Saturday, March 01, 2014

Ukraine. Maybe Tom Clancy was right in his last novel. Russia moved lots of Russians into the Ukraine (and other countries) during the days of the Soviet Union, and they stayed. Now they provide an excuse for intervention. Perhaps not with tanks, but a simple twist of the natural gas valve would get Europe's attention.
So is this just increasing the pressure, or “fair warning?”
Russian upper house approves use of force in Ukraine


Reads like a return to “pre-Internet” logic.
Barbara LaBoe reports:
Appeals of two Longview drug convictions led to a far-reaching state Supreme Court decision Thursday that people have the right to privacy in sending and receiving text messages.
In separate 5-4 opinions, the justices overturned two Cowlitz County heroin convictions in cases that hinged on text messages a detective read on someone else’s phone.
Read more on TDN. Gene Johnson of AP also has coverage here, and the Seattle Times covers the ruling here.
[From the AP article:
The court struck down Roden's conviction under the state privacy act, which bars police from intercepting in-state private communications without a warrant or the consent of all parties involved. It overturned Hinton's conviction under the privacy protections of the state Constitution.
[From the Seattle Times article:
Consider a low-tech analogy: “Just because a letter is sitting in your mailbox doesn’t mean the cops get to open it,” Fakhoury said. “The Washington court said there shouldn’t be a difference” between privacy protections on mail, phone calls and text messages.
A person’s privacy interest isn’t “surrendered once you hit send on your phone,” he said.


I'm not sure how this “ensures” safety on campus. If someone plans to vandalize the Dean's car, I doubt they will bring their ID badge. Same for break-in artists, or did they break in by unlocking the front door? What crimes are addressed by using the ID badge as a meal card, library card, or whatever? If they want to track students like Big Brother, why not just say so?
Alec Torres reports:
Beginning Saturday, March 1, students and staff at Tennessee State University will be required to present identification badges at any time that can also track their movements in and out of buildings, according to a local-news report.
After a spate of break-ins and vandalism, officials at the university instituted the new ID requirement as a way to ensure safety on campus, a TSU release said.
Of course, it doesn’t stop there, although it would be concerning enough if it did. The same ID cards have other uses as well:
Besides being used to access buildings, the IDs can be used as meal cards, to check out library materials, to access computer labs and athletic events, and more.
Read more on National Review Online.
So who will be data mining and commercializing all these data, because you just know it’s going to happen?
[From the National Review article:
“Failure to comply with the new policy,” the school said, “may result in employee disciplinary action, student judicial action, or removal from University property.” [Sounds like they are sure their students are the criminals here. Bob]


Interesting. What does the data tell us? Is a digital clock face telling us it is 8:02 PM as “speech-like” as a computer log entry that alerts us to an unauthorized access?
Paper – Is Data Speech?
by Sabrina I. Pacifici on February 28, 2014
Is Data Speech? January 2014 66 Stan. L. Rev. 57. Jane Bambauer, Associate Professor of Law, University of Arizona, James E. Rogers College of Law; J.D., Yale Law School; B.S., Yale College.
“Privacy laws rely on the unexamined assumption that the collection of data is not speech. That assumption is incorrect. Privacy scholars, recognizing an imminent clash between this long-held assumption and First Amendment protections of information, argue that data is different from the sort of speech the Constitution intended to protect. But they fail to articulate a meaningful distinction between data and other more traditional forms of expression. Meanwhile, First Amendment scholars have not paid sufficient attention to new technologies that automatically capture data. These technologies reopen challenging questions about what “speech” is. This Article makes two overdue contributions to the First Amendment literature.
First, it argues that when the scope of First Amendment coverage is ambiguous, courts should analyze the government’s motive for regulating.
Second, it highlights and strengthens the strands of First Amendment theory that protect the right to create knowledge.
Whenever the state regulates in order to interfere with the creation of knowledge, that regulation should draw First Amendment scrutiny. In combination, these claims show clearly why data must receive First Amendment protection. When the collection or distribution of data troubles lawmakers, it does so because data has the potential to inform and to inspire new opinions. Data privacy laws regulate minds, not technology. Thus, for all practical purposes, and in every context relevant to privacy debates, data is speech.” [Andrew Young]


Rather poorly worded if it is okay to play Angry Birds while driving.
Court: No-phones traffic law does not apply to apps
A California law that bans drivers from talking on mobile phones without a hands-free device does not bar them looking at map apps, a court has ruled.
The appeals court threw out a traffic ticket issued to a motorist who was looking at a map on his phone while caught in a traffic jam.
… In their 18-page decision, the 5th Appeals Court of California said Mr Spriggs argued that "he did not violate the statute because he was not talking on the telephone".
"We agree," the court wrote. "Based on the statute's language, its legislative history, and subsequent legislative enactments, we conclude that the statute means what it says - it prohibits a driver only from holding a wireless telephone while conversing on it."
A separate California law bans texting while driving.


Oops indeed!
Teen's Facebook Post Costs Her Dad $80,000. Oops.
So Dana Snay, a Miami teenager, is probably in big trouble right now. As the Miami Herald reports, an appeals court just tossed out her father’s $80,000 age-discrimination settlement because she violated the confidentiality agreement by bragging about it on Facebook. The offending post:
Mama and Papa Snay won the case against Gulliver. Gulliver is now officially paying for my vacation to Europe this summer. SUCK IT.
… Patrick Snay had served as headmaster for the Gulliver Preparatory School for years when they chose not to renew his contract. He sued and settled, but only on the condition that he and his wife keep the “terms and existence” of the agreement private. So the infractions here were twofold: Snay divulging the deal to his daughter and his daughter broadcasting it to all her "friends."


Close enough that my Ethical Hackers need this information.
Army Field Manual for Cyber Electromagnetic Activities
by Sabrina I. Pacifici on February 28, 2014
Via Defense One, by Patrick Tucker - How the Army Plans to Fight a War Across the Electromagnetic Spectrum: “The Pentagon long has made a big effort to showcase its budding cyberwarfare capabilities. But the military has been less forthcoming about a key, more tangible component of cyber — electronic warfare – until now. The Army just publicly released its first-ever Field Manual for Cyber Electromagnetic Activities. The manual covers operations related to cyberspace and the electromagnetic spectrum, highlighting that for the Army electronic warfare is every bit as important as the cyber threat we hear so much about in abstract.”


Perhaps our Intro to Programming students might find this too amusing...
Kids Can Learn Programming Basics With “Make Your Own Flappy Bird” In 20 Minutes
Kids have a new incentive to learn programming. Thanks to Code.org, they can design their own Flappy Bird game in 20 minutes. The “Make Your Own Flappy Bird” tutorial is designed for kids as young as six-year-olds.
… The drag ‘n drop method is excitingly kid-friendly and it is a teaching method that has been followed successfully by graphical coding tools like Scratch and Blockly.
… There are also plenty more fun tools to get kids excited about programming.


Every week, smiles.
… The publishers Springer and IEEE have had to withdraw more than 120 papers from their subscription services after a discovery that these articles were “computer-generated nonsense.” Or as us humanities folks call it with a smirk, “Sokal-as-a-service.”
… There’s a “kinda sorta working model” of a federated OER Wiki, brought to you by Tim Owens and Mike Caulfield. [Definitely one to watch. Bob]
… “A Colorado Software Firm Is Programming Your Next Professor,” reads the headline in Forbes, a publication that never fails to tout a technodystopian future as some sort of great business deal. “As education costs increase, it’s not unreasonable to think that professors, teachers, adjuncts, and tutors could at least be partially replaced by a $7,000 programmable character who never sleeps or unionizes, or emotionally overreacts to student behavior.”

Friday, February 28, 2014

Keeping up with the Euros...
In a landslide vote (534 to 49), the European Parliament has passed a Resolution on drones, targeted killings, and fully autonomous weapons.
Stay tuned for a post from one of the leading experts on the topic, Anthony Dworkin. Many readers will be familiar with Dworkin’s influential policy paper, Drones and Targeted Killing: Defining a European Position (2013).
In the meantime, here are highlights of some of the most significant parts of the Resolution (with my emphasis added):
1. Obligations for Post-Strike Investigations and Transparency:
2. Geographic Restrictions on Targeted Killings:
3. Action Items on a European Position:


Perspective
The World Map of Internet Censorship


Not the Internet, the Web. Many of us were long-time Internet users by 1989.
Pew – The Web at 25 in the U.S.
by Sabrina I. Pacifici on February 27, 2014
“This report is the first part of a sustained effort through 2014 by the Pew Research Center to mark the 25th anniversary of the creation of the World Wide Web by Sir Tim Berners-Lee. Lee wrote a paper on March 12, 1989 proposing an “information management” system that became the conceptual and architectural structure for the Web. He eventually released the code for his system—for free—to the world on Christmas Day in 1990. It became a milestone in easing the way for ordinary people to access documents and interact over a network of computers called the internet—a system that linked computers and that had been around for years. The Web became especially appealing after Web browsers were perfected in the early 1990s to facilitate graphical displays of pages on those linked computers.”


This might amuse my students.
You Can Build Your Own Search Engine
Earlier this week I received an email from someone who had found the custom video search engine that I built last summer. The person who emailed me asked how I did it. There's not much to it other than following a few steps at Google.com/cse. As you can see in the directions embedded below, you don't need any coding skills in order to build your own search engine.


It must be much longer than a New York minute.
An Internet Minute Infographic


Something to calm the savage beasts... (One example)
Ten Google Easter Eggs You Missed Somehow
Play Atari Breakout In Your Browser
Go to Google Image Search and search for Atari Breakout, the classic arcade game. You’ll see the thumbnailed results pop up as usual. But wait for a few seconds and boom! You are now playing Breakout in your browser, with the thumbnails acting as bricks.


Thursday, February 27, 2014

We've been hearing hints that retailers other than Target have been hacked. Could that be the source?
Jim Finkle reports:
A cybersecurity firm said on Tuesday that it uncovered stolen credentials from some 360 million accounts that are available for sale on cyber black markets, though it is unsure where they came from or what they can be used to access.
The discovery could represent more of a risk to consumers and companies than stolen credit card data because of the chance the sets of user names and passwords could open the door to online bank accounts, corporate networks, health records and virtually any other type of computer system.
Alex Holden, chief information security officer of Hold Security LLC, said in an interview that his firm obtained the data over the past three weeks, meaning an unprecedented amount of stolen credentials is available for sale underground.
Read more on Reuters.

(Related)
Danny Yadron reports:
Verizon Communications Inc. is investigating possible security breaches at two unnamed retailers that appear similar to intrusions at other merchants late last year, a Verizon official said.
Bryan Sartin, director of the research, investigations, solutions, knowledge team at Verizon’s enterprise solutions unit, said the retailers involved in the newly discovered breaches haven’t yet disclosed them.
“We’ve been brought into other situations as the investigator,” Mr. Sartin said in an interview with The Wall Street Journal. “The findings already substantiate a very real link between these later situations and something that recently happened.”
[...]
The retailers involved in the newly discovered breaches were contacted by the U.S. Secret Service and then contacted Verizon’s investigative team last week, Mr. Sartin said.
Read more on WSJ.
So if there are two more large retail breaches, and 360M new credentials that Hold Security discovered on the black market, are the two reports connected? The Hold Security report didn’t mention payment card data, so it’s possible they’re not related, but then again, who knows?


Sometimes it's not what you bring to the table, but what you don't have to bring to the table. Old technologies are increasingly mired in regulation while newer, faster-moving tech remains relatively bureaucrat-free. http://www.telegraph.co.uk/finance/newsbysector/mediatechnologyandtelecoms/telecoms/10663911/Facebooks-WhatsApp-deal-has-unnerved-phone-companies.html
Facebook’s WhatsApp deal has unnerved phone companies
… Holding court on the fringes of the conference, Vittorio Colao, the chief executive of Vodafone, summed up the frustration caused by the regulators. He was asked about his views on ongoing mobile network mergers in Ireland and Germany, which are seen as test cases for a consolidation of European mobile networks.
He replied: “There is a guy [Zuckerberg] who has a billion users and has just bought half a billion users [WhatsApp] and I have to talk about Ireland.”
Colao’s favourite tactic in his long-running battle with European regulators is to cite the total number of government bodies Vodafone has to deal with across the continent: 187.
… In the meantime, European operators will continue to make poor returns compared with their American and Asian counterparts. They can only look on jealously as the likes of WhatsApp, which are relatively unencumbered by competition, radio spectrum, infrastructure and tax regulations, erode their revenues.
… It is the scale of the industry that led Zuckerberg to pay $19bn for WhatsApp. While the price has been raising eyebrows all week, most senior telecoms executives who rode the dotcom wave in the late 1990s and suffered the crash do not believe it is a bad bet.
WhatsApp is already eroding their texting revenues. In Barcelona its co-founder Jan Koum, made a billionaire seven times over by the deal, announced that within weeks it will introduce free voice calls to the app’s 465m users. All of this over the mobile internet infrastructure that is costing operators billions to build.


“Papers, comrade citizen.” I would expect the value of these checkpoints to drop very quickly as word gets out. There must be some value – why not tell the residents what it is? (How wide is the “border” anyway?)
Residents in Arizona town push to remove 'militaristic' border checkpoint
Residents of the southern Arizona town of Arivaca are monitoring a U.S. Border Patrol checkpoint to see how many arrests and drug seizures are made in a bid to remove longstanding interior checkpoints on the roads leading into the town.
Arivaca residents say they are regularly subjected to delays, searches, harassment and racial profiling at the checkpoints.
… A Border Patrol spokesman says the agency won't release data for individual checkpoints. The agency, which describes the checkpoint as temporary despite it being in place for several years, told The Los Angeles Times they have no plans to remove it.


If this is true...
NSA Mass Surveillance Useless, Former Bush Official Says
The National Security Agency's telephone-metadata collection program has been completely useless at preventing terrorist attacks, a prominent former government official said yesterday (Feb. 25).
Speaking on a panel at the RSA security conference here, former White House national-security official Richard Clarke refuted the government's claim that 55 possible terrorist incidents had been stopped by the metadata program, called Section 215 after the language in the USA Patriot Act that made it possible.

(Related) ...this would seem crazy.
Julian Hattem reports:
The National Security Agency (NSA) wants to extend the amount of time that it can hold on to people’s phone records.
In a court filing on Wednesday, the Justice Department said the spy agency needs to keep the metadata beyond its current five-year limit to deal with a handful of lawsuits challenging the legality of its controversial surveillance program.
Read more on The Hill.


If the cops can't search phones, will teachers continue to do it? (I'll bet you they will keep doing it!)
I wouldn’t say the court “expanded” cell phone privacy rights as much as properly recognized them.
Chuck Lindell reports:
Expanding the notion of privacy rights in the digital age, the state’s highest criminal court ruled Wednesday that police improperly searched a Huntsville student’s cell phone without a warrant, even though the device had been sitting in a jail property room.
The 8-1 ruling by the Court of Criminal Appeals rejected prosecutors’ arguments that officials may search any item that belongs to a jail inmate if there is probable cause to believe a law had been broken.
[...]
In its ruling Wednesday, the Court of Criminal Appeals rejected prosecution arguments that a cell phone is no different from other containers, such as a pair of pants or bag of groceries, that lack privacy protections and can be searched in jail.
The warrantless search of Granville’s cell phone violated the U.S. Constitution’s protection against unreasonable search and seizure — “the right of the people to be secure in their persons, houses, papers and effects” as guaranteed by the Fourth Amendment, the court ruled.
Read more on American-Statesman.


Do we know of any strategic (educational) need for “identification numbers?” Looks like the outside testing company is controlling this.
Trevon Milliard reports:
Every single child in Nevada public schools will soon be assigned an identification number and tracked in detail from preschool through high school to college under the combined efforts of a trio of state departments creating a super-data system.
The system will be completed by July 2015 and will track individual test scores and personal information including birth date, ethnicity, whether a student lives in poverty, speaks English as a second language or is classified as special education. It’s called the Statewide Longitudinal Data System — SLDS for short — and it has more than parents concerned.
Meanwhile in Kansas, Bryan Lowry reports bipartisan support for a state law to protect student data privacy:
Democrats and Republicans are backing a bill meant to protect electronic data compiled by schools from being misused.
Senate Education Committee gave unanimous support Tuesday to Senate Bill 367, known as the Student Data Privacy Act.
The bill would ensure that data collected on students can be shared only with parents and authorized personnel from school districts, the Board of Regents and state agencies. It [prevents? Bob] school districts from collecting biometric data, such as finger prints or DNA.


Too restrictive?
Wim Nauwelaerts, of Hunton & Williams writes:
In January 2014, the Belgian Privacy Commission published a set of guidelines on the privacy implications of using dashboard mounted cameras in vehicles (‘‘dash cams’’) and the processing of video footage and images captured by dash cams. The Privacy Commission decided to issue these guidelines in response to the increasing dissemination of dash cam videos and images through various media (including social media such as Facebook).
[…]
Its January 2014 guidance focuses on the three main purposes for which dash cams are often used, and sets out the dos and don’ts for each of these purposes.
Read more on Hunton.com.
[The “three main uses,” from the article:
Dash Cams as Evidence in Traffic Cases
Dash Cams for Recreational Use
Dash Cams and Portrait Rights


Well, it's a thought – and there's not a lot of thinking going on.
Michael Froomkin writes:
I just uploaded a draft of my new paper, Regulating Mass Surveillance as Privacy Pollution: Learning from Environmental Impact Statements, to SSRN. Be the first on your block to read it!
Here’s the abstract:
US law has remarkably little to say about mass surveillance in public, a failure which has allowed the surveillance to grow at an alarming rate — a rate that is only set to increase. This article proposes ‘Privacy Impact Notices’ (PINS) — modeled on Environmental Impact Statements — as an initial solution to this problem.

Wednesday, February 26, 2014

As expected.
MPR News reports that several Minnesota banks have sued Target over its recent data breach: The First Farmers & Merchants National Banks of Grand Meadow, Cannon Falls, Luverne, Fairmont, and Brownsdale.
And for those keeping count, MPR reports:
So far, Target now faces 22 data breach lawsuits in the Minnesota U.S. District Court alone. The cases would no doubt be consolidated if they go forward.
Read more on KARE11


I think this may be a very viable “take over the world” strategy. It's certainly worth discussing with my students. (Statistically, half the world is below average.)
Facebook’s Plan to Conquer the World — With Crappy Phones and Bad Networks
… At Mobile World Congress today, Facebook CEO Mark Zuckerberg announced a new Internet.org innovation lab where developers will be able to test the kinds of challenging connectivity conditions they might expect to find in the developing world–without even leaving California. He was describing something that had its roots in this trip to Africa. Facebook had already conquered America. Now, it wanted to take on the rest of the world–especially the parts where people weren’t even online yet. The first step in that journey was to score a phone. Something cheap. Something you couldn’t get in the US.
Srinivasan and George Wang, another of Facebook’s Android project managers, rose early and headed to an electronics market on the outskirts of Lagos. Called Computer Village, it sprawls across several square blocks just off of Kodesoh Street in Ikeja and is chock full of every type of device imaginable, new and used, genuine and counterfeit, legal and decidedly not.


Perhaps it will say that making videos of students in their bedrooms is a bad idea. Same for strip searches, expulsion for blogging, forcing students to reveal their phone passwords, and all the other things I blog about.
Benjamin Herold writes:
Seeking to help schools and districts better protect students’ privacy, the U.S. Department of Education released new guidance Tuesday on the proper use, storage, and security of the massive amounts of data being generated by new, online educational resources.
The guidelines, produced by the department’s privacy technical assistance center, highlight the rapidly evolving, often-murky world of educational technology and student data privacy: “It depends” is the department’s short answer to two major questions related to the laws governing the sharing of sensitive student information with third-party vendors.
[....]
The new federal guidelines are non-binding and contain no new regulations, reflecting a desire to encourage “self-policing” by industry and better policies and practices by school systems as first steps towards shoring up students’ privacy protections.
Read more on Education Week.
Pardon me while I yawn, but non-binding, non-enforceable “guidelines” have done basically nothing in the area of privacy protection. Unless we see regulations with teeth to protect student and parent privacy and data security, we’re just wasting time.


Is this a viable strategy for Facebook? If Google was in the bidding for WhatsApp, perhaps so! I wonder if my students know what a “dial tone” is, or why we say “Dial” at all?
Mark Zuckerberg wants Facebook to be the 'dial tone for the Internet'
Facebook Inc Chief Executive Officer Mark Zuckerberg took a victory lap at the world's largest mobile technology conference in Barcelona on Monday, after beating out Google Inc in a $19 billion acquisition of free messaging service WhatsApp. But he faces bigger hurdles on the horizon.
Just 18 months after appearing at risk of getting crushed by the swelling mobile wave, the No. 1 social network is riding high. It gets a huge chunk of ad revenue on world-wide users of smartphones and tablets, from virtually nothing several years ago.
Now, Zuckerberg's purchase of WhatsApp - while raising eyebrows with the hefty price paid for a company that boasts 450 million users but has little revenue - places Facebook at the heart of smartphone communications.
"In the U.S. you can dial 911 and get access to basic services," Zuckerberg said, referring to the country's national emergency services phone number.
"We want to create a similar kind of dial tone for the Internet," he said, citing messaging, search and weather information among the essential online services that he said people throughout the world should be able to access on Internet-connected phones.

(Related) Perhaps “we want to rule the world” is not the best way to avoid attention.
Facebook-WhatsApp deal may spark probes
Facebook Inc.’s plan to buy WhatsApp Inc. for as much as $19 billion risks triggering privacy probes across the European Union as watchdogs seek to know how the mobile-messaging startup’s treasure trove of client data will be used, the European Union’s top privacy regulator said yesterday.
… The main concern for privacy regulators is the collection of data from its users’ address books on their phones when they download the application, Kohnstamm said.
The risk with such a database is that “it is tempting to use this data” for a completely different purpose, said Kohnstamm.
The company’s “collection of data of people that aren’t using WhatsApp is extreme and is not compliant with Dutch and European law.”


This could be amusing (and useful)
The World’s Constitutions to Read, Search and Compare
by Sabrina I. Pacifici on February 25, 2014
“New constitutions are written every year. The people who write these important documents need to read and analyze texts from other places. Constitute offers access to the world’s constitutions so that users can systematically compare them across a broad set of topics — using a modern, clean interface.
HOW TO USE CONSTITUTE? Constitute allows you to interact with the world’s constitutions in a few different ways.
  • Quickly find relevant passages. The Comparative Constitutions Project has tagged passages of each constitution with a topic — e.g., “right to privacy” or “equality regardless of gender” — so you can quickly find relevant excerpts on a particular subject, no matter how they are worded. You can browse the 300+ topics in the expandable drawer on the left of the page, or see suggested topics while typing in the search bar (which also lets you perform free-text queries).
  • Filter searches. Want to view results for a specific region or time period? You can limit your search by country or by date using the buttons under the search bar.
  • Save for further analysis. To download or print excerpts from multiple constitutions, click the “pin” button next to each expanded passage you want to save. You can then view and download your pinned excerpts in the drawer on the right.”


Copyright free?
Introducing eBooks from the Federal Depository Library Program
by Sabrina I. Pacifici on February 25, 2014
“To help meet the needs of the Federal Depository Library (FDL) community, the U.S. Government Printing Office (GPO) has made eBooks available in the Catalog of U.S. Government Publications (CGP). These titles are joining the growing number of online resources that have been a vital part of the Federal Depository Library Program (FDLP) for over 20 years. Users can download GPO-provided files of eBooks free of charge, for use on various eBook reading devices. GPO’s goal is to expand and provide greater access to U.S. Federal Government content. eBook titles can be accessed via catalog records available in the CGP. Catalog records include descriptive information, as well as Persistent Uniform Resource Locators (PURLs) that link to the eBook titles. PURLs provide web links that can be reliably cited in other publications. Each CGP record displays the available formats for a title—.mobi, .epub, as well as other digital formats. Every month, newly-acquired eBook titles are added to the CGP for public access.”


A markup language (lots of templates here) that makes it easier to write complex math formulas!
ShareLaTeX – Keep your LaTeX collaborators up to date by letting everyone access and edit the same LaTeX document. ShareLaTeX is the easiest LaTeX editor to get started if you’ve never used LaTeX before. Access the LaTeX editor and compile your LaTeX documents from any computer.


A Chrome App (based in Germany) that lets you pretend to be in another country...
ZenMate – Unblocks websites. Encrypts your browser traffic. Wifi & hacker protection. ZenMate is free, easy to install and use! Here’s what you’ll get through the ZenMate VPN proxy service – total privacy, they encrypt all your browser traffic. Total freedom – forget location restrictions.


Dilbert illustrates moderate “Fear of public speaking”

Tuesday, February 25, 2014

For my Ethical Hackers. Anyone can get hacked. Make sure you can blame someone else!
Rich McCormick reports:
The EC-Council, a US professional organization that offers a respected certification in ethical hacking, was itself hacked this weekend. Passport and photo ID details of more than 60,000 security professionals who have obtained or applied for the EC-Council’s Certified Ethical Hacker certification are at risk after the breach, many of whom work in sensitive political and military positions. They include members of the US military, FBI, United Nations, and National Security Agency.
Among their number is Edward Snowden, whose passport and application email for the certification were used to deface the EC-Council’s homepage, alongside the message “Defaced again? Yep, good job reusing your passwords morons.”
Read more on The Verge. See also Ars Technica coverage.
[from The Verge article:
The US Department of Defense has the EC-Council's Certified Ethical Hacker qualification as a mandatory standard for its Computer Network Defense Service Providers. According to Steve Ragan of CSO, the EC-Council's website — which is currently inaccessible — was found to have vulnerabilities to various methods of attack last year. This specific defacement is reportedly a DNS redirect, controlled by an IP that was implicated in an attack on Flash-based co-operative shooter Realm of the Mad God earlier this month.
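The Verge's point that the defacement was a DNS redirect, not a compromise of the web server itself, is worth dwelling on: the attacker only needed to change where the name pointed, which a site owner can watch for without touching the server. The check below is an added example written for this page, not code from EC-Council, The Verge or CSO. It compares the A records several resolvers return against a pinned baseline and distinguishes a change every resolver agrees on (the authoritative record was altered, as in a registrar or DNS-host takeover) from one only some resolvers see (propagation lag or a poisoned cache). The hostname, addresses and resolver names are constructed sample data; the resolver is injected as a callable so the example runs offline, and in real use it would wrap queries against specific DNS servers.

```python
"""Added example (not from the original post or its sources): a DNS-redirect
detector that compares live A records against a pinned baseline across several
resolvers. All hostnames, addresses and resolver names are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Set

# A resolver is any callable mapping a hostname to the set of A records it
# returns. It is injected so the example runs offline; a real deployment would
# wrap queries sent to specific DNS servers (e.g. via dnspython).
Resolver = Callable[[str], Set[str]]


@dataclass
class Verdict:
    status: str            # "ok", "authoritative_change", "partial", "unresolvable"
    unexpected: Set[str]   # addresses returned that are not in the baseline
    disagreeing: Set[str]  # resolvers that returned an unexpected address


def check_host(host: str, baseline: Set[str], resolvers: Dict[str, Resolver]) -> Verdict:
    """Classify the current DNS answers for `host` against `baseline`."""
    unexpected: Set[str] = set()
    disagreeing: Set[str] = set()
    answered = 0
    for name, resolve in resolvers.items():
        try:
            answers = resolve(host)
        except OSError:
            continue  # a resolver outage is "no data", not evidence of a change
        answered += 1
        extra = answers - baseline
        if extra:
            unexpected |= extra
            disagreeing.add(name)
    if answered == 0:
        return Verdict("unresolvable", set(), set())
    if not disagreeing:
        return Verdict("ok", set(), set())
    if len(disagreeing) == answered:
        # Every resolver that answered points somewhere new: the authoritative
        # record itself was changed, which is what a DNS-redirect defacement does.
        return Verdict("authoritative_change", unexpected, disagreeing)
    # Only some resolvers differ: propagation lag or a poisoned cache.
    return Verdict("partial", unexpected, disagreeing)


def make_fake_resolver(table: Dict[str, Set[str]]) -> Resolver:
    """Build an offline resolver from a constructed answer table."""
    def resolve(host: str) -> Set[str]:
        if host not in table:
            raise OSError("NXDOMAIN (constructed)")
        return set(table[host])
    return resolve


# Constructed sample data. 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges, so nothing here points at a real host.
BASELINE = {"203.0.113.10", "203.0.113.11"}
SAMPLE_RESOLVERS = {
    "resolver-a": make_fake_resolver({"www.example.test": {"198.51.100.7"}}),
    "resolver-b": make_fake_resolver({"www.example.test": {"198.51.100.7"}}),
    "resolver-c": make_fake_resolver({"www.example.test": {"198.51.100.7"}}),
}


def demo() -> Verdict:
    """Run the check over the constructed sample: every resolver has been redirected."""
    return check_host("www.example.test", BASELINE, SAMPLE_RESOLVERS)


if __name__ == "__main__":
    v = demo()
    print(v.status, sorted(v.unexpected), sorted(v.disagreeing))
```

Run on a schedule and alert on anything other than "ok"; an "authoritative_change" that you did not make yourself is the signal to go straight to the registrar and DNS host, since the web server's own logs will show nothing.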


“If you like something, we do that. If you don't like something, we don't do that.” Marketing 101 “We even don't do lots of stuff you didn't know you didn't like.” Marketing 201
Jack Clark reports:
A former White House security advisor has suggested that you, dear reader, are naive if you think hosting data outside of the US will protect a business from the NSA.
“NSA and any other world-class intelligence agency can hack into databases even if they not in the US,” said former White House security advisor Richard Clarke in a speech at the Cloud Security Alliance summit in San Francisco on Monday. “Non-US companies are using NSA revelations as a marketing tool.”
But the takeaway quote of his talk has to be this:
“The United States government has to get out of the business – if it were ever in the business – has to get out of the business of fucking with encryption standards,” Clarke said.
Read more on The Register.


We have the precedent of mandatory health insurance for healthy people to lower the cost to sick people, why not make secure companies pay to lower the cost to incompetents? (Note: This does not “spread the risk” – I'm still less likely to get hacked than the average company.)
David Navetta writes:
The BIG 2014 security stories concerning the Target, Neiman Marcus and Michaels payment card breaches have highlighted the significant criminal hacking and fraudulent payment card activity that goes on in the retail space. Of course, it was not so long ago that the Heartland Payment Systems breach (2008; 100 million cards exposed) and the TJX breach (2007; 45 million cards exposed) dominated the news cycle. The reactions in the media and with the population then were very similar to those today. The latest round of mega breaches occurred, however, despite the existence of the Payment Card Industry Data Security Standard for a decade. In fact, according to the Verizon 2014 PCI Compliance Report, only 11.1% of the organizations it audited between 2011 and 2013 satisfied all 12 PCI requirements. In other words, just under 90% of the businesses Verizon audited as a PCI Qualified Security Assessor failed. This begs the question, despite aggregate expenditures by merchants likely in the hundreds of millions of dollars (if not over a billion) over the last decade: has anything really changed?
Read more on InfoLawGroup, where David argues that just as states require automobile insurance, they could similarly require cyberinsurance for breaches. Alternatively, and as David seems to prefer, the card brands at the top of the pyramid could make it a contractual requirement for businesses that want to accept their cards.
As a side note, I need to point out that David mentions the reports of Michaels Stores being breached. As of a few days ago, when I reached out to them, Michaels Stores had not confirmed that they have had any breach. That’s not to say that they may not have had a breach, but just to point out that it’s possible that we will hear that there’s been no breach in that case.

(Related) and some Perspective.
Telecompaper reports:
Dutch ISP XS4ALL and the law firm Brinkhof have awarded their annual Internet Thesis prize to a masters student researching required disclosure of data breaches. The research found that any such legal requirement would likely not meet its objectives. The thesis was based on the number of disclosures in the US before and after implementation of legal requirements. While the number increased after the requirement was imposed, the impact was minimal: over the research period of eight years, only 0.05 percent of businesses in the US reported a data leak, while British research had already shown that around 80 percent of security managers have dealt with data breaches.

(Related) There ought to be a law!
AG Holder Urges Congress to Create National Standard for Reporting Cyberattacks
by Sabrina I. Pacifici on February 24, 2014
“In a video message released today, Attorney General Eric Holder called on Congress to create a strong, national standard for quickly alerting consumers whose information may be compromised by cyberattacks. This legislation would strengthen the Justice Department’s ability to combat crime, ensure individual privacy, and prevent identity theft, while also helping to bring cybercriminals to justice. [Not sure I completely agree Bob] “Late last year, Target – the second-largest discount retailer in the United States – suffered a massive data breach that may have compromised the personal information of as many as 70 million people, in addition to credit and debit card information of up to 40 million customers. The Department of Justice is currently investigating this breach, in close coordination with the U.S. Secret Service. And we are moving aggressively to respond to hacking, cyberattacks, and other crimes that harm American consumers – and expose personal or financial information to those who would take advantage of their fellow citizens.” As we’ve seen – especially in recent years – these crimes are becoming all too common. And they have the potential to impact millions of Americans every year. Just days after the Target breach was made public, another major retailer – Neiman Marcus – reported that it also suffered a suspected cyberattack during the holiday season. And although Justice Department officials are working closely with the FBI and prosecutors across the country to bring cyber criminals to justice, it’s time for leaders in Washington to provide the tools we need to do even more: by requiring businesses to notify American consumers and law enforcement in the wake of significant [A truly flexible term... Bob] data breaches. “Today, I’m calling on Congress to create a strong, national standard for quickly alerting consumers whose information may be compromised. This would empower [? Bob] the American people to protect themselves if they are at risk of identity theft. It would enable law enforcement to better investigate these crimes – and hold compromised entities accountable [Is this new? Do any existing laws go after breached entities like Target? Bob] when they fail to keep sensitive information safe. And it would provide reasonable exemptions for harmless breaches, to avoid placing unnecessary burdens on businesses that do act responsibly.


That's not funny.
Google's Schmidt: We don't (yet) have a connection inside your brain
When I heard that Google's Eric Schmidt had sat down to chat with a curiously trendy-looking Glenn Beck, I was hoping for questions like: "C'mon, Eric. Are you a commie?"
Instead, what ensued was a conversation about man and machine achieving perfect harmony, something that Lenin spectacularly failed to master.
Some might suspect that, in Google's eyes, such harmony would involve Google being able to control your arm as it reaches to scratch your head.
Schmidt, though, was at pains to put that concept to rest.
He said: "Google does not have a connection inside of your brain."
… Indeed, Schmidt then offered this follow-up: "We're not that good. Maybe yet. Maybe never."


For my students (not many use WhatsApp because of security concerns – should fit right in to Facebook.)
4 Slick WhatsApp Alternatives that Guard Your Privacy
… Facebook isn’t exactly known for its information privacy successes — in fact, its security gaffes have been some of the biggest tech news over the past few years, and its arcane security settings are infamous. We had to write a guide to help you figure them out.
Fortunately, if you no longer feel comfortable sending data through WhatsApp, you have some secure alternatives.

Monday, February 24, 2014

Is this just a betrayal of privacy or a “breach” by the UK Government? Can it be long before the US follows the UK's lead?
If this is true, then heads need to roll. And the sooner, the better.
Laura Donnelly reports:
The medical records of every NHS hospital patient in the country have been sold for insurance purposes, The Telegraph can reveal.
The disclosure comes days after controversial plans to extract patient data from GP files were put on hold, amid concerns over the scheme.
Those in charge of the programme have repeatedly insisted that it will be illegal for information extracted from GP files to be sold to insurers, who might seek to target customers or put up their prices.
However, a report by a major UK insurance society discloses that it was able to obtain 13 years of hospital data – covering 47 million patients – in order to help companies “refine” their premiums.
As a result they recommended an increase in the costs of policies for thousands of customers last year. The report by the Staple Inn Actuarial Society – a major organisation for UK insurers – details how it was able to use NHS data covering all hospital in-patient stays between 1997 and 2010 to track the medical histories of patients, identified by date of birth and postcode.
SOURCE: The Telegraph.
Keep in mind that the anonymization or pseudoanonymization promised by the government for care data supposedly would not use date of birth and postcode, which are two of the three pieces that increase the risk of identifying or re-identifying patients. So why were all these data given to insurers with such information reportedly included? Precisely so they could identify and track individual cases. Did the patients know and consent to their information being shared this way? Did they know and consent to their information being used to increase their premiums?
The SIAS paper can be found here (pdf, download link)
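The point in the commentary above is that date of birth plus postcode is very nearly a name. The following is an added example, not code from The Telegraph, the SIAS paper or any NHS system, that shows how a data custodian can measure that risk before releasing an extract: it counts how many rows in a pseudonymised table are the only row with their (dob, postcode) pair, then repeats the count after coarsening to birth year and outward postcode. The records, pseudonyms and postcodes are all constructed for illustration.

```python
"""Added example (not from the Telegraph or the SIAS paper): measure how far a
pseudonymised hospital extract is from anonymous when date of birth and postcode
are left in, and how much coarsening them helps. All records are constructed."""
from collections import Counter

# Constructed pseudonymised records: patient id replaced, quasi-identifiers kept.
SAMPLE_RECORDS = [
    {"pseudonym": "P001", "dob": "1970-03-14", "postcode": "SW1A 1AA", "admission": "cardiology"},
    {"pseudonym": "P002", "dob": "1970-11-02", "postcode": "SW1A 2BB", "admission": "orthopaedics"},
    {"pseudonym": "P003", "dob": "1970-11-02", "postcode": "SW1A 1AA", "admission": "oncology"},
    {"pseudonym": "P004", "dob": "1985-06-30", "postcode": "M1 1AE", "admission": "maternity"},
    {"pseudonym": "P005", "dob": "1985-09-01", "postcode": "M1 2AB", "admission": "cardiology"},
    {"pseudonym": "P006", "dob": "1962-01-20", "postcode": "EH1 1YZ", "admission": "psychiatry"},
    {"pseudonym": "P007", "dob": "1962-01-20", "postcode": "EH2 4AA", "admission": "oncology"},
    {"pseudonym": "P008", "dob": "1991-12-25", "postcode": "M1 1AE", "admission": "orthopaedics"},
]


def quasi_identifier(record, generalize=False):
    """Key a linkage would use: exact (dob, postcode), or (birth year, outward code)."""
    if generalize:
        return record["dob"][:4], record["postcode"].split()[0]
    return record["dob"], record["postcode"]


def group_sizes(records, generalize=False):
    """How many rows share each quasi-identifier key (the equivalence classes)."""
    return Counter(quasi_identifier(r, generalize) for r in records)


def unique_fraction(records, generalize=False):
    """Share of rows that are the only one with their key, i.e. trivially linkable."""
    sizes = group_sizes(records, generalize)
    singletons = sum(1 for r in records if sizes[quasi_identifier(r, generalize)] == 1)
    return singletons / len(records)


def min_group_size(records, generalize=False):
    """The k in k-anonymity: size of the smallest equivalence class."""
    return min(group_sizes(records, generalize).values())


def link(records, dob, postcode):
    """Pseudonyms that an outside party holding someone's dob and postcode could attach to them."""
    return [r["pseudonym"] for r in records if (r["dob"], r["postcode"]) == (dob, postcode)]


if __name__ == "__main__":
    for label, gen in (("exact dob + postcode", False), ("birth year + outward code", True)):
        print(f"{label}: {unique_fraction(SAMPLE_RECORDS, gen):.0%} of rows unique, "
              f"k = {min_group_size(SAMPLE_RECORDS, gen)}")
```

In the constructed table every row is unique on exact date of birth and postcode, so anyone holding those two fields for a person (an insurer's own customer file, for instance) can pull that person's admissions straight out of the extract; coarsening to year and outward code still leaves singletons, which is why a release process should check the smallest group size rather than rely on the absence of names.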


The world changes. We don't need to teach cursive, since “everyone” uses a keyboard to “text” their “friends.” Now it is too difficult to “text,” so we need technology that lets us “talk” to “friends.” If keyboards killed off the handwriting industry (quill pens and elegant note paper), will speech apps kill the keyboard and perhaps phone companies?
Messaging Giant WhatsApp, Now With 465M Users, Will Add Voice Services In Q2 Of This Year
Today Jan Koum, the CEO of WhatsApp — acquired by Facebook last week for $19 billion — delivered another news bomb on top of last week’s milestone: he announced that the messaging giant is finally moving into voice — a move announced at MWC, the conference for mobile carriers that apps like WhatsApp are squarely disrupting.
The move will put WhatsApp — and by default Facebook — more squarely in competition against the likes of KakaoTalk, Line, BBM and other messaging apps that also offer voice services.


Interesting. Suggests the Law School isn't too interested in things like Constitutional Law, even if that seems to be one path to the presidency. (Maybe these are the “Let's make lots of money” courses?)
What Courses Should Law Students Take? Harvard’s Largest Employers Weigh In
by Sabrina I. Pacifici on February 23, 2014
Coates, IV, John C. and Fried, Jesse M. and Spier, Kathryn E., What Courses Should Law Students Take? Harvard’s Largest Employers Weigh In (February 17, 2014). Available at SSRN: http://ssrn.com/abstract=2397317
“We report the results of an online survey, conducted on behalf of Harvard Law School, of 124 practicing attorneys at major law firms. The survey had two main objectives:
(1) to assist students in selecting courses by providing them with data about the relative importance of courses; and
(2) to provide faculty with information about how to improve the curriculum and best advise students.
The most salient result is that students were strongly advised to study accounting and financial statement analysis, as well as corporate finance. These subject areas were viewed as particularly valuable, not only for corporate/transactional lawyers, but also for litigators. Intriguingly, non-traditional courses and skills, such as business strategy and teamwork, are seen as more important than many traditional courses and skills.”


Perspective. This is how the Philippines sees it. I really like the graphics that accompany this article. Makes it easy to see who was “for” and who “against.”
How the Supreme Court voted on the Cybercrime Law
The Supreme Court ruling on the validity of the Cybercrime Prevention Act of 2012 (Republic Act 10175) will be studied as a landmark case dealing with modern everyday information and communication technologies (ICTs) such as the Internet, cellular phones, and social media.
The 50-page majority opinion – or ponencia – was penned by SC Associate Justice Roberto Abad, who is set to retire this year on May 22. Five justices, including the chief justice, were in the minority who disagreed with some legal points in Abad’s ponencia – in particular, the treatment of cyberlibel, cybersex, and unsolicited commercial communications or “spam.”


Perspective, that's why they hired Kurzweil – he's got one. Is Google trying to catch up to IBM's Watson? Extend the self-driving car technology to Drones? Replace teachers?
Ray Kurzweil changing the landscape of Google with new focus on robotics
by Sabrina I. Pacifici on February 23, 2014
Guardian: “Ray Kurzweil…believes that we can live for ever and that computers will gain what looks like a lot like consciousness in a little over a decade is now Google’s director of engineering. The announcement of this, last year, was extraordinary enough. To people who work with tech or who are interested in tech and who are familiar with the idea that Kurzweil has popularised of “the singularity” – the moment in the future when men and machines will supposedly converge – and know him as either a brilliant maverick and visionary futurist, or a narcissistic crackpot obsessed with longevity, this was headline news in itself. But it’s what came next that puts this into context. It’s since been revealed that Google has gone on an unprecedented shopping spree and is in the throes of assembling what looks like the greatest artificial intelligence laboratory on Earth; a laboratory designed to feast upon a resource of a kind that the world has never seen before: truly massive data. Our data. From the minutiae of our lives. Google has bought almost every machine-learning and robotics company it can find, or at least, rates. It made headlines two months ago, when it bought Boston Dynamics, the firm that produces spectacular, terrifyingly life-like military robots, for an “undisclosed” but undoubtedly massive sum. It spent $3.2bn (£1.9bn) on smart thermostat maker Nest Labs. And this month, it bought the secretive and cutting-edge British artificial intelligence startup DeepMind for £242m. And those are just the big deals. It also bought Bot & Dolly, Meka Robotics, Holomni, Redwood Robotics and Schaft, and another AI startup, DNNresearch. It hired Geoff Hinton, a British computer scientist who’s probably the world’s leading expert on neural networks. And it has embarked upon what one DeepMind investor told the technology publication Re/code two weeks ago was “a Manhattan project of AI”. 
If artificial intelligence was really possible, and if anybody could do it, he said, “this will be the team”. The future, in ways we can’t even begin to imagine, will be Google’s.”


Y'all should try for right good writing!
Improve Your Writing With Expresso, The Style Checker
… Can no website or app help you make better writing choices?
Meet Expresso. It will change the way you blog – for the better.
… So, how does it work? It’s actually quite simple. Open Expresso up in a modern web browser. Copy your text into your browser and click ‘Analyze Text’. After a few seconds (subject to the length of the piece uploaded), Expresso completes its analysis and tells you how much you suck at writing.

Sunday, February 23, 2014

Granted, there are always false positives that need to be investigated (otherwise they would be true positives). What broke down here? It looked like a real program name, so we didn't bother to check?
Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data
The hackers who raided the credit-card payment system of Neiman Marcus Group (NMG) set off alerts on the company’s security systems about 60,000 times as they slunk through the network, according to an internal company investigation.
The hackers moved unnoticed in the company’s computers for more than eight months, sometimes tripping hundreds of alerts daily because their card-stealing software was deleted automatically each day from the Dallas-based retailer’s payment registers and had to be constantly reloaded. Card data were taken from July through October.
The 157-page analysis, which is dated Feb. 14, also shows that the Neiman Marcus breach is almost certainly not the work of the same hackers who stole 40 million credit card numbers from Target (TGT), said Aviv Raff, an Internet-security expert.
… Ginger Reeder, a spokeswoman for Neiman Marcus, says the hackers were sophisticated, giving their software a name nearly identical to the company’s payment software, so any alerts would go unnoticed amid the deluge of data routinely reviewed by the company’s security team.
… The company’s investigation has found that the number of customer cards exposed during the breach was lower than the original estimate of 1.1 million. The maximum number of customer cards exposed, according to the most recent estimate, is less than 350,000, Reeder says. Approximately 9,200 of those have been used fraudulently since the attack, she says.
… According to the report, Neiman Marcus was in compliance with standards meant to protect transaction data when the attack occurred.
… New details of the cyberattack on Neiman Marcus, which the retailer disclosed on Jan. 10, emerged in a forensic report required under security standards set by the major credit-card brands. The review leaves many questions about the attack unanswered because the data are insufficient. Investigators couldn’t trace how the hackers broke into the network, for example, or when the data were removed.
… The system’s ability to automatically block the suspicious activity it flagged was turned off because it would have hampered maintenance, such as patching security holes, the investigators noted.
… Neiman Marcus was first notified of a potential problem on Dec. 17 by TSYS (TSS), a company that processes credit-card payments, according to the report. TSYS linked fraudulent card usage back to what’s called “a common point of purchase”—in this case, Neiman Marcus stores.
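The article describes two things a detection team could have keyed on: a process whose name was one character away from the real payment software, and the same alert tripping on the same registers day after day because the malware was wiped and reloaded. The following is an added example, not code from the Bloomberg piece or from Neiman Marcus, of triage logic that surfaces both patterns from an alert feed. The binary names, register hostnames and log lines are constructed for illustration.

```python
"""Added example (not from the Bloomberg article or Neiman Marcus's own tooling):
triage of endpoint alerts whose process name is a near-duplicate of a known-good
binary, plus a check for the same name re-appearing on the same register day after
day. Binary names, hostnames and log lines are all constructed for illustration."""
from collections import Counter, defaultdict

# Constructed allowlist of legitimate payment-software binaries (hypothetical names).
ALLOWED_BINARIES = {"nmgpayment.exe", "posagent.exe", "cardsvc.exe"}

# Constructed alert feed: "<timestamp> <host> <alert_type> <process>".
# "nmgpaymnet.exe" is a transposition of the allowed "nmgpayment.exe".
SAMPLE_ALERTS = """\
2013-08-01T06:02:11 REG-0417 AV_DETECT nmgpayment.exe
2013-08-01T06:02:12 REG-0417 AV_DETECT nmgpaymnet.exe
2013-08-01T06:05:40 REG-0418 AV_DETECT nmgpaymnet.exe
2013-08-01T09:15:00 REG-0500 AV_DETECT posagent.exe
2013-08-01T10:00:00 REG-0501 AV_DETECT notepad.exe
2013-08-02T06:01:59 REG-0417 AV_DETECT nmgpaymnet.exe
2013-08-02T06:03:03 REG-0418 AV_DETECT nmgpaymnet.exe
2013-08-03T06:02:30 REG-0417 AV_DETECT nmgpaymnet.exe
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def classify_process(name, allowed=ALLOWED_BINARIES, max_distance=2):
    """Return ("allowed" | "lookalike" | "unknown", closest allowed name or None)."""
    name = name.lower()
    if name in allowed:
        return "allowed", name
    closest = min(allowed, key=lambda good: levenshtein(name, good))
    if levenshtein(name, closest) <= max_distance:
        return "lookalike", closest
    return "unknown", None


def parse_alerts(text):
    """Split the constructed feed into event dicts; 'date' is the timestamp's day."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, alert_type, process = line.split()
        events.append({"date": ts[:10], "host": host, "type": alert_type, "process": process})
    return events


def triage(text, allowed=ALLOWED_BINARIES, min_days=3):
    """Count lookalike names and find hosts where one recurs on >= min_days distinct days.

    A lookalike that keeps coming back on the same register is the pattern the
    article describes: the malware is wiped each day, reloaded, and fires again."""
    lookalikes = Counter()
    days_by_host = defaultdict(set)
    for ev in parse_alerts(text):
        label, _closest = classify_process(ev["process"], allowed)
        if label == "lookalike":
            lookalikes[ev["process"]] += 1
            days_by_host[ev["host"]].add(ev["date"])
    recurring = {host: len(days) for host, days in days_by_host.items() if len(days) >= min_days}
    return {"lookalikes": lookalikes, "recurring_hosts": recurring}


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for name, n in result["lookalikes"].items():
        print(f"lookalike {name!r}: {n} alerts")
    for host, days in result["recurring_hosts"].items():
        print(f"{host}: lookalike re-appeared on {days} distinct days")
```

The two checks are deliberately cheap: a name one or two edits away from something on the allowlist is worth a human look on its own, and a "known" alert that fires on the same host every morning is a sign that whatever the antivirus removed is being put back, not that the signature is noisy.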


Does “Not private” mean open to the public?
Rochelle Olson reports:
A U.S. District Court judge on Friday threw out three major cases involving hundreds of allegations of improper public-employee snooping into driver’s license data, saying no federal law was violated and driver information is not private.
In three similar orders, Judge David Doty said information on drivers’ licenses such as eye color, height, weight and address may be personal, but it’s not private.
Read more on Star Tribune.
[From the article:
“The identical information can be obtained from public property tax records ... [and] there is a long history in the United States of treating motor vehicle records as public records,” the judge’s order said, citing a 1998 ruling from a different circuit.
… A critical question in the cases was whether viewing driver’s license data without an official purpose qualifies as a misuse under federal Driver’s Privacy Protection Act. The driver database contains historical photographs, addresses and driving records on Minnesotans with a license.
In each of the three orders, Doty wrote about two dozen pages with similar reasoning. The judge said the plaintiffs failed to show that the defendants had accessed their records for an impermissible reason. “In the absence of clear evidence to the contrary, courts presume that [public officers] have properly discharged their official duties,” he wrote.

(Related) “Oh, the plan we canceled? That was “Plan 9 from Outer Space,” plans 1 through 8 are working fine, thank you.”
Extensive DHS Licence Plate Data Collection Exists – Expansion Planned
by Sabrina I. Pacifici on February 22, 2014
Follow up to previous posting - EFF – A Massive Expansion of Plate Data Collection, via ACLU - Setting the record straight on DHS and license plate tracking: “First of all, contrary to widespread understanding, DHS’ solicitation for bids had nothing to do with asking a contractor to build a nationwide license plate tracking database. Such a database already exists. The solicitation was more than likely merely a procedural necessity towards the goal of obtaining large numbers of agency subscriptions to said database, so that ICE agents across the country could dip into it at will, as many have been doing for years already. There was never a plan to “build” a plate database. A database almost exactly like the one DHS describes is a current fact. It is operated by a private corporation called Vigilant Solutions, contains nearly two billion records of our movements, and grows by nearly 100 million records per month. As I explain in greater detail here, DHS likely just wanted broader access to tap it. Second, contrary to the impression that many seem to have that DHS does not use license plate readers, some of the agency’s sub-organizations have been using the technology for years now. Customs, Border Patrol, for example, operates license plate readers at every land border crossing, a fact that has been somewhat widely reported. You have to read beyond headlines like “Department of Homeland Security cancels national license-plate tracking plan” to understand that DHS already makes substantial use of license plate readers, both by deploying its own and accessing privately held databases containing billions of records. It seems as if many people are under the mistaken impression that we dodged a surveillance-bullet when DHS withdrew this solicitation. We didn’t. A national plate tracking database exists, run by Vigilant Solutions, and it is widely used by law enforcement nationwide. 
The company is currently aggressively defending in court its ability to track anyone it wants, however it wants. If you’d like to see which agencies have access to its rapidly growing database, you can click here and scroll through the drop down menu. Vigilant has helpfully provided a list for all to peruse.”


Something for the IP lawyers? “Okay, give them the contact information, but we (the court) will watch them like a hawk, because they are clearly a bunch of trolls.”
Canadian Court Decision on Copyright Trolls and P2P Lawsuit
by Sabrina I. Pacifici on February 22, 2014
Via Michael Geist: “The federal court has released its much anticipated decision in Voltage Pictures v. Does, a case involving demands that TekSavvy, a leading independent ISP, disclose the identities of roughly 2,000 subscribers alleged to have downloaded movies without authorization. The case attracted significant attention for several reasons: it is the first major “copyright troll” case in Canada involving Internet downloading (the recording industry previously tried unsuccessfully to sue 29 alleged file sharers), the government sought to discourage these file sharing lawsuits against individuals by creating a $5,000 liability cap for non-commercial infringement, TekSavvy ensured that affected subscribers were made aware of the case and CIPPIC intervened to ensure the privacy issues were considered by the court. Copies of all the case documents can be found here. The court set the tone for the decision by opening with the following quote from a U.S. copyright case: “the rise of so-called ‘copyright trolls’ – plaintiffs who file multitudes of lawsuits solely to extort quick settlements – requires courts to ensure that the litigation process and their scarce resources are not being abused.” The court was clearly sensitive to the copyright troll concern, noting that “given the issues in play the answers require a delicate balancing of privacy rights versus the rights of copyright holders. This is especially so in the context of modern day technology and users of the Internet.”


A most interesting Infographic...
The Evolution of Data Storage


For my website students.
– is a set of testing tools for Microsoft web developers. Test your site on various versions of IE using free virtual machines for Windows, Mac, and Linux. Test your site on browsers hosted by Browserstack. Scan for common coding problems.