Saturday, October 10, 2015

Early notice. The Privacy Foundation Seminar on Friday, November 6th will address the FTC v. Wyndham decision. (Inadequate security is now a regulatory issue) I'll update as soon as I get the formal notice.

Not a big breach and they quickly change the topic in this article. I post it only because it's another example of a company that didn't notice the breach. And are they trying to suggest the breach was a single event that took place sometime in the last three years or that it has been ongoing for the last three years? The WSJ used to write clear and informative articles.
Dow Jones Discloses Customer Data Breach
… In a letter to customers on Friday, Dow Jones Chief Executive William Lewis said law-enforcement officials in late July informed the company that there may have been a breach. A company investigation with the help of a cybersecurity firm revealed the unauthorized access took place between August 2012 and July 2015.

(Related) This of course is far worse.
Andrea Peterson reports that E-Trade is first notifying 31,000 customers of a breach it discovered in 2013. The breach was first disclosed in 2014, but at that time, E-Trade reportedly didn’t believe that customer information had been involved.
The hackers may have accessed customers’ e-mail names, as well as e-mail and physical addresses, according to a notification E-Trade sent to customers affected by the incident. But there is “no evidence that any sensitive customer account information, including passwords, Social Security numbers, or financial information was compromised,” the e-mail said. There were “no reports of financial fraud or loss resulting from this incident.”
Read more on The Washington Post.
This incident is also likely related to the recently disclosed Scottrade breach and Dow Jones breach.

The future? Will everyone follow?
Amazon Casts Its Net on the Internet of Things
Amazon on Thursday leapt into the Internet of Things market with the announcement of its AWS IoT platform.
AWS IoT lets devices -- ranging from cars and turbines to sensor grids and light bulbs -- connect to services from Amazon Web Services.
That in turn allows companies to store, process, analyze and act on the mountains of data generated by connected devices.
… And what an opportunity it is -- the installed base of IoT units, which totaled 9 billion at the end of 2013, is expected to grow at a compound annual growth rate of 17.5 percent to hit 28 billion in 2020.
… Devices connect to AWS IoT's device gateway using both HTTP and MQTT -- Message Queue Telemetry Transport. MQTT is an industry-standard lightweight communications protocol for sensors and mobile devices.
… A rules engine lets device manufacturers define rules to filter, process and route data between devices, AWS services, and applications, as well as establish the action to take when various conditions are met -- such as sending an alert when a pressure sensor reports an unusually high reading.
Cloud applications can interact with connected devices even when the devices are offline through a shadow, or persistent virtual version, of devices AWS IoT will create.

Windows 10 Partly To Blame For 7.7 Percent Drop In PC Sales
… "Worldwide PC shipments totaled 73.7 million units in the third quarter of 2015, a 7.7 percent decline from the third quarter of 2014," research firm Gartner Inc. reports.
One reason for this, analysts say, is that "the global PC market has experienced price increases of around 10 percent throughout the year, due to the sharp appreciation of the U.S. dollar against local currencies."
Moreover, International Data Corporation's (IDC) research manager for its Worldwide PC Tracker, Jay Chou, adds that Microsoft's initiative of giving away Windows 10 for free is another reason for the PC industry's current downward slump. People are more than happy and willing to download a free upgrade to Windows 10 than have to shell out cash to buy a new device with exactly the same software.
Gartner echoes the same sentiments.

No matter how often I preach security and backup, this comes as no surprise. (Could this include student notes? Might explain a lot.)
The Rise and Impact of Digital Amnesia
by Sabrina I. Pacifici on Oct 9, 2015
Kaspersky Lab – Why we need to protect what we no longer remember – “Key findings from the study include:
• Across the United States, the study shows that an overwhelming number of consumers can easily admit their dependency on the Internet and devices as a tool for remembering. Almost all (91.2%) of those surveyed agreed that they use the Internet as an online extension of their brain. Almost half (44.0%) also admit that their smartphone serves as their memory–everything they need to recall and want to have easy access to is all on it.
• In addition, many consumers are happy to forget, or risk forgetting information they can easily find–or find again–online. When faced with a question, half of U.S. consumers would turn to the Internet before trying to remember and 28.9% would forget an online fact as soon as they had used it.
• Although dependence on devices appears high, when asked, most participants could phone the house they lived in at 15 (67.4%) as well as their partners (69.7%), children (34.5%), and place of work (45.4%). They could not however call their siblings (44.2%), friends (51.4%), or neighbors (70.0%) without first looking up the number.
• Contrary to general assumptions, Digital Amnesia is not only affecting younger digital natives–the study found that it was equally and sometimes more prevalent in older age groups.
• The loss or compromise of data stored on digital devices, and smartphones in particular, would cause immense distress, particularly among women and people under 35. More than half of women (51.0%) and almost the same number of 25 to 34 year-olds (48.6%) say it would fill them with sadness, since there are memories stored on their connected devices that they would never get back. However, it caused the even younger participants the most fear. One in four women (27.1%) and 35.0% of respondents age 16 to 24 say they would panic: their devices are the only place they store images and contact information.
• Worryingly, despite this growing reliance on connected devices, the study found that consumers across America are failing to adequately protect them with IT security. Just one in three (30.5%) installs extra IT security, such as an anti-virus software solution on their smartphone and one in five (20.7%) adds any security to their tablet. 28.0% doesn’t protect any of their devices.”

An indication that Computer Science has arrived and may now be discussed in polite company.
Computer science now top major for women at Stanford University

Friday, October 09, 2015

Part of any security plan is a review for any indications of a breach. We never assume our defenses will be perfect. Their investigation found signs of the breach; why weren't they using those tools all the time?
Customers may be singing, “You got mud on your face, you big disgrace” when they receive a breach notification from GlamGlow, the latest business to disclose that it had a breach more than one year ago that they’ve only recently discovered. The notification letter begins:
We recently became aware that an unauthorized party accessed the website and acquired certain personal information of some of our customers. After learning of the issue, we launched an investigation and retained outside experts to help us understand the nature and scope of the issue. Based on the investigation, we believe the incident occurred between September 19 and September 21, 2014 and May 12 and May 15, 2015. The affected information may have included names; addresses; telephone numbers; payment card numbers, expiration dates and security codes; email addresses; and GlamGlow account passwords.
Those notified are being offered one year of services with Equifax Credit Watch™ Gold. In the meantime, check your statements for signs of fraud, and change your passwords if you’ve reused your GlamGlow password anywhere else.

How often is too often? How big is too big? How sensitive is too sensitive? When does bad security rise to a level that attracts regulatory attention? A clear threshold would be nice.
Priya Anand reports:
Consumer and data privacy advocates are asking federal regulators to investigate the breach at credit bureau Experian, which compromised the personal information of millions of T-Mobile customers.
“We believe that it is incumbent on the regulatory agencies to fully investigate this breach, including whether other Experian databases have been breached,” they wrote in a letter to the Federal Trade Commission and Consumer Financial Protection Bureau, a watchdog agency. “A data security breach that affected Experian’s credit report files would be a terrifying and unmitigated disaster.”
Read more on MarketWatch.
Well, maybe now the FTC will do something. It’s nice to see others urging an investigation. I wish they had spoken up back in 2012 when I first disclosed Experian’s repeated breaches involving their credit report database, but better late than never.

A contract with your clients?
Mark McGreary writes:
New innovations come hand in hand with new privacy issues. [I respectfully disagree. Bob] Privacy policies may seem like a last minute add-on to some app developers but they are actually an important aspect of an app. Data breaches are an imminent risk and a business’s first defense to potential problems is a privacy policy.
Fordham University in New York hosted its Ninth Law and Information Society Symposium last week [May 13th, actually Bob] where policy and technology leaders came together to discuss current privacy pitfalls and solutions. Joanne McNabb, the California attorney general’s privacy education director and a leader in policies affecting the privacy agreements of companies such as Google and Apple, emphasized in a panel that she “wants to make the case for the unread privacy policy.” She noted that the policy mainly promotes “governance and accountability [and] it forces an organization to be aware of their data practices to some degree, express them and then therefore to stand behind them.” The privacy policy still matters because it protects businesses from the risks associated with having a high level of data.
Read more on Fox Rothschild Privacy Compliance & Data Security. I love this line:
Whether a privacy policy is read is insignificant. The protections it puts in place for all parties involved are crucial.
Indeed. How many enforcement actions have we seen by the FTC (including the Wyndham case) where the FTC quoted the firm’s privacy policy and argued that the entity did not live up to the assurances it had made to consumers? If your policy promises “industry standard” data security, are you living up to that promise? If not, I think you can reasonably expect to be sued in the event of a data breach involving identity information.
[It looks like Fordham videoed everything:

Any Privacy Policy here? When is “consent” not voluntary?
Dana DiFilippo reports:
…. Bucks County officials announced the new database – the first of its kind nationally – at a news conference yesterday at the county courthouse in Doylestown, recounting case after case in which the new database solved crimes that might have gone cold with few other clues.
The new system – in which authorities can swab suspects for DNA even before they’re arrested – might raise the eyebrows of privacy-protective civil-rights advocates. The state database maintained by the Pennsylvania State Police, for example, contains DNA only from convicted offenders.
But Harran emphasized that suspects must consent to be swabbed, unless officers can persuade a judge for a court order.
“People think it’s ‘Big Brother,’ ” Harran said, referring to a character in a popular dystopian novel about government oppression. “It’s not. It’s an all-voluntary program. People can say no. Thank God criminals are stupid” and usually consent.

Being religious is not being godly.
Joe Cadillic is all over this one (some typos corrected by me):
According to an Arizona Dept. of Child Safety document, churches are working with social workers to spy on families and they’re also using “Child Safety and Risk Assessments“.
According to an article, church leaders are openly encouraged to collaborate with the gov’t. The article goes on to explain how religious organizations will spy on families and help the gov’t decide whether they should remove a child from their family!
“Called The Care Portal, the online tool allows DCS caseworkers who know of a specific need of a child or family to submit that request via email to nearby churches enrolled in the system.”
Read more on MassPrivateI.

Does this solve everything?
Sacramento – Today, in a landmark victory for Californians’ digital privacy rights, Governor Jerry Brown signed the California Electronic Communications Privacy Act (CalECPA, SB 178) into law. The bill, jointly authored by Senators Mark Leno (D-San Francisco) and Joel Anderson (R-Alpine), updates the state’s privacy laws for the digital age by protecting Californians against warrantless surveillance of their digital information.
“Governor Brown just signed a law that says ‘no’ to warrantless government snooping in our digital information. This is a landmark win for digital privacy and all Californians,” said Nicole Ozer, Technology & Civil Liberties Policy Director at the ACLU of California. “We hope this is a model for the rest of the nation in protecting our digital privacy rights.”
… CalECPA updates California’s privacy protections to reflect the modern digital world and reinforces constitutional rights to privacy by ensuring that police get a warrant before accessing digital information like emails, text messages and online documents and tracking or searching electronic devices like cell phones. Full bill language, polling, fact sheets, and more information about CalECPA can be found here:
SOURCE: ACLU of Northern California

Better than England? But only one city, so far.
Zheping Huang reports:
During China’s National Day holidays this month, almost 8 million tourists visited Beijing in just four days—and the Chinese government kept a close watch on every one of them as they toured the capital’s streets.
Beijing police added new surveillance cameras ahead of the holiday, and have expanded coverage in the city to “100 percent” for the first time ever, to “tighten the capital’s security” and “avoid crimes in crowds,” state-run China Daily reported.
Read more on Quartz.

Is there a report that says they work?
Joe Cadillic starts with this statement:
According to a National Academies of Sciences, Engineering, and Medicine (NAS) report, airport X-ray body scanners are safe.
but then proceeds to question how unbiased and independent the report really is.
You can read what he found and his 10 reasons not to trust the NAS report on his blog, MassPrivateI.

A calculated PR stunt?
Chris Mandle reports:
The photo agency responsible for the nude photos of Justin Bieber have denied claims the singer’s privacy was invaded as he stood on the decking of a remote holiday apartment.
Speaking to The Independent, a spokesman from FameFlynet UK said: “There’s no invasion of privacy” and would not comment on whether a long-lens was used to get the photos.
Bieber was photographed while on holiday in Bora Bora, walking from the inside of a seafront bungalow to the decking outside. Several photos show full-frontal nudity.
The pictures were published exclusively on New York Daily News, who covered Bieber’s crotch with a modesty bar, but the originals were leaked onto Twitter late last night and soon went viral.
Read more on The Independent.
If this would be an invasion of privacy for a female, it’s an invasion of privacy for Bieber. If it’s an invasion of privacy for a private (non-public) figure, it’s an invasion of privacy for a public figure or celebrity. We need to stop with the double standards. This is not just a matter of tackiness. If you sit quietly by while this happens to Bieber, why should you expect that your own privacy should be respected or protected?

“We weren’t really serious about that.” This was a loser going in. If I encrypt my email (for example) and then my email provider encrypts it again, all they can decrypt is the gibberish I sent them. Would the government then go after them for “failing” to decrypt my message?
Obama administration opts not to force firms to decrypt data — for now
After months of deliberation, the Obama administration has made a long-awaited decision on the thorny issue of how to deal with encrypted communications: It will not — for now — call for legislation requiring companies to decode messages for law enforcement.

If I started a database like this one and charged just a couple of cents for each query, would I be competitive with the big boys?
Tami Abdollah of AP reports:
For years, police nationwide have used patrol car-mounted scanners to automatically photograph and log the whereabouts of peoples’ cars, uploading the images into databases they’ve used to identify suspects in crimes from theft to murder.
Nowadays, they are also increasingly buying access to expansive databases run by private companies whose repo men and tow-truck drivers photograph license plates of vehicles every day.
Civil libertarians and lawmakers are raising concerns about the latest practice, arguing that there are few, if any, protections against abuse [No risk for me to store the data, right? Bob] and that the private databases go back years at a time when agencies are limiting how long such information is stored.
Read more on WTOP.

Smartphones are the new credit cards. You need a device that accepts the phone's offer to pay – that would seem to be the bottleneck. Will you need a proprietary device for each phone/payment system combination?
Apple Pay Continues To Expand, Coming To Starbucks, KFC And Chili's

This one is not on Hillary. Why do I get the feeling that no one involved with this investigation has a clue how Computer Security (or any other form of security) is supposed to work? I try to teach my students to pay attention to any warnings about security.
Clinton e-mails were vulnerable to hackers, tech firm warned
A technology subcontractor that has worked on Hillary Rodham Clinton’s e-mail setup expressed concerns over the summer that the system was inadequately protected and vulnerable to hackers, a company official said Wednesday.
But the concerns were rebuffed by the company managing the Clinton account, Platte River Networks, which said it had been instructed by the FBI not to make changes. [I doubt this is what they meant. Bob]
… A Platte River Networks spokesman acknowledged receiving upgrade requests from Datto.
“It’s not that we ignored them, but the FBI had told us not to change or adjust anything,” the spokesman, Andy Boian, said.
Boian said, however, the company did not take Datto’s concerns to the FBI.
… The concerns expressed by Datto reflected worry that the system, which was still in use for the Clintons’ personal office in August, [Really? So they are making changes every day! Bob] could have been vulnerable to hackers who targeted it for its new notoriety amid the swirling controversy.

For my Computer Security students. They “yell” at your drone, thinking that will “freeze” it in place. If your drone loses your command signals, isn't it programmed to return to where it was launched?
UK firms develop drone-freezing ray
The Anti-UAV Defense System (Auds) works by covertly [Rather obvious actually. Bob] jamming a drone's signal, making it unresponsive.
After this disruption, the operator is likely to retrieve the drone believing that it has malfunctioned.
The system joins a host of recently announced technologies which can blast larger drones out of the sky.
… The Auds operator can then choose to freeze the drone just for a short time - to convince its owner that there's something wrong with it – or for a longer period, until its battery dies and it crashes.
Auds has been tested in the UK, the USA and France, said Mr Taylor, and government organisations in all three countries had been involved in those tests.

I find this difficult to understand. Did the software change how the engines worked or how the emissions were reported? Either way, I don't see how the company could miss this.
Volkswagen U.S. CEO Says He Didn’t Know in 2014 of Emissions Defeat Devices
… Michael Horn, head of Volkswagen Group of America, said during a congressional hearing on Thursday that he believed “a couple of software engineers” were responsible for software that allowed nearly a half million diesel-powered cars sold in the U.S. since 2008 to dupe emissions tests.
… House Republicans and Democrats alike decried Volkswagen’s long running deception with defeat-device software that made the auto makers’ diesel cars run cleaner during emissions testing than they did on the road. [Apparently, the cars can run clean. Perhaps it causes the engines excessive wear? Bob]
… Mr. Horn ruled out buying back vehicles from dealers. He said the cars are legal and safe to drive. [How can that be? Is this about extra pollution taxes? Bob] Volkswagen is focused on repairs, hoping to have a fix available next year, he added. A timetable for a U.S. recall isn’t yet set.
… On Thursday, German prosecutors raided Volkswagen offices and private homes, seizing documents and data storage devices that may shed light on who was involved in the engine software and any alterations to it.
… Volkswagen has so far set aside $7.3 billion to address the problem. Current Chief Executive Matthias Müller has said the cost will likely rise.

Volkswagen America's CEO blames software engineers for emissions cheating scandal
… At one point, Horn was asked if he knew how the defeat devices work. "Personally, no. I’m not an engineer," he responded. Later, in response to a similar question, Horn was suddenly able to describe how the defeat devices were able to fool the EPA's tests, and mimicked turning a car's steering wheel. (One of the ways the offending software was able to recognize whether a car was being tested or not was to monitor the amount of movement in the steering wheel.) [Sounds like the software changed what it reported, not what actually happened in the engine. Bob]

This is a pretty significant failure. Have we become so incompetent that we can't train soldiers? Or perhaps we can't find potential soldiers to train? Or maybe Russia is right and we should never have declared the Assad government as evil.
Obama Administration Ends Pentagon Program to Train Syrian Rebels
The Obama administration has ended the Pentagon’s $500 million program to train and equip Syrian rebels, administration officials said on Friday, in an acknowledgment that the beleaguered program had failed to produce any kind of ground combat forces capable of taking on the Islamic State in Syria.
… The change makes official what those in the Pentagon and elsewhere in the administration have been saying for several weeks would most likely happen, particularly in the wake of revelations that the program at one point last month had only “four or five” trainees in the fight in Syria — a far cry from the plan formally started in December to prepare as many as 5,400 fighters this year, and 15,000 over the next three years.

Perspective. (Apparently, I'm still anti-social)
Social Media Usage: 2005-2015
by Sabrina I. Pacifici on Oct 8, 2015
“Nearly two-thirds of American adults (65%) use social networking sites, up from 7% when Pew Research Center began systematically tracking social media usage in 2005. Pew Research reports have documented in great detail how the rise of social media has affected such things as work, politics and political deliberation, communications patterns around the globe, as well as the way people get and share information about health, civic life, news consumption, communities, teenage life, parenting, dating and even people’s level of stress.”

(Related) An infographic.
Think Before You Tweet: Don’t Let Social Media Get You Fired

Nuts, just nuts.
Hack Education Weekly News
… “The U.S. Department of Education’s Office of Inspector General has pumped the brakes on competency-based education, partially due to concerns about the level of interaction between instructors and students in some of those programs,” Inside Higher Ed reports.
… “These states spend more on prisons than colleges.” (Saved you a click: Michigan, Oregon, Arizona, Vermont, Colorado, Pennsylvania, New Hampshire, Delaware, Rhode Island, Massachusetts, and Connecticut.)
Via the AP: “The former CEO of Chicago Public Schools will plead guilty in an indictment that alleges she was involved in a scheme to steer $20 million worth of no-bid contracts to education companies in exchange for bribes and kickbacks, her attorney said Thursday.” [It's a Chicago thing. Bob]
Via The Chronicle of Higher Education: “MIT Unveils ‘MicroMaster’s,’ Allowing Students to Get Half Their Degree From MOOCs.” (That is, a master’s degree in supply chain management.)
… The University of Phoenix has been barred from recruiting on military bases, says The Wall Street Journal, and troops will not be able to use federal money to pay for classes at the school.
Via District Administration: “Of the 2,000 high school students in Albemarle County Public Schools, only 25 requested lockers last school year, as more students carry their devices and books in backpacks.” Instead of lockers: charging stations.

Thursday, October 08, 2015

For my Ethical Hacking students. It is much easier to hack a technology when you know exactly how it works. And remember, this is “strategic hacking.” Each step has a goal of enabling more hacks, not just owning one system.
Chinese Hackers Breached LoopPay, Whose Tech Is Central to Samsung Pay
Months before its technology became the centerpiece of Samsung’s new mobile payment system, LoopPay, a small Massachusetts subsidiary of the South Korean electronics giant, was the target of a sophisticated attack by a group of government-affiliated Chinese hackers.
As early as March, the hackers — alternatively known as the Codoso Group or Sunshock Group by those who track them — had breached the computer network of LoopPay, a start-up in Burlington, Mass., that was acquired by Samsung in February for more than $250 million, according to several people briefed on the still-unfolding investigation, as well as Samsung and LoopPay executives.
LoopPay executives said the Codoso hackers appeared to have been after the company’s technology, known as magnetic secure transmission, or MST, which is a key part of the Samsung Pay mobile payment wallet that made its public debut in the United States last week.
LoopPay did not learn of the breach until late August, when an organization came across LoopPay’s data while tracking the Codoso Group in a separate investigation.
… two people briefed on the investigation, as well as security experts who have been tracking the Codoso hackers as they have targeted hundreds of victims around the world, said it would be premature to say what the hackers did and did not accomplish since they were discovered in August.
To start, the hackers were inside LoopPay’s network for five months before they were discovered. And the Codoso Group is known for maintaining a hidden foothold in its victims’ systems. Security experts say the group’s modus operandi is to plant hidden back doors across victims’ systems so that they continue to infiltrate their networks long after the initial breach.

...because the “victims” were “asking for it?” Sound familiar?
David Wells reports:
A cyber criminal hijacked computers to spy on people having sex through their webcams, the National Crime Agency (NCA) has said.
Stefan Rigo, 33, used malware called Blackshades to give him control over strangers’ cameras and spent five to 12 hours a day watching what they were doing in front of their computers.
The NCA said he was addicted to monitoring his victims, some of whom he knew and some who were complete strangers.
Rigo was given a 40-week suspended prison sentence, placed on the Sex Offenders Register for seven years and ordered to do 200 hours of unpaid work by magistrates in Leeds after he admitted voyeurism at a previous hearing, the agency confirmed.
Read more on Western Morning News.
And he didn’t get any prison time…. why?!

“Because it's more important to have the information than to protect the information.” Makes the government sound like a Silicon Valley start-up.
Feds push forward with controversial health rule
The Obama administration is moving ahead with controversial new rules that require doctors to switch to electronic health records or face fees, resisting calls from both parties to delay implementation.
Federal health officials said the final rules released Tuesday will make “significant changes" in the "meaningful use" electronic health records program, such as lowering the number of standards each provider must meet and allowing providers to apply for hardship exemptions.
… It’s an attempt to move away from a paper-based system that depends on a doctor’s handwriting and paper copies of files – and one that could become a major part of Obama’s health legacy.
Groups like the American Academy of Family Physicians have said many of its providers’ issues with electronic health records are the result of the technology itself.
“We believe this is the fault of the vendors and their lack of accountability while reaping huge profits from the HITECH act,” the group’s president, Dr. Robert Wergin, wrote in a statement hours before the rules were announced.
“Vendors, not providers, must be held fiscally accountable for not yet achieving an appropriate level of interoperability.”

Local. I was a bit concerned that the “I can hack an airplane” claim was a bid for attention. Perhaps they saw this coming even back then.
Sorry to hear of this.
Katy Stech reports:
A Colorado cybersecurity firm whose founder said he hacked into more than a dozen airline flights by plugging his laptop into a passenger jet’s entertainment system has filed for bankruptcy.
One World Labs Inc., founded by Chris Roberts in 2009, filed for bankruptcy protection on Friday, saying it faces roughly $720,000 in debt.
Company officials are negotiating a deal to sell the Denver-based intelligence firm, which says it has “access to the world’s largest index of dark content to protect corporations, governments and nonprofit organizations,” enabling clients to search the database for stolen data. The firm took in $3 million in revenue last year, according to documents filed in U.S. Bankruptcy Court in Denver.
Read more on WSJ.

Perspective. Not bad for a company started in a dorm room.
Dell Is in Talks With EMC Over Possible Merger
Dell Inc. and private-equity firm Silver Lake are in advanced talks to buy EMC Corp. according to people familiar with the matter, a deal that would rank as the biggest technology-industry takeover ever and remove questions about EMC that have hung over the data-storage giant for more than a year.

There's a market for all that hippie stuff?
Amazon Challenges Etsy With Strictly Handmade Marketplace

Interesting. I wonder if my students would be interested in research?
Our mission at YC is to enable as much innovation as we can. Mostly this means funding startups. But startups aren’t ideal for some kinds of innovation—for example, work that requires a very long time horizon, seeks to answer very open-ended questions, or develops technology that shouldn’t be owned by any one company.
We think research institutions can be better than they are today. So we’re starting a new research lab, which we’re calling YC Research, to work on some of these areas.
… YCR is a non-profit. Any IP developed will be made available freely to everyone.
… Because of the openness, the researchers will be able to freely collaborate with people in other institutions.

Perspective. Maybe peoples in O-re-gone are just not too smart? Or is everyone getting dumber?
Shakespeare in Modern English?
THE Oregon Shakespeare Festival has decided that Shakespeare’s language is too difficult for today’s audiences to understand. It recently announced that over the next three years, it will commission 36 playwrights to translate all of Shakespeare’s plays into modern English.

Wednesday, October 07, 2015

For my Ethical Hacking students. Perhaps we need a “drone swatter” to keep our secrets?
Hacking Wireless Printers With Phones on Drones
… researchers in Singapore have demonstrated how attackers using a drone plus a mobile phone could easily intercept documents sent to a seemingly inaccessible Wi-Fi printer. The method they devised is actually intended to help organizations determine cheaply and easily if they have vulnerable open Wi-Fi devices that can be accessed from the sky. But the same technique could also be used by corporate spies intent on economic espionage.
The drone is simply the transport used to ferry a mobile phone that contains two different apps the researchers designed. One, which they call Cybersecurity Patrol, detects open Wi-Fi printers and can be used for defensive purposes to uncover vulnerable devices and notify organizations that they’re open to attack. The second app performs the same detection activity, but for purposes of attack. Once it detects an open wireless printer, the app uses the phone to establish a fake access point that mimics the printer and intercept documents intended for the real device.
… Any organizations that are more interested in uncovering vulnerable devices than attacking them can simply install the Cybersecurity Patrol app on a phone and attach it to a drone to scan their buildings for unsecured printers and other wireless devices. A drone isn’t essential for this, however. As the researchers show in their demo video (above), a phone containing their app can also be attached to a robot vacuum cleaner and set loose inside an office to scan for vulnerable devices as it cleans a company’s floors.

(Related) Really not clear from the article what evidence exists to base these fines on. I doubt the FAA had adequate “drone monitoring” technology deployed. Are they relying on anecdotal information from SkyPan? Can they derive anything from analyzing the videos taken (if any?)
65 Unauthorized Flights Could Cost a Drone Company Nearly $2 Million
… on Tuesday, ... it announced that it is seeking to fine SkyPan International, a Chicago-based drone company, $1.9 million for “endangering the safety of our airspace.” If SkyPan ends up having to pay, it’d be the largest civil penalty ever for a drone company.
… an FAA spokesperson said that while SkyPan was granted the Section 333 UAS exemption, the flights SkyPan is being fined for occurred before the company secured the exemption.

For a lot of my students, including Computer Security, Ethical Hacking, Forensics and Data Management. Easy data access for the company/industry may not be the best way to protect your clients. Definitely read the article.
Brian Krebs reports:
The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead. Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account.

Surveillance is easy. Opting out does not stop Facebook's data gathering, it only stops targeted ads.
Nate Cardozo of EFF writes:
The ubiquitous blue “Like” or “Share” buttons that you see all over the Internet are hiding an ugly secret. Starting this month, Facebook will use them to track your visit to every Web page that displays the buttons–even if you don’t click on anything.
Facebook will use the data it collects to build a dossier of your browsing habits, logging every site you visit, so it can learn those last few details about your life that it doesn’t already know. And there’s nothing you can do about it, short of staying totally logged out of the social media site or tracking down and installing a special browser extension to protect from this kind of sneaky behavior.
Read more on The Mercury News.

(Related) What's good enough for Facebook...
Verizon’s Zombie Cookie Gets New Life
Verizon is giving a new mission to its controversial hidden identifier that tracks users of mobile devices. Verizon said in a little-noticed announcement that it will soon begin sharing the profiles with AOL’s ad network, which in turn monitors users across a large swath of the Internet.
That means AOL’s ad network will be able to match millions of Internet users to their real-world details gathered by Verizon, including — “your gender, age range and interests.” AOL’s network is on 40 percent of websites, including on ProPublica.
AOL will also be able to use data from Verizon’s identifier to track the apps that mobile users open, what sites they visit, and for how long. Verizon purchased AOL earlier this year.

Strange we haven't heard of this firm until now. Do you think there are others we don't know about? Did anyone contact them and ask them to preserve evidence? If we are just now starting to look at other firms, this investigation could go on for a long, long time. Perhaps the FBI should assign more than one part-time agent?
Tom Hamburger and Rosalind S. Helderman report:
The FBI’s probe into the security of Hillary Rodham Clinton’s e-mail has expanded to include a second private technology company, which said Tuesday it plans to provide the law enforcement agency with data it preserved from Clinton’s account.
The additional data, provided by Connecticut-based Datto Inc., could open a new avenue for investigators interested in recovering e-mails deleted by the former secretary of state — now the Democratic presidential front-runner — that have caught the interest of GOP lawmakers.
Read more on Washington Post.
[From the article:
Datto was hired to provide backups for the Clinton e-mail accounts starting in May 2013 by Platte River Networks, the Colorado-based tech firm hired earlier that year by the Clinton family to manage the system after Hillary Clinton concluded her term as secretary.
… Late Tuesday, officials from the two tech firms disagreed about the possibility that years-old e-mails Clinton has deemed personal and deleted could be recovered by the FBI.
A Datto official said that investigators may be able to recover the e-mails if the data existed at the time the company was hired in May 2013 and had not been altered since.
A spokesman for Platte River, Andy Boian, said his company assumed that Datto would have retained data for only a short period and older e-mails would no longer be available.
… The letter to Datto from Sen. Ron Johnson (R-Wis.) cited e-mails and other documents that have been turned over to the committee by Platte River in recent weeks that show a more complicated array of companies involved in managing the Clinton e-mail system than had previously been publicly known.
… Of particular interest to Johnson, according to his letter, is whether Datto was authorized to store classified information and whether the firm has come under cyberattack.

Does this explain my student's reluctance to discuss the topics in my lecture?
The Flight From Conversation
… Sherry Turkle, a clinical psychologist and sociologist at the Massachusetts Institute of Technology, has spent the past 30 years observing how people react and adapt when new technologies change the ways we communicate. In her latest book, Reclaiming Conversation: The Power of Talk in a Digital Age, Turkle argues that texts, tweets, Facebook posts, emails, instant messages, and snapchats—simultaneous, rapid-fire “sips” of online communication—have replaced face-to-face conversation, and that people are noticing the consequences. Over-reliance on devices, she argues, is harming our ability to have valuable face-to-face conversations, “the most human thing we do,” by splitting our attention and diminishing our capacity for empathy.

(Related) Is it a “want” or a “need?” Interesting graphic.
Can Americans Keep Up With Buying the New, New Technology?
… A startling 69 percent of Americans said that having the latest technology is “total[ly] necessary” to their lives, according to the results of the most recent Heartland Monitor Poll. Just 12 percent of those surveyed called new technology “not at all necessary.”

Something to help my students take notes? No! I don't want them all muttering into their phones.
Here’s How to Get Accurate Voice-to-Text Conversion for Free
Free dictation apps that convert your speech accurately to onscreen text do exist. I learned that when I stumbled upon Dictanote in the Chrome Web Store.
Speech recognition technology has become quite impressive in recent times. It has given you assistants like Google Now, Siri, and Cortana to make your routine digital tasks easier.
… It turns out that there are other Chrome-based speech-to-text apps, such as Voice Recognition, that share Dictanote’s accuracy levels. That’s because they all function on Chrome’s Web Speech API, which now boasts a 92% accuracy rate.
Of course, these apps may be accurate, but they’re not flawless. If you use one, do copy-paste your notes to your regular text editor for backup. You could even skip the app installation altogether and use the Web Speech API demo to dictate notes.
By the way, did you know that you can type with your voice in Google Docs?

Tuesday, October 06, 2015

I'm sure they'll claim that this is not a problem 99.9% of the time. I'm telling you it certainly is. The password allows changes to the student's laptop. Apparently they use the same password for all students. (The link is bad and I can't find the article on the newspaper website.)
It’s nice that the district followed up by publicly disclosing what went wrong.
Preston Spencer reports:
The Lake Norman High student who obtained an administrative password last week did so by using more sophisticated methods than just simply guessing.
Dr. David Blattner, chief technology officer for Iredell-Statesville Schools, said the password, which was spread to six other students who used it to access other students’ computers, was acquired after “a file that was intended to give students the ability to add printers at home did not delete as intended.”
“We have a script that we send out that runs on the computers that does contain the admin password,” Blattner said in an email. “It runs and then deletes itself…. The file was made invisible and the script to delete the file was provided by the software manufacturer, but it did not work as designed.”
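The failure described above (a provisioning script that carries the admin password, is hidden, and is trusted to delete itself) can be caught by checking for leftovers after deployment instead of assuming the cleanup ran. The following is an added example, not the district's or the vendor's code; the file names, the `mounttool` command, the passwords and the matching patterns are all constructed for illustration.

```python
"""Post-deployment audit: find scripts that still hold an embedded credential."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Heuristic patterns for credentials embedded in scripts (assumed, not exhaustive).
CREDENTIAL_PATTERNS = [
    # ADMIN_PASSWORD="value", password: value, pwd=value ...
    re.compile(r"(?i)\b\w*(?:password|passwd|pwd)\w*\s*[:=]\s*['\"]?([^\s'\"]{4,})"),
    # --password value / -password value on a command line
    re.compile(r"(?i)(?:^|\s)--?(?:password|passwd)\s+['\"]?([^\s'\"]{4,})"),
]


@dataclass
class Finding:
    path: str
    hidden: bool
    line_no: int
    redacted: str  # the matching line with the secret masked


def is_hidden(path: Path) -> bool:
    """Dotfile on POSIX, or the Windows 'hidden' file attribute."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2))


def scan_tree(root, max_bytes=1_000_000):
    """Return a Finding for every line under root that looks like a stored credential."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            try:
                if path.stat().st_size > max_bytes:
                    continue  # skip large binaries and archives
                hidden = is_hidden(path)
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip it, do not abort the audit
            for line_no, line in enumerate(text.splitlines(), 1):
                for pattern in CREDENTIAL_PATTERNS:
                    match = pattern.search(line)
                    if match:
                        # Never copy the secret into the audit report.
                        masked = line[:match.start(1)] + "****" + line[match.end(1):]
                        findings.append(Finding(str(path), hidden, line_no, masked.strip()))
                        break
    return findings


def build_constructed_sample(root):
    """Write a constructed home directory: one leftover hidden script, three other files."""
    root = Path(root)
    (root / ".add_printers.sh").write_text(
        '#!/bin/sh\n'
        'ADMIN_PASSWORD="Constructed-Pass-123"\n'
        'echo "adding printers"\n'
        'rm -- "$0"  # self-delete step that never ran\n'
    )
    (root / "map_drive.sh").write_text("mounttool --password Constructed-Pass-456 share\n")
    (root / "notes.txt").write_text("Ask IT about the printer password policy.\n")
    (root / ".profile").write_text("export PATH=$PATH:$HOME/bin\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for finding in scan_tree(tmp):
            tag = "HIDDEN" if finding.hidden else "visible"
            print(f"{tag:7} {Path(finding.path).name}:{finding.line_no}: {finding.redacted}")
```

A hit on a hidden file is the case from the article: the script ran, the delete step did not, and the shared password is still on disk.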

You have got to be kidding me.
Many 911 calls coming from butt dials
Pocket dials accounted for about 20 percent of all 911 calls in San Francisco last year, according to a study conducted by Google.
The city does not specifically track accidental 911 calls made from mobile phones, but the study found most of the unknown or miscellaneous 911 calls logged were from pocket dials — sometimes known as butt dials.
… “As smartphone ownership increases, accidental dials to 9-1-1 increase,” the study’s authors concluded. “Based on the data collected, the majority of callbacks by 9-1-1 dispatchers are made to wireless phones.”

This “looks” like a clear (simple) problem. I wonder how difficult the solution will be?
Europe's biggest airline is attacking Google over its 'misleading' search ads
Ryanair, Europe's biggest airline, is attacking Google for its "misleading" search ads and is calling on the search giant to enforce advertising transparency.
In a press release, Ryanair points to a search for "Ryanair," which returns an ad from what appears to be the official airline itself.
In fact, Ryanair says this ad is from an unaffiliated "screenscraper" website called eDreams, which is "masquerading" as Ryanair and "unlawfully" selling its flights.
… Ryanair says it has taken legal action against several screenscraper websites across Europe. The Court of Hamburg ruled in January that eDreams had been using an unlawful subdomain and was misleading customers into thinking it had an official partnership with Ryanair.
But Ryanair is demanding Google works harder to prevent these issues from occurring in the first place.

Registration required.
Annual Study Reveals Average Cost of Cyber Crime per Organization Escalates to $15 Million
HP today unveiled the results from its sixth annual study in partnership with the Ponemon Institute detailing the economic impact of cyber attacks across both the private and public sectors. The findings reveal a dramatic increase in the overall cost of cyber crime, while providing insight to the most costly cyber crimes and the approaches organizations can take to minimize the impact.
-- Cost to resolve cyber attack escalates: The average time to resolve a cyber attack was 46 days, with an average cost to participating organizations of more than $1.9 million during this 46-day period.(1) This represents a 22 percent increase from last year's estimated average cost of approximately $1.5 million, which was based upon a similar 45-day resolution period.(2)
… For more information on country-specific findings of the Cost of Cyber Crime Study or copies of the full reports, along with an interactive assessment tool, visit

Far below estimates... What did we miss?
BP's Record Oil Spill Settlement Rises to More Than $20 Billion
The value of BP Plc’s settlement with the U.S. government and five Gulf states over the Deepwater Horizon oil spill rose to $20.8 billion in the latest tally of costs from the U.S. Department of Justice.
… BP’s total settlement cost of $18.7 billion announced in July didn’t include some reimbursements, interest payments and committed expenditures for early restoration of damages to natural resources. The London-based company has set aside a total of $53.7 billion to pay for the disaster in 2010, when an explosion on the Deepwater Horizon drilling rig in the Gulf of Mexico resulted in the largest offshore oil spill in U.S. history.

For my Data Management students.
Google Takes Stake in Messaging Startup Symphony Communication Services
Google Inc. plans to invest in a new round of funding for Symphony Communication Services LLC that values the Wall Street-backed messaging company at about $650 million, people familiar with the matter said.
… Symphony was created as an alternative to Bloomberg LP’s terminals, which have long been a hallmark of trading floors but are viewed as a major cost center for financial firms.
The startup platform initially made its encryption technology a selling point, but attracted regulatory attention from the New York State Department of Financial Services, which was concerned about record-keeping. The agency, New York’s top banking watchdog, reached a deal last month with the four banks it regulates that invested in Symphony over how to keep their records.
The agency said at the time that the agreement with Goldman, Deutsche Bank AG , Credit Suisse Group AG and Bank of New York Mellon Corp. was “to help ensure the banks’ responsible use” of Symphony. The deal requires the platform to keep copies of all electronic communications sent to or from the four banks through Symphony for seven years.
… Symphony launched its service on Sept. 15. It charges a monthly fee of $15 per user for organizations with 50 users or more, according to its website, and is free for individuals. The company hasn’t disclosed how many users it has accumulated.

For my statistics students (and football fans)
How Microsoft got so good at predicting who will win NFL games
Bing Predicts, a statistical modeling tool from Microsoft, is run by a team of about a half dozen people out of Microsoft's Redmond, Washington headquarters. It uses machine learning and analyses big data on the web to predict the outcomes of reality TV shows, elections, sporting events, and more.
And it's gotten pretty good at it.
For the 2014 World Cup, Bing correctly predicted the outcomes for all of the 15 games in the knockout round. And it was more than 67% accurate when it came to the outcome of the 2014 NFL season, correctly predicting around Thanksgiving that the New England Patriots would win the Super Bowl.

Something for my students to play with.
How to Build a Facebook "Hello World" Web App in Python
In our continuing “Hello World of APIs” tutorial series we look at Facebook; what a developer needs to know to understand the Facebook API and build an application that integrates with it. As with our first tutorial that used Twitter as an example, we have chosen Facebook for obvious reasons: Its huge presence as a social networking service and the fact that an enormous number of apps and websites integrate with the Facebook API to add features that include social updates and interaction, in-game purchasing and social sign-on.

Is Dilbert commenting on Artificial Intelligence or just what passes for intelligence?

Monday, October 05, 2015

Could it happen to the DC subway?
The Korea Herald reports:
The computer server of one of Seoul City’s subway operators was found to have been hacked last year, allegedly by North Korea, though little damage has been confirmed, officials said Monday.
According to Saenuri Party Rep. Ha Tae-keung quoting the National Intelligence Service’s report, two servers in charge of managing the PCs of Seoul Metro were hacked in July last year, allowing unauthorized access to 213 company computers. Of them, 58 were found to have been infected with a malicious code, resulting in the leak of 12 work documents.
Read more on Korea Herald.
[From the article:
The NIS, however, said it could not find the first point of hacking and the source of the code, citing insufficient log files, officials said.
… Seoul Metro also stressed that the hacking did not affect subway safety as the central control system is run separately in an enclosed type of network server. [Do we do the same? Bob]
As part of the efforts to improve the server safety, Seoul Metro formatted all PCs last year and strengthened the security measures.
Seoul Metro has seen a rise in cyberattacks in recent years. As of last month, over 350,000 cases were confirmed this year, which is nearly equivalent to last year’s total figure, Seoul officials said.

Understand the freemium model or live in the last century. (Like in “1989.”)
Spotify CEO Explains How Ticking Off Taylor Swift Was Big For Business, Still Wants Her Back
Taylor Swift once said of the streaming music scene, and Spotify in particular, that it feels like a "grand experiment," one in which she's not willing to contribute her life's work to because it doesn't fairly compensate the artists, song writers, and everyone else who contributes to the creation of music. She ended up pulling her library of songs from Spotify, though looking back on the situation, Spotify CEO Daniel Ek says the high profile breakup actually benefited the company.
… "The middle of America found out what Spotify was, so we had a big success," Ek said through a video feed at the IAB Mixx interactive advertising conference in New York, according to CNET. "I wish we could have gotten that attention in a better way than pissing off Taylor Swift."
Swift's point of contention with Spotify was that users of the service's ad-supported tier could listen to her music at no cost. Even though Swift was still being compensated for her tunes streamed to non-subscribing music listeners, she felt strongly that it created a culture in which consumers would view music as being worthless.

I think it's because government understands financial firms, but not individuals. They can follow a trail of evidence that explains what the firm did. There is less evidence of management failures, dysfunctional corporate cultures and other soft factors. Big fines sound impressive but rarely have a lasting impact on these firms.
Ben Bernanke: More bankers deserved to be jailed for financial crisis
Don’t expect Ben Bernanke to have a lot of nice things to say about Wall Street bankers in his upcoming memoir, which comes out this week. In a wide ranging interview with USA Today, the former chairman of the Federal Reserve says more of the bankers and corporate executives who helped cause the financial crisis should be in jail.
He says the Department of Justice focused too much, in the wake of the meltdown, on sanctioning financial firms, and getting large fines. He said there wasn’t enough effort put into punishing individuals.

It might be useful to teach our Criminal Justice students a bit more about existing technologies. An App similar to this one could locate witnesses who might have taken photos or video of crimes.
How to Use Twitter API and PHP to Locate Eyewitnesses
Geotagging is the process of embedding latitude, longitude, and even altitude coordinates in some type of media, such as a photo, video or promotional offer. Many people don’t realise it, but modern mobile phones are constantly recording our movements and making that information available to network providers, and sometimes even third-parties willing to pay for the data.
As the second installment in a two-part Tuts+ series on harnessing location data from social media, Jeff Reifman discussed using the Twitter API to find eyewitnesses to a public event.

See Where You’ve Been with Google Maps’ New Timeline Feature
… If you think that Google logging everywhere you go and then displaying that information on a map/timeline is creepy, you’re probably right. In fact, we’d absolutely hate it — if it wasn’t so damn cool!
… your timeline will show you where it thinks you’ve been, when you arrived at and left each place, and how you travelled between places.
It’ll also automatically attach any photos you took while at said destination, log events about each “trip” into town (such as time/route taken), and make lists of the places you frequent the most, offering tips and recommendations for other similar nearby places.

Is there a cure? An interesting application of statistics.
Supreme Court Justices Get More Liberal As They Get Older
… There’s an old saw, often mistakenly attributed to Winston Churchill, that goes something like this: “If you’re not a liberal when you’re 25, you have no heart. If you’re not a conservative when you’re 35, you have no brain.” A person should start left and drift right, and not the other way around, the adage suggests.
But when it comes to Supreme Court justices, growing older appears to incite a trend in the opposite ideological direction. One prominent measure of judicial ideology — the Martin-Quinn score — illustrates this tendency. These scores, as DW-Nominate does for legislators, use the justices’ votes to quantify their position on a left-right spectrum. A more negative score means a justice is further left; a more positive score means she’s further right. The scores are based on data from the Supreme Court Database and are calculated back to 1937.
… Why might this happen? What forces act upon a justice as he or she ages on the bench? Here are a few theories that emerged after I poked around and talked to some experts:

We used to call this stuff “Targeting Information.” Immediately after 9/11, the government was paying local police to monitor dams – in case terrorists agreed. What has changed?
National Inventory of Dams
by Sabrina I. Pacifici on Oct 4, 2015
Via IRE – “The National Inventory of Dams (NID) contains records on dams in all 50 states, kept by the U.S. Army Corps of Engineers.
Dams are included if they meet at least one of the following criteria:
— High hazard classification – loss of one human life is likely if the dam fails,
— Significant hazard classification – possible loss of human life and likely significant property or environmental destruction,
— Equal or exceed 25 feet in height and exceed 15 acre-feet in storage,
— Equal or exceed 50 acre-feet storage and exceed 6 feet in height.”

Collections by obsessive/compulsives always amuse me. If my website students used these I'd have to give those pages a ZERO.
An Insane Collection of 1990s GIFs
People of the Internet, join me, as we travel back to the year 1997. It was an era of yowling modems, AOL chatrooms, and websites under construction.
And you knew they were under construction because they told you. With GIFs. Glorious, blinking, yellow and black GIFS.
… “It represents this utterly different philosophy that you need to know that this site is under construction, it's not done yet,” said Jason Scott, a historian at the Internet Archive. “Now, we know all sites are not done. If your site is done, something is wrong. It’s bad. You’re either out of money or you’re boring.”
Scott has given this matter a good deal of thought, in part because he’s spent time collecting these lost GIFs from across the web, saving them from total obscurity. “It's a ridiculously massive collection,” he said. And it’s worth perusing his page devoted to “under construction” GIFs, in all their frenetic 1990s glory, for yourself. (The dizzying effect you get when the page is loading was intended.)

Could be handy for those points I have to repeat endlessly for my students. (Late policy. APA formatting. “I” before “E.”)
Record your Presentations with is a great tool that you can use to record your presentations. You can create a video recording of yourself, a voice over, or simply a looping slideshow!
The process is quite simple. Just create a free account on the education website (you are limited to three videos a month and are limited to live recordings, no uploaded video). You can upload your presentation directly or via Google Drive as a .ppt, .pptx, .pdf, Google Doc, and even a Prezi! Next, you select whether you want to record your presentation with a video, a voice over, or just the presentation itself. You can even stop, go back, and trim if you make a mistake.
When you finish, your video is published on the site, Social Media platform of your choosing, or even via email; you can also get the embed code and publish it to a blog or website. This is a great tool if you are interested in flipping your lessons, teaching an online course, or want students to create their own content.