Wednesday, July 22, 2015

China called this exactly right. We make a fuss, call China a bunch of evil hackers, then balk at any official action for dubious political reasons. If there are benefits and no consequences, why would China stop the behavior?
Ellen Nakashima reports:
Months after the discovery of a massive breach of U.S. government personnel records, the Obama administration has decided against publicly blaming China for the intrusion in part out of reluctance to reveal the evidence that American investigators have assembled, U.S. officials said.
The administration also appears to have refrained from any direct retaliation against China or attempt to use cyber-measures to corrupt or destroy the stockpile of sensitive data stolen from the Office of Personnel Management.
Read more on Washington Post.

Remember, the Internet is global. If you annoy my Ethical Hacking students, they will turn your car into a driverless adventure ride, no matter where in the world you are. Imagine a future where an entrepreneur creates a game that grabs a car at random for gamers to control. What fun!
Hackers take over a Jeep from 10 miles away
… In a Wired exclusive published Tuesday, two hackers (who have been showing for years that cars are vulnerable to attacks) took control of a reporter’s Jeep Cherokee using a laptop 10 miles away, and killed its transmission, as well as messed with its windshield wipers, radio and air conditioning. They say Fiat Chrysler cars, which include the Jeep brand and feature an Internet-connected computer called Uconnect, are vulnerable to remote attackers.
Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced a bill Tuesday directing federal regulators to set security standards for vehicles, after Markey’s office published a report earlier this year finding that nearly all cars could be vulnerable to hacking.

This is a real (and guaranteed) cost of almost all security breaches. Even getting this tossed out of court will take time and treasure. Is that built into your Risk Management analysis?
So of course UCLA Health System has been sued over their recently disclosed breach, even though they’ve said they don’t have any evidence that patient information was even accessed. All they know/were able to confirm so far is that the hackers had access to the part of the system that housed patient information.
Law360 has more on Allen v. UCLA Health Systems Auxiliary et al, filed in the Central District of California.

My IT Governance students can create a better plan. (Their grade depends on it!)
Jana Winter reports:
Last month, in the wake of a series of massive breaches at the federal Office of Personnel Management, the Army issued a bulletin warning that some victims were being hit by hackers a second time, this time with an email phishing campaign asking them to input personal information into a third-party website to receive credit monitoring.
Except it turns out the email in question was completely legitimate. It was sent en masse by the OPM contractor providing notification and credit-monitoring services to the agency’s hacking victims.
Read more on The Intercept.

The court said judges can protect your rights under the constitution. Can they identify a bogus technological assertion?
Patrick G. Lee reports that it was a bad day for user privacy in a New York state appeals court:
Facebook Inc. lost a bid to block the biggest set of search warrants the company said it ever received in a case that might affect the amount of information social-media sites turn over to law enforcement.
Manhattan District Attorney Cyrus Vance Jr. obtained 381 warrants in 2013 as part of a Social Security fraud investigation. Facebook postings and other content — such as photos of suspects riding jet skis and performing mixed martial arts — provided Vance with evidence that helped bring charges last year against people accused of cheating the government by lying about their disabilities.
Of the 381 Facebook users that Vance targeted with the search warrants, 319 weren’t indicted, according to the ruling. Others were indicted without reliance on the Facebook warrants.
Even though Facebook had already complied with the search warrants, its appeal was allowed to continue in a case that has drawn the attention of Google Inc. and Twitter Inc., as well as the American Civil Liberties Union.
A New York state appeals court in Manhattan unanimously ruled on Tuesday that Facebook had no right to challenge Vance’s search warrants before they were executed.
Read more on Bloomberg.
[From the article:
The judge serves as a “constitutional gatekeeper” who “protects citizens from the actions of an overzealous government,” the court said.
… The case is In re 381 Search Warrants Directed to Facebook Inc., 30207-13, New York State Supreme Court, Appellate Division, First Department.

I don't see how politicians can use this in their Presidential campaigning, but then most of what they say is meaningless, isn't it?
This drone is packing heat, but it isn't breaking any laws
A gun-toting drone, tested and videotaped by an 18-year-old Connecticut man, apparently did not violate any existing laws, although the FAA is looking into it, according to ABC News and other reports.
In a video posted to YouTube July 10, the drone is seen hovering about five feet in the air, firing a front-mounted semi-automatic gun.
… an FAA spokesman told CNET that the agency is looking into whether the test flight, which did not break any state laws, violated any of its own regulations.
The video went viral just days after California authorities said the presence of five drones delayed firefighter response to the big North Fire near Los Angeles as well as the first FAA-approved drone delivery of medical supplies to a remote Virginia clinic.

(Related) Shouldn't a regulatory agency be more familiar with its regulations?
FAA Goes Into Full Panic Mode After Video Shows Drone Firing Semi-Automatic Handgun
… “The FAA will investigate the operation of an unmanned aircraft system in a Connecticut park to determine if any Federal Aviation Regulations were violated,” said FAA spokesman Jim Peters when the video first surfaced earlier this month. “The FAA will also work with its law enforcement partners to determine if there were any violations of criminal statutes.”

This rather surprises me. I wonder what the rates are in Washington? (What will organized crime bid for a copy of the user database?)
One in five Ottawans is registered on Ashley Madison
… One in five Ottawa residents allegedly subscribed to adulterers’ website Ashley Madison, making one of the world’s coldest capitals among the hottest for extra-marital hookups – and the most vulnerable to a breach of privacy after hackers targeted the site.
… The hackers, who referred to customers as “cheating dirtbags who deserve no discretion,” appear uninterested in blackmailing individual clients, unlike an organized crime outfit.

About time.
Feds go after LifeLock, alleging poor data security
Federal regulators are going after identity fraud protection firm LifeLock for allegedly deceiving customers about how secure their data is.
The Federal Trade Commission (FTC) on Tuesday accused LifeLock, which has over 3 million subscribers, of violating a $12 million 2010 settlement with the agency and 35 state attorneys general.

I thought this had been resolved when the government tried (and failed) to stop Phil Zimmermann from selling his encryption software (PGP) by classifying it as a “munition.” What are they worried about? Do they think China will buy these tools and thus be able to hack the Office of Personnel Management?
Google: New export rules could be 'disastrous'
Google is warning that the Commerce Department’s attempt to control the export of hacking tools will “hamper our ability to defend ourselves, our users, and make the web safer.”
“It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure,” the company said late Monday in a blog post.
Google’s remarks align the search engine giant with the cybersecurity community, which has been raising red flags for months about a Commerce Department proposal that would require companies to obtain licenses when exporting technology behind “intrusion software.”

I watch surveillance technology. But not as comprehensively as you are being watched. Here is one example. All of this in addition to knowing everything you have ever searched for...
Google Maps Timeline tracks your location and shows you where you've been
Google is introducing a new feature to its Maps application that allows users to see where they have been on any given day, month or year.
Google Now provides notifications when there are traffic incidents along your commute, or reminds you where you parked your car.
… People who use Google Photos, Google's new app that assigns tags to objects in photos and automatically arranges them into albums, can also see all the photos they took in a specific place or on a specific day on their Timeline.

Rethinking customization. Giving users control results in a site that is out of control.
Better Get Used to Twitter’s New Blandness
… This week, Twitter pulled the option of customizing background images on its website. It also replaced users’ chosen images with a single color, putting that same blue-gray on everyone’s page. It’s utterly plain and totally inoffensive, completely devoid of customization. Twitter users hate it.
… you can expect to see more of this. Twitter long has been going the way of Facebook, dropping user customization in favor of platform uniformity. Twitter would rather you focus on all the interesting things happening on the network, not on what you made your little part of it look like.
… There were many problems with MySpace, but one of the most obvious was the site’s total loss of control over what it looked like, and the unnavigable mess many users made of it. Good luck trying to find the message button on a white page with yellow text overrun with twirling Lisa Frank stickers. I mean, look at this mess. Or this one. Or this one.

Big Data and Analytics. This has implications in other industries.
The Other ‘Moneyball’: Using Analytics to Sell Season Tickets
… Among the main things Horton and Hurwitz were looking for were indications of loyalty, which they determined was a key factor in those who would renew season ticket or multi-game plans. In that context, they said, it is one thing to buy a ticket, but another to use it. For that reason, they mine data from the ticket scanners each major league club uses when fans enter the stadium to attend a game.

Something to integrate into my classes. “Collaboration is the new Black!”
Google Drive Plugin for Microsoft Office Launched for Easier Syncing
Google has made it easier for users to open any Office files stored on Google Drive directly in Office apps, edit them, and save them back to Google Drive. The feature comes with the release of a new plugin by Google for Microsoft Office on Windows, making syncing changes to files stored on Drive easier.
Using the Google Drive plugin, any local files can also be saved on Google's cloud storage platform directly from the Office apps. The feature, however, might be more useful when sharing files with teams or for file access from different devices. To download the plugin, users would have to visit the Google Tools page, simply click on the 'Download' option below, and click on 'Accept and install' for the binary file of 910KB.

(Related) We need to teach collaboration techniques.
How Collaboration and Crowdsourcing are Changing Legal Research
by Sabrina I. Pacifici on Jul 21, 2015
ThomsonReuters/Susan Martin: “Bob Ambrogi, lawyer, consultant and blogger at Law Sites, spoke at a well-attended session this morning at the American Association of Law Libraries (AALL) Annual Meeting. Titled “Playing Well With Others: How Collaboration and Crowdsourcing are Changing Legal Research,” Ambrogi’s presentation began with a light-hearted scolding of lawyers and legal professionals who simply “aren’t very good at sharing.” “Crowdsourcing requires sharing and lawyers tend to be very possessive, so that makes it difficult,” said Ambrogi. He cited the giants like Thomson Reuters, Lexis, and Bloomberg, who take raw legal information and have an army of editors who annotate it, organize it and comment on it. “But we don’t have all those paid people to do this for us when it comes to legal research on the internet. That is where crowdsourcing comes in,” he stated. Ambrogi… shared some examples of crowdsourcing gone wrong, where sites were built and abandoned or simply not updated enough to be effective… He then went on to showcase three examples of great crowdsourced sites:

For my Website students.
Get Your Site Mobile-Ready With 6 Free Emulators

I have to admit, most of my students invent uncommon errors. Some useful resources here.
A Quick Guide to Avoiding Common Writing Errors

Might be worth looking at a few...
Free Windows 10 Ebooks & Information Material to Prepare for the Upgrade

I want to read this more carefully since it seems to be something my students do instinctively.
Information Avoidance
by Sabrina I. Pacifici on Jul 21, 2015
Golman, Russell and Hagmann, David and Loewenstein, George, Information Avoidance (July 17, 2015). Available for download at SSRN:
“We commonly think of information as a means to an end. However, a growing theoretical and experimental literature suggests that information may directly enter the agent’s utility function. This can create an incentive to avoid information, even when it is useful, free, and independent of strategic considerations. We review manifestations of information avoidance as well as theoretical and empirical research on reasons for why people avoid information, drawing from economics, psychology, and other disciplines. The review concludes with a discussion of some of the diverse (and costly) individual and societal consequences of information avoidance.”

I had an interesting call from “The IRS” yesterday. Apparently I was in deep but unspecified doo-doo and unless I called them back immediately they would be confiscating my car, my house and my yacht.
Just for grins I went to the IRS Phishing page to report the incident, but chose not to bother when they wanted me to create an incident number to uniquely identify the tip and leave them my name, address, email, phone number(s) and whatever.
Perhaps they are not really interested in catching (or at least shutting down) these guys. Anyway, I took it as, “Don't bother us unless it's really important.”
