Saturday, January 03, 2015
“We don't like North Korea anyway, so guilty or not, a few sanctions that sound good but don't really mean much make it look like we're retaliating.”
The Obama administration doubled down on Friday on its allegation that North Korea’s leadership was behind the hacking of Sony Pictures as it announced new sanctions on 10 senior North Korean officials and several organizations.
… “It’s a first step,” one of the officials said. “The administration felt that it had to do something to stay on point. This is certainly not the end for them.”
… The more immediate impact of the announcement may be that the administration is not backing down on Mr. Obama’s announcement on Dec. 19, hours before leaving for his Hawaii vacation, that “North Korea engaged in this attack” on Sony Pictures. The president’s statement touched off an escalating debate between skeptics who said the attack came from inside Sony and government officials who said it could be traced to North Korea.
Unfortunately, I think most big entertainment companies would do pretty much the same thing. I doubt they will ever read this article.
Sony’s ‘Holiday Thank You’ Completely Misses the Point
In response to Lizard Squad’s massive attack against PlayStation Network and Xbox Live that brought each service offline for days, Sony has just offered players a five day extension of their PlayStation Plus memberships and a 10% coupon to be used in the PlayStation Store. It’s an offer that rings hollow and completely misses the point of what was so distressing about the outage.
PlayStation Network has never had a great track record. Its in-game performance is often spotty, and its download speeds are slow. It has lagged behind Xbox Live and Steam in basic functionality for years. It goes down frequently for “routine maintenance.” It was taken offline for 23 days in 2011 after the personal details of 77 million user accounts were stolen during a hack so dramatic it earned its own Wikipedia page and Sony had to answer to the US House of Representatives. That’s why it was so significant during Sony’s February 2013 reveal of the PlayStation 4 that it promised to improve its network. The “fastest gaming network in the world,” it vowed. It had learned from the failings of the PlayStation 3, of the network hack, of the superior service offered by competitors. It’s just too bad that, like most of the features promised during that reveal, Sony has failed to follow through.
Here’s the problem with Sony’s statement: It is completely oblivious to the valid concerns its customers have. Sony has still, thus far, not even officially recognized Lizard Squad’s attack as the cause of the downtime, which flies directly in the face of the 2011 network hack when Sony was widely criticized for taking so long to inform its customers of the network compromise. It was irresponsible then, and it’s irresponsible now not to own up to the true cause of the outage. Instead, all we get is a vague admission that “access to PlayStation Network was impacted during the holidays.” But that’s not the only problem.
From top to bottom, the entire statement reads like it had been written 20 minutes prior, full of unclear terms and indefinite timelines. In regards to the free five days of PlayStation Plus, Sony writes, “We will post additional information here on PlayStation.Blog when the extension becomes available.” Players who do not already have a Plus account will get their five days “once the extension becomes available (we will notify you when).” As well, the 10% off coupon for the PlayStation Store will be available “sometime this month.” It’s baffling that Sony would put out a statement with so many uncertainties and speaks volumes to Sony’s level of commitment to improving its network.
I’ve had a PlayStation Plus subscription for three years now. I’m not interested in a five-day extension. That does nothing for me. I didn’t even get a chance to play anything during the Christmas outage, so it didn’t affect or inconvenience me at all. And frankly, I find a 10% limited discount code to be actually insulting. Why should I reward Sony for not being prepared for an attack threatened weeks in advance by spending money in its store?
What I want, and what we as gamers should demand, is that Sony finally make good on its promises from almost two years ago, that in exchange for mandating a paid subscription to access multiplayer on PlayStation 4, it would deliver a truly fast, reliable, and safe network. I still maintain that the blame for the attacks should be on Lizard Squad, but that by no means excuses Sony for its lackluster network.
For my Ethical Hackers. Sound familiar?
A Hacker's Hit List of American Infrastructure
On Friday, December 19, the FBI officially named North Korea as the party responsible for a cyber attack and email theft against Sony Pictures.
… Technology journalists were quick to point out that, even though the cyber attack could be attributable to a nation state actor, it wasn’t particularly sophisticated. Ars Technica’s Sean Gallagher likened it to a “software pipe bomb.” [Love that phrase! Bob]
But according to cyber-security professionals, the Sony hack may be a prelude to a cyber attack on United States infrastructure that could occur in 2015, as a result of a very different, self-inflicted document dump from the Department of Homeland Security in July.
Here’s the background: On July 3, DHS, which plays a “key role” in responding to cyber-attacks on the nation, replied to a Freedom of Information Act (FOIA) request on a malware attack on Google called “Operation Aurora.”
Unfortunately, as Threatpost writer Dennis Fisher reports, DHS officials made a grave error in their response. DHS released more than 800 pages of documents related not to Operation Aurora but rather the Aurora Project, a 2007 research effort led by Idaho National Laboratory demonstrating how easy it was to hack elements in power and water systems.
I wonder if there was a sudden rush to “un-friend” the boss, or if they had already created a “for the boss” version of their Facebook page and didn't need to change anything?
Jim Matheny reports:
Now that 2015 is here, the new year means lots of new laws take effect in Tennessee. That includes a change that protects employees’ private information on Facebook, Twitter, and other social media accounts from nosy bosses.
“The new law says an employer cannot force you to tell them your social media passwords or login to let them see what you’re doing. That seems obvious to most people. But what an employer also cannot do anymore is tell an employee or applicant, I need you to ‘friend’ me on Facebook, or I need you to friend me on Instagram, or follow me on Twitter. That way I can see what you’re doing,” said Chris McCarty, a Knoxville attorney who specializes in employment law.
Read more on WBIR.
It's all about the technology.
The Future of Getting Arrested
Even the most straightforward arrest is built upon an incredibly complex foundation: the moment the handcuffs go on is the moment some of our society’s most hotly contested ideas about justice, security, and liberty are brought to bear on an individual. It’s also a moment that’s poised to change dramatically, as law-enforcement agencies around the country adopt new technology—from predictive-policing software to surveillance cameras programmed to detect criminal activity—and incorporate emerging research into the work of apprehending suspects.
How They’ll Know a Crime Is Taking Place
Devices designed to detect questionable activity are proliferating.
How They’ll Find Their Suspects
Usually predictive policing refers to feeding reams of city data into a computer and dispatching extra officers to areas that are deemed to be at high risk of future crime. There’s potential, though, for predictive policing to be less passive.
How They’ll Actually Arrest Someone
Confronting suspects and taking them into custody should become safer for police officers, thanks to so-called real-time crime centers staffed by analysts who can transmit information to officers en route to a crime scene—the criminal histories of the people who live at that address, say, or floor-plan details, or intelligence gathered from surveillance cameras.
Talking the talk? By now, courts should have plenty of experience with automated systems and (one can only hope) with security.
… As a first step, many legal documents will be made available online as the court transitions to making electronic filings the official avenue for parties to submit documents, Chief Justice John Roberts announced in his year-end report released Wednesday night. The system would accept petitions, briefs and all other motions.
… Roberts said the court has been purposely slow to adopt new technology or embrace the “next big thing” because of its role. He cited a number of reasons, from the appropriations and procurement process to making sure that every member of the public — and not just the “most tech savvy” — can access the records.
He also touched on the specter of court records being hacked into, noting the sensitivity of some documents.
“Courts understandably proceed cautiously in introducing new information technology systems until they have fairly considered how to keep the information contained therein secure from foreign and domestic hackers, whose motives may range from fishing for secrets to discrediting the government or impairing court operations,” he wrote.
An article for both my Data Management and my Business Intelligence classes.
Boards Dissatisfied With Cyber, IT Risk Info Provided by Management
… directors want changes in how risk oversight responsibilities are allocated. More than half of them believe this should be the province of the full board, rather than an audit committee alone.
In addition to being dissatisfied about the quantity of information management provides on cybersecurity and IT risk, some 36 percent said they are also unsatisfied with the quality of that information.
A giggle or two every week. Who could ask for more?
Hack Education Weekly News
… Georgia state lawmakers have passed legislation to reform lobbying, but have created a loophole so that they can still get freebies like college football tickets. Because ethics.
… “One bad tweet can be costly to a student athlete” as more schools monitor what students and recruits do online.
I'm all about learning to talk gooder!
A new word for the overworked: 'al desko'
The Oxford English Dictionary added "al desko" in 2014. It can be used as an adjective or an adverb and is kind of a cruel play on the Italian term "al fresco," meaning in the fresh air.
Friday, January 02, 2015
Troy will not be the only security expert taking this position.
Sony, North Korea and Cyberwarfare on RunAs Radio
It was the story that got weirder and weirder and will likely remain the high water mark for impactful security breaches for, well, probably not very long given this industry! Be that as it may, the Sony saga was unprecedented in many ways and it provoked some really interesting discussions.
A couple of weeks back I suggested that many of us are working for the next Sony Pictures insofar as a lot of the atrocious practices they followed being pretty much par for the course in large enterprises. This to me is one of the key lessons we should be taking away from all this – you may be nothing more than one bad employee or one nasty piece of malware away from your own place of work suffering the same fate.
Last week I caught up with Richard Campbell and we recorded a RunAs Radio episode on the hack. Whilst only a half hour can barely do it justice, we still covered a lot and I hope you find it interesting listening. Enjoy!
Every organization suffers from “bureaucrats,” few more than the FBI. The techies want to be right, the bureaucrats want to be flashy, fast, and most of all, “newsworthy!”
FBI may have made embarrassing mistake investigating Sony hack
A confidential bulletin sent by the FBI to companies across the US warning of further cyberattacks by the Sony hackers may have been based on fake posts and messages created by a prankster.
… But hours after the story published, a journalist who writes about cybersecurity stepped forward and claimed that he wrote the threat to CNN as a prank, copying another message that he found online and simply swapping some of the words.
Mediaite reports that David Garrett Jr., a writer for Homeland Security Examiner, took to Twitter and posted screenshots which appear to show that he was the author of the threat to CNN.
… But if Garrett is to be believed, then the FBI may have been fooled by a simple prank. If the FBI published a security bulletin based on anonymous and unauthenticated internet posts, that's going to make it more difficult for people to believe its other claims.
Along with the threat against CNN, the FBI also mentioned another PasteBin post that mocked the bureau's own investigation. If the prankster is to be believed, that second post could also be fake.
Some security experts have cast doubt on the FBI's claim that North Korea was behind the hack of Sony Pictures. If the FBI has been fooled by an online prankster, that could make its claim that North Korea ordered the hack more difficult to believe.
Perhaps a project for my Statistics students?
Police Officer Body-Worn Cameras
Police Officer Body-Worn Cameras – Assessing the Evidence, by Michael D. White, PhD – Office of Justice Programs.
“The majority of this publication reviews the claims made by advocates and critics regarding body worn camera technology and includes a discussion of the empirical evidence supporting each claim. Given the lack of research, there is little evidence to support or refute many of the claims, and there are outstanding questions regarding the impact and consequences of body-worn cameras. Nevertheless, the available studies have provided insight into several areas, suggesting that additional study of the technology is warranted. However, police departments should be cautious and deliberate in their exploration of the technology given the lack of research.”
Freer and Sackler Galleries Launch Free HiRes Download of Over 40,000 Works
“Welcome to Phase 1 of Open F|S, the complete digitized collections of the Freer and Sackler Galleries and the Freer Study Collection. With more than 40,000 works being made available for high-resolution download—expanding regularly with our new acquisitions—you can explore the Smithsonian’s museums of Asian art from anywhere in the world, whenever you like. Images can be used for all non-commercial purposes, from desktop wallpapers to artistic gifts for family and friends.”
Thursday, January 01, 2015
Do you get a sense of “We have this under control” or “Our current worst case scenario is...” These hackers are building up a large amount of FBI embarrassment. That can only end badly.
FBI: The Sony Hackers Also Targeted CNN (Probably)
According to an official FBI bulletin obtained by The Intercept, the same hackers who broke into Sony Pictures and stole a devastating amount of data made threats against an American “news media organisation” as well. (It’s probably CNN.) The bulletin also warns that the attacks “may extend to other such organisations in the near future.”
That’s not a comforting way to start the new year if you’re a sysadmin at CNN or any other news outlet. It’s hard to tell how serious the threat is, but the fact that it’s included in a Joint Intelligence Bulletin of the FBI and the Department of Homeland Security doesn’t bode well. The bulletin points to a December 20 Pastebin post where a group identifying themselves as GOP — or Guardians of Peace — taunt the FBI and a link to a YouTube video called “you are an idiot!” Screenshots exist of a similar taunt directed towards CNN, and apparently federal authorities consider this a threat.
A guide for terrorists wishing to avoid detection? (Ethical Hackers: Always look for the bad guys in the “Thou shalt not” zones.)
Foreign Intelligence Gathering Laws
Library of Congress – “This report contains information on laws regulating the collection of intelligence in the European Union, United Kingdom, France, Netherlands, Portugal, Romania, and Sweden. The report details how EU Members States control activities of their intelligence agencies and what restrictions are imposed on information collection. All EU Member States follow EU legislation on personal data protection, which is a part of the common European Union responsibility. A comparative summary is included.”
Will this be available to your insurer?
The Quantified Self: How To Track Your Life With Your iPhone
The first step to change is knowing what you are dealing with. If you track your actions, you will be able to do them better. There is plenty of science to support this. However, tracking can be tiresome if you don’t have the right tools. That is not an excuse iPhone users can dole out any more, now that Loggr is here.
Why Should You Quantify Yourself?
The quantified self movement is gaining more followers as tools get easier. In our article What Is Lifelogging And Why Should You Do It?, Nancy says it gives you actual data to make your life better. It tells you whether you are actually benefitting from your exercise regimen or diet, and how it’s helping, or what needs to change.
… Loggr is completely free. No payments to unlock a pro version, no ads.
Download: Loggr (Free) from the iTunes App Store
Good news for my Data Analysis students.
SEC to Simplify Analysis of Corporate Financial Data
“The Securities and Exchange Commission has launched a program aimed at making it easier for investors to dig through and compare company financial filings. Under the program being tested, financial data the companies report will be organized into structured sets that the public can then download in bulk. The program will be expanded next year to include data in footnotes of the financial statements. The structured data are currently available as eXtensible Business Reporting Language (XBRL) exhibits. The SEC will now make the information available in other formats. Data sets will be updated quarterly.”
If you haven't learned how to run Apps on your PC, get an emulator (BlueStacks) and be sure to grab MathHero (and/or the iPhone equivalent, PhotoMath)
Amazon Gives Away $110 Worth Of Apps To Close Out 2014
Earlier this month, there were over $100 worth of apps up for grabs, and then just last week, it put another $200 worth on the table. As if that wasn't enough, it's just gone ahead and given us another list of free apps to peruse.
As usual, there's a great variety of apps to choose from here, with nearly half of the list dedicated to games.
… If you want to take advantage of these free apps but don't own an Amazon tablet or smartphone, you're not out of luck. But because Google doesn't like having competing app stores in its own Play Store, you'll need to jump through a couple of simple hoops. Head here to download the APK, and follow the steps at the bottom. You can then choose which apps you'd like for free from within the app itself, or add them to your Amazon account from the website.
Wednesday, December 31, 2014
Perhaps North Korea will go shopping?
Lizard Squad hackers offer cyberattacking services for fee
… The group’s website offers interested buyers the opportunity to overwhelm a server and push it offline — a somewhat common disabling method that’s been dubbed a “distributed denial of service,” or DDOS attack, The Hill reported.
… “This booter is famous for taking down some of the world’s largest gaming networks, such as Xbox Live, PlayStation Network, Jagex, BattleNet, League of Legends and many more,” the Lizard Squad said in its ad, The Hill reported. “With this stresser, you wield the power to launch some of the world’s largest denial of service attacks.”
The group only accepts bitcoins, The Hill reported.
As we become increasingly “global” it seems we want more “Balkanization” at the same time. Operate businesses globally to unite the world, but obey the laws of every country, even those that kept their companies from becoming global competitors.
Growing European Issues Imperil U.S. Tech Business Models
From Paris to Berlin and from Madrid and London to Moscow, the tech giants find themselves in battles over data privacy, taxation, national politics and other sovereign interests which are foreign to the business environment in the United States.
To say the primary issue is economics oversimplifies a range of nationalistic issues that would usually be reserved for discussions with other nation-states. The root of the emotions driving national demands is a sense of being invaded, even “colonized,” and not knowing where the invasion will end.
As reported in the Wall Street Journal, France and Germany have recently acted to curb the business practices of top U.S. tech firms, with overwhelming approval by the European Parliament of a resolution which calls for actions aimed at possibly breaking up Google.
… Issues exist in varying forms. England has recently announced a “Google tax” targeting profits of U.S. tech firms reaped locally. Russia and Turkey demand censorship control over information Google, Facebook and Twitter convey regarding “subversive” and selected local political matters.
All of this ultimately leads to the question of who controls the information flowing through the Internet. Pressures on tech firms to comply with nationalistic desires vary. Russia and others threaten to block U.S. social media services if their demands are not met. Other European countries want local data stored in local computer centers.
… Bank of America Merrill Lynch analyst Justin Post recently downgraded Google shares, citing European regulatory risk, stating that these clashes pose “one of the greatest threats to U.S. technology giants since their emergence from garages and college campuses over the past four decades.”
How is this useful? If I create a game using stolen code I probably get my joystick sued off. (On the other hand, I can do anonymous.)
Xbox One leak could allow people to make their own games for the console
… Xbox keeps the approval process for games locked down — developers must register with Microsoft and be approved before posting games to the Xbox’s official release channels. That protection will still be in place, but the leak of the SDK could lead to the emergence of a “homebrew” community, of developers making and sharing games for the Xbox One through unofficial channels.
The Internet and email are the most common tools. We don't teach students how to use either to best advantage. (Landlines preferred over cellphones)
Technology’s Impact on Workers
“The internet and cell phones have infiltrated every cranny of American workplaces, and digital technology has transformed vast numbers of American jobs. Work done in the most sophisticated scientific enterprises, entirely new technology businesses, the extensive array of knowledge and media endeavors, the places where crops are grown, the factory floor, and even mom-and-pop stores has been reshaped by new pathways to information and new avenues of selling goods and services. For most office workers now, life on the job means life online. Pew Research surveyed online a representative sample of adult internet users and asked those who have jobs a series of questions about the role of digital technology in their work lives. This is not a sample representative of all workers. It covers online adults who also have full- or part-time jobs in any capacity. The most recent survey data from Pew Research in late 2013 shows that 94% of jobholders are internet users and they work in all kinds of enterprises from technology companies to non-technology firms; from big corporations to small proprietor operations; and from those in urban areas, farms, and places in between. Some of the key findings are highlighted below…”
For my students? Could be interesting but I don't know how many of my students have Chromebooks.
Run Linux In A Window On A Chromebook
It’s now possible to run Linux in a window on a Chromebook. Google evangelist François Beaufort revealed how to do so in a Google+ post, detailing the various steps Chromebook owners must take in order to run their favorite Linux distros in a window.
Essentially, you need to be running Chrome OS in Developer Mode and install David Schneider’s Crouton extension. You can then run Linux in a separate window, saving you from switching between Virtual Terminals, which previously was the only way to run Linux on a Chromebook.
This isn’t recommended for inexperienced users, but then they will probably be happy using Chrome OS as is. Instead, this is for existing Linux users who like the Chromebook hardware but find Google’s operating system too limiting.
The Best Linux Software
Linux is full of awesome apps, both open source and proprietary.
We have to start teaching these devices as well as the rest of the Internet of Things cornucopia. An infographic.
How Do Smartphones Compare To Supercomputers Of The Past?
Most of us carry a smartphone around in our pocket without really thinking twice about just how impressive it is. These tiny little devices can do so many things, and they can do them for a (relatively) low price.
Have you ever thought about what your smartphone can do when compared to the supercomputers of the past? At one point, these computers were the pinnacle of power, and they required massive amounts of space to work. This infographic breaks down how the devices we have today compare with supercomputers, and the results are truly something to behold.
Check it out, and share your thoughts with us in the comments!
For my gamers. At least, for those with friends.
Free Copies For Nuclear Throne Friends
Everyone who currently owns a copy of Nuclear Throne will get a free copy of the game to give away to a friend. The giveaway will commence tomorrow (Jan. 1, 2015), with the idea being to bring fresh blood into the community to enable the game to grow and evolve.
As Vlambeer, the developer behind Nuclear Throne, explained on YouTube, “We need fresh eyes on the game, people that will still get decimated by Big Bandit and that will complain about the ravens in the scrapyard. We need to know how they feel about Nuclear Throne, and we need your help to reach them.” If it’s free then I’m in. Now, to find a friend who owns the game…
Tuesday, December 30, 2014
If there are security measures that can frustrate the NSA's best efforts, would you implement them? “Major problems” is not the same as “impossible,” but would the NSA spend much time or effort trying to read my communications with my bank?
Documents leaked by Edward Snowden show that the National Security Agency, despite its seemingly best efforts, is unable to crack certain types of cyber defenses.
The German newspaper Der Spiegel uncovered among the former contractor’s document trove new details about the extent of the spy agency’s ability to crack online encryption, which defenders of the agency say is necessary to monitor potential terrorists’ communications. [True if you define “monitor” as read as easily as if they sent you a copy. Bob]
… According to one Snowden document, as of 2012, agents had “major” problems tracking users on the Tor network, which encrypts and relays data all around the Web. The Off-the-Record (OTR) protocol for encrypting instant messages also caused significant problems for the agency, as did the Pretty Good Privacy (PGP) email encryption program, which is decades old and relatively common among security proponents.
Looks like this isn't as resolved as the FBI would hope.
A Bunch Of New Evidence In The Sony Hack Is Pointing Away From North Korea
New evidence emerging in the Sony Pictures cyberattack suggests that the hackers may have been far closer to home than North Korea.
News broke Monday that a security firm working with the FBI has come up with a list of six people who may have been closely involved with the hack. One of the individuals investigated by the firm also happens to be a disgruntled former Sony employee.
Security Ledger reports that Norse investigated a Sony employee known only as "Lena," viewing messages that she posted on social media and group chats. She worked at Sony for over a decade, performing an IT role with a "very technical background."
… A former federal prosecutor has also cast doubt on the FBI's assertion that North Korea was involved with the Sony hack. Mark Rasch of Rasch Technology and Cyberlaw says the claim that North Korea was behind the hack is "doubtful" and that the attack seemed to be carried out by someone with close knowledge of how Hollywood works, leaking only data that was embarrassing to Sony executives.
Many security researchers have been doubtful over the FBI's assertion since the agency announced on Dec. 19 that it was blaming North Korea for the Sony hack. The official US government position is that hackers affiliated with North Korea carried out the attack in retaliation for Sony's releasing the movie "The Interview."
Maury Nichols (one of the few people who admits they read my blog) sent me this article.
What Is Wrong With 'Legal Malware'?
Can malware, malicious by definition, ever be a good thing? Surprisingly, there are law enforcement agencies that would answer yes. There are a growing number of hacking techniques involving malware deployed by governments around the world. Effectively they are using criminal tools, which they claim is a legitimate means to the ultimate, legitimate end – fighting crime, even going so far as deeming their use legal. I disagree. And I think it is a worrying trend generally – one that needs to be nipped in the bud.
My colleague, security-researcher Costin Raiu, just recently published a report summarizing his research findings over the years plus predictions for the future in the murky world of sophisticated advanced persistent threat (APT) cyberattacks.
… Based on the reasons I give above, I think it is fair to say that terms like ‘legitimate malware’ or ‘offensive security’ are oxymoronic and disturbingly dystopian, reminiscent of Orwell’s ‘war is peace’ and ‘freedom is slavery’.
(Related) Convergence (the 'hot sheet' and mug shots?) Eventually police will have a Swiss Army Knife type of system. Need a particular tool? Just pull out a new blade.
The leading supplier of automated license plate reader technology in the US (ALPR, also known as ANPR in Europe) is expanding its offerings to law enforcement. Vehicle owners have already had their movements tracked by the company Vigilant Solutions, which boasts 2 billion entries in its nationwide database, with 70 million additional license plate photographs being added each month. Now passengers can also be tracked if they hitch a ride with a friend and are photographed by a camera aimed at the front of the car. The Livermore, California-based firm recently announced expanded integration of facial recognition technology into its offerings.
Only a handful of states have laws in place to regulate automated license plate reader technology.
Read more on TheNewspaper.com.
(Related) If we gather information on you, deliberately or not, it's an ongoing investigation and we don't have to release the information.
John Ruch reports:
The Boston Police Department embodies the Surveillance Age’s chilling twin principles: more power to spy on law-abiding citizens, and less accountability for doing it. That’s what we at the Jamaica Plain Gazette and Mission Hill Gazette have learned as our attempts to investigate police spying abuses are stymied by the department’s flouting of state public records laws.
Read more on the New England First Amendment Coalition.
I'd like to know how they got this past the Board of Directors. Are they relying on “forgiveness?”
The FBI Is Investigating Whether US Banks Are Launching Cyberattacks Of Their Own
… Bloomberg is reporting that the FBI is investigating whether US financial institutions have started fighting back against hackers.
… It's reported that JPMorgan Chase proposed to the FBI that the bank work from offshore locations to disable the servers used to launch denial of service attacks against its website. But attendees of the meeting dismissed the idea over concerns of its legality.
Despite ruling out the proposed hack, Bloomberg reports that US investigators found that a third party had carried out the attack after all. Now the FBI is investigating whether US companies broke the law in ordering the hack against the Iranian servers.
Sony Pictures, the movie studio targeted by hackers, allegedly used Amazon Web Services to try to disrupt people downloading the files leaked as part of the hack.
(Related) Interesting article.
Since the alleged North Korean cyber operation against Sony in late November, it has become de rigueur to engage in “enemy at the gate” rhetoric. Referring to “how the Internet and cyber operates,” even President Obama described the situation as “sort of the Wild West,” adding “part of the problem is you’ve got weak States that can engage in these kinds of attacks, you’ve got non-State actors that can do enormous damage.” Such a dire portrayal of the current state of cyber affairs on the part of a world leader not known for hyperbole deserves serious attention.
An interesting use of “Big Data” Will all such uses attract lawsuits?
Skiplagged finds cheap one-way fares by surfacing weird airline pricing strategies, like pricing a NY-SFO-Lake Tahoe flight cheaper than an NY-SFO flight, so you book all the way through to Tahoe, debark at SFO, and walk away from the final leg.
Of course, it only works if you fly without luggage. But given that the airlines' entire business strategy is to hoard information about their pricing and operations from their customers, in the hopes of tricking them into paying more for the same flight than the person in the next seat, it's hard to work up any sympathy for the industry when the tables are turned on them.
Skiplagged doesn't sell plane tickets; they don't even sell information. All they do is document the pricing strategies of the airlines. In the view of United and Orbitz, this is illegal -- they're suing the service (run by a 22-year-old New Yorker named Aktarer Zaman), calling it "unfair competition."
Zaman said he knew a lawsuit was inevitable but he points out that there’s nothing illegal about his web site.
He also said he has made no profit via the website and that all he’s done is help travelers get the best prices by exposing an “inefficiency” in airline prices that insiders have known about for decades.
For my students. We've got a lot to read, so pick a tool that works for you!
5 Best PDF & Ebook Readers For Windows
For my Ethical Hackers.
What Is The OBD-II Port And What Is It Used For?
… OBD-II is a sort of computer which monitors emissions, mileage, speed, and other useful data. OBD-II is connected to the Check Engine light, which illuminates when the system detects a problem.
… Traditionally, hand held scan tools are hooked up, allowing the average vehicle owner to read DTCs. However, a reference for the code numbers is still needed. You can find such a reference in various handbooks and websites, such as OBD-Codes.
Some modern scan tools can be connected to a Windows desktop or laptop, like ScanTool’s OBDLink SX USB Adapter on Amazon for $29.95, which allows you to turn your laptop into a very detailed scan tool.
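What a scan tool actually does with a Mode 03 ("read stored DTCs") reply is mechanical: each trouble code is two bytes, and the five-character code (P0420 and so on) is unpacked from their bits. The decoder below is an added example, not code from the article or from any scan-tool vendor. It assumes the legacy (non-CAN) response layout in which a 0x43 service byte is followed by two-byte DTC slots, with an all-zero slot meaning "empty"; the sample response line is constructed, and the three descriptions in the lookup table are standard generic codes included only to show where a reference such as OBD-Codes fits in.

```python
"""Decode OBD-II diagnostic trouble codes (DTCs) from raw Mode 03 response bytes.

Added example; not from the article or any scan-tool vendor. Assumes the
legacy ISO 9141 / KWP style reply: 0x43 followed by 2-byte DTC slots, where
0x0000 is an empty slot.
"""
from typing import Dict, List, Tuple

# Bits 7-6 of the first DTC byte select the code family.
DTC_FAMILIES = "PCBU"   # Powertrain, Chassis, Body, Network (U)

# A few standardized generic codes, for illustration only; a real tool ships
# a full reference or consults one such as OBD-Codes.
DTC_DESCRIPTIONS: Dict[str, str] = {
    "P0171": "System Too Lean (Bank 1)",
    "P0300": "Random/Multiple Cylinder Misfire Detected",
    "P0420": "Catalyst System Efficiency Below Threshold (Bank 1)",
}


def decode_dtc(high: int, low: int) -> str:
    """Turn the two DTC bytes into the familiar 5-character code.

    high: bits 7-6 -> family letter, bits 5-4 -> second character (0-3),
          bits 3-0 -> third character (hex digit)
    low:  high nibble -> fourth character, low nibble -> fifth character
    """
    family = DTC_FAMILIES[(high >> 6) & 0x3]
    second = (high >> 4) & 0x3
    return f"{family}{second}{high & 0xF:X}{low >> 4:X}{low & 0xF:X}"


def encode_dtc(code: str) -> Tuple[int, int]:
    """Inverse of decode_dtc; handy for building test frames."""
    code = code.strip().upper()
    if len(code) != 5 or code[0] not in DTC_FAMILIES:
        raise ValueError(f"malformed DTC: {code!r}")
    second = int(code[1])
    if second > 3:
        raise ValueError("second character of a DTC is 0-3")
    high = (DTC_FAMILIES.index(code[0]) << 6) | (second << 4) | int(code[2], 16)
    low = int(code[3:5], 16)
    return high, low


def parse_mode03_response(hex_line: str) -> List[str]:
    """Parse a raw reply such as '43 01 71 04 20 00 00' into DTC strings.

    Raises ValueError on anything that is not a well-formed Mode 03 reply,
    so a garbled serial line is reported rather than silently misread.
    """
    data = bytes.fromhex(hex_line.replace(" ", ""))
    if not data or data[0] != 0x43:
        raise ValueError("not a Mode 03 (stored DTC) response")
    body = data[1:]
    if len(body) % 2:
        raise ValueError("DTC payload must be an even number of bytes")
    codes = []
    for i in range(0, len(body), 2):
        high, low = body[i], body[i + 1]
        if high == 0 and low == 0:
            continue                    # padding / empty slot
        codes.append(decode_dtc(high, low))
    return codes


def describe(code: str) -> str:
    return DTC_DESCRIPTIONS.get(code, "(look up in a DTC reference such as OBD-Codes)")


if __name__ == "__main__":
    # Constructed sample reply: P0171, P0420 and a network code, then an empty slot.
    for c in parse_mode03_response("43 01 71 04 20 C1 23 00 00"):
        print(c, describe(c))
```

Note the empty-slot check must test both bytes together: a stored code like P0300 encodes to bytes 0x03 0x00, so a low byte of zero alone does not mean "no code".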
Monday, December 29, 2014
Not all downtimes are due to enemy action.
Twitter Back Up After Strange Downtime
Twitter is recovering from a prolonged period of downtime which affected Android and desktop users. For around five hours on Sunday (Dec 28), anyone trying to log in via the official apps was hit with an error message. The iOS Twitter apps remained unaffected by the issue throughout.
Tweetdeck users were hit with a different issue whereby all tweets were dated one year into the future. This could explain the problem, with the premature date change leading to session tokens instantaneously expiring. Either way, Twitter has now fixed the issue… at least until the real 2015 rolls around.
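One mechanism by which a date can jump a full year ahead at exactly this point in the calendar, and take session tokens with it, is the ISO 8601 week-based year: ISO week 1 of 2015 begins on Monday, 29 December 2014, so those last three December days belong to ISO year 2015 while still being calendar year 2014. The code below is an added, hypothetical illustration of that failure mode, not Twitter's code and not a root cause the article establishes; the token format and date-comparison logic are assumptions of this example. Python exposes the week-based year through `date.isocalendar()[0]` (the same value `strftime('%G')` or Java's `YYYY` pattern produce, as opposed to the calendar year from `%Y` / `yyyy`).

```python
"""Show how an ISO week-based year pushes a date one year ahead in late
December, and how a validator that renders "now" that way rejects every
live token at once.

Added, hypothetical illustration; not Twitter's code. Token layout and the
string-comparison validator are assumptions of this example.
"""
from datetime import date, timedelta
from typing import Callable, Dict, List


def calendar_stamp(d: date) -> str:
    """Correct rendering: calendar year, zero-padded YYYY-MM-DD."""
    return f"{d.year:04d}-{d.month:02d}-{d.day:02d}"


def week_year_stamp(d: date) -> str:
    """Buggy rendering: the ISO week-based year lands in the year field."""
    iso_year = d.isocalendar()[0]
    return f"{iso_year:04d}-{d.month:02d}-{d.day:02d}"


def token_is_valid(expires_iso: str, now: date,
                   stamp: Callable[[date], str] = calendar_stamp) -> bool:
    """Lexicographic comparison is sound for zero-padded YYYY-MM-DD strings,
    but only if both sides use the calendar year."""
    return stamp(now) <= expires_iso


def simulate(issued_iso: str, lifetime_days: int, check_iso: str) -> Dict[str, object]:
    """Issue a token on issued_iso, then validate it on check_iso with the
    correct and the buggy rendering of the current date."""
    issued = date.fromisoformat(issued_iso)
    check = date.fromisoformat(check_iso)
    expires = calendar_stamp(issued + timedelta(days=lifetime_days))
    return {
        "expires": expires,
        "now_correct": calendar_stamp(check),
        "now_buggy": week_year_stamp(check),
        "valid_correct": token_is_valid(expires, check),
        "valid_buggy": token_is_valid(expires, check, stamp=week_year_stamp),
    }


def days_where_years_disagree(year: int) -> List[str]:
    """Calendar days of `year` whose ISO week-based year differs from `year`.
    These are the only days on which the bug above can fire."""
    d = date(year, 1, 1)
    out = []
    while d.year == year:
        if d.isocalendar()[0] != year:
            out.append(calendar_stamp(d))
        d += timedelta(days=1)
    return out


if __name__ == "__main__":
    print(simulate("2014-12-01", 30, "2014-12-29"))
    print(days_where_years_disagree(2014))
```

A useful regression check for any date-formatting code is the last function: run it over a few years and assert the output is empty for the formatter you actually use. The bug is silent for the other 362 days of 2014, which is why it tends to surface in production at the end of December.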
For my Ethical Hackers. For your toolkit.
German Defense Minister von der Leyen's fingerprint copied by Chaos Computer Club
A speaker at the yearly conference of the Chaos Computer Club has shown how fingerprints can be faked using only a few photographs. To demonstrate, he copied the thumbprint of the German defense minister.
… Krissler explained that he didn't even need an object that von der Leyen had touched to create the copy. Using several close-range photos in order to capture every angle, Krissler used a commercially available software called VeriFinger to create an image of the minister's fingerprint.
Along with fellow hacker Tobias Fiebig, Krissler has been working at the Technical University of Berlin on research into weaknesses of biometric security systems. Krissler pulled a similar stunt in 2008 with a fingerprint of then interior minister and current Finance Minister Wolfgang Schäuble.
Krissler intends to show how systems which use these prints or iris scans to verify identity, which are becoming more prevalent and popular, can be outsmarted. He gave the example of facial recognition software that can be fooled by a person's photograph, as well as showing how his fake fingerprint can trick the iPhone fingerprint sensor.
Perhaps a project for my Ethical Hackers. How to safeguard victims of abuse. (How to make anyone less surveillable?)
Exclusive: Abusers using spyware apps to monitor partners reaches 'epidemic proportions'
The use of surveillance software by abusive spouses to monitor the phones and computers of their partners secretly has reached “epidemic proportions” and police are ill-equipped to tackle it, domestic violence campaigners have warned.
… A survey by Women’s Aid, the domestic violence charity, found that 41 per cent of domestic violence victims it helped had been tracked or harassed using electronic devices. A second study this year by the Digital Trust, which helps victims of online stalking, found that more than 50 per cent of abusive partners used spyware or some other form of electronic surveillance to stalk their victims.
… “However, in many cases the police are not trained to recognise and understand the impact of online abuse, including tracking, and action is rarely taken against abusers.”
Will this spur new laws?
The spat between retailers and banks over who foots the bill and bears the responsibility following a data breach is ramping up heading into 2015.
A group of retail trade groups on Monday fought back against what they call a misleading survey from the Independent Community Bankers of America (ICBA), which alleged banks are shelling out millions of dollars because retailers can’t secure their networks.
… The ICBA survey, released Dec. 18, said community banks had to reissue nearly 7.5 million credit and debit cards at a cost of $90 million in the wake of the massive Home Depot data breach, which exposed 56 million customers’ payment card information.
“We continue to advocate that the costs associated with data breaches be borne by the party that experiences the breach,” ICBA Chairman John Buhrmaster said at the time. “Communities and customers should not suffer for the faults of retailers.”
… Retailers bear equal or greater costs after a data breach, they argued, pointing to a 2013 Federal Reserve study of debit card fraud.
Banks are also disingenuous about their switch to chip-enabled cards, the retailers said.
“While ICBA supports the movement to embedded-chip technology for credit and debit cards, the organization appears to only do so grudgingly, questioning its efficacy against data breaches,” they said.
Does this report tell us anything we did not already know?
Competition Among U.S. Broadband Service Providers
“More than one quarter of American homes have not adopted Internet service, many citing cost as their primary reason.
… Looking at Internet service options available to households in December 2013, using data from the Census Bureau and National Telecommunications and Information Administration, we find that more service providers offer lower-speed than higher-speed service. [Duh! Bob] At download speeds of 3 megabits per second (Mbps), which is the Federal Communications Commission’s current approximate standard for basic broadband service, 98 percent of the population had a choice of at least two mobile ISPs and 88 percent had two or more fixed ISPs available to them. However, as multiple household members increasingly consume video streaming services, music streaming, and online games, the adequate broadband speed bar has been raised.
To understand just how slow 3 Mbps is, it takes about 2.25 hours to download a 6 gigabyte movie. The same movie would only take 16 minutes to download at 25 Mbps.
… only 37 percent of the population had a choice of two or more providers at speeds of 25 Mbps or greater; only 9 percent had three or more choices. Moreover, four out of ten Americans did not live where very-high-speed broadband service – 100 Mbps or greater – is available.
… The report examines both fixed and mobile ISPs. We separate our analysis of these two types of Internet access because some groups consider them to be imperfect substitutes, especially for higher-bandwidth applications.
Mobile ISPs typically charge high fees if consumers exceed data usage limits. Furthermore, the service is less reliable, companies have not fully deployed newer generation technologies with higher download speeds and reduced latency, and mobile service is virtually non-existent at download speeds of 25 Mbps or greater.
In sum, the report finds that the number of ISPs from which consumers can choose varies by speed; there are multiple providers of lower speed broadband but this number dwindles at higher speeds. All else equal, having fewer competitors at a given speed is likely to drive up prices. As a result, some consumers will decide not to adopt Internet access at all, some will choose a slower speed than otherwise, and some will economize in other ways.”
I want to develop a “Math in the 21st Century” course, using tools like this. These tools are already available to my students, so why not teach them the proper way to use them? No, it doesn't do everything for you, any more than power tools will build a house for you. These Apps are available for iPhones, Droid, etc.
Wolfram|Alpha Apps and Math Course Apps for Windows—Just Released
… We’re also happy to announce the release of several of our Course Assistant Apps on Windows 8.1 devices:
These apps also feature our custom keyboards for the quick entry of your homework problems. View Step-by-step solutions to learn how to solve complex math queries, plot 2D or 3D functions, explore topics applicable to your high school and college math courses, and much more.
For my students. Get in the habit now. (Why only paper planners?)
How To Create A Custom Planner To Meet Your Goals In 2015
Sunday, December 28, 2014
So, what's next? (Because the hackers are having way too much fun to leave them alone.)
Sony restores Playstation but doubts linger
Ending several days of interruption, Sony Corp on Sunday finally restored services to its PlayStation online gaming network after a Christmas Day cyber attack shuttered access to large numbers of customers, including holiday recipients of new game consoles.
… "It's not yet clear whether it's just an outage of the PlayStation Network or if some personal data has been stolen too," Hideki Yasuda, a Tokyo-based analyst at Ace Research Institute, said.
Once upon a time: “On the Internet, nobody knows you're a dog!” That had a certain appeal.
Now: “On the Internet, everyone thinks you're a terrorist!”
Ben Westcott reports:
Innovative Australian online mental health providers could be deserted by clients under the government’s controversial new metadata laws.
One of the developers of a widely used Canberra-based online mental health program said the new policy would affect the site’s ability to provide anonymity and freedom from stigma.
But the Attorney-General’s Department said the government was limiting metadata access to agencies with a clear operational or investigative need.
The Abbott government has introduced a bill to make it mandatory for telecommunications companies to store customer information for two years.
Read more on Sydney Morning Herald.
You are worth too much to these companies, they can't let you opt out.
Do Not Track is History?
New York Times: “Four years ago, the Federal Trade Commission announced, with fanfare, a plan to let American consumers decide whether to let companies track their online browsing and buying habits. The plan would let users opt out of the collection of data about their habits through a setting in their web browsers, without having to decide on a site-by-site basis. The idea, known as “Do Not Track,” and modeled on the popular “Do Not Call” rule that protects consumers from unwanted telemarketing calls, is simple. But the details are anything but. Although many digital advertising companies agreed to the idea in principle, the debate over the definition, scope and application of “Do Not Track” has been raging for several years. Now, finally, an industry working group is expected to propose detailed rules governing how the privacy switch should work. The group includes experts but is dominated by Internet giants like Adobe, Apple, Facebook, Google and Yahoo. It is poised to recommend a carve-out that would effectively free them from honoring “Do Not Track” requests. If regulators go along, the rules would allow the largest Internet giants to continue scooping up data about users on their own sites and on other sites that include their plug-ins, such as Facebook’s “Like” button or an embedded YouTube video. This giant loophole would make “Do Not Track” meaningless.”
(Related) For my Business Intelligence and Data Mining students. Multiple business opportunities! If the current price is $2,000 per website per month, what is the software worth?
Priceonomics Launches a Platform to Crawl and Analyze Web Data
Priceonomics has launched a new offering that enables developers to crawl and analyze web pages on a large scale.
… Once a web page is crawled, the Priceonomics Analysis Engine analyzes the data it contains using applications that, for instance, can extract email addresses and phone numbers or retrieve information about where and how much the page has been shared on social media.
… Currently, Priceonomics is offering free access to its Analysis Engine. Developers can either use a shared API key that may produce slow results, or sign up for a private API key that is limited to 1,500 requests per day.
Data is the gold of the digital age and scraping is increasingly akin to gold mining. According to Priceonomics, "Tech companies and hedge funds pay us between $2K to $10K per month to crawl web pages, structure the information, and then deliver it to them in analyzed form. This is a pretty significant amount of money because acquiring data is a burning problem for some companies."
… Because data is so valuable and scraping it can be such a challenging task, a growing number of companies are hoping to build big businesses by offering self-serve tools that essentially allow anyone to turn web pages into APIs.
… Right now, it looks as if the market is large enough to support multiple companies but as more and more companies come face to face with the fact that their data is being scraped and incorporated into unofficial APIs, it's possible that offerings like Priceonomics' Analysis Engine will eventually have the ironic effect of encouraging companies to build official APIs that they can control and monetize.
Something for my Criminal Justice students?
Social Media Directory – DHS
“The Department of Homeland Security and its component agencies use numerous social media accounts to provide you with information in more places and more ways [the listing is quite long – what appears below is only a portion of the total]. The Department uses non-government sites to make information and services more widely available.