Saturday, March 07, 2015
Bold, innovative, worth emulating! Technology from the 1990s (1994 to be specific) arrives in Washington!
The Federal Trade Commission has enabled secure encrypted browsing on its entire government website.
… Some government websites use this security layer throughout their entire site, while others do not. Soltani noted that it is a best practice, even though it is not a requirement for federal websites “at this time.”
… “As a quick primer, HTTPS encryption secures your communications while in transit with websites so that only you and the website are able to view the content,” he wrote.
Perhaps redundant, but worth repeating.
Last week Director of National Intelligence James Clapper released the 2015 Worldwide Threat Assessment of the US Intelligence Community and testified about it before the Senate Armed Services Committee. “Cyber” tops the list of “global threats” again this year. As others have noted (see here and here), the Assessment and DNI Clapper’s opening statement contained a number of reveals, including attributing the 2014 attack on the Las Vegas Sands Corporation to Iran and announcing that “the Russian cyber threat is more severe than we’ve previously assessed.” I want to focus in this post on a few additional issues raised by the Assessment: its effort to shift the debate on the nature of cyber risk; its emphasis on threats to integrity of information; and its repeated references to private parties as actors in national cyber strategy.
Something for my Computer Security students to consider. Might make a good paper... Threats are increasing as costs fall. New “Things” need to be secured. Most security isn't that secure. But there are new tools to help.
Bracing for the Cyberthreat Deluge
Almost 17,000 malware alerts surface every week, the Ponemon Institute recently found.
Only 4 percent of alerts were investigated, and traditional antivirus products missed nearly 70 percent of malware in the first hour, researchers discovered in a recent Damballa study.
Rescanning led to identification of 66 percent of the malware in 24 hours and 72 percent after seven days. It took AV products more than six months to create signatures for 100 percent of the malware.
… Phishing attacks are only going to become easier, because the level of technological knowledge needed to launch them is falling. Cybercriminals are building and selling phishing kits for between US$2 and $10, according to Symantec.
… Most companies "are only investing in security to check the box," remarked Ray Suarez, director of product management at Core Security.
"About 10 percent of the companies I talk to are serious about security and approaching it appropriately," he told TechNewsWorld.
At large companies, there are "often only two or three people who are in charge of 50,000-plus assets, and ... so they are totally reactive," Suarez said.
… Things will get even worse as the Internet of Things becomes more widespread.
Right now, 50 percent of manufacturers surveyed by IDC and Flexera Software said they had developed intelligent devices, and another 21 percent planned to make their devices intelligent over the next two years.
… Rapid discovery and remediation can prevent damage, he maintained. Even if a network has been hacked, antifraud solutions might help.
One example is a device-based authentication service from Iovation. It checks the device used at every online transaction to authenticate that it belongs to the account holder.
Think of this as an opportunity to suggest some collaboration tools?
The head of the CIA is ordering sweeping structural changes he says will allow officials to wield new technological powers and face down threats.
… As one major part of the shake-up, Brennan on Friday announced a new focus on the “digital revolution” by prioritizing cybersecurity issues and new technology.
To do so, the agency is creating a new office responsible for making sure that workers across the CIA are integrating digital tools into their work. [Not the way to do it. Bob]
“Once is an accident. Twice is coincidence. Three times is an enemy action.” (Ian Fleming) Just saying.
A Third Blast on Oil Trains Stirs Scrutiny
For the third time in less than a month, a train carrying flammable crude oil has derailed and burst into flames, prompting questions over whether stricter measures being considered to ensure their safety will be enough.
All three accidents involved a newer generation of tank cars that are supposed to be sturdier and safer than older models.
I look forward to laughing at education every week.
Hack Education Weekly News
… Legislators in Arizona have decided to completely eliminate state support for its three largest community college districts, including Maricopa and Pima. More details via Inside Higher Ed.
… Wyoming governor Matt Mead has signed a bill that will allow the topic of climate change to be taught in the state.
… Alibaba and Peking University are launching a MOOC platform.
… “Some Owners of Private Colleges Turn a Tidy Profit by Going Nonprofit.” [Why else would they? Bob]
… Versal, a startup that allows anyone to make online lessons, has left beta and partnered with Wolfram Research. (Wolfram gadgets will be available to Versal users.)
For my Statistics students. Know when to fold 'em.
Bluff too often, get called too often.
Bluff too seldom, never get called.
To Bluff or Not to Bluff
Game theorists take a different view on bluffing. For Ehud Kalai, a professor of managerial economics and decision sciences at the Kellogg School and founding editor of Games and Economic Behavior, bluffing is primarily computational, not psychological. To win in any strategic game, it pays to be unpredictable, and game theory offers models for how to keep one’s opponent guessing.
“It’s straight mathematics,” Kalai says. “If I bluffed all the time, obviously my bluffing would be ineffective. But it’s not effective to under-bluff, either, because then I’m not making enough use of my reputation as a non-bluffer. If you never bluff, or bluff very rarely, you can use this reputation to bluff more effectively and increase your long-term winnings.”
For my Data Management and Business Intelligence students. (and a do-it-yourself guide)
How to Become a Data Scientist
Data science has gone from a newly coined term in 2007 to being one of the most sought-after disciplines in the professional world. But what does a data scientist really do? And how can you break into the field? Here’s what you need to know if you’re looking to get the skills to become a data scientist.
Dilbert forecasts how women will achieve parity.
Friday, March 06, 2015
No matter how logical it was to hold off on the audit (and there are many good reasons to do so), the perception will be that they were not concerned about security.
Shaun Nichols reports:
A year or so before American health insurer Anthem admitted it had been ruthlessly ransacked by hackers, a US federal watchdog had offered to audit the giant’s computer security – but was rebuffed.
And, after miscreants looted Anthem’s servers and accessed up to 88.8 million private records, the watchdog again offered to audit the insurer’s systems, and was again turned away.
No real surprise there, as now that everyone’s suing them, why would they want an audit that could become more fodder for litigation? [To confirm they had found and fixed all the problems? Bob]
But why did they decline last year?
“We do not know why Anthem refuses to cooperate,” government officials told The Register today.
The Office of the Inspector General (OIG) for the US Office of Personnel Management (OPM) told us it wanted to audit Anthem’s information security protections back in 2013, but was snubbed by the insurer.
According to the agency, Anthem participates in the US Federal Employees Health Benefits Program, which requires regular audits from the OIG, audits that Anthem allegedly thwarted. Other health insurers submit to Uncle Sam’s audits “without incident,” we’re told.
Will Anthem live to regret its decision not to permit an audit last year? And will HHS/OCR take that refusal into account in its own investigation of the Anthem breach?
Interesting that civilian researchers are “discovering” techniques that the military has been using for decades. Perhaps next they will realize that they do not need to break encryption to determine who is calling whom.
Researchers can work out your location based on who you talk to on Twitter
Researchers from Cornell University have worked out how to track Twitter users' locations — even when they have location services disabled.
A paper from Ryan Compton, David Jurgens and David Allen explains a new method for tracking the location of Twitter users to around 6km based on who they interact with. Using the method, the researchers say, they're able to "geotag over 80% of public tweets."
(Related) A way to “discover” what can be learned from metadata. I wonder if US companies would see this as a significant (money making) idea?
Simon Sharwood reports:
Australia’s dominant carrier, Telstra, will give its customers the chance to access their metadata, for a fee.
The new policy, explained in a post from chief risk officer Kate Hughes, is based on the principle that “offering the same access to a customer’s own metadata as we are required to offer to law enforcement agencies.”
Hard to block all access on the Internet, but 100,000 is a very small percentage of the population.
A British-made documentary about a grisly gang rape in India spread throughout social media on Thursday, thwarting official efforts to block it and gaining a wide audience despite a government ban.
A spokesman for YouTube in India, Gaurav Bhaskar, said that the company had agreed to a government request to block channels of multiple users who had uploaded the documentary. The original link posted by the BBC, however, was still available, he said. By Thursday night, the film had been viewed more than 100,000 times from that link, not including viewings from other sources.
This talk could have been titled, “Once upon a time, we had this thing called Privacy”
Andy Yen: Think your email's private? Think again
Sending an email message is like sending a postcard, says scientist Andy Yen in this thought-provoking talk: Anyone can read it. Yet encryption, the technology that protects the privacy of email communication, does exist. It's just that until now it has been difficult to install and a hassle to use. Showing a demo of an email program he designed with colleagues at CERN, Yen argues that encryption can be made simple to the point of becoming the default option, providing true email privacy to all.
[Also see: https://protonmail.ch/]
The implications of your new hip, or pacemaker as just another thing on the Internet of Things? We have no group we trust to gather, store and analyze sensitive data and take all our personal secrets to the grave. No matter how beneficial, we expect to see our data compromised.
Medical device surveillance on the horizon
Thousands of people around the world have been exposed to toxic chemicals generated by their metal hip implants. Similarly, many patients have contracted infections from pieces of implanted mesh used in hernia-repair surgery, even though materials less prone to causing complications were available.
In these cases, and many more like them, experts say the health care system is failing to quickly detect and react to problematic medical devices. It’s all the more puzzling because the health care system is generating more data than ever on patients, and the safety gaps in the system have long been recognized by Congress and health care researchers.
Quicker detection and communication could spare scores of patients from suffering complications, if researchers could tap the vast troves of health data that doctors and hospitals have begun to collect on their patients.
That’s why harnessing the potential of data on patients is one of the main goals of a national device surveillance system proposal being unveiled Monday by the health care arm of the Brookings Institution, the Washington think tank.
The report, “Strengthening Patient Care,” written at the behest of the Food and Drug Administration’s device-safety division, lays out an ambitious seven-year, $250 million proposal to study and then launch the National Medical Device Postmarket Surveillance System.
Every state will need laws that address drones. I wonder how many will bother to pass them.
Derrick Nunnally reports:
The Washington state House of Representatives passed a series of bills Wednesday to strengthen privacy rights against emerging incursions from surveillance technology and drone aircraft.
Under the bills sent to the Senate by wide, bipartisan margins, it would become a state misdemeanor and civil liability for a private citizen to use a drone to peep on another person, and police would need specific legislative permission to buy new drones or other types of advanced surveillance technology.
And a piece of technology already in use by police to sweep up data from cellphone signals would require a warrant for any future usage.
Read more from AP on KOMO News.
I wonder if Google runs their business through their smartphones? The “little guys” Google is partnering with are the ones in direct contact with users.
Android for Work pushes Google further into enterprise
Google's push into the enterprise gained steam last week when the company finally launched Android for Work, a containerization platform and standalone app for older Android devices that lets IT administrators create separate corporate and personal workspaces on Android smartphones and tablets.
Android for Work is Google's latest attempt to address two of Android's most significant challenges for IT: security and fragmentation. The latest version of Android, v5.0, known as "Lollipop," now supports separate spheres for personal and work. Devices running older versions of the OS can access some of the same features in a separate Android for Work app.
Google is taking a partner-centric approach in hopes of encouraging more businesses to adopt Android for enterprise applications and protocols. To this end, the company partnered with many well-known enterprise mobility management (EMM) providers, including BlackBerry, Citrix, IBM, MobileIron, SAP, Soti and VMware.
Four one-hour talks. Might be worth watching.
Join Me for An Afternoon of Free Webinars About Google Apps
On March 31st Simple K12 is hosting an afternoon of free webinars about Google tools for teachers. The webinars will start at 1pm Eastern Time and run until 5pm Eastern Time.
These free webinars are designed for folks who are new to using Google tools. Teachers who would like to pick up some tips for teaching others how to take advantage of the great things that Google has to offer will also enjoy the content of these webinars.
Click here to register for this free PD opportunity.
… We will make the recordings available for 2 weeks following the event.
First, I need to get my students to talk in class. Then I might try this collaboration stuff.
10+ No-Signup Collaboration Tools You Can Use in 10 Seconds
- No sign-up
- No download
- Shareable link
- Quick to start (10 seconds or less)
- Accessible from any Internet-enabled device
An infographic that covers almost everyone. Then there are us non-users who completely ignored the fad.
9 Types of Facebook Users – Which One Are You?
Have you heard of a website called Facebook? Of course you have! It’s one of the most popular sites on the Internet. Everyone and their mom (literally) is on the social network for one reason or another, and comically, most users seem to fall into one of nine different categories.
Thursday, March 05, 2015
An apology. Please forgive my earlier post on this topic. I should have known the Computer Security people at the State Department would have raised this issue. Just as I should have known they were ignored.
State Department cybersecurity staffers warned Hillary Clinton's office that the secretary's private email service was more vulnerable to hackers than the agency’s email service, Al Jazeera reported.
“We tried,” an unnamed current employee told Al Jazeera. “We told people in her office that it wasn’t a good idea. They were so uninterested that I doubt the secretary was ever informed.”
… it’s also led many to wonder whether the secretary exposed department information to hackers by relying on an email server with weak security measures.
… noncommercial servers rarely contain the layers of digital security offered by commercial data centers. Additionally, State Department networks benefit from government programs that continuously monitor for intrusions and unusual activity.
… The State Department has insisted no classified emails were sent through Clinton's personal account. [Lack of a classification stamp or header does not mean the data contained didn't require classification. Perhaps when State actually looks at the rest of the emails they will change their mind? Bob]
Background for my Computer Security students.
The History of Biometric Security, and How It’s Being Used Today
… While law enforcement, and high-security facilities have been using biometric identification for decades, we’re now living in a world that is making a real push toward biometrics for both identification and access-based technology in consumer goods.
This push is bleeding into consumer markets in the form of fingerprint scanners for automobiles, laptops and mobile devices, facial recognition technology in computer software, and iris recognition used in ATMs in some corners of the globe.
This should be amusing. Might be fun to sic my Data Analysis students on it.
Canadian Journalists for Free Expression (CJFE) is excited to announce the launch of the Snowden Archive, a comprehensive database of all of the documents published to date from the Snowden leak.
Created in partnership with the Faculty of Information at the University of Toronto, the Archive is the world’s first fully indexed and searchable collection of publicly released Snowden documents.
The Archive is a powerful resource for journalists, researchers and concerned citizens to find new stories and to delve deeply into the critically important information about government surveillance practices made public thanks to Edward Snowden.
… The Snowden Archive and additional information on the project can be found at cjfe.org/snowden
For my Computer Security students. A summary of 600,000+ incidents (all in 2014).
Annual Report to Congress: Federal Information Security Management Act
Annual Report to Congress, February 27, 2015: “As cyber threats continue to evolve, the Federal Government is embarking on a number of initiatives to protect Federal information and assets and improve the resilience of Federal networks. OMB, in coordination with its partners at the National Security Council (NSC), the Department of Homeland Security (DHS), and other agencies, helps drive these efforts in its role overseeing the implementation of programs to combat cyber vulnerabilities and threats to Federal systems.
… The fiscal year (FY) 2014 FISMA report provides metrics on Federal cybersecurity incidents, the efforts being undertaken to mitigate them and prevent future incidents, and agency progress in implementing cybersecurity policies and programs to protect their networks. FY2014 proved to be a year of continued progress toward the Administration’s Cybersecurity Cross Agency Priority (CAP) Goal, which requires agencies to “Know Your Network” (Information Security Continuous Monitoring), “Know Your Users” (Strong Authentication), and “Know Your Traffic” (Trusted Internet Connection Consolidation and Capabilities).”
(Related) What makes this report worth $4300? (I'll probably never know)
Identity Fraud Cost U.S. Consumers $16 billion in 2014
Identity thieves were busy during 2014, but a new study estimates that U.S. consumers actually suffered fewer losses than in the past.
According to the 2015 Identity Fraud Study from Javelin Strategy & Research, the number of identity fraud victims decreased slightly last year, dropping by three percent from 2013. All totaled, Javelin estimates 12.7 million U.S. consumers were victimized in identity theft in 2014, compared to 13.1 million the previous year. Total fraud losses fell as well, dropping from $18 billion in 2013 to $16 billion in 2014.
The joys of Big Data.
Bob Parks reports:
The NYPD is paying $442,500 for a three-year subscription to Vigilant Solutions’ database of 2.2 billion licence plate images of cars across America, according to Ars Technica. Advocates in law enforcement say the tool will help find suspects faster. Privacy advocates contend it could dramatically increase the police’s ability to catalog and predict the movements of everyday Americans.
Read more on BoingBoing.
[From the Ars Technica article:
"It could take a decade or more for a constitutional challenge to warrantless license plate tracking to reach the Supreme Court, if it ever does," she wrote by e-mail. "In the meantime, police nationwide have far too much power to track the movements of totally law abiding people. Legislatures in the states and congress must act quickly to pass laws bringing license plate reader technology in line with the golden rule of American criminal jurisprudence: the probable cause warrant."
… According to the New York Daily News, the NYPD will soon have access to the Vigilant database that will allow investigators to “virtually stake out a location." The system also alerts law enforcement when a wanted vehicle turns up well outside of the Big Apple. Vigilant’s software even includes the ability to perform “associate analysis” to figure out who that target frequently drives with. [Meaning “drives where the suspect drives?” Bob]
… Vigilant requires that its licensees—law enforcement agencies—not talk publicly about its LPR database. According to the 2014 edition of its terms and conditions: "This prohibition is specifically intended to prohibit users from cooperating with any media outlet to bring attention to LEARN or LEARN-NVLS."
Privacy down under.
Caroline Bush and Amanda Graham of Clayton Utz write:
Although there is some legislative protection for Australians’ personal information, it doesn’t extend to every instance of what might be considered as an invasion of privacy. Courts in the United Kingdom have found that the cause of action of breach of confidence may provide a remedy for people who are seeking to protect their privacy in the absence of a statutory cause of action – and Australian courts are beginning to follow them, as the recent Western Australian decision of Wilson v Ferguson WASC 15 highlights.
Read more on Clayton Utz.
Privacy across the pond.
Jennifer Baker reports:
Activists have leaked the latest draft of Europe’s planned data protection law – which is supposed to safeguard Europeans’ personal information when in the hands of businesses and governments.
The proposed rules have been agreed by the European Parliament. Now Euro nations’ government ministers, who sit on the Council of the European Union, are tearing the text apart, and rewriting large chunks of it.
The 305-page document [PDF] – obtained and published by Privacy International, EDRi, Access and the Panoptykon Foundation – shows the changes put forward by the council. The four civil-liberties groups say ministers are effectively ruining any chance of real data protection in the EU.
The law is imperfect and there is a difference between legal and wise. This may be a good article to start that discussion. What would have tipped this over the edge?
Stephanie Castillo reports:
The University of Oregon (UO) is under fire for using a student rape victim’s therapy records against her after she sued the campus for mishandling her sexual assault case.
FERPA is a federal law that protects the privacy of students’ “education records.” These records refer to records directly related to a student, plus records “maintained by an educational agency or institution or by a party acting for the agency or institution,” the U.S. Department of Education reported. While medical and psychological treatment records are not defined as education records at colleges and universities, “an eligible student’s treatment records may be disclosed for purpose other than the student’s treatment, provided the records are disclosed under one of the exceptions to written consent.” One such exception is a lawsuit.
Read more on Medical Daily.
“One must keep one's largest market.” That rule overrides the “One must protect customer privacy.”
Apple already agreed to the tough Chinese rules that Obama is furious about
Obama's sharp criticism on China's new rules for foreign technology companies has been undermined by the fact that Apple has already agreed to the plans, Quartz reports.
… As previously reported, Apple agreed in January to allow the Chinese authorities to conduct "security audits" on its products to ensure it's not sharing user data with the US government.
Alibaba opens first U.S. data center, challenging Amazon in the cloud
Alibaba is opening a data center in Silicon Valley — its first outside of China — stepping up its competition with Amazon and ultimately hoping to get U.S. companies to start using its cloud computing services.
The company’s Aliyun cloud-computing subsidiary announced the move overnight, describing it as part of a new effort to serve customers globally. A spokeswoman says the company “will initially target Chinese enterprises based in the United States with the plan to gradually expand its products and services to international clients in the second half of this year.”
Higher prices have support, but what about splitting that revenue?
… Compensation for songwriters whenever a song is bought online or in a CD is set by the federal Copyright Royalty Board and is currently 9.1 cents. Critics say that's far too low and argue that the market -- not the government -- ought to be setting the prices for how much songs are worth. The Songwriter Equity Act would have the Copyright Royalty Board set compensation levels equivalent to their fair market value. It would also broaden the scope of evidence that the federal rate court can look at when determining how much to pay songwriters when their songs are performed publicly.
How Boeing gathers Big Data.
Why big data matters to Boeing, and what it means for your next flight
… “On a plane where we have 8,000 sensors capturing the 8,000 data points per second … if we extrapolate that for more than 5,000 planes … and optimizing that and providing sort of real-time optimization, (that) is where there is a huge benefit for our customers,” said Rao. “But it is also a great opportunity for our company as far as a revenue generation standpoint.”
In total, Rao said Boeing is sitting on a treasure trove of about 100 Petabytes of data, and now the company is looking to unlock that in new ways, benefiting its carrier customers and future flyers.
Taylor Swift has good IP lawyers?
Taylor Swift, Trademarks and Music’s New Branding Model
If you’re ready to “party like its 1989,” you’ll have to talk to Taylor Swift first. The pop star recently applied to trademark that phrase and others related to her songs — a move that marks a shift in the industry, as artists, songwriters and music publishers increasingly become independent brands.
… Swift’s trademark quest could work out fine, or it could backfire, according to R. Polk Wagner, a professor at the University of Pennsylvania Law School.
… “It’s a smart move,” adds Christopher Jon Sprigman, law professor at New York University’s School of Law.
Reid Hoffman’s Two Rules for Strategy Decisions
Reid Hoffman — the co-founder and chairman of LinkedIn and partner at the venture capital firm Greylock — is a preeminent Silicon Valley strategist.
… Reid’s first principle is speed. One of his most popular quotes is, “If you aren’t embarrassed by the first version of your product, you shipped too late.” Another is, “In founding a startup, you throw yourself off a cliff and build an airplane on the way down.”
… Reid’s second principle is simplicity — simplicity enables speed.
Pour le encourage les students. At least my geeky students.
Developing IoT Apps Is Easier Than You Think
Networkable sensors (and these could be anything from cameras and GPS receivers to temperature, pressure or humidity sensors) are available off the shelf and are cheap to buy. They may also be incorporated into equipment your company already owns or purchases, like vending machines, vehicles or refrigeration units.
Tools for my students. Make that outline look geekier?
Two Tools for Turning Outlines Into Mind Maps
Some students prefer to see ideas organized in an outline style while others see large concepts better when they're in a mind map format. Text 2 Mind Map and MindMeister's Google Docs Add-on bridge the gap between the outline format and the mind map format. Both tools allow you to type an outline then see that outline turned into a mind map.
To create a mind map on Text 2 Mind Map, type out an outline in the text box. After typing your outline, click "draw mind map" to have your mind map created for you. If after creating your mind map you need to add more elements, just add them into your outline and click "draw mind map" again. Your mind map can be downloaded as a PDF or PNG file. The mind maps that you create on Text 2 Mind Map can also be shared via email, Facebook, or Twitter.
To create a mind map with MindMeister's Google Docs Add-on create a bullet point list in your document. Highlight your list then select the MindMeister Add-on and click "insert as mind map." A mind map will then be generated based on your list. There are a couple of tips to note about MindMeister's Add-on. First, you cannot edit the position of cells in the mind map. Second, you must use bullet points or number lists generated by the list menus in Google Docs. I tried just selecting a list without the bullet points and MindMeister didn't create a mind map for me.
Another tool for my students.
How to Emulate Android and Run Android Apps on Your PC
In many cases, Android apps are superior to desktop apps. They’re compact, often better written, and have a low resource footprint.
… several methods are available for you to choose from that will enable you to run virtually any Android app on Windows, Linux, or Mac OS X.
For the Unix students.
Linux Treasures: 11 Sublime Native Linux Apps That Will Make You Want To Switch
For my Ethical Hackers? Sometimes just one idea is worth reading the article.
5 Email Tools & Utilities You Should Try
Have you ever been in a situation where you needed to find the email address of someone at a company, but you couldn’t find it? Or perhaps you just need a faster way to look for the address? Then Thrust is your go-to service.
Just enter the person’s name and the company they work for, and Thrust will start looking for their email. When it has found it, there will be a clickable link to open a new email window with the address already pre-populated and ready to go.
A tool of immediate value to my students. (Hint, hint!)
Tagboard - Follow Hashtags from Multiple Networks in One Place
Tagboard is one of the tools that we looked at today in my NCTIES15 workshop about blogs and social media. Tagboard is a free tool that allows you to enter any hashtag like #NCTIES15 and view all of the Tweets, Instagram pictures, Facebook posts, Google+ posts, and Vine posts associated with that hashtag. All of the posts are displayed in a bulletin board/ grid display. You can reTweet and or reply to messages while viewing Tagboard, provided that you are signed into your Twitter account.
One of the things that I always mention in my talk about online personal learning networks is that you don't have to always be connected in order to benefit from having an online PLN. You can check in for fifteen to thirty minutes per day during the commercial breaks of your favorite television show and glean a lot of useful information in that time. A tool like Tagboard could enable you to catch up even faster because you will see more messages in the same amount of screen space. You can also participate in multiple social networks from the same screen while using Tagboard.
Dilbert explains the downside of discriminating against women.
Wednesday, March 04, 2015
Local. Similar to many other PoS breaches.
Natural Grocers Investigates Data Breach
The incident has been contained, and the company said law enforcement is investigating the matter. So far, Natural Grocers has not received any reports of fraudulent use of customer information, and there is no evidence any PIN numbers or card verification codes were accessed.
… "While its investigation is ongoing, Natural Grocers has accelerated pre-existing plans to upgrade the point-of-sale system in all of its store locations with a new PCI-compliant system that includes point-to-point encryption and new pin pads that accept “chip and PIN” cards," the company said in a statement.
… According to security blogger Brian Krebs, the attackers broke into Natural Grocers just before Christmas by attacking vulnerable database servers. From there, they were reportedly able to pivot around the network and infect the PoS systems.
[From the Krebs article:
Perhaps they aren’t reporting the fraud to Natural Grocer, but banking sources have told this author about a pattern of card fraud indicating cards stolen from the retailer are already on sale in the cybercrime underground.
“Gosh, it looked Okay to us!”
Brian Krebs reports:
A public hospital in Washington state is suing Bank of America to recoup some of the losses from a $1.03 million cyberheist that the healthcare organization suffered in 2013.
In April 2013, organized cyber thieves broke into the payroll accounts of Chelan County Hospital No. 1, one of several hospitals managed by the Cascade Medical Center in Leavenworth, Wash. The crooks added to the hospital’s payroll account almost 100 “money mules,” unwitting accomplices who’d been hired to receive and forward money to the perpetrators.
On Thursday, April 19, and then again on April 20, the thieves put through a total of three unauthorized payroll payments (known as automated clearing house or ACH payments), siphoning approximately $1 million from the hospital.
Read more on KrebsOnSecurity.com.
[From the article:
“Craig Scott, a Bank of America employee, contacted the Chelan County Treasurer’s office later that morning and asked if a pending transfer request of $603,575.00 was authorized,” the complaint reads. “No funds had been transferred at the time of the phone call. Theresa Pinneo, an employee in the Chelan County Treasurer’s Office, responded immediately that the $603,575.00 transfer request was not authorized. Nonetheless, Bank of America processed the $603,575.00 transfer request and transferred the funds as directed by the hackers.” [Oops! Bob]
Interesting, but not much detail.
… Fraud in the so-called Yellow Path is “growing like a weed, and the bank is unable to tell friend from foe,” Abraham wrote in a blog post on Feb. 22. “No one is bold enough to call the emperor naked.”
He estimated that it’s not unusual to see fraud account for about 6 percent of Apple Pay transactions compared with 0.1 percent using a traditional credit or debit card, according to the Wall Street Journal.
… The White House recently announced that Apple Pay would be available as an alternative to federal payment cards in systems like GSA SmartPay. The service will also be available for transactions with national parks.
Apple has said the service is designed to be “extremely secure” and suggested the banks may be at fault for the verification of fraudulent cards.
(Related) The Yellow Path.
Amid Apple Pay fraud, banks scramble to fix Yellow Path process
… According to reports, criminals have been setting up iPhones with stolen personal information, then calling banks to authenticate a victim's card on the new device. This is so-called "Yellow Path" authentication, in which a card isn't automatically accepted (Green Path) or rejected (Red Path), but requires additional provisioning by the bank to be added to Apple Pay.
The joys of politically motivated technology restrictions? (Failure to pass Economics 101 leads to many other failures?)
Decade-old 'FREAK' security flaw left millions exposed
… The newly discovered encryption flaw known as "FREAK attack" left users of Apple's Safari and Google's Android browsers vulnerable to hackers for more than a decade, researchers told the Washington Post. Users of the browsers were vulnerable to having their electronic communications intercepted when visiting any of hundreds of thousands of websites, including Whitehouse.gov, NSA.gov and FBI.gov.
Researchers said there was no evidence hackers had exploited the vulnerability, which they blamed on a former US policy that banned US companies from exporting the strongest encryption standards available, according to the newspaper. The restrictions were lifted in the late 1990s, but the weaker standards were already part of software used widely around the world, including the web browsers.
“We don't need no stinking employees!”
“We don't need no stinking security!”
“We don't need no stinking backups!”
Notice a theme here?
Ted Johnson reports:
Nine former Sony employees have filed an amended class action lawsuit against Sony Pictures Entertainment, alleging that the studio failed to take adequate safeguards to protect personal information that was exposed in the hacking attack last year.
“Following the breach, SPE has focused on its own remediation efforts, not on protecting employees’ sensitive records or minimizing the harm to its employees and their families,” states the amended complaint, filed on Monday in U.S. District Court in Los Angeles. “Rather, SPE has focused on securing its own intellectual property from pirates and a public relations campaign directed at controlling damage to SPE associated with the release of embarrassing internal emails.”
Read more on Variety.
For my Ethical Hackers: “Disruptions” are detectable... Just saying.
Kim Zetter reports:
For years the government has kept mum about its use of a powerful phone surveillance technology known as a stingray.
The Justice Department and local law enforcement agencies insist that the only reason for their secrecy is to prevent suspects from learning how the devices work and devising methods to thwart them.
But a court filing recently uncovered by the ACLU suggests another reason for the secrecy: the fact that stingrays can disrupt cellular service for any phone in their vicinity—not just targeted phones—as well as any other mobile devices that use the same cellular network for connectivity as the targeted phone.
Read more on Wired.
[From the article:
But in the newly uncovered document (.pdf)—a warrant application requesting approval to use a stingray—FBI Special Agent Michael A. Scimeca disclosed the disruptive capability to a judge.
“Because of the way, the Mobile Equipment sometimes operates,” Scimeca wrote in his application, “its use has the potential to intermittently disrupt cellular service to a small fraction of Sprint’s wireless customers within its immediate vicinity.”
Do their computers contain the intellectual property of the firm or the skills of the lawyer? I'm pretty sure the answer is a four letter word.
Debra Cassens Weiss reports:
A battle over laptops taken by lawyers to a new law firm failed to reach a settlement last week during a three-hour session before a magistrate judge.
The suit by Pennsylvania insurance boutique Nelson Brown Hamilton & Krekstein initially sought the return of laptops taken by 14 departing lawyers to Lewis, Brisbois, Bisgaard & Smith, the National Law Journal (sub. req.) reports. The suit seeks damages under the Computer Fraud and Abuse Act.
After the suit was filed last May, Lewis Brisbois returned the laptops, but erased and preserved the information they held, the story says. Now both law firms have hired computer experts to determine what information was on the devices.
The departing lawyers had represented hacked companies, and Nelson Brown says sensitive information such as Social Security numbers may have been saved on the laptops. The firm also says the devices may have contained confidential client lists and legal strategies.
Read more on ABA Journal.
From looking at the complaint, Nelson Brown owned the laptops and devices that the departing attorneys took with them in February 2014. What were the lawyers’ ethical obligations to the firm’s clients they had been representing? Could they just hand over the laptops and walk away?
And given that personal and sensitive information of data breach victims may have been on those laptops and devices, I wonder what would have happened if Nelson Brown had configured their security so that data were not stored locally but on their server from which it could be accessed but not saved locally? Why were all their lawyers walking around with PII on laptops? Were the data encrypted?
Wow! I wonder where they got that crazy idea?
Irony: Obama Balks At Chinese Government's Orwellian Cybersecurity Tactics
… President Obama is fearful that China’s plans — which include allowing the Chinese government to install security backdoors, requiring companies to hand over encryption keys, and keeping user data on Chinese soil — are an assault on intellectual property held by American companies and leave customers open to privacy violations.
China’s draft proposal for its anti-terrorism legislation "would essentially force all foreign companies, including U.S. companies, to turn over to the Chinese government mechanisms where they can snoop and keep track of all the users of those services," said President Obama in an interview with Reuters. "As you might imagine tech companies are not going to be willing to do that.”
… What’s somewhat amusing is that the U.S. government has been found to employ some of these same tactics not only abroad, but also on home turf. FBI Director James Comey has been an ardent critic of smartphone encryption employed by Google and Apple, seeing it as an affront to law enforcement and national security.
(Related) Makes you think the government doesn't get it.
14 Consumer Groups Outline Shortcomings In WH Privacy Legislation
“Consumer Watchdog today joined 13 other public interest groups in a letter to President Obama outlining the shortcomings of the draft Consumer Privacy Bill Of Rights Act and pledging to work with the Administration and Congress to strengthen the
“In 2012, you released your vision of the founding principles of consumer privacy — the Consumer Privacy Bill of Rights. Many of us hope that your principles, once implemented in legislation, will form a powerful framework to protect Americans’ fundamental right to privacy,” the 14 groups wrote in their joint letter. “Unfortunately, the discussion draft released last Friday falls short of that promise.”
Read the groups’ letter here.
… “The bill is full of loopholes and gives consumers no meaningful control of their data. Even the Federal Trade Commission says they have concerns that the draft bill does not provide consumers with the strong and enforceable protections needed to safeguard their privacy.”
Read the draft Consumer Privacy Bill of Rights Act here.
Now this could be amusing... If true, what else is implied? If we dynamite the dam, what else is released? If we don't what else is blocked?
Federal Court Considers FTC’s Data Protection Authority
EPIC – “A federal appeals court heard arguments today in FTC v. Wyndham, an important data privacy case. Wyndham Hotels, which revealed hundreds of thousands of customer records following a data breach, is challenging the FTC’s authority to enforce data security standards. In an amicus brief joined by legal scholars and technical experts, EPIC defended the FTC’s “critical role in safeguarding consumer privacy and promoting stronger security standards.” EPIC explained that the damage caused by data breaches – more than $500 million last year – makes data security one of the top concerns of American consumers. EPIC warned the court that “removing the FTC’s authority to regulate data security would be to bring dynamite to the dam.”
It's sad that this is the best way to catch pimps.
Adam Liptak reports:
The Supreme Court on Tuesday seemed inclined to let the police in Los Angeles inspect hotel and motel guest registries without permission from a judge.
A lawyer for the city, E. Joshua Rosenkranz, told the justices that such surprise inspections are vital to law enforcement.
“This case is about whether to deprive scores of cities of one of the most effective tools that they have developed to deter human trafficking, prostitution and drug crimes that have seized the ground in America’s hotels and motels,” he said.
Read more on the New York Times.
Anything for a story? “Drones are illegal so let's get a drone and see what the illegal drones saw?” Apparently journalists are much easier to catch than competent drone operators.
Paris Drone: Al Jazeera Journalist Fined
A British journalist for the Al Jazeera network has been fined for illegally flying a drone over central Paris.
… Several of the aircraft had been seen flying over locations including the US Embassy and the Eiffel Tower in the two nights preceding the trio's arrests.
… Al Jazeera confirmed initial reports that the drone was being used to put together a report on the mystery sightings in Paris when the journalists were arrested themselves.
… Authorities were first alerted to mystery drone flights in October, when state-run power company EDF filed a complaint with police. Sightings continued into the new year.
Could be worth following.
Michael Cooney reports:
Most days it seems like keeping and protecting any sort of data private is a pipe dream.
There are a variety of research efforts underway to keep private data private but it may be too little too late, some experts say.
Despite that notion, the researchers at DARPA next month will go over a program the agency says will help develop the “technical means to protect the private and proprietary information of individuals and enterprises.”
The program is named after Louis Brandeis, an associate Supreme Court Justice who was arguably the world’s first privacy champion, having helped pen “The Right to Privacy” for the Harvard Law Review in 1890, which is still the basis for a number of privacy protections in the US.
Read more on Network World.
Watson (like Audrey in Little Shop of Horrors) demands to be fed!
IBM buys AlchemyAPI to boost Watson computing unit
International Business Machines Corp said on Wednesday it had acquired AlchemyAPI, a fast-growing startup selling software that collects and analyzes unstructured text and data in ways big enterprises, website publishers and advertisers find useful.
… AlchemyAPI already has about 40,000 developers building tools using its technology, which would give IBM access to a much bigger, ready-made user base.
… AlchemyAPI, founded in 2005 and based in Denver, has 18 full-time employees. Its customers include publishing company Hearst Corp and image agency Shutterstock. IBM did not disclose the purchase price.
The startup's software gathers data from a wide range of sources, from Twitter posts and news stories to website images and text messages, sorts the data, learns to differentiate between them, and allows users to see connections that would take much longer to establish using more standard computing methods.
The software, which learns as it goes, enables users to group together disparate information on a certain topic or event, find related articles or information sources, and helps advertisers target online ads better.
For my Statistics students who have great difficulty “forecasting” the solution to the Monty Hall Problem. (I'm trying to get them to use algorithms.)
Algorithm Aversion: People Erroneously Avoid Algorithms after Seeing Them Err
Dietvorst, Berkeley J. and Simmons, Joseph P. and Massey, Cade, Algorithm Aversion: People Erroneously Avoid Algorithms after Seeing Them Err (July 6, 2014). Forthcoming in Journal of Experimental Psychology: General. Available for download at SSRN: http://ssrn.com/abstract=2466040 or http://dx.doi.org/10.2139/ssrn.2466040
“Research shows that evidence-based algorithms more accurately predict the future than do human forecasters. Yet, when forecasters are deciding whether to use a human forecaster or a statistical algorithm, they often choose the human forecaster. This phenomenon, which we call algorithm aversion, is costly, and it is important to understand its causes. We show that people are especially averse to algorithmic forecasters after seeing them perform, even when they see them outperform a human forecaster. This is because people more quickly lose confidence in algorithmic than human forecasters after seeing them make the same mistake. In five studies, participants either saw an algorithm make forecasts, a human make forecasts, both, or neither. They then decided whether to tie their incentives to the future predictions of the algorithm or the human. Participants who saw the algorithm perform were less confident in it, and less likely to choose it over an inferior human forecaster. This was true even among those who saw the algorithm outperform the human.”
I noticed a student just the other day who had his nose six inches from the monitor because he had smashed his glasses and was awaiting a new pair. Making the text larger was a revelation. (Who said this generation knows everything about technology?)
Are You Nearsighted or Farsighted? Tips to Make Windows More Accessible for Young & Old
Perspective for my Business Intelligence students.
Is Social Media Actually Helping Your Company’s Bottom Line?
For my nerdy students? Check out the photo that accompanies the article.
The Bank of Canada is warning people to stop drawing Spock on their money
Canadians are paying a strange sort of tribute to the late Leonard Nimoy — they're drawing his most famous character, Star Trek's Spock, over a 19th-century politician on their banknotes.