Saturday, May 30, 2015

Lots of speculation, not much security management.
FBI to Dig Into IRS Data Breach Debacle
The United States Federal Bureau of Investigation is looking into a hack of the U.S. Internal Revenue Service that led to personal data being stolen from at least 100,000 taxpayers' accounts of the 200,000 that were hit.
The hackers got the data by accessing the Get Transcript application, which lets taxpayers download data they filed with the service, the IRS announced Tuesday.
Twenty-three million taxpayers used the online Get Transcript application in the latest filing season.
… The hackers obtained sensitive personal information from outside the service to get through the security hurdles. However, they did not gain access to the core IRS system or the tax accounts it holds, the IRS said.
However, the personal data they acquired "seems to be exactly the kind of information the IRS has," Igor Baikalov, chief scientist at Securonix, told the E-Commerce Times.
… One disturbing possibility for the small number of accounts attacked is that "the hackers specifically identified certain high-value targets they wanted to go after," Radware Security Solutions Director Ben Desjardins told the E-Commerce Times.
… Given that the hackers hit 200,000 or so accounts, the IRS "is apparently lacking security alert systems for being breached, proper authentication using multiple biometric factors, and deep encryption for all customer-sensitive data," he told the E-Commerce Times.




Does this increase their liability? Is their “routine” monitoring timely enough to prevent problems? How about the dozens of social media sites they are not monitoring? Who does the monitoring, a psychologist or a teacher?
From the it’s-for-the-kids dept.:
Daniel Dahm reports:
The Orange County school district is now monitoring students’ social media messages in an effort to curb cyberbullying, crime on campus and suicide.
Orange County Public Schools announced Thursday that it has acquired software to monitor social media “to proactively prevent, intervene and (watch) situations that may impact students and staff.” The district has obtained an annual license with SnapTrends, software that monitors Twitter, Facebook, YouTube and Instagram. [What about the ones listed here: http://en.wikipedia.org/wiki/List_of_social_networking_websites Bob]
The district said it plans to use the software to conduct routine monitoring for the purposes of prevention or early intervention of potential issues in which students or staff could be at risk to themselves or to others.
Read more on ClickOrlando.




Perhaps on the Internet, someone does know you're a dog. Once that anonymity is gone, the downside is huge.
Silk Road Mastermind Sentenced to Life in Prison
The highly educated 31-year-old, whose devoted parents have followed every twist and turn in the case, displayed no emotion as he stood in dark prison scrubs to hear his fate from Federal Judge Katherine Forrest.
She sentenced Ulbricht, who used the online alias of "Dread Pirate Roberts" and commissioned five contract killings, to two life sentences for narcotics distribution and criminal enterprise.
Forrest also imposed maximum terms of five, 15 and 20 years for separate hacking, trafficking in false documents and money laundering convictions, to be served concurrently.




But this is not just for the FBI, right?
FBI inches closer to expanded search powers
The Department of Justice (DOJ) is one step closer to making a controversial change in how judges issue warrants for computer searches.
The department confirmed to multiple news outlets that a United States Courts committee has approved its request to give judges the power to authorize warrants for electronic searches in multiple jurisdictions or when investigators don’t know the physical location of a device.
… Tech companies like Google, computer scientists and privacy advocates have decried the potential change, which they believe would give the FBI the authority to hack computers with little oversight.




The market loves social media.
Snapchat Raises $537.6 Million In New Funding As App Makes Media Push
Snapchat raised $537.6 million in new venture capital funding, the company disclosed Friday in a regulatory filing.
The filing does not state how much the stock sold for or name the buyers and sellers. Since its inception, Snapchat has raised more than $1 billion in outside funding, and has been said to be raising at a valuation of more than $15 billion.




For my Data Management students.
General Mills Builds Up Big Data to Answer Big Questions
… How did you get started?
Coming in as an outsider, my first couple of months were focused on figuring out what we really do at General Mills. The very first thing I had to do was sit down and do a catalog of all the different data we commonly use and what we use it for. I started asking around, “Does anybody have a data diagram that tells me the data you have and where it’s being used?” No one had it. So I started doing diagrams to say where the data was connected, where are they not, and asking, where should they be? Where are the various data being used in analyses? Where should they be?
… How can you tell the company is successfully operationalizing analytics?
For us, it’s how many people are using our stuff and asking for more stuff. Ultimately, a company is successful if it can say decisions made by analytics led to incremental profit.




My weekly chuckle.
Hack Education Weekly News
… Chris Christie was for the Common Core before he was against it. (He’s proposed that New Jersey drop the standards that Christie once pushed for.) As Politico notes, “The Republican flip-flop on the Common Core is nearly complete,” with almost every (potential) Republican presidential candidate now opposing the CCSS – save Jeb Bush.
… “Many students in Silicon Valley community not reading by 3rd grade,” so San Mateo County is launching a campaign that will, among other things, help expand preschool programs for low-income families. [Shouldn't they expand the reading program? Bob]
… “Neither the legal principle of academic freedom nor the receipt of outside financial support for his work gives a public-college lecturer a right to declare his correspondence private, the University of Kansas argued this week in state court.” More on the legal battle between the university’s director of Center for Applied Economics and Students for a Sustainable Future in The Chronicle of Higher Education.
… “7 in 10 schools now have shooting drills, needlessly traumatizing huge numbers of children,” Vox reports.
Via NiemanLab: “What happened when a college newspaper abandoned its website for Medium and Twitter.” (A look at student journalism at Mt. San Antonio College.)
… Via Campus Technology: “Why Blogging Is Key to the Future of Higher Ed.” (A look at the digital learning initiatives out of Virginia Commonwealth University.)
Via Education Week: “Data breaches are costing companies in education up to $300 per compromised record, making it the second most impacted sector – behind only healthcare – for businesses with lost or stolen records globally, according to research released Wednesday by the Ponemon Institute.”




We have a student club for exercise fanatics. (I can watch them all day) These might be useful.
Train for a Half Marathon with These Running Websites & Tools
Read on to discover seven great websites with tons of information and tools you need to get started.


Friday, May 29, 2015

...because it's hard to forget or misplace a fingerprint or an iris? Or because a fingerprint identifies you every time on every device?
Japan's Largest Mobile Provider to Ditch Passwords
Japan's largest mobile service provider, NTT DoCoMo, said it would replace passwords with biometric credentials on a number of its online services, in a step to move users closer to a password-free world.
Starting Wednesday, NTT DoCoMo customers with smartphones capable of handling biometric authentication will be able to access several online services using iris recognition or fingerprint authentication, the company said.




Did I miss this? Professor Soma forwarded an email that makes me think I did.
2015 Data Breach Investigations Report
Prepare your enterprise to conduct individualized self-assessments of risk, so you can make realistic decisions on how to avoid cyber threats. The 2015 DBIR expands its investigation into nine common threat patterns and sizes up the effects of all types of data breaches, from small data disclosures to events that hit the headlines.




Interesting, but I think we're still a long way from understanding, let alone controlling sexting. Would receipt of an unsolicited photo be an “invasion” of privacy? How would you prove it was unsolicited? Forwarding the photo is a different kettle of fish.
Michael Miller reports:
School officials on Wednesday said they reported a case of sexting to police to protect the privacy of students whose naked photos were being shared.
A female student saw pictures of a friend on a classmate’s phone in April and reported it to the assistant principal. The school’s resource officer called the Cape May County Prosecutor’s Office.
An investigation led to criminal charges being filed against 20 students at Lower Cape May Regional High School and the Richard M. Teitelman Middle School for allegedly invading the privacy of several female classmates.
Read more on Press of Atlantic City.
[From the article:
The students, including an 18-year-old, were charged with a third-degree crime. Those under 18 face a two-year sentence in a training school for juvenile offenders. The older student could face a sentence of up to five years in state prison.




Is this a disconnect between lawyers and techies? I wonder which side made the assertion that “consumers” could opt out? Did the lawyers just select a few phrases from some “standard” privacy policies?
Elizabeth Litten writes:
This case has nothing to do with HIPAA, but should be a warning to zealous covered entities and other types of business entities trying to give patients or consumers more information about data privacy than is required under applicable law. In short, giving individuals more information is not better, especially where the information might be construed as partially inaccurate or misleading.
Read more on Fox Rothschild Privacy Compliance & Data Security.
[From the article:
The complaint alleged, among other things, that although Nomi’s published privacy policy stated that Nomi would “allow consumers to opt out of Nomi’s [data tracking] service on its website as well as at any retailer using Nomi’s technology,” Nomi actually only allowed consumers to opt-out on its website — no opt-out mechanism was available at the clients’ retail stores.
… The odd aspect of this complaint and consent order is that Nomi did not track or maintain information that would allow the individual consumers to be identified. The media access control (MAC) address broadcast by consumers’ mobile devices as they passed by or entered the stores was cryptographically “hashed” before it was collected, creating a unique identifier that allowed Nomi to track the device without tracking the consumer him/herself. As dissenting Commissioner Maureen Ohlhausen points out, as “a third party contractor collecting no personally identifiable information, Nomi had no obligation to offer consumers an opt out.” The majority, however, focuses on the fact that the opt out was partially inaccurate, then leaps to the conclusion that the inaccuracy was deceptive under Section 5 of the FTC Act, without pausing to reflect on the fact that the privacy policy and opt out process may not have been required by law in the first place.
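The excerpt above turns on one technical detail: hashing a MAC address before storing it yields a stable per-device identifier, which is exactly what makes cross-visit tracking work. The example below is added here to show why that is so and what an operator would change if the goal were to limit linkability rather than merely avoid storing the raw MAC. It is not Nomi's code or a description of its system; the sample MAC addresses, the HMAC-with-per-period-key scheme and the function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample MAC addresses (not real devices). A phone broadcasts its
# MAC in Wi-Fi probe requests, which is what an in-store sensor would observe.
SAMPLE_MACS = ["a4:5e:60:12:34:56", "A4-5E-60-12-34-56", "00:1a:2b:3c:4d:5e"]


def normalize_mac(mac: str) -> bytes:
    """Canonicalise a MAC string so one device always yields one identifier,
    whatever separator or letter case the sensor logged it with."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def plain_hash_id(mac: str) -> str:
    """Unkeyed SHA-256 of the MAC (the 'hashed before collection' design).

    Stable per device, so it supports tracking a device across visits; but
    the hash depends on nothing secret, so any party that observes the same
    MAC can recompute the identifier and link it to the stored records.
    """
    return hashlib.sha256(normalize_mac(mac)).hexdigest()


def keyed_id(mac: str, key: bytes) -> str:
    """HMAC-SHA256 of the MAC under a secret held only by the operator.

    Still stable per device for the key holder, but an outside party holding
    an observed MAC cannot reproduce the identifier without the key.
    """
    return hmac.new(key, normalize_mac(mac), hashlib.sha256).hexdigest()


def period_key(master_key: bytes, period: str) -> bytes:
    """Derive a per-period key (for example one per day) from a master key, so
    identifiers from different periods cannot be joined into a long-term
    movement history even by the operator."""
    return hmac.new(master_key, period.encode(), hashlib.sha256).digest()


def linkability_report(mac: str, master_key: bytes) -> dict:
    """Summarise, for one device, which identifiers can be linked by whom."""
    observed_by_outsider = plain_hash_id(mac)      # outsider needs no secret
    day1 = keyed_id(mac, period_key(master_key, "2015-05-28"))
    day1_again = keyed_id(mac, period_key(master_key, "2015-05-28"))
    day2 = keyed_id(mac, period_key(master_key, "2015-05-29"))
    return {
        # an outsider who sees the MAC reproduces the stored plain identifier
        "plain_linkable_by_outsider": observed_by_outsider == plain_hash_id(mac),
        # within one period the operator can still count repeat visits
        "keyed_stable_within_period": day1 == day1_again,
        # across periods the identifiers do not join up
        "keyed_linkable_across_periods": day1 == day2,
    }


if __name__ == "__main__":
    master = secrets.token_bytes(32)  # constructed; would live in an HSM/KMS
    for sample in SAMPLE_MACS:
        print(sample, plain_hash_id(sample)[:16], linkability_report(sample, master))
```

The point for a reviewer of such a system: "hashed" on its own only removes the raw MAC from storage; whether the result is a pseudonym that third parties cannot link depends on a key they do not have, and whether it is a long-term tracking identifier depends on how often that key rotates.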




No “opt out” here. I wonder if whatever the police are “targeting” was kept and everything else deleted immediately would reduce the concerns? But then, often there is no specific license plate being searched for. If you fall into a “pattern” the police have established, your data is retained. Unfortunately, unless they know where and when I normally drive, they can't eliminate me.
Martin Kaste reports:
License plate scanners have become a fact of life. They’re attached to traffic lights, on police cars — even “repo” staff use them. All those devices have created a torrent of data, raising new concerns about how it’s being stored and analyzed.
Bryce Newell’s laptop is filled with the comings and goings of Seattle residents. The data comes from the city’s license plate scanner, acquired from the police through public disclosure requests. He plugs in a license plate number, uncovering evidence of long-forgotten errands.
Read more on NPR.
[From the article:
Ron Sloan is director of the Colorado Bureau of Investigation. They've tried analyzing license plate scans from an area near where a murder victim was found.
"We were able to do some rudimentary analysis of that data to try to determine whether or not there were vehicles that were going through the area that did not live in the area, [I drive through lots of neighborhoods I don't live in. Bob] that were from outside of the area or vehicles that that would not have been their route driving home," he says.




I wonder if this comes with a warning to Facebook?
Justin Brookman writes:
Privacy law in the U.S. is weaker than in most places, but hey, at least we’ve got Section 5.
While many countries around the world have affirmative privacy protections for most data, the U.S. instead enforces a hundred-year old prohibition against deceptive business practices to merely prohibit companies from tricking people about data practices. In recent years, the FTC has expanded its interpretation of Section 5’s ban on deceptive practices to apply not just to misstatements but also to affirmative omissions—that is, when by failure to mention a potentially controversial privacy practice, the company is effectively trying to deceive consumers. This line of enforcement is all in the name of creating external accountability for privacy practices, and a transparent market for personal information. This market is far from perfect, and I think the law should do more to empower people to assess various privacy practices and control the flow of their information.
Still, at bottom, the U.S. has always had one (fairly low!) baseline: don’t lie about what you’re doing.
Recently, however, even this weak standard has been called into question—by two sitting Commissioners of the FTC no less.
Read more on IAPP.




Apparently this is even stranger than I first thought. If you read the statement, it looks like the New Jersey DA was more 'saving face' than righting wrongs.
Earlier today, I posted the press release from New Jersey about its settlement with Tidbit’s developer, Jeremy Rubin.
Here’s his take on the issues and settlement:
There are some good and bad parts of the settlement. Although I am unhappy with how it reads at a glance — it seems like a defeat — under closer inspection, you can see that New Jersey’s ‘victory’ is Pyrrhic at best.
Read his full statement on Medium.




Unlikely to be followed, but what else is new about UN “suggestions?”
UN Report Champions Encryption and Anonymity
by Sabrina I. Pacifici on May 28, 2015
EPIC – “The UN Special Rapporteur on Freedom of Expression released a report today supporting strong encryption and anonymity tools. The Rapporteur finds that, “States should not restrict encryption and anonymity, which facilitate and often enable the rights to freedom of opinion and expression.” EPIC previously urged the UN to support secure, anonymous communications, stating, “In our modern age, encryption is the key technique and anonymity is the core legal right that protects the right to privacy.” EPIC published the first comprehensive survey of encryption use around the world and worked in support of the OECD Cryptography Guidelines of 1997.”


(Related) See what I mean? To decrypt any encrypted communication, you must control the keys to all encrypted communications.
Glyn Moody reports:
The new Investigatory Powers Bill, announced in yesterday’s Queen’s Speech, will include legislation to force Internet companies to give access to encrypted conversations of suspected terrorists and criminals. According to The Telegraph: “New laws will require WhatsApp, which is owned by Facebook, Snapchat and other popular apps to hand messages sent by their users to MI5, MI6 and GCHQ about suspects under investigation.”
Read more on Ars Technica.




I did this in a Risk Management class. It touches all the bases and actually gets students arguing!
Remember DoD’s Counter-Zombie Plan? It's Actually a ‘Brilliant’ Preparedness, Mitigation, and Response Strategy for New and Unforeseen Threats
It’s been many months since the Defense Department’s fictitious CONPLAN 8888-11, Counter-Zombie Defense, was made public and held up to ridicule – some declaring it another example of wasteful Pentagon spending. I mean, come on, frittering money on a fictitious plan for countering a zombie apocalypse? But the fact is, CONPLAN 8888-11 is brilliant on so many levels.




As if “Female” wasn't enough (also inevitable) note that her area of expertise is “security and terror.” That's a much more interesting (and somewhat depressing) “first.”
Oxford University first female head
Oxford University is set to have a female head for the first time in its history, with the nomination of Louise Richardson as vice chancellor.
Prof Richardson is currently in charge at St Andrews and has previously had a senior role at Harvard University.
If she is formally adopted as the 272nd vice chancellor, Prof Richardson will follow almost eight centuries of male heads of Oxford University.
… Lord Patten said the nominating committee had been "deeply impressed" by Prof Richardson's strong commitment to "scholarly values" and her record as an "educational leader".
A political scientist, her academic expertise has been in security and terror. She has written books about terror and counter-terror in the wake of the 9/11 attacks in the United States.




For my Business Intelligence students. How do you separate the wheat from the chaff? This is not so different from political spin doctors, but is it more likely to be believed?
Russia steps up propaganda push with online “Kremlin trolls”
Deep inside a four-story marble building in St. Petersburg, hundreds of workers tap away at computers on the front lines of an information war, say those who have been inside. Known as “Kremlin trolls,” the men and women work 12-hour shifts around the clock, flooding the Internet with propaganda aimed at stamping President Vladimir Putin’s world vision on Russia, and the world.
… She described how the trolls manage several social media accounts under different nicknames, such as koka-kola23, green_margo and Funornotfun. Those in her department had to bash out 160 blog posts during a 12-hour shift. Trolls in other departments flooded the Internet with doctored images and pro-Putin commentary on news stories that crop up on Russian and Western news portals.




For my Data Governance students.
3 Keys to Data Modernization
Focus on Data Strategy and Data Quality
Do not underestimate the importance of a well-managed data governance team to document the processes and define the data standards and strategy to support those processes.
Understand Data Relationships across the Business
In order for businesses to use data most effectively, we must understand the relationship of the data across the business.
Keep a Flexible Data Platform
The final key to successful data modernization is using a platform that is flexible enough to be globally useful.




For all my students. They come in using the latest technology and wonder why we teach them stuff from ancient (in Internet years) history. E.g., my current textbook on Business Intelligence makes no mention of social networking.
Breaking the Death Grip of Legacy Technologies
Technologies like 3-D printing, robotics, advanced motion controls, and new methods for continuous manufacturing hold great potential for improving how companies design and build products to better serve customers. But if the past is any indicator, many established firms will be slow to adjust because of a formidable obstacle: legacy assets and capabilities that they are reluctant to abandon. Why are older incumbent firms slow to adopt new technologies even when the economic or strategic benefits are clear?
The literature on this subject is enormous. Much of the early work focused on the adoption rate of new technologies following an S-curve, with some users going early, a lot in the middle, and some following late. These models assume that it takes a while for companies to find out about new technology and, once they do, for their employees to assimilate and use it.


Thursday, May 28, 2015

God helps those who help themselves and God help those who don't. How much would your liability rise if there were records proving you had been warned but did nothing?
Gwyn D’Mello reports that an online music site was hacked to make a point after they failed to secure their site despite multiple warnings:
A white hat hacker used an exploit to gain access to Gaana.com user credentials, because they neglected to fix a security bug he reported.
It seems Gaana.com was hacked a few hours ago, with user data and credentials being accessed. But, in a fortunate turn of events, the responsible party turned out to be a white hat hacker.
[…]
Mak Man, the hacker responsible, detailed the incident in a Facebook post, saying he had reported the exploit to the website’s team on multiple occasions, but was ignored. He says he was trying to bring attention to the glaring hole in their security, and had no malicious intent.
While users’ credentials were accessed, Mak Man has since said that the data was being queried in real time, and was not stored or copied on their server.
Read more on DNA.
The site notes that all its passwords were hashed. See their tweets about the incident.


(Related) Don't pay the ransom, but there are still things you can and should do.
The mSpy data breach is the kind of breach that I cover over on databreaches.net, but the privacy implications of this one are so severe that I thought I should note it here.
If you’re using spyware to spy on your children or a partner – regardless of whether you call it spying or “monitoring” or any other euphemism – note that you – and they – can be exposed in a breach by companies that do not take adequate security protections.
Brian Krebs has been all over this breach. Today, he writes:
The mSpy data was leaked to the Deep Web, where hundreds of gigabytes of files, chat logs, location records and other data was dumped after the company reportedly declined to comply with extortion demands made by hackers who’d broken into mSpy’s servers. Included in that huge archive is a 13 gigabyte (compressed) directory referencing countless screen shots taken from devices running mSpy’s software — including screen shots taken secretly by users who installed the software on a friend or partner’s device.
The log file of the screen shots taken from mSpy-infested devices doesn’t store the actual screenshot, but instead includes incomplete links to the images. Incredibly, nearly two weeks after this breach became public, all of the leaked screen shots remain viewable over the Internet with nothing more than a Web browser if one knows the base URL that precedes the file name. And that base URL is trivial to work out if you have an active mSpy account.
Read more on KrebsOnSecurity.com.
[From Krebs:
Almost a week after I requested comment from mSpy, a person named Amelie Ross responded with a somewhat nonsensical statement that essentially said the whole incident was dramatically exaggerated and aggravated by the media.
“Data logs do not include the information of the account user, therefore cannot be tracked back to data owner,” Ross said, ignoring the fact that I was able to identify and contact many of the company’s customers.




Local. We may not have as many skimmers as Florida, but we aren't immune either.
Police are hoping that citizens can help catch some men suspected of attaching credit card ‘skimmer’ devices at local banks… The devices have been discovered on ATM machines at both branches of Bank of Colorado in Grand Junction.
Read more on WesternSlopeNow.com.




Something for my Ethical Hacking students to push?
ACLU: Feds should offer rewards for finding cybersecurity flaws
… The group told the Department of Commerce Internet Policy Task Force in a letter Wednesday to provide financial incentives for security researchers who bring flaws to the government's attention. Such rewards are common practice at large tech firms.




Do we have to do this state by state? No mention of any other state's DA being involved.
Acting Attorney General John J. Hoffman and the New Jersey Division of Consumer Affairs obtained a settlement with the developer of “Tidbit,” a software code designed to help websites generate revenue by using their viewers’ computers to mine for the virtual currency known as Bitcoin.
A New Jersey Division of Consumer Affairs investigation has found that, despite initial assertions by Tidbit’s developer, the software was used to gain access to computers owned by persons in New Jersey, without the computer owners’ knowledge or consent.
The Division further found that the developer of Tidbit offered and provided the software to web developers without reviewing their privacy policies, and without having any control, compliance, or review mechanism in place. The Division alleges that these actions constituted violations of New Jersey’s Computer Related Offenses Act and Consumer Fraud Act.
… Pursuant to the Consent Order announced Tuesday, Tidbit’s developer is prohibited from accessing or attempting to access New Jerseyans’ computers without clearly and conspicuously notifying the owners and obtaining their verifiable consent. The Consent Order also includes a $25,000 monetary settlement that shall be suspended and automatically vacated within two years, provided the software developer complies with the settlement terms.
… Bitcoins are generated or “mined” through the solving of highly complex algorithms, a process that requires significant amounts of computer processing power.
… Rather than show ads to consumers, and earn money by selling space to advertisers, websites that use Tidbit would earn money by taking over part of the processing power of computers that visited those sites, and by using those computers to mine for Bitcoins.




For my Computer Security students. Facebook should sell T-shirts with a big bulls-eye on them. Add this to your weaponized drone software as “automatic targeting” and SkyNet is here?
Facebook Messenger sends out 'creepily' precise location data, as revealed by Marauders Map Chrome extension
Facebook sends out such precise data to people you chat with that your location can be tracked to individual streets, a new Chrome extension shows.
Every time a person sends a Facebook message from a phone, it sends out their location to the person chatting with them. The extension scrapes all of that data and overlays it on a map, meaning that a precise chart of people’s movements can be done using those conversations.
… Some of the data sent out makes it possible to pinpoint locations to less than a meter, he said, and that can be used to figure out people’s regular schedule or to spy on them. Khanna points out that it doesn’t take many messages to work out people’s habits, especially if a number of people collude to share their data.
… The location sharing can easily be turned off. iOS users can do so by heading to settings and then location services, and turning location off for Facebook Messenger. Android users can go on the app itself, head to its settings, and turn off Location Settings.




For my Statistics students. Often, we assume we know things we don't know. Or at least lawmakers do.
… The plaintiffs are challenging the usual method (counting total number of people living in a district) and are asking that states use the total number of eligible voters instead. The trouble is, we don’t have robust statistics on the number of eligible voters. If the Supreme Court were to set new standards for districting, we would need to overhaul the nation’s statistics and surveys.




Another area where auto-completion will no doubt cause confusion and amusement.
Google’s ‘Mind-Reading’ Search Answers Your Questions Before You Finish Typing
When Google introduced "Instant" to its search engine five years ago, it quickly became another feature that cemented Google as many persons' go-to provider. With features like that and the overall accuracy, it's no wonder why Google hogs 65% of the world's search market share.
Well... it looks like Google's search is about to become even better. So much better, in fact, that it aims to answer a question before you can even ask it. A good example can be seen below:




For the “I want it now!” generation. (and another weapon in the Amazon-Google war)
Amazon expands same-day delivery, offers free shipping on orders over $35
Amazon.com Inc said on Thursday it will expand same-day delivery to San Diego and the Tampa Bay Area under its Prime shipping service, which has been an engine of revenue growth for the online seller.
Amazon offers same-day delivery to Prime members for $5.99 per order and non-members for $8.99 plus 99 cents per unit. It will now allow Prime members free same-day shipping on orders over $35, Greg Greeley, head of Prime, told Reuters.
"We know same-day delivery volumes will grow dramatically now that we are making it free," he said.




Another example of the US as the world's police force? Interesting questions on where these crimes took place and what the laws were in those countries. Or do we not really care?
FIFA officials to be indicted by U.S. on corruption charges
About 10 officials of FIFA, the governing body of world soccer, will be indicted in the U.S. on Wednesday on corruption charges involving the awarding of the World Cup and marketing and broadcast deals.


(Related) On the other hand, this does not surprise me at all.
The world's biggest brands could sue FIFA for millions over 'wasted' marketing budgets
The arrests of several FIFA officials on Wednesday on racketeering and corruption charges have already led to a number of big name sponsors questioning whether they will continue with their advertising contracts.
But the charges, which relate to more than $150 million in alleged bribes and kickbacks from the 1990s to today, not only place Qatar's 2022 World Cup hosting in jeopardy, they also could lead to some of the world's biggest brands suing FIFA for advertising and marketing money already spent on the event.




Looks like the Russian economy has rebounded enough to start this stupidity again. (Or perhaps certain naysayers have been silenced?)
Reuters reporter: Russia is amassing unmarked tanks and soldiers on its border with Ukraine
Russia's army is massing troops and hundreds of pieces of weaponry including mobile rocket launchers, tanks and artillery at a makeshift base near the border with Ukraine, a Reuters reporter saw this week.
Many of the vehicles have number plates and identifying marks removed while many of the servicemen had taken insignia off their fatigues. As such, they match the appearance of some of the forces spotted in eastern Ukraine, which Kiev and its Western allies allege are covert Russian detachments.




For all my students.
How Famed Tech Analyst Mary Meeker Foresees the Future of the Internet
The ever-mounting number of users to join the World Wide Web may finally be starting to plateau. So says esteemed tech analyst Mary Meeker, partner at Kleiner Perkins Caufield & Byers, in her 20th annual Internet Trends report, which she presented today at the Code Conference in California.
To be fair, Internet user growth is still solid, Meeker says, but only increased by 8 percent in 2014 compared to 10 percent in 2013. Smartphone subscriptions followed a similar trajectory, posting increases of 23 percent last year versus 27 percent the year prior.
Her report, embedded below, covers a vast array of topics, including the expected proliferation of drone usage in 2015. Meeker predicts that 4.3 million total consumer drones will be shipped in 2015, comprising a $1.7 billion market.
Meeker also covers the ways in which today’s youth is consuming -- and increasingly creating -- content on the Web.


(Related) This may help me communicate with my students. (I did say, “May.”) My library does not have this yet.
Microsoft Researcher Nancy Baym offers her new take on communication in the digital age
… MIT Comparative Media Studies and Microsoft Researcher Nancy Baym took time out to publish her research on the related phenomenon. Five years ago, Nancy published Personal Connections in the Digital Age. The publication was an investigation into whether technology had the capacity to diminish the interpersonal relationships or in some way negatively impact humanity as a whole.
… Nancy has updated her research publication to include the additional years and has now published a second edition of Personal Connections in the Digital Age, released this week.
… “In the second edition, in particular, I wanted to show that research done before social networking sites existed still has relevance. We don't need to invent the conceptual and empirical wheels anew with each new medium.” [Brilliant! Bob] During the interview, Nancy was also asked about her opinion on whether or not we are on a road to losing intimacy of personal connections? Her short answer was no.




Something for the geek toolkit.
Remote Access Tools or How to Be In Two Places at Once
The right remote access tools can help you connect to and operate a computer in your office as if you were sitting right in front of it. They vary in ease of use, features and cost, but we've collected five of the best for your consideration.


(Related) For the entrepreneur's toolkit.
Free Technology Resources for Small Business Start-Ups




For my data crunching students.
Dasheroo Delivers Insight into Critical Business Metrics
There's certainly no shortage of social media outlets, emarketing sites and online services to help you reach the Internet masses and grow your small business. But there is a shortage of time to track your business' performance on them all. Sure, you can log into Google Analytics, then Facebook, then Salesforce, then MailChimp and so on to check the performance snapshots that each service offers. But what you really need is a dashboard for your dashboards—which is precisely what Dasheroo delivers.
… At the present time, Dasheroo lets you choose from a solid selection of 18 popular online services (with more Insights in the works) that includes Google Analytics, Facebook, Twitter, Google Sheets, YouTube, Campaign Monitor, MailChimp, Instagram, Salesforce, LinkedIn, SurveyMonkey, Vertical Response, Constant Contact and others. Simply select the services you want Dasheroo to track, enter your log-in info for each (you only have to do that once), and you're ready to construct your custom Dashboard.
[From the Dasheroo website:
20 Years for FREE! We love you, our early adopters! So, for all of you that sign-up by June 15, 2015...drum roll please: You’ll get Dasheroo Grande plan FREE for the next 20 years. Yup. Free. Until 2035.


(Related) For my Data Management students.
Did You Realize There Were So Many Facebook Apps?
… The official messaging app, Facebook Messenger, is a widely-used form of communication. You can not only send messages to your Facebook friends, but those in your phone’s contact list as well. You can create group chats, send photos and videos, and see when others have viewed your messages. Facebook Messenger is available for both iOS and Android.




For all my students. Very handy App.
Office Lens - Now Available on Android, iOS, and Windows Phones
Office Lens is an app from Microsoft that is designed for converting pictures of notes on whiteboards and paper into notes that can be edited in Microsoft Word or PowerPoint. I wrote about the app eight weeks ago when it was still in a limited beta for Android users. Office Lens is now available for all Android users. You can find the app in the Google Play store. The iPhone version is available here and the Windows Phone version can be found here.
Probably the best aspect of Office Lens is that hand-drawn images and figures captured through the app can be separated from the text to move and manipulate as individual objects in PowerPoint slides. See the video below for an overview of Office Lens.
Office Lens could be a great app for students to use to snap a picture of something on a whiteboard then add their own comments to it in a Word Document.
The option in Office Lens to separate hand-drawn objects could be a good way to digitize a brainstorming session. When I brainstorm I often do it in a paper notebook that has pages of edits. By taking a picture of the brainstorming session I could separate each part of the notes then move them into new positions on slides or in a document.


Wednesday, May 27, 2015

Hackers would be lucky to get 1% of what a breach costs an organization, but then they can do this hundreds of times.
Cost of data breaches increasing to average of $3.8 million
The total average cost of a data breach is now $3.8 million, up from $3.5 million a year ago, according to a study by data security research organization Ponemon Institute, paid for by International Business Machines Corp.
The direct costs include hiring experts to fix the breach, investigating the cause, setting up hotlines for customers and offering credit monitoring for victims. Business lost because customers are wary after a breach can be even greater, the study said.
… "Most of what's occurring is through organized crime," said Caleb Barlow, vice president of IBM Security. "These are well-funded groups. They work Monday to Friday. They are probably better funded and better staffed than a lot of people who are trying to defend against them."
… The cost of a data breach is now $154 per record lost or stolen, up from $145 last year, according to the study, based on interviews with 350 companies from 11 major countries that had suffered a data breach.
… The study found that healthcare was most at risk for costly breaches, with an average cost per record lost or stolen as high as $363, more than twice the average for all sectors of $154.


(Related) And don't forget the fine!
Last July – and I missed this one at the time – Stan Diel reported:
A laptop computer including some Sterne Agee Group Inc. clients’ account numbers, Social Security numbers and other personal information has been missing since the end of May and the firm has offered some customers free identity theft protection services as a result, a letter to clients indicates.
In the letter dated June 27 the Birmingham-based investment banking firm indicates that an employee’s laptop went missing on May 29 or May 30, and that it included unencrypted identifying information about Private Client Group customers whose accounts were open as of May 29. It also may have included information about Sterne Agee & Leach clients whose accounts were open between July 1, 1992 and June 30, 2013, the letter states.
It turns out the breach was an even bigger deal than the media knew at the time. Today, Law360 reports:
The Financial Industry Regulatory Authority accepted a settlement Friday requiring Sterne Agee & Leach Inc. to pay a fine and review its security protocols after a technician left in a restroom an unencrypted laptop containing sensitive information about 352,551 clients.
Sterne Agee will pay a $225,000 fine over the allegations. The regulatory agency said the firm had been aware of the need to protect information stored on laptops for years but that measures to do so were delayed twice pending budgetary approval.
So failure to invest in encrypting laptops cost them $225,000 plus the costs of the data breach itself? Ouch.


(Related) Another way to seriously increase the cost of a breach: ignore the notification but provide the tipster with a read receipt!
Oh my. DataBreachWallofShame.org posted some of CISO Darknet Group’s attempts to alert Adult Friend Finder back on March 12 that their data had been stolen and were up for sale. The alert was pretty clear, and they got a read receipt – but not actual acknowledgement.
Note that their alert made it clear that FFN did not have to hire them to get the information:
This is not a hard sell or scare tactic, this is what our organization was built on; CyberHumint methodologies for fraud prevention. This information will be provided to you free and our work pro-bono.
So why didn’t FFN respond?
They would later claim they never got the notification – despite, apparently, the read receipt.
More than two months later, on May 22, CISO Darknet Group claims they tried again to notify FFN:
I was just alerted that Adult Friend Finder Network have recently contacted law enforcement concerning your data breach. As you can see from the email below we tried to alert you 2 months ago. We still have access and profile of the bad-actor behind your breach as well as access to all the records compromised.
We can certainly assist should there be an acknowledgment of this alert this time.
And… wait for it… another read receipt – this time allegedly from Diana Ballou, Vice President, Senior Counsel – Corporate Compliance and Litigation – but again, no personal message or request for information.
Read the emails and see what you think. One disclaimer: I have no way of verifying the accuracy of any of their claims, but I’m betting that when a class action lawsuit is filed (or has one been filed already), these emails are going to come into play. And not only may they come into play by plaintiffs, but FFN’s insurer may try to use them to limit their responsibility to FFN.
We’ll see….
Update 1: Friend Finders Network is standing by their statement that despite the read receipt, the March 12th alert with the subject line “BREACH ALERT! URGENT!” was never read and went to a spam folder.
I don’t see how both things can be true – that they never read it but issued a read receipt (unless they send read receipts for everything, including spam) – but aren’t they still responsible for configuring their spam filters? Does no one actually go through the spam folder to catch false positives?
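The "read receipt vs. never read it" question has a technical answer that the emails themselves would settle. A read receipt is a Message Disposition Notification (RFC 3798, now RFC 8098), and its Disposition field records whether the mail client sent it automatically or a human confirmed it. The following is an added example (not code from DataBreaches.net, CISO Darknet Group or FFN, and the messages, addresses and Message-IDs in it are constructed placeholders) that parses a sample MDN to answer that question, and shows the triage rule a security team would want in front of its spam filter: anything that reads like a breach report lands in a monitored queue regardless of spam score.

```python
import email
from email import policy

# Constructed sample: an MDN ("read receipt") as a mail client would
# generate it in reply to a notification with subject "BREACH ALERT! URGENT!".
# All addresses and Message-IDs are placeholders, not real values.
SAMPLE_MDN = b"""From: compliance@example.com
To: alerts@example.org
Subject: Read: BREACH ALERT! URGENT!
Message-ID: <mdn-0001@example.com>
Content-Type: multipart/report; report-type=disposition-notification; boundary="b1"

--b1
Content-Type: text/plain

The message sent on 12 Mar 2015 to compliance@example.com with subject
"BREACH ALERT! URGENT!" has been displayed.
--b1
Content-Type: message/disposition-notification

Reporting-UA: mail.example.com; Example Mail Client 1.0
Original-Recipient: rfc822;compliance@example.com
Final-Recipient: rfc822;compliance@example.com
Original-Message-ID: <alert-0001@example.org>
Disposition: automatic-action/MDN-sent-automatically; displayed

--b1--
"""

# Constructed sample: the kind of inbound tip that a spam filter alone
# should never be allowed to bury (the X-Spam-Flag header is made up here).
SAMPLE_ALERT = b"""From: tipster@example.net
To: compliance@example.com
Subject: BREACH ALERT! URGENT!
Message-ID: <alert-0001@example.org>
Disposition-Notification-To: tipster@example.net
X-Spam-Flag: YES
Content-Type: text/plain

Your customer records are being offered for sale. No fee, pro bono.
"""


def mdn_fields(msg):
    """Return the MDN field block of a multipart/report message as a dict,
    or None if the message carries no disposition notification part."""
    for part in msg.walk():
        if part.get_content_type() != "message/disposition-notification":
            continue
        payload = part.get_payload()
        # The stdlib parser treats a message/* body as a nested message,
        # so the MDN fields arrive as the headers of that inner message.
        if isinstance(payload, list):
            inner = payload[0]
        else:
            inner = email.message_from_string(str(payload), policy=policy.default)
        return {k: str(v) for k, v in inner.items()}
    return None


def receipt_was_automatic(raw):
    """True if the client sent the receipt without a human decision,
    False if a person confirmed it, None if the message is not an MDN.
    The action mode lives in the first half of the Disposition field."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    fields = mdn_fields(msg)
    if fields is None:
        return None
    disposition = fields.get("Disposition", "")
    modes, _, _action = disposition.partition(";")
    action_mode = modes.split("/")[0].strip()
    return action_mode == "automatic-action"


# Keywords that mark a message as a possible security report (assumed list).
BREACH_KEYWORDS = ("breach", "vulnerability", "security incident", "data leak")


def triage(raw):
    """Route an inbound message: anything that looks like a security report
    goes to a monitored security queue even when the spam filter flagged it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    looks_like_report = any(k in subject for k in BREACH_KEYWORDS)
    spam_flagged = (msg["X-Spam-Flag"] or "").strip().upper() == "YES"
    wants_receipt = msg["Disposition-Notification-To"] is not None
    if looks_like_report:
        queue = "security"
    elif spam_flagged:
        queue = "spam"
    else:
        queue = "inbox"
    return {
        "queue": queue,
        "spam_flagged": spam_flagged,
        "wants_receipt": wants_receipt,
        "message_id": str(msg["Message-ID"]),
    }


if __name__ == "__main__":
    print("receipt automatic:", receipt_was_automatic(SAMPLE_MDN))
    print("alert routed to:", triage(SAMPLE_ALERT)["queue"])
```

If a disputed receipt says `automatic-action/MDN-sent-automatically`, the client generated it on display without anyone choosing to send it, which is consistent with "we never read it" only if the client fires receipts for every displayed message, spam folder included. The triage rule is the fix for the underlying problem: a breach notification should reach a human on the security side by routing, not by luck.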




For my Ethical Hacking students. This article shows the text that is supposed to crash iPhones, but I'll leave it out of this post since some (one or two) of my loyal readers may use an iPhone.
A new iPhone bug lets you crash other people's phones with a single text message
There's a nasty new iPhone bug doing the rounds: It's a string of characters that, when sent in a message, crashes the recipient's phone.
We first heard about the issue on 9to5Mac, and it apparently affects only iPhone-to-iPhone communication. After receiving a text with the particular string of characters, Messages will reportedly crash repeatedly. It can also force iPhones to reboot in some circumstances.




For my Computer Security students.
Ransomware Keeps Growing – How Can You Protect Yourself?
There are plenty of threats on the Internet, but few can be as scary as ransomware. These particularly nasty bits of malware not only infect a user’s computer, but they end up trying to get money out of them! It’s a despicable thing to do, but sadly, it’s part of the world in which we live.
How does ransomware keep growing? How is it spreading? Everything you’ve ever wanted to know about ransomware is on the infographic below! Share it with someone you think might fall victim to it.




So it's not that they won't share the data, it's that they take too long when they do?
John Leyden reports:
Skype has been called to appear before a court in Belgium after refusing to hand over customer data following a request for assistance in a criminal investigation.
A court in Mechelen near Brussels wanted “data from messages and calls exchanged on Microsoft-owned Skype”, a regulatory requirement that a Belgian telecoms operator would be required to comply with.
The Microsoft-owned firm declined, Reuters reports.
Read more on The Register.
[From the Register article:
Willems said that police tell him that the time spent by Skype processing these law enforcement requests is becoming a problem.
"It takes for them too long to wait for an official answer from Skype," Willems said. "It's clear that they want to create a precedent as the computer crime units don't want to miss valuable information in the future."




Curious. Is there a “designated driver” exemption?
Joe Cadillic has a justified rant about police going into bars with breathalyzers. The story started in Sacramento before Memorial Day weekend, but there’s also a bill in the California legislature that would expand testing.
Joe writes, in part:
How long before police nationwide will go into bars and force people to blow into breathalyzers and check for possible public inebriation or use ‘Drug Breathalyzers’ on innocent people?
California’s ‘Drug Breathalyzer’ bill is set to do just that:
A California lawmaker introduced a bill that would allow law enforcement to use new ‘Drug Breathalyzers’ on people suspected of driving under the influence of marijuana and other drugs.
Like breathalyzers used to test drivers for alcohol consumption, Assembly Bill 1356 would allow police to use oral fluid devices to check drivers for drug impairment.
Read more on MassPrivateI.
[From the article:
Don't forget DHS is paying police to set up DUI checkpoints. [DHS, It's not just for terrorists! Bob]
… These 'Drug Breathalyzers' can't detect if you've ingested a poppy seed bagel but will alert police that you tested POSITIVE for drugs!
… Obviously the sight of several armed officers walking into a bar with breathalyzers in hand is a buzz kill, to say the least.
One of the bar patrons who’s been exposed to the program explains, “Admittedly we were a bit put off when we were gonna walk in and saw a bunch of cops with breathalyzers.”
A “bit put off” is an understatement!
While these officers are promising not to “test and arrest,” the very idea of police entering bars & restaurants and 'asking' people to submit to breathalyzer tests is appalling!




For my Firefox using students. Remind me to opt out in a few months? And with every new version?
Mike Flacy reports:
In an attempt to sell advertising space in a user’s new tab page within the Firefox browser, Mozilla is launching a new platform called “Suggested Tiles” specifically for advertisers. Similar to Google using your Web search history to load related advertisements within Google Adsense placements, Mozilla will look through your visited sites within Firefox to suggest an advertiser site to visit and display it on the new tab page.
Read more on Digital Trends, and if you’re a Firefox user, do note the opt-out provisions.
[From the article:
However, there are user protections built into the new feature as detailed on Mozilla’s Advancing Content blog. Users will be able to flip off the Suggested Tiles function by toggling a check box within the browser’s settings. Users can also completely avoid site suggestions by opting for a blank page when opening up a new tab within Firefox.
… Regarding the launch of Suggested Tiles within Firefox, Mozilla is expected to launch the new feature within the Beta version of the browser relatively soon. The full launch of the feature to the most current version of Firefox will likely occur later in the summer.




Perspective.
Internet used by 3.2 billion people in 2015
Nearly half of the global population will be using the internet by the end of this year, according to a new report.
The International Telecommunication Union (ITU), a United Nations body, predicts that 3.2 billion people will be online. The population currently stands at 7.2 billion.
… There will also be more than 7 billion mobile device subscriptions, the ITU said.
It found that 78 out of 100 people in the US and Europe already use mobile broadband, and 69% of the world has 3G coverage – but only 29% of rural areas are served.




Keeping up with the Social Networking industry. Have we reached the “consolidation phase” so soon?
Snapchat planning for IPO
… The four-year-old company, which offers a smartphone app that is popular with teens, declined Facebook's $3 billion acquisition offer in 2013.


(Related)
Twitter Reportedly in Talks to Buy Flipboard


(Related)
Google, Yahoo Have Had Talks to Buy Flipboard




For our Criminal Justice students.
Sunlight Foundation – Opening Criminal Justice Data
by Sabrina I. Pacifici on May 26, 2015
“As part of a new initiative, the Sunlight Foundation has begun amassing an inventory of public and privately-produced criminal justice data. The spreadsheet on this page is a work in progress but we’re publishing it now with hopes that people can use it for research or reporting and even contribute to it. Please go through the spreadsheet — so far we have an inventory started with information from 26 states and the federal government. When we’re done, we’ll have an inventory of data from all 50 states and the District of Columbia. You can read more about this project, submit your own work and feedback [here].”




So I can communicate with my students.
You won't believe the words Merriam-Webster dictionary just added
“Clickbait” has arrived -- in Merriam-Webster’s unabridged online dictionary.
The dictionary announced Tuesday that it has added that word along with about 1,700 other entries, including “emoji” (small images used in email and text messages), “jegging” (a legging that looks like tight jeans), “photobomb” (to jump into a photo as it is being taken) and “NSFW” (not safe for work).


Tuesday, May 26, 2015

You know what they say about “ass u me.” Learn to test, measure, confirm.
Steve Ragan reports:
Last week, CareFirst BlueCross BlueShield (CareFirst) reported a data breach that was initially discovered last year. When the incident was first noticed, the company assumed they had taken care of the problem – only to learn that wasn’t the case ten months later.
The healthcare sector has taken center stage in the recent months as criminals shift from retail and finance towards easier targets. Unfortunately, most healthcare organizations are operating under a number of flawed assumptions concerning security and it’s starting to cause serious problems.
Read more on CSO.




“We don't need no stinking badges!” Nor warrants, or legal justification, or anything except an urge to be like Big Brother.
Cyrus Farivar reports:
The sheriff in San Bernardino County—east of Los Angeles County—has deployed a stingray hundreds of times without a warrant, and under questionable judicial authority.
In response to a public records request, the San Bernardino Sheriff’s Department (SBSD) sent Ars, among other outlets, a rare example of a template for a “pen register and trap and trace order” application. (In the letter, county lawyers claimed this was a warrant application template, when it clearly is not.) The SBSD is the law enforcement agency for the entire county, the 12th-most populous county in the United States, and the fifth-most populous in California.
Read more on Ars Technica.
[From the article:
This template application, surprisingly, cites no legal authority on which to base its activities. The SBSD did not respond to Ars’ request for comment.
"This is astonishing because it suggests the absence of legal authorization (because if there were clear legal authorization you can bet the government would be citing it)," Fred Cate, a law professor at Indiana University, told Ars by e-mail.




I may have posted this before. “You have no right to see if you were wronged.”
Cyrus Farivar reports:
A San Diego, California court has ruled that a tech entrepreneur will not be allowed to access his license plate reader (LPR) records from a regional government agency.
Earlier this month, Superior Court Judge Katherine Bacal handed down a six-page decision to Michael Robertson, finding that he does not have the right, under the California Public Records Act (CPRA), to access records of his own license plate as scanned by members of the San Diego Association of Governments (SANDAG).
Read more on Ars Technica.




The next Big Brother technology?
Anne-Marie Oostveen and Diana Dimitrova report:
Biometric technologies are on the rise. By electronically recording data about individuals’ physical attributes such as fingerprints or iris patterns, security and law enforcement services can quickly identify people with a high degree of accuracy.
The latest development in this field is the scanning of irises from a distance of up to 40 feet (12 metres) away. Researchers from Carnegie Mellon University in the US demonstrated they were able to use their iris recognition technology to identify drivers from an image of their eye captured from their vehicle’s side mirror.
Read more on Phys.org


(Related) Another tool in Big Brother's toolbox.
Charlie Osborne reports:
Security researchers have tracked commuters with over 90 percent accuracy through accelerometer data stolen from Android smartphones.
In a paper describing the research, titled “We Can Track You If You Take the Metro: Tracking Metro Riders Using Accelerometers on Smartphones” (.PDF), a security team hailing from Nanjing University, China say they were able to use motion accelerometers as a side-channel for an attack aimed at tracking users with up to 92 percent accuracy.
Read more on ZDNet.




A step on the slippery slope? (Why does anything I want to say sound like a double entendre?)
Damien Gayle reports:
Britons may soon face identity checks to access adult material on the internet, according to discussions between Whitehall and the private sector.
A scheme proposed by the pornography industry would see adult sites verifying visitors’ identity with organisations such as banks, credit reference agencies or even the NHS.
Read more on The Guardian.
[From the article:
It comes ahead of an expected new law demanding age checks for online pornography and threatening a block on any sites which don’t comply. It is a key Conservative pledge and has widespread support. But critics say the plans are a privacy nightmare. Some warn they are a step towards Chinese-style internet restrictions.




This makes it more of a logistical challenge to have Phil back at the Privacy Foundation.
Juliette Garside reports:
When Philip Zimmermann was campaigning for nuclear disarmament in the 1980s, he kept an escape plan in his back pocket. The inventor of the world’s most widely used email encryption system, Pretty Good Privacy – more commonly known as PGP – was ready to move his family from Colorado to New Zealand at a moment’s notice.
The button was never pressed and the Zimmermanns stayed put. Until this year, that is. At 61, the Internet Hall of Fame inductee and founder of three-year-old mobile encryption startup Silent Circle has just left the US for Switzerland. In the end, it was not the nuclear threat that convinced him to leave his homeland, but the surveillance arms race.
Read more on The Guardian.




Continuing examples of Really Poor Management of schools and school districts. (This has the look of a contract that was deliberately understated to gain approval, then “corrected” to reflect the full cost. If they are not careful, Chicago might get a reputation for corruption.)
CPS forgot 22 schools in estimate for Aramark at a cost of $7 million
Chicago Public Schools somehow forgot about 22 schools, including a selective enrollment high school, in its estimate to hire Aramark to manage school janitors.
That mistake — in all, the district underestimated by nearly 3.2 million square feet the amount of space Aramark would have to clean — cost the district an additional $7 million in the controversial contract.
Last month, when the oversight came to light, CPS wouldn’t say how many facilities had been skipped, but instead advised filing a Freedom of Information Act request for the details.




...and I thought Cable was a declining industry.
Charter Strikes $55 Billion Deal for Time Warner Cable
Charter Communications Inc. has struck a $55 billion cash-and-stock deal for Time Warner Cable Inc., giving cable mogul John Malone the prize he has been chasing for two years.
The offer is valued at about $195 a share, a 14% premium to Time Warner Cable’s last closing price. Including debt, the deal is valued at $78.7 billion.




Somehow, I'll work this into my next Statistics class. Most of the time (60%) your doctor's diagnosis was wrong?
A second opinion could save your life
… Second opinions are valuable for a number of reasons, experts say.
Several recent studies found that as many as 60% of patients who sought a second opinion received a major change in their diagnosis or treatment.
Yet according to a 2010 Gallup Poll, 70% of Americans don't feel the need to ask for one — most said they feel confident in their doctor's advice and saw no need to gather additional information.




I'm planning to add Google Sheets for my Spreadsheet students, probably years before the school makes it a requirement.
Excel vs. Google Sheets: Which One Is Better for You?
The desktop version of Excel has long been the king of the hill when it comes to spreadsheet apps, but Google is making a challenge for the title with Sheets, the spreadsheet tool included in Google Apps.




As a “Heavy” library user, I agree.
Why Libraries Matter More Than Ever in the Age of Google
by Sabrina I. Pacifici on May 25, 2015
“James Palfrey, in his new book BiblioTech: Why Libraries Matter More Than Ever in the Age of Google, gives some truly bummer statistics on what’s happening to this beloved institution. A government report showed that while the nation’s public libraries served 298 million people in 2010 (that’s 96 percent of the U.S. population), states had cut funding by 38 percent and the federal government by 19 percent between 2000 and 2010. “It seems extraordinary that a public service with such reach should be, in effect, punished despite its success,” writes Palfrey. Of necessity, he cites these tough economic times as a reason for this “punishment.” But according to Palfrey, one of the greatest threats to libraries is nostalgia—the way that we, the loving public, associate libraries with the pleasures of a bygone era, and assume that the growth of the Internet is slowly draining libraries of their usefulness. “Nostalgia is too thin a reed for librarians to cling to in a time of such transition,” Palfrey writes. “Thinking of libraries as they were ages ago and wanting them to remain the same is the last thing we should want for them.” In our heartfelt but naïve fondness for “quiet, inviting spaces” full of books and nothing else, we fail to realize that libraries are becoming more important, not less, to our communities and our democracy. Humans are producing such quantities of data—2.5 quintillion bytes of data daily, to be precise—and on such a steep curve, that 90 percent of all existing data is less than two years old. 
An overwhelming amount of information, access to which is marked by the same stark inequality that exists between economic classes, demands to be moderated for the public good, and libraries are the institutions that do that… BiblioTech is packed with proposals for what libraries can become, all the roles they can play in public life: networks of digital media that can be loaned for free, not purchased; “maker-spaces” that offer equipment so that people can make instead of simply consume culture; easily accessible and networked archives of national heritage; job-search centers; clinics for the technologically illiterate and refuges for those who cannot afford new media—all of this in addition to their current functions…”




Perspective? Check out “Today” and the “Future” of interviewing.
How Job Interviews Have Changed Over the Years
For most of us, job interviews are just a part of life. They can be a little scary if you aren’t prepared, but as long as you go in smart, you have nothing to worry about.
Over time, job interviews have changed. The way in which we pitch ourselves for a job now was vastly different one hundred years ago. Just how has it changed? Check out the infographic below for a look!


(Related) Dilbert explains what happens when you specialize.