Saturday, November 15, 2014

If you can't win the argument, leave the room. Did any of this make the news here?
Putin plans to leave G20 early after West blasts Russia over Ukraine
Russian President Vladimir Putin plans to leave the G20 summit early, a member of his delegation said, after Western leaders blasted Moscow on Saturday for the crisis in Ukraine and threatened more sanctions.
Russia denied it was involved in a recent escalation of military activity in Ukraine, where fighting has claimed more than 4,000 lives, but faced strong rebukes from Western leaders, including U.S. President Barack Obama and Canadian Prime Minister Stephen Harper.
… German Chancellor Angela Merkel said the European Union was considering further financial sanctions against Russian individuals because of the crisis in Ukraine.
… Putin also met French President Francois Hollande, and both agreed to protect their ties from the effects of sanctions, the spokesman said.

(Related) France has a Billion reasons to “protect their ties” with Russia.
Russia Just Gave France A Final Deadline To Hand Over The Mistral Warship
Russia has given France until the end of November to deliver the first of two Mistral-class helicopter carriers currently stuck in a shipyard in Saint-Nazaire, according to reports.
… Since the onset of the Ukraine crisis the French government has agonised over the €1.2 billion contract. After tense negotiations, France succeeded in getting existing contracts excluded from the European Union's package of sanctions against Russia over its role in supporting rebels in eastern Ukraine.


This is always on my Computer Security final in one form or another.
Identify stupid things IT can do to defeat your security:
A) Fail to change default passwords.
B) Write the password on a sticky note and leave it attached to the computer.
C) Give every user unlimited access.
Delwyn Pinto reports:
When a small-time Tennessee restaurateur named Khaled Abdel Fattah was running short of cash he went to an ATM machine. Actually, according to federal prosecutors, he went to a lot of them. Over 18 months, he visited a slew of small kiosk ATMs around Nashville and withdrew a total of more than $400,000 in 20-dollar bills. These two individuals managed to hack and reprogram the ATMs using just the keypad. These ATMs in question have an operator mode, using which a lot of variables of the machine can be managed and set to default mode. Most ATMs secure this mode by using a secret passcode. Fattah, being a former bank employee, knew this code and abused it to hack into the machines. Once hacked into the system, they reprogrammed the machine to think it was dispensing $1 bills when it reality it was dispensing $20 dollar bills. Once withdrawn, they programmed the machine back so that their little exercise wasn’t detected. [Surely someone at the bank can count? Bob]
Read more on TechWorm.


A question for the more advanced Management of Computer Security class. How much employee training is enough? Note that “internal controls” detected and stopped the unauthorized changes. (Perhaps as simple as calling or emailing the employee to confirm the change.) But the phishers still had the hacked employee's data.
If seven of your employees fell for a phishing scam, I’d say that’s pretty compelling evidence that you need to do more training of your employees, wouldn’t you?


I'm confused. As I read this, the compromised individuals were in the database, not the subscribers accessing it. If these are “public records,” why would this be considered a breach? Does aggregating the data and making it easily searchable change the nature of “public?”
West Publishing Corporation, a unit of Thomson Reuters, has notified the New Hampshire Attorney General’s Office of a breach involving their Westlaw subscription-only public records database.
In a letter dated November 4th to those affected, Senior Vice President Andy Martens explained that on October 14, they detected unusual search activity. Investigation revealed that some subscribers’ passwords had been compromised and used to access the database. The types of information involved included addresses, date of birth, and in some cases, driver’s license numbers and Social Security numbers. No bank account or credit card information was involved.
In response to the breach, West removed external access to full sensitive identifiers in public records, forced a password reset on all public user accounts, and implemented additional technological controls to detect and respond to searches of more limited public records that also appeared unauthorized. Federal law enforcement was also contacted.
West offered those affected two years of free credit monitoring with Experian ProtectMyID Elite.
Nine NH residents were notified. The total number of individuals notified was not indicated in their report to New Hampshire.


Defending legality by not mentioning the law? This could be similar to driving around town looking for a suspect's vehicle. You look at every car, even if only long enough to dismiss it.
U.S. Defends Marshals in Wake of Secret Cellphone Spying Report
The Justice Department, without formally acknowledging the existence of the program, defended the legality of the operation by the U.S. Marshals Service, saying the agency doesn’t maintain a database of everyday Americans’ cellphones.
… A Justice Department official on Friday refused to confirm or deny the existence of such a program, because doing so would allow criminals to better evade law enforcement. [Because that is Policy, not logic. Bob]


Interesting. Could it be “because we're a monopoly in most markets.” Or is there really an economic reason. Can't wait to see how they spin this.
FCC Questions AT&T: Explain Why Your Fiber-Optic High-Speed Internet Nationwide Rollout Will be Delayed
The Federal Communications Commission is seeking an explanation from AT&T on why the company will be delaying the rollout of the fiber-optic expansion for high-speed Internet.
AT&T CEO Randall Stephenson previously said that the company will be stopping its investments in its planned nationwide fiber upgrade plan until matters on net neutrality are resolved.
… The letter by the FCC is asking AT&T to reveal all the documentation connected with the company's decision to halt its investments and expansion. Included in the information being requested by the FCC are the location and number of households that would have received access to fiber networks in earlier plans of the company and the same data for the company's current plans.
Additionally, the FCC asked whether the investment model of AT&T now shows that the deployment of fiber networks is unprofitable, or if the company is expecting it to become unprofitable after its purchase of DirecTV. [Interesting way to ask if buying DirecTV was a huge mistake. Bob]

(Related) An alternative take... (Translating the political politeness?)
FCC: You, AT&T. Get in here and explain this 'no more gigabit fiber' threat
US watchdog the FCC is calling out AT&T for throwing a hissy-fit over net neutrality and halting its gigabit-a-second fiber rollout.
… The FCC, however, is not so convinced of AT&T's arguments that it could lose money from the wider rollout of gigabit fiber, should FCC enforce net neutrality rules, and so the commission wants to check AT&T's math.


Big Data Analysis. Interesting approach.
Attensity Boosts Ability to Discover 'Unknown' Trends in Data
"Social analytics has largely been limited up to this point by forming hypotheses and testing them – the hunting and pecking for insights that traditional search requires you to do," Matsumoto said. "But there is a growing need for our customers to be presented with findings that they didn’t know to look for. These findings may be within their search topic, adjacent to it or many degrees removed through nested relationships."
… Matsumoto offered the example of the Amazon Firephone. Using traditional search methodology, it is easy to see the product has a low number of mentions. But a recent search on Attensity Q showed a significant spike of interest in the Firephone on Sept. 16 that Attensity attributed to growing interest in Amazon's Firefly technology, which allows users to snap a picture of an object and buy it from Amazon.
… "With this information, an Amazon product marketer knows where to focus his or her energy. At this point, they are much better off than just wondering, 'How can I get more interest in my product,' since they now have a theory to pursue," she said.


I work in a very funny industry.
Coursera announced that it has struck a deal with the Department of Veterans Affairs, making one free verified certificate available to each US veteran. According to Coursera, “this effort will expose Veteran learners to industry relevant education and help them master new skills to succeed in today’s workforce.” It’s fascinating how the Obama Administration says it wants to crack down on for-profit universities, and then happily funnels money to another for-profit higher ed company. Tressie McMillan Cottom responds.
Visit the Veteran Employment Center to learn how to redeem your free credential voucher.
… Muslims in Montgomery County, Maryland asked the district to close schools on their two most important religious holidays – ya know, like schools do for Christian and Jewish holy days. “Instead, the school board voted 7–1 on Tuesday to strip all mention of religious holidays from the calendar, even though Christian and Jewish holidays remain official days off,” reports Libby Nelson for Vox.
… A Huntsville, Alabama school district “expelled 14 students last year based on the findings of a private contractor who monitored students’ social-media activity as part of greater school security efforts, according to a review by The Huntsville Times. Twelve of them were black, drawing concerns that the program unfairly targeted African-American students.” [No indication of specific laws or policies violated. Bob]
… The Thurgood Marshall College Fund and the University of Phoenix announced a partnership that will enable students at HBCUs to take online courses from the for-profit university to supplement their on-campus work. [Future market for “For Profit” universities? Bob]
Google boasted on its blog this week that the Chromebook was the bestselling K–12 device in the third quarter of 2014.
… In a partnership with Nature Education and Roche, UNESCO has launched a free science education resource, World Library of Science.
Clayton Christensen doubles down on his prediction that half of all universities will be bankrupt in the next 15 years.
… “Sixty-six percent of schools nationwide offer ebooks, up from 54 percent in 2013.” More from the School Library Journal’s annual “Ebook Usage in U.S. School (K–12) Libraries” report.

Friday, November 14, 2014

So what do we call it? A “drive-by?” Even worse: Putin thinks this will stimulate the Russian economy.
Russian Tanks in Ukraine, but US Won’t Say ‘Invasion’
Thousands of Russian troops have crossed into eastern Ukraine in recent days, along with columns of tanks, artillery and air-defense systems, according to NATO’s top commander.
By nearly every definition – indeed, according to the Oxford dictionary – the act of armed forces crossing the border would constitute an invasion.
But the Obama administration has noticeably avoided using the word to describe Russia’s apparent action (Russia denies any of its troops or military equipment are in Ukraine). Instead, U.S. officials have resorted to terms like “incursion” or even more contorted rhetorical gymnastics.


If I was the suspicious type, which I have been trained to be, I might think this was a deliberate backdoor into Windows. Even so, it's amazing that it took 19 years for someone outside of the NSA to find it.
Microsoft fixes severe 19-year-old Windows bug found in everything since Windows 95
… IBM researcher Robert Freeman described the vulnerability as “rare, ‘unicorn-like’ bug found in code that IE relies on but doesn’t necessarily belong to.”
According to Freeman, the bug relies on a vulnerability in VBScript, which was introduced in Internet Explorer 3.0. Even today, the bug is impervious to Microsoft’s anti-exploitation tools (known as Enhanced Mitigation Experience Toolkit) and the sandboxing features in Internet Explorer 11.
The good news is that there’s no evidence of anyone actually exploiting this vulnerability in the wild, and doing so would be technically tricky. [Good hacking technique: erase the evidence! Bob]


For discussion n my Computer Security class.
The Veterans Administration has introduced a new snapshot element to their monthly reports to Congress, and it’s informative. For the month of October, they report:
  • Intrusion Attempts (Blocked): 12,148,205
  • Malware (Blocked/Contained): 206,564,180
  • Suspicious/Malicious Emails (Blocked): 71,598,834
  • Infected Medical Devices (Contained)** 27
  • Outgoing Unencrypted Emails (Blocked) 96
** Running total of medical device infections for which remediation efforts are underway
In terms of reported breach/incidents for the month, they report:
  • Lost and Stolen Devices: 52
  • Lost PIV Cards: 131
  • Mishandled Incidents: 128
  • Mis-mailed Incidents: 146
The incidents resulted in:
  • 765 VETERANS AFFECTED
  • 229 Notifications
  • 536 Credit Protection Services Offered
The VA notes: “Of the total # of Veterans affected, 640 were in relation to protected health information incidents, reported to HHS in accordance with the HITECH Act.”
You can read details of the incidents in the full report.


Not a large beach, but the “third party” here is a law firm.
Heather Graf reports that Seattle Public Schools has notified parents of approximately 8,000 students of a breach involving their records. Most of the students involved are special education students.
According to King5 News, the notification states, in part:
“Late Tuesday night Seattle Public Schools learned that a law firm retained by the district to handle a complaint against the district inadvertently sent personally identifiable student information to an individual involved in the case. The district promptly removed the law firm from the case and is working to ensure that all improperly released records are retrieved or destroyed.”
The person to whom the records were mistakenly released contacted the district to report the breach.
You can read more on King5 News. There does not appear to be any notice up on the Seattle Public Schools web site at this time.
The district has reportedly notified the U.S. Education Department of the breach to seek their assistance in investigating how the breach happened. I’d be surprised if they got any real assistance of that kind, but I’d be happy to be wrong about that.
Most people know that students’ education records are protected under FERPA, but for special education students, another federal law, the Individuals with Disabilities Education Act (IDEA) also applies. IDEA has provisions requiring confidentiality of records. Unlike FERPA, however, IDEA is enforced by the state’s education agency, not the U.S. Education Department.
So what might the consequences of this breach be? The law firm who exposed the information got fired. That’s unusual, but I do think that needs to be headlined so that law firms get the message that their clients are serious about data protection. Other than that, I don’t really expect anything else. A complaint to USED under FERPA might result in an educative letter to the District without any other consequences, and a complaint to the state is unlikely to result in any consequences for the district.
Could the FTC initiate an investigation and/or enforcement action against the law firm? I cannot think of any data security cases involving law firms, can you?
In other words, this is likely to be just another day in the education sector.


I think, in some instances, she is correct.
Margo Schlanger has written a great article forthcoming in the Harvard National Security Journal about intelligence legalism, an ethical framework she sees underlying NSA surveillance. Margo makes the case that NSA and the executive branch haven’t been asking what the right surveillance practices should be, but rather what surveillance practices are allowed to be.
… In the model of legalism that Margo sees the NSA following, any spying that is not legally prohibited is also right and good because ethics is synonymous with following the rules. Her critique of “intelligence legalism” is that the rules are the bare minimum, and merely following the rules doesn’t take civil liberties concerns seriously enough.


Leaves much to be desired...
Marianne Le Moullec writes:
The Article 29 Working Party, which is composed of representatives of DPA’s from every European country, has recently rendered an opinion (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf) on data privacy issues surrounding the development of the “Internet of Things” (IoT), which includes wearable computing, quantified self devices, and domotics. Although such data is generated by “things” or devices, it is considered personal data because it may enable the life pattern of a specific individual to be discerned. After identifying the major privacy issues raised by such devices, the Article 29 Working Party made a series of recommendations to IoT stakeholders.
Read more on Proskauer Privacy Law Blog.


I'm going to go way out on a limb here and suggest that nothing written by lawyers is written for “users.” Everything is written with that court clash in mind.
Facebook writes new privacy policy for users, not lawyer
Facebook released proposed changes to its policy Thursday and created a tutorial to answer questions about privacy. But the changes don't do anything to alter what data Facebook collects.
… The proposed policy is 2,700 words, down from 9,000. Facebook will be taking comments and questions about the new policy for the next seven days. The announcement included a new "Privacy Basics" guide to help users understand who can see information that is posted.


Curious. This will be fun to implement.
Jeff Kosseff writes:
The Ninth Circuit recently issued two opinions addressing whether companies should require customers to explicitly agree to key provisions of user terms and other policies.
On Monday, a unanimous three-judge panel issued an opinion in Knutson v. Sirius XM Radio. In this case, the plaintiff purchased a Toyota that included a trial subscription to Sirius. About a month after his trial subscription began, he received a Welcome Kit that included a customer agreement with an arbitration clause.
[...]
The Knutson decision comes a few months after the Ninth Circuit’s opinion in Nguyen v. Barnes & Noble, Inc., in which the Ninth Circuit refused to enforce an arbitration clause on Barnes & Noble’s website’s terms of use. The terms were made available to users via a link at the bottom of each page of the website. But the site did not require users to affirmatively agree to the terms, such as by checking a box or clicking “I agree.”
Read more on Covington & Burling InsidePrivacy.


I think this judge is smart.
Court: Website domains can’t be seized
A federal court has ruled that country code domain names such as .us and .uk aren’t property and can’t be seized as part of a court process.
Victims of terrorism from Iran, Syria and North Korea had asked the U.S. District Court for the District of Columbia to force the nonprofit Internet Corporation for Assigned Names and Numbers (ICANN) — which handles domain names online — to hand over control of those countries’ domain names, which are .ir, .sy and .kp, respectively.
… This week, Judge Royce Lamberth tossed that argument out.
Country code top-level domains (ccTLDs) "are not property" that can be seized, he ruled, because they “cannot be conceptualized apart from the services provided” by the domain name managers.


Do they view this as an arms race? Will they insist on air-to-air missiles? How long before they go nuclear?
John Surico writes:
Imagine a small drone fluttering its way across the East River in New York City. Undetectable by radar, it’s headed toward midtown Manhattan, and equipped with a destructive arsenal of weapons. Or a chemical agent. Or explosives. Or on a collision course with a jetliner. A hovering warcraft that can take out hundreds, if not thousands, of American citizens, controlled by a not-too-distant terrorist organization, and ready to unleash death from above on suspecting New Yorkers.
Sounds terrifying, right? According to top New York Police Department brass, this kind of nightmare scenario could be in Gotham’s not-too-distant future.
Last week, CBS News reported that the largest municipal police force in the country is seriously considering weaponized drones as the newest security threat to terrorists’ favorite target.
Read more on Vice.


A tidbit from MakeUseOf's collection of short items.
MPAA Tells You Where To Watch TV
A new website has launched detailing where you can watch your favorite movies and TV shows online. And this particular one, WhereToWatch.com, has been put together by the Motion Picture Association of America (MPAA), those crazy cats who protect the interests of Hollywood.
As you may expect, Where To Watch only features legal sources for movies and TV shows, such as Netflix and iTunes. It also doesn’t have any advertising, which should win it some imaginary Internet points. As Re/Code points out, its one failing is a lack of pay TV listings, which actually makes it perfect for cord-cutters.


“Information Governance,” the next big thing?
Symantec – Government agencies and private sector businesses are drowning in information
Navigating Information Governance – “In addition to managing the growing variety, velocity, and volume of data, they must:
  • Meet information transparency objectives
  • Respond quickly to eDiscovery requirements
  • Manage Freedom of Information Act (FOIA) requests and internal investigations
  • Comply with records management regulations
  • With data requirements skyrocketing, how can organizations leverage information governance to meet this tidal wave head on while ensuring data security?
To find out, Symantec recently surveyed 152 Federal government and 153 private sector attorneys, IT executives, FOIA agents, and records managers to examine barriers to and benefits of achieving true enterprise-wide information governance.” Today’s information governance is inadequate:
  • Nearly three-quarters of respondents’ organizations (74%) have a formal, enterprise-wide information governance strategy, but just one in five say it’s very effective
Data security is at risk:
  • Just 37% give their organizations an “A” for data protection, 28% for data discovery, and 26% for data management
  • Forty-four percent of respondents say that data security and protection is the single largest information governance-risk their organizations will face if not addressed
Organizations must make investments in technology and training:
  • Respondents believe their organization should take the following steps to ensure effective, enterprise-wide information governance programs: Improve training (46%), educate end users on the importance of records (46%), and improve technology (43%)
  • During the next two years, organizations say they are most likely to invest in security software, document management, data loss prevention, and backup..”

Thursday, November 13, 2014

Apparently, they don't have a handle on this breach yet. They shut down VPN either at headquarters or nationwide. Also, read the FAQ with particular attention to the question on lessons learned. They didn't.
Postal Service Suspends Telecommuting, VPN Access as Breach Investigation Continues
The United States Postal Service (USPS) has shut down employee VPN (virtual private network) access and suspended telecommuting until further notice for employees at Postal Service headquarters.
USPS Media Relations Manager David Partenheimer told SecurityWeek via email that while VPN is out nationwide, the suspension of telecommuting does not affect a huge number of employees.
In a FAQ for employees dated Nov. 10, the postal service stated that VPN access was identified as being vulnerable to intrusion and would be unavailable as USPS makes modifications.
… "Additionally, we are instituting numerous additional security measures, some of which are equipment and system upgrades that will not be visible to any users, and some of which are changes in policies and procedures that we will be rolling out in the coming days and weeks." [Translation: “Our security was lousy but we're scrambling to fix all the holes we've known about for years.” Bob]


Why would China (or anyone else) want to break into the US Weather Service? It has military implications. Does the US have better weather models than China?
Cyberattackers believed to have been working from China broke through defenses of the US weather service recently, according to a Washington Post report.
US media outlets on Wednesday said that the US National Oceanic and Atmospheric Administration (NOAA) confirmed that some of its websites had been compromised but declined to discuss who may have been responsible.
NOAA, which includes the National Weather Service, reportedly sealed off weather data relied upon for aviation, shipping, and more after security teams caught on to the breach.


I need to think about this a bit. Clearly , there's a new sheriff in town, but what will really change and how fast?
Jeff Kosseff writes:
When Republicans take over the Senate in January, new leaders will control key committees that oversee privacy and data security issues, and their priorities will differ significantly from those of their predecessors. Privacy issues, however, generally tend not to break neatly along party lines and there will remain bipartisan support – and bipartisan opposition – to most initiatives.
But you shouldn’t expect an immediate sea-change in privacy laws, leaders of Covington’s privacy and data security practice said on a post-election conference call on Monday.
Read more on Covington & Burling InsidePrivacy.


What does it take to rise to the level of a constitutional amendment?
Aaron Schrank reports:
State lawmakers this week will hear proposals to add an individual right to privacy to the Wyoming Constitution.
The Digital Information Privacy Task Force is made up of lawmakers and Wyoming citizens. Task Force Chairman Senator Chris Rothfuss says the proposed amendment would limit what information Wyoming could compile about its citizens. The goal is to ensure privacy rights aren’t ignored in service of other state interests.
Read more on Wyoming Public Radio.


Pew is listening. Is Congress?
Pew Study: Two Thirds Say Gov't Should Limit Ways Advertisers Use Personal Data
Almost two out of three Americans think the government should limit how advertisers draw on consumers' personal information. That's according to the Pew Research Center, which earlier today released the report, “Public Perceptions of Privacy and Security in the Post-Snowden Era.”
… More than nine in 10 respondents, 91%, said that consumers no longer wield control over how their personal information is collected and used by companies, while 80% of social networking users said they are concerned that the data they share on those services will be accessed by advertisers or businesses.


Would you expect anything else from Facebook?
Facebook Profiles Young People as Optimistic and Globally Conscious
… more mobile devices and Internet access mean more social media use, too. But what does this all mean for young people?
Perhaps unsurprisingly, it keeps them connected to their friends, family and the world around them, according to a new study from Facebook for Business. In the survey, 74 percent of young people ages 13 to 24 said that social media helps them stay up-to-date with their friends and family, 65 percent said they use social media to connect with people they see every day, 61 percent said that social media makes them feel like part of a wider community and 66 percent said that social media makes them feel more up-to-date with the world.


Google + Drone = Groan?
Google Leases Historic Navy Air Base ... for 60 Years
Earlier this week, Google (GOOGL) made headlines with news that it’s spending over a $1 billion to lease an old NASA hangar on a historic Navy air base for a 60-year period. More specifically, the Internet search company is leasing a 1,000-acre site that is part of the former Moffett Field Naval Air Station on the San Francisco Peninsula.
While Google was rather tight lipped on the event, more insight was had from the NASA press release that said a Google subsidiary called Planetary Ventures LLC will use the hangars for “research, development, assembly and testing in the areas of space exploration, aviation, rover/robotics and other emerging technologies."


The future is “Services?” Look at the list and you decide.
There Is an Uber for All of the Things (Even for This Article)
This week, the new on-demand laundry service Washio launched in Boston. With just a tap on your smartphone, you can get somebody else to come get your laundry.
Do you need that? Probably not. (Or maybe!) But it’s just one example of the many, many smartphone-powered service industry apps that have sprung up in recent years. The most popular, of course, is the ride-calling app Uber. And that has given rise to a refrain in the startup world. There is an Uber, it seems, for everything—an “Uber for laundry” is just the latest example.
… Here are a mere 50 of them, ranging from the possibly useful (Uber for dog walkers) to the wildly vague (Uber for anything) to the decidedly weird (Uber for your uterus).


Cute! Put your money where your hack is!
Scared of cyberattacks? Buy this ETF
"HACK" is the ticker symbol of the first exchange-traded fund focused on cybersecurity. If the past year is any indication, companies will continue to pour money into cyber defense.
"It's a way for investors to play the space thematically instead of trying to bet on one horse," said Daniel Ives, an analyst who covers cyber stocks at FBR Capital Markets.
… The biggest lure to cyber stocks is the fact that security spending continues to ramp up -- to the tune of 15% to 20% a year -- even as overall IT spending is barely growing at all.

Wednesday, November 12, 2014

We love our customers, but only as long as we can use their emails for Behavioral Analysis. Encryption interferes with that. So we will support the FBI's efforts to ban encryption. (and meanwhile, we will remove it when possible.)
Jacob Hoffman-Andrews writes:
Recently, Verizon was caught tampering with its customer’s web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers’ data to strip a security flag—called STARTTLS—from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.1
Read more on EFF.


I expect more discussion on this point, but few people will agree with the judge. Would the judge have ruled differently if access depended on a retinal scan?
Evan Schuman comments on a recent court opinion in Virginia v. Baust that a person can be compelled to open his phone with his fingerprint but that trying to compel the person to disclose his password implicates the 5th Amendment [media coverage of ruling, commentary by Orin Kerr].
In his commentary, Evan argues that a fingerprint scan is just a substitute PIN, which can’t be required by law enforcement. Here’s a snippet from his commentary:
But consider this scenario. I have a physical key that opens a physical deadbolt on the front door of my house. Because certain family members (who I will not name; they know who they are) have a tendency to forget or lose their house keys, I’ve debated changing the lock to accommodate a PIN keypad.
Now, according to this weird legal distinction, I could be forced to give my key to the police, but not my lock’s PIN. But hold on. Just as the iPhone’s finger scan is simply a digital version of a password/PIN, that deadbolt’s PIN is simply a digital alternative to my physical key. On what possible rationale should law enforcement treat the two differently?
Read his article on ComputerWorld.


Interesting. As we become more like a Thing on the Internet of Things, we are measured and analyzed in every more intrusive ways – including a few we pay extra to have!
Kirk Nahra does a terrific job articulating the concerns about non-HIPAA-covered health data and the debate that has already started as to whether such data should be regulated, and if so, how. Read his article on Wiley Rein.


Divorce? There's an App for that!
WhatsApp Blamed For Causing Divorces
WhatsApp is being cited in 40 percent of divorce cases in Italy, at least according to a report from the Italian Association of Matrimonial Lawyers. Gian Ettore Gassani, president of the association, suggested, “Social media has boosted betrayal in Italy by making it easier, first through texting, then Facebook, and now WhatsApp,” before adding that the messaging app “has encouraged the return of the Latin lover.
There is clearly a debate to be had about whether WhatsApp and other messaging apps are actually encouraging people to cheat on their partners or whether they’re just the latest tools in a serial cheater’s arsenal. Regardless, the fact WhatsApp is cited in such a high percentage of divorce cases is rather unsettling.

Tuesday, November 11, 2014

Small but interesting.
US Postal Service Suffers Massive Data Breach, Over 800K Employees And Customers Exposed
Data on as many as 800,000 employees may have been stolen along with data on customers who called the USPS' various call centers between January and August of this year.
That's actually a little surprising, given the scope of the operations that the Post Office oversees. If you get mail -- and 99.9% of us do, even if it's junk -- the Post Office has a record of your name and address.
Getting access to this information -- as well as possibly a web of data on who sends packages to whom -- could be useful to nation-states who want to track the actions of specific targets.
There’s no word yet on who may have perpetrated the attack, or exactly what the infection vector was. Congress has requested more information from the USPS on the attack,


It's what you do after the disaster.
South Korea court jails captain of doomed ferry for 36 years
The captain of a South Korean ferry that capsized in April killing 304 passengers was jailed for 36 years on Tuesday after a court found him guilty of negligence, but was acquitted of homicide for which prosecutors had sought the death penalty.
The court convicted the ship's chief engineer of homicide for not aiding two injured fellow crew members, making him the only one of four facing homicide charges to be found guilty on that count, and sentenced him to 30 years in prison.
The remaining 13 surviving crew members of the ferry Sewol were found guilty of various charges, including negligence, and handed down prison terms ranging from five to 20 years.


Using the Bully Pulpit? Is it because the elections are over, or because he's heading out of town?
Obama Calls for Strict Net Neutrality Policy
President Obama on Monday put the full weight of his administration behind an open and free Internet, calling for a strict policy of so-called net neutrality and formally opposing deals in which content providers like Netflix would pay huge sums to broadband companies for faster access to their customers.
The president’s proposal is consistent with his longstanding support for rules that seek to prevent cable and telephone companies from providing special access to some content providers. But the statement posted online Monday, as Mr. Obama traveled to Asia, is the most direct effort by the president to influence the debate about the Internet’s future.
… Mr. Obama said that new rules under consideration by the F.C.C. should adhere to several key principles:
No website or service should be blocked by an Internet service provider;
no content should be purposefully slowed down or sped up;
there should be more transparency about where traffic is routed;
and no paid deals should be made to provide a speed advantage to some providers over others in delivering content.
That last principle would directly affect some of the megadeals already being made by companies like Netflix, whose video streaming service has been gobbling up bandwidth and slowing down the Internet as millions of people attempt to watch movies and television shows on their computers and tablets.

(Related) So I don't have to keep explaining it!
6 things to know about net neutrality
If you've found most pieces on net neutrality tl;dr (that's "too long; didn't read" in Internet parlance), we're here to help.
1. What is it? Net neutrality, sometimes called "open Internet," is the idea that all Internet traffic should be treated the same way. It's the way the Internet works now.
2. Why are we talking about it now? The FCC has been debating a rule change
3.Why it's important: If net neutrality goes away, regular folks won't have to pay more directly for Internet access — but the higher access fees paid by businesses would almost certainly result in costs passed down to customers. Less-wealthy entities — think schools, nonprofits, start-ups, small businesses — would be handicapped online, unable to offer the same kind of fast access to their websites that better-funded businesses could.
4.But net neutrality sounds great. Who on Earth could possibly oppose it? … Some broadband service providers argue that because they've born the cost of building out the nation's broadband network, they should be allowed to recoup those costs.
5.About that ... : The U.S. has the 13th-fastest average broadband speeds in the world, behind Bulgaria.
6.What happens next: FCC Chairman Tom Wheeler has issued a statement saying Obama's remarks will be entered into the record on this discussion (and the pushback from broadband service providers has already begun). Now, we wait.


Damned if you do, damned if you don't. You need to know the “Goldilocks zone” – the “just right” amount of information to release.
Christopher Hoyme of Jackson Lewis writes:
Most employers are well aware that potential liability lurks if unauthorized information is disclosed to third parties. Obvious examples would include unauthorized employee or applicant health or financial information or personal information such as social security numbers and the like.
In an interesting twist, the Minnesota Supreme Court considered whether liability could be created when disclosure of requested information was incomplete.


Tools for privacy?
Firefox 10-Year Anniversary Release Focuses on Privacy
While performance is an important aspect when it comes to surfing the Internet, recent revelations have made many users more aware of the importance of privacy. In a survey conducted last month by Harris Poll on behalf of Mozilla, 74% of the 7,000 respondents said they felt Internet companies knew too much about them, while 54% admitted doing something online that they wanted to forget.
In response to the survey results, the new version of Firefox comes with two new important privacy features. One of them is the introduction of the privacy-focused search engine DuckDuckGo as a pre-installed search option.
… Another privacy-oriented feature introduced in the latest version of Firefox is called "Forget." Users can rely on the "Forget" button to tell the Web browser to delete their recent activity. Users don’t have to specify what they want cleared; they only have to choose how much they want to forget.
"Once you tell Firefox you want to forget the last 5 minutes, or 2 hours, or 24 hours, it takes care of the rest.


This could make a great “case study,” since it seems to include all the major failures possible in systems development, starting with “no one in charge.” (Not a very detailed report)
Let’s compile massive databases on students where the databases are riddled with errors. It’s good preparation for when they’re adults and have credit reports.
Howard Blume reports:
The rollout of a new student records system for Los Angeles schools was problematic at just about every level, according to a consultant’s report released Thursday.
[...]
In tracing what went wrong, the report concludes that L.A. Unified didn’t properly account for the greater size and complexity of its needs compared to Fresno Unified, from which L.A. adapted the software.
The entire development process “has been mired with software bugs,” the consultants wrote. And there was a “deficiency” in available experts and insufficient involvement from people who would be using the system.
At many points, red flags indicated serious issues, “but when it came to the ‘Go/No Go’ decision,” the leadership always said “Go.”
Read more on L.A. Times.
[Here is the report:


Just in case.
A new typeface could help people with dyslexia read with ease
A Dutch designer has created Dyslexie, a typeface that he hopes will make it easier for people with dyslexia to read.
[Individuals can get it free here:


For my Geeks!
Mozilla Introduces the First Browser Built For Developers: Firefox Developer Edition
… In celebration of the 10th anniversary of Firefox, we’re excited to unveil Firefox Developer Edition, the first browser created specifically for developers.


Worth having?
First Aid Smartphone Apps Save Lives


For my spreadsheet students.
Visualize Your Data & Make Your Spreadsheets User Friendly With An Excel Dashboard
… The main function of an Excel Dashboard is to transform a great deal of information into one manageable screen. What you choose to put on that screen is up to you, but this guide will instruct you how to best draw together different types of Excel content into a single environment. From there, you might choose to implement it to keep an eye on project progress at your place of business, or you might use it at home to track your finances — the same techniques can be applied to a broad spectrum of uses.


Ideas for the Big Data class.
Hacking a Universe's Worth of Data
… this past Friday about 130 hackers gathered in the Hayden Planetarium to participate in the American Museum of Natural History’s very first hackathon.
The premise was simple: The museum handed the huge dataset they call The Digital Universe to the hackers and gave them 24 hours to make something.
Christina Wallace, head of the museum’s brand-new BridgeUp: STEM program, says that the hackathon had one other purpose, beyond exploring data: “We wanted to quietly showcase the diversity of people who go into science and tech careers. Half our participants at the hackathon are women. All four of our judges are women—that one we didn’t even plan, they were just the best.” (BridgeUp: STEM is a program for high-school girls to introduce them to computer science, and its applications in fields like genetics and archaeology and paleontology.)


For my vets.
Vets can make out with several freebies on Veterans Day