Thursday, April 26, 2012
Best Practices: As new security tools and techniques become available, you should re-visit applications that were “cleared” using earlier, less capable tools. I suspect few organizations do, and therefore don't detect backdoors added by “cutting edge” hackers.
Cryptic Studios uncovers old hack, notifies users
A reader alerted me to a breach notification he received from Perfect World subsidiary Cryptic Studios, a massively multiplayer online role-playing game developer. You can read the web version of their notice. The hack occurred in 2010 but was only first discovered now due to “increased security analysis.”
The intruder reportedly accessed account names, handles, and encrypted passwords, at least some of which were apparently decrypted. The intruder also may have been able to access date of birth, e-mail and billing addresses, and partial credit card numbers, although Cryptic Studios doesn’t believe that those were accessed.
As always, if you had reused passwords across sites, go change your passwords on the other sites.
(Related) ...and here's why we follow Best Practices. (Yes, I'm being repetitious and redundant. That too is a Best Practice.)
"If businesses and consumers stuck to security basics, they could have avoided all cases of Conficker worm infection detected on 1.7 million systems by Microsoft researchers in the last half of 2011. According to the latest Microsoft Security Intelligence report, all cases of Conficker infection stemmed from just two attack methods: weak or stolen passwords and exploiting software vulnerabilities for which updates existed."
Everything's big in China. When they decide to clean house, they seem to have no trouble identifying and gathering up large volumes of 'evil doers.' But then, the first time is easy. Now that they have been warned, they'll start using accounts in their lawyers' names.
Cn: 1,700 arrested on stealing personal data
Wow. He Dan reports:
Police across the country have arrested more than 1,700 people on suspicion of stealing or misusing personal information, according to the Ministry of Public Security.
Under the ministry’s deployment, police in 20 provincial-level regions, including Beijing and Shanxi, uncovered 38 operations where people’s personal details were being illegally traded, according to a statement posted on the ministry’s website on Tuesday night.
In the first-ever crackdown of its kind, 611 companies that illicitly conducted surveys were closed, and 161 unauthorized databases were destroyed.
Read more on xinhuanet.com
(Related) But if you want really big, you have to hand it to Texas.
Texas Error Exposed Over 13 Million Voters’ Social Security Numbers
I don’t know how he is on other issues, but Texas Attorney General Greg Abbott is one of the most active AGs when it comes to pursuing those who dump data or don’t secure it properly. I can only imagine how mortified he must be by this breach, which thankfully, could have been much worse if the data had fallen into the wrong hands.
From the Lone Star Project:
A legal brief filed by opponents of the Texas Voter Photo ID law reveals that Attorney General Greg Abbott exposed millions of Texas voters’ full Social Security numbers to possible theft and abuse.
The brief, filed Monday, April 23, 2012 states:
“… after vigorously fighting the production of data containing full Social Security numbers, Texas mistakenly produced to Intervenors data from the VR [voter registration] data base that contained full Social Security numbers.” (Defendant-Intervenors’ Motion for Clarification of the Trial Schedule, 4/23/12, page seven.)
Texas voters escaped public release of their Social Security numbers only because of the vigilance of conscientious lawyers working against the Voter Photo ID bill. Rather than attach the files to documents circulated to other attorneys or expose them to access by the general public, opposing counsel immediately notified the AG’s office of the bungled release of private data. Abbott then, at the expense of Texas taxpayers, sent a courier to both New York and Washington, DC to retrieve the files.
Read more on Lone Star Project.
According to the Texas Secretary of State web site, Texas had 13,269,233 registered voters in the November 2010 election.
China again. If China steals from everyone, why bother to hack anyone else?
VMware Source Code Leak Follows Alleged Hack of Chinese Defense Contractor
Source code belonging to VMware has leaked to the internet after apparently being stolen by a hacker who claims to have obtained it from a Chinese firm’s network.
The source code belongs to VMware’s ESX virtual machine software product, a popular tool for creating and operating virtual computing environments. The code was posted to the Pastebin web site, a repository for coders that has become a favorite for hackers to publish purloined wares.
VMware acknowledged the leak in a note posted to the company’s web site.
Perhaps my “Technical University” could team up with the PrivacyFoundation.org and build a few for demonstration purposes? Nerf weapons anyone?
Who Has the Right to Fly a Drone Above Your Head? Finally, There's a List
While the government's use of drones in other countries has drawn scrutiny, there are plenty of drones flying in American skies on behalf of the military, law enforcement, universities, and local governments.
… Perhaps most interesting is how many universities have applied for permits. Some may be working with military grant money. [Magic words for cutting through University red tape Bob]
It's a start, but one not likely to last past November without a lot more public comment.
The White House threatens to veto CISPA
April 25, 2012 by Dissent
This may be the strongest pro-privacy statement I’ve seen from President Obama. Let’s hope it’s not just posturing and rhetoric: [Is it from a politician? Are his lips moving? Bob]
The Administration is committed to increasing public-private sharing of information about cybersecurity threats as an essential part of comprehensive legislation to protect the Nation’s vital information systems and critical infrastructure. The sharing of information must be conducted in a manner that preserves Americans’ privacy, data confidentiality, and civil liberties and recognizes the civilian nature of cyberspace. Cybersecurity and privacy are not mutually exclusive. Moreover, information sharing, while an essential component of comprehensive legislation, is not alone enough to protect the Nation’s core critical infrastructure from cyber threats. Accordingly, the Administration strongly opposes H.R. 3523, the Cyber Intelligence Sharing and Protection Act, in its current form.
[Yada, yada, yada Bob]
The House takes up the bill Thursday and there have been a slew of proposed amendments, the vast majority of which do not address the main concerns privacy advocates have.
If I ran for President on an “eliminate TSA” platform, would Obama and Romney even notice?
"With public outcry against the TSA continuing to spread, the TSA is defending a recent episode in which a four-year-old was patted down while kicking and screaming at Wichita Airport in Kansas. From the AP article: 'The grandmother of a 4-year-old girl who became hysterical during a security screening at a Kansas airport said Wednesday that the child was forced to undergo a pat-down after hugging her, with security agents yelling and calling the crying girl an uncooperative suspect.'"
Now even those who are not Computer Security majors may listen to me.
"A German court has ruled that clients, not banks, are responsible for losses in phishing scams. The German Federal Court of Justice (the country's highest civil court) ruled in the case of a German retiree who lost €5,000 ($6,608) in a bank transfer fraudulently sent to Greece. According to The Local, a German news site, the man entered 10 transaction codes into a site designed to look like his bank's web site and his bank is not liable as it specifically warned against such phishing attacks."
Some years ago, this worked its way into my model for organizational change. It is very difficult to change an organization's culture, so you need to create a parallel organization. When it works the way you want it to, you fold the original organization and transfer everything to the new one. (If it doesn't work, kill it and start over.)
The A/B Test: Inside the Technology That’s Changing the Rules of Business
… Over the past decade, the power of A/B testing has become an open secret of high-stakes web development. It’s now the standard (but seldom advertised) means through which Silicon Valley improves its online products. Using A/B, new ideas can be essentially focus-group tested in real time: Without being told, a fraction of users are diverted to a slightly different version of a given web page and their behavior compared against the mass of users on the standard site. If the new version proves superior—gaining more clicks, longer visits, more purchases—it will displace the original; if the new version is inferior, it’s quietly phased out without most users ever seeing it. A/B allows seemingly subjective questions of design—color, layout, image selection, text—to become incontrovertible matters of data-driven social science.
After joining the Obama campaign, Siroker used A/B to rethink the basic elements of the campaign website. The new-media team already knew that their greatest challenge was turning the site’s visitors into subscribers—scoring an email address so that a drumbeat of campaign emails might eventually convert them into donors.
… Most shocking of all to Obama’s team was just how poorly their instincts served them during the test. Almost unanimously, staffers expected that a video of Obama speaking at a rally would handily outperform any still photo. But in fact the video fared 30.3 percent worse than even the turquoise image. [Amazing! Politicians believing facts! Bob]
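As an added illustration of the mechanism the excerpt describes (this is not code from the article or from the campaign's tooling), a Python sketch that quietly diverts a fixed fraction of visitors to an alternate page, then compares e-mail sign-up rates and decides whether the variant displaces the original or is phased out. The experiment name, visitor ids and counts are constructed; the counts are chosen so the variant lands about 30.3 percent worse, as in the story.

```python
import hashlib
from math import sqrt

def assign_variant(user_id: str, experiment: str, fraction_b: float) -> str:
    """Divert a fixed fraction of visitors to variant B without telling them.
    Hashing (experiment, user) gives a stable choice per visitor, so the same
    person always sees the same version, and separate experiments do not
    share a bucket ordering."""
    digest = hashlib.sha256(f"{experiment}:{user_id}".encode()).digest()
    bucket = int.from_bytes(digest[:4], "big") / 2 ** 32  # uniform in [0, 1)
    return "B" if bucket < fraction_b else "A"

def relative_lift(rate_a: float, rate_b: float) -> float:
    """Relative change of B's rate against A's; negative means B did worse."""
    return (rate_b - rate_a) / rate_a

def z_score(visitors_a: int, conv_a: int, visitors_b: int, conv_b: int) -> float:
    """Two-proportion z statistic with a pooled rate: how many standard errors
    the variant's conversion rate sits from the control's."""
    p_a, p_b = conv_a / visitors_a, conv_b / visitors_b
    pooled = (conv_a + conv_b) / (visitors_a + visitors_b)
    se = sqrt(pooled * (1 - pooled) * (1 / visitors_a + 1 / visitors_b))
    return (p_b - p_a) / se

def decide(visitors_a: int, conv_a: int, visitors_b: int, conv_b: int,
           z_threshold: float = 1.96) -> str:
    """'displace' when B is significantly better than A, 'phase_out' when it
    is significantly worse, otherwise keep collecting data (95% two-sided)."""
    z = z_score(visitors_a, conv_a, visitors_b, conv_b)
    if z >= z_threshold:
        return "displace"
    if z <= -z_threshold:
        return "phase_out"
    return "keep_testing"

# Constructed sample (not the campaign's real numbers): A is the still image,
# B is the rally video; a conversion is a visitor who left an e-mail address.
SAMPLE = {"A": (10_000, 1_120), "B": (10_000, 781)}

if __name__ == "__main__":
    # Bucket a few constructed visitor ids, 10% diverted to the variant.
    for uid in ("visitor-1", "visitor-2", "visitor-3"):
        print(uid, assign_variant(uid, "splash-page", 0.10))
    (va, ca), (vb, cb) = SAMPLE["A"], SAMPLE["B"]
    print(f"lift {relative_lift(ca / va, cb / vb):+.1%}, "
          f"z {z_score(va, ca, vb, cb):.1f}, decision {decide(va, ca, vb, cb)}")
```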
One word: Multivac
"Google could go the way of the dodo if ultra intelligent electronic agents (UIEA) make their way into the mainstream, according to technology prognosticator Daniel Burrus. Siri is just the first example of how a UIEA could end search as we know it. By leveraging the cloud and supercomputing capabilities, Siri uses natural language search to circumvent the entire Google process. If Burrus is right, we'll no longer have to wade through '30,000,000 returns in .0013 milliseconds' of irrelevant search results."
Why wouldn't your local bank offer the same service? After all, “that's where the money is.” (Willie Sutton)
Buy a product on Walmart.com, pay with...cash?
The retail giant says that customers can now browse more items on its Web site, and then opt to pay with cash by heading into a local store and dropping off the Benjamins.
That will teach him to toy with Hasbro! (Should you really sue your fans?)
Hasbro Goes After Blogger In IP Theft Case
You’d never think that the world of Nerf guns and dart shooters was so intense, but Hasbro apparently sued a blogger for leaking information about unreleased Nerf products he found on Chinese marketplace Taobao using the sweetest bait imaginable: free Nerf guns.
Urban Taggers is a blog about “assault blasters” for “kidults.” Essentially they cover Nerf guns and the like and are fairly popular in the space. The lead blogger, Pocket, ran a review of an unreleased gun. A few days later, he received a note from Hasbro offering some guns to giveaway to his readers. Eager to share the blaster love, he agreed and sent his address. That’s when his troubles began.
Immediately after the emails went back and forth, Pocket received a letter from Hasbro’s lawyers accusing him of IP theft.
Perspective. Can you see shelves full of Kindles? Me neither...
April 25, 2012
Pew Presentation: Public libraries in the digital age
Public libraries in the digital age by Mary Madden, Kathryn Zickuhr, Apr 25, 2012 at Chief Officers of State Library Agencies: "They presented findings on the rise of e-reading, including reading-device ownership and the general reading habits/preferences of Americans. Their presentation included libraries research fact sheets:
(Related) Sci-Fi publishers are such forward thinking people I would expect nothing less...
"'Science fiction publisher Tor UK is dropping digital rights management from its e-books alongside a similar move by its U.S. partners. ... Tor UK, Tor Books and Forge are divisions of Pan Macmillan, which said it viewed the move as an "experiment."' With experiments, come results. Now users can finally read their books across multiple devices such as Amazon's Kindle, Sony Reader, Kobo eReader and Apple's iBooks. Perhaps we will see the *increase* of sales, because the new unrestricted format outweighs the decrease caused by piracy?"
Useful in my “build your own website” class...
Tools to keep in the “Oh Crap!” folder.
I'm afraid to ask. Is this for the “English for people who can't read” class?
Yesterday, I Tweeted a story from Open Culture that highlighted 12 animated Shakespeare stories. In my investigation of the video source that Open Culture highlighted, I discovered Shakespeare Animated. Shakespeare Animated is a YouTube channel containing twelve playlists, ten of which are animated adaptations of Shakespeare's most famous plays. Some of the animated plays that appear in the Shakespeare Animated playlist are Romeo and Juliet, Hamlet, Macbeth, and The Taming of the Shrew. I've embedded part one of Romeo and Juliet below.
The Shakespeare Animated videos could be useful for supporting your students' reading of Romeo and Juliet or any of the nine other plays in the list. Because the plays are broken into segments they are well-suited to being used one class meeting at a time. You could show the ten to twelve minute segments
For my students (and my 1%)
Another Crowdfunding Player Enters The Fray: Apps Genius Launches GetFunded.com
… Like Kickstarter and many others, GetFunded will be a “crowdfunding platform for entrepreneurs who are seeking new investments in their businesses and ideas,” according to a statement from Apps Genius.