Saturday, August 09, 2014

For my Computer Security students in the Network Security Club.
Network Visibility Can Help Avoid the IT Blame Game
The proliferation of data on enterprise networks continues to increase with the rising demand for such technologies as virtualization, software-defined networking, and high-performance computing, as well as a growing dependency on mobility across the workforce. Couple this with a sophisticated cyber attack landscape, and it’s all IT can do to keep up with network activity.
… Click through for results from a survey on network visibility and monitoring tools in IT operations, conducted by Emulex.


A common problem. Do they somehow get paid based on the number of participants?
Stephanie M. Lee reports that the recent announcement by rival insurers Blue Shield of California and Anthem Blue Cross that they would team up to create a health information sharing network with their combined 9 million patients is raising privacy concerns. All members will be participants by default in Cal Index unless they opt out.
Lee Tien of EFF gets to the crux of the matter:
As Tien put it, “The industry has never liked opt-in. Privacy advocates believe in opt-in.”
By default, the 9 million patients in Blue Shield and Anthem Blue Cross will become part of the network. Before the system goes live, members will be told of a website where they can choose to not have their information shared, said Dr. Ken Park, vice president of payer and provider solutions at Anthem Blue Cross. Those patients will still receive coverage and treatment.
Cal Index chose this approach to try to balance privacy protection and participation rates, given that rates can sometimes be lower when people are asked to opt in, Park said.
Read more on SFGate.


Perhaps they are learning.
FCC to wireless providers: When do you slow download speeds?
… Verizon, the biggest U.S. carrier, said last month that the top 5 percent of high-speed data users on its older unlimited data plans might experience slower speeds starting in October.
In a letter to Verizon, Federal Communications Commission Chairman Tom Wheeler said he was "deeply troubled" by the plan and expressed concern the decision to slow data was based on consumers' plans instead of network needs.

(Related)
US States with Fastest Internet Speed; And the Winner is…


There's an App for that too. Unfortunately.
App alerts people to avoid unsafe areas
A new app is here that alerts users to avoid "sketchy" areas and provides safe walking directions in the neighbourhood.
The app has also invited some sharp reactions from people who think it will fuel racism.
Launching it on the iTunes app store for New York City users, the app will provide walking directions on a map based on user feedback and allow people to "share pro tips about what routes you take and why".
SketchFactor is a tool for anyone, anywhere, at any time.
… According to McGuire, she was inspired to create the app after living in Washington, DC, as a young non-profit worker.


Perhaps my student vets would find this amusing. (The Marines read “Ender's Game” – interesting.)
The 13 Best Books The Army Wants Its Leaders To Read
Unlike the Marine Corps' reading list which is broken down by rank or topic, the Army's reading list is broken down into three categories: "Armies at War: Battles and Campaigns," "The Army Profession," and "Strategy and the Strategic Environment." The Army explains that the sublists are appropriate for any rank and that they allow the reader to choose the topics that best suit their interests.
The list is published annually, and the current list can be seen in full here. We've picked thirteen of our favorites and offer a brief glimpse into each.


For my students.
Apps on Sale
… This week’s sales are all about productivity, with some of the App Store’s best email applications, calendars, scanners and sketching environments slashed in price. There’s also the usual smattering of games, like Deus Ex: The Fall for the bargain price of a dollar.


For my geeky students.
littleBits – is the easiest, most extensive way to learn and prototype with electronics. They are born out of the Maker Movement and have been helping lead the Open Hardware Movement. That’s why littleBits is open source and building a community of contributors who experiment, share online, and learn from each other’s creativity. Designs are publicly available to anyone.


Laugh it up!
… Catherine Sugrue, who’s twice failed the Chicago Public Schools’ selection test for principals, will become the principal at Gray Elementary. Sugrue is the sister of Chicago Alderman Patrick O’Connor. Ah, Chicago politics.
… A two part guide (1, 2) from the EFF on using Tor – a “network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet” – on college campuses.
“Millennial” parents (those under age 34) are less satisfied with the availability and use of technology in schools than older parents, according to a survey conducted by the University of Southern California’s Annenberg School for Communication and Journalism.

Friday, August 08, 2014

Quis custodiet ipsos custodes? “Security Theater”
Airport security devices can be hacked, says researcher
… On his own time, Billy Rios of Qualys Security said he purchased some of the hardware and software used by the Transportation Security Administration.
At a talk at this year’s Black Hat conference in Las Vegas, he revealed details about several vulnerabilities he was able to find, most notably in the device entrusted to detect trace levels of drugs and explosives.
The machine, the Morpho Itemiser, is set up so that the technician level password is hardcoded in.
It’s a common practice for a range of devices, one aimed at making it easier for technicians to get in and do maintenance, but it’s become taboo among security advocates because it also makes it easier for machines to be hacked.
… His findings, he said, show TSA is not properly vetting the products it uses for security.
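Hardcoded maintenance credentials are easy to spot in code and easy to test for on a device: if two units accept the same technician password, a password pulled out of one firmware image (or one leaked manual) opens every unit in the fleet. The Python below is an added illustration, not code from the Itemiser, from Morpho or from Rios's talk; the device IDs, passwords and hashing scheme are made up. It puts the vulnerable pattern next to a per-device, salted-and-hashed alternative and shows the difference in blast radius when the single string leaks.

```python
"""Hardcoded technician password vs. per-device credential.

Added example for illustration only. Device IDs, passwords and the
provisioning scheme are invented; nothing here is vendor code.
"""
import hashlib
import hmac
import os

# --- Vulnerable pattern: one technician password baked into every unit. ---
TECH_PASSWORD = "service123"  # assumption: placeholder, not any real default


def vulnerable_tech_login(device_id: str, password: str) -> bool:
    """Every unit accepts the same string; the device_id plays no role."""
    return password == TECH_PASSWORD


# --- Hardened pattern: per-device salted hash, constant-time comparison. ---
def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps an extracted record from being trivially reversed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def provision_device(device_id: str, password: str) -> dict:
    """Run once per unit at installation; returns the record stored on that unit."""
    salt = os.urandom(16)
    return {"device_id": device_id, "salt": salt, "hash": _hash(password, salt)}


def hardened_tech_login(record: dict, device_id: str, password: str) -> bool:
    """Accept only the password provisioned for this specific unit."""
    if record["device_id"] != device_id:
        return False
    return hmac.compare_digest(_hash(password, record["salt"]), record["hash"])


def fleet_demo() -> dict:
    """Constructed two-unit fleet showing what one leaked string buys an attacker."""
    units = {
        "ITM-0001": provision_device("ITM-0001", "k3!xQ9-alpha"),
        "ITM-0002": provision_device("ITM-0002", "Vr7#pl-bravo"),
    }
    leaked = "service123"  # the one string a leaked firmware image would reveal
    return {
        # vulnerable design: the leaked string unlocks the whole fleet
        "vulnerable_unlocks_all": all(vulnerable_tech_login(d, leaked) for d in units),
        # hardened design: unit 1's password is useless on unit 2
        "hardened_cross_device": hardened_tech_login(units["ITM-0002"], "ITM-0002", "k3!xQ9-alpha"),
        # and the right password on the right unit still works
        "hardened_correct": hardened_tech_login(units["ITM-0001"], "ITM-0001", "k3!xQ9-alpha"),
    }


if __name__ == "__main__":
    print(fleet_demo())
```

The practical check for a procurement team is the first line of `fleet_demo`: take two units and try one unit's service credential on the other. If it works, the credential is not per-device, and the vendor's "it's only for technicians" argument does not survive a leaked manual.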


What does this have to do with academics? Will they monitor what the kids had for breakfast? Have they had their shots or been treated for cuts and bruises that indicate abuse? How long was the TV on last night? Where does it stop? Can parents make it stop?
Diane Cho reports:
Washington County public school officials announced that, with the start of the new school year in just two weeks, they will be using new software to monitor students’ social media posts.
The county will be one of only four school districts in the nation to enlist a new software program called Social Sentinel that tracks social media accounts for certain keywords.
To those that question the legality of such monitoring in the face of privacy rights, school officials said the software uses “geofencing” protocol to only track posts that are made while the student is on school property.
Read more on WJLA.
[From the article:
School officials said the goal is to protect student safety. Examples of such posts that will be tracked include those that feature keywords like "kill," "bomb" and others.
School officials said they will also be consulting with parents and members of student government for feedback on what additional keywords should be added to the watch-list.
Threats will be flushed out, officials added - if a keyword is caught, the post will be read to check for threats of violence, bullying or harassment, reference to using drugs or alcohol, references to weapons, and the like.
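What a geofenced keyword filter like the one described actually does, and where it misses, is clearer in code. Here is an added Python example, not Social Sentinel's code; the campus coordinates, radius, post records and post text are all constructed. Posts are kept only if their geotag falls within a radius of the campus centre, and only then are they matched against the watch-list on whole-word boundaries. Two gaps a parent or student would ask about show up immediately: a post with no geotag is never examined at all, and an innocent "this test is going to kill me" is flagged just like a threat, which is why the district says a person reads each hit.

```python
"""Geofenced keyword monitor: constructed example, not Social Sentinel's code."""
import math
import re

# Assumed campus centre (made-up coordinates) and fence radius in metres.
CAMPUS_CENTRE = (39.6418, -77.7200)
CAMPUS_RADIUS_M = 400

# The two terms the article names; the district would add more.
WATCH_WORDS = ("kill", "bomb")
WORD_RE = re.compile(r"\b(" + "|".join(map(re.escape, WATCH_WORDS)) + r")\b", re.IGNORECASE)


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two lat/lon points."""
    r = 6_371_000
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def inside_fence(post: dict) -> bool:
    """A post with no geotag cannot be placed, so it is never 'on school property'."""
    geo = post.get("geo")
    if geo is None:
        return False
    return haversine_m(geo[0], geo[1], *CAMPUS_CENTRE) <= CAMPUS_RADIUS_M


def flag_posts(posts: list) -> list:
    """Return (post id, matched word) for geofenced posts that hit the watch-list."""
    flagged = []
    for post in posts:
        if not inside_fence(post):
            continue
        m = WORD_RE.search(post["text"])
        if m:
            flagged.append((post["id"], m.group(1).lower()))
    return flagged


# Constructed sample posts (ids, coordinates and text are all invented).
SAMPLE_POSTS = [
    {"id": 1, "geo": (39.6420, -77.7195), "text": "this chem test is going to kill me"},  # on campus, false positive
    {"id": 2, "geo": (39.6420, -77.7195), "text": "lunch was fine"},                      # on campus, clean
    {"id": 3, "geo": (39.7000, -77.7200), "text": "the bomb squad movie was great"},      # ~6.5 km away, never read
    {"id": 4, "geo": None, "text": "gonna bomb this exam"},                               # no geotag, never read
    {"id": 5, "geo": (39.6415, -77.7205), "text": "skill issue"},                         # on campus, 'kill' inside a word
]

if __name__ == "__main__":
    print(flag_posts(SAMPLE_POSTS))  # only post 1 is surfaced
```

Post 4 is the case worth noticing: turning off location on the phone removes a student from the "on school property" set entirely, so the geofence both limits the district's reach and makes the filter trivial to step around.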


“Take my picture, feel my wrath!” It's merely paranoia, but in this case the paranoids have guns.
Tim Cushing writes:
Here’s what exercising your First Amendment rights gets you in certain parts of the US. Photographer Jeff Gray has been filming cops and photographing public structures, as well as documenting the reactions of law enforcement to his activities.
The Department of Homeland Security apparently felt Gray was enough of a “threat” that it opened an investigation on him. After scrutinizing publicly-available information (like Gray’s own YouTube account), it came to the conclusion that his activities were completely protected… it just didn’t like the way he acted.
[...]
Read more on TechDirt.


I have driven through Massachusetts – they do drive like terrorists. (Colorado shares this information too according to the “document.”)
sosadmin writes:
The state of Massachusetts is one of fifteen states sharing drivers’ license images and data with federal agencies including the CIA and Department of Defense, a newly disclosed federal government document shows.
The document, which boasts about “strategic accomplishments” of the National Counterterrorism Center’s Directorate of Terrorist Identities, is published to support a new story on The Intercept about the government’s bloated watch-listing and terror database systems.
Read more on PrivacySOS.


This sounds worse than our sanctions.
Moscow bans Western food imports; Russian quits as Ukraine rebel chief
… Moscow imposed a one year ban on all meat, fish, dairy, fruit and vegetables from the United States, the 28 European Union countries, Canada, Australia and non-EU member Norway.
Russia has become by far the biggest consumer of EU fruit and vegetables, the second biggest buyer of U.S. poultry and a major global consumer of fish, meat and dairy products.


Does this really surprise anyone?
$619 billion missed from federal transparency site
A government website intended to make federal spending more transparent was missing at least $619 billion from 302 federal programs, a government audit has found.
And the data that does exist is wildly inaccurate, according to the Government Accountability Office, which looked at 2012 spending data. Only 2% to 7% of spending data on USASpending.gov is "fully consistent with agencies' records," according to the report.
… The Department of the Interior did not report spending for 163 of its 265 assistance programs because, the department said, its accounting systems were not compatible with the data formats required by USASpending.gov.
The White House itself failed to report any of the programs it's directly responsible for. At the Office of National Drug Control Policy, which is part of the White House, officials said they thought HHS was responsible for reporting their spending.
For more than 22% of federal awards, the spending website literally doesn't know where the money went. The "place of performance" of federal contracts was most likely to be wrong.


For my geeky students. Please do not drool on the keyboards.
IBM Unveils a ‘Brain-Like’ Chip With 4,000 Processor Cores
… Most efforts to mimic the brain have focused on software, but in recent years, some researchers have ramped up efforts to create neuro-inspired computer chips that process information in fundamentally different ways from traditional hardware. This includes an ambitious project inside tech giant IBM, and today, Big Blue released a research paper describing the latest fruits of these labors. With this paper, published in the academic journal Science, the company unveils what it calls TrueNorth, a custom-made “brain-like” chip that builds on a simpler experimental system the company released in 2011.
TrueNorth comes packed with 4,096 processor cores, and it mimics one million human neurons and 256 million synapses, two of the fundamental biological building blocks that make up the human brain.

Thursday, August 07, 2014

DHS has lost similar data before. If I wanted to slip an agent into the DHS (can't imagine why I would) this is the information I would want to analyze to create the perfect background profile.
Ellen Nakashima reports:
A major U.S. contractor that conducts background checks for the Department of Homeland Security has suffered a computer breach that likely resulted in the theft of employees’ personal information, officials said Wednesday.
The company, USIS, said in a statement that the intrusion “has all the markings of a state-sponsored attack.”
The breach, discovered recently, prompted DHS to suspend all work with USIS as the FBI launches an investigation. It’s unclear how many employees were affected, but officials said they believe the breach did not affect employees outside DHS. [So was DHS specifically targeted or is DHS their only client? Bob] Still, the Office of Personnel Management has also suspended work with the company “out of an abundance of caution,” a senior administration official said.
Read more on Washington Post, keeping in mind as you read the rest of her report that Anonymous claims that not only did China hack OPM in March, but it had hacked OPM, too. OPM has neither confirmed nor denied that claim.


Gosh Mr Science, could this happen in the US too?
Kate Fulton reports:
The UK’s privacy watchdog has fired a warning to barristers and solicitors following a spate of data protection breaches by legal professionals.
In a blog post, the ICO wrote that 15 incidents involving legal professionals breaching the Data Protection Act (DPA) have been reported in the last three months.
Read more on TechRadar.
[From the article:
"We have published some top tips to help barristers and solicitors look after the personal information they handle. These measures will set them on the road to compliance and help them get the basics right."


Tools & Techniques for my Computer Security students.
LogRhythm Launches Honeypot Security Analytics Suite
Just weeks after announcing that it had raised $40 million in a new round of equity financing, SIEM and security intelligence vendor LogRhythm has released a new analytics suite that monitors honeypots in order to detect and track would-be attackers.
According to the Boulder, Colorado-based company, the suite enables customers to analyze nefarious tactics and generate targeted threat intelligence.
Designed to look like production servers but left vulnerable on purpose, honeypots are isolated decoy systems and services used to deceive and detect attackers.
The new Honeypot Security Analytics Suite helps LogRhythm customers deploy honeypots to attract opportunistic hackers and then capture network and log activity stemming from the honeypots. By deploying honeypots, organizations can detect various evolving attacks – including advanced zero-day malware, brute force attacks and emerging nefarious payloads, the company said.
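The detection logic behind a honeypot feed is simpler than the product copy suggests, because no legitimate user should ever touch the decoy: any interaction is suspicious, and a burst of failed logins from one source is a brute-force attempt by definition. Here is an added Python example, not LogRhythm's suite or its log format. The log lines are constructed in a made-up honeypot format; the rule flags a source that fails login five times inside sixty seconds and any successful login to the decoy, and it counts lines it cannot parse rather than dropping them silently.

```python
"""Brute-force and decoy-login detection over honeypot logs.

Added example. The log format, sensor name and addresses are invented;
this is not LogRhythm's collector or its rule syntax.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) honeypot\[(?P<sensor>[^\]]+)\] "
    r"(?P<event>login_failed|login_ok|connect) "
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+)(?: user=(?P<user>\S+))?$"
)


def parse(lines):
    """Yield one dict per log line, or None for a line that does not parse."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            yield None
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def detect(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Return (alerts, unparsed_count).

    brute_force: `threshold` failed logins from one source inside `window`
                 (raised once per source, not once per extra failure).
    decoy_login_success: the decoy's planted credentials were guessed; that
                 source is now worth following through the rest of the network.
    """
    alerts, unparsed = [], 0
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    already_alerted = set()
    for ev in parse(lines):
        if ev is None:
            unparsed += 1
            continue
        src = ev["src"]
        if ev["event"] == "login_failed":
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # slide the window
                q.popleft()
            if len(q) >= threshold and src not in already_alerted:
                already_alerted.add(src)
                alerts.append(("brute_force", src, ev["sensor"]))
        elif ev["event"] == "login_ok":
            alerts.append(("decoy_login_success", src, ev["sensor"]))
    return alerts, unparsed


# Constructed sample log (RFC 5737 test addresses; nothing real).
SAMPLE_LOG = """\
2014-08-07T02:14:01Z honeypot[hp-dmz-1] connect src=203.0.113.9
2014-08-07T02:14:02Z honeypot[hp-dmz-1] login_failed src=203.0.113.9 user=root
2014-08-07T02:14:03Z honeypot[hp-dmz-1] login_failed src=203.0.113.9 user=root
2014-08-07T02:14:04Z honeypot[hp-dmz-1] login_failed src=203.0.113.9 user=admin
2014-08-07T02:14:05Z honeypot[hp-dmz-1] login_failed src=198.51.100.7 user=root
2014-08-07T02:14:06Z honeypot[hp-dmz-1] login_failed src=203.0.113.9 user=admin
2014-08-07T02:14:07Z honeypot[hp-dmz-1] login_failed src=203.0.113.9 user=oracle
this line is corrupt and must be counted, not ignored
2014-08-07T02:14:08Z honeypot[hp-dmz-1] login_failed src=203.0.113.9 user=test
2014-08-07T02:15:30Z honeypot[hp-dmz-1] login_ok src=203.0.113.9 user=admin
"""


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    print(run_sample())
```

The single-alert-per-source rule matters in practice: a scanner that tries ten thousand passwords should produce one ticket, not ten thousand, and the `unparsed` count is the health check that tells you when the honeypot's log format changed under you.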


It's what you don't know that hurts you. My wife buys vitamins and other supplements for her horse and our dogs. What group does that put us in?
Too much soft cheese may directly impact your health insurance premiums
… You shop at the supermarket and you give them your loyalty card because you’re constantly told that this practice will give you some amount of monetary return. It also gives the supermarket the ability to monitor your purchasing habits. Now keep in mind that you are a known quantity; your name, your contact details and various other personally identifiable data points about you as an individual.
Now you go and apply for insurance with an organisation that has access to this data, whether that be because both companies are under the same umbrella or that the fine print none of us ever read when you signed up for the loyalty card said it could be shared with partners. You buy too much crap – soft drinks, chips, high-fat foods – and you’re also buying vitamins to treat high blood pressure and elevated cholesterol. Then you apply for life insurance.
Or perhaps your shopping habits put you squarely into a particular ethnic bracket; the foods you eat, the magazines you buy, the medicines you choose and so on and so forth. Studies show this ethnic group also has a higher propensity of at-fault claims on their motor vehicle insurance. Now you want to insure your new wheels.


I offer you a new term, “Creep-nology” Really creepy technology.
Douglas Macmillan reports:
Hiding in Foursquare’s revamped mobile app is a feature some users might find creepy: It tracks your every movement, even when the app is closed.
Starting today, users who download or update the Foursquare app will automatically let the company track their GPS coordinates any time their phone is powered on. Foursquare previously required users to give the app permission to turn on location-tracking. Now users must change a setting within the app to opt out.
Read more on WSJ.


A TED video.
The dark secrets of a surveillance state
Tour the deep dark world of the East German state security agency known as Stasi. Uniquely powerful at spying on its citizens, until the fall of the Berlin Wall in 1989 the Stasi masterminded a system of surveillance and psychological pressure that kept the country under control for decades. Hubertus Knabe studies the Stasi — and was spied on by them. He shares stunning details from the fall of a surveillance state, and shows how easy it was for neighbor to turn on neighbor.


Et tu, Bill?
Microsoft Is Scanning Your Online Images
You’ll be pleased to discover it isn’t just Google scanning your emails for evidence of illegal activity; Microsoft is doing exactly the same thing. In the same way Google tipped off the authorities about child pornography allegedly being shared via Gmail, Microsoft did the same when it discovered abuse images allegedly being stored on OneDrive.
Microsoft’s Terms of Service explicitly state that the company will use “automated technologies to detect child pornography or abusive behaviour that might harm the system, our customers, or others.” However, regardless of the vile nature of the images being shared, this still raises questions over the right to privacy when using cloud services.


For my Computer Security students. Would you like the poster or the T-shirt?
Passwords Are Like Underwear—They Aren’t Meant to Be Shared
… Software vendor IS Decisions has recently published a report entitled “From Brutus To Snowden: A Study Of Insider Threat Personas” in which the company looks at workers’ habits, behavior and attitudes around topics including password sharing and network access. The company surveyed 1,000 people in the U.S. and another 1,000 in the U.K. to compile the report’s data.
IS Decisions found that while information security teams spend the majority of their time defending against attacks from outside the organization, the threat from within the organization is not considered seriously enough. The report looks at hypothetical “personas” based on worker demographics to help companies understand who is most likely to share a password with someone or exhibit other behavior that can put a network at risk.
… I’ll leave it to you to read the report and draw your own lessons from it, but I will close with this interesting bit of advice from an infographic in the report:
Passwords are like underwear.
  • Change yours often.
  • Don’t share them with friends.
  • The longer, the better.
  • Be mysterious.
  • Don’t leave yours lying around.


To delink or not to delink. The data itself is fine, but no one can point users to it?
Wikimedia Blasts Europe's 'Right to Be Forgotten'
The Wikimedia Foundation on Wednesday released its first-ever transparency report -- and along with it a protest against Europe's "right to be forgotten" law. Wikimedia is the nonprofit owner of Wikipedia and other sites.
"Last week, the Wikimedia Foundation began receiving notices that certain links to Wikipedia content would no longer appear in search results served to people in Europe," wrote Wikimedia General Counsel Geoff Brigham and Legal Counsel Michelle Paulson.
"Denying people access to relevant and neutral information runs counter to the ethos and values of the Wikimedia movement," they added. "The Wikimedia Foundation has made a statement opposing the scope of the judgment and its implications for free knowledge."
… "I think they're overstating the case," John Simpson, director of Consumer Watchdog's Privacy Project, told TechNewsWorld. "I don't think they understand the privacy issues involved."


Meanwhile, the professionals (e.g. http://www.law.du.edu/index.php/privacy-foundation ) are slowly running out of funding.
Consumer Privacy Organizations Oppose Farcical Class Action Settlement
by Sabrina I. Pacifici on Aug 6, 2014
“EPIC, along with a group of consumer privacy organizations, has asked the Federal Trade Commission to object to an unfair class action settlement in California federal court. In 2010, Google was sued for sharing user web browsing information with advertisers. Under the proposed settlement agreement, Google will distribute several million dollars to a handful of organizations, many of which already have ties to the company. EPIC and other privacy organizations have argued that the proposed agreement “confers no monetary relief to class members, compels no change in Google’s behavior, and misallocates the cy pres distribution” to organizations that are “not aligned with the interests of class members and do not further the purpose of the litigation.” The consumer groups, who have already written to the court opposing the settlement, urged the Federal Trade Commission to object as well. The agency filed a similar objection in Fraley v. Facebook, an unfair class action settlement in the Ninth Circuit. For more information, see EPIC: FTC and EPIC: Search Engine Privacy.”


Why has PETA refused to become involved?
Photographer 'lost £10,000' in Wikipedia monkey 'selfie' row
A photographer involved in a copyright row with Wikipedia over a monkey "selfie" says he has lost £10,000 in income over two years because of it.
David Slater, from Coleford in the Forest of Dean, said the web-based encyclopaedia had repeatedly refused to remove the image from its site.
He said there had been no interest from anyone in buying the image since it was declared to be in the "public domain".
The site said Mr Slater did not own the copyright as he did not take the photo.
… The debate about the picture resurfaced on Wednesday as the Wikipedia Foundation published its first transparency report - following a similar practice by Google, Twitter and others.


Perhaps we could recreate the full survey here. I'd bet our students would outscore those kids. (I did)
Technology knowledge -- it's all downhill after you're 14
A new study by the UK's communications regulator Ofcom finds that the "millennium generation" of 14-15 year olds are the most technology aware group but as we get older digital knowledge begins to decline.
The study of 2,000 adults and 800 children measured confidence and knowledge of communications technology to calculate a Digital Quotient (DQ) with the average UK adult scoring 100.
Today's 14 year olds have a DQ of 113 and are the first generation to have grown up with the benefits of broadband, probably never knowing the pleasures of dial-up internet. People in their 40s have a DQ in the high 90s, around the same as a modern six-year-old. Over 70s score a DQ in the 80s. You can try this out for yourself and see how you compare with a quick three minute taster test.
… You can find out more about the results of the survey on the Ofcom website.


Apparently we're not teaching everything future tech workers will need.
AI, Robotics, and the Future of Jobs
by Sabrina I. Pacifici on Aug 6, 2014
Pew Report – “The vast majority of respondents to the 2014 Future of the Internet canvassing anticipate that robotics and artificial intelligence will permeate wide segments of daily life by 2025, with huge implications for a range of industries such as health care, transport and logistics, customer service, and home maintenance. But even as they are largely consistent in their predictions for the evolution of technology itself, they are deeply divided on how advances in AI and robotics will impact the economic and employment picture over the next decade. We call this a canvassing because it is not a representative, randomized survey. Its findings emerge from an “opt in” invitation to experts who have been identified by researching those who are widely quoted as technology builders and analysts and those who have made insightful predictions to our previous queries about the future of the Internet. (For more details, please see the section “About this Report and Survey.”)”


We still have a few design students finishing their program. I can't do what they do, so I find tools like this to trade for future design favors.
YouiDraw – Create vector graphic design with YouiDraw online. It’s like Adobe Illustrator or CorelDraw but it works with HTML5 and Google Drive. So there’s no software to download and you can access your work anytime, anywhere. An Online Logo Maker is available for creating high quality vector graphics, headings, HTML5 logos, icons, web site elements and buttons by hundreds of templates and styles.

(Related) Oh look, another one!
Raumrot – if you are into blogging or publishing in any way, then you will need a constant supply of royalty-free photos. One such source for this is Raumrot which is a site of free high-resolution photos you can download for any personal or commercial project. Each photo is categorized and links to the larger version on Flickr.com.


Another tool for my Math students.
Find More Than 4,000 Math Lessons on Open Curriculum
Open Curriculum is a new entry into the lesson depot market. Like similar sites, Open Curriculum offers a collection of thousands of resources for teaching mathematics. You browse the Open Curriculum resource lists according to grade level and topic.
Open Curriculum provides more than just a collection of mathematics lesson materials. In your Open Curriculum account you can create and share your own lessons and units of study. You can also upload existing materials to incorporate into the lessons and units that you create in Open Curriculum.
… The sharing aspect of Open Curriculum could be useful for large departments that are looking for a place to share materials that they like and create with each other.


For my students. Could be more fun than a formal presentation. (Perfect for math problems?)
Google Acquires Directr, An App For Shooting Short Films On Your Phone
Directr, an app that we’ve covered a few times since its launch back in 2012, has just been snatched up by Google.
In an age of ultra-brief videos, Directr existed to help users and businesses shoot videos that were a bit longer than your average Vine — think ads, or promo clips, or family holiday videos.


Perhaps my idea to have my students write their own textbook isn't so great after all.

Wednesday, August 06, 2014

For my Ethical Hackers: Now that they have them, what will they do with them?
Russian hackers amass biggest ever password haul
A Russian criminal gang is believed to have stolen more than a billion internet usernames and passwords – the largest stockpile of web credentials yet amassed by cybercriminals.
The gang is thought to be made up of a dozen individuals, based in south-central Russia.
The extent of its cache of stolen passwords was revealed by Hold Security, an American company, which says that the data was stolen from around 420,000 websites.
The affected sites are not being named because many are thought to still be vulnerable to the techniques that allowed the Russian gang to strip them of data.

(Related) Maybe my Ethical Hackers could do it for $19.95!


Can't hurt.
Eight tips to improve your internet security
If ‘password’, ‘123456’, 'admin', or ‘letmein’ is your password of choice, you could do with a few lessons in internet security.
A Russian crime gang has managed to amass 1.2 billion stolen internet credentials of unsuspecting individuals and businesses, collected from a number of high-profile hacks including the Adobe breach last year, according to The New York Times.
The incident has prompted experts to call on Australians to change their passwords and update their internet security measures, and fortunately there are some simple ways to sharpen your defences against hackers.
1. Keep software up-to-date
2. Regularly change your password
3. Use password management apps
4. Be wary of untrusted networks
5. Secure your email account
6. Know the latest scams
Scammers are constantly changing their tactics, so staying up to date can be difficult, but websites such as SCAMwatch and Stay Smart Online provide the latest information on known scams.
7. Use secure websites
8. Use fake details
McKinnon said when possible, people should use fake birth dates and details on websites so if hackers do steal them, they'll have a harder time using, or selling, your true credentials.
“This is a contentious point, but if it’s not a legal site or something you’re bound to, and the website doesn’t have a clear reason for asking you certain pieces of private information, don’t feel obligated to provide it,” he said.


About time!
Mark Ward reports:
All 500,000 victims of Cryptolocker can now recover files encrypted by the malware without paying a ransom.
The malicious program encrypted files on Windows computers and demanded a substantial fee before handing over the key to the scrambled files.
Thanks to security experts, an online portal has been created where victims can get the key for free.
Read more on BBC.


Interesting speculation?
Latest US Media Intel Scoop Suggests New Leaker
The latest media scoop about the internal workings of the US intelligence community has convinced officials they have a new leaker feeding information to journalists, reports said Tuesday.
The concerns came after The Intercept, a news site that has access to documents from known leaker Edward Snowden, published new revelations about the scope of the US terrorism watchlist.
The Intercept report was "obtained from a source in the intelligence community." Previously, it has not hidden when Snowden was its source, suggesting the latest scoop came from someone else.


I think this goes back much farther than two years.
Kevin Poulsen reports:
Security experts call it a “drive-by download”: a hacker infiltrates a high-traffic website and then subverts it to deliver malware to every single visitor. It’s one of the most powerful tools in the black hat arsenal, capable of delivering thousands of fresh victims into a hackers’ clutches within minutes.
Now the technique is being adopted by a different kind of a hacker—the kind with a badge. For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement’s knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system.
Read more on Wired.


An interesting article. Something to consider at least.
Teens Are Waging a Privacy War on the Internet — Why Marketers Should Listen
Back in the early days of social media, Danah Boyd was asked to participate on a panel alongside some representatives from various consumer brands. A fellow panelist who worked at Coca-Cola commented with satisfaction that his company was the most popular brand on MySpace. Without meaning to, Boyd (who writes her name in all lowercase letters) laughed audibly. At the moderator’s prompting, she explained that she, too, had noticed how popular Coke was on the site, and investigated. The most popular “brand” turned out to be not the soft drink, but cocaine.
Web-savvy brand managers, marketers, programmers and data analysts would never make that kind of mistake today — or would they? Boyd, an internationally recognized authority on social media — the Financial Times has dubbed her the “high priestess” of social networks — told the audience at the recent Wharton Web Conference that it is becoming more and more difficult even for web professionals to crack the ever-shifting code of people’s online interactions.


Worth looking at...
– makes it easy for you to adjust, check, test, and maintain your online privacy. You can click on each logo to find the privacy page for each service. Next, you can test your privacy settings by seeing how easily you can find yourself using this custom people search engine. This search provides results from other people directories.


Actually old tech (bouncing lasers off of windows to pick up vibrations has been a tool for years)
Eavesdropping On A New Level
… Researchers from MIT, Microsoft, and Adobe have shown that they can recover sound from video imagery, a technique that promises to pique the interest of intelligence agencies and forensic investigators. While the technique will need to be refined to be practical outside the laboratory, it has the potential to enable retroactive eavesdropping at events that were videoed with sufficient fidelity.
… In a paper to be presented in mid-August at SIGGRAPH 2014, the researchers describe how they filmed a series of objects using both a high-speed video camera and a consumer video camera and were able to reproduce sounds that had been playing near objects using only video information -- the object's minute vibrations in response to the impact of sound waves.
… US intelligence presumably already has more sophisticated eavesdropping technology. A decade-old patent application arising from work at NASA, "Technique and device for through-the-wall audio surveillance," describes a way to listen in on even soundproofed locations by using "reflected electromagnetic signals to detect audible sound." But MIT's Visual Microphone technique could become a useful addition to an already formidable set of surveillance tools.


For my Ethical Hacker's “Guide to Hacking”
How Hackable Is Your Car? Consult This Handy Chart
… All the cars’ ratings were based on three factors: The first was the size of their wireless “attack surface”—features like Bluetooth, Wi-Fi, cellular network connections, keyless entry systems, and even radio-readable tire pressure monitoring systems. Any of those radio connections could potentially be used by a hacker to find a security vulnerability and gain an initial foothold on a car’s network. Second, they examined the vehicles’ network architecture, how much access those possible footholds offered to more critical systems like steering and brakes. And third, Miller and Valasek assessed what they call the cars’ “cyberphysical” features: capabilities like automated braking, parking and lane assist that could transform a few spoofed digital commands into an actual out-of-control car.


You can autocomplete all of the people some of the time and some of the people all of the time, but you can't avoid litigation any time.
Now Google Autocomplete Could Be Found Guilty Of Libel In Hong Kong
Another story to illustrate a favourite theme of mine. This time it’s the possibility that Google's autocomplete function will get the company sued for, and found guilty of, libel in Hong Kong.
A court has ruled that a Hong Kong tycoon can sue Google over its autocomplete results suggesting he has links to organized crime.
In a judgment released Wednesday, the court dismissed the Internet search giant’s objections to tycoon Albert Yeung’s defamation lawsuit.
Yeung filed the lawsuit after Google refused to remove autocomplete suggestions such as “triad,” as organized crime gangs are known in China, which popped up with searches on his name.


For my Computer Security and IT students.
IT Salary Guide 2014
(Please note: These IT salary numbers are for starting pay only. Factors like seniority and performance reports are impossible to calculate.)


For all my students, please!
8 Ways To Spell & Grammar Check In Microsoft Word Using Different Dictionaries & Languages

Tuesday, August 05, 2014

Interesting wording. (Only the Lakewood CO store was hit.)
P.F. Chang's: 33 restaurants affected in data breach
The restaurant chain P.F. Chang's China Bistro said Monday a security breach first reported in June may have led to the theft of customer data from credit and debit cards used at 33 restaurants.
An intruder may have stolen card numbers and possibly names and expiration dates of customers’ credit and debit cards used over the course of about 8 months. But the chain has not determined that any specific card holders' data was stolen. [Another way to say that: “We have no idea what was taken.” Bob]
In Monday's statement the chain updated its progress in investigating a breach first reported in June. The statement said all card data has been processed securely at all locations since June 11.
The security breach of their card processing systems occurred between October 19th of 2013 and June 11th of 2014, one day after the Secret Service made the company aware of the breach. [“It's not like we can just turn off our compromised systems... Well, we could, but then we'd have to process the cards manually and that's like boring dude.” Bob]
… If you dined at any of the listed locations, between the dates noted, you are strongly advised to review your financial records to determine if any fraudulent activity has occurred since that time.


The “Oops!” just keep coming.
Myles Udland reports:
Target’s data breach just got more expensive.
In a statement, the retailer said its second quarter earnings will include a $148 million charge related to losses regarding the massive data breach which occurred during last year’s holiday shopping season. This is more than the company previously estimated.
Read more on BusinessInsider


Gamers in Philadelphia are crooks? Thumbprints ensure the games haven't been stolen? “We're just gathering data for the next thing in Behavioral Advertising – 'Bail Bond ads!'”
Steve Tawa reports:
The big video game retailer, GameStop, is now requiring its customers in Philadelphia, but not in the suburbs, to provide a fingerprint scan on certain transactions.
When GameStop buys used video games from customers, the chain says it is following a local law that allows the store to collect thumb prints, which go into a database to help law enforcement track down thieves who fence stolen goods.
City Solicitor Shelley Smith says, however, the city is not requiring GameStop to abide by the pawnbroker’s ordinance:
“What GameStop does doesn’t meet any of the elements of the definition in the code, so the pawnbroker ordinance doesn’t apply to GameStop.”
Read more on CBS Philly.
[From the article:
The Philadelphia Police Department says the company is being proactive by storing fingerprints in a secure database – LeadsOnline – which is the nation’s largest online investigation system.


Still want to allow BYOD in your corporation?
Most Top Free and Paid Mobile Apps Pose Threat to Enterprises: Report
Mobile app risk management solutions provider Appthority has analyzed 400 of the most popular free and paid applications for Android and iOS devices and presented the results in a report released on Monday.
The risky behaviors identified by the company are related to the type of data that's collected, and where the data is going, not outright malware risks. According to Appthority's App Reputation Report for the summer of 2014, most apps collect information on the user's location, they access the address book and the calendar, they identify the user based on the device's IMEI or UDID, and they're capable of performing in-app purchases. The collected data can go to ad networks, social networks, third-party analytic frameworks, third-party crash reporting SDKs, and public cloud file storage providers.
According to F-Secure's Q1 2014 Mobile Threat Report, more than 99 percent of new mobile threats discovered by the security firm in the first quarter of 2014 targeted Android users.
Last summer, researchers from Bitdefender unveiled research that also found iOS apps to be just as invasive and curious about user data as Android apps are.
The complete 2014 App Reputation Report from Appthority is available for download in PDF format.


Schools apparently have little or no resistance to salesmen. Wouldn't it be much simpler (and cheaper) to give the teachers an App that allowed them to do everything related to teaching and grading? (Note to reporters: The bracelets don't track student behavior, they record teacher opinions.)
Abbie Napier reports:
A North Canterbury school’s plan to fit students with microchip bracelets to track their behaviour has prompted concern among parents.
Swannanoa School wants to use silicon bracelets as part of a scheme to reward good behaviour, minutes from a Parent Teacher Association meeting show.
Teachers would use portable scanners to add points to a student’s online good behaviour chart with a reward when a certain amount of points was accumulated.
The school says the scheme would cost $7000 to set up. The proposal has been opposed by some parents.
Read more on Stuff.
[From the article:
After the school was approached by The Press, parents received a letter about the proposed new system.
In it, McClelland said the bracelet system was an alternative to a previously proposed electronic card that students could lose.

(Related) Of course it's not just schools. My tax dollars, wasted! “Hey, they keep offering us all this money. Should we turn it down?”
Lynn Thompson reports:
More than a year after Seattle police promised to not turn on a network of surveillance cameras and communication nodes installed as part of a federal port-security grant, the department still hasn’t released a draft policy on how it will use the equipment and protect citizen privacy.
The installation of the 30 cameras and a wireless mesh broadband network came shortly after the Police Department’s purchase of two aerial drones, also with a Homeland Security grant, and also without public notice.
Read more on Seattle Times.


Bold headline.
The Supreme Court Is Wising Up on Digital Privacy
While much of Washington grapples with a handful of newly-minted Supreme Court decisions focused on social and campaign finance reform, three largely overlooked court decisions signal a much larger tidal wave of change ahead for the tech community. Taken together, these cases shed light on the court’s views of how the Fourth Amendment’s protections against searches and seizures are complicated when much of our personal information is now digital.
The turning point for tech began in 2012 with United States v. Jones, in which the court ruled that attaching a GPS device to a car and monitoring its movements constitutes a search under the Fourth Amendment. This year, the court issued a single opinion on two more cases, Riley v. California and United States v. Wurie, finding that law enforcement must obtain a warrant in order to search digital information on a cell phone seized from an individual at the time of arrest.
… As we enter an increasingly digital world, a period in which the Internet of Things is poised for explosive growth, it’s reassuring to see that today’s court is equipped to handle cases related to digital privacy. [Slick infographic Bob]


So if I'm sending or receiving high volumes on my phone, I could (temporarily of course) become a “Big Data user” and the medical data I'm sending for diagnosis will wait for some kid's selfie, because that's “fair.”
Verizon response to FCC's throttling concerns: everyone's doing it
Verizon Wireless has officially responded to FCC Chairman Tom Wheeler and his data throttling concerns. The Verge has obtained a copy of the carrier's response, dated August 1st, which was written by Kathleen Grillo, the company's SVP of Federal Regulatory Affairs. In it, Verizon underlines the notion that customers will only experience slowdowns "under very limited circumstances." It will only happen at "particular cell sites experiencing unusually high demand," the letter reads. We've outlined the other factors that could result in reduced data speeds previously.
Verizon notes that any throttling will cease immediately when demand on a strained cell site returns to normal. "Our practice is a measured and fair step to ensure that this small group of customers do not disadvantage all others in the sharing of network resources during times of high demand." The carrier insists only big data users who "have an out-sized effect on the network" will be slowed down.
Verizon claims those same people almost always have unlimited data plans and have "no incentive not to" hog up network resources. The top 5 percent of data users will be subject to LTE throttling beginning in October. It may sound difficult to reach that level of data usage, but keep in mind that right now Verizon says exceeding 4.7GB of data would put you there.


Who cares what laws them fur-n-ers got... This here's 'Merica!
Federal Court Ruling Orders Microsoft to Violate International Law
Lawyers for Microsoft say they will appeal a federal judge's order that they turn over the contents of a customer's email that's stored on a server in Ireland. But if Microsoft were to comply with the order, it appears that the company would be in violation of both Irish and European laws.


My Computer Security students could build a wiki of useful guides and studies... Not doing it probably won't impact your grade... Probably.
Anna Forrester reports:
The National Institute of Standards and Technology has released a draft guidance for federal agencies, contractors and the intelligence community to evaluate the privacy and security controls used on federal information systems and information technology networks.
NIST said Friday that the “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans” document (SP 800-53A) and the supplementary catalog of controls (SP 800-53) are available for public comments through Sept. 26.
Read more on ExecutiveGov.


It was the first MS operating system that was “good enough.”
Windows XP Is Refusing To Die
Despite Microsoft pulling support for Windows XP in April, the ancient [in Internet years Bob] operating system is refusing to die. According to the latest figures from Net Applications, XP still accounts for 24.82 percent of the Windows market share, down just 1.5 percent since Microsoft pulled the plug.
Meanwhile, Windows 8 and Windows 8.1 continue to struggle, with a 12.48 percent market share for July actually showing a drop on the previous month. Windows 7 now boasts a market share of 51.22 percent, making it by far the most popular version of Windows out in the wild. We hope Microsoft is taking note of these statistics while developing Windows 9.


A way for my website students to “introduce” themselves to potential employers?
Remove Unused CSS to Reduce the Size of your Stylesheets
The CSS files of your website may have several redundant rules that are no longer used by any element on the web pages. For instance, you may have added a site search box on your website and associated styles went into the stylesheet. Later, if you decide to remove that search box, the styles may continue to exist in your CSS though they aren’t being used anywhere.
These unused entries in your CSS files increase the page load time of your website and also affect the site’s performance, as the browser has to do extra work parsing all the extra rules. And even if the impact on performance is minimal, keeping the files clean and well-structured makes maintaining your CSS easier.
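As an added example (not code from the original article or from any tool it goes on to describe), here is a small Python script that reports the simple selectors in a stylesheet that match nothing in a page; the HTML and CSS inputs are constructed, modelled on the passage's scenario of a removed search box whose styles were left behind.

```python
"""Find CSS selectors (.class, #id, element, and compounds of them) that no
element in a page uses. Constructed example; regex-based, not a full parser."""
import re

# Constructed sample page: the site-search box has already been removed.
SAMPLE_HTML = """
<html><body>
  <header id="top"><h1 class="title">Blog</h1></header>
  <nav class="menu"><a href="/">Home</a></nav>
  <p class="post intro">Hello</p>
</body></html>
"""

# Constructed sample stylesheet: the search-box rules are now dead weight.
SAMPLE_CSS = """
body { margin: 0; }
.title { font-size: 2em; }
.menu a { color: navy; }
#search-box { border: 1px solid gray; }   /* markup was removed */
.search-button:hover { cursor: pointer; } /* so was its button */
.post { line-height: 1.4; }
"""

def used_names(html):
    """Collect the tag names, class names and ids that actually occur in the page."""
    tags = {t.lower() for t in re.findall(r"<([a-zA-Z][a-zA-Z0-9]*)", html)}
    classes = set()
    for attr in re.findall(r'class="([^"]*)"', html):
        classes.update(attr.split())
    ids = set(re.findall(r'id="([^"]*)"', html))
    return tags, classes, ids

def selectors(css):
    """Return every selector in the stylesheet, one entry per comma-separated selector."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)           # drop comments
    return [s.strip() for group in re.findall(r"([^{}]+)\{", css) for s in group.split(",")]

def selector_is_used(selector, tags, classes, ids):
    """A selector counts as used only if every tag, class and id it names exists."""
    selector = re.sub(r"::?[a-zA-Z-]+(\([^)]*\))?", "", selector)  # ignore :hover, ::before, ...
    for token in re.findall(r"[.#]?[a-zA-Z_][\w-]*", selector):
        if token.startswith("."):
            if token[1:] not in classes: return False
        elif token.startswith("#"):
            if token[1:] not in ids: return False
        elif token.lower() not in tags: return False
    return True

def unused_selectors(css, html):
    """List the selectors from css that match nothing in html, in stylesheet order."""
    tags, classes, ids = used_names(html)
    return [s for s in selectors(css) if not selector_is_used(s, tags, classes, ids)]
```

Attribute and descendant selectors from external scripts, or classes added at runtime by JavaScript, are not seen by this static check, so treat its output as candidates to review rather than rules to delete blindly.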