Saturday, June 27, 2015

Another article written for my IT Governance students. We'll have to discuss those “government wide” initiatives. (One size fits all?)
GAO Report – Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies
by Sabrina I. Pacifici on Jun 26, 2015
Cybersecurity: Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies, GAO-15-725T: Published: Jun 24, 2015. Publicly Released: Jun 24, 2015
“GAO has identified a number of challenges federal agencies face in addressing threats to their cybersecurity, including the following:
  • Designing and implementing a risk-based cybersecurity program.
  • Enhancing oversight of contractors providing IT services.
  • Improving security incident response activities.
  • Responding to breaches of personal information.
  • Implementing cybersecurity programs at small agencies.
Until federal agencies take actions to address these challenges—including implementing the hundreds of recommendations GAO and agency inspectors general have made—federal systems and information, including sensitive personal information, will be at an increased risk of compromise from cyber-based attacks and other threats. In an effort to bolster cybersecurity across the federal government, several government-wide initiatives, spearheaded by the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB), [Who is in charge? Bob] are under way. These include the following:
  • Personal Identity Verification: In 2004, the President directed the establishment of a government-wide standard for secure and reliable forms of ID for federal employees and contractor personnel who access government facilities and systems. Subsequently, OMB directed agencies to issue personal identity verification credentials to control access to federal facilities and systems. OMB recently reported that only 41 percent of user accounts at 23 civilian agencies had required these credentials for accessing agency systems.
  • National Cybersecurity Protection System (NCPS): This system, also referred to as EINSTEIN, is to include capabilities for monitoring network traffic and detecting and preventing intrusions, among other things. GAO has ongoing work reviewing the implementation of NCPS, and preliminary observations indicate that implementation of the intrusion detection and prevention capabilities may be limited and DHS appears to have not fully defined requirements for future capabilities.
While these initiatives are intended to improve security, no single technology or tool is sufficient to protect against all cyber threats. Rather, agencies need to employ a multi-layered, “defense in depth” approach to security that includes well-trained personnel, effective and consistently applied processes, and appropriate technologies.”

Not yet at the fully automated legal practice, but it looks like we're getting there. Worth a quick read!
The Best of Internet: Your Search for Expert Legal Help Gets Easier Now [US Only]
… Finding the next Perry Mason to take your case, is as simple as turning on your computer and going online. You may also be looking for detailed legal information, so you can represent yourself.
The ever-helpful MakeUseOf is now here to put it all together for you in one article. Now go forth and sue someone for breathing!

“Overreaction reversed”
Exclusive: Apple Will Restore Battle of Gettysburg App

Americans’ Internet Access: 2000-2015
by Sabrina I. Pacifici on Jun 26, 2015
Pew – As internet use nears saturation for some groups, a look at patterns of adoption:”A new analysis of 15 years-worth of data highlights several key trends: For some groups, especially young adults, those with high levels of education, and those in more affluent households, internet penetration is at full saturation levels. other groups, such as older adults, those with less educational attainment, and those living in lower-income households, adoption has historically been lower but rising steadily, especially in recent years. At the same time, digital gaps still persist. In this report, we cover some of the major demographic trends that lie beneath the topline adoption numbers and highlight:
  • Age differences: Older adults have lagged behind younger adults in their adoption, but now a clear majority (58%) of senior citizens uses the internet.
  • Class differences: Those with college educations are more likely than those who do not have high school diplomas to use the internet. Similarly, those who live in households earning more than $75,000 are more likely to be internet users than those living in households earning less than $30,000. Still, the class-related gaps have shrunk dramatically in 15 years as the most pronounced growth has come among those in lower-income households and those with lower levels of educational attainment.
  • Racial and ethnic differences: African-Americans and Hispanics have been somewhat less likely than whites or English-speaking Asian-Americans to be internet users, but the gaps have narrowed. Today, 78% of blacks and 81% of Hispanics use the internet, compared with 85% of whites and 97% of English-speaking Asian Americans.
  • Community differences: Those who live in rural areas are less likely than those in the suburbs and urban areas to use the internet. Still, 78% of rural residents are online.”

This explains a lot. Does anyone know if goldfish study Math?
Study – smartphones diminish attention span
by Sabrina I. Pacifici on Jun 26, 2015
A Microsoft study highlights the deteriorating attention span of humans, saying it has fallen from 12 seconds in 2000 to eight seconds: “According to scientists, the age of smartphones has left humans with such a short attention span even a goldfish can hold a thought for longer. Researchers surveyed 2,000 participants in Canada and studied the brain activity of 112 others using electroencephalograms. The results showed the average human attention span has fallen from 12 seconds in 2000, or around the time the mobile revolution began, to eight seconds. Goldfish, meanwhile, are believed to have an attention span of nine seconds.”

Every Saturday I laugh along...
Hack Education Weekly News
… Texas Governor Greg Abbott has chosen Donna Bahorich to chair the state’s board of education. Bahorich has never sent her children to public school, opting to homeschool her sons.
… Governor Abbott has signed a bill that decriminalizes truancy in Texas.
… The Department of Education has decided not to move forward with its plans to create a college ratings system. Instead it’s going to make a “consumer-focused website.”
Via Buzzfeed: “Baltimore’s Challenge: Buy Tablets For 100,000 Kids, And Don’t Mess It Up.” [Interesting plan, do the opposite of what LA did. Bob]
Via Campus Technology: “More than one third of all malware events in 2014 happened within the education sector.” Congratulations on your leadership, education.

Friday, June 26, 2015

Would that I was as confident.
CBR reports:
A new survey has revealed that 61% of energy security professionals believe their organisation could detect a critical system breach within 24 hours.
94% of executives agreed that their organisation is a target for cyber criminals, with 86% of respondents saying that they could detect a breach in less than one week.
49% of respondents believe their organisation could detect a cyberattack within 24 hours, while just 3% said it would take more than a month to identify it.
Read more on CBR.
For some, it’s all confident statements until there’s a “sophisticated” attack by “state actors.”
[From the article:
These levels of confidence notwithstanding, Mandiant’s M-Trends 2015 report has revealed that the average time required to detect an advanced persistent threat on a corporate network is 205 days. Additionally, in the 2015 Data Breach Investigations Report, whose key takeaways can be found here, Verizon reported that two-thirds of targeted attacks generally took months to detect.
This apparent gap in understanding is especially significant given an analysis earlier this year that found that the United States’ power grid experiences targeted attacks, both digital and physical in nature, every four days.

There's money to be made, but I find what they say about Contracts most interesting.
John Danaher writes:
You have probably noticed it already. There is a strange logic at the heart of the modern tech industry. The goal of many new tech startups is not to produce products or services for which consumers are willing to pay. Instead, the goal is create a digital platform or hub that will capture information from as many users as possible — to grab as many ‘eyeballs’ as you can. This information can then be analysed, repackaged and monetised in various ways. The appetite for this information-capture and analysis seems to be insatiable, with ever increasing volumes of information being extracted and analysed from an ever-expanding array of data-monitoring technologies.
The famous Harvard business theorist Shoshana Zuboff refers to this phenomenon as surveillance capitalism and she believes that it has its own internal ‘logic’ that we need to carefully and critically assess.

(Related) I doubt we'll see anyone talk about a similar here, Again, too much money.

Strange, but apparently Gawker thinks there is evidence (that they don't already have?) that will help them defend the lawsuit. Perhaps one of my lawyer friends could explain what that could be.
AP reports:
A federal judge has ordered the FBI to turn over evidence related to professional wrestler Hulk Hogan’s sex tape.
Gawker sued the FBI after it refused a Freedom of Information Act request for the evidence, which could find its way into Hogan’s invasion of privacy suit against the gossip site. Hogan sued Gawker after it published parts of the sex tape in 2012.
Read more on Tampa Bay Tribune.

Worth a try? For a passing grade, my students' policies should include at least what this automated tool does.
Now you have no excuse not to have a privacy policy for your web site or business. The Office of the Privacy Commissioner of New Zealand has launched Priv-o-matic (I kid you not about the name!):
Get your privacy statement sorted. It takes five minutes.
All you’ll need is a good understanding of your business.
If you’ve been procrastinating, try using this free tool. There are also tips provided for NZ entities that non-NZ entities may also find informative.

Perhaps a preview of how the Internet of (Annoying) Things will work. Imagine messages that “Alert” you to the fact that you will need an oil change in a mere 250 mile, the lint filter in you dryer needs to be cleared, there is a bulb out on your Christmas tree, etc., etc. and so forth.
Chevrolet Adds Theft Alarm Feature: Now Your Car Can Text You If It's Being Stolen
… One of the company's newest offerings is a safety feature that notifies owners in the unlikely event that their vehicles are being stolen. It's already available for Buick, Cadillac, and GMC models, and it's now available on Chevrolet vehicles, too.
The feature is called "Theft Alarm Notification".
… If you're an OnStar subscriber, you can opt-in to Theft Alarm Notification and select how you'd like to be notified when a would-be thief triggers your car alarm. You can choose to receive a text message, email, or phone call.

… The five largest publicly traded health insurance companies (UnitedHealth, Anthem,1 Aetna, Humana and Cigna) — all of which were party to an amicus brief in support of the subsidies filed by America’s Health Insurance Plans, a trade group for insurance companies — rose an average of 1 percent over their opening prices by 11 a.m. Thursday. The bounce started at approximately 10:10 a.m., right when SCOTUSblog first announced the Supreme Court’s decision.
That rise amounted to a $3 billion increase in the combined market capitalization of the five companies. And that figure underestimates the decision’s real benefit to these companies.

Another interesting toy. Forward Looking InfraRed is the technology used in heat seeking missiles. What could possibly go wrong?
New FLIR One Thermal Imaging Accessory Launched for Android and iOS
… The highlight of the FLIR One accessory is that it transforms a mobile device to into a thermal imager that with infrared can show heat images and measures temperature.
… The FLIR One can be attached to the Micro-USB connector for Android or to a Lightning connector for iOS devices. The new FLIR One is powered by an internal battery and features a Lepton thermal camera core, which is four times the resolution of the previous version.
The company claims that the FLIR One can show temperature variations of less than a tenth of a degree.

A bit of an overreaction? Even in an appropriate context, it's politically incorrect. Pretend the Civil War never happened? (Digest Item #2)
Apple Pulls American Civil War Games
Apple has pulled all games from the App Store which feature the Confederate flag. This means any and all games concerning the American Civil War have disappeared, with Apple telling affected developers this is because their game “includes images of the confederate flag used in offensive and mean-spirited ways.”
This is in response to the racially motivated mass murder at the Emanuel African Methodist Episcopal Church on June 17th. In the aftermath of the killing and the debate that ensued, retailers banned sales of the Confederate flag. However, Apple is going one step further and trying to rewrite history.
In order to have their games reinstated to the App Store, Apple is asking developers to remove all traces of the Confederate flag. Thus ignoring the fact that, as unsavory as it may be, the Confederate flag is a part of history. We can only imagine Apple would remove Hitler from the movie Downfall if it had its way.

I have students who read. Two of them!
Three Tools to Help Students Find Books to Read This Summer
… The Book Seer is a neat book recommendation engine that I discovered few years ago through Kristen Swanson's Teachers as Technology Trailblazers blog. The Book Seer is very easy to use. To get a book recommendation just type in the title and author of a book that you've recently read and the Book Seer will spit out a list of related titles and authors that you might enjoy.
Your Next Read is a neat little site that provides you with a web of book recommendations based on the authors and books you already like. … Click on any of the books appearing in the web to create another new web.
Your Next Read 2Titles takes a slightly different approach to making book recommendations. On 2Titles you answer a series of eight questions about your personality and interests before answering questions about books you've previously read.

Strange promotion, but a Coke for the troops is worth a click.
Every Click is a Coke for the Troops

Maybe, sometimes, there isn't an App for that, possibly.
Make your own app with these DIY services
Appy Pie prides itself on being simple and easy to use—hence their tagline, “make an app, as easy as pie.” Their code-free drag-and-drop app builder is easy to navigate (and supported with helpful pop-ups, video tutorials, and a live chat box), and even a complete tech newbie will be able to create a professional-looking app in a few hours.
Como makes app-making even easier than Appy Pie does. Como is very similar to Appy Pie, but with one major (possibly game-changing) difference—in the second step of Como’s app-building process, they ask you to input your Facebook page or website URL, and then they pull your existing content and info to create a template for your app.
GoodBarber is all about sexy mobile apps—heck, even their splash page is a minimalist rainbow blend of watercolors and text. While Appy Pie offers up a few generic stock photos, and Como gives you four or five basic themes, GoodBarber has an entire theme library, complete with custom fonts and high-resolution stock photos from Unsplash (a free stock photo library).

(Related) Don't make your App too good. Dilbert shows us why...

Thursday, June 25, 2015

I'm thinking of writing a book titled: “Chinese Hackers's Best Practices.” Nothing new or innovative, just pointing out all the existing security holes every hacker knows. The ones we teach our Ethical Hacking students.
Government Credentials on the Open Web
by Sabrina I. Pacifici on Jun 24, 2015
Follow up to Massive hack of federal personnel files included security-clearance database – related news – “Recorded Future identified the possible exposures of login credentials for 47 United States government agencies across 89 unique domains. As of early 2015, 12 of these agencies allowed some of their users access to computer networks with no form of two-factor authentication. This scenario heightens the risk of cyber espionage, crime, or attack for these agencies. This data was identified through open source intelligence (OSINT) collection and analysis of 17 paste sites including over a one year period ending in November 2014. Recorded Future shared this information with the majority of affected agencies in late 2014 and early 2015. At the time of our analysis, the Department of Energy had the widest exposure, with email/password combinations for nine different domains identified on the open Web. The Department of Commerce was the second hardest hit with seven domains suffering exposures.”

For my Computer Security students.
UK: Information Security Breaches Survey 2015
by Sabrina I. Pacifici on Jun 24, 2015
PWC: “We have been commissioned by the Department for Business, Innovation and Skills (BIS) to survey companies across the UK on cyber security incidents and emerging trends… The key observations from the 2015 survey were:
  • The number of security breaches has increased, the scale and cost has nearly doubled. Eleven percent of respondents changed the nature of their business as a result of their worst breach.
  • Nearly 9 out of 10 large organisations surveyed now suffer some form of security breach – suggesting that these incidents are now a near certainty. Businesses should ensure they are managing the risk accordingly.

Fortunately, they can learn from the IRS. (See next article)
Michael Hardy reports:
The government stores personal information on millions of Americans who have used the system, a situation which is raising privacy concerns as the recent successful attack that compromised Office of Personnel Management data makes plain the damage that hackers can do.
Called the Multidimensional Insurance Data Analytics System, or MIDAS, the system stories names, Social Security numbers, financial accounts and other sensitive personal information. But according to an Associated Press report, there is no plan in place to destroy old records, raising eyebrows among cybersecurity experts.
Read more on Federal Times.

Yet another article for my IT Governance class. We will discuss “legal holds” and Best Practice procedures that ensure that data is retained as long as needed and deleted when no longer required. In this case it is very unlikely that the “employees” made a mistake. They deleted the emails as required by their data retention policy.
Watchdog: IRS erased backups after loss of tea party emails
IRS employees erased computer backup tapes a month after officials discovered that thousands of emails related to the tax agency's tea party scandal had been lost, according to government investigators.
The investigators, however, concluded that employees erased the tapes by mistake, not as part of an attempt to destroy evidence.
As many as 24,000 emails were lost because 422 backup tapes were erased, according to J. Russell George, the Treasury inspector general for tax administration.
The revelation is likely to fuel conspiracy theories among conservatives who say the IRS has obstructed congressional investigations into the scandal.
George says the workers were unaware of a 2013 directive from the agency's chief technology officer to halt the destruction of email backup tapes.

This seems high to me, even after seeing all those subpoena reports from Google, Facebook, etc.
Justin Davenport reports:
Scotland Yard is making more than 120 requests a day to access private phone calls, texts and emails, new figures reveal.
Statistics revealed to the Evening Standard show that last year the Met made 45,249 requests to obtain communications data under the Regulation of Investigatory Powers Act, or Ripa.
The legislation allows officers to access people’s phone use, emails and web searches — provided they do not view the content.
Read more on the London Evening Standard.

Keeping up...
Dan Cooper writes:
On June 18, 2015, the Canadian Parliament passed the Digital Privacy Act (DPA), Senate Bill S-4, into law. The DPA amends Canada’s federal data protection statute, the Personal Information Protection and Electronic Documents Act (PIPEDA) in important respects, including introducing a new data breach notification requirement (which is not yet in force) and making other material changes to PIPEDA. This post summarizes key changes to PIPEDA brought about by the DPA.
Read more on Covington & Burling Inside Privacy.

Free texting?
Messaging will be Facebook's 'next major wave of innovation and financial windfall'
When Facebook purchased WhatsApp last year for $19 billion, many were shocked by the astronomical price paid for a little-known company with only 55 employees.
… In a note to clients on Tuesday, Deutsche Bank estimated that WhatsApp, along with Facebook’s Messenger app, will have more than 2 billion active users and generate between $9 and $10 billion in revenues in 2020.
Deutsche Bank is predicting an enormous monetization of Messenger and WhatsApp, which currently provide $0 and $49 million in revenues, respectively. By 2020, they expect those numbers to jump to $4.224 billion and $4.827 billion, representing about 17% of Facebook’s total ad revenues.
Messaging apps are becoming immensely popular around the world, with mobile-first apps like WhatsApp being "always on" replacements for SMS.
"The value of sending fast, reliable and free messaging vs. the previous onerous SMS fees charged by carriers (especially for international SMS), is clear as day and a big reason why these services took off initially on a global scale," the report said.
Facebook’s two apps have grown globally too, especially in emerging markets. WhatsApp has 800 million users, with 80% from emerging markets while Messenger has 700 million users, with 75% from these markets.
WhatsApp has penetrated an impressive 88% of the mobile market in Brazil and 81% of the mobile market in Argentina.

Perspective. (And perhaps to inspire a new business model?)
Apple Music will pay labels just $0.002 per stream during its free trial — before tax
… Spotify says it pays labels and publishers between $0.006 and $0.0084 per stream. A Guardian report suggests that the average payment a signed artist gets after their label takes its share is a mere $0.001128.
… Apple will pay music owners 71.5% of Apple Music's revenue in the US. Outside the US this could fluctuate, but will average out at around 73%.
… Apple's revenue split is only a few percentage points more than the industry average of 70%, which Spotify also says it pays.

Interesting. Is this enabled by any technology beyond the connection?
Ford takes on Uber with car-sharing program
Ford is launching a pilot car-sharing program, according to multiple reports.
Under the program, people who have financed their vehicles through Ford’s credit arm will be able to rent it out for short periods of time, according to the Associated Press. U.S. based owners will do so through a program created by Getaround, a California-based startup that allows people to rent out their cars.
… It’s a sign that the car manufacturer is looking to confront the way that short-term car sharing services like Zipcar and ridesharing platforms like Uber have changed the American public's relationships with cars.
"We are seeing a lot of folks that don't want to own a vehicle, and we as a company want to make sure we are listening to customers and see if we can help in that regard," Ford CEO Mark Fields told CNBC. "Customers, particularly in urban areas want access versus ownership."

Another technology I'll probably never use. BUT, it might increase the number of students who “read” the textbook...
The Rise of ‘Speed-Listening’
… speed-listening represents yet another step away from the curled-in-bed ideal. It suggests that a book exists not primarily for pleasure, but rather for being sucked of its precious information as efficiently as possible. It suggests that digital advances can help make an extremely old activity—reading—newly transactional.
… personalized, sped-up audio playback, for its part, has been around since 2004, Brian Feldman notes, when Apple introduced variable playback speeds into its iPod software. In 2007, the “Getting Things Done” blog recommended “adjusting the playback speed of your audiobook or video to a maximum of 150 percent” to complete the book more quickly. In 2010, the tech blog GigaOm suggested “speed-listening to podcasts” as an overall time-saving technique. Software titled, straightforwardly, FasterAudio promises to “cut your audio learning time in half.”

This is just showing off, but I'll add it to my next Excel class.
How to See All Your PC Information Using a Simple Excel VBA Script
Have you ever needed to know your computer’s CPU or memory details, serial or model number, or installed software versions, but weren’t sure where to look? With just a bit of simple code in Excel, you can extract a whole library of your Windows PC information.

I may have a use for this too.
Create Interactive Videos on Wideo
Wideo is a nice tool for creating Common Craft-style videos. You can create animated videos on Wideo by dragging and dropping clipart and text in storyboard frames. You set the position and animation sequence for each element in each storyboard frame. When you have completed your storyboards Wideo generates a video for you.
This week Wideo added a new feature that allows you to build interactive buttons into each frame of your video. The buttons can be hyperlinked to any webpage that you like. When people are watching your video they can click the buttons to be taken to the webpage you want them to land on.
… The free version of Wideo limits video length to 45 seconds. 45 seconds is long enough for a lot of video projects. Discounts are given to educators who want to purchase the capability to produce longer videos.

How to Tweet better than your students.
Send Tweets with Rich-Text Formatting using TallTweets
A new release of TallTweets has just been rolled out and it includes several new features and enhancements. The interesting additions are:
  1. TallTweets now supports rich-text formatting so you can use bold text, write in italics or even mark words with the yellow highlighter. See image tweet.
  2. You can compose Tweetstorms (numbered tweets, sent sequentially) and TallTweets will offer a live preview as you type so you know exactly how the tweets will look like in your timeline. See Tweetstorm
  3. TallTweets has gone international and now supports all languages including Hindi, Arabic, Malay, Chinese and more. In fact, if you use the “tweet as image” option, you can even send tweets in languages that are not officially supported by Twitter yet.

According to this, I'm writing my Blog all wrong. But perhaps it will help my students...
How to Write a Piece of Content From Conception to Publication
Are you trying to write something, either for work or just for your own enjoyment? Sitting down in front of a computer and delivering a piece of content can be a stressful experience.
You need a roadmap that will guide you through the process, and that’s just what the infographic below provides you with. It breaks everything down into small steps that anyone can accomplish. By the time you’re done, you’ll have created a finished piece of written work that you can be proud of!

Wednesday, June 24, 2015

Telling everyone that details of the breach are “classified” makes no sense if the Senators have already learned everything in the news and social media! Not surprising, politicians (even those who “run” government agencies) often make no sense.
Kaveh Waddell reports:
After weeks of revelations about cyberattacks that may have exposed the personal information of as many as 18 million federal workers, Katherine Archuleta, the director of the Office of Personnel Management, gave senators a classified briefing Tuesday to try to put lawmakers’ questions to rest.
But senators from both sides of the aisle say they were far from satisfied with what they learned behind closed doors.
Read more on National Journal.
[From the article:
… members of that subcommittee said they didn't hear anything new in the secret briefing later that day, even when it came to basic information about the extent of the hack.
"Generally we don't yet know the magnitude of the breach, or the consequences, or number of federal employees or personal information—the scope of the damage done," said Kansas Republican Jerry Moran. "So those questions that arose in this morning's hearing were not answered in this afternoon's classified briefing."

$19 million is the estimated cost of notifications and credit monitoring for affected employees, according to OPM director Katherine Archuleta, It’s not clear to me if she based that figure on the original 4.2M affected figure or a newer 18M estimate. And it doesn’t include notifications or credit monitoring for family members or others whose information was exposed in the employees’ files.
So expect the $19M figure to go up.
And up.
And then add in more forensics costs.
And more security upgrades.
And the cost of dealing with litigation.
And the cost in personnel time of dealing with this mess.
Yeah, this is a mess….

Something for my Ethical Hacking students. I wonder if we can reproduce it from the pictures. I bet we can. And a better antenna should increase the range a bit too.
Developed by researchers from Tel Aviv University and Israel’s Technion research institute, the device is built from components that total less than $300. While it uses techniques that have been demonstrated in the past—researchers have long known that the signals emitted by processors as they churn through calculations can be hijacked in order to obtain information—the team points out that it’s the smallest, cheapest implementation to date.

“All the better to serve you ads, my dear.” the Big Bad Wolf to Little Red Riding Hood (Internet fairytale version)
Google eavesdropping tool installed on computers without permission
Privacy campaigners and open source developers are up in arms over the secret installing of Google software which is capable of listening in on conversations held in front of a computer.
First spotted by open source developers, the Chromium browser – the open source basis for Google’s Chrome – began remotely installing audio-snooping code that was capable of listening to users.
It was designed to support Chrome’s new “OK, Google” hotword detection – which makes the computer respond when you talk to it – but was installed, and, some users have claimed, it is activated on computers without their permission.

Off hand I'd say the FAA is seriously underestimating the number of drones that will be in the sky. They also have to address conflicts on the radio control frequencies – you don't want me taking control of an Amazon drone!
Why Air Traffic Control Will Be Necessary for Future Drone Use
Drones, or unmanned aerial vehicles, could be the wave of the future. While they’ve been around for a number of years, only recently have they exploded in popularity. Businesses are even seeing the potential they have to offer, which could revolutionize the commercial landscape. The number of drones flying through the sky is expected to increase in the near future.
The FAA even predicts that by 2018, up to 7,500 drones (unmanned aircraft that weigh 55 pounds or less) will be occupying US airspace.
… At the moment, the FAA has released very few rules regarding the flight patterns of private drones. Those guidelines that have been released don’t necessarily make for a bright future for commercial drone use. On the positive side, the FAA says drone pilots don’t need an actual pilot license; all they have to do is pass a special test that gives them an operator certificate.

I suppose you could call it “convergence.” It might even make sense, but it could also be a harbinger of thing to come in the auto industry.
Nothing DRMs Like a Deere: Why Farmers Can’t Fix Their Own Tractors
John Deere, manufacturer of some of the world’s most popular tractors and farming equipment, recently submitted a letter to the U.S. Copyright Office asking it to forbid its customers from modifying the software that operates its machines. The implications here are huge: because of copyright laws, farmers cannot diagnose problems or make repairs on their own tractors.
… Six pages into John Deere’s letter to the Copyright Office, the company makes a jarring statement about ownership:
[…] the vehicle owner receives an implied license for the life of the vehicle to operate the vehicle, subject to any warranty limitations, disclaimers or other contractual limitations in the sales contract or documentation.

This is very strange. The Navy always gets the new/best toys, so what are they doing still using a 2001 operating system? (And can I use FOIA to get copies of the updates?)
Navy pays millions to keep using Windows XP
The Navy will pay more than $9 million to keep using Windows XP under a contract signed this month, Computerworld reported Tuesday.
The Space and Naval Warfare Systems Command (SPAWAR) will pay Microsoft $9,149,000 through the contract, which was approved earlier this month. It could eventually grow to be as large as $30,842,980 by 2017.

About time.
Data Requests Put Amazon Between Rock, Hard Place
Amazon's recently released first report on government requests for information revealed that from January to May, it received 813 subpoenas and 25 search warrants.
The company fully responded and provided all the requested information sought for 542 of the subpoenas. It partially responded and provided only some of the requested information for 126 of the cases, and it did not respond with any information for 145 cases. Amazon fully responded to 13 of the search warrants, partially responded to eight, and did not respond to four.

Big Data they can handle. I'm curious to see how quickly they can analyze DNA.
Google Partners With Broad Institute Of MIT And Harvard To Bring Genome Analysis Tool To Its Cloud Platform
Google today announced that it has partnered with the Broad Institute of MIT and Harvard to launch a limited alpha of the institute’s Genome Analysis Toolkit (GATK) on Google’s Cloud Platform and make it available as a service. The software, which was developed by the Broad Institute and helps scientists to quickly analyze genomic sequencing data, will be offered to academic researchers at no charge (though they will still have to pay for using Google’s Cloud Platform). Business users will have to license the software from Broad.
… DNA sequencing generates huge amounts of data (the raw data of the genome of one person takes up more than 100 gigabytes) and the Broad Institute has either sequenced or genotyped the equivalent of more than 1.4 million biological samples.

And yes, they have Jazz and Classical.
How Google thinks it can beat Apple Music and Spotify
While Apple, Spotify, and Pandora are all competing to become the dominant streaming music service, Google wants to make sure you haven't forgotten about its own music app: Google Play Music.

I wonder if I can use the Research and Report tools to help my students write better papers?
Google Launches News Lab
by Sabrina I. Pacifici on Jun 23, 2015
Official Google Blog: “…we’ve created the News Lab, a new effort at Google to empower innovation at the intersection of technology and media. Our mission is to collaborate with journalists and entrepreneurs to help build the future of media. And we’re tackling this in three ways: though ensuring our tools are made available to journalists around the world (and that newsrooms know how to use them); by getting helpful Google data sets in the hands of journalists everywhere; and through programs designed to build on some of the biggest opportunities that exist in the media industry today.”

Again, Wally illustrates a common Strategy failure. Like using an old (2008) textbook that makes no mention of social media!

Tuesday, June 23, 2015

Not exactly counter-propaganda, but then I don't think we know how to do that very well.
Europe’s top cops fight ISIS on social media
… Starting next week, a unit of the European police agency Europol will plan to remove social media accounts belonging to members of the Islamic State in Iraq and Syria (ISIS) within two hours of detecting them.
The unit will be working with various unnamed social media sites, Europol Director Rob Wainwright told the Guardian this weekend to “identify the ringleaders online” and keep tabs on who they are targeting for new recruits.
… The move is a sign of officials’ recognition that ISIS has had a tremendous ability to gather recruits internationally and inspire people around the globe to launch attacks against their home country.
… According to analysis from the Brookings Institution, there are at least 46,000 Twitter accounts associated with ISIS supporters.

Another article for my IT Governance and Risk Management class. We need a strategy...
Cybersecurity Has a Leadership Problem: Study
RAND didn't pull any punches in its 162-page report, The Defender's Dilemma, noting that defenders responsible for protecting corporate and personal data are unprepared, overwhelmed, and unsupported.
Researchers interviewed CISOs, reviewed existing technologies, and assessed the challenges behind making secure software in order to create the economic models, which make up the report, recently released by Juniper Networks.
Another common sense element found that people-centric investments, such as technologies to automate security management, advanced security training for employees, and hiring security staff led to greater cost-savings down the road. Organizations with high levels of security diligence curbed costs of managing security by 19 percent in the first year, and 28 percent by the tenth year compared to organizations with low diligence, RAND found in its survey.

A simple extension of biometrics. I wonder how far Facebook and others will wander down this road?
Facebook Is Now Able To Recognize You Without Even Seeing Your Face
… Facebook’s artificial intelligence team is testing out an algorithm that can recognize people in photos even if they are not looking at the camera.
According to New Scientist, the algorithm is able to identify people by reviewing hairdos, clothing, postures and body shapes. Facebook’s head of artificial intelligence Yann LeCun used CEO Mark Zuckerberg as an example of how the algorithm recognizes fashion preferences since he is known for always wearing a gray T-shirt.
… As of right now, the experimental algorithm is able to identify people with 83% accuracy.

Another government agency looking to hide behind “Management Theater?” (If you don't know how to solve a problem, do something that sounds good then keep shuffling the deck.)
FAA Refuses to Release Key Documents
The Federal Aviation Administration is refusing to release key documents that would support the agency’s claim that its controversial Biographical Questionnaire or BQ is valid. The BQ is a personality test that all FAA air traffic control applicants must pass in order to be considered for a job with the FAA. A FOX Business Network investigative report, ‘‘Trouble In the Skies’’, first exposed internal FAA documents which discredited the BQ on May 20, 2015.
The report also made public recordings of FAA employees offering to help air traffic control candidates cheat on the 2014 BQ.
… Failing scores on the BQ disqualified 3000 students from FAA Collegiate Training Initiative Schools, a program created by the FAA to prepare future air traffic controllers, from obtaining jobs with the agency. Those 3000 students had previously been considered “well qualified” by the FAA after earning the highest scores on an exam used by the FAA to test an applicant’s cognitive ability.
… The FAA discarded the BQ in 2015 and used a new version of the test also created by APT Metrics. The FAA refuses to say why the first version of the BQ was thrown out if it had been validated.

(Related) An example of Security Theater.
Tim Cushing writes:
Concerns over pervasive surveillance are often shrugged off with “ends justify the means” rationalizing. If it’s effective, it must be worth doing. But as more information on domestic surveillance programs surfaces, we’re finding out that not only are they intrusive, but they’re also mostly useless.
TrapWire — software produced by Stratfor and used by security and law enforcement agencies around the world — utilizes facial and pattern recognition technology to analyze CCTV footage for “pre-attack patterns,” meshing this information with other law enforcement databases, including online submissions from citizens reporting “suspicious behavior.”
Read more on TechDirt.

You gotta love it. I wonder how much of the government Google could replace? Probably almost as much as they influence with their political contributions.
Senators to feds: 'Just Google it'
Senators want to eliminate an agency tucked within the Commerce Department, suggesting that the Internet has made it obsolete.
Republican Sens. Mark Kirk (Ill.), Kelly Ayotte (N.H.), Tom Cotton (Ark.) and David Perdue (Ga.) introduced the Just Google It Act on Monday, which would eliminate the National Technical Information Service (NTIS).
… The senators pointed to a 2014 Government Accountability Office (GAO) report which found that a majority of documents added to the NTIS collection over the past twenty years could be found somewhere else, with most of those available for free online.
… The senators' proposal isn't the first time the agency has come under congressional fire.
Sen. Claire McCaskill (D-Mo.) and then-Sen. Tom Corburn (R-Okla.) introduced a similar proposal last year, the Let Me Google That For You Act.

For my Computer Security students.
Free recorded webinar on Pluralsight: Why SQL Injection Remains the #1 Web Security Risk Today
A couple of weeks ago I did a free webinar on Pluralsight titled Why SQL Injection Remains the #1 Web Security Risk Today (and what you should know about it). This is a rather self-explanatory title and it’s completely true – SQL injection remains a big thing and we keep getting it wrong. Like an example? Only 8 months ago, Drupal had a major vulnerability in their product. If you’re not already familiar with Drupal, it allegedly powers 2.1% of the world’s websites… including But here’s the really scary bit from their announcement:
You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

Another one for my toolkit.
How to Transcribe Video Files to Text with YouTube

A way to gather my handouts?
Book Creator for Windows - Create Multimedia eBooks
Book Creator has long been a popular iPad and Android app for creating multimedia ebooks. Today, the developers of Book Creator released a Windows version of the app.
Book Creator for Windows (Windows 8.1 or higher required) allows anyone to create his or her own ebooks using images, text, videos, and audio recordings. You can arrange your book in three different formats; portrait, square, or landscape. Each page in your book can include pictures and videos. In addition to the pictures and videos you can include as much as text as you can fit on each page. In fact, if you just want to have text on a page you can do that. If you would like to narrate your book you can tap the record button to add your voice to each page of your book. Every page in your book can have a custom color scheme.
Book Creator can be a fantastic tool for students to use to create short stories or to create longer research papers that include multimedia elements. [Now that is a nasty idea. I like it! Bob]

Dilbert on strategy.

Monday, June 22, 2015

Another article for my IT Governance and Risk management class.
Hackers force Polish airline to cancel flights
Poland's LOT airline was forced to cancel around 10 foreign and domestic flights after hackers attacked its computers on Sunday.
Airline spokesman Adrian Kubicki said the attack temporarily paralyzed LOT's computers at Warsaw's Frederic Chopin airport, disrupting the processing of passengers for the flights.
… LOT Airlines said no airborne planes were affected.
A representative at LOT told CBS News on Monday morning that the hackers attacked the airline's internet network, affecting email and web access in their offices. It was not a targeted attack to their flight plan computers.
The biggest effect, the airline official said, was that they could not issue flight plans during the outage.

Do they have photos in these files? If not, I guess I could get them from a Facebook page. Any Intelligence service would be happy to have full dossiers on everyone who works for a target.
Report – hacker had access to U.S. security clearance data for one year
by Sabrina I. Pacifici on Jun 21, 2015
Follow up to previous posting, Massive hack of federal personnel files included security-clearance database, again via Washington Post: “The recently disclosed breach of the Office of Personnel Management’s security-clearance computer system took place a year ago, giving Chinese government intruders access to sensitive data for a year, according to new information. The considerable lag time between breach and discovery means that the adversary had more time to pull off a cyber-heist of consequence, said Stewart Baker, a former National Security Agency general counsel. “The longer you have to exfiltrate the data, the more you can take,” he said. “If you’ve got a year to map the network, to look at the file structures, to consult with experts and then go in and pack up stuff, you’re not going to miss the most valuable files.”

Why would my Ethical Hacking students (for example) be free to reverse engineer software when a government agency, doing exactly the same thing, have to jump through hoops? Have we lost perspective or does someone want to sell consulting services to GCHQ? Perhaps they just want to deflect the kind of lawsuits that the FBI seems to attract. See the next couple of articles.
Andrew Fishman and Glenn Greenwald report:
British spies have received government permission to intensively study software programs for ways to infiltrate and take control of computers. The GCHQ spy agency was vulnerable to legal action for the hacking efforts, known as “reverse engineering,” since such activity could have violated copyright law. But GCHQ sought and obtained a legally questionable warrant from the Foreign Secretary in an attempt to immunize itself from legal liability.
GCHQ’s reverse engineering targeted a wide range of popular software products for compromise, including online bulletin board systems, commercial encryption software and anti-virus programs. Reverse engineering “is essential in order to be able to exploit such software and prevent detection of our activities,” the electronic spy agency said in a warrant renewal application.
Read more on The Intercept.

“We don't have to explain why we put people on the no-fly list and we don't have to explain why we take people off the no-fly list. We're the US government and we do whatever we damn well want to do!”
From Papers, Please!
Four days before a Federal judge was scheduled to hear arguments in a lawsuit brought by four Muslim US citizens who were placed on the US government’s “no-fly” list to try to pressure them into becoming informants for the FBI, the government has notified the plaintiffs in the case that all of them have been removed from the no-fly list.
The plaintiffs in Tanvir v. Lynch are continuing to press their claims, as are other US citizens challenging their placement on the no-fly list in retaliation for declining to inform on their friends, families, communities, and fellow worshippers. But we expect that, as has been its pattern, the government defendants will now try to get the case dismissed as “moot“.
Read more on Papers, Please!

(Related) “We don't want anyone to know what we do because we might have to stop it.”
DOJ Prevailed Over Google on Email Privacy Case
by Sabrina I. Pacifici on Jun 21, 2015
Ryan Gallagher – The Intercept:The Obama administration fought a legal battle against Google to secretly obtain the email records of a security researcher and journalist associated with WikiLeaks. Newly unsealed court documents obtained by The Intercept reveal the Justice Department won an order forcing Google to turn over more than one year’s worth of data from the Gmail account of Jacob Appelbaum (pictured above), a developer for the Tor online anonymity project who has worked with WikiLeaks as a volunteer. The order also gagged Google, preventing it from notifying Appelbaum that his records had been provided to the government. The surveillance of Appelbaum’s Gmail account was tied to the Justice Department’s long-running criminal investigation of WikiLeaks, which began in 2010 following the transparency group’s publication of a large cache of U.S. government diplomatic cables….”
[From the article:
The Justice Department argued in the case that Appelbaum had “no reasonable expectation of privacy” over his email records under the Fourth Amendment, which protects against unreasonable searches and seizures. Rather than seeking a search warrant that would require it to show probable cause that he had committed a crime, the government instead sought and received an order to obtain the data under a lesser standard, requiring only “reasonable grounds” to believe that the records were “relevant and material” to an ongoing criminal investigation.

Sounds like a tool for cults to ensure their mind control is working.
Joe Cadillic writes:
Soon every churchgoer will be identified by facial recognition software! You read that right, churches will soon be using facial recognition software to identify you and your family.
The company website brags: “First of its kind, Churchix provides you with accurate data on members attendance in your events and services. The software also allows you to sort and manage your videos and photos.”
Churchix was originally developed by us for a chain of international churches, which wanted to follow up with membership attendance at its events. Today it’s being used at a number of other churches in the US and in Indonesia” Moshe Greenshpan, the company’s CEO said.
Read more on MassPrivateI

“Hey guys! Look what I just noticed.” But if you are dead, you forfeit your privacy rights?
Emily Nitcher reports:
Citing a federal law that has been on the books for 21 years, the Arkansas State Police began earlier this month withholding nearly all personal information from vehicle crash reports available to the public.
The agency contends the 1994 Drivers Privacy Protection Act, which prohibits personal information from motor vehicle reports from being made public, also covers police crash reports.
Read more on Arkansas Online.
[From the article:
The new policy means the only personal information available on state police crash reports are the names and hometowns of fatalities. All other information, including the names of other drivers and passengers, is withheld.
Critics of the new practice, which has already been included in a lawsuit against the state police over its records disclosures, are skeptical about the application of the federal law and the 21-year delay in enforcing it.

Don't mess with Taylor! Some smart entrepreneur will ask Taylor what the ideal music payment model (or models) should be and thereby own the market. (I'm assuming she has some really smart lawyers.)
Apple will pay artists during three-month trial after Taylor Swift open letter
No more bad blood: Apple senior executive Eddy Cue announced on Twitter that Apple Music will pay artists during the service’s free, three-month trial period. The reversal of policy comes one day after Taylor Swift wrote an indictment of Apple Music on Tumblr titled “Dear Apple, Love Taylor.”
… In an interview with Billboard, Cue said it was Swift’s letter that spurred the company to make its decision. “When I woke up this morning and saw what Taylor had written, it really solidified that we needed a change,” Cue said. “And so that’s why we decide we will now pay artists during the trial period.”

Wally sounds like my students. They wait until class starts to ask me if it is Okay to submit their papers late. (It is not) I find it frustrating, they find it hurts their grades.