Saturday, March 28, 2015
For my Computer Security students. Something for the toolkit.
Detekt – free tool that scans your Windows computer for traces of commercial surveillance spyware
Via FastCoExit: “Spyware like FinFisher contributes to a multi-billion dollar business. But until last week, activists had few ways to defend themselves, aside from the well-placed bit of duct tape over the computer camera and rigorous digital hygiene practices. That’s why Amnesty International, Privacy International, Digitale Gesellschaft, and the Electronic Frontier Foundation rolled out a new tool, called Detekt, that lets you know when you’ve been hacked. “If the last 10 to 15 years of spying has been interception, search and seizure, and detaining, this is the future of government spying,” says Privacy International deputy director Eric King. “Detekt has only been up for a day, and I know there’s already been hundreds of thousands of hits on the website. My inbox is full of people who have been infected.” Anyone can freely download Detekt’s open-source software, but if the tool does detect spyware, getting rid of it is another matter entirely. The Detekt website does link to instructions to help people clear their machines, but it’s also no safeguard against the NSA or GCHQ’s sophisticated mass surveillance methods, the likes of which were revealed by Edward Snowden in June of 2013.”
How to look completely innocent.
Fidgeting, whistling, sweaty palms. These are just a few of the suspicious signs that the Transportation Security Administration directs its officers to look out for in airport travelers, according to a confidential document obtained exclusively by The Intercept.
Read more on The Intercept.
In related news, Joe Cadillic discusses the new use of biometric iris and fingerprint scans at airports.
My students seem to put everything on the credit cards, including stuff from the school vending machines.
Mark Wilson reports:
It’s disconcerting when you consider just how much your bank or credit card company can see without even really trying: everywhere you shop, eat, and play—right down to how much you spend and when. (Suddenly, even Uber’s God View doesn’t seem so scary.)
Capital One is developing an app called Ideas—an optional stand-alone app from their main one—that mines customers’ spending histories to offer them relevant deals and events (for which Capital One takes no cut). Each day, it produces a short, personalized list of coupons (like save 10% at J. Crew) and things to do (like check out The Book of Mormon), all translated to a short, image-forward list you swipe through, kind of like Tinder. If a customer likes an event, she can save it to be reminded later. If a customer likes a deal, he can virtually clip the coupon. And if that coupon goes unspent, then shortly before it expires, Ideas will SMS the customer to warn him about it.
Read more on FastCompany.
Eventually, this will lead to “self-driving” scalpels.
Google Moves to the Operating Room in Robotics Deal With J&J
… The search giant is pooling resources and intellectual property with Johnson & Johnson to develop robots to assist surgeons. No financial terms were disclosed. J&J said in a statement that the deal is expected to close in the second quarter and has to be reviewed by antitrust authorities.
Google reckons it can use its machine-vision and image-analysis software to help surgeons see better as they operate or make it easier for them to get information that’s relevant to the surgery.
Perspective. Lest you think all drones are the size of model airplanes.
Facebook's Internet-Beaming Aquila Drone Has Wingspan Of A Boeing 737, Will Take Flight This Summer
… The drones are capable of cruising at an altitude of 60,000 to 90,000 feet, and can stay aloft for months at a time thanks to solar panels embedded in the massive wings and onboard lithium-ion batteries. Each drone will be capable of “[beaming] down backbone Internet access” to people across the globe — those who otherwise wouldn’t have easy access to Internet connectivity — as part of Facebook’s Internet.org efforts. According to Facebook’s estimates, there are anywhere from 1.1 billion to 2.8 billion people on the planet that don’t have access to the Internet.
This could be very interesting. Imagine replacing the redacted text with your own words (a la Woody Allen's “What's Up, Tiger Lily?”)
FCC Releases Redacted Manual for Mobile Surveillance
Follow up to previous posting – StingRay surveillance device intercepts cellphone signals, captures texts, calls, emails and other data – via Slate, via TheBlot: A heavily redacted copy of the 2010 manual for StingRay and KingFish mobile data surveillance equipment was released by the FCC in response to a FOIA request by TheBlot over the strong objections of the equipment manufacturer. Matthew Keys for TheBlot: “On March 23 — more than six months after the request had been filed and two months after the January call — the FCC delivered a heavily redacted user manual covering the StingRay, StingRay II and KingFish devices. The manual, which appears to be the same copy submitted to the FCC by Harris in 2010, reveals the StingRay and KingFish equipment are likely individual components that comprise a cellphone surveillance kit marketed and sold to police. The manual indicates the StingRay and KingFish devices are sold as part of a larger surveillance kit that includes third-party software and laptops. Tables that contain the names of the other equipment are redacted in the copy provided by the FCC, but other records reviewed by TheBlot indicate the laptops are manufactured by Dell and Panasonic, while the software is designed by Pen-Link, a company that makes programs for cellphone forensics. Numerous warnings note that the manual is “confidential,” “not for public inspection” and contains information that falls under the purview of the International Traffic in Arms Regulation (ITAR), a federal statute that prohibits certain defense information and equipment from being distributed outside the United States.
Harris also warns that the manual “may be provided only to … government law enforcement agencies or communication service providers,” and that the document contains material related to a “restricted use item” that is “associated with the monitoring of cellular transmissions.” (The latter phrasing appears clearly in one section of the manual, despite being redacted on other pages.) None of the redactions made to the document were explained by the FCC as information withheld pursuant to national security interests. Instead, the FCC explained its redactions through Exemption 4 of the FOIA law, which protects the release of trade secrets and certain confidential business information submitted to the government.”
Well blogged, every week.
Hack Education Weekly News
… Enrollment at the University of Phoenix is down by over 50% over the past 5 years, reports CNN.
… According to a report released by the Education Department's National Center for Education Statistics, “After taking grants into account, the average full-time undergraduate in 2011–12 paid a net price of $11,700 to attend a public two-year college and $18,000 for public four-year college. Include loans, work-study and other forms of aid and the out-of-pocket costs come in at $9,900 and $11,800, respectively.”
… “In Defense of Snow Days” – according to research published by Education Next, school closures due to bad weather have little or no effect on student achievement. [Who paid for that study? Bob]
… From the American Association of University Women: “Solving the Equation: The Variables for Women's Success in Engineering and Computing.”
An infographic for my students. May they become rich and famous (and hire me as a consultant).
30 Inspirational Quotes for Entrepreneurs (Infographic)
Friday, March 27, 2015
The more you know, the more you want to keep your old car running.
Jesse Tahirali reports:
Your new car is probably spying on you.
Modern vehicles are powerful data-scraping machines, warns a group of B.C. privacy advocates, and Canada urgently needs to regulate what companies can do with the information cars send them.
The British Columbia Freedom of Information and Privacy Association (FIPA) published a 123-page report Wednesday, detailing what your vehicle might know about you and who can access that information.
In the report, which is the culmination of a year’s worth of research, the group calls for immediate action in creating standards for “connected cars” — vehicles equipped with the Internet, providing features like navigation and parking assistance, in-car entertainment and a range of safety features.
Read more on CTV News.
U.S. Senators Amy Klobuchar (D-MN) and John Hoeven (R-ND) reintroduced their Driver Privacy Act, legislation that protects a driver’s personal privacy by making it clear that the owner of a vehicle is also the owner of any information collected by an Event Data Recorder (EDR).
An EDR is an onboard electronic device that has the ability to continuously collect at least 43 pieces of information about a vehicle’s operation. This includes direction, speed, seatbelt usage and other data. The senators’ legislation would ensure that the vehicle owner controls the data and their personal privacy is protected.
… Fifteen states, including North Dakota, have passed laws related to EDRs. States with laws protecting drivers’ ownership of EDR data include Arkansas, California, Colorado, Connecticut, Delaware, Maine, Nevada, New Hampshire, New York, North Dakota, Oregon, Texas, Utah, Virginia and Washington.
As I understand it, “stories” are investigated by local teams and then the stars of 60 Minutes swoop in and do the “reporting.” This would seem to create a real potential for error. If 60 Minutes can't be held accountable, bloggers should be untouchable.
Executives at Lumber Liquidators, the controversial discount floor retailer, are telling investors they are feeling so emboldened by a recent regulatory announcement they may sue the news program “60 Minutes” over its reporting that raised issues about the safety of the company’s products, the FOX Business Network has learned.
On Wednesday, the U.S. Consumer Product Safety Commission (CPSC) announced it will conduct an investigation into the company’s laminate flooring. However, the agency said it would not use the same “destructive” testing method used by '60 Minutes.'
… The deconstructive method for testing flooring is conducted by taking the product apart, and then testing each individual piece for the toxin. But the safety commission said Wednesday it would be testing only the finished goods, similar to the methods Lumber Liquidators uses, and one in which the carcinogen level in the flooring appears much lower.
We seem to be heading toward e-Textbooks. I wonder what those all-in-one printers that “print and bind a book” cost?
For young readers – print and digital coexist
“A new book called Words Onscreen: The Fate of Reading in a Digital World cites surveys that say that young readers increasingly prefer to read books from paper, not screens. More than that, though, they find ebooks and printed books complementary. Printed books are good for protracted reading and comprehension. Ebooks are good for subsequent reference and convenient access. I started arguing this in 2008, and it certainly reflects my own experience. The future composts the past. [What the hell does that mean? Bob] The advent of films made it possible for performances that couldn’t work onstage to be born and it moved all the plays that were uncomfortable fits onstage to the screen. What it left behind were plays that were more like plays — and a theater industry that’s still going strong, even if it’s dwarfed by the screen. By the same token, books are becoming more booklike. Books that work best as ebooks — for example, big reference books; but also short works that are too slight to rest comfortably on their own between covers — are moving to ebook-land. Things that are produced as printed books have passed a test in which someone has asked, ‘Is there an important reason for this to exist in print, instead of exclusively onscreen?’”
How to become a “Chief Economist?”
Thursday, March 26, 2015
The downside of looking for love on the Internet? The bad guys are looking for loot.
Sextortion Schemes Using Mobile Malware in Asia: Trend Micro
Cybercriminals in Asia are taking advantage of smartphones and mobile malware to rake in significant profits through sextortion schemes, a report from Trend Micro has found.
In sextortion cases, a victim is lured into performing explicit acts that are secretly recorded and then blackmailed with the video. In a new report, researchers at Trend Micro detailed how these sextortion gangs are operating. In one case, police in Japan arrested two men suspected of being part of a gang that stole at least ¥3.5 million (US$29,204.88) from 22 victims between December 2013 and January 2014.
Might be fun to see if this is related to population (if so, why is India not number one) or
China Named Top Originator of Attack Traffic in Q4 2014: Akamai
A new report from Akamai Technologies names China as the top source of attack traffic on the Web.
In its 'Fourth Quarter, 2014 State of the Internet Report', Akamai cited China as the originator of 41 percent of observed attack traffic. According to the report, during the fourth quarter of last year Akamai observed attack traffic originating from 199 unique countries and regions. Out of the 199, China was the clear leader of the pack, accounting for more than triple the amount originating from the U.S.
… "The overall concentration of observed attack traffic decreased in the fourth quarter, with the top 10 countries/regions originating 75% of observed attacks, down from 84% and 82% in the second and third quarters, respectively," according to the report. [Everyone is getting into the act. Bob]
For my Computer Security students. Remember, it's your job to fix each of these! (Assuming you work 50 weeks each year, you need to fix roughly 62 vulnerabilities every day.)
Over 15,000 Vulnerabilities Detected in 2014: Secunia
IT security solutions provider Secunia today published its annual vulnerability review. The report provides facts and details on the security flaws uncovered in 2014.
According to the security firm, a total of 15,435 vulnerabilities were identified in 2014 in 3,870 applications from 500 vendors. This represents an 18 percent increase compared to the previous year, and a 55 percent increase over five years.
The complete Secunia Vulnerability Review 2015 is available online.
Knowing is not as effective as nagging? Good News/Bad News: Here is a good way to educate users about privacy, and then they discontinue the app. Sounds like a business opportunity I should run by my students.
Byron Spice writes:
Many smartphone users know that free apps sometimes share private information with third parties, but few, if any, are aware of how frequently this occurs. An experiment at Carnegie Mellon University shows that when people learn exactly how many times these apps share that information they rapidly act to limit further sharing.
In one phase of a study that evaluated the benefits of app permission managers – software that gives people control over what sensitive information their apps can access – 23 smartphone users received a daily message, or “privacy nudge,” telling them how many times information such as location, contact lists or phone call logs had been shared.
Some nudges were alarming. One notable example: “Your location has been shared 5,398 times with Facebook, Groupon, GO Launcher EX and seven other apps in the last 14 days.”
In interviews, the research subjects repeatedly said the frequency of access to their personal information caught them by surprise.
… “The vast majority of people have no clue about what’s going on,” said Norman Sadeh, a professor in the School of Computer Science’s Institute for Software Research. Most smartphone users, in fact, have no way of obtaining this data about app behavior. But the study shows that when they do, they tend to act rapidly to change their privacy settings.
… An app permission manager allows smartphone users to decide which apps have access to personal information and sensitive functionality. The study used a permission manager for Android 4.3 called AppOps.
… When the participants were given access to AppOps, they collectively reviewed their app permissions 51 times and restricted 272 permissions on 76 distinct apps. Only one participant failed to review permissions.
But once the participants had set their preferences over the first few days, they stopped making changes. When they began getting the privacy nudges, however, they went back to their privacy settings and further restricted many of them.
… Sadeh said when people download an Android app, they are told what information the app is permitted to access, but few pay much attention, and fewer understand the implications of those permissions.
“The fact that users respond to privacy nudges indicates that they really care about privacy, but were just unaware of how much information was being collected about them,” Sadeh said.
The AppOps software was discontinued on later versions of Android. While iPhones do have a privacy manager, it does not tell users how often their information is used or for what purpose and does not nudge users to regularly review their settings.
SOURCE: Carnegie Mellon University News
All employees are trustworthy up until the moment they're not.
Dune Lawrence reports:
Whether you call Edward Snowden a traitor or a whistle-blower, he earned one label about which there’s no debate: insider threat.
Guarding against such risks is an expanding niche in the security industry, with at least 20 companies marketing software tools for tracking and analyzing employee behavior. “The bad guys helped us,” says Idan Tendler, the founder and chief executive officer of Fortscale Security in San Francisco. “It started with Snowden, and people said, ‘Wow, if that happened in the NSA, it could happen to us.’ ”
Companies are also realizing that tracking insiders may improve their odds of catching outside hackers.
Read more on BloombergBusiness.
Interesting, but will it change their practices going forward?
Elizabeth Warmerdam reports:
The FBI can no longer withhold thousands of pages of surveillance files of Muslim communities by claiming the “law enforcement” exemption of the Freedom of Information Act, a federal judge ruled Monday.
U.S. District Judge Richard Seeborg found that the exemption “is not the appropriate umbrella under which to shield these documents from public view.”
The American Civil Liberties Union, the Asian Law Caucus and the San Francisco Bay Guardian in 2010 requested records concerning the FBI’s investigation and surveillance of Muslim communities in Northern California.
Read more on Courthouse News.
[From the article:
Although the FBI submitted a lengthy declaration describing how the type of documents it withheld advance law enforcement interests, it did not sufficiently "establish a rational nexus between the enforcement of a federal law and the documents for which it claims Exemption 7 applies," Seeborg wrote in a 7-page ruling.
… "The FBI's refrain at oral argument that many of the withheld documents do not relate to particular investigations, and thus cannot be linked to any particular provision of law, only serves to emphasize the point that Exemption 7 is not the appropriate umbrella under which to shield these documents from public view," Seeborg wrote.
The concern, Dear Feds, is that the pass was not free.
Federal regulators are pushing back against suggestions that they gave Google a free pass under antitrust law, potentially out of deference to the Obama administration.
After stories in the Wall Street Journal showing that Federal Trade Commission (FTC) staff urged the agency to take action against the Web giant — which it ultimately did not — and detailing Google’s close ties to the White House, members of the FTC are pushing back.
My students may not know it yet, but they need social media.
How To Kickstart Your New Social Media Accounts
… Before we start, I just need to point something out. Obviously there are numerous social media sites out there — too many to count. So to make things easy, in this article, I am just going to go with Twitter. However, the principles below apply to any social media site. Twitter not your gig? Then take the advice below and apply it/adapt it to that site.
Why would this be funny? It is exactly the techno-babble Economists speak!
Wednesday, March 25, 2015
I suspect school districts are very “low hanging fruit” for hackers. Expect more, hope some are better prepared.
Walt Hunter reports:
The FBI, New Jersey State Police, county and local investigators are on the trail of hackers who hijacked a Gloucester County school district’s computer network, demanding a ransom payment to make it usable again.
The Superintendent of the Swedesboro-Woolwich School District says the unidentified hackers are demanding a payment of 500 bitcoins, the equivalent of $128,000, to return the computer system to working condition.
Read more on CBS.
A message on the district’s website states:
… At this point there appears to be no data breach. The files affected were mainly Word documents, Excel spreadsheets and .pdf files created by staff members. Data for the student information system as well as other applications is stored offsite on hosted servers and was not affected by the virus.
Encrypted files were restored from backup to their original state. Servers were restored to remove any trace of the malware. Email and other systems are being restored as quickly as possible.
OK, but what’s this nonsense from the Superintendent that “Without working computers, teachers cannot take attendance, access phone numbers or records, and students cannot purchase food in cafeterias.”
Gee, I remember the days when teachers took attendance by checking off our names on paper charts, when our phone numbers were on index cards in the school office, and we paid cash for food in the cafeteria. Are schools TOO reliant on technology now? Seems so if they can’t figure out how to operate without computers.
The Superintendent says, without Smartboards, students Monday used pens, pencils and papers, going back to, what he described, “education as it was 20 or 30 years ago.”
Wow. The horror of it all.
Does the data eventually wind up in Data Broker databases?
Sam Schechner and Valentina Pop report:
LUXEMBOURG—In a gold-curtained courtroom here, a debate is playing out over the transfer of personal data used for billions of dollars in digital advertising.
The European Court of Justice—the European Union’s top court—heard arguments Tuesday in the biggest threat yet to a legal mechanism that allows Facebook Inc. and thousands of other firms to transfer European personal data to U.S.-based servers.
Following revelations of widespread surveillance by the U.S. National Security Agency, plaintiff Max Schrems, an Austrian law student, made the case that the EU-U.S. agreement, called Safe Harbor, no longer guarantees the privacy of European residents. He was supported by lawyers representing the governments of Belgium, Poland and Austria.
Read more on WSJ.
The case is Maximilian Schrems v. Data Protection Commissioner.
Interesting question for my students to ponder.
David Kravets reports:
When the Supreme Court ruled in 2012 that affixing GPS devices to vehicles to track their every move without court warrants was an unconstitutional trespass, the outcome was seen as one of the biggest high court decisions in the digital age.
That precedent, which paved the way for the disabling of thousands of GPS devices clandestinely tacked onto vehicles by the authorities, is now being invoked to question the involuntary placement of GPS devices onto human beings.
Read more on Ars Technica.
This really looks interesting. For my friends at the Law School and those already in practice.
Free Practice Technology Ebook for Law Students
David Whelan – What it is:
- a free e-book of roughly 20,000 words providing an overview of practice technology in a generic law practice;
- licensed under a Creative Commons Share-alike license so that faculty can repurpose it however they like;
- an e-book for law students looking for something longer than blog posts or even long form law practice technology articles;
- intended to be practical, flavored heavily with my own opinions about law practice technology and data that I rely on myself when thinking about legal technology. I realize I’m not a practicing lawyer, and for those who find this text lacking because of that, I encourage them to enhance it and share their own knowledge;
- version 1, and it may be a bit rough (and use a bit more editing) but I hope it will continue at least to version 2.
In some respects, this was a bit of mental clearing of the decks. It’s been percolating for a while and is ready to be public, if not published. I’m hoping it will be useful to someone. You can read the entire text here: http://books.ofaolain.com/legaltech/ although you may find my server slow. You can download the EPUB or MOBI versions too.
We would need slightly larger drones, but... If we apply the algorithms used in self-driving cars, we could have “flying cars” by Christmas!
Amazon Hammers FAA For Lack Of 'Impetus' Over Drone Policy
Amazon.com is not pleased with the pace by which the Federal Aviation Administration is addressing the commercial use of drones and it let the public know in a congressional hearing on Tuesday.
In a Washington, D.C. meeting with Senate members of the Subcommittee on Aviation, Operations, Safety and Security, Paul Misener, Amazon’s vice president of global public policy, criticized the FAA for lacking “impetus” to develop timely policies for the operations of unmanned aerial systems (UASs or UAVs).
… Misener stressed the differences between the U.S. and places like Europe, where the company is already testing outdoors in the United Kingdom. “Nowhere outside of the United States have we been required to wait more than one or two months to begin testing,” he said.
UNMANNED AERIAL SYSTEMS
Status of Test Sites and International Developments
… This testimony provides preliminary observations on 1) status of FAA’s test sites, 2) how other countries have progressed integrating UAS for commercial purposes, and 3) critical steps for FAA going forward.
Would US politicians accept free iPads?
Every British MP is being given a free iPad
Every British MP is to be given a free iPad after the General Election in May, the Telegraph reports.
Politicians say they need suitable hardware to do their work properly — but the new scheme has run into criticism. "Locking some of the most powerful people in the country into a platform that most of my constituents can't afford seems like a mistake," said Shadow Cabinet Office minister Chi Onwurah. "And that's without mentioning the tax avoidance issue."
… Some of the 209 MPs who already own iPads have been caught using them in a way that's definitely not intended. Nigel Mills was photographed using his to play Candy Crush over a period of two and a half hours during a committee meeting on pension reforms.
Background beats for my student raps! (My new idea for better presentations.)
Play an Online 808 Drum Machine
You can now play an online version of the legendary Roland TR-808 drum machine, the real-world version of which was used by such artists as the Beastie Boys, Outkast, and Kanye West.
The online HTML5 version features all of the real percussion sounds, which you can adjust to your heart’s content. And when you’re happy with your hip-hop bassline, you can export it as a WAV file. [H/T FACT Magazine]
For my students.
Make a PowerPoint Presentation That Doesn’t Put Your Audience to Sleep
PowerPoint presentations, when done right, can be an engaging way to provide an audience with information. When done poorly, however, they can quickly put the audience to sleep.
… So what can you do to make your PowerPoint presentations informative and exciting? Follow the tips outlined on the infographic below, and you’ll be well on your way!
For my students who think APA is a federal agency.
About EasyBib, RefME, and Other Bibliography Generators
This afternoon I received a lengthy email (a three page attachment came with it) from someone who really did not like that I have promoted EasyBib, RefME, and other bibliography creation tools over the years. The reader seemed to take most offense to my recent post about Google Docs Add-ons in which I included the EasyBib Add-on. The reader rightly pointed out that those tools don't always format citations perfectly.
Granted those tools aren't always perfect in their formatting of citations (I have pointed out some of those flaws in my webinars and workshops over the years), but I think they are still valuable because they help get students into the habit of citing their sources of information and keeping a record of the sources they use. Furthermore, if EasyBib, RefME, or one of the other bibliography generators does make a mistake you can turn that into a teaching opportunity with your students. Point out the flaw and how to correct it.
Finally, we can tell students not to use bibliography creation tools but they are going to find them and try to use them anyway. The same can be said for Wikipedia, but that's a conversation for another day. I would rather tell students about bibliography creation tools and teach them how to recognize if the tool made an error than I would pretend that students aren't going to use the tools.
Tuesday, March 24, 2015
“We phished you, now we'll use your email to phish all your friends.”
Uh oh. SLC Security reports:
While we can’t name any particular names at this time we have started seeing indicators of another related attack originating out of China aimed at US Healthcare entities. This time another well known affiliate of a previously breached healthcare entity appears to be attacking other Healthcare entities in California and Arizona.
Read more on Vulnerable Disclosures.
[From the article:
… it appears as though a new malware variant is being sent via Phishing emails and they are coming from other healthcare entities so it appears as legitimate traffic which may be problematic as they may be assumed to be trusted entities.
Exactly the correct steps, slightly out of the correct sequence?
Lorraine Bailey reports:
Credit-reporting giant TransUnion charges $10 before it places security freezes on the files of people dealing with identity theft, a class claims in Federal Court.
Jon Niermann, the lead plaintiff in the March 18 action, says he learned about TransUnion’s “illegal” policy after he became a victim of identity theft.
Read more about his complaint on Courthouse News.
[From the article:
He notes that Texas law "allows CRAs to charge a 'reasonable fee,' not to exceed $10.00, for placing a security freeze, [but] does not make the CRAs' duty to place the security freeze within five business days conditional on the payment of the charge, nor does it allow CRAs to delay placing the security freeze until after the charge is paid," the complaint states, abbreviating credit-reporting agencies.
Shocking! A government that is preparing to defend its citizens. Who would have thought that possible?
But they’re polite while they’re stealing data and destroying infrastructure, right?
Ryan Gallagher reports:
Canada’s electronic surveillance agency has secretly developed an arsenal of cyber weapons capable of stealing data and destroying adversaries’ infrastructure, according to newly revealed classified documents.
Communications Security Establishment, or CSE, has also covertly hacked into computers across the world to gather intelligence, breaking into networks in Europe, Mexico, the Middle East, and North Africa, the documents show.
Read more on The Intercept.
The survey results are interesting but are unlikely to result in any laws that reduce the amount of data a typical data broker accumulates.
Boston parents overwhelmingly agree that schools should demand restrictions on data mining from internet companies
A survey of parents with school-age children in Boston shows parents see many benefits from in-school internet access, with more than 80 percent stating that in-school internet access helps students develop the necessary skills to gain employment and participate in the global economy. However, a majority of parents are unaware that technology companies may be tracking their children’s internet use at school. This demonstrates the importance of and need for stronger protections to prevent student data mining and online tracking in Boston schools.
… The findings are based on a survey conducted between January 2015 and February 2015 of parents with school-age children in Boston. For more detailed results, please visit: http://bit.ly/1O7xntD
“Hey look! We're doing something!” The question, as always is what.
FTC Starts Up New Tech Research Office
The Federal Trade Commission is launching a new research office to do deeper dives into privacy, new payment methods and the Internet of Things (among other things), the FTC announced in a pair of blog posts on Monday (March 23).
The new Office of Technology Research and Investigation (OTRI) is a successor to the FTC’s Mobile Technology Unit, which was created in 2012 to handle consumer issues related to mobile devices, including children’s privacy and mobile shopping data-use policies.
But the OTRI has a broader mandate and is hiring more technologists (its predecessor only had one) to examine privacy and security issues related to “connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and the Internet of Things,” according to FTC Chief Technologist Ashkan Soltani.
While that’s a broad mandate, the FTC has already gotten started in some of those areas — for example, in January the FTC issued a report on privacy and security issues involving the Internet of Things.
But exactly how much the OTRI will be able to do beyond researching these areas isn’t clear. In general, the FTC is limited to pursuing companies that misrepresent what they do or engage in false advertising. As a result, the FTC’s privacy enforcement actions have largely consisted of going after retailers who have violated their own published privacy policies. (The one exception to that is marketing online to children, which is covered by the Children’s Online Privacy Protection Act. That puts much more stringent limits on what information website operators can collect from children under age 13, and how it must be handled.)
That means the new OTRI can investigate security and privacy issues, but there’s some question as to what else it can do beyond issuing reports. And as the Washington Post notes, the FTC is facing a potential turf war with the Federal Communications Commission over “net neutrality” and related privacy issues.
This might be a “doing something” worth the doing.
Hamish Barwick reports:
The NSW Information and Privacy Commission (IPC) has unveiled an e-learning portal to help organisations in the state deal with privacy complaint handling and other privacy issues.
The e-learning portal is free and currently provides access to two e-learning modules- privacy complaint handling and Government Information Public Access (GIPA) Act: Access training for decision makers.
Read more on Computerworld.
[Register here: http://www.ipc.nsw.gov.au/e-learning
It would be a worthless law.
Should Governments Ban Ballot Selfies?
Would Hitler have wanted people to post who they voted for? Would Benito Mussolini have tweeted photos with voters? Would Francisco Franco have Instagrammed a ballot with a check next to his name? These are the questions I was asking myself after listening to a recent NPR story on the controversy brewing around “ballot selfies.”
For my Computer Security students.
Cybersecurity and Information Sharing: Legal Challenges and Solutions
CRS – Cybersecurity and Information Sharing: Legal Challenges and Solutions. Andrew Nolan, Legislative Attorney. March 16, 2015.
… While considerable debate exists with regard to the best strategies for protecting America’s various cyber-systems and promoting cybersecurity, one point of general agreement amongst cyber-analysts is the perceived need for enhanced and timely exchange of cyber-threat intelligence both within the private sector and between the private sector and the government.
… this report examines the various legal issues that arise with respect to the sharing of cybersecurity intelligence, with a special focus on two distinct concepts: (1) sharing of cyber-information within the government’s possession and (2) sharing of cyber-information within the possession of the private sector.
With regard to cyber-intelligence that is possessed by the federal government, the legal landscape is relatively clear: ample legal authority exists for the Department of Homeland Security (DHS) to serve as the central repository and distributor of cyber-intelligence for the federal government. Nonetheless, the legal authorities that do exist often overlap, perhaps resulting in confusion as to which of the multiple sub-agencies within DHS or even outside of DHS should be leading efforts on the distribution of cyber-information within the government and with the public.
… With regard to cyber-intelligence that is possessed by the private sector, legal issues are clouded with uncertainty. A private entity that wishes to share cyber-intelligence with another company, an information sharing organization like an Information Sharing and Analysis Organization (ISAO) or an Information Sharing and Analysis Center (ISAC), or the federal government may be exposed to civil or even criminal liability from a variety of different federal and state laws.
… concerns may arise with regard to how the government collects and maintains privately held cyber-intelligence, including fears that the information disclosed to the government could (1) be released through a public records request; (2) result in the forfeit of certain intellectual property rights; (3) be used against a private entity in a subsequent regulatory action; or (4) risk the privacy rights of individuals whose information may be encompassed in disclosed cyber-intelligence.
The report concludes by examining the major legislative proposals—including the Cyber Intelligence Sharing and Protection Act (CISPA), Cybersecurity Information Sharing Act (CISA), and the Cyber Threat Sharing Act (CTSA)—and the potential legal issues that such laws could prompt.
My students have convinced me this could be more important than a resume. Especially the social networking bit.
A 101 Guide To Building Your Personal Brand
… Developing and building your personal brand is an important part of deciding how you want to be known in your workplace, industry and life. Below are four important steps you can take to start building your personal brand today.
(Related) Perhaps if the campaign is mostly on social networks we might see fewer TV ads? Nah.
Ted Cruz’s Monday morning announcement that he was running for president sent a jolt through political circles — and their Facebook friends.
The Texas Republican senator’s announcement sparked 5.7 million comments, likes and other conversations among 2.2 million people on the global social network on Monday, according to Facebook. That’s more than 30 times the average number of people who have talked about Cruz in the last three months.
… Cruz, who has significant appeal among conservatives, has found a winning message on some social media sites.
In fact, he first announced his new campaign on Twitter, hours before giving his Monday morning speech.
For my geeky students.
How to Create an iPhone Game From Scratch
Monday, March 23, 2015
If the police were relying on “encryption in a box” they don't understand security. If everyone uses the same encryption, loss of one machine compromises everyone. Even after the Poles stole an Enigma machine from the Germans in 1939 it took years to reliably decrypt messages.
From the where-is-Captain-Midnight-when-you-need-him dept.:
Theft of an electronic instrument worth around Rs 3 lakh [$4816.53 – Dissent] from the building of Dang district superintendent of police, Ahwa, has created panic among top national security agencies. Sources in police claim that the stolen device is a decoder of encrypted secret code language used by intelligence agencies to exchange top secret information.
The device is called a Cipher or N-decoder and only government-authorized agencies can procure it. [and the occasional burglar. Bob] Naxal activities were reported from Dang in the recent past and the theft of this device has created a major challenge for police. All the top security agencies, part of armed forces, police or special operation groups use these devices to receive and share information.
Read more on Times of India.
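The commentary above makes the point that a fleet of units all loaded with the same key is only as secure as its least-guarded unit: steal one box and every unit's traffic is readable. The following added example (mine, not code from the article or from any real device) models the two designs side by side. Station names, the HMAC-based cipher and the "one report per station to headquarters" traffic pattern are all assumptions made for illustration; in a real deployment the cipher would be AES-GCM or similar, but the key-management lesson is the same.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

NONCE_LEN, TAG_LEN = 16, 32


def derive_key(master: bytes, label: bytes) -> bytes:
    """One-step HMAC key derivation: a per-unit key from a master held only at headquarters.
    Knowing one derived key gives no way back to the master or to sibling keys."""
    return hmac.new(master, b"unit-key:" + label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream; illustrative only, use AES-GCM in practice.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the tag does not verify (wrong key or tampering)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_fleet(shared_key: bool, size: int = 4) -> Dict[str, bytes]:
    """Key material loaded into each field unit (hypothetical names station-1..station-N).
    shared_key=True is the 'encryption in a box' design: every unit carries the same key.
    shared_key=False gives each unit its own key derived from a master that never leaves HQ."""
    master = secrets.token_bytes(32)
    names = [f"station-{i}" for i in range(1, size + 1)]
    if shared_key:
        common = derive_key(master, b"fleet")
        return {name: common for name in names}
    return {name: derive_key(master, name.encode()) for name in names}


def readable_after_theft(fleet: Dict[str, bytes], stolen_from: str,
                         traffic: Dict[str, bytes]) -> Set[str]:
    """Which units' reports can a thief read using only the key from the stolen unit?"""
    stolen_key = fleet[stolen_from]
    return {name for name, blob in traffic.items() if decrypt(stolen_key, blob) is not None}


def simulate(shared_key: bool, stolen_from: str = "station-2") -> Set[str]:
    """Each unit sends one report to HQ under its own loaded key; one unit is then stolen."""
    fleet = build_fleet(shared_key)
    traffic = {name: encrypt(key, f"sitrep from {name}".encode()) for name, key in fleet.items()}
    return readable_after_theft(fleet, stolen_from, traffic)


if __name__ == "__main__":
    print("shared key, one unit stolen    ->", sorted(simulate(True)))
    print("per-unit keys, one unit stolen ->", sorted(simulate(False)))
```

With the shared key the thief reads every station's report; with per-unit keys only the stolen station's own traffic is exposed, and headquarters can revoke that one key and re-derive a replacement without touching the rest of the fleet. The cost of the second design is an explicit revocation and rekeying procedure, which is exactly the operational work that "encryption in a box" lets an organisation skip until a box goes missing.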
A lot of speculation but will we see a different Putin?
Is Putin Losing Power?
Vladimir Putin’s recent disappearance from public view for over a week fed wild rumors about a possible coup and his removal from power.
… The story of the coup has revealed something very interesting about the secretive world of Russian politics. First of all, when the rumors first surfaced the population remained calm. Forget Mr. Putin’s 85% approval rating, there were no demonstrations and no visible signs of any reaction on the part of the Russian people. They remained silent. Second, media comments also did not reveal any particular anxiety about the possible removal of Mr. Putin. One could even sense a sigh of relief. Even the response from the Russian nationalists was rather favorable. Igor Strelkov—the former commander of the rebel army in the east of Ukraine—speculated about the advantages of removing Putin from power.
Unfortunate that the law has so many holes in it that this is the only way to avoid someone using these domains for “evil purposes.” I note that she did not buy TaylorSwift.sucks which also becomes available under the new domain name rules. What is their definition of a “celebrity?” If someone takes my name in vain, do I have recourse?
Here’s Why Taylor Swift Just Bought Some Porn Sites with Her Name on Them
Taylor Swift has a very good reason for quickly snapping up new websites TaylorSwift.porn and TaylorSwift.adult. She bought them so that neither you, nor anyone on her long list of ex-lovers could buy them first. The purchase is part of a larger controversial practice called “domain squatting” and it just became a much bigger issue for celebrities and corporations.
… Among those new gTLDs are some salacious options like .porn, .sucks, and .adult so ICANN is allowing celebrities and corporations (basically anyone with a brand or trademark to protect), to get first dibs on the more controversial gTLDs before they become available to any and everyone on June 1st.
I hope my students could write better raps. I know they could sing better raps. Now all they need to do is learn the math!
Short Math and Science Lessons in Rap Form
Rhyme 'n Learn is a series of math and science lessons presented in short rap music form. About half of the raps are provided in video format with visuals to support the lesson. The other half of the lessons are audio only, but do have transcripts available to help your students or you follow along. A couple of the video raps are embedded below.
Sunday, March 22, 2015
I could have done without this. We have people in this country who listen to the voices in their head or the commands of the neighbor's dog. Now we need to worry about these nuts passing them specific targeting information? I hope someone is passing the details to local law enforcement and trustworthy neighbors.
Jason Molinet reports:
Islamic State hackers have posted the personal details of 100 U.S. service members they claim took part in the bombing of ISIS targets in Iraq, Syria, Yemen, Somalia and Afghanistan – and called on homegrown radicals to strike back.
The group calling itself Islamic State Hacking Division allegedly gathered the dossier from cracked military databases and made an open call for “jihad against the crusaders” using JustPaste.it, a Polish-based social network favored by ISIS propagandists.
Read more on NY Daily News.
The ISIS support Twitter account, @ISHackingDiv was suspended shortly after posting a link to the material.
The Department of Defense has not yet confirmed or denied the accuracy of the information nor the hackers’ claims that they obtained the material through various sources, including hacked databases.
Could be just an angry ex-employee causing waves. Could be government bureaucracy at its worst. Probably will die quietly unless something significant leaks.
Peter Jackson reports:
First they said they’re looking into it. Now they’re saying nothing happened.
The day before he was cut from cabinet on March 12, former Services NL minister Tony Cornect denied there was ever a security breach at the Office of the Chief Information Officer (OCIO).
The OCIO oversees information technology and security for the government and government agencies, including health boards and the police.
Their denials are challenged by the former security analyst who raised the alarm originally:
“We know that there was two-way communication between the government DNS servers and the server in the Czech Republic; therefore, messages were exchanged. We may not know the significance of these messages, but to argue that there were no messages is disingenuous.”
Read more on The Telegram.
[From the article:
… Internal communications obtained by The Telegram show that while Lorimer’s alerts about the breaches were acknowledged, they were not acted upon for a week.
… The OCIO said the matter was investigated at the time and that there was no threat to security. But after Lorimer filed an information request looking for the results of that investigation, the office admitted no such report existed.
In November 2014, Cornect called for an external investigation into the matter. That review was carried out by EWA-Canada. The findings were submitted over a month ago, on Feb. 11.
I have contacted the OCIO in an attempt to obtain the report, and Lorimer has filed an access-to-information request. But the department has so far refused to release it.
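The analyst's point above is that the government DNS servers were not merely sending queries out; there was two-way traffic with a single foreign host. That is the kind of finding a flow-log review surfaces quickly if someone looks. The following added example (mine, not from the article and not the OCIO's tooling) runs that check over constructed flow records. It assumes the internal resolvers are configured to forward only to an approved upstream list, so any other external peer is unexpected; the internal range, server addresses, approved forwarder and the external addresses are all hypothetical, and the external ones are drawn from documentation ranges so they stand in for no real host.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed sample flow records (illustrative; not the OCIO's logs).
# Fields: ts,src,dst,dport,proto,bytes
SAMPLE_FLOWS = """ts,src,dst,dport,proto,bytes
2014-09-01T08:00:01,10.0.0.53,198.51.100.53,53,udp,120
2014-09-01T08:00:01,198.51.100.53,10.0.0.53,53,udp,240
2014-09-01T08:00:05,10.0.0.53,203.0.113.77,53,udp,95
2014-09-01T08:00:05,203.0.113.77,10.0.0.53,53,udp,310
2014-09-01T08:01:10,203.0.113.77,10.0.0.53,53,tcp,2048
2014-09-01T08:02:00,10.0.0.54,192.0.2.9,443,tcp,1500
2014-09-01T08:03:00,10.0.1.20,10.0.0.53,53,udp,80
"""

# Hypothetical environment facts an analyst would pull from inventory, not from the log.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DNS_SERVERS = {"10.0.0.53", "10.0.0.54"}
APPROVED_FORWARDERS = {"198.51.100.53"}  # the only upstream the resolvers should talk to


def is_internal(ip: str) -> bool:
    # Explicit range check: ipaddress.is_private also covers documentation ranges,
    # so it cannot be used to mean "one of our hosts".
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious_peers(flow_text: str, dns_servers=DNS_SERVERS,
                          approved=APPROVED_FORWARDERS) -> List[Dict]:
    """Group flows by (internal DNS server, external peer) and report every peer that is
    not an approved forwarder. A peer seen in both directions is the analyst's case:
    messages were exchanged, not just sent."""
    seen = defaultdict(lambda: {"dirs": set(), "ports": set(), "protos": set(), "bytes": 0})
    for row in csv.DictReader(io.StringIO(flow_text)):
        src, dst = row["src"], row["dst"]
        if src in dns_servers and not is_internal(dst):
            server, peer, direction = src, dst, "out"
        elif dst in dns_servers and not is_internal(src):
            server, peer, direction = dst, src, "in"
        else:
            continue  # internal-to-internal traffic, or a host that is not a resolver
        if peer in approved:
            continue
        rec = seen[(server, peer)]
        rec["dirs"].add(direction)
        rec["ports"].add(int(row["dport"]))
        rec["protos"].add(row["proto"])
        rec["bytes"] += int(row["bytes"])

    findings = []
    for (server, peer), rec in sorted(seen.items()):
        bidirectional = {"in", "out"} <= rec["dirs"]
        findings.append({
            "server": server,
            "peer": peer,
            "directions": sorted(rec["dirs"]),
            "ports": sorted(rec["ports"]),
            "protocols": sorted(rec["protos"]),
            "bytes": rec["bytes"],
            "severity": "high" if bidirectional else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_peers(SAMPLE_FLOWS):
        print(f"{f['severity']:6} {f['server']} <-> {f['peer']} "
              f"dirs={f['directions']} ports={f['ports']} proto={f['protocols']} bytes={f['bytes']}")
```

On the sample data the resolver 10.0.0.53 shows a two-way exchange, over both UDP and TCP, with an unapproved external host and is rated high; 10.0.0.54 shows only an outbound HTTPS connection and is rated medium. Two caveats a practitioner would add: a resolver that does full recursion legitimately talks to authoritative servers all over the world, so the approved list must then become a learned baseline rather than a fixed set; and a flow record only tells you that bytes moved, so the next step is pulling the resolver's own query log and packet captures for that peer, which is the evidence the story says nobody produced.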
“It's completely neutral except for the part that's not neutral.” Big Cable Brother
Streaming TV Services Seek to Sidestep Web Congestion
HBO, Showtime, and Sony Corp. are jumping into online television. But instead of putting their Web traffic on the public Internet’s main thoroughfare, they want to be in a separate lane that would ensure their content gets special treatment.
Those companies have talked to major broadband providers such as Comcast Corp. about having their Web TV services treated as “managed” services, according to people familiar with the discussions.
… The Federal Communications Commission’s recently approved net-neutrality rules, which go into effect in a few months, bar broadband providers from accepting payment from companies to favor their traffic. And the rules say the FCC “expressly reserves the authority to take action” if it finds that specialized services are “being used to evade the open Internet rules.”
But the agency has maintained that cable and phone companies can offer certain specially managed services—digital phone and video-on-demand, for example—that run on a dedicated slice of bandwidth in the cable pipe that is separate from the portion reserved for public Internet access.
… At least one emerging online TV player, Dish Network Corp.’s Sling TV, believes the managed-service arrangement would be a negative overall. “It’s a bad thing for consumers and a bad thing for innovation,” said Roger Lynch, Sling TV’s chief executive, adding that big companies like Dish could afford to cut special deals like this but small companies can’t.
“It makes a mockery of net neutrality,” he said, adding that Sling would strike such a deal only “under duress,” if other companies did first.
Curious. On the military side, we seem to be very opposed to becoming the world's police force. DoJ does not seem to be worried about that at all. Should we assume that the countries where these “law breakers” live do not have laws they have broken? Would we allow US citizens to be prosecuted under laws that do not exist in the US? Is “offering for sale” proof of “intent to defraud?”
I’ve been posting some of the U.S. Department of Justice’s attempts to justify their proposed amendments to cybersecurity laws. Here’s how the most recent post in their series begins:
In the last of our series on the need for limited updates to laws enhancing cybersecurity while protecting individual rights, this post will describe a proposal that is geared toward shutting down the international black market for Americans’ stolen financial information.
Here is the problem. Current law makes it a crime to sell “access devices” such as credit card numbers. The law allows the government to prosecute offenders located outside the United States if the credit card number involved in the offense was issued by an American company and meets a set of additional requirements. In the increasingly international marketplace for stolen financial information, however, these requirements have proved increasingly unworkable in practice. The government has to prove either that an “article” used in committing the offense moved through the United States, or that the criminal is holding his illicit profits in an American bank. But when you steal only digital data, it’s not clear what “article” could be involved. And of course, foreign criminals generally move their money back to their home country.
Read more on DOJ’s Blog.