If this story is true, someone needs time in jail to think about civic responsibility:

In a lawsuit filed Tuesday in federal court, [a Pennsylvania] family said the school's assistant principal had confronted their son, told him he had "engaged in improper behavior in [his] home, and cited as evidence a photograph from the webcam embedded in [his] personal laptop issued by the school district."

The suit contends the Lower Merion School District, one of the most prosperous and highest-achieving in the state, had the ability to turn on students' webcams and illegally invade their privacy.

The suit says that in November, assistant principal Lynn Matsko called in sophomore Blake Robbins and told him that he had "engaged in improper behavior in his home," and cited as evidence a photograph from the webcam in his school-issued laptop.

Matsko later told Robbins' father, Michael, that the district "could remotely activate the webcam contained in a student's personal laptop . . . at any time it chose and to view and capture whatever images were in front of the webcam" without the knowledge or approval of the laptop's users, the suit says.

A security professional in New York has investigated the technical claims and found them convincing. He also expanded on the original news story with some circumstantial evidence:

The truly amazing part of this story is what's coming out from comments from the students themselves. Some of the interesting points:

• Possession of a monitored Macbook was required for classes
• Possession of an unmonitored personal computer was forbidden and would be confiscated
• Disabling the camera was impossible
• Jailbreaking a school laptop in order to secure it or monitor it against intrusion was an offense which merited expulsion

When I spoke at MIT about the wealth of electronic evidence I came across regarding Chinese gymnasts, I used the phrase "compulsory transparency". I never thought I would be using the phrase to describe America, especially so soon, but that appears to be exactly the case.

I can't wait to see how this turns out.

Software entrepreneur Joel Spolsky says that's a good start, but only part of it:

[L]et’s stop talking about “backups.” Doing a backup is too low a bar. Any experienced system administrator will tell you that they have a great backup plan, the trouble comes when you have to restore.

And that’s when you discover that:

• The backed-up files were encrypted with a cryptographically-secure key, the only copy of which was on the machine that was lost
• The server had enormous amounts of configuration information stored in the IIS metabase which wasn’t backed up
• The backup files were being copied to a FAT partition and were silently being truncated to 2GB
• Your backups were on an LTO drive which was lost with the data center, and you can’t get another LTO drive for three days
• And a million other things that can go wrong even when you “have” “backups.”

The minimum bar for a reliable service is not that you have done a backup, but that you have done a restore.

As someone who's got reliable, clockwork backups running, and has had them fail for one of the reasons Spolsky listed (and others that he didn't), I think this is tremendously good advice.

I don't know where this came from originally, but...well, look:

(Full size after the jump.)

And you don't let a convicted hacker near the prison computers, either:

Douglas Havard, 27, serving six years for stealing up to £6.5million using forged credit cards over the internet, was approached after governors wanted to create an internal TV station but needed a special computer program written.

He was left unguarded and hacked into the system's hard drive at Ranby Prison, near Retford, Notts. Then he set up a series of passwords so no one else could get into the system.

How could this be worse? Glad you asked:

The blunder emerged a week after the Sunday Mirror revealed how an inmate at the same jail managed to get a key cut that opened every door.

It's scary when the Mirror starts to sound like the Onion...

(Via Bruce Schneier.

I can't wait to see what they'll have us do after this:

On the evening of Aug. 28, Prince Mohammed bin Nayef, the Saudi Deputy Interior Minister — and the man in charge of the kingdom’s counterterrorism efforts — was receiving members of the public in connection with the celebration of Ramadan....

One of the highlights of the Friday gathering was supposed to be the prince’s meeting with Abdullah Hassan Taleh al-Asiri, a Saudi man who was a wanted militant from al Qaeda in the Arabian Peninsula (AQAP). Al-Asiri had allegedly renounced terrorism and had requested to meet the prince in order to repent and then be accepted into the kingdom’s amnesty program. Such surrenders are not unprecedented....

But the al-Asiri case ended very differently from the al-Awfi case. Unlike al-Awfi, al-Asiri was not a genuine repentant — he was a human Trojan horse. After al-Asiri entered a small room to speak with Prince Mohammed, he activated a small improvised explosive device (IED) he had been carrying inside his anal cavity. The resulting explosion ripped al-Asiri to shreds but only lightly injured the shocked prince — the target of al-Asiri’s unsuccessful assassination attempt.

(Via Bruce Schneier.)