Friday, August 31, 2012

GOP Adopts "Internet Freedom" Plank

The GOP has adopted a "Protecting Internet Freedom" plank for the Republican platform. While most of the language is too vague and general to draw conclusions about how exactly a Republican administration would go about addressing the issues, there are a few statements that are worth closer consideration.
1. We will resist any effort to shift control away from the successful multi-stakeholder approach of Internet governance and toward governance by international or other intergovernmental organizations.
This statement refers to the recent discussions to have the UN take over regulation of the Internet. Supported mainly by Russia and China, these efforts would hand control of Internet regulation to the International Telecommunication Union (ITU). Most major U.S. Internet companies have made public statements saying UN control of the Internet would be bad for business.
2. [The FCC] has conducted no auction of spectrum, has offered no incentives for investment, and, through the FCC’s net neutrality rule, is trying to micromanage telecom as if it were a railroad network.
The Net Neutrality discussion is a long and complicated one that essentially pits the best interests of large cable companies against start-up Internet companies and consumers. As PCWorld points out, the FCC's Net Neutrality rule had three benefits for consumers:
  1. Add transparency to how broadband providers--both wired and wireless--manage networks.
  2. Prohibit wired broadband providers from blocking lawful content, applications, services, and non-harmful devices. Wireless providers are also barred from blocking lawful websites or applications that compete with voice or video services.
  3. Forbid wired broadband providers from discriminating in the transmission of lawful network traffic.
The GOP plank implies a Republican administration would eliminate the FCC, and Net Neutrality in the process, and replace it with "a more modern relationship with the federal government."

Some statements about protecting privacy and personal information from "government overreach" are difficult to judge without an action plan, but seem to propose the status quo will continue to be debated in Congress and in court.

The National Journal reports some Democrats have been looking to adopt a similar plank, but with the promise of protecting network neutrality.

image: www.opengardensblog.futuretext.com

Article first published as GOP Adopts "Internet Freedom" Plank on Technorati.

Wednesday, August 29, 2012

Pro-Syria Hackers Attack Amnesty International Web Site

Throughout the day Monday Amnesty International struggled to regain control of the blog section of their web site. An unknown group of Syrian government supporters posted a fake article about investigations conducted by Amnesty International within Syria, claiming that rebel groups were committing atrocities and crimes against humanity.

A Washington Post article offered an overview of the struggle to take back the site from the hackers:
Amnesty struggled through Monday evening to delete the posts from its site. According to a spokesman for the group, entries removed by technical-staff members would rapidly reappear on the site over the course of several hours. 
A spokesman from Amnesty International in London said the system on which the blog ran did not contain sensitive data on activists or others. By Tuesday morning, the blog was back to its usual appearance.
This isn't the first pro-Syria hack attack. Tech Week Europe reports Reuters had its blogging platform hacked twice:
The first incident saw a false posting appear on its blog “purporting to carry an interview with a Syrian rebel leader was illegally posted on a Reuters’ journalist’s blog.” 
Later in the month, a Reuters blog carried erroneous reports of the death of Saudi Arabia’s Foreign Minister Prince Saud al-Faisal.
So far no-one has claimed responsibility for the attack, but the Syrian Electronic Army is the best known pro-Syrian hacking group and may be to blame.

Tuesday, August 28, 2012

Will Two-Factor Authentication Become the New Normal?

Many banks and payment providers such as Visa and PayPal already either require or allow the use of two-factor authentication. File-sharing service Dropbox has announced a two-factor authentication process that will require subscribers to type in both a password and a code sent to their mobile phone, according to a Washington Post article.

One-factor authentication is typically something you know, like a password. Two-factor authentication is something you know plus either something you are (such as a fingerprint or iris scan) or something you have. In this case, a six-digit passcode sent to your mobile phone means that your password would have to be compromised AND your mobile phone stolen before an attacker could sign in.
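The two-step flow described above, worked through as an added example (this is not Dropbox's or Google's code; the five-minute code lifetime, the five-attempt limit and the `deliver` callback standing in for an SMS gateway are assumptions): the password is checked first with a salted PBKDF2 hash, and only a correct password causes a random six-digit code to be issued out of band. The code is then checked in constant time, expires, is discarded after too many wrong guesses, and can be used only once, which is what keeps a stolen password alone from being enough.

```python
"""Two-step sign-in: password (something you know) plus a short-lived six-digit
code delivered out of band (something you have). Added example, not Dropbox's
or Google's implementation."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_CODE_ATTEMPTS = 5    # assumption: the step is abandoned after five wrong codes
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-HMAC-SHA256 over the password with a random per-user salt."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class TwoStepLogin:
    def __init__(self, clock: Callable[[], float] = time.time,
                 deliver: Optional[Callable[[str, str], None]] = None):
        self._clock = clock
        # deliver(user, code) would hand the code to an SMS gateway; the code is
        # never returned to the browser that is trying to sign in.
        self._deliver = deliver or (lambda user, code: None)
        self._users = {}     # user -> (salt, password_digest)
        self._pending = {}   # user -> [code, expires_at, attempts_left]

    def register(self, user: str, password: str) -> None:
        self._users[user] = hash_password(password)

    def start_login(self, user: str, password: str) -> bool:
        """Step one: verify the password. Only a correct password triggers a code."""
        record = self._users.get(user)
        if record is None:
            hash_password(password)   # same cost for unknown users (timing)
            return False
        salt, digest = record
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(digest, candidate):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = [code, self._clock() + CODE_TTL_SECONDS, MAX_CODE_ATTEMPTS]
        self._deliver(user, code)
        return True

    def finish_login(self, user: str, submitted_code: str) -> bool:
        """Step two: verify the out-of-band code. Expired, exhausted or already
        used codes fail; a correct code is consumed so it cannot be replayed."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user]
            return False
        entry[2] -= 1
        if hmac.compare_digest(code.encode(), str(submitted_code).encode()):
            del self._pending[user]   # single use
            return True
        return False


if __name__ == "__main__":
    svc = TwoStepLogin(deliver=lambda u, c: print(f"[constructed SMS to {u}] code {c}"))
    svc.register("alice", "correct horse battery staple")
    print("password step:", svc.start_login("alice", "correct horse battery staple"))
```

The design point is the ordering: the second factor is only issued after the first succeeds, so a password-only attacker never learns whether the account has a phone attached, and a stolen phone without the password never gets a code to use.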

From the Dropbox Blog:
“Two-step verification is an optional but highly recommended security feature that adds an extra layer of protection to your Dropbox account,” Dropbox writes. “Once enabled, Dropbox will require a six-digit security code in addition to your password whenever you sign in to Dropbox or link a new computer, phone, or tablet.”
Dropbox has had a number of security breaches in the recent past. In July of 2011, a "code update" allowed anyone with a Dropbox account to log into any other account. In July of 2012, usernames and passwords stolen from other web services were used to compromise Dropbox accounts. The same attack was used to hack 400,000 Yahoo! accounts this summer. After continual promises to do better, Dropbox has finally made a change that might make a difference.

Google already offers what they call two-step verification, but some researchers, including Bruce Schneier, say two-factor authentication solves "problems we had ten years ago." A virus called the ZeuS Trojan has already been discovered that specifically targets bank tokens, effectively stealing the code from your mobile phone.

The lesson learned from all of these hacking events: use different, strong passwords for each of your accounts, and turn on two-step verification when you can. Unfortunately, strong passwords remain our first line of defense in Internet transactions. Adding a second factor to that protection might not solve the problem, but it makes both hacking accounts and logging into your own account a bit more difficult.

image: http://www.security-faqs.com/


Article first published as Will Two-Factor Authentication Become the New Normal? on Technorati.

What's Wrong With the Apple V. Samsung Win?

The recent $1 billion judgement against Samsung creates one real loser, and it isn't Samsung, according to this post on the Findlaw Blog. The real loser is the smartphone industry, and anyone who considers standardized user interfaces a good thing for usability. From the article:
At a minimum, the case could prevent Android makers from designing a product whose appearance is too similar to Apple's iPhone. Design features like the double-tap to zoom, the fact that icons will snap into place, and the shape of the phone itself are all part of the iPhone and iPad aesthetic.
Samsung's designs were found to infringe patents for all of those features, reports Ars Technica.
So imagine using an iPhone, double tapping, expanding to zoom, and then trying to learn an Android device that is required to create a whole different set of user interactions. Fewer people would be likely to switch, reducing competition and (most likely) innovation.

Monday, August 27, 2012

Judge Upholds $675k File Sharing Penalty

A federal judge has refused to alter the $675,000 jury-imposed fine from 2009. From the Boston Globe article:
US District Court Judge Rya W. Zobel ruled Thursday that jurors properly weighed evidence in 2009 before determining Joel Tenenbaum violated copyright laws and in setting the amount of the fine, and so there is no reason for another jury to hear the case. Zobel also found that the judgment did not violate Tenenbaum’s due process rights.
Tenenbaum was accused of downloading 30 songs as a graduate student.

Saturday, August 25, 2012

U.S. General Confirms Use of Cyber-Attacks in Afghanistan

In what the Associated Press is reporting as one of the first public admissions of the use of cyber-attacks against other countries, Marine Lt. General Richard P. Mills says:
"I can tell you that as a commander in Afghanistan in the year 2010, I was able to use my cyber operations against my adversary with great impact," Mills said. "I was able to get inside his nets, infect his command-and-control, and in fact defend myself against his almost constant incursions to get inside my wire, to affect my operations."

While reports of cyber-attacks have been shared with the press in the past, such as the development and use of the Stuxnet virus against Iran reported by the NY Times, these reports usually depended on anonymous sources.

Mills was in charge of international forces in Afghanistan from 2010 to 2011. He did not offer details of the attacks. His speech can be viewed below.

The ethics of cyber-attacks and counter-attacks have been widely debated, but it is important to note in cyber-warfare the difference between attacking and defending isn't always clear.

Recent attacks have been linked to Stuxnet, and the Pentagon has recently asked for expanded cyber-defense abilities.

Video from:

http://www.slideshare.net/afcea/afcea-technet-land-forces-east-aberdeen-chapter-lunch-ltgen-richard-p-mills-usmc


Article first published as U.S. General Confirms Use of Cyber-Attacks in Afghanistan on Technorati.

Apple Wins $1 Billion Settlement Over Samsung

A nine-member jury in San Jose, California, agreed with most of Apple's claims that Samsung copied the look and feel of the Apple iPhone in Samsung smartphones.

According to the LA Times, the verdict was surprising in that it was delivered in less than three days of deliberation. The trial lasted four weeks, and resulted in Samsung being awarded $0 in damages for its counterclaims.

From the article:

The jury found all of Apple's patents to be valid and said Samsung "willfully" infringed on many of them.
According to reports from the courthouse, as of 4 p.m. Pacific the jury found that Samsung infringed on Apple's so-called "pinch and zoom" patent, or the ability to make text on a touchscreen bigger by moving one's fingers outward; as well as its bounce-back patent, or the way the image onscreen bounces back when it is dragged with a finger to the edge of the device.
USA Today reports that this is the largest standing verdict in a patent lawsuit:

The $1.05 billion in damages is the largest surviving verdict in patent history. Two larger verdicts were reversed, according to Stanford University law professor Mark Lemley.
"It's a huge win for Apple," says Lemley, who specializes in technology. "But this is one lawsuit among 50 in the smartphone market, and Apple's real target may be the Android ecosystem."
image: http://www.apptec.net
Article first published as Apple Wins $1 Billion Settlement Over Samsung on Technorati.

Friday, August 24, 2012

Your Brain Can Be Hacked

Scientists from the Universities of Oxford, California, and Geneva have shown they can discover secrets such as passwords and PINs using off-the-shelf technology, like the gaming headset from Emotiv, pictured here.

These headsets use EEG technology to detect and acquire neural signals (brainwaves), and are already popular with gamers who simply "think" about their next move.

Researchers at the recent USENIX Security conference in Washington state showed how these same devices can be used to detect information that people are trying to protect. Your brain produces a characteristic wave when something important to you is discussed, and this particular brain wave can be detected by the headset. From the ExtremeTech article:

In this case, the security researchers — from the Universities of Oxford and Geneva, and the University of California, Berkeley — created a custom program that was specially designed with the sole purpose of finding out sensitive data, such as the location of your home, your debit card PIN, which bank you use, and your date of birth. The researchers tried out their program on 28 participants (who were cooperative and didn’t know that they were being brain-hacked), and in general the experiments had a 10 to 40% chance of success of obtaining useful information (pictured above).

This is a first, awkward step in brainwave detection. The subject has to wear one of these strange devices, and the investigator needs to say the PIN or password aloud to detect whether it means something to the subject. While these EEG devices are fantastic for assisting people who have disabilities, this lie-detector style of use may have long-term privacy implications if the technique improves.

image: http://emotiv.com/

Article first published as Your Brain Can Be Hacked on Technorati.

Thursday, August 23, 2012

The NSA Secret Data Collection Program

The NYTimes has a profile of William Binney, a 32-year veteran of the NSA, discussing his role in developing a top-secret program to collect personal information on Americans. Laura Poitras is a documentary film-maker whose work has been nominated for an Academy Award and shown at the Whitney Biennial. This short profile is a preview of her latest documentary on post-9/11 US life.

image: http://www.democracynow.org

Popular Web Sites Collecting Data on Children

A coalition of privacy, pro-democracy, and children's protection groups has announced that it plans to file a complaint with the Federal Trade Commission (FTC) today, according to an article in the NY Times. According to the complaint, popular children's Web sites including those of McDonald's, Subway, and Nickelodeon have created online "games" that allow children to play "brand related" games or to create customized videos promoting one of the company's products. The child can then "share this with a friend," which is where the advocacy groups say the Web sites violate Federal law.

According to the 1998 Children's Online Privacy Protection Act, a Web site can only collect personal information from children under the age of 13 if they have made a reasonable effort to collect verifiable parental consent. The idea behind the law is parents of children under the age of 13 should be made aware of companies collecting data about the children, and have the opportunity to stop that collection.

There is an exception to the law which at least one of the companies claims protects their practice, the one-time use exception:

online contact information collected from a child that is used only to respond directly on a one-time basis to a specific request from the child and is not used to recontact the child and is not maintained in retrievable form by the operator;

If the Web site operators can prove that they do not retain the collected email addresses, which is highly unlikely, they may not be in violation of COPPA.

From the article:

The sites cited by the advocacy groups include McDonald’s HappyMeal.com; Nick.com, the Nickelodeon site owned by Viacom; General Mills' ReesesPuffs.com; SubwayKids.com; another General Mills site, TrixWorld.com; and Turner’s CartoonNetwork.com.

Image: http://www.digitaltrends.com
Article first published as Popular Web Sites Collecting Data on Children on Technorati.

Will the Car of the Future Be Required to Drive Itself?

Over the course of the next year, 3,000 cars, trucks, and buses in Detroit will be equipped to communicate traffic and road hazard data to each other and to the drivers. The project will cost $25 million and will focus on improving transportation safety by making drivers aware of accidents or hazardous road conditions.

The NY Times reports Transportation Secretary Ray LaHood is considering whether similar wireless technology should be required in future vehicles:
Mr. LaHood said the $25 million study would yield data useful in deciding whether the government should require such crash avoidance technology in future vehicles.
“Cars talking to each other is the future of motor safety,” Mr. LaHood said at a ceremony Tuesday at the University of Michigan Transportation Research Institute, which will install the wireless devices and collect data from the vehicles in the study.
Many cars can already park themselves (see a YouTube video of the Ford Explorer parking itself), manage speed when set to cruise control, and alert the driver if the car swerves into another lane. Google has completed over 300,000 accident-free miles in its self-driving car, and Europe has successfully completed tests of automated driverless car "trains".

As more technology is introduced into our vehicles, new and different risks will have to be addressed. We have already seen cars hacked through the wireless tire sensors, and a hacker shut down over 100 cars remotely.

image: http://www.shattuckauto.com

Article first published as Will the Car of the Future Be Required to Drive Itself? on Technorati.

Wednesday, August 22, 2012

Bow Wow's Twitter Feed Hacked

A rival rapper hacked Bow Wow's Twitter feed and demanded that all of his 2.3 million followers download the hacker's mixtape. From the BoomBox article:
"N----a i got Bow twitter on smash follow me... Im the haaacker this n---a got B---HES in his DM's. Bow u want pg back i want 10k," the hacker wrote. Is that $10,000 he wants? 10K Twitter followers?

"All you lil fans that's mad so be it. I want followers. Pick up my new mixtape 'the street code vol1 n---a got 2 mill followers ima promote," he ordered.
The hacker's mixtape met with harsh reviews from the fans, according to BoomBox. The hacker also threatened to expose direct messages from the account.

A few simple tips to protect your Twitter account: use a strong and unique password, and don't click on links shared through tweets (one of the most common ways to get hacked). The tweets are still live, but appear to have stopped 9 hours ago: https://twitter.com/BowWow

SMSZombie Malware Infects 500,000 Android Devices

ThreatPost has an article about the recent SMSZombie malware, which has infected over 500,000 Chinese Android phone users and steals money through the SMS payment system used by China Mobile. Apparently the malware is hidden in applications that offer wallpaper for the device.
From the article:
"Once installed, the virus then tries to obtain administrator privileges on the user’s device. This step cannot be canceled by the user, as the 'Cancel' button only reloads the dialog box until the user eventually is forced to select 'Activate' to stop the dialog box. These privileges disable users’ ability to delete the app, causing the device to return to the home screen even after choosing to uninstall the app."
While this particular malware is unlikely to affect U.S. users right away, as discussions of mobile payment systems increase, especially systems that allow for payments at multiple large vendors, similar malware is inevitable.

Tuesday, August 21, 2012

Retail Giants Team Up for Mobile Payments

According to Reuters, Walmart, Best Buy, Target, and other major retailers have created a new company called Merchant Customer Exchange in order to provide an app that will allow for mobile payments in their stores. The system would compete with Google Wallet and Square, which recently teamed up with Starbucks.

Mobile payment processes take different forms: Near Field Communication, where you wave your phone at a device and debit your payment account, or the simpler online payment method, where you actually make your purchase online and the point of purchase is informed of the completed transaction, more like picking up an item you bought online.

We are familiar with the risks of purchasing online; one small example is the hack of retailer Zappos this January that exposed 24 million customer records. In addition to this long-running risk, if you lose your phone whoever finds it might be able to use your account to make purchases, and any single merchant on the payment system can introduce a vulnerability for all merchants, which we call the weakest-link effect.

The privacy risk is even greater. By sharing purchasing habits across each of these different major retailers, retailers will have more information not only about WHAT you purchase, but where and when you purchase it, and how likely you are to respond to bargains and incentives. In addition, as researchers have shown, you can control people, to an extent, using their mobile apps.

From the article:
The group of retailers, which account for about $1 trillion in annual sales, wants to make sure it has a say in the development of standards for mobile payments, Terry Scully, Target's president of financial and retail services, said on Wednesday.

"What we are looking for is a broad, seamless experience across all retail formats," Scully said.
Mobile payments are expected to rise nearly four-fold to more than $1.3 trillion annually by 2017, a report from Juniper Research said on Wednesday.

image: http://www.thetransactiongroup.net


Article first published as Retail Giants Team Up for Mobile Payments on Technorati.

Anonymous Attacks UK Justice Web Site in Support of Wikileaks

The Huffington Post reports Anonymous attacked the UK Justice Ministry Web site Monday. According to the report, the Justice Ministry said they were looking into "disruptions on its Web site".
The group of hackers known as Anonymous has claimed they attacked the Justice Ministry site, as you can see in the screenshot from the Anonymous Twitter feed:
Justice.gov.uk was still online at 9:30 P.M., although it was very slow to load.

Apparently Anonymous is attacking UK sites in support of Julian Assange, who is in Ecuador's embassy in London to avoid extradition to Sweden. From the article:
Ecuador granted the 41-year-old Australian diplomatic asylum last week, but Britain has said it will not grant him safe passage out of the U.K., insisting that it must follow the law and deliver him to Sweden on a binding European arrest warrant.
Assange claims the attempt to extradite him to Sweden is a conspiracy to make him stand trial in the U.S. for revealing state secrets, and Anonymous is supporting his efforts to be safely extradited to Sweden.

Article first published as Anonymous Attacks UK Justice Web Site in Support of Assange on Technorati.

Monday, August 20, 2012

Anonymous Did Not Hack Sony PSN Again

A number of blogs and some reputable outlets like Forbes have pointed to a recent re-hack of Sony's PlayStation Network, a claim inspired by a tweet from the Anonymous account and a post to Pastebin with usernames and account information. CSO magazine reports, after analyzing the data that was released, that the "hack" was simply a re-post of data from the April attack.

AMD Blog Hacked

According to ZDNet, an AMD blog was hacked by a group calling themselves r00tbeer. ZDNet reports the database was downloaded by the hackers, announced via Twitter, then made public. The database did not contain customer details, but 190 internal accounts were exposed. The blog has been replaced with a "routine maintenance" message.

image: maintenance.amd.com

Friday, August 17, 2012

Balancing Privacy and Security: Surveillance of Government Workers

Interesting article in the Washington Post today about the increased surveillance of government workers. In addition to tracking every keystroke of government scientists, including their use of personal email accounts, there is a growing trend of monitoring all government employee use of computers. From the article:
Although the FDA has said it acted out of concern that the scientists were improperly sharing trade secrets, the scientists have argued in a lawsuit that they were targeted because they were blowing the whistle on what they thought had been an unethical review process.
At least two other agencies, the Transportation Security Administration and the Federal Maritime Commission, are under congressional scrutiny for seeking and using employee monitoring software that critics say is intrusive.
Federal agencies generally decline to elaborate on their monitoring practices or what activity might trigger them to closely watch an employee’s communications. But officials defend the push for more aggressive surveillance, noting that the federal workforce is more mobile and wired than ever — and more vulnerable to leaking sensitive information by accident or design.

"Personalized" Prices and Electronic Wallets

Two articles from the NY Times this week highlight a really interesting trend that could be bad for both privacy and consumer rights. The first article highlights the increase in "personalization" of prices at grocery stores. Different shoppers receive different electronic discounts based on previous shopping behavior and profiles. The idea is that companies can encourage behavior using timed discounts, but the end result, as Joseph Turow from the Annenberg School of Communication points out in the article, is that:
... shoppers should be cautious. The pricing at grocery stores and other retailers is not transparent enough to give consumers any real power or choice, he said, and “there’s a sense of fairness that’s derailed here.”
The difference between frequent flier miles and personalized pricing is that in the frequent flier model discounts are applied to a group, and access to that group is a transparent and open process. In the personalization scenario, a merchant can set any criteria as a determination of pricing, including gender, race, sexual preference, or employment history.

When this personalization trend is coupled with mobile computing, we can see how location data and the use of our mobile device to do everything from searching for a nearby restaurant to paying for our meal at that restaurant can be used to further develop our consumer profile. The other relevant article in the NY Times discusses the "Campaign to Digitize Your Wallet" and focuses on the partnership between Starbucks and Square, the mobile payment provider. Google Wallet has a similar app, which essentially allows "near field communication": your phone communicates with the cash register and approves the transfer of funds, reducing "friction" and making it easier to get the money out of your account and into the merchant's.

The problem with mobile payments and personalized pricing, from a privacy perspective, is that all of our purchases will be digital. The data and metadata related to the purchase will be added to our "consumer profile," sold, and resold to other merchants. This is a process that still lacks any transparency; there is no way for an individual consumer to have any control over the data that is collected about her in an electronic transaction. The only privacy-protecting measure is to remove the battery from your phone before you walk into a store (so your location and identifying information can't be tracked using your mobile device) and to pay with cash (and don't give your zip code when they ask).

Protecting privacy will become exceptionally difficult as mobile payments and personalized pricing become more prevalent.


Article first published as "Personalized" Prices and Electronic Wallets on Technorati.

image: www.foodanddrinkdigital.com

Thursday, August 16, 2012

Germany Re-Opens Facebook Faces Probe

Johannes Caspar, the Data Protection Commissioner for Hamburg, Germany, has reopened a suspended investigation into Facebook's business practices related to the photo-suggest feature on Facebook. The privacy complaint is two-fold: that Facebook is developing a massive database of images uploaded by Facebook subscribers without their permission, and that Facebook uses an opt-out rather than an opt-in approach, which is the legal standard in Germany. While the legal consequences for Facebook are a minuscule $31,000 fine, reopening this investigation might have an EU-wide effect with greater legal and reputational consequences.
From the NYTimes article:
The data protection commissioner in Hamburg, Johannes Caspar, suspended the inquiry in June, but said he reopened it after attempts to persuade Facebook to change its policies had failed.
“We have met repeatedly with Facebook but have not been able to get their cooperation on this issue, which has grave implications for personal data,” Mr. Caspar said in an interview.

Wednesday, August 15, 2012

AT&T Victim of Denial of Service Attack

According to Martyn Williams of IDG News (as reported through PCWorld), AT&T has been the victim of a distributed denial of service attack aimed at the AT&T DNS servers. Some AT&T business customers have been unable to gain Internet access. From the article:
The multi-hour attack began Wednesday morning West Coast time and at the time of this writing, eight hours later, does not appear to have been mitigated.
"Due to a distributed denial of service attack attempting to flood our Domain Name System servers in two locations, some AT&T business customers are experiencing intermittent disruptions in service," an AT&T spokesman told IDG News Service by email. "Restoration efforts are underway and we apologize for any inconvenience to our customers."
The attack appears to have affected enterprise customers using AT&T's managed services DNS product.

License Plate Surveillance

Cyrus Farivar has a great roundup of license plate surveillance in Ars Technica. He focuses on the town of Tiburon, California, which had a crime rate of about 100 to 120 thefts per year before it installed the $130k surveillance system to record every license plate that comes into or out of town.
Farivar covers a wide range of privacy concerns that this practice raises, from a lack of retention standards to false positives to insufficient updates. License Plate Readers, or LPRs, are cameras that scan a license plate from a distance, record the license plate number, and match those numbers against a "hot list". This essentially means that the license plate of every car that passes by the camera is added to a database, tracking your every move. From the article:

Today, tens of thousands of LPRs are being used by law enforcement agencies all over the country—practically every week, local media around the country report on some LPR expansion. But the system's unchecked and largely unmonitored use raises significant privacy concerns. License plates, dates, times, and locations of all cars seen are kept in law enforcement databases for months or even years at a time. In the worst case, the New York State Police keeps all of its LPR data indefinitely. No universal standard governs how long data can or should be retained.
image: www.pbs.org

Friday, August 10, 2012

New Malware Linked to Stuxnet, Flame

Researchers from Kaspersky Lab, a Russian cybersecurity firm, have identified a new piece of malware that they believe comes from the same "factory" as the state-sponsored Stuxnet and Flame malware that was targeted at Iran. The new software, called Gauss, is supposedly aimed at Lebanon, whereas Stuxnet and Flame were developed to disrupt Iranian nuclear ambitions. From the Washington Post article:

“Nation-states want to monitor activity,” said Roel Schouwenberg, senior researcher for Kaspersky Lab, the Russian cybersecurity firm that discovered the new malware and also discovered Flame. “Seeing how the money is flowing in these bank accounts can be very interesting for them.”

Stuxnet and Flame are believed to have been developed by the United States and Israel.

In its analysis, Kaspersky experts stopped short of speculating on who might be behind the new malware, dubbed Gauss, but they said they believe it “was created by the same ‘factory’ which produced Flame. This indicates it is most likely a nation-state sponsored operation.”

Pentagon Seeks Expanded Cyber Defense Permission

According to the Washington Post, the Pentagon has announced a plan that would allow U.S. military cyber-security specialists to take action on computers outside the U.S. network to defend critical infrastructure. This rule change would allow security specialists to take action against computers in other countries, including government and private computer systems, in order to defend U.S. infrastructure. From the article:
“Without a doubt it would be a very big and significant step forward,” said a senior defense official, speaking on the condition of anonymity to discuss a sensitive topic. “It would account for changes in technology that will give more flexibility in defending the nation from cyberattack.” 
Currently, the military is permitted to take defensive actions or to block malicious software — such as code that can sabotage another computer — only inside or at the boundaries of its own networks. But advances in technology and mounting concern about the potential for a cyberattack to damage power stations, water-treatment plants and other critical systems have prompted senior officials to seek a more robust role for the department’s Cyber Command.

Thursday, August 9, 2012

Yahoo Account Hack Lawsuit

According to Courthouse News Service, a class action lawsuit has been filed against Yahoo for the July hack by the "D33Ds Company" of the Yahoo! contributor service, which allows bloggers to write content for Yahoo! and get paid through advertising. I posted some information on the hack in an article back in July.

New Hampshire resident Jeff Allen is a plaintiff in the case. He found out his information was compromised when the same username and password were used to log in to his eBay account. Wired News reporter Mat Honan's case, still unfolding, is a variation on the same theme: a hacker used social engineering to get Apple support to reset Honan's Apple ID password, then used that access to pivot into the rest of Honan's accounts.

Both of these hacks should serve as a reminder to never use the same password on more than one account. One common recommendation is to derive passwords from a memorable phrase: pick a phrase like "I love green hair", change some of the vowels to numbers, and append the first three to seven letters of the service you are using. (This is sometimes called a "salt", but it is not one in the cryptographic sense; a real salt is a random value the server stores next to the password hash, and it protects the stored hash, not your account.) The scheme is better than plain reuse, but it has a weakness: once one of the derived passwords leaks in plaintext, as the Yahoo passwords did, the pattern is obvious and an attacker can guess your password for every other service. A password manager that generates a long random password for each site, plus two-factor authentication wherever a service offers it, is the stronger choice, and it avoids keeping passwords in a plain file on your computer.
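As an added example (not code from the original post), here is the check a site such as eBay could run the day a third-party dump of plaintext passwords appears: hash each leaked password with the user's stored salt and see whether it opens the account here. It also models the "append a few letters of the site name" scheme from the attacker's side, to show that one leaked password gives away the pattern. The accounts, passwords, site tags and PBKDF2 parameters are all constructed for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000                         # PBKDF2 work factor; raise it as hardware improves
SITE_TAGS = ["yah", "eba", "gma", "app"]     # assumed site abbreviations used by the suffix scheme

# Constructed sample breach dump in the shape of the 2012 Yahoo Voices leak:
# plaintext e-mail/password pairs. These are made-up accounts.
LEAKED_CREDENTIALS = [
    ("jeff@example.com", "1l0veGr33nHa1r-yah"),   # derived-password scheme, Yahoo suffix
    ("ann@example.com", "correct horse battery staple"),
    ("bob@example.com", "hunter2"),
]


def hash_password(password, salt=None):
    """Hash with a real salt: 16 random bytes stored next to the digest.
    The salt defeats precomputed tables; it does not need to be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def build_user_table(accounts):
    """A second site's user table, storing only (salt, digest) per account."""
    return {email: hash_password(pw) for email, pw in accounts}


def suffix_variants(leaked_password, site_tags=SITE_TAGS):
    """The attacker's view of the 'append letters of the site name' scheme:
    strip the tag that leaked and substitute every other site's tag."""
    base = leaked_password
    for tag in site_tags:
        if base.endswith("-" + tag):
            base = base[: -(len(tag) + 1)]
            break
    return [base + "-" + tag for tag in site_tags]


def find_reused_credentials(leak, user_table, expand=None):
    """E-mails in `user_table` whose leaked password (or a pattern variant of it,
    when `expand` is given) opens their account here. Run this when a third-party
    dump appears and force resets before credential-stuffing attacks succeed."""
    hits = []
    for email, leaked_password in leak:
        record = user_table.get(email)
        if record is None:
            continue
        candidates = [leaked_password] if expand is None else expand(leaked_password)
        if any(verify_password(c, *record) for c in candidates):
            hits.append(email)
    return hits


# Constructed second site (think eBay): Jeff reused his base phrase with this
# site's suffix, Ann used an unrelated unique password, Bob has no account here.
SECOND_SITE = build_user_table([
    ("jeff@example.com", "1l0veGr33nHa1r-eba"),
    ("ann@example.com", "a different, unique password"),
    ("carol@example.com", "hunter2"),
])

if __name__ == "__main__":
    print(find_reused_credentials(LEAKED_CREDENTIALS, SECOND_SITE))                          # []
    print(find_reused_credentials(LEAKED_CREDENTIALS, SECOND_SITE, expand=suffix_variants))  # ['jeff@example.com']
```

The exact-match check finds nothing, because Jeff's eBay password differs from his Yahoo one by three letters; the pattern-aware check finds him immediately. That gap is the whole argument for random per-site passwords over a memorable scheme.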

Obama Mobile App Raises Privacy Concerns

The Obama campaign has a new tool to help volunteers connect with Democrats. According to the Washington Post, the Obama for America iPhone and Android app shows the location of nearby Democrats and makes the address, first name, and last initial of registered voters available to volunteers, or to anyone else who has downloaded the application.

The current location of individuals is only available if the person has downloaded the app and chosen to share their location.

Marc Rotenberg, Executive Director of the Electronic Privacy Information Center, told the Post "Party affiliation is public information, available through the state voter registration records. I don’t see the problem there."

But just because the information is already publicly available in several different databases doesn't mean the "aggregation" (a term Daniel Solove uses for one aspect of privacy harm) isn't a problem. Social networking researcher Danah Boyd gives two reasons we should be concerned about the re-use of publicly available personal information in her article "Facebook's Privacy Trainwreck: Exposure, Invasion, and Drama." Boyd writes about the changes Facebook made in 2006 that made it easier to see information that was already publicly available. She points to exposure (making publicly available information easier to discover) and invasion (the way that easier access changes your relationships with other people) as the two reasons for concern.

The Obama administration has recently come under fire (a good summary is available here from Politico) for a poor transparency record, making the use of personal information in this app ironic.

While the Obama campaign may be the first to release an app like this publicly, it certainly won't be the last. Article first published as Obama Mobile App Raises Privacy Concerns on Technorati.

Tuesday, August 7, 2012

Netflix Settlement Results in New Privacy Policy

According to the Findlaw blog, Netflix has settled a class action lawsuit that will result in $2.27m for attorneys, $30k for the two named plaintiffs, and a slightly changed privacy policy. The suit was over Netflix retaining customers' viewing histories and disclosing those data to third parties without telling customers it was doing so. As part of the settlement, Netflix has agreed to decouple subscribers' viewing histories from their personal information one year after a subscription ends. In other words, if you subscribe to Netflix and then quit, a year later your personal information will be separated from your viewing history. Both sets of data will still be retained indefinitely by the company.

Monday, August 6, 2012

Wired News Reporter's Accounts Hacked

Mat Honan, a reporter for Wired News, had his Apple account (and subsequently his other accounts) taken over by a hacker last week. Mat offers a full description of exactly what happened, and what he could have done to lessen the impact, on his blog. The upshot is that the hacker used social engineering to get Apple support to reset Honan's Apple ID password, using nothing more than his billing address and the last four digits of a credit card, which the attacker had first pried out of his Amazon account. You can't control a vendor's help desk, but you can limit what a single password reset unlocks.

Honan's problem got worse because his accounts were chained together: his Apple e-mail address was the recovery address for his Google account, his Google account controlled his Twitter account, and his iCloud credentials let the attacker remotely wipe his iPhone, iPad and MacBook through Find My iPhone and Find My Mac. One compromised account handed over many. Honan offers a detailed description of what he would have done differently, two-factor authentication on his Google account and regular backups among them. This is a great reminder to do some house cleaning of our own accounts.
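The house cleaning is easier with a map. Below is an added example (not code from the original post or from Honan) that models the chain of account-recovery dependencies as a directed graph and walks it to find everything an attacker reaches from one foothold; it then ranks which single link is worth cutting first. The node names and edges are assumptions patterned on Honan's published account of the incident, not a record of his actual settings.

```python
from collections import deque

# Constructed recovery graph. An edge A -> B means "controlling A lets the
# attacker take over B" (B's reset goes to A, or A exposes data B accepts as
# proof of identity). Assumed for illustration, patterned on the Honan write-up.
RECOVERY_LINKS = {
    "amazon": ["apple_id"],                  # Amazon showed the last four card digits Apple accepted as ID proof
    "apple_id": ["gmail", "icloud_devices"], # the Apple address was Gmail's recovery address; iCloud can remote-wipe devices
    "gmail": ["twitter"],                    # Twitter's password reset goes to Gmail
    "twitter": [],
    "icloud_devices": [],
}


def blast_radius(links, foothold):
    """Breadth-first walk: every account reachable once `foothold` is owned."""
    seen = {foothold}
    queue = deque([foothold])
    while queue:
        node = queue.popleft()
        for nxt in links.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def without_link(links, src, dst):
    """Copy of the graph with one recovery dependency removed, e.g. after
    pointing Gmail's recovery address at a dedicated mailbox nothing else uses."""
    return {k: [v for v in vs if not (k == src and v == dst)] for k, vs in links.items()}


def most_valuable_cuts(links, foothold):
    """Rank single edges by how many accounts removing them takes out of reach
    from `foothold`; the top entry is the first thing to fix."""
    base = len(blast_radius(links, foothold))
    results = []
    for src, dsts in links.items():
        for dst in dsts:
            reduced = len(blast_radius(without_link(links, src, dst), foothold))
            results.append((base - reduced, src, dst))
    results.sort(reverse=True)
    return results


if __name__ == "__main__":
    print(sorted(blast_radius(RECOVERY_LINKS, "amazon")))
    # ['amazon', 'apple_id', 'gmail', 'icloud_devices', 'twitter']
    for gain, src, dst in most_valuable_cuts(RECOVERY_LINKS, "amazon"):
        print(f"cut {src} -> {dst}: {gain} fewer accounts reachable")
```

Run against your own accounts, the walk usually shows that one mailbox is the recovery address for everything, which is exactly the single point of failure two-factor authentication on that mailbox, or a separate recovery address, is meant to remove.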

Saturday, August 4, 2012

Google, Facebook, Amazon Create New Lobbying Group

The Internet Association is a group of tech giants, Google, Facebook, Amazon, and eBay, that are pooling resources to lobby in favor of an "open Internet". From the Internet Association Web site:
The Internet Association is dedicated to advancing public policy solutions to strengthen and protect an open, innovative and free Internet.
From the Washington Post Article:
The association is expected to officially launch in September, when it will release its full list of sponsors and members. Its most prominent members are Silicon Valley giants Google, Facebook, eBay and Amazon, according to a person familiar with the group’s plans. Those firms face a slew of regulatory issues that directly affect their businesses: privacy legislation, online sales tax reforms, cybersecurity and proposed anti-piracy and copyright laws.

image: softsupplier.com

Friday, August 3, 2012

Google Wallet Moves to the Cloud

Google has announced changes to Google Wallet, the app that lets users pay for purchases with their mobile device. Google Wallet will now store the user's payment card information on Google's servers rather than on the phone, and it lets users remotely disable the app if their phone goes missing. From the Washington Post article:
Google’s update is the latest effort to solve a series of pressing concerns for Google Wallet. One, clearly, is that of adoption: As Google knows, it’s tough to get mobile users interested in a mobile payment system that only supports a single credit card, as Google Wallet did previously.
Two, Google is also trying hard to bridge the gap between openness and security, the latter of which has been a pressing concern for Google Wallet since the beginning.

Thursday, August 2, 2012

Cyber-Security Bill Fails in Senate

The Washington Post and CNN both report that the latest cyber-security bill has failed in the Senate. The Cybersecurity Act of 2012, sponsored by Joe Lieberman and Susan Collins, was strongly endorsed by President Obama, the Chairman of the Joint Chiefs of Staff and the White House counterterrorism advisor. Senators who voted against it said it was rushed and had not gone through the usual committee review, which they felt was inappropriate for such a wide-reaching cybersecurity bill. They also argued that any regulation would impose undue financial burdens on the private companies that run our national infrastructure.

The bill's sponsors hoped to give government and industry a way to share threat information, and to set cybersecurity standards for the companies in charge of our national infrastructure (mandatory in the original draft, voluntary in the revised version that came to the floor).

In November of 2011 an Illinois water pump was reported "hacked", but it wasn't until December that investigators determined the hack wasn't a hack at all: the remote login from a Russian address that set off the alarm was a contractor checking on the system at the district's request while traveling, and the pump had simply burned out. Standards would require basics like logging configuration changes and limiting the exposure of these systems to the Internet. If complying with basics like these is a financial burden, these companies aren't doing their job.