Wednesday, July 24, 2013

They can identify a new and “sophisticated” attack vector, but they don't bother to log (therefore can't determine) what happens on their own computers?
Graham Cluley reports:
Kitchenware store Lakeland has emailed customers telling them that hackers managed to gain unauthorised access to its web systems and databases late last week.
Although the company has confirmed that hackers accessed “two encrypted databases”, it has been unable to ascertain whether information was stolen.
Read more on his blog.
[From the blog:
Lakeland had been subjected to a sophisticated cyber-attack using a very recently identified flaw in the Java software used by the servers running our website

How would you like to be perceived? Voracious consumer of all things digital or typical incompetent government bureaucracy?
NSA Says It Can’t Search Its Own Emails
The NSA is a "supercomputing powerhouse" with machines so powerful their speed is measured in thousands of trillions of operations per second. The agency turns its giant machine brains to the task of sifting through unimaginably large troves of data its surveillance programs capture.
But ask the NSA, as part of a freedom of information request, to do a seemingly simple search of its own employees' email? The agency says it doesn’t have the technology.
"There's no central method to search an email at this time with the way our records are set up, unfortunately," NSA Freedom of Information Act officer Cindy Blacker told me last week.
The system is “a little antiquated and archaic," she added.
… It’s actually common for large corporations to do bulk searches of their employees email as part of internal investigations or legal discovery.

(Related) I already had a low opinion of State.
New Report: The State Department's Anti-Hacking Office Is a Complete Disaster
The State Department has plenty of important secrets—classified cables, foreign policy directives, embassy plans, and more. It also has a department (with a nine-word name) responsible for protecting those secrets from hackers: the Bureau of Information Resource Management's Office of Information Assurance. Yet according to an unusually scathing new report from the State Department's inspector general, this "lead office" for cybersecurity is so dysfunctional and technologically out-of-date that Foggy Bottom may be open to cyberattack.

Are most lawyers ready to defend a Computer Security instructor who was merely trying to demonstrate Privacy “Best Practices?”
How Protecting Your Privacy Could Make You the Bad Guy
There’s a funny catch-22 when it comes to privacy best practices. The very techniques that experts recommend to protect your privacy from government and commercial tracking could be at odds with the antiquated, vague Computer Fraud and Abuse Act (CFAA).
A number of researchers (including me) recently joined an amicus brief (filed by Stanford’s Center for Internet and Society in the “Weev” case), arguing how security and privacy researchers are put at risk by this law.
… The crux of a CFAA violation hinges on whether or not an action allows a user to gain “access without authorization” or “exceed authorized access” to a computer. The scary part, therefore, is when these actions involve everyday behaviors like clearing cookies, changing browser reporting, using VPNs, and even protecting one’s mobile phone from being identified.
… Clearing cookies limits the profiles advertisers can compile, essentially rendering us as a new user to web services. In fact, the FTC recommends that users clear cookies to protect their private information, and the Treasury Department advises the same — though in that case it’s to make sure their website is loading correctly for users.
However, many websites rely on cookies to enforce paywalls. These companies do this so their freemium business models can work transparently, without initially requiring the user to be aware (i.e., log in) until they hit the limit.
The New York Times, for example, imposes a 10 articles-a-month limit for non-subscribers, allowing users to browse 10 articles for free but then requiring payment for subsequent use. But the method the New York Times and other publications use to identify users is unreliable and easy to circumvent, even inadvertently. Clearing one’s cookies periodically — or even using a browser’s private browsing mode — bypasses the flimsy paywalls and allows users to continue reading stories. [Whose “Oops?” The Times or me? Bob]

American Customer Satisfaction Index e-business report
“The annual ForeSee American Customer Satisfaction Index (ACSI) e-business report 2013 includes an analysis of individual companies within three measured e-business categories.
  • Social Media: Google+,,,,,, and
  • Portals and Search Engines:,,,, and
  • News & Information Websites:,,,,,, and”
[From the report:
lowest score in a decade.
social media continues to provide one of the least satisfying experiences ... registered the highest score in this e-business report.

As my friends at the Law School will say, “Let the litigation begin!” (and you thought I couldn't spell 游戏)
Chrysler’s .Ram might just offend a billion people
The internet is changing. Last week, the Internet Corporation for Assigned Names and Numbers, a non-profit entity that runs the web’s naming system, approved four new top-level domain names (TLDs) (the bit after the final dot, such as .com): онлайн and сайт (Russian for “online” and “site”), شبكة (Arabic for “web”) and 游戏 (Chinese for “game”).
So far, uncontroversial. But among the 1,410 TLDs for which nearly 2,000 companies applied are generic names such as .tickets, .app and .wtf as well as more specific ones, like .catholic and .amazon. Things are about to get messy.
Critics say that hundreds of new TLDs will confuse internet users, force companies to pre-emptively sign up across dozens of registers to prevent copyright theft, and confer a monopoly to whomever gains the rights to highly sought-after names. Mindful of the controversial nature of some applications, ICANN included a lengthy objection period.
… Well, the objections poured in. Australia was offended by the idea of .wtf (and plenty else besides), the Saudis couldn’t fathom why Vatican should be given .catholic, Brazil argued against granting .amazon to Amazon, and India took issue with Chrysler’s application for .ram. Of these, India has perhaps the strongest case.
At the most recent meeting of the GAC in Durban last week, India again made clear (pdf) its discomfort with the idea of a .ram domain name. To many outside India, this is baffling. Why does India care about a line of pick-up trucks named for a male sheep?
The objection arises from an unfortunate homonym: Ram, pronounced with a long “a,” is also the name of one of Hinduism’s chief gods.

The Internet is a plethora of niches. Thai monks are (roughly) 12/1000ths of the 3 billion plus Internet users.
Megastore for Thai Monks Brings One-Stop Retail to Buddhism
… Thailand had nearly 300,000 monks and more than 60,000 novice monks at the end of 2012.

For my Ethical Hackers, who need to know about unethical things.
You read that headline right: If you and I were on the same WiFi network, I could probably log in to some of your sensitive accounts — and I’m not even a hacker. This is thanks to an app for rooted Android devices called dSploit.

For my students, because RSS readers are useful!
Try an online-only replacement for Google Reader. Feedspot isn’t well known now, but that may soon change. Google Reader’s decline means any RSS reader has a chance to step up and convince its readers to try out their service. Feedspot makes a compelling argument. Its interface is clean and likely familiar. Feeds can migrate from Google Reader, or any other RSS reader by use of an OPML file.
