Saturday, February 08, 2014

Strange. It “does not” remote monitor, except it does for Target.
Target HVAC Contractor Says It Was Breached By Hackers
Ross Fazio, President and Owner of Fazio Mechanical Services, said in a statement that it does maintain a data connection with Target that was used exclusively for electronic billing, contract submission and project management.
Fazio said his firm does not perform remote monitoring of or control of heating, cooling and refrigeration systems for Target. He also said that Target is the only customer that it provides such management for on a remote basis, and that no other customers have been affected by the breach.
"The recent discovery that the credentials stolen in the Target breach were from an HVAC contractor shows how much we live in a connected world and how insider threats are the hardest to detect since outside attackers look just like employees when they are on the network,” Eric Chiu, president & co-founder of HyTrust, told SecurityWeek. “In this new 'Internet-of-Things' world, heating are connected to the same corporate networks that run other systems such as point-of-sale applications and customer databases. [They do not need to be. Only lazy or ignorant IT would do it that way. Bob]
… “One thing that isn't known about this attack: were the same credentials for the HVAC system used on other devices in the network? If so, that is what I would call a rookie mistake," Melancon said.
… Qualys researchers Billy Rios and Terry McCorkle say they have found 55,000 HVAC systems connected to the Internet, most with basic security vulnerabilities that put them at risk and provide links to numerous other unwitting corporate networks.
Target previously said that it has taken extra precautions such as limiting or updating access to some of its platforms while the investigation continues. [Again illustrating how easy it is to apply the “fix” that would have prevented the breach, once it is pointed out by the bad guys. It's anticipating how attacks might come at you that is hard. Learn from the mistakes of others! That's what Best Practices are for! Bob]


You need to know where and how you can attack, with what weapons, and what the probably effect will be. You do not need to know how to write the code. Think of it as “Point and click warfare.”
Raytheon Gets $9.8 Million Under DARPA's 'Plan X' Cyberwarfare Program
Defense contractor Raytheon announced this week that it has been awarded a $9.8 million contract by the Defense Advanced Research Projects Agency (DARPA) as part of its 'Plan X' program.
Plan X is a five-year $110 million foundational cyberwarfare program to develop platforms for the Department of Defense (DoD) to plan for, conduct and assess cyberwarfare in a manner similar to kinetic warfare. As a DARPA research program, Plan X has a goal of creating an advanced map that details the billions of devices connected to the Internet so that military commanders can identify, and if necessary, disable targets.
Raytheon also announced on Dec. 16 that its BBN Technologies subsidiary is working on a program under Plan X designed to help U.S. government agencies “plan, execute and assess cyber network operations”.
"Plan X is an entirely new approach for planning and executing cyber operations," Dr. Jack Marin, vice president for cyber security at Raytheon BBN said in December. "It is a comprehensive program designed to provide easy-to-use cyber operations planning tools to users who may not have a deep background in cyber."


Perspective And one of those little statistical oddities that catch my attention.
Where Are All the Self-Employed Workers?
Along with a bunch of other, more headline-grabbing numbers, the Bureau of Labor Statistics reported this morning that 14.4 million Americans were self-employed in January. Of those, 9.2 million were unincorporated self-employed workers and another 5.2 million were incorporated.
That’s interesting, given that back in January 2000 (which is as far as the BLS tally of the incorporated self-employed goes), the number of self-employed was … 14.4 million. Since then there have been some modest ups and downs, but overall no change.


A very amusing (to me at least) summary of “education related stuff”
A proposal by Tennessee Governor Bill Haslam would make two years of community college and technical school in the state tuition-free. [I like it! Bob]
Meanwhile in Kansas, the legislature was looking to block Google Fiber and stop cities from investing in broadband. ’Til the Internet caught wind of the plan, that is. [Good to see that someone is watching the idiots in the legislature. Bob]
… And speaking of the dismal state of science education: A fifth of Americans do not think (or aren’t sure) that the Earth revolves around the Sun.
The NMC Horizon Report for Higher Education is out. On the horizon: learning analytics and the flipped classroom.

Friday, February 07, 2014

“Obtain awareness” is quite far from “actionable intelligence” in my experience. Perhaps they mean actions like pointing to potential entry points or locating secondary infections? I guess I don't see any new value here. This seems to duplicate CERT or Cyber Command or any of the anti-virus vendors. (Unless the FBI plans to introduce selected malware themselves?)
Got Malware? The FBI Is Willing to Pay For It
According to a 'Request for a Quote' posted on the Federal Business Opportunities website, the FBI is looking for price quotes for malware for the Investigative Analysis Unit of the agency's Operational Technology Division.
"The Operational Technology Division (OTD), Investigative Analysis Unit (IAU) of the FBI has the following mission: Provide technical analysis of digital methods, software and data, and provide technical support to FBI investigations and intelligence operations that involve computers, networks and malicious software," according to the document (.doc).
The agency does not say precisely how the malware will be used, but the document calls the collection of malware from law enforcement and research sources "critical to the success of the IAU's mission to obtain global awareness of malware threat."
"The collection of this malware allows the IAU to provide actionable intelligence to the investigator in both criminal and intelligence matters," according to the document.


I would have thought that obvious, since it passes my “It's only a digital version” test. If someone had mailed me a copy of an old fashion printed photo, I would have the envelope to examine. It would tell me where the photo was mailed, when it was mailed, and perhaps a lot more. If someone “sends” me metadata, why would/should I ignore it?
Orin Kerr writes:
I’m guessing we all know that you don’t have a reasonable expectation of privacy in photographs that you post on the public Internet. Government investigators don’t violate privacy rights by looking at photos posted on the web for all to see. But what about the metadata embedded in those photographs? And what if it’s a website only accessible using the TOR browser?
In a case handed down last week, United States v. Post, a district court held that the Fourth Amendment still offers no protection.
Read more on WaPo Volokh Conspiracy.


Interesting that the Post thinks this is new tech. It has been used in Afghanistan (see http://en.wikipedia.org/wiki/Kestrel_%28surveillance_system%29 for example) for several years.
New surveillance technology can track everyone in an area for several hours at a time
… As Americans have grown increasingly comfortable with traditional surveillance cameras, a new, far more powerful generation is being quietly deployed that can track every vehicle and person across an area the size of a small city, for several hours at a time. Although these cameras can’t read license plates or see faces, they provide such a wealth of data that police, businesses and even private individuals can use them to help identify people and track their movements.


Global Warming! Global Warming! This article actually seems to make sense. Deforestation and (in Colorado) the pine beetle contribute to global warming. Perhaps Al Gore will help us plant trees? I do find it interesting that we understand so few of these systems impacting climate.
Report – Tree roots in the mountains ‘acted like a thermostat’ for millions of years
by Sabrina I. Pacifici on February 6, 2014
University of Oxford: “For the first time, scientists have discovered how tree roots in the mountains may play an important role in controlling long-term global temperatures. Researchers from Oxford and Sheffield Universities have found that temperatures affect the thickness of the leaf litter and organic soil layers, as well as the rate at which the tree roots grow. In a warmer world, this means that tree roots are more likely to grow into the mineral layer of the soil, breaking down rock into component parts which will eventually combine with carbon dioxide. This process, called weathering, draws carbon dioxide out of the atmosphere and cools the planet. The researchers say this theory suggests that mountainous ecosystems have acted like the Earth’s thermostat, addressing the risk of ‘catastrophic’ overheating or cooling over millions of years. In their research paper published online in Geophysical Research Letters, the researchers carried out studies in tropical rain forests in Peru, measuring tree roots across different sites of varying altitude – from the warm Amazonian Lowlands to the cooler mountain ranges of the Andes.
… Lead researcher Chris Doughty, from the School of Geography and the Environment at the University of Oxford, said: ‘This is a simple process driven by tree root growth and the decomposition of organic material. Yet it may contribute to Earth’s long-term climate stability. It seems to act like a thermostat, drawing more carbon dioxide out of the atmosphere when it is warm and less when it is cooler.'
… In the past, this natural process may have prevented the planet from reaching temperatures that are catastrophic for life.’”

Thursday, February 06, 2014

What would you do if you “owned” Facebook?
SEA Comes Close to Owning Facebook
06 February 2014
The Syrian Electronic Army (SEA) claimed yesterday that it had owned Facebook. It wasn't quite true in any meaningful way, but SEA came very close to being able to redirect millions of Facebook users to its own websites.
… SEA's latest exploit, announced yesterday, seems to have failed. "Happy Birthday Mark! http://Facebook.com owned by #SEA." It appears that while this was strictly true, briefly, it had no effect on Facebook users. It was again a DNS poisoning attack, again through Facebook's registrar, which was again MarkMonitor.
It seems that, already on high alert after the Paypal attack, MarkMonitor reacted fast enough to prevent any serious damage. It immediately took down its management portal and regained control over the accounts. "We changed the nameservers, but it's taking too much time..." confirmed SEA on Twitter. Why it took so long is not clear, but seems to imply that MarkMonitor has additional security in this area. Exactly what that security might be is unknown because Markmonitor has a strict policy of not commenting on its clients (which SEA screenshots indicate also include Google, Yahoo and Amazon).


Interesting. Why would an air conditioner repairman have access to the credit card system?
Target Hackers Broke in Via HVAC Company
Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.
Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.
… According to the company’s homepage, Fazio Mechanical also has done refrigeration and HVAC projects for specific Trader Joe’s, Whole Foods and BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia.
… It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.
Avivah Litan, a fraud analyst with Gartner Inc., said that although the current PCI standard (PDF) does not require organizations to maintain separate networks for payment and non-payment operations (page 7), it does require merchants to incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties — including vendor access for support or maintenance (see section 8.3).
In any case, Litan estimates that Target could be facing losses of up to $420 million as a result of this breach, including reimbursement associated with banks recovering the costs of reissuing millions of cards; fines from the card brands for PCI non-compliance; and direct Target customer service costs, including legal fees and credit monitoring for tens of millions of customers impacted by the breach.


I would be concerned that this was a test of impact and response. The substation feed Silicon Valley, but disruption seemed short lived and minor.
Snipers Coordinated an Attack on the Power Grid, but Why?
Last April, unknown attackers shot up 17 transformers at a California substation in what the then-chairman of the Federal Energy Regulatory Commission Jon Wellinghoff called "the most significant incident of domestic terrorism involving the grid that has ever occurred" in this country.
Though news reports about the incident at the Metcalf transmission facility came out in April, The Wall Street Journal just pieced together the larger story of the attack together from regulatory filings and outside reporting.
… Before the attackers opened fire on the transformers, fiber optic lines running nearby were cut.
Whoever executed the maneuver knew where to shoot the transformers. They aimed at the oil-cooling systems, causing them to leak oil and eventually overheat. By the time that happened, the attackers were long gone.
[From the WSJ:
it took utility workers 27 days to make repairs and bring the substation back to life.


Part of this is “We can, therefore we must” and part is “We don't need parental approval for anything we do to our students.” But mostly it's, “Stupid is as stupid does.”
Kathleen McGrory reports from Tallahassee:
Polk County parents were apoplectic last year when they discovered the school district had been scanning the irises of students’ eyes without parental permission.
The controversial practice might soon be banned.
On Tuesday, state lawmakers will take up a proposal that would prohibit school districts from collecting biometric information, including the characteristics of fingerprints, hands, eyes and the voice. It would affect the Pinellas County school district, which allows schools to scan the palms of students’ hands instead of accepting cash in the cafeteria, and school systems that use fingerprint scanners.
“We’ve been able to get kids through a lunch line for decades,” said state Sen. Dorothy Hukill, a Port Orange Republican who brought the idea to the Florida Senate. “Why do we need to take their biometric information when we know there is the potential for identity theft?”
Read more on Miami Herald.
[From the article:
“Biometrics is coming,” said Miami-Dade School Board member Raquel Regalado, who spearheaded an effort to create a local biometrics policy this month. “It exists in the market. It will exist in our schools. It may end up being a viable way to ensure there isn’t fraud.”


Interesting, but how do you prove “willful?” Perhaps their procedures don't bother checking “facts?”
Tim Hull reports on a case that privacy advocates should keep our eyes on:
An unemployed man can sue the website Spokeo.com for inaccurately describing him as wealthy and well educated, the 9th Cicuit ruled Tuesday.
Virginia resident Thomas Robins claims that his job search has been hampered by a description of him as a high earner with a graduate degree on Spokeo, a search engine that aggregates information about individuals.
Alleging that the misinformed profile violated the Fair Credit Reporting Act (FCRA), Robins proposed a 2010 class action against Spokeo in Los Angeles.
U.S. District Judge Otis Wright dismissed Robins’s first complaint for lack of standing, and eventually did the same with an amended complaint. The judge found that Robins had failed to show that he had suffered any actual harm.
A three-judge panel of the federal appeals court reversed Tuesday.
Read more on Courthouse News.
[From the article:
At this early stage of the case, Robins can gain standing by alleging a violation of the FCRA "without showing actual harm," according to the ruling.
"The statutory cause of action does not require a showing of actual harm when a plaintiff sues for willful violations," Judge Diarmuid O'Scannlain wrote for the panel.


Perspective
Computer and Internet Access in the United States: 2012
by Sabrina I. Pacifici on February 5, 2014
“Computer and Internet Use: 2012 Based on Current Population Survey statistics from July 2012, the Computer and Internet Access in the United States infographic provides household and individual level analysis of computer use and Internet access, as well as a profile of individual smartphone usage. A set of tables will accompany the infographic.”


An interesting article for my Economics students.
The Pipe Dream of Big Marijuana Revenues
… But there is a catch that many people have not thought about. The marijuana plant is sturdy and not difficult to grow
… So imagine a near future when marijuana seeds and even starter plants could be sold through garden centers and other similar outlets much like tomato seeds and plants are sold today. These seeds and plants could be grown in a backyard garden (or even a flower pot on a patio) with the same degree of difficulty as growing fresh tomatoes.


For my student geeks...
With the Release of the Google Chromecast SDK, Expect Big Things
… After just over six months, Google has released the Google Cast Software Development Kit (SDK) for developers.
This means that developers now have all the tools necessary to build apps and websites that are Chromecast compatible. For end users of the Chromecast, it means that there could be a whole new world of entertainment waiting for them on their television sets.
Developers who want to find out more about their options and what they can expect should keep tabs on the Google Developers Blog. For the rest of us, bookmark the Chromecast Apps page where you can see all the new options that will be available to you. With an incredibly vibrant ecosystem built around Google’s Android platform, we can only imagine how many more creative uses for the Chromecast we’ll be presented with.

Wednesday, February 05, 2014

Good PR, but this was already in the works.
Target Making $100 Million Push Toward Chip-Enabled Smart Cards
In his testimony before the Senate Committee on the Judiciary in Washington, D.C., Target Corp. Chief Financial Officer John Mulligan, said on Tuesday that the company would accelerate its implementation of smart card technology in an effort to reduce credit and debit card fraud stemming from customers shopping in its stores.
… During his testimony, Mulligan said Target will equip its own "REDcards" and all of its store card readers in the U.S. with chip-enabled smart-card technology by the first quarter of 2015, more than six months ahead of previous plans.


A tiny hack, but one that caught my attention. Poor system design, but if my “e-check” was stolen while I was teaching an Ethical Hacking class, can imagine my response?
Darlene Storm reports:
No matter how much you love your job, very few people work for free. About 80% of Americans receive their paychecks via direct deposit, but if a hacker manages to reroute your paycheck to his or her account, is that just tough luck and you don’t get paid? That’s basically what a faculty member at Western Michigan University (WMU) was told.
Read more on Computerworld.
[From the article:
On Dec. 20, WMU issued him a paycheck advance, Cool said, which he is paying back in four installments. However, he said he believes the university should reimburse him for his loss, since it was its system that was hacked. Cool said he filed a grievance last week with the Michigan Department of Licensing and Regulatory Affairs.
… Last fall after "two separate incidents of WMU employees having their paychecks stolen electronically," the university "instituted a process so that, whenever someone goes into their account and changes financial information, such as a routing number, they immediately get an email asking if that is a legitimate change." According to Cheryl Roland, executive director of university relations, "We know that happened in this case [theft of Cool’s paycheck]."
Yet Cool said he was teaching a class and “never saw the email warning him his routing number had changed. The hackers remained in Cool's account for approximately 40 minutes, Cool said detectives told him. WMU's information technology department later retrieved the email from his trash.” Cool added, "If the hackers are this smart that they can go in there, wait and delete the email, you would have to be watching your computer almost continuously."


One of the pictures released was Nadella in a hoodie. Does that suggest Microsoft will become more Facebook-like?
Microsoft names Nadella as CEO; Gates out as chairman
Microsoft announced Tuesday that Satya Nadella will become the third chief executive in the company’s history as it moves into the mobile era.
The company also announced that co-founder Bill Gates will step down as chairman of the board to take on a role as “technology adviser” once his term expires. Longtime Microsoft board member John Thompson, who led the CEO search, will assume the role as chairman.

(Related) Not very useful, since he uses every current buzzword.
Satya Nadella drops some hints about Microsoft’s future
… "I believe over the next decade computing will become even more ubiquitous and intelligence will become ambient," Nadella wrote. "This will be made possible by an ever-growing network of connected devices, incredible computing capacity from the cloud, insights from big data, and intelligence from machine learning."


Should they have said, “Probably, but we don't know until we look for him specifically?”
US Official Won't Say Whether Obama Phone Data is Collected


How was medical leave authorized? The employer had to know something from some “official” source. Can the Human Resource department tell the employees manager nothing? Looks like this one told the manager way too much.
Meghan Cowan reports:
A recent decision dealing with the collection, use and disclosure of employees’ personal information provides a noteworthy lesson for employers when managing sensitive employee medical information.
In a December 2013 decision of the Alberta Information and Privacy Commissioner, an employee made a complaint under Alberta’s privacy legislation, the Personal Information Protection Act (PIPA), alleging that her personal employee information had been improperly collected, used and disclosed by her employer.
[From the article:
A foreman called the employee to inquire about her absence from work and her possible date of return. In the discussion, the foreman indicated he had read the employee’s personnel file, which contained a letter from her insurance provider denying her disability claim. The foreman also discussed the employee’s condition with a co-worker who was a friend of the employee. In that discussion, he disclosed that the employee’s disability claim had been denied.


Inevitable, when the party in power believes that government should do everything (people don't know what's good for them) and they also believe people should be made to pay for government.
IRS Criminal Prosecutions Rise 23% Under Obama
by Sabrina I. Pacifici on February 4, 2014
Transactional Records Access Clearinghouse: ”During the Obama administration, the number of criminal prosecutions referred each year by the Internal Revenue Service (IRS) has risen by nearly a quarter — 23.4 percent — over the Bush years. Prosecutions in fiscal year 2013 alone are up 30.6 percent from the previous year. Convictions are also drawing slightly longer average prison terms — 27 months under Obama versus 25 months under Bush, according to case-by-case information obtained by TRAC under the Freedom of Information Act from the Executive Office for United States Attorneys. Among U.S. federal judicial districts, Alaska registered the highest per capita rate of IRS prosecutions, with 53 per million people as compared with 6.4 prosecutions per million nationally. Second was the Middle District of Alabama (Montgomery) with 30 per million, followed by the District of Columbia with 27 per million. For more details, including a timeline of prosecutions, top lead charges and top ten district rankings, see the report.”


Free is good, and increasingly possible.
European Law via WorldLII
by Sabrina I. Pacifici on February 4, 2014
EuroLII – “Securing widespread free access to legal information (legislation, cases, legal literature) has become important globally. Europe is an example of coexistence of different legal systems where a vast amount of legal information content is provided at Community and national level. Free access facilities for comparative law research is a crucial issue, both in relation to the law of European institutions, and national law. Free access to European law transposed into national law could significantly contribute to a better establishment of the rule of law and to an overall consolidation of national legal institutions around Europe.”

(Related) Also free, but a bit harder to search if you aren't sure who paid for the research.
Clearinghouse for the Open Research of the United States
by Sabrina I. Pacifici on February 4, 2014
“The Clearinghouse for the Open Research of the United States (CHORUS) is a not-for-profit public-private partnership to increase public access to peer-reviewed publications that report on federally funded research. Conceived by publishers, CHORUS:

(Related) Even more free stuff!
– is currently making 1.67TB of research data available. Sharing data is hard. Emails have size limits, and setting up servers is too much work. We’ve designed a distributed system for sharing enormous datasets – for researchers, by researchers. The result is a scalable, secure, and fault-tolerant repository for data, with blazing fast download speeds.


Just what Congress needs!
District of Columbia city council votes to decriminalize pot

Tuesday, February 04, 2014

This is rarely listed as a “Risk” when planning for Security. But ask your Public Relations people what the downside of looking like an uncaring incompetent might be. And remember, Congress needs to portray you as head of an uncaring corporation that doesn't know how to protect its customers.
Esme Murphy reports:
Congress began a series of hearings Monday before a Senate banking subcommittee into the massive data breach at Target and other retailers.
Lawmakers grilled the Secret Service about when Target told them about the breach, and another hearing is slated for Tuesday. That’s when Target CFO John Mulligan will be in the hot seat.
On Monday, members of Congress focused on whether companies, including Target, delayed informing law enforcement officials and the public.
Read more on CBS Minnesota, where you can also watch a clip from today’s hearing. If you missed the hearing and want to watch the whole of today’s hearing, you can view it on C-Span (1 hr, 49 minutes).
Tomorrow, the Senate Judiciary Committee will be holding its own hearing on “Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime.” Target CFO John Mulligan is slated to be a witness on the first panel. The hearing begins and 10:15 am and will be streamed online. More details and the schedule can be found here.


“Just ask, we'll send you money.” (This drives auditors, even ex-auditors like me, absolutely crazy!)
File Your Taxes Before the Fraudsters Do
… According to a 2013 report from the Treasury Inspector General’s office, the U.S. Internal Revenue Service (IRS) issued nearly $4 billion in bogus tax refunds in 2012. The money largely was sent to people who stole Social Security numbers and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.


Very often a “he said, she said” argument with few facts. But not when details are released.
Giving Up on Oracle, Researcher Discloses Critical Vulnerabilities in Oracle Forms and Reports
In a blog post, security researcher Dana Taylor recounted what became a two-year odyssey between her and the company to fix software vulnerabilities in Oracle Forms and Reports. Oracle did not respond to multiple requests over the past few weeks from SecurityWeek to comment, but Taylor said in an email interview that she went "above and beyond" what is normally considered responsible disclosure.
… "In the Oracle reporting server’s case it is unfortunately fairly easy to show the magnitude of the problem," he said. "A simple Google dork search on "inurl:rwservlet" which is the fingerprint of a reporting server that may be vulnerable, returns [roughly] one million results. That means that when a zero-day like this comes to play, hackers have a starting point of [approximately] one million potential targets."
While some companies are good at patching servers in time, it is never immediate due to the service disruption that ensues as well as the process of applying every update as soon as it comes out, he added.


Should be no surprise. The data is out there. All you need is someone smart enough to interpret what it is telling you. (and to realize that no matter what it tells you, “There's a market for that!”)
We have Pam Dixon’s testimony on behalf of the World Privacy Forum to thank for this.
From the Democratic Press Office:
Chairman John D. (Jay) Rockefeller IV is asking six data brokers for information on the compilation and sale of products that identify consumers based on their financial vulnerability or health status. [Of course, the consumers “self-identify” based on the sites they visit. Brokers merely lump similar users together. Bob] Rockefeller brought attention to this industry practice during the Committee’s December 18, 2013, hearing titled, “What Information Do Data Brokers Have on Consumers, and How Do They Use It?”, and it was also highlighted in the majority staff report released at the hearing.


“We call it the 'George Orwell was too optimistic' system.” Assuming they have all this data (and they likely will, one way or another) what will they do with it? Fire “below average” teachers? Deny admissions to state funded universities? Require students to smile when they ask, “Would you like fries with that?”
Jules Polonetsky writes:
New York State is working on a system that will track students from pre-kindergarten to the work force. The goals are noble. Despite the billions we spend on education, we don’t have the data to evaluate what works. But what are the risks of assembling detailed data about every student’s abilities? Privacy advocates are sounding the alarm, worried about the implications of sharing this data. Parents and policymakers are being drawn into the fray, but often aren’t steeped in the full scope of the debate.
Read more on LinkedIn.
[From the article:
We need to discuss the deployment of big data analytics by education institutions to enhance student performance, evaluate teachers, improve education techniques, customize programs, devise financial assistance plans, and better leverage scarce resources to optimize education results.


This surprises you, why?
Latest transparency reports show steady rise in surveillance data requests
Google, Facebook and Microsoft were among the technology companies to release new figures Monday showing a rising number of requests for their users’ data coming from a secretive U.S. surveillance court.
Google received FISA requests related to the content of between 9,000 and 9,999 accounts during the first half of 2013, up from between 7,000 and 7,999 in the first half of 2011.
The court sought content related to 15,000 to 15,999 accounts from Microsoft, up from 11,000 to 11,999 in the second half of 2011.
At Facebook, during the second half of 2012, the court sought data related to the content of 4,000 to 4,999 Facebook user accounts, the company said in a report. The company received more of FISA requests during the first half of 2013—the number rose to between 5,000 and 5,999 users’ accounts.
Yahoo and LinkedIn also released new figures on Monday related to government data requests tied to national security. At Yahoo, the company only said it received FISA requests related to content for between 30,000 and 30,999 accounts during the first half of 2013.
… Apple already released new figures last week in response.


From the “government knows what is best for you” people? Fortunately, I have plenty of time to prepare my Ethical Hackers. Your cars will say, “You can't park here. This is Bob's parking space. Move me immediately!” Better still, how about howling like a dog at 3AM?
U.S. may mandate 'talking' cars by early 2017
U.S. regulators are crafting a rule that would require all new vehicles to be able to "talk" to one another using wireless technology, which the Department of Transportation said would significantly reduce accidents on U.S. roads and alleviate traffic congestion.
… "When these technologies are adapted across the fleet, the results could be nothing short of revolutionary for roadway safety," said David Friedman, acting administrator of the DOT's National Highway Traffic Safety Administration.
The details of implementation are still unknown. [Translation: “We don't know what we going to do, but it will be amazing! Trust us!” Bob]


Perspective
Pew – 6 new facts about Facebook
by Sabrina I. Pacifici on February 3, 2014
Aaron Smith – “Facebook turns 10 tomorrow and reaches that milestone as the dominant social networking platform, used by 57% of all adults and 73% of all those ages 12-17. Adult Facebook use is intensifying: 64% of Facebook users visit the site on a daily basis, up from 51% of users who were daily users in 2010. Among teens, the total number of users remains high, according to Pew Research Center surveys, and they are not abandoning the site. But focus group interviews suggest that teens’ relationship with Facebook is complicated and may be evolving. New Pew Research Center survey findings show how people are using Facebook and what they like and dislike about the site.”


For my Criminal Justice students. See why we insist you take those techie courses? (and economics) My lawyer friends can tell me how you go about seizing the database that resides on the servers, and what you might have told the judge you will do with it.
Digital Currency Founder: U.S. Indicted Me For Not Giving FBI My Source Code
The indicted founder of digital currency Liberty Reserve says the U.S. government began targeting him only after he refused to turn over the source code for his proprietary system to the FBI.
Arthur Budovsky, who is fighting extradition to the U.S. from Spain, told a Madrid court that the FBI approached him in 2011 to obtain the source code for what he says was the purpose of undermining the service.
“I refused. It’s like asking Coca-Cola for their secret formula,” he told the court, according to the Associated Press. “The truth is that the U.S. wants to protect its monopoly on financial transfer platforms.”
His denial launched a witch hunt, he says, that resulted in his indictment last year along with six others in a $6 billion money-laundering scheme, in what authorities are calling the largest international money laundering case ever prosecuted.
It also resulted in U.S. authorities seizing Liberty Reserve’s servers in Holland, giving them access to financial information on some 800,000 users and 44 million transactions and the ability to trawl through the data for evidence of illegal activity conducted by Liberty Reserve users. The case was handled by the U.S. Secret Service and DHS’s Homeland Security Investigations.


For my Math students.
The Art of Problem Solving
Last week Marilyn Just emailed me with a couple of suggestions to add to my list of mathematics resources. One of the suggestions that jumped out at me was the Art of Problem Solving. The Art of Problem Solving offers a variety of tutorial resources for students. Some of the resources are free and some are not. The highlight of the free resources is a catalog of more than three hundred short instructional videos like the one embedded below.
http://www.youtube.com/watch?v=S4knArgz7cA
The bulk of the videos are designed for pre-algebra and algebra lessons.


One of those World Changing Things that sneak in under the radar.
Personal Loans Online — How Peer-to-Peer Lending Is Changing the Game
… the public perception of this lending paradigm is one associated mostly with the developing world.
I was surprised to discover that peer to peer lending is also challenging the likes of BarclayCard and CitiBank in their traditional heartlands of the affluent West. There are a number of services on the market right now which allow lenders to provide credit, and for borrowers to gain access to funds without dealing with a bank or credit union. I looked at three of them, and explored how they’re shaking up the finance game.

Monday, February 03, 2014

Design security in from the start? What an old concept!
DOD/GSA Report – Improving Cybersecurity and Resilience through Acquisition
by Sabrina I. Pacifici on February 2, 2014
“On February 12th, 2013, the President issued Executive Order 13636, entitled Improving Critical Infrastructure Cybersecurity (EO 13636). In accordance with Section 8(e), GSA and the Department of Defense submitted recommendations to the President addressing the feasibility, benefits, and merits of incorporating cybersecurity standards into acquisition planning and contract administration, and harmonizing procurement requirements. The jointly authored report containing the recommendations it titles, Improving Cybersecurity and Resilience through Acquisition. The report provides a path forward to aligning Federal cybersecurity risk management and acquisition processes. It provides strategic recommendations for addressing relevant issues, suggests how challenges might be resolved, and identifies important considerations for the implementation of the recommendations. The ultimate goal of the recommendations is strengthening the cyber resilience of the Federal government by improving management of the people, processes, and technology affected by the Federal Acquisition System. The recommendations focus on the need for baseline cybersecurity for Federal contractors, comprehensive workforce training, consistent cybersecurity terminology for contracts, incorporation of cyber risk management into Federal enterprise risk management, development of more specific and standardized security controls for particular types of acquisitions, limiting purchases to certain sources for higher risk acquisitions, and increasing government accountability for cybersecurity throughout the development, acquisition, sustainment, and disposal lifecycles.”


I would imagine some universities are also resources (not just tech firms)
National Guard units help states ward off cyberattacks
Colorado Governor John Hickenlooper, vice chairman of the National Governors Association, said in the recent annual State of the States speech in Washington, D.C., “as the nation develops resiliency to cyberattacks, the Guard should be mobilized to support federal and state efforts to protect networks and respond to incidents. While the federal government seeks to clarify how it will work with the private sector and states to better secure cyberspace, states are already moving forward to develop and implement new cyber policies to protect their economies and ensure public safety.”
The National Defense Authorization Act, which passed on 26 December 2013, requires the Pentagon to consider the National Guard’s cyber capabilities as it may support the Pentagon’s cybersecurity measures. The Act orders the Pentagon to consult with governors about their states’ cybersecurity needs and their states’ Guard units’ ability to assist in this area.


Interesting. I wonder who my Official, “go to” Ethics guy should be now that Dean Dan Vigil has (mostly) retired?
ABA – 10 Tips for Avoiding Ethical Lapses When Using Social Media
by Sabrina I. Pacifici on February 2, 2014
“You may be among the thousands of legal professionals flocking to social media sites like LinkedIn, Facebook, Twitter, or Google+ to expand your professional presence in the emerging digital frontier. If so, have you paused to consider how the ethics rules apply to your online activities? You should. Some of the ethical constraints that apply to your social media usage as a legal professional may surprise you. Moreover, legal ethics regulators across the country are beginning to pay close attention to what legal professionals are doing with social media, how they are doing it, and why they are doing it. The result is a patchwork quilt of ethics opinions and rule changes intended to clarify how the rules of professional conduct apply to social media activities. This article, Cby hristina Vassiliou Harvey, Mac R. McCoy, Brook Sneath, provides 10 tips for avoiding ethical lapses while using social media as a legal professional. The authors cite primarily to the ABA Model Rules of Professional Conduct (RPC) and select ethics opinions from various states. In addition to considering the general information in this article, you should carefully review the ethics rules and ethics opinions adopted by the specific jurisdiction(s) in which you are licensed and in which your law firm maintains an office.”


Not the most up-to-date site I've ever seen. Perhaps my students could add to this?
Cornell University Digital Literacy Resource
by Sabrina I. Pacifici on February 2, 2014
The Digital Literacy Project – Cornell University: “Digital literacy is the ability to find, evaluate, utilize, share, and create content using information technologies and the Internet. As a Cornell student, activities including writing papers, creating multimedia presentations, and posting information about yourself or others online are all a part of your day-to-day life, and all of these activities require varying degrees of digital literacy… Digital literacy is an important topic because technology is changing faster than society is. The same advances that enhance leisure and make our work easier—those that make it possible for us to search online databases, text friends, and stream media—also present urgent challenges to the social norms, market models, and legal frameworks that structure our society. The rules of appropriate behavior in these digital contexts may be unknown or unknowable. Well-established concepts such as copyright, academic integrity, and privacy are now difficult to define, as their meanings are in flux. This digital literacy site is a resource you can come to again and again during your time at Cornell, to get up-to-date information about issues like these. Look here to learn about Cornell’s recommendations for finding, evaluating, and citing information sources online; to learn about copyright law; to read and hear Cornell faculty viewpoints on plagiarism; and to get our best advice regarding privacy practices on the Internet. Look here, too, for links to many other Cornell resources on these topics.”

Sunday, February 02, 2014

As breaches get larger, the impact gets broader. If this only happened to ½ of 1 percent of the people, that's 550,000 times! (110,000,000 victims times .005)
Target data breach could affect real estate transactions
… Among the scenarios that could begin surfacing as the stolen information from retailers is sold and used in the coming months:
•Home sales could be knocked off track by the sudden appearance of new debts on buyers' credit reports. Many lenders now monitor national credit bureau files electronically from the date of loan approval to moments before closing. Even if you explain that you were a victim of identity theft, your financing could be put on ice until you and the bureaus clean up your reports. That could cause you to miss contractual deadlines with the home seller and, worst case, cause you to lose the house.
•Undetected run-ups of balances on credit cards could seriously affect "utilization ratios" — how much of the available credit maximum a consumer has drawn down — and cause declines in scores. High rates of utilization or "maxing out" are penalized by the major scoring models. Lower credit scores, in turn, may disqualify you for a mortgage, at least until you are able to document to the credit bureaus' satisfaction that the new debts were the result of identity theft.
•Undetected use of your information to create one or more new credit cards could be especially damaging and time consuming to fix. Clemans notes that although merchants and the bureaus may be eager to help resolve identity theft situations, they are also on guard against attempts by consumers to blame everything negative in their files on identity theft. They'll want proof and documentation before expunging the bad information.


“More to the point, we were lying about how the scanners were used. What do you suppose we're lying about now?”
Former TSA employee Jason Edward Harrington has written an article confirming many American’s worst fears about how we have been viewed and mocked by TSA employees. Here’s a snippet:
Most of my co-workers found humor in the I.O. room on a cruder level. Just as the long-suffering American public waiting on those security lines suspected, jokes about the passengers ran rampant among my TSA colleagues:
… All the old, crass stereotypes about race and genitalia size thrived on our secure government radio channels.
Read his article on Politico.
Not surprisingly, TSA has pushed back against the article, claiming it’s inaccurate and outdated.


Oh look! The FTC has settled ¼ of 3/10ths of 9/92nds of a percent of yesterday's breaches! Not bad for a government agency.


I doubt congress is getting serious, perhaps this was for Data Privacy Day?
There’s a new report by Kristin Finklea, Specialist in Domestic Security, for the Congressional Research Service.
You can access the full report on FAS.


Learn to program.
– Go is an open source programming language designed for building simple, fast, and reliable software. Go by Example is a hands-on introduction to Go using annotated example programs, one of which is the famous “Hello World” program. The site also provides a list of numerous other programs to browse through and try out.


For my Website students.
– Create your frontend code simply and quickly with Bootstrap using LayOutIt’s Drag & Drop Interface Builder. High quality HTML5 is made using the Interface Builder. Drag-and-drop the Bootstrap components to your own design. It’s easy to integrate with any programming language – just download the HTML and start coding the design into it. Professional and validated HTML which you can replace with your own variables.


Dilbert combines Jeff Bezos, pizza, and infinite math. What could be better?