Wednesday, October 08, 2014
The Adobe eBook reader. This will likely go well beyond kerfuffle. Fortunately, I use DE2 – downloaded from my local library.
Nate Hoffelder reports:
Adobe has just given us a graphic demonstration of how not to handle security and privacy issues.
A hacker acquaintance of mine has tipped me to a huge security and privacy violation on the part of Adobe. That anonymous acquaintance was examining Adobe’s DRM for educational purposes when they noticed that Digital Editions 4, the newest version of Adobe’s Epub app, seemed to be sending an awful lot of data to Adobe’s servers.
My source told me, and I can confirm, that Adobe is tracking users in the app and uploading the data to their servers. (Adobe was contacted in advance of publication, but declined to respond.)
Read more on The Digital Reader.
Update: The Register now reports that they have also confirmed the allegations, and that Adobe is “looking into the matter.” Because such slurping seems to violate Adobe’s representations to customers, I hope the FTC is “looking into the matter” too.
From the article:
But wait, there’s more.
Adobe isn’t just tracking what users are doing in DE4; this app was also scanning my computer, gathering the metadata from all of the ebooks sitting on my hard disk, and uploading that data to Adobe’s servers.
In. Plain. Text.
And just to be clear, this includes not just ebooks I opened in DE4, but also ebooks I store in Calibre and every Epub ebook I happen to have sitting on my hard disk.
As April showers bring May flowers... Hacks that grab customer information invite spear phishing. (Perhaps this will be Russia's way of giving their hackers a “Bonus.”)
JPMorgan Bracing For 'Spear Phishing' Campaign: Sources
JPMorgan Chase (NYSE: JPM) officials are bracing for a massive spear phishing campaign launched by cyber thieves who broke into the bank’s servers in the biggest cyber-attack on a U.S. bank to date. Cyber criminals thought to be emanating from Russia or former Soviet satellite states hacked into numerous JPMorgan computer servers and accessed contact information like names and email addresses for 76 million customers and seven million small businesses.
For my Ethical Hackers. I see a business opportunity here.
Your USB Devices Aren’t Safe Anymore, Thanks To BadUSB
… The earth-shattering revelation that USB isn’t as secure as first thought was first disclosed by security researchers Karsten Nohl and Jakob Lell in July, 2014. The malware they created – dubbed BadUSB – exploits a critical vulnerability in the design of USB devices which allowed them to hijack a user’s Internet traffic, install additional malware and even surreptitiously gain control of a user’s keyboard and mouse.
The BadUSB malware isn’t stored on the user-accessible storage partition, but rather on the firmware of a USB device – including keyboards, phones and flash drives. This means that it’s virtually undetectable to conventional anti-virus packages, and can survive the drive being formatted.
Fortunately, would-be attackers have been unable to take advantage of BadUSB, due to Nohl and Lell not publishing the code in order to give the industry an opportunity to ready a fix. Until recently, that is.
In a talk given at DerbyCon – a computer security conference held in Louisville, Kentucky – Adam Caudill and Brandon Wilson demonstrated their successful reverse-engineering of BadUSB, and published their exploit code on code-sharing platform GitHub.
There is always more to learn.
Working Paper: Data Breaches in Europe: Reported Breaches of Compromised Personal Records in Europe, 2005‐2014
Philip N. Howard
… You can download the full report here (pdf)
Pledges don't protect anything. Will their actions match their words?
Microsoft pledges to keep students’ data private
Microsoft announced today that it is one of the first companies to sign a new pledge designed to protect students’ privacy at a time when more technology is flooding into the classroom.
The “K-12 School Service Provider Pledge to Safeguard Student Privacy,” which was organized by the Future of Privacy Forum and the Software & Information Industry Association, is designed to identify companies that will keep data from students safe.
… Today’s announcement comes a week after California Governor Jerry Brown signed a law that restricts what companies can do with student data.
For my Data Mining students.
WSJ: Microsoft has signed letter of intent to acquire Israeli text analysis firm Equivio
According to a Wall Street Journal (WSJ) report, US software giant Microsoft has signed a letter of intent to purchase Israeli text analysis firm Equivio.
… The company's clients include the US Department of Justice, the Federal Trade Commission, KPMG and Deloitte.
The text analysis software developed by Equivio can, with the help of machine learning algorithms, group together relevant texts from massive amounts of documents, including emails as well as other organizational social and collaboration networks.
The list of the users of Equivio's text analysis software clearly indicates that the company's technology is currently being used by organizations that provide litigation support services to law firms and corporate legal departments trying to dig out relevant data - like legal contracts - from large amounts of documents.
“I keep finding all these new continents that people are adding to the world.” C. Columbus
The Quiet Rise of the Satellite Spy Agency
As far as intelligence agencies go, the National Geospatial-Intelligence Agency has remained relatively low profile—attracting neither the intrigue of, say, the CIA nor the umbrage directed toward the National Security Agency.
For my students.
GitHub Gives Away Free Developer Tools
GitHub has launched the GitHub Student Developer Pack, a set of developer tools aimed exclusively at students. The GitHub Student Developer Pack, released as part of GitHub Education, includes hackable text editor Atom, cloud applications manager Bitnami, crowdsourcing enrichment platform Crowdflower, and database portfolio Orchestrate, as well as a host of other tools.
To be eligible for the GitHub Student Developer Pack, you need to be “a student aged 13+ and enrolled in degree or diploma granting course of study,” and provide a “school-issued email address, valid student identification card, or other official proof of enrollment.” Which seems fairly generous to us.
Interested parties should be aware that while some of the tools are being given away for free, others are being offered by platform credits which may quickly run out. But even with that caveat, it’s still a great initiative.