Saturday, September 12, 2015

Should “Best Practices” be selected to catch the bad guy or to get your services back online quickly? Perhaps you should contact the experts before you are hacked. Here are just a couple of points the article is trying to make.
US-CERT’s do’s-and-don’ts for after the cyber hack
Too often, agencies are erasing key forensic evidence after a cyber attack.
… So with that rule to live by, US-CERT offers these best practices:
General missteps
Hacked organizations shouldn’t automatically initiate reactive measures to the network without first consulting incident response experts.
… “This can cause loss of volatile data such as memory and other host-based artifacts. We also see them touching adversary infrastructure. It seems unusual, but we do,” she said. “They are pinging or doing name server (NS) look up, browsing to certain sites. Agency staff is trying to investigate the incident, naturally, and they want to conduct the analysis on suspicious domains or IPs. However, these actions can tip off the adversaries that they have been detected. Again, a no-no. You don’t want to do that.”
Resist pre-emptive password resets
Don’t erase audit logs

Nice to see proof it works both ways.
Joshua Phillipp reports:
Hackers released a list showing the phone numbers and home addresses of nine alleged ISIS recruiters, in countries including Turkey, Indonesia, Kuwait, and Iraq. Alongside this, one of the hackers behind the leak detailed how the terrorist organization recruits members using the Internet.
According to the hacker, who goes by the moniker “JhonJoe,” a favorite venue for ISIS recruiters is Twitter. When the recruiters find someone who expresses views similar to their own, they’ll make contact using the direct message function on Twitter.
“We ran a sting operation to uncover this,” said JhonJoe, in an interview on Twitter.
Read more on Epoch Times.

“We're government security. You can trust us!”
TSA Master Baggage Keys Compromised, Now Available Online For 3D Printing
When The Washington Post posted a story about the "secret life" of TSA bag handlers, it thought it'd spice up its presentation with a neat shot of master baggage keys being spread in someone's hand like a fan. As it happens, that was unwise, as when it comes to standard keys like those used for baggage, all that's needed to duplicate them is a clear image.

“Minority Report” is coming.
Joe Cadillic writes:
Your child’s writings, texts etc., could get them arrested and put on the Terror Watch List.
Future policing and incarceration is becoming a reality, a B.S. study called “Profiling School Shooters: Automatic Text-Based Analysis” alleges DHS, teachers and psychologists can identify future school shooters based entirely on a students writings!
What’s that you say? It can’t possibly be real? But the study was conducted with the Department of Education (DOE)!
Read more on MassPrivateI.

An extension of privacy or a tool for terrorists?
First Library to Support Anonymous Internet Browsing Effort Stops After DHS Email
Since Edward Snowden exposed the extent of online surveillance by the U.S. government, there has been a surge of initiatives to protect users’ privacy.
But it hasn’t taken long for one of these efforts — a project to equip local libraries with technology supporting anonymous Internet surfing — to run up against opposition from law enforcement.
In July, the Kilton Public Library in Lebanon, New Hampshire, was the first library in the country to become part of the anonymous Web surfing service Tor. The library allowed Tor users around the world to bounce their Internet traffic through the library, thus masking users’ locations.
Soon after [How closely is DHS monitoring libraries? Maybe they are just mapping TOR? Bob] state authorities received an email about it from an agent at the Department of Homeland Security.
“The Department of Homeland Security got in touch with our Police Department,” said Sean Fleming, the library director of the Lebanon Public Libraries.
After a meeting at which local police and city officials discussed how Tor could be exploited by criminals, the library pulled the plug on the project. [Because deterring crime is more important than securing your communications Bob]

(Related) Still making it sound like every crook uses encryption, which contradicts their reports to Congress. If the message is encrypted, we still have: Who called, who was called, time the call was made, duration of the call, locations of caller and person called, owner of each phone (usually), etc.
RT reports:
FBI Director James Comey continued his push for Silicon Valley to give the federal government backdoor access to encrypted data at a congressional hearing. However, the tech industry has told committee members that it’s not in their interest to help.
At a House Intelligence Committee hearing on Thursday, Comey said that he wants Silicon Valley to create a workaround that would give the federal government access to encrypted data in their programs and hardware, even though more than 140 tech firms have come out against the idea.
Read more on RT.

(Related) This is what the FBI really wants.
Lisa Eadicicco reports:
Siri will be able to perform an important new trick when Apple’s next iPhones come out.
The virtual assistant will always have an ear open, listening for users to summon it, ever ready to answer questions or to assist with certain tasks.
There are a lot of unanswered questions around these “always listening” devices, such as how they can use the data and who they can share it with.
“[The license agreements] have an extraordinarily wide latitude,” Bruce Schneier, a fellow at the Berkman Center for Internet and Society at Harvard Law, said to Business Insider. “And that’s a huge worry.”
Read more on Business Insider.

Schools may need to re-think some of their projects.
Kumar Singam reports:
Reliable sources have informed the Examiner that Montgomery County Public Schools (MCPS), the largest school system in Maryland, has installed LanSchool in Chromebooks distributed to students.
As the product brochure disarmingly mentions, LanSchool can be used for real-time monitoring of student activity on the computer. The website states that “Thumbnail monitoring allows the teacher to quickly view each student’s screen. At a glance, it is easy to see which students are on or off task. Administrators can monitor up to 3000 students at a time and dual-monitors are supported.” The website goes on to say that “LanSchool v7.8 automatically logs all keystrokes on student machines. (This can be disabled if your organization has policies against keystroke monitoring) Months of keystrokes are kept in a rolling log that can be watched in real-time or exported to a .csv file.”
The Examiner has confirmed through knowledgeable sources that MCPS did not obtain parental authorization for the use of the intrusive software from students who were given Chromebooks with LanSchool installed.

Ah man. Are they taking away my right to ram anyone that irritates me? That's unAmerican!
Automakers Will Make Automatic Braking Systems Standard in New Cars

(Related) I'll be these guys don't get that system. Only us second class citizens.
Dodge Charger Pursuit Gets High-Tech System

Journalists (or anyone) could broadcast using Periscope or a similar App, but this way they have a predefined audience?
Journalists Can Now Broadcast Live Over Facebook
Facebook wants more journalists to use its platform as their distribution channel of choice. Now the company is giving reporters a new tool: the ability to stream live on Facebook itself.
Facebook said today that verified journalists, experts, and other “influencers” will now be able to use its Mentions app—formerly available only to select celebrities. The app will allow journalists to post live to Facebook during breaking news, for behind-the-scenes reports, or to host live Q&As with followers, among other possibilities.

Is Microsoft expanding into hardware or (like Amazon and Google) expanding into everything?
Juicy Rumor Suggests Microsoft Looking To Rock Computing World With Possible AMD Acquisition
If you thought that news of Windows 10 downloading in the background without your knowledge was the biggest bombshell to come out of Redmond, Washington today, then you’re sorely mistaken. A very interesting rumor is making the rounds that has the possibility to send shockwaves through the entire computing industry.
Microsoft is reportedly in talks to acquire AMD, which would make things quite interesting not only in the CPU sector (where AMD has played second fiddle to Intel for years), but also in the graphics sector (where AMD dukes it out with NVIDIA). For all its efforts to stand up to Intel recently, AMD just hasn’t had much luck in making a noticeable dent in the company’s massive share of the desktop, notebook, and server markets. And even in the graphics sector, NVIDIA has opened up a pretty significant lead in the discrete graphics market [PDF] as far as sales are concerned.

Sony does it again? (Screws up, that is.)
Sony: Don't Use Those 'Waterproof' Xperias Underwater
Turns out, Sony's "waterproof" Xperia devices might not be so waterproof after all.
After talking up the waterproof capabilities of its Xperia devices for years — even running marketing campaigns showing people happily using its devices underwater — Sony now says that they should not be submerged. As XperiaBlog first reported, Sony recently revised its support page on water and dust protection to warn people against taking a swim with their gadgets.
"Remember not to use the device underwater," the site says.

Maybe someday that long, boring commute won't be so bad...
European Court Rules That Commuting Time Is Part of the Workday
If Dante had known the pain of traveling to and from work, he would have made it a punishment in one of the circles of hell. But a recent court decision in Europe might actually make some workers want to commute longer.
On Thursday, Europe’s top court ruled that the time spent commuting to and from work should count as part of the workday. The ruling applies to employees who don’t have a regional office to work out of, like electrical technicians, for example.
The time spent commuting to the first appointment and driving home from the last appointment is to be considered part of the work day, according to the ruling, which was handed down by the Court of Justice of the European Union in Luxembourg.

“I'm shocked, shocked I tell you!”
Iran says finds unexpectedly high uranium reserve
Iran has discovered an unexpectedly high reserve of uranium and will soon begin extracting the radioactive element at a new mine, the head of Iran's Atomic Energy Organisation said on Saturday.
The comments cast doubt on previous assessments from some Western analysts who said the country had a low supply and would sooner or later would need to import uranium, the raw material needed for its nuclear program.

Sounds classified to me.
Exclusive: New Emails on Secret Benghazi Weapons
On the third anniversary of the Benghazi terrorist attack, emails reviewed by Fox News raise significant questions about US government support for the secret shipment of weapons to the Libyan opposition.
… As Fox News chief intelligence correspondent Catherine Herridge first reported, a heavily redacted email released to the Benghazi committee in May clearly states that on April 8, 2011, a day after the Turi/Stevens exchange, Clinton was interested in arming the rebels using contractors:
"FYI. the idea of using private security experts to arm the opposition should be considered," Clinton wrote. Significantly, the state department released emails blacked out this line, but the version given to the Benghazi select committee was complete.

On the 3rd of September, 2015, Benedict Evans, a veteran mobile industry analyst turned venture capitalist, tweeted a chart showing how traditional TV is losing its share of screen to smartphones and tablets. While Mr. Evans’ chart was not the first chart to alarm the cable industry, its timing was particularly interesting, as it came exactly a week before Apple’s major update of its Apple TV hardware. In fact, many financial and industry analysts have predicted the demise of the cable industry since rumors of a new Apple TV hardware or an Apple over-the-top streaming service emerged earlier this year.
For the first time ever, time spent inside mobile applications by the average US consumer has exceeded that of TV.

While my students played video games?
Interview: Seattle girls launch a balloon spacecraft to the edge of space, and NASA takes note
Our guests on the GeekWire radio show this week are Rebecca Yeung, 10, and Kimberly Yeung, 8 — two sisters from Seattle who built a spacecraft out of wood, broken arrow shafts and a high-altitude balloon, sending it to the edge of space this past weekend. Their project — and especially their handwritten “lessons learned” — captured the attention of thousands of people, including an exec at NASA’s Jet Propulsion Lab.

This could be useful.
Zoom - Record Video Conferences in HD is a great service for hosting and recording video conferences in high definition. I was introduced to it by Rod Berger when he proposed using to record segments for the #askRichardByrne video series that we're producing. I'm glad he recommended it because it is a fantastic tool. allows you to record your video in a side-by-side format to equally feature both people in the recording or switch between featuring one person more than another in the video (click here for an example). When you record through Zoom you're given an HD video file to save locally as well as a separate HD voice recording. Zoom isn't limited to just webcam views as you can also share your screen through the service. Zoom's free plan allows you to record for up to forty minutes in each video. The number of videos that you can create is not limited.
Zoom does require that you install a desktop client in order to call, receive calls, and to record.

For my iPhone using students. Also note that this is another example of “free” resulting in higher sales.
Camera+, The Third-Party Camera App With 14 Million Users, Goes Free
Tap tap tap, the company behind the popular third-party camera app Camera+, is making its flagship application free today. The app
… Many app makers believe that offering a free version of their app will hamper sales of their paid version, which is why they’ll often roll out stripped-down, “lite” versions of the app as a way to encourage users to upgrade to the full experience.
… Then last year, tap tap tap ran a big promotion with Apple which made the app – the full version – available for free on the App Store. And what the company discovered was surprising.
“With the Apple promotion, we definitely were concerned that giving away the full version for free could potentially hurt sales,” explains Casasanta. “We still decided that it would’ve been worth the risk to try it out and when we did, we were pleasantly surprised to find out that it actually helped sales as we got a significant spike during the promotion and afterward.”
That experience then prompted the company to refocus on developing the free version of Camera+, which is available today.

I do teach all this but I find it better to let my spreadsheet students see that others think it's valuable.
5 Excel Tools You Need Right Now
Powerful and complex, Microsoft Excel comes packed with so many tools that it's often hard to know which tool can solve a particular problem. Ever feel like it's easier to just keep doing things the slow way simply because it works? But you deserve better than that, so we've gathered five essential Excel tools that save you time and effort. If you're not currently using them, it's time to up your game.

Laugh educator, laugh.
Hack Education Weekly News
According to Los Angeles Unified Superintendent Ramon Cortines, the district is close to a $6 million settlement with Apple and Pearson over its botched iPad program. [For the failure of a $1.3 billion program? Someone has good negotiators. Bob]
Via Inside Higher Ed: “The Texas State University System on Thursday announced a Freshman Year for Free program in which students can earn a full year of credit through massive open online courses offered by edX and coordinated by a new nonprofit called the Modern States Education Alliance. The only costs to students would be either Advanced Placement or College Level Examination Program tests, which would be passed after completing various MOOCs. Appropriate scores would be required on the tests to receive credit from Texas State campuses.”
… “Meet the Crowdfunded Professor,” says The Chronicle of Higher Education. “He's left his tenured job and gone online, solo.” (Related: Ian Bogost on “Quit Lit.”)
Richmond Community College in North Carolina will offer free tuition to high school students in the area: “The program, dubbed RichmondCC Guarantee, promises two free years of college for students of public, private and home schools who have at least a 3.0 grade-point average and two college courses under their belts.”
Via ProPublica: “First Library to Support Anonymous Internet Browsing Effort Stops After DHS Email.” The Kilton Public Library in New Hampshire was using Tor, but police have pressured the library to stop.
Via the US Census: back-to-school factoids.
… “US education is a $1.5 trillion industry and growing at 5 percent annually,” says McKinsey.

Friday, September 11, 2015

Digital Bad Citizen? My insurance company won't let me drive a car once the passenger side airbags go off because the driver's airbag might not deploy if there was another accident. GM would have let me drive around with the possibility my brakes could be disabled. Digital Bad Citizen!
GM Took 5 Years to Fix a Full-Takeover Hack in Millions of OnStar Cars
When a pair of security researchers showed they could hack a Jeep over the Internet earlier this summer to hijack its brakes and transmission, the impact was swift and explosive: Chrysler issued a software fix before the research was even made public. The National Highway Traffic and Safety Administration launched an investigation. Within days Chrysler issued a 1.4 million vehicle recall.
But when another group of researchers quietly pulled off that same automotive magic trick five years earlier, their work was answered with exactly none of those reactions. That’s in part because the prior group of car hackers, researchers at the University of California at San Diego and the University of Washington, chose not to publicly name the make and model of the vehicle they tested, which has since been revealed to be General Motors’ 2009 Chevy Impala. They also discreetly shared their exploit code only with GM itself rather than publish it.
The result, WIRED has learned, is that GM took nearly five years to fully protect its vehicles from the hacking technique, which the researchers privately disclosed to the auto giant and to the National Highway Traffic Safety Administration in the spring of 2010. For nearly half a decade, millions of GM cars and trucks were vulnerable to that privately known attack, a remote exploit that targeted its OnStar dashboard computer and was capable of everything from tracking vehicles to engaging their brakes at high speed to disabling brakes altogether.

Another Ashley Madison oops!
Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked
When the Ashley Madison hackers leaked close to 100 gigabytes' worth of sensitive documents belonging to the online dating service for people cheating on their romantic partners, there seemed to be one saving grace. User passwords were cryptographically protected using bcrypt, an algorithm so slow and computationally demanding it would literally take centuries to crack all 36 million of them.
Now, a crew of hobbyist crackers has uncovered programming errors that make more than 15 million of the Ashley Madison account passcodes orders of magnitude faster to crack. The blunders are so monumental that the researchers have already deciphered more than 11 million of the passwords in the past 10 days. In the next week, they hope to tackle most of the remaining 4 million improperly secured account passcodes, although they cautioned they may fall short of that goal. The breakthrough underscores how a single misstep can undermine an otherwise flawless execution. Data that was designed to require decades or at least years to crack was instead recovered in a matter of a week or two.

Yeah, there's an App for that. Unfortunately.
CoreBot Becomes Full-Fledged Banking Trojan
IBM reported in August that its researchers had come across CoreBot, a new piece of malware designed to steal data from infected devices. Initially, the threat only had limited capabilities, but IBM now says CoreBot has become a full-fledged banking Trojan.
The first CoreBot samples analyzed by IBM were designed to steal locally stored sensitive information, but they lacked the capability to intercept and steal data in real time. However, experts noted at the time that the malware used a modular plugin system that allowed its developers to easily add new capabilities.
The latest samples analyzed by researchers include new features such as browser hooking, real-time form grabbing, a virtual network computing (VNC) module for remote control, man-in-the-middle (MitM) functionality for session takeovers, a custom web injection mechanism, and on-the-fly web injections.
While CoreBot seems to have evolved from a basic data stealer to a full-fledged financial malware overnight, IBM believes its authors were until recently undergoing a long process of developing and testing the new capabilities.
The new CoreBot monitors browsing sessions to see if one of 55 targeted URLs is visited by the victim. These URLs are associated with the websites of 33 financial institutions from the United States (62%), Canada (32%) and the United Kingdom (6%).

For my Computer Security and Ethical Hacking students. Easy to program and it will even work if the hacker has taken no steps to obfuscate their location and implemented no counter-hacking techniques.
Hayley Tsukayama reports on a nifty-sounding hack-back program. Whether it’s legal or not is unclear:
Have you ever gotten an e-mail from a service warning that someone is trying to hack into your account and wondered: Who is doing this to me?
A password manager called LogMeOnce now gives you the option to take a picture of whoever is trying to access the accounts that you’ve registered with its service. It does this by hacking the hacker’s camera, whether that is attached to a computer or mobile device, and secretly taking a photo.
Read more on Washington Post.
[From the article:
The feature, which is called Mugshot and launched Tuesday, also provides you with information on where your attacker is located and the hacker’s IP address -- the unique set of numbers that identify each computer on a network. And it offers the option to grab a photo from the rear-facing camera of a mobile device, so you can get a look at the hacker's surroundings.

How do I surveil thee?
Let me count the ways...
How the Government Surveils Cell Phones: A Primer
… If law enforcement wants to surveil your cell phone, they have two ways to do it. They can do it through a phone company; or they can do it directly, using a device like a Stingray.

Surprise? Or am I missing something?
California governor vetoes bill banning drones over private property
Legislation that would have restricted drone pilots in California has been struck down by governor Jerry Brown. The bill, spearheaded by state senator Hannah-Beth Jackson, would have banned quadcopters from flying below 350 feet around private properties -- at least, not without the permission of the building's owner, anyway. It passed both the state Assembly and state Senate in August, prompting opposition from GoPro and advocacy groups with ties to Amazon and Google. Brown has now dismissed the bill, however, because of its potential to "expose the occasional hobbyist and FAA-approved commercial user to burdensome litigation." He admitted the bill was "well-intentioned," but stressed that all parties need to discuss the issue further "before we go down that path." Jackson, meanwhile, has gracefully accepted defeat, meaning Senate Bill 142 is shelved for now.

Promises, Promises. Is the right to remedy too big a hurdle? Would law enforcement be the target?
Access writes:
Negotiators from the United States and the European Union recently reached a preliminary deal on the so-called Umbrella Agreement, a transatlantic deal that sets standards for protecting personal data when it is transferred for law enforcement purposes. However, one key hurdle remains before the agreement will get sign off: the U.S. must grant a right to remedy for E.U. citizens who suffer privacy violations (a right that already exists in the E.U. for U.S. citizens in similar circumstances). It remains to be seen whether the U.S. will follow through on providing that protection, and whether it will be meaningful enough to meet E.U. standards.
Read more on Access.

Somehow I don't think the Chinese leadership is too worried.
These Four Charts Show How Obama's Leverage Over Xi Is Increasing
The tables are starting to turn.
For years after the global financial crisis, China's steady growth kept the world economy churning while the U.S. and other advanced nations slumped. Now, after China's summer of financial turmoil and increasing signs of a slowdown, President Xi Jinping's economic hand is weaker heading into his state visit to Washington later this month. Here are four charts that tell the story.

Are we heading toward “Free Delivery” for everything purchased online?
EBay Set to Offer Shipping Club, Starting in Germany
Fresh from its split with PayPal, eBay Inc. is addressing one of its longstanding challenges: shipping.
The e-commerce giant on Tuesday is set to introduce a speedy shipping membership in Germany it is calling eBay Plus. The 19.90 euro ($22) membership promises free delivery within two days on many items, as well as free returns within 30 days of a purchase.

For my iPhone toting students.
Hands on: Paper by FiftyThree comes to your pocket with iPhone support
We’ve been big fans of FiftyThree’s Paper for a while. It may not be the most feature-packed drawing app out there, but it’s well designed and easy to use, making it an ideal choice for jotting down quick sketches and diagrams.

Statistically speaking...
2015 NFL Preview: Peyton’s Broncos Headline The AFC West For At Least One More Season
Denver Broncos
2014 Record: 12-4 | 2015 Projected Wins: 9.9 | Playoff Odds: 73.0%
Offensive Rank: 4th | Defensive Rank: 13th | Special Teams Rank: 6th

(Related) We need a fantasy football club. er... This is for my Statistics students.
NFL Elo Ratings Are Back!
A good deal of FiveThirtyEight’s NFL coverage last season used Elo ratings, a simple system that estimates each team’s skill level using only the final scores and locations of each game. For 2015, we’re not only bringing Elo back (with a few small tweaks — more on those in a moment), but we’ve also built a continually updating Elo NFL predictions page that allows you to see the latest rankings, plus win probabilities and point spreads for the current week of NFL games.

Apparently “doing” is what I'm doing wrong.

Thursday, September 10, 2015

Too many companies take too long to detect a breach.
AP reports:
A health insurer in western New York and affiliates said Wednesday that their computers were targeted last month in a cyberattack that may have provided unauthorized access to more than 10 million personal records.
Excellus BlueCross BlueShield, headquartered in Rochester, and Lifetime Healthcare Companies said they’re offering affected individuals in upstate New York two years of free identity theft protection.
The companies said unauthorized computer access was discovered Aug. 5, and further investigation revealed that the initial attack occurred on Dec. 23, 2013.
Read more on NBC.

It's like Willie Sutton for the Internet. Automated crime, what a concept!
Cyber-Extortionists Targeting the Financial Sector Are Demanding Bitcoin Ransoms
… DD4BC – which stands for “DDoS for Bitcoin” (Distributed Denial of Service for Bitcoin) – has been targeting firms since mid-2014, so far evading international police forces.
… As cyber-attacks go, DDoS is a blunt instrument. It involves hammering a target website with traffic using a distributed network of computers under the control of one attacker. The aim is to flood the site with traffic to the point that its web server crashes and the site goes offline.
There is a commercial impact – estimated by Neustar to cost up to $100,000 per hour – but these attacks predominantly damage brand perception. “It represents vulnerability,” says Cisco’s Adam Philpott, who heads up cybersecurity in Europe. “If I can't access the service of an organization that’s handling a significant amount of my money, how can I trust it?”
DDoS extortion is not new, but DD4BC is particularly prolific.
They’ve been industrializing their operation – doing it at a scale and level that has not been seen before,” adds James Chappell, co-founder of security firm Digital Shadows.
The group is going for second- and third-tier financial organisations – ones that have money but not necessarily the defences or technical acumen to deal with a DDoS assault.

If the door is locked, try a window. Another piece of the dossier started with OPM?
Jacqueline Klimas reports:
Hackers infiltrated the Pentagon food court’s computer system, compromising the bank data of an unknown number of employees.
Lt. Col. Tom Crosson, a Defense Department spokesman, said on Tuesday that employees were notified that hackers may have stolen bank account information from people who paid for concessions at the Pentagon with a credit or debit card.
Read more on Washington Examiner.

This was a big item on today's local news. No idea why.
Energy Dept. hacked 150 times in 4 years
Hackers infiltrated the Department of Energy’s computer system over 150 times between 2010 and 2014, according to federal documents obtained by USA Today.
The records — received through a Freedom of Information Act request — reveal a blanket of digital attacks the agency has been struggling to thwart for years. In total, hackers targeted DOE networks 1,131 times over the four-year span, successfully cracking the network 159 times.
... But records show the assaults did hit some of the agency’s most sensitive systems.
The National Nuclear Security Administration, a sub-agency within DOE that secures the country’s nuclear weapons, was hit with 19 successful cyberattacks over the four years.
… In a 2013 oversight report, the agency’s inspector general noted “unclear lines of responsibility” regarding cybersecurity and a “lack of awareness by responsible officials.”

A rather strange survey. Do they think Hillary “got schooled” in Computer Security?
64 Percent of American Voters Predict a 2016 Presidential Campaign Will Be Hacked
As the 2016 presidential race heats up, data security company PKWARE announced the results of a poll conducted by Wakefield Research that examined American perceptions of the threat of political hacking, and which of the leading U.S. presidential candidates are most qualified to protect our nation from a growing onslaught of cyber-crime. According to the survey, which was sponsored by PKWARE and conducted in recent weeks, the majority (64 percent) of registered U.S. voters believe it is likely that a 2016 presidential campaign will be hacked.
… Despite Hillary Clinton's private email controversy, 42 percent of registered voters think she is the presidential candidate most qualified to protect the United States from cyber-attacks. She is followed by Donald Trump (24 percent), Scott Walker (18 percent) and Jeb Bush (15 percent).

I'm skeptical.
Justice Department Sets Sights on Wall Street Executives
Stung by years of criticism that it has coddled Wall Street criminals, the Justice Department issued new policies on Wednesday that prioritize the prosecution of individual employees — not just their companies — and put pressure on corporations to turn over evidence against their executives.
The new rules, issued in a memo to federal prosecutors nationwide, are the first major policy announcement by Attorney General Loretta E. Lynch since she took office in April. The memo is a tacit acknowledgment of criticism that despite securing record fines from major corporations, the Justice Department under President Obama has punished few executives involved in the housing crisis, the financial meltdown and corporate scandals.
“Corporations can only commit crimes through flesh-and-blood people,” Sally Q. Yates, the deputy attorney general and the author of the memo, said in an interview on Wednesday. “It’s only fair [Political correctness? Bob] that the people who are responsible for committing those crimes be held accountable.

(Related) Could we extend executive responsibility to vendors who don't use security Best Practices? Please.
When California State University decided to purchase a We End Violence program, Agent of Change, they reportedly did consider data security. The Press-Telegram reports:
Laurie Weidner, spokeswoman for the Chancellor’s Office, said CSU has not terminated its relationship with We End Violence, which administered the training program called Agent of Change. The vendor was one of three offered to campuses, when the sexual violence prevention program was rolled out, she said.
Weidner said in an email the vendor was one of several reviewed and was recommended by the White House task force on campus sexual violence prevention.
Did the White House task force review data security of the products?
“The vendor agreed to the required contract terms and conditions regarding information security, including accepting CSU definitions for what constitutes confidential data, and the requirement to maintain the privacy (of) confidential information,” Weidner said.
And what, exactly, were those terms and conditions? has emailed We End Violence to ask whether the sensitive student information was stored in plain text. Did CSU know the data would be stored in clear text? Did they accept that?
CSU has no plans to change the screening process of vendors delivering the online sexual assault prevention training, Weidner said.
So CSU has no plans to learn from this experience by investigating data security more before they make arrangements with a vendor?
“The breach occurred with one vendor not the others,” she said in the email. “The CSU has other contracts with other vendors, and there has been no data exposure.”
Perhaps she should add, “… yet.”
Keep in mind that all enrolled students in the 23-campus CSU system are reportedly required by federal law and the state auditor to take sexual assault prevention training. That is a tremendous number of students who may have their sensitive and/or personal information exposed through a vendor, as CSU’s statement about over 79,000 students being impacted illustrates.
If the U.S. Education Department and Congress are serious about data security and EdTech, maybe they should investigate the We End Violence breach and all the vendors’ contracts and assurances of data security (if they have not done so already).
And while the FTC cannot take action against CSU, it does have authority to enforce data security in the vendors. Maybe they, too, should look into whether We End Violence has a reasonable security program or if they violated Section 5 by failure to deploy commercially reasonable and appropriate safeguards for sensitive information that left consumers at risk of substantial injury.

Dell says to invest $125 bln in China over five years
Computer maker Dell Inc will invest $125 billion in China over the next five years, its chief executive said on Thursday, as the company continues to expand in the world's second-largest economy.
The world's third-largest maker of personal computers said the investment would contribute about $175 billion to imports and exports, sustaining more than one million jobs in China.
"The Internet is the new engine for China's future economic growth and has unlimited potential," Chief Executive Michael Dell wrote in a statement.
… Dell has been in China for about two decades and, before it went private in 2013, saw annual sales in the country of roughly $5 billion.
In January, it announced partnerships with state-owned China Electronics Corporation and the municipal government of Guiyang.

Perspective. For my IT Governance students.
The Talent Imperative in Digital Business
MIT Sloan Management Review's 2015 Report on Digital Business revealed two surprising insights that have profound implications for your organization’s digital initiatives.
First, employees report to a surprisingly high degree (80%) that they preferred for work for digital leaders. This result is not limited to Millennial employees, either; the percentage of employees who express preference for working for a digitally enabled company remains consistently above 70% for all age groups.
Second, fewer than half of all respondents indicated that they were satisfied with their organization’s digital efforts. As might be expected, this result is strongly correlated with the organization’s digital maturity — employees are least satisfied with those organizations that are digital laggards.

Some hype still sneaks in, but out of hundreds of articles this one looks readable.
A Hype-Free Guide to the Latest Apple Event… [Tech News Digest]

Oh joy. The debates are only a way to sell ads?
CNN to stream GOP debate for free
… The cable network announced it will lift that paywall from 6 p.m. to 11 p.m. the night of the debate and feature the live stream on its homepage. The move is meant to "showcase the value of 'TV Everywhere'" — the name the CNN gives to its streaming service.
… Fox News scored about 24 million viewers to the first GOP debate in August, breaking all previous debate and cable news records. Those rating have reportedly boosted ad prices for future debates, like the one hosted by CNN next Wednesday.
But Fox received some criticism for not offering a free livestream, which forced those without cable subscriptions to find a someone with a subscription or miss the live event.
Susan Crawford, a visiting professor at Harvard University, called Fox's move "wrong" and said it "shouldn't happen again." She described it as a new kind of poll tax.
"Fox News felt no need to ensure that online viewers could watch the debate. That meant that cord-cutters and cord-nevers — basically, Millennials and an ever-increasing chunk of Americans — whose high-speed Internet access wasn’t sold to them by a cable company had to wait for re-runs," she wrote in a Medium post.

For my Business Intelligence students? Looks interesting.
New Census Web Tool Helps Business Owners Make Data Driven Decisions
by Sabrina I. Pacifici on Sep 9, 2015
“The U.S. Census Bureau today released Census Business Builder: Small Business Edition, a new Web tool that allows business owners and entrepreneurs to easily navigate and use key demographic and economic data to help guide their research into opening a new business or adding to an existing one. The Census Business Builder was developed with user-centered design at its core and incorporated feedback from customers and stakeholders, including small business owners, trade associations and other government agencies. The tool combines data from the American Community Survey, the economic census, County Business Patterns and other economic surveys to provide a complete business profile of an area. Business statistics include the number of establishments, employment, payroll and sales. American Community Survey statistics include population characteristics, economic characteristics and housing characteristics. The new tool also combines third-party consumer spending data with the Census Bureau economic and demographic data.”

Some might even work for my students.
The Best 20 Apps for Students to Get Through a Day of School

Wednesday, September 09, 2015

Security for all my students. (Because undoing these hacks is tedious. Best to avoid them if possible.)
How to Spot & Avoid 10 of the Most Insidious Hacking Techniques

I see more articles like this, but not yet in mainstream sources.
Kenneth Lipp reports:
Prior to two weeks ago, when this reporter alerted authorities that they had exposed critical data, anyone online was able to freely access a City of Boston automated license plate reader (ALPR) system and to download dozens of sensitive files, including hundreds of thousands of motor vehicle records dating back to 2012. If someone saw your shiny car and wanted to rob your equally nice house, for example, they could use your parking permit number to obtain your address. All they had to do was find the server’s URL.
The open online server was a file share, primarily used for municipal parking enforcement to transfer and store vehicular permit information and nearly one million license plate numbers. This was all waiting to be discovered by anyone spelunking Google for terms including “Genetec,” the name of a Canadian surveillance company that owns the popular AutoVu brand of license plate readers.
Read more on DigBoston.

When would this be necessary?
Joe Cadillic writes:
Thanks to DHS’s own research & development department if you’re arrested, cops can now read your bank balance!
Police are now able to read our bank credit and debit cards, retail gift cards, library cards, hotel card keys, even magnetic-striped Metrorail cards instantly!
Did you catch that? Police will even know the balance of your commuter train/bus cards, all without a WARRANT!
DHS and Technology Directorate’s Electronic Recovery and Access to Data (ERAD) Prepaid Card Reader is now being used to read EVERY magnetic-striped card.
“The ERAD Prepaid Card Reader is a small, handheld device that uses wireless connectivity to allow law enforcement officers in the field to check the balance of cards. This allows for identification of suspicious prepaid cards and the ability to put a temporary hold on the linked funds until a full investigation can be completed.”
Read more on MassPrivateI.
How is this not a warrantless search and seizure?
Update: Orin Kerr blogged about his issue in July, here. He disagreed with a court opinion that held that it was not a 4-A search.

Hummm, is this really a carrot rather than a privacy stick?
A new article by privacy law scholars Neil Richards and Woodrow Hartzog.
Trust is beautiful. The willingness to accept vulnerability to the actions of others is the essential ingredient for friendship, commerce, transportation, and virtually every other activity that involves other people. It allows us to build things, and it allows us to grow. Trust is everywhere, but particularly at the core of the information relationships that have come to characterize our modern, digital lives. Relationships between people and their ISPs, social networks, and hired professionals are typically understood in terms of privacy. But the way we have talked about privacy has a pessimism problem – privacy is conceptualized in negative terms, which leads us to mistakenly look for “creepy” new practices, focus excessively on harms from invasions of privacy, and place too much weight on the ability of individuals to opt out of harmful or offensive data practices.
But there is another way to think about privacy and shape our laws. Instead of trying to protect us against bad things, privacy rules can also be used to create good things, like trust. In this paper, we argue that privacy can and should be thought of as enabling trust in our essential information relationships. This vision of privacy creates value for all parties to an information transaction and enables the kind of sustainable information relationships on which our digital economy must depend.
Drawing by analogy on the law of fiduciary duties, we argue that privacy laws and practices centered on trust would enrich our understanding of the existing privacy principles of confidentiality, transparency, and data protection. Re-considering these principles in terms of trust would move them from procedural means of compliance for data extraction towards substantive principles to build trusted, sustainable information relationships. Thinking about privacy in terms of trust also reveals a principle that we argue should become a new bedrock tenet of privacy law: the Loyalty that data holders must give to data subjects. Rejuvenating privacy law by getting past Privacy Pessimism is essential if we are to build the kind of digital society that is sustainable and ultimately beneficial to all – users, governments, and companies. There is a better way forward for privacy. Trust us.
You can download the full article from SSRN:
Richards, Neil M. and Hartzog, Woodrow, Taking Trust Seriously in Privacy Law (September 3, 2015). Available at SSRN:

(Related) Find a school you trust?
Herb Weisbaum reports:
For parents, the return to school means signing a stack of permission forms. One that’s easy to miss deals with the privacy of your child’s personal information – and your right to stop the school from sharing it.
Schools are allowed by federal law to share or sell “directory information” about their students with anyone – including data brokers and marketing companies – unless they have a parental opt-out form on file. that could subject parents and, in some cases even young students, to a torrent of advertising.
Read more on NBC News.
Weisbaum makes a good point that many otherwise-savvy parents may not know: if you sign an opt-out form for directory information, it is only good for that school year: you must sign a new one each year.

For my Ethical Hacking students. You won't even notice this censorship if you look at the blog here in the US.
Prevent Blogger from Redirecting your Blogspot Blog to Country-Specific URLs
Google now redirects Blogger blogs to country-specific domains. For instance, if you open in your web browser, you will be redirected to if you are located in India or to if you are accessing the blog from UK.
Google does country-specific redirection for selective censorship – that means they can easily censor or block a blog post, or other entire blog site, in one country but still serve that page in other geographic regions.

Mark Zuckerberg Tops the 2015 New Establishment List—and Snags the October Cover!
Facebook chairman and C.E.O. Mark Zuckerberg has struck deals with The New York Times and BuzzFeed to publish articles directly into users’ pages. He’s reportedly negotiating with record labels and content providers to secure rights to music videos and scripted shows. And, if he has his way, virtual reality may someday soon connect every person in the world. These are just a few of the reasons why Zuckerberg tops Vanity Fair’s 2015 New Establishment Disrupters list, a milestone the magazine celebrates by featuring the mogul on the October cover, in a photo by Annie Leibovitz.
“At 31, Mark Zuckerberg stands out as something of an elder statesman,” Vanity Fair editor Graydon Carter writes in his October editor’s letter.
… For a complete accounting of who’s up, who’s down, and who’s new on this year’s New Establishment list, check out the full rankings here.

Perspective. If trump is a flash in the pan, we should be looking at number two. (I thought Carson was too smart to be elected.) An interesting discussion...
If Donald Trump Can Win The Nomination, Ben Carson Could Too
Ben Carson is on the upswing in national polls.
… He’s also made gains in Iowa:
… And he’s done so largely without the media’s help. Will the Carson surge just be a blip à la Michele Bachmann and Herman Cain in the 2012 cycle? Or can Carson take down The Donald?

Science Fiction writers have long predicted that computers that allow us to work from home and have anything we desire delivered to our door will result in people who never physically meet another person. I think of that every time I see us getting closer.
Google to start testing fresh food and grocery deliveries
Google will start testing a delivery service for fresh food and groceries in two US cities later this year, stepping up competition with online retailer and startup Instacart.
The trial will begin in San Francisco and another city, said Brian Elliott, general manager of Google Express, which already delivers merchandise, including dry foods, to customers. Whole Foods Market and Costco Wholesale will be among Google's partners for the new service, he said.

Could Donald Trump steal the election by promising free wifi? Estimating the cost for the US might make an interesting project.
Philippines to Roll Out Nationwide Free Wi-Fi Service by 2016
The Philippines is planning free Wi-Fi services to half of its towns and cities this year and nationwide coverage by end-2016, limiting the data revenue prospects for Philippine Long Distance Telephone Co. and Globe Telecom Inc.
The free Internet service will cost the government about 1.5 billion pesos ($32 million) a year and will be available in areas such as public schools, hospitals, airports and parks, said Monchito Ibrahim, deputy executive director of the Information and Communications Technology Office.

Tools & Techniques (because you never know when you might need them)
How to Convert Any File Format Online with Free Tools
If you want to turn a FLAC into an MP3 or a PDF into a Doc, you don’t need to download fancy software. Just fire up your browser, head to one of these websites, and you’ll be done in a jiffy. And completely free too!

Tools for students and teachers.
7 New Google Drive Features Every Student Must Know
School is in session and Google is ready to make things easier for students with Google Drive. New features have been introduced and some old ones refined.
Not only is it free and cross-platform, but the Google Drive suite has become quite powerful, recently. You can now even use it offline on PC or mobile. Students are the future, so Google is adding student-centric features. The cool part? They’re useful even if you aren’t a student!

There is more than a grain of truth here.
Strategic Humor: Cartoons from the October 2015 Issue

Tuesday, September 08, 2015

Is there such a thing?
Ben Monarch, a University of Kentucky College of Law student, has an article that he has uploaded to SSRN that calls for amendments to the Computer Fraud and Abuse Act (CFAA) to recognize hacktivism as a defense. Monarch argues that the U.S. “application of the CFAA and (attempted) simultaneous adherence to Article 19 of the International Covenant on Civil and Political Rights (“ICCPR”) and Article 19 of the Universal Declaration of Human Rights (“UDHR”) are inconsistent.”
Here’s the Abstract:
“Hacker” is an extremely opaque, arguably insidious word. It conjures images of a computer mastermind with an appetite for destruction, theft, and a cocktail of illegal ambitions. This stereotype leaves little room for images of moral crusaders in the tradition of Martin Luther King, Jr. or Mahatma Ghandi. Yet, there are hackers who more closely resemble such icons than the cyber-criminals often associated with the hacker moniker. These other hackers have their own label — hacktivists. This article explores the role of hacktivists in democracy and discusses domestic laws that make hacktivist activities illegal. The article further explores how these restrictive laws are inconsistent with democratic tradition and international law, and how domestic law should be reformed to eliminate this inconsistency.
Of course, that might assume that federal prosecutors and those who wish to use the CFAA for civil litigation actually give a damn about the ICCPR and UDHR. Those arguing for amendments to CFAA seem more inclined to consider exemptions for journalists and researchers than for those engaging in political protest.
You can download Monarch’s full article for free at SSRN.
Monarch, Ben, The Good Hacker: A Look at the Role of Hacktivisim in Democracy (May 8, 2015). Available at SSRN: or

The real concern is that you can convince the car there is nothing in front of it.
Researcher Hacks Self-driving Car Sensors
The multi-thousand-dollar laser ranging (lidar) systems that most self-driving cars rely on to sense obstacles can be hacked by a setup costing just $60, according to a security researcher.
“I can take echoes of a fake car and put them at any location I want,” says Jonathan Petit, Principal Scientist at Security Innovation, a software security company. “And I can do the same with a pedestrian or a wall.”
Using such a system, attackers could trick a self-driving car into thinking something is directly ahead of it, thus forcing it to slow down. Or they could overwhelm it with so many spurious signals that the car would not move at all for fear of hitting phantom obstacles.
… “You can easily do it with a Raspberry Pi or an Arduino. It’s really off the shelf.”
Petit set out to explore the vulnerabilities of autonomous vehicles, and quickly settled on sensors as the most susceptible technologies. “This is a key point, where the input starts,” he says. “If a self-driving car has poor inputs, it will make poor driving decisions.”

I can see a few (Okay, many) problems with this. If only “officials” can authenticate the information, then I can create a bogus license to prove that I'm Millard Fillmore.
Iowa begins testing digital driver's licenses on your smartphone
Last year, we told you about Iowa's interest in launching digital driver's licenses, a move that might begin the phasing out of plastic licenses currently in use nationwide.
On Wednesday, the state announced live testing of what it calls the Mobile Driver License (mDL) in a number of settings, but that testing will be limited to hundreds of Iowa Department of Transportation employees.
The license appears on your smartphone, and looks much like a normal driver's license, including a photo, date of birth, address and license expiration date. In a demonstration video, which uses an iPhone, a quick screen swipe flips the license to its back, revealing a bar code and the class of the license.
But the feature that really makes the mDL special is that it allows the Department of Motor Vehicles to instantly update any information that may change, such as when a driver reaches the age of 21, or when a driver is hit with restrictions to their license.
Officials can check the authenticity of the mDL by using MorphoTrust's (the creator of the system) verification app, which acts as a mobile watermark reader. Using the verification app, a police officer can check the identity and license details of a driver without touching the driver's phone.
… Although the Supreme Court recently ruled that police need a warrant to search your smartphone, making your smartphone a part of the process of checking your identity seems like fertile territory for official intrusions into your device that might not otherwise occur with a plastic identity card.

MasterCard Testing New App That Lets You Make Payments With Selfie: Say Cheese!
… Expected to launch next year, MasterCard's new biometrics software, which is being integrated into the MasterCard app, will give consumers the option to purchase things by either offering up their faces or fingers for authentication.
… "When consumers shop on the Internet, their banks need ways to verify their identities," said Bhalla. "So this particular product seamlessly integrates biometrics into the overall payments experience."
The app's fingerprint scanner converts prints into code, which is stored on the mobile device. Its facial recognition software, however, is a bit more trendy right now.

Those annoying robo-calls are exempt from the “do not call” laws as long as they from politicians to us second class citizens. Imagine how intrusive social media could be if they get similar exemptions. I think there will be a huge market for ad blockers that work on everything!
Social media ready to cash in on 2016 election
Tech firms are courting campaigns ahead of the 2016 presidential election, where budgets for digital advertising are expected to reach new highs.
The election will be tweeted, googled, snapped, liked on Facebook, and shared on numerous other social media platforms. And Silicon Valley is hoping to turn that engagement into big profits.
While billions will be spent on political advertising over the next year, television remains the prime mover and budgets for digital ads trail traditional media.
But even by one recent estimate from Borrell Associates, 9.5 percent of political media budgets could go towards digital media — a total of $1 billion.

And the very polite argument continues.
Over at the Volokh Conspiracy, Orin Kerr responds, point by point, to my disagreement with his take on the Microsoft warrant case. I thank Kerr for continuing the conversation, and make four points in response:

Take me for a ride and I'll buy your stock?
BlaBlaCar Is Raising $160 Million From Insight, Valuing Ride-Sharing Startup At $1.2 Billion
A little more than a year after announcing a $100 million mega-round, we’re hearing from multiple sources that long-distance ride-sharing platform BlaBlaCar is in the process of raising another round with Insight Venture Partners. TechCrunch has learned that the French startup is raising $160 million at a post-money valuation of $1.2 billion.
… As a reminder, BlaBlaCar is a marketplace where you can find a driver who is driving from one city to another and book a seat in advance. It connects people with empty seats with riders. Drivers can make a bit of money while riders can travel for cheap. Like Airbnb, the company takes a small cut on every ride (currently around 10 percent).

Another “Thing” on the Internet of Things? Automating medicine? (iDoctor?)
Take a Deep Breath, Then Check Your Smartphone
The stethoscope, that iconic tool of doctors, has been upgraded several times since it was invented two centuries ago. Eko Devices, a start-up led by three recent graduates of the University of California, Berkeley, is betting that it is time for another innovative overhaul.
Last Friday, the fledgling company received approval from the Food and Drug Administration to market its Eko Core, a digital device that attaches to a conventional stethoscope and allows it to record, amplify and wirelessly send audio and sound wave images to an iPhone application. Its software meets federal standards for privacy and security, the founders say, and it can transmit its heart sounds and waveforms to the electronic health records used in hospitals and clinics. An Android app is scheduled to be released early next year.

Interesting. Perhaps a “hot air” map to locate politicians?
5 Mesmerizing Maps That Will Blow Your Mind