When?
My Ethical Hackers are already planning how to hijack the best
parking spots. (I told them they should apply for a Grant!)
When
Cars Are as Hackable as Cell Phones
Imagine
this future scenario: Self-driving cars form an orderly procession
down a highway, traveling at precisely the right following distance
and speed. All the on-board computers cooperate and all the vehicles
reach their destinations safely.
But
what if one person jailbreaks her car, and tells her AI driver to go
just a little faster than the other cars? As the aggressive car
moves up on the other vehicles, their safety mechanisms kick in and
they change lanes to get out of the way. It might make the overall
efficiency of the transportation lower, but this one person would get
ahead.
This
is but one of many scenarios that Ryan Gerdes of Utah State
University is exploring with a
$1.2 million grant from the National Science Foundation to look
at the security of the autonomous vehicle future.
…
What he's fascinated by is the way that bad actors could use the
self-driving cars' algorithms against themselves. The algorithms
that guide these cars—at least now—are fairly "deterministic"
as he put it. A given set of inputs will yield the same outputs over
and over. That makes them prone to manipulation by someone with
knowledge of how they work. He can spin out scenario after scenario:
"What happens when you have two advanced cruise control
vehicles and the one in front starts accelerating and braking such
that the one behind it starts doing the same thing in a more
amplified fashion?"
"We’re looking at the collision avoidance systems. They
rely on radar. We think we can manipulate radar sensors to some
extent. Is it simple for an attacker to create an obstacle out of
thin air?"
"Auto manufacturers always maintain the proper spacing in
adaptive cruise control. You might get interesting effects if
[someone] crafted certain inputs or misbehaved in a certain way so
they create a very large traffic jam."
"If I’m a shipping company and I want to slow down the
competition... I can take advantage of their sensors and keep making
their cars brake and accelerate. We’ve already demonstrated in
theory that it’s possible."
…
A 2010 paper found all
kinds of security flaws in a modern automobile, including
headslappingly simple stuff like allowing the car's control system to
be accessed through the radio controller. Install a hackable
aftermarket radio and some malicious entity could take control of
one's brakes.
For
my Computer Security students. See? It can be done!
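The "amplified fashion" Gerdes describes above is the textbook string-instability problem of predecessor-following cruise control: each car reacts to the one ahead with a fixed, deterministic law, so a disturbance injected at the front can grow as it propagates down the line. The simulation below is an added illustration written for this page; it is not code from the article or from Gerdes's research. It models a lead car that oscillates its speed and five followers running a hypothetical linear proportional-derivative spacing law with assumed gains kp = kd = 1 and made-up vehicle numbers (20 m/s cruise, 5 m cars, 10 m standstill gap). With a constant-spacing policy the oscillation grows by roughly 41% per car at the chosen 1 rad/s disturbance frequency, so the fifth follower swings about five times as hard as the leader; with a one-second time-headway policy the same input is damped out stage by stage.

```python
import math


def simulate_platoon(headway, n_followers=5, kp=1.0, kd=1.0, v_cruise=20.0,
                     amp=0.5, omega=1.0, s0=10.0, length=5.0,
                     dt=0.01, t_end=60.0, t_measure=40.0):
    """Simulate a lead car plus n_followers under a hypothetical linear PD spacing law.

    headway=0.0 -> constant-spacing policy (desired gap = s0)
    headway=h   -> constant-time-headway policy (desired gap = s0 + h * own speed)

    Car 0 is the "misbehaving" lead vehicle: it swings its speed sinusoidally
    around v_cruise. Every other car accelerates according to its spacing error
    and the speed difference to its predecessor. Returns the steady-state peak
    speed deviation (m/s) of each car, measured after t_measure so that
    start-up transients have decayed. All parameters are assumed toy values.
    Toy-model limits: no actuator saturation, no collision check, no sensor noise.
    """
    n = n_followers + 1
    desired_gap = s0 + headway * v_cruise
    # Start at equilibrium: equal speeds, every gap exactly at its set point.
    x = [-i * (length + desired_gap) for i in range(n)]
    v = [v_cruise] * n
    peak = [0.0] * n
    for k in range(int(t_end / dt)):
        t = k * dt
        v[0] = v_cruise + amp * math.sin(omega * t)
        accel = [0.0] * n
        for i in range(1, n):
            gap = x[i - 1] - x[i] - length
            spacing_error = gap - (s0 + headway * v[i])
            # Deterministic PD law: identical inputs always give identical output,
            # which is exactly what lets an attacker predict and steer the response.
            accel[i] = kp * spacing_error + kd * (v[i - 1] - v[i])
        for i in range(1, n):
            v[i] += accel[i] * dt
        for i in range(n):
            x[i] += v[i] * dt
        if t >= t_measure:
            for i in range(n):
                peak[i] = max(peak[i], abs(v[i] - v_cruise))
    return peak


def amplification_per_car(peak):
    """Ratio of each car's oscillation to its predecessor's (> 1 means it grew)."""
    return [peak[i] / peak[i - 1] for i in range(1, len(peak))]


if __name__ == "__main__":
    for label, h in (("constant spacing (h = 0)", 0.0), ("time headway (h = 1 s)", 1.0)):
        peaks = simulate_platoon(headway=h)
        print(label, ["%.2f" % p for p in peaks],
              "per-car gain:", ["%.2f" % r for r in amplification_per_car(peaks)])
```

For this particular law the per-car gain stays at or below one at every disturbance frequency exactly when 2·kd·h + kp·h² ≥ 2, which is why h = 1 s is enough with the assumed gains while h = 0 can never be string stable no matter how kp and kd are tuned. Real adaptive cruise controllers add acceleration limits and filtering, so the growth is bounded in practice, but the mechanism Gerdes points at, a fixed response that an attacker in front can drive, is the same.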
How
quickly can your organization detect and stop a breach?
It
looks like the National Committee for Quality Assurance
(NCQA) caught
one pretty quickly, as it only affected customers making online
purchases on September 3 between 2 am and 10 am.
They
called those affected, and by September 5, were sending out letters
to those affected, telling them that their names, addresses,
credit/debit card numbers and card expiration dates were breached.
What
a fast breach detection, response, and notification.
Well
done, NCQA!
Compare
and contrast the article above to this one...
In
Wake of Confirmed Breach at Home Depot, Banks See Spike in PIN Debit
Card Fraud
Nearly
a week after this blog first
reported signs that Home Depot was battling a
major security incident, the company has acknowledged that it
suffered a credit and debit card breach involving its U.S. and
Canadian stores dating back to April 2014. Home
Depot was quick to assure customers and banks that no debit card PIN
data was compromised in the break-in. Nevertheless, multiple
financial institutions contacted by this publication are reporting a
steep increase over the past few days in fraudulent ATM withdrawals
on customer accounts.
The
card data for sale in the underground that was stolen from Home Depot
shoppers allows thieves to create counterfeit copies of debit and
credit cards that can be used to purchase merchandise in big box
stores. But if the crooks who buy stolen debit cards also are able
to change the PIN on those accounts, the fabricated debit cards can
then be used to withdraw cash from ATMs.
…
Here’s the critical part: The card data stolen from Home Depot
customers and now for sale on the crime shop Rescator[dot]cc
includes both the information needed to fabricate counterfeit cards
as well as the legitimate cardholder’s full name and the
city, state and ZIP of the Home Depot store from which the card was
stolen (presumably by
malware installed on some part of the retailer’s network, and
probably on each point-of-sale device).
Their
use of spyware ended in early 2012. The lawsuits may end in 2112.
Maybe.
Hilary
Niles reports a settlement between Vermont and Aaron’s, a firm that
was charged
by the FTC and sued civilly by customers over the use of remotely
activated spyware that captured images of customers. As reported on
this blog in numerous previous entries, the software enabled the
franchises to locate lost or stolen laptops, but it also enabled them
to track down customers who defaulted on their rental agreements,
without the knowledge or consent of customers. In some cases, the
spyware reportedly captured sensitive or personal images. Previous
coverage on this blog is linked from here.
Niles reports:
Three Vermont consumers will collect $2,000 in fines to make up for
violations of their privacy by a computer leasing company. The state
additionally will collect $45,000 in civil penalties and legal costs
from SEI/Aaron’s.
Read
more on VTDigger.
The
Vermont Attorney General’s Office posted this press release about
the case today:
No
doubt this will explain everything to everyone's satisfaction.
EPIC
(Finally) Obtains Memos on Warrantless Wiretapping Program
by
Sabrina I.
Pacifici on Sep 8, 2014
“More
than eight years after filing a Freedom
of Information Act request for the
legal justification behind the “Warrantless Wiretapping” program
of President Bush, EPIC has now obtained a mostly unredacted version
of two key memos (OLC54)
and (OLC85)
by former Justice Department official Jack Goldsmith. EPIC requested
these memos just four hours after the New York Times broke the
story about the program in December
2005. When the agency failed to release the documents, EPIC filed
a lawsuit. The ACLU and the
National Security Archive later joined the case. These two Office of
Legal Counsel memos offer the fullest justification of the
warrantless wiretapping program available to date, arguing that the
president has inherent constitutional power to monitor Americans’
communications without a warrant in a time of war. But some parts of
the legal analysis, including possibly contrary authority, are still
being withheld. The warrantless wiretapping program was part of
“Stellar Wind,” a broad program of email interception, phone
record collection, and data collection undertaken by the NSA without
the approval of Congress. For more information see EPIC:
EPIC v. DOJ: Warrantless Wiretapping Program.”
(Related)
Something to think about and then ignore?
International
Law and Secret Surveillance: Binding Restrictions upon State
Monitoring of Telephone and Internet Activity
by
Sabrina I.
Pacifici on Sep 8, 2014
CDT:
“In the year that has followed Edward Snowden’s first disclosures
concerning secret US and UK surveillance practices, many governments,
human-rights groups, and UN bodies have debated—and at times
disagreed sharply—about whether the Internet and telephone
surveillance practices that governments employ today are consistent
with international law. With a view to informing these discussions,
this
report
briefly summarizes the current state of international law as it
applies to the secret surveillance of communications.
Many commentators divide international law into two categories: “hard
law,” which is binding upon at least some states, and “soft law,”
which includes nonbinding materials such as UN General Assembly
resolutions. In order to facilitate a greater degree of
understanding and consensus, this report is restricted to major
international sources of “hard law.” The report describes two
distinct bodies of law: customary international law (specifically,
the principle of territorial and political integrity) and
international human-rights law. As explained below, these two bodies
of law exist independently of one another, meaning that a
surveillance practice that does not violate human-rights law may
still violate customary international law, and vice versa. The
report does not address the special legal regimes that apply during
situations of armed conflict. Where international human-rights law
is concerned, the report focuses on the right to privacy, freedom of
expression, and the right to a remedy, and provides a summary of the
applicable case-law of the European Court of Human Rights and
Inter-American Court of Human Rights. In this respect, the report is
intended to serve as a basic reference work for scholars,
practitioners, and activists. Although the applicability of the
relevant laws and norms to the United States is described in some
detail, the discussion below is relevant to all states’
surveillance practices.”
Have
we thought this through?
Tech
Firms Ask Congress to Redefine Medical Privacy Rules
Tech
firms, including Amazon.com Inc., are asking Congress to redefine the
rules on medical privacy, saying the potential risks of disclosure
should be weighed again against the potential benefits of wider
sharing and easier access to crucial health data.
Executives
of tech companies and health organizations have told the House Energy
and Commerce Committee in recent months that what they consider an
excessively conservative stance on health data privacy is hindering
development of new medical technologies and approaches to treatment,
and also adding costs to already burdened state and federal budgets.
…
Large companies also are looking for changes in HIPAA. Paul Misener,
Amazon’s vice president for global public policy, in July told
Energy and Commerce that current rules make it difficult to negotiate
contracts for cloud computing services.
Clearly,
someone needs guidance.
Kim
Archer reports that the same state education department that upset
the hell out of privacy advocates by publicly posting students’
personal details if they applied for a waiver of state tests still
doesn’t grasp their obligations to rigorously protect student
privacy:
Some area school officials say the Oklahoma State Department of
Education has violated state and federal laws protecting student
privacy by releasing information to districts about students who no
longer attend their schools.
“If (the students have) left us, we really shouldn’t have access
to that information,” said Larry Smith, deputy superintendent at
Sapulpa Public Schools.
The data include student grades, disability status, and free and
reduced-lunch status.
Read
more on Tulsa
World.
It
would be bad enough if the department had just made a configuration
error in its settings and thereby allowed all districts’ personnel
to access all students’ data. But for the state to later claim
that they are “erring on the side of caution” in limiting access
to data that should be limited is concerning, as it
suggests that they really don’t get that such privacy and data
protection isn’t optional.
For
my Computer Security students?
Gadget
knocks drones, Google Glass offline
Bothered
by gadgets like Google Glass that can, theoretically, be used to
snoop on you in public? Then why not get your own gadget that can
knock them all offline?
That's
what the creators of Cyborg Unplug promise. Billed as a "wireless
anti-surveillance system," Unplug is, essentially, a portable
router that can detect drones, surveillance cameras and mobile tech
like Glass trying to access your Wi-Fi signal and boot them off of
it.
…
That's Unplug's stated purpose, anyway. But, as its creators freely
note, it also has an "All Out Mode" that would let you
knock devices off of any wireless network, not just yours.
The
company says it doesn't recommend doing that because ... you know ...
it's probably really, really illegal.
…
To be clear, Cyborg Unplug can't stop anyone from using mobile
devices to record or photograph you. It only keeps that data from
being streamed afterward.
...and
99 cents here in the US too.
Amazon
slashes Fire Phone price to 99 cents ahead of Apple's launch event
Global
e-commerce giant Amazon has cut the price of its flagship Fire Phone
by US $198 to 99 cents just two months after the maiden smartphone's
launch.
…
Similar offers have been made available in the UK and Germany, where
consumers can get the phone for zero pounds and one euro,
respectively under contracts with Amazon's telecom partners.
Is
this just a lawyer thing, or a tool for any busy executive?
New
on LLRX – Will Lawyers Embrace Wearable Tech, And The Future?
by
Sabrina I.
Pacifici on Sep 8, 2014
Via
LLRX.com
- Will
Lawyers Embrace Wearable Tech, And The Future? Nicole
Black predicts that smartwatches
will soon be very popular with lawyers as they offer an easy and
unobtrusive way to filter only the most important information
received on your smartphone. So if you’re expecting a priority
email or phone call, you can program your phone to forward it to your
smartwatch so that you’ll receive a subtle vibration on your wrist.
This will come in handy when you’re in court, for example. So
instead of causing a disruption in the proceedings, you can leave the
room quietly and tend to the matter in the hallway with no one else
the wiser.
Doh!
Behold,
a Database That Tracks More Than 500 Episodes of The Simpsons
…
To celebrate the show's quarter-century of existence, fans are being
treated to projects that capitalize on this documentary breadth.
There's the marathon
of the show that's been airing on the cable network FXX; the
social media conversation that has accompanied the marathon; the new
app, Simpsons
World, that will function like
a DVD box set for the show, with even more extras. But there's
another Simpsons project Fox isn't responsible for: a
searchable database. One that has taken every episode of The
Simpsons and made it, in its way, interactive. As Homer might
put it: "Mmmmmm, searchability."
…
OK, that’s enough: here’s
the link to the Bookworm, and here’s
the source code.
I
have a smart student who wants to add mapping features to her
business website.
How
You Could Make Your Own Google Maps Using A Drone
Imagine
sending a drone to take pictures above your neighborhood, then
compiling those photos into an extremely high-resolution, local map.
A new piece of software, combined with improved drone technology,
means this kind of arrangement is already cheaper than you may think.
Maps
Made Easy recently completed their Kickstarter campaign, meaning
their software for combining a massive number of aerial photos into a
coherent whole will soon be a reality.
…
Maps Made Easy, according to Thomas, is a piece of software that
stitches images together. It’s not concerned with precise GPS
location, making the process relatively simple.
Might
be a fun writing project...
Kindle
Kids’ Book Creator is a free tool for authors and publishers to turn their illustrated
children’s books into great-looking Kindle books. Kindle Kids’
Book Creator makes it easy for authors and publishers to import
artwork, add text to pages, and preview how their book will look on
Kindle devices.
A
simple illustration of why I say, “Free is good!”
Kindle
vs. iBooks: Which Is The Best eReader For Your iPad or iPhone?
Apple’s
iBooks
and Amazon’s Kindle
(both free) are two of the best
apps for reading a book on your iPhone or iPad, and each has its
own strengths and weaknesses – so which is right for your reading
habits?
…
Both Kindle
and iBooks
are free downloads and if you haven’t yet used them, I encourage
you download them both to
see which works best for your reading and studying needs.
Please
don't shoot the messenger.
A
Man’s College Degree Does Have Value: to His Wife
Although
a man’s educational level has no impact on his own happiness, a
woman married to a man with at least a college degree is about 5%
more likely to be very happy with her marriage, according to an
analysis of the General Social Survey, funded by the U.S. National
Science Foundation. “There seems to be an inherent quality of a
man having a college degree that makes a woman happier in marriage,”
write economists Bruce T. Elmslie of the University of New Hampshire
and Edinaldo Tebaldi of Bryant University. Men,
by contrast, seem to have little interest in the educational level of
their wives.
An
infographic for my students who actually use electronic mail.
How
To Write Better Emails
I
could have guessed some of these – a couple I've never heard of.
http://www.theatlantic.com/technology/archive/2014/09/the-100-books-that-facebook-users-love/379797/
The
100 Books Facebook Users Love
…
I’m usually a skeptic of such meme-y Facebook statuses, but people
gathering around books that meant something to them melted even my
cold heart. So I asked the Facebook Data Science team if this status
had gotten “big” enough to attract their attention, and what they
had seen in it.
They
replied with something I wasn’t expecting: a list of the 20 books
most cited by Facebook users who participated in the game.
In
a new blog post, they’ve released that list (it’s also below)
and some of their methodology.
…
Without further ado, here is that list, along with the
percentage of statuses that each title appeared in:
- The Harry Potter series, J.K. Rowling (appeared in 21.08 percent of all statuses)
- To Kill a Mockingbird, Harper Lee (14.48 percent)
- The Lord of the Rings series, J.R.R. Tolkien (13.86 percent)
- The Hobbit, J.R.R. Tolkien (7.48 percent)
- Pride and Prejudice, Jane Austen (7.28 percent)
- The Holy Bible (7.21 percent)
- The Hitchhiker's Guide to the Galaxy, Douglas Adams (5.97 percent)
- The Hunger Games Trilogy, Suzanne Collins (5.82 percent)
- Catcher in the Rye, J.D. Salinger (5.70 percent)
- The Great Gatsby, F. Scott Fitzgerald (5.61 percent)
- 1984, George Orwell (5.37 percent)
- Little Women, Louisa May Alcott (5.26 percent)
- Jane Eyre, Charlotte Bronte (5.23 percent)
- The Stand, Stephen King (5.11 percent)
- Gone with the Wind, Margaret Mitchell (4.95 percent)
- A Wrinkle in Time, Madeleine L'Engle (4.38 percent)
- The Handmaid’s Tale, Margaret Atwood (4.27 percent)
- The Lion, the Witch, and the Wardrobe, C.S. Lewis (4.05 percent)
- The Alchemist, Paulo Coelho (4.01 percent)
- Anne of Green Gables, L.M. Montgomery (3.95 percent)