this shouldn't be a surprise. The National Security Agency spied on the internal videoconferencing system used by United Nations officials by decrypting it last year, according to German magazine Der Spiegel.
The disclosure came from documents leaked by Edward Snowden, the former NSA contractor who has provided a trove of materials to Britain's The Guardian newspaper about heretofore secret details of the NSA's surveillance program. The Spiegel story says that the encryption cracking took place in the summer of 2012. In our spy-versus-spy world, one other choice nugget came to public notice: The documents detail that the NSA discovered that the Chinese were also attempting to break into UN communications at the same time.


Lawyers don't need no book learnin' git out thar and sue someone!
Obama Says Law School Should Be Two, Not Three, Years


Have you ever tried to do something with a short deadline and found that a 'push' update was running and eating all the CPU cycles? This should stop that.
– is a free and simple tool that helps to temporarily disable different kinds of automatic software updates on Windows. You can download and use it completely for free. The software package has no bloatware, advertising or any other kind of bundled software. All critical software updates should always be switched on, but there are situations when you need an exception to this rule.