Saturday, August 01, 2015

Make up your mind! You refuse to “officially” blame China, but you're going to retaliate? That's true doublethink, Big Brother.
U.S. Decides to Retaliate Against China’s Hacking
The Obama administration has determined that it must retaliate against China for the theft of the personal information of more than 20 million Americans from the databases of the Office of Personnel Management, but it is still struggling to decide what it can do without prompting an escalating cyberconflict.
The decision came after the administration concluded that the hacking attack was so vast in scope and ambition that the usual practices for dealing with traditional espionage cases did not apply.
But in a series of classified meetings, officials have struggled to choose among options that range from largely symbolic responses — for example, diplomatic protests or the ouster of known Chinese agents in the United States — to more significant actions that some officials fear could lead to an escalation of the hacking conflict between the two countries.
… In public, Mr. Obama has said almost nothing, and officials are under strict instructions to avoid naming China as the source of the attack. While James R. Clapper Jr., the director of national intelligence, said last month that “you have to kind of salute the Chinese for what they did,” he avoided repeating that accusation when pressed again in public last week.
… For Mr. Obama, responding to the theft at the Office of Personnel Management is complicated because it was not destructive, nor did it involve stealing intellectual property. Instead, the goal was espionage, on a scale that no one imagined before. [My Ethical Hacking students did. Bob]
“This is one of those cases where you have to ask, ‘Does the size of the operation change the nature of it?’ ” one senior intelligence official said. “Clearly, it does.”

(Related) Can we blame China or is that not politically correct?
The University is responding to a criminal cyberintrusion through which hackers apparently originating in China gained access to servers at UConn’s School of Engineering. UConn has implemented a combination of measures intended to further protect the University from cyberattack, and to assist individuals and research partners whose data may have been exposed.
UConn IT security professionals, working with outside specialists, have no direct evidence that any data was removed from the School of Engineering’s servers. However the University is proceeding from an abundance of caution by notifying roughly 200 research sponsors in government and private industry, as well as working to determine how many individuals need to be notified about a potential compromise of personal information.
… The security breach was first detected by IT staffers at the School of Engineering on March 9, 2015, when they found malicious software, or “malware,” on a number of servers that are part of the school’s technical infrastructure.
… Related: From their FAQ on Incident:
What did the investigation reveal?
Based on analysis done both internally by the University and by Dell SecureWorks, it was determined that the first penetration of a server on the School of Engineering network occurred on Sept. 24, 2013, with further penetration of the system occurring after that date.

Of course they do. Hackers never pass up a golden opportunity and Microsoft confused users about which Windows 10 would be free, so many stopped paying attention.
Windows 10 rollout gets hijacked by scammers with malicious upgrade email
With millions of people expecting to upgrade to Windows 10 this week, fraudsters have taken advantage of an opportunity to scam some money. Many people have not received an official notification to upgrade, so when an email purporting to be from Microsoft tells them to run an attached file for the upgrade, some people are eager to do it.
To the unsuspecting eye, the email looks quite convincing; it uses the Microsoft color scheme, comes from an address, has a disclaimer message and even includes a message saying that the email was scanned for viruses and passed.
But the email is of course fake and the attached file is CTB-Locker, which is ransomware, a variant of malware.
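The lure above has three tells that a mail-gateway rule or a triage script can check mechanically: a display name claiming a brand whose domain does not match the actual sender, a self-asserted "scanned for viruses" line in the body, and an executable (here zipped, with a double extension) sold as an "upgrade". The following is an added example, not code from the article or from any vendor; the sender domain, filenames and the list of domains allowed to claim the Microsoft brand are constructed assumptions for illustration.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute when a user double-clicks the file.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Assumption for this example: only these domains may legitimately claim to be Microsoft.
BRAND = "microsoft"
BRAND_DOMAINS = {"microsoft.com", "email.microsoft.com"}


def build_message(sender, body, attachment=None):
    """Build an RFC 5322 message; attachment is an optional (filename, bytes) pair."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.org"
    msg["Subject"] = "Windows 10 Free Upgrade"
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        subtype = "zip" if name.lower().endswith(".zip") else "octet-stream"
        msg.add_attachment(data, maintype="application", subtype=subtype, filename=name)
    return msg.as_bytes()


def build_sample_lure():
    """Constructed lure modelled on the one described above; names and domain are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Double extension: Explorer hides the real .exe when known extensions are hidden.
        zf.writestr("Win10_Upgrader.pdf.exe", b"MZ" + b"\x00" * 32)
    return build_message(
        "Microsoft Update <update@microsoft-upgrades.example>",
        "Your free Windows 10 upgrade is ready. Run the attached installer.\n"
        "This email has been scanned for viruses and passed.\n",
        ("Win10_Upgrader.zip", buf.getvalue()),
    )


def _risky_names(filename, data):
    """Return names (the file itself, or members of a zip) carrying an executable extension."""
    names = [filename]
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names.extend(zf.namelist())
        except zipfile.BadZipFile:
            names.append(filename + " (corrupt zip)")
    risky = []
    for n in names:
        parts = n.lower().rsplit(".", 1)
        if len(parts) == 2 and "." + parts[1] in EXECUTABLE_EXTS:
            risky.append(n)
    return risky


def analyze_message(raw):
    """Check a raw message for the tells of the Windows 10 lure; returns verdict and findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Brand in the display name, but the sending domain does not belong to the brand.
    for a in (msg["From"].addresses if msg["From"] else ()):
        if BRAND in a.display_name.lower() and a.domain.lower() not in BRAND_DOMAINS:
            findings.append(f"display name claims {BRAND} but sender domain is {a.domain}")

    # 2. A "scanned for viruses" line written by the sender is decoration, not evidence.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    if re.search(r"scanned for viruses", body, re.I):
        findings.append("body carries a self-asserted antivirus scan notice")

    # 3. Executable, or zipped executable, attachments pitched as an upgrade.
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        for risky in _risky_names(name, part.get_content()):
            findings.append(f"executable attachment: {risky}")

    has_exe = any(f.startswith("executable attachment") for f in findings)
    verdict = "suspicious" if has_exe or len(findings) >= 2 else "clean"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for line in analyze_message(build_sample_lure())["findings"]:
        print(line)
```

The zip is opened in memory and never written to disk, so the script is safe to run over a real quarantine sample; a corrupt archive is reported rather than crashing the triage. A single brand/domain mismatch on its own is left at "clean" because legitimate marketing mail often comes from third-party domains, but an executable attachment is enough on its own.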

Worth reading the whole article...
4th Amendment Lives: Court Tells US Government Get A Warrant If It Wants Mobile Phone Location Info
A potentially big ruling came out of the courtroom of Judge Lucy Koh yesterday, in which she affirmed a magistrate judge's decision to tell the government to get a warrant if it wants to obtain historical location info about certain "target" mobile phones (officially known as "Cell Site Location Info" -- or CSLI). The government sought to use a provision of the Stored Communications Act (a part of ECPA, the Electronic Communications Privacy Act) to demand this info without a warrant -- using a much lower standard: "specific and articulable facts" rather than the all important "probable cause." Judge Koh says that doesn't pass 4th Amendment muster, relying heavily on the important Supreme Court rulings in the Jones case, involving attaching a GPS device to a car, and the Riley case about searching mobile phones.
… Judge Koh points to some survey data from Pew (sent in by EFF) noting that many, many people consider their location information to be "sensitive information" and, on top of that, the fact that CSLI is generated even if someone turns off the GPS or "location data" features on their phone -- meaning they can't even opt out of generating such information to try to keep it private.

Nathan Freed Wessler of the ACLU writes:
A petition submitted to the Supreme Court could settle a key question about the extent of our privacy rights in the digital age.
The ACLU, working with attorneys in Florida, has asked the court to take up Davis v. United States, a case involving warrantless government access to a large volume of cell phone location information. At stake is the continuing vitality of the Fourth Amendment.
Read more on ACLU.

(Related) For one or two cards, I agree. Hundreds of cards looks like probable cause to me.
Orin Kerr writes:
In United States v. Bah, decided July 24th, the U.S. Court of Appeals for the Sixth Circuit handed down the first circuit ruling on whether skimming a credit card — swiping the card through a magnetic reader to find out the number and name stored inside — is a Fourth Amendment search. The court ruled that the answer is “no.” I think that’s wrong, and that the answer should be “yes.”
Continue reading on The Volokh Conspiracy.

It's not really new. It shows no details. But look! It's a map! (Whoop-de-do)
Exclusive: Secret NSA Map Shows China Cyber Attacks on U.S. Targets
A secret NSA map obtained exclusively by NBC News shows the Chinese government's massive cyber assault on all sectors of the U.S economy, including major firms like Google and Lockheed Martin, as well as the U.S. government and military.
The map uses red dots to mark more than 600 corporate, private or government "Victims of Chinese Cyber Espionage" that were attacked over a five-year period, with clusters in America's industrial centers.
… Each dot represents a successful Chinese attempt to steal corporate and military secrets and data about America's critical infrastructure, particularly the electrical power and telecommunications and internet backbone.
… The map was part of an NSA briefing prepared by the NSA Threat Operations Center (NTOC) in February 2014, an intelligence source told NBC News.

Did they just figure this out? More likely they want to be able to point out that “We told you so!”
Homeland Security warns drones could be used in attacks
CBS News has learned that the Department of Homeland Security has sent an intelligence assessment to police agencies across the country about drones being used as weapons in an attack.
The bulletin went out Friday and warned that unmanned aircraft systems or drones could be used in the U.S. to advance terrorist and criminal activities.
… the release of a bulletin dedicated to the threat from UAS is unusual. The bulletin does not mention any specific upcoming events authorities are concerned about but points to the overall security challenges drones present.

If one parent wants a camera, but the others do not, who wins?
Eva-Marie Ayala reports:
Texas special education advocates say a new law requiring video cameras in some classrooms will protect those students most at risk of being abused.
The law says school districts must install cameras in special education classrooms if parents, teachers or school staffers request them. The law also requires that parents be allowed to view the videos.
The new law limits the list of those allowed to watch a video. That includes a parent or school employee who is involved in an incident, police officers, nurses, staff trained in de-escalation and restraint techniques, and state authorities who could be investigating.
The thrust of the article is concern over costs pitted against concerns about protecting vulnerable students. There’s no specific mention of FERPA in this article, but the reference to federal student privacy laws suggests that there may be a FERPA issue brewing here. Can parents view videos of other people’s children if those children are caught on camera during an incident involving their child? It sounds likely that they could. What privacy rights does the other student and their parents have?
Are classroom videos “education records” under FERPA? If so, how do you allow parents to access their child’s records but protect other children’s? This could get messy and even more costly quickly. Not that it’s not a good idea to protect the most vulnerable children who often can’t tell us what’s happened to them, but I do see some student privacy concerns here.

More government disconnect? Still hiring like it's 1955?
Federal Bureau of Investigation understaffed to tackle cyber threats
The U.S. Department of Justice released a report underlining the FBI’s difficulty in attracting and keeping computer scientists for its cybersecurity program, mainly due to low wages, Reuters reported yesterday (July 30).
The DOJ Inspector General called on the FBI to measure timeliness of the information sharing, work harder to hire computer scientists, continue developing new strategies for recruiting, hiring and retaining cyber professionals and ensure changes to the Cyber Division are strongly communicated.
The Bureau spent $314 million on the program in 2014, which included 1,333 full-time workers, but only 52 computer specialists had been hired by the end of January, 2015.
The average salary offered to a cybersecurity expert by FBI is significantly lower than that offered to candidates in the private sector, according to the Office of the Inspector General.

(Related) Gizmodo was more blunt.
FBI Struggling With Cybersecurity Because Of Shit Pay And Drug Tests

(Related?) Is Dilbert suggesting a way for the FBI to learn about technology?

Reading these articles is kind of like going to law school, but cheaper.
Kate Groetzinger reports:
…. Unfortunately for [Sandra Bland] —and for anyone else who is pulled over and asked to step out of their car—her rights are murky. Even though the Fourth Amendment guarantees citizens will not be subjected to unreasonable searches and seizures, it hasn’t been able to protect drivers from this particular invasion of privacy since 1977.
Two major Supreme Court decisions in the past half-century have eroded the Fourth Amendment’s power in an effort to protect police in the line of duty.
Read more on Quartz, where Groetzinger describes the impact of the Terry and Mimms rulings.

Privacy Laws in Asia – free download available
by Sabrina I. Pacifici on Jul 31, 2015
Bloomberg BNA – “With its critical impact on the world economy and global trade, privacy legislation in Asia has been extremely active in the last several years. A recently released report, Privacy Laws in Asia, written by Cynthia Rich of Morrison & Foerster LLP for Bloomberg BNA, analyzes commonalities and differences in the privacy and data security requirements in countries including Australia, India, Hong Kong and more. This report gives you at-a-glance access to:
  • A side-by-side chart comparing four key compliance areas, including registration requirements, cross-border data transfer limitations, data breach notification, and data protection officer requirements.
  • A country-by-country review of the differences and special characteristics in the law, as well as a look at privacy legislation in development.
  • Explanations of the common elements of the laws in 11 jurisdictions with comprehensive privacy laws with regards to Notice, Opt-In and Consent issues, Data Retention, and more.”

And again, ditto.
Last Thursday, France’s constitutional court—le Conseil constitutionnel—issued a ruling upholding most of that country’s controversial new surveillance law, enacted in the wake of the Charlie Hebdo terrorist attacks. Francophones can read the untranslated decision here.
The legislation grants the French government sweeping new powers to monitor suspected terrorists. Among other things, the law authorizes warrantless wiretaps; officials need not obtain a court order before conducting electronic surveillance but rather must receive permission from a special administrative body. The law also requires telecommunications carriers and internet service providers to install “black boxes” on their networks, which the government can use to collect and analyze users’ communications metadata. The court’s largely favorable ruling means the law will now go into effect.

We don't have a Law School but we have a few Big Data wonks, so perhaps we could partner with one to do some innovative legal research?
Univ of Toronto virtual legal research database uses IBM Watson
by Sabrina I. Pacifici on Jul 31, 2015
“The University of Toronto team that built a virtual legal research database [video demonstration is embedded in this article] for the IBM Watson Cognitive Computing Competition made it to the final round of the top three before finishing the competition in second place… The contest began when International Business Machines Corp. (IBM) asked 10 elite schools, including Stanford, Carnegie Mellon and U of T, to put together teams at each university using its famous Jeopardy-playing super-computer, named Watson. U of T was the only Canadian institution invited to participate; its computer science department was recently ranked among the top 10 computer science departments worldwide in the prestigious Shanghai Jiao Tong University’s Academic Ranking of World Universities. (Read more about the decision to bring Watson to U of T.)

Still no hint of an alternative system for delivering classified information to the Secretary of State. This would go away if State could point to a secure delivery method that was always in place. I suspect there was no other system.
John Solomon and S. A. Miller report:
The U.S. intelligence community is bracing for the possibility that former Secretary of State Hillary Rodham Clinton’s private email account contains hundreds of revelations of classified information from spy agencies and is taking steps to contain any damage to national security, according to documents and interviews Thursday.
The top lawmakers on the House and Senate intelligence committee have been notified in recent days that the extent of classified information on Mrs. Clinton’s private email server was likely far more extensive than the four emails publicly acknowledged last week as containing some sensitive spy agency secrets.
Read more on Washington Times.

(Related) Another amusing factoid.
Hillary Clinton Emails: 1,300 Messages From Private Account Released
… Ironically, one email posted today shows Clinton in 2009 asking her chief of staff to borrow a book on email etiquette called "SEND: Why People Email So Badly and How to Do It Better," by David Shipley.

Perspective. You can't tell the winners without a scorecard!
Uber Speeds Past Facebook as Quickest to $50 Billion Value Level
Uber just closed a new round of funding that will value the company at more than $50 billion, according to The Wall Street Journal.
The newspaper says that Uber raised close to $1 billion in the round, which brings the total amount of equity financing the company has raised to more than $5 billion.
Previously, Facebook had been the only venture-backed private company to sport a $50 billion valuation. But it took Facebook a good deal longer to hit that level: eight years, compared with Uber's five.
Facebook, which subsequently went public, is now worth just over $260 billion.

Interesting choice for stalkers and pedophiles?
Things You’ll Wish You Knew Before Your Kids Started Using Kik
Kik is a free texting app, with a user-base of around 50 million (so really small, compared to WhatsApp). iTunes gives it a rating of 17+, but despite that, people much younger (as young as 13) use it on a regular basis. But for some strange reason, Google Android rates it 12+. Not sure what is going on there.
Where Kik sharply differs from WhatsApp however, is that WhatsApp works with the user’s mobile phone number, as the “username”. Kik, on the other hand, requires no phone number — just an invented username. Therefore, as well as smartphones, you can also install Kik on iPod Touch and iPads (which have no phone capabilities and are therefore commonly given to tweens).

For our Business Intelligence students. We teach them to use the Intelligence they generate.
Companies Collect Competitive Intelligence, but Don’t Use It

Free is good!
Free eBook: ‘The Path to Value in the Cloud’
Today, we have an awesome free eBook called “The Path to Value in the Cloud” that will show you key things you need to know to make the Cloud an important part of your business. It’s short enough that you’ll be able to read through it in one sitting, but it’s packed with valuable information that you’ll most definitely want to use for your business.

I like to make sure my students know of the free options.
Which Office Suite Is Best for You?
