Tuesday, July 03, 2012


Sharing on Facebook... “Those who do not study 'really stupid things to do online' are doomed to repeat 'really stupid things to do online.'” Bob, with apologies to Santayana.
Twitter feed reveals nirvana of human doltishness
… this is a Twitter feed called NeedADebitCard. It serves a vast social purpose.
Yes, it reveals all those who happen to share pictures of their brand new debit cards. Full frontal. Numbers exposed. Names attached.
… Naturally, some speculate that the vast majority of those tweeting these pictures are teenagers, who have so little money that their identity is scarcely worth stealing.


Updates as massive security/privacy/operational issues.
Do it our way (which is none of your business) or else!
“We are not amused.” “Queen” Victoria, my network gal...
Cisco’s cloud vision: Mandatory, monetized, and killed at their discretion
… When owners of the E2700, E3500, or E4500 attempted to log in to their devices, they were asked to login/register using their “Cisco Connect Cloud” account information. The story that’s emerged from this unexpected “upgrade” is a perfect example of how buzzword fixation can lead to extremely poor decisions.
… The E2700, E3500, and E4500 all shipped with the “Automatic Firmware Update” option selected, [Best Practice is to change all “default settings” that are not in your best interest. Bob] which is why so many users found themselves asked to authenticate using a different account with no prior warning.
… The second major problem with Cisco’s Cloud Connect is its “supplemental privacy policy.” This policy is an addition to Cisco’s Privacy Statement. As of June 27, the fifth paragraph read as follows:
When you use the Service, we may keep track of certain information related to your use of the Service, including but not limited to the status and health of your network and networked products; which apps relating to the Service you are using; which features you are using within the Service infrastructure; network traffic (e.g., megabytes per hour); Internet history; how frequently you encounter errors on the Service system and other related information (“Other Information”).
This paragraph has been excised entirely from the current version of the Supplemental Privacy Policy, but that proves nothing — Cisco has the right to update its privacy policy at any time, without legal penalty. Both versions of the document contain a further statement that may raise a few eyebrows. The next-to-last sentence reads: “In some cases, in order to provide an optimal experience on your home network, some updates may still be automatically applied, regardless of the auto-update setting.”

(Related) “Why should we fix it? It's working exactly as we intended.”
Facebook's e-mail debacle: One 'bug' fix, but rollback impossible
Facebook changed its 900+ million users' primary e-mail address a week ago, setting in motion a continually cascading series of failures.
Users have lost unknown amounts of e-mail, and address books were unknowingly overwritten. Facebook's first official response yesterday was that everyone was just confused about how to look in their Facebook inboxes.
Now they've changed their tune. But their admission of intercepted and lost e-mail, questions about privacy ethics, and new issues around Apple iOS 6 show that Facebook's Apple app is also adding secondary, undeletable contacts into users' address books.

(Related)
Auto-Sunk. Check Your Hidden Facebook “Other” Inbox For Your Missing Emails


Perhaps they learned from the team that created Stuxnet? At least I now know who to call if my sprinklers come on by themselves. The pie charts are interesting...
July 02, 2012
Industrial Control Systems Cyber Emergency Response Team Report
"The Department of Homeland Security (DHS) Control Systems Security Program manages and operates the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to provide focused operational capabilities for defense of control system environments against emerging cyber threats... This report provides a summary of cyber incidents, onsite deployments, and associated findings from the time ICS-CERT was established in 2009 through the end of 2011. The most common infection vector for network intrusion was spear-phishing emails with malicious links or attachments. Spear-phishing accounted for 7 out of 17 incidents. At least one incident involved an infection from a removable USB device."

(Related) Looks like we need another “Team.” Seriously! This is biological warfare and lots of US hating countries with no nuclear weapons have plenty of bugs.
"Timothy Paine, an entomologist at the University of California-Riverside, recently 'committed to the scientific record the idea that California's eucalyptus trees may have been biologically sabotaged, publishing an article [in the Journal of Economic Entomology] raising the possibility of bioterrorism.' Specifically, Paine argues that foreign insect pests have been deliberately introduced in the Golden State, in hopes of decimating the state's population of eucalyptus (especially the two species regarded as invasive, which 'are particularly susceptible to the pests.') In California's Bioterror Mystery, Paine (and scientists who are skeptical) make their arguments. What isn't in dispute is that the insect pests have already inflicted hundreds of millions of dollars in damage, making the story a cautionary tale about what might happen if a food or crop were intentionally targeted."


How do you plan to counter this, Computer Security students?
How Anonymous Picks Targets, Launches Attacks, and Takes Powerful Organizations Down
… In fact, the success of Anonymous without leaders is pretty easy to understand—if you forget everything you think you know about how organizations work. Anonymous is a classic “do-ocracy,” to use a phrase that’s popular in the open source movement. As the term implies, that means rule by sheer doing: Individuals propose actions, others join in (or not), and then the Anonymous flag is flown over the result.


1) Wait, wait... You haven't been doing this all along?
2) Someone better tell Congress before they start passing laws based on this stuff...
Feds Look to Fight Leaks With ‘Fog of Disinformation’
Pentagon-funded researchers have come up with a new plan for busting leakers: Spot them by how they search, and then entice the secret-spillers with decoy documents that will give them away.
Computer scientists call it “Fog Computing” — a play on today’s cloud computing craze. And in a recent paper for Darpa, the Pentagon’s premiere research arm, researchers say they’ve built “a prototype for automatically generating and distributing believable misinformation … and then tracking access and attempted misuse of it. We call this ‘disinformation technology.’”
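The decoy-and-track idea described above, as an added illustration that is not DARPA's or the researchers' code: each decoy document carries a unique token, so either an audit-log entry touching a decoy path or the token turning up in a copy found outside the network points back at who handled which decoy. The share paths, user names and audit-log format are constructed for the example.

```python
"""Decoy documents as honeytokens.

Each decoy gets a unique token written into its body.  Two signals then give a
leaker away: (1) an audit-log entry touching a decoy path that nobody has a
legitimate reason to open, and (2) the token turning up in a copy of the file
found outside the network.  Share paths, user names and the audit-log format
below are constructed for this example.
"""
import re
import secrets
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Decoy:
    path: str   # where the bait is planted on the file share
    token: str  # unique per decoy, so a leaked copy identifies its source


@dataclass(frozen=True)
class DecoyHit:
    ts: str
    user: str
    action: str
    path: str


def generate_decoys(stems: Iterable[str], base_dir: str = "/share/finance",
                    token_source: Optional[Callable[[], str]] = None) -> List[Decoy]:
    """Plant one decoy per stem; tokens are random unless a source is injected (for tests)."""
    token_source = token_source or (lambda: secrets.token_hex(8))
    return [Decoy(path=f"{base_dir}/{stem}_DRAFT.docx", token=token_source())
            for stem in stems]


def render_decoy(decoy: Decoy) -> str:
    """Body text of a decoy. The token hides in a plausible-looking document reference."""
    title = decoy.path.rsplit("/", 1)[-1].replace("_DRAFT.docx", "").replace("_", " ")
    return (f"{title.title()} (draft, internal)\n"
            f"Ref: DOC-{decoy.token}\n"
            "Do not distribute outside the finance team.\n")


# Constructed audit-log format: one line per file operation.
AUDIT_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$")


def find_decoy_access(log_lines: Iterable[str], decoys: Iterable[Decoy]) -> List[DecoyHit]:
    """Return every audit entry whose path is a decoy. Any hit is suspicious by
    construction: the decoys are never referenced by real work. Unparseable
    lines are skipped."""
    bait = {d.path for d in decoys}
    hits = []
    for line in log_lines:
        m = AUDIT_LINE.match(line.strip())
        if m and m["path"] in bait:
            hits.append(DecoyHit(m["ts"], m["user"], m["action"], m["path"]))
    return hits


def suspects(hits: Iterable[DecoyHit]) -> dict:
    """Count decoy touches per user, most active first."""
    return dict(Counter(h.user for h in hits).most_common())


def identify_leaked_decoy(blob: str, decoys: Iterable[Decoy]) -> Optional[Decoy]:
    """Given text recovered from outside (an e-mail body, a paste-site dump),
    name the decoy it came from, or None if no token is present."""
    for d in decoys:
        if f"DOC-{d.token}" in blob:
            return d
    return None


# --- constructed sample data: fixed tokens so the run is reproducible --------
_fixed_tokens = iter(["a1b2c3d4e5f60718", "0f1e2d3c4b5a6978"])
SAMPLE_DECOYS = generate_decoys(["Q3_budget", "merger_terms"],
                                token_source=lambda: next(_fixed_tokens))

SAMPLE_LOG = """\
2012-07-02T10:15:03Z user=alice action=read path=/share/finance/Q3_actuals.xlsx
2012-07-02T10:16:41Z user=bob action=read path=/share/finance/Q3_budget_DRAFT.docx
2012-07-02T10:17:02Z user=bob action=copy path=/share/finance/merger_terms_DRAFT.docx
2012-07-02T11:02:55Z user=carol action=read path=/share/hr/holiday_schedule.pdf
2012-07-02T11:05:10Z user=alice action=read path=/share/finance/Q3_budget_DRAFT.docx
garbage line that does not parse
"""

if __name__ == "__main__":
    hits = find_decoy_access(SAMPLE_LOG.splitlines(), SAMPLE_DECOYS)
    for h in hits:
        print(f"{h.ts} {h.user} {h.action} {h.path}")
    print("touches per user:", suspects(hits))
    leaked = render_decoy(SAMPLE_DECOYS[1])  # pretend this turned up in an outbound mail
    print("leaked decoy:", identify_leaked_decoy(leaked, SAMPLE_DECOYS).path)
```

The two halves are deliberately independent: the access-log check catches the reader at the moment of the touch, while the embedded token still works months later when only a copy of the document survives. In a real deployment the decoy paths should be excluded from backups and indexers, or those jobs will show up as "suspects".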


I was dreading a long report at 140 characters per Tweet... It is actually fairly comprehensible.
Twitter Transparency Report
July 2, 2012 by Dissent
Twitter has issued its first transparency report, covering governmental requests for user account data for the period January 1, 2012 – June 30, 2012.
Out of the 849 requests it received during this period (a number significantly lower than what I had imagined), 679 were from the U.S. for user account information on 948 users. Of those 679 requests, 75% resulted in Twitter providing some or all of the requested data.
See the report, and kudos to Twitter for disclosing these numbers.
[Also see Twitter's Guidelines for Law Enforcement. Bob]

(Related) So we will likely see many more requests...
Judge Finds No Constitutional Violation in Producing Tweets
July 2, 2012 by Dissent
Andrew Keshner reports:
Twitter must produce tweets and user information of an Occupy Wall Street protester, a judge has ruled, discounting objections from the social media website in a case of first impression.
“The Constitution gives you the right to post, but as numerous people have learned, there are still consequences for your public posts. What you give to the public belongs to the public. What you keep to yourself belongs only to you,” Criminal Court Judge Matthew Sciarrino Jr., sitting in Manhattan, wrote in People v. Harris, 2011NY080152.
Read more on New York Law Journal.


For my Data Mining and Data Analysis students
July 02, 2012
Managing Discovery of Electronic Information: A Pocket Guide for Judges
Managing Discovery of Electronic Information: A Pocket Guide for Judges, Second Edition. Barbara J. Rothstein, Ronald J. Hedges, and Elizabeth C. Wiggins. Federal Judicial Center, 2012
  • "ESI currently includes e-mail messages, word processing files, web pages, and databases created and stored on computers, magnetic disks (such as computer hard drives), optical disks (such as DVDs and CDs), and flash memory (such as “thumb” or “flash” drives), and increasingly on “cloud” based servers hosted by third parties that are accessed through Internet connections. The technology changes rapidly, making a complete list impossible. Federal Rules of Civil Procedure 26 and 34, which went into effect on December 1, 2006, use the broad term “electronically stored information” to identify a distinct category of information that, along with “documents” and “things,” is subject to discovery rights and obligations."


Attention Ethical Hackers: Two teams, one builds drones, the other tries to take them over. One month from now we switch teams. Note that this was NOT a true hack of the drone.
Research Team Hacks Surveillance Drone With Less than $1,000 in Equipment
July 2, 2012 by Dissent
David Sydiongco reports:
Last week, a team of University of Texas researchers, led by professor Todd Humphreys, managed to hack a surveillance drone before the eyes of the Department of Homeland Security, successfully “spoofing” the UAV’s GPS system with just about $1,000 in off-the-shelf hardware.
Read more on Slate.
[From the article:
The University of Texas team constructed a “spoofing device,” which sent counterfeit GPS signals to the unmanned aerial vehicle, steering it off-course.
DHS officials were pleased with his results, says Humphreys, as they were a “fulfillment of their prophecies.”
He explains that while the hardware of the “spoofing” device is easily accessible, its “special sauce” is in the software, which was developed over a four-year period by his team. “It’s outside the capability of any average American citizen,” said Humphreys. [Well, are you going to allow that challenge to go unanswered? Bob]


Perspective: So far, none of my students have asked, “What is that strapped to your wrist, professor?”
The Smartphone Replacement Index
… O2, the same network that documented the phone call's fifth-most-popular ranking among smartphone functions, also conducted research into the non-phone-y uses of the smartphone. What it found was a Swiss Army effect: people are using their smartphones not just as phones, and not even just as portable Internet cafes, but also as diaries and watches and cameras and alarm clocks and libraries and personal movie theaters.

(Related)
Maybe We Should Stop Calling Smartphones 'Phones'
Every day, the average smartphone user spends 128 minutes actively using the device. That's just over two hours. The average user is spending those 128 minutes surfing the Internet (for nearly 25 minutes), engaging in social networking (for more than 17), listening to music (more than 15), and playing games (more than 14). 
What the average user is doing relatively little of, however, is talking -- using the smartphone as, you know, a phone.


Hope for the future. This increases the odds that someone will actually figure it out!
Tyler Cowen: 'Everywhere Will Be Like the Music Industry'
The music industry, as we all know, has been turned upside down by the new behaviors enabled by the Internet. If you look at recorded music sales alone, the industry has nosedived since the late 90s. But if you take a broader view, we see that people continue to listen to tons of music, go to concerts, and that all kinds of startups are desperately trying to become the new model for the industry.
If George Mason economist and Marginal Revolution blogger Tyler Cowen is right, higher education is about to go the way of the record company. Speaking at the Aspen Ideas Festival, he offered up college as the next in a long line of industries that Internet-enabled innovation is going to scramble.


Years ago, I thought of this exact form of funding, but as a “charity” replacement. Let the donors pick new projects to fund.
The Power and the Peril of Our Crowdfunded Future
Since Kickstarter launched in April of 2009, we, the crowd, have funded a quarter of a billion dollars worth of art projects, small businesses, tech gear, etc.


I'm shocked! My blog isn't on the list!
The 1000 most-visited sites on the web
