ILI Student Blog

Month: November 2012

  • Texas HS Student Fighting Suspension for Refusing to Wear RFID Nametag

    Here’s a story below from SANS NewsBites Vol. 14 Num. 94. A high school in Texas is RFID ing students as a means of funding. In addition to the unexpected use of this technology, what I find most interesting about the story is that because it’s a public school, the issue potentially becomes a Constitutional violation. Were it a private school (or company), the matter would be much more restricted in it’s scope, but because it’s a state run agency, the issue become much more complex.

    “Texas HS Student Fighting Suspension for Refusing to Wear RFID Nametag (November 21 & 23, 2012) A Texas high school student has been suspended for refusing to wear an RFID badge. The Northside Independent School District’s John Jay High School’s Science and Engineering Academy in San Antonio implemented the RFID program to increase state funding. Schools in Texas receive funding based on student attendance; the tags can be used to determine that students are present at the school even if they are not in class. A Texas judge has issued a temporary injunction blocking the girl’s suspension pending a hearing scheduled for this week. Student Andrea Hernandez and her parents say that requiring her to wear the tag is a violation of her First Amendment rights.

    http://www.wired.com/threatlevel/2012/11/student-suspension/

    In apparent protest, individuals claiming association with the Anonymous hacking collective have taken down the school’s website http://www.theregister.co.uk/2012/11/27/annymous_takes_down_northside_independent_school_district_as_revenge_for_rfid_tracking/ “

  • Online exam proctoring? Solving one problem of Massively Open Online Courses

    I came across a recent post regarding proctoring during online exams (http://www.technologyreview.com/news/506346/in-online-exams-big-brother-will-be-watching/). As you might imagine, teachers face a legitimate problem of being assured that students taking online classes are not cheating. This solution?: startup firms that provide online proctoring using webcams and screen sharing technologies. The issue, this article claims, is precipitated by the surge in popularity of free online classes provided by some top schools. Some of these classes can even reach enrolments of hundreds of thousands!

    Interestingly, the people hired by these proctoring firms are, themselves, students. Given that the goal is to reduce cheating — or at least the perception or possibility for cheating — I have no idea whether that should matter. Overall, the article claims a (known) cheating rate of 0.7% (7 out of every 1000) — a fair bit lower than typical class rooms, I would bet. And while expectation of privacy is appropriately low during a typical classroom exam, one would not think that online monitoring with a webcam should not violate any social norms.

  • Game company sued for using two factor authentication. Hun?

    There’s a story (http://www.securityprivacyandthelaw.com/admin/trackback/289911) about a lawsuit filed against the game company, Blizzard, which seeks class action status. It appears that the company is being sued for enabling two factor authentication for their online gaming service. Yeah, that’s what I thought: why on earth would someone sue a company for *having* strong authentication? The lawsuit isn’t really about any particular breach, or any harm resulting from negligent actions by Blizzard, or any actual identity theft suffered by its customers. Rather, the complaint appears to argue that customers might, someday, experience harm, possibly, in the future, should Blizzard be (again) hacked. Uh-hun. It further states that, “defendant’s acts have … harmed plaintiffs’ and class members by devaluing their video games … by adding elements of risk to each and every act of playing said games.” Really? Devaluing their video game? How, exactly? Is there any evidence of this? No, there’s not.

    It also suggests that customers were deceived into purchasing the game only to later learn that they also needed a $6.50 device to enable two-factor authentication (the RSA ID fob). Now, fine. If it’s true that customers were misled in some material way, then an allegation of consumer fraud might be appropriate (though, isn’t this the role of the FTC?), and if there was some evidence of any kind of harm (even a real privacy harm), then that might be valid, but these claims seem to be quite stretched.

  • Cyber crime insurance policy now covers data breach losses

    A recent circuit court ruling held that a company’s ‘computer crime’ policy covered them for losses stemming from a data breach, despite the policy stating otherwise. In the world of cyberinsurance, this is a game changer.

    Cyberinsurance has been a hot topic of discussion for academics for at least a decade. We love to differentiate the issues of cyberinsurance from other forms of insurance by highlighting that beyond just problems of information asymmetry (leading to familiar moral hazard and adverse selection), computer systems are of course networked. This poses two separate but related problems. The first issue is a problem for the firm: the security of your network is a function of the degree to which your business partners protect their systems. It’s a familiar problem not just in computer networks, but also with airlines. (See Howard Kunreuther and Geoffrey Heal. (2003). Interdependent security. Journal of Risk and Uncertainty, 26(2-3):231–49). The second issue is a problem for the insurer: correlated failures. It means that an attack on (or failure of) one client’s network, might also signal an attack on (or failure of) another client’s network. We saw examples of this from the recent attack on universities in the US, Europe and Asia. As an insurer, you suffer loss when clients file claims against their policies, and you become profitable only when you pool your risk. However, consider the consequences of now instead of one or two clients filing claims, if they all did. In recent conversations with insurance companies, *this* is what keeps them up at night.

    So what makes this ruling so important is that other traditional computer crime policies may now be used to recover losses from data breaches. This is nice for companies that suffer losses, but obviously bad for the insurance carriers. We can be assured that policies are very quickly being updated and revised.

    For more information see: http://privacylaw.proskauer.com/2012/09/articles/data-breaches/crime-policy-does-pay-sixth-circuit-holds-that-endorsement-of-crime-policy-covers-losses-from-hackers-data-breach/#page=1 .