Saturday, November 07, 2015

I don't think it's related to the legalization of marijuana – it just sounds that way in the national news. Lots to consider here, including how to do it properly?
Katie Rogers reports:
Students in Cañon City, Colo., could face criminal charges after an investigation found they were trading hundreds of nude pictures of themselves and other teenagers on their phones using special apps to keep the images secret, the schools superintendent said Friday.
The investigation began on Monday, and officials at Cañon City High School determined that students had been circulating between 300 and 400 illicit photos involving at least 100 students, said George Welsh, the superintendent of the Cañon City School District. Some of the students in the photos were eighth graders, and several of the students who possessed the pictures were members of the school’s football team, Mr. Welsh said.
Read more on NY Times.
[From the article:
Amy Adele Hasinoff, an assistant professor at the University of Colorado Denver and the author of a new book, “Sexting Panic,” contends that schools need to find new ways to talk to students about the issue. Rather than just demanding that students abstain from sending risqué images, she said, educators should aim for open conversations that involve guidance in “safer sexting” with trusted partners.

Something smells here. Are these kids like the initial story suggested? If so, why no arrests? Did the CIA Director's hack open more doors for the hackers? A story to follow.
Nathan Ingraham reports:
Earlier this year, a hacking group broke into the personal email account of CIA director John Brenner and published a host of sensitive attachments that it got its hands on (yes, Brenner should not have been using his AOL email address for CIA business). Now, Wired reports the group has hit a much more sensitive and presumably secure target: a law enforcement portal that contains arrest records as well as tools for sharing info around terrorist events and active shooters. There’s even a real-time chat system built in for the FBI to communicate with other law enforcement groups around the US.
The group has since published a portion the data it collected to Pastebin and Cryptobin
Read more on Engadget. The group also hacked the personal email accounts of FBI Deputy Director Mark Giuliano and his wife, as Hacker News reported.

What would you bet that none of the presidential candidates will suggest eliminating the TSA.
Shocker: When it comes to security the TSA still sucks eggs
Billions of dollars later, the TSA is still incompetent and its screening process is full of fail. The House Oversight and Government Reform Committee wanted answers about TSA security gaps. The DHS Office of Inspector General released a damning report and testified the TSA has not made any real improvements since it failed the last round of covert testing.

Perhaps this is why the FCC wants to create specific privacy regulations?
Gerald J. Ferguson and of Alan L. Friel of Baker & Hostetler write:
The Third Circuit interlocutory decision in Federal Trade Commission v. Wyndham Worldwide Corporation was widely reported as a big win for the Federal Trade Commission (“FTC”). But on closer examination, it was a split decision in which Wyndham Worldwide Corporation (“Wyndham”) can claim an important victory. While affirming the FTC’s authority to regulate cyber-security practices under the “unfair practices” prong of the Federal Trade Commission Act (the “FTC Act”), the Third Circuit also rejected the FTC’s contention that FTC settlements and consent orders in cyber-security cases with unrelated parties have created standards against which Wyndham’s practices can be tested for “unfairness.” This Third Circuit decision identifies defenses companies should develop when facing FTC allegations that the company’s cyber-security practices are “unfair.”[1]
Read more on Baker & Hostetler.

A difficult network to map…
A survey by Jinyan Zang, Krysta Dummit, James Graves, Paul Lisker, and Latanya Sweeney will be of interest to some readers. Here’s the Abstract:
What types of user data are mobile apps sending to third parties? We chose 110 of the most popular free mobile apps as of June-July 2014 from the Google Play Store and Apple App Store, across 9 categories likely to handle potentially sensitive data about users including job information, medical data, and location. For each app, we used a man-in-the-middle proxy to record HTTP and HTTPS traffic that occurred while using the app and looked for transmissions that include personally identifiable information (PII), behavior data such as search terms, and location data, including geo-coordinates. An app that collects these data types may not need to notify the user in current permissions systems.
Results summary: We found that the average Android app sends potentially sensitive data to 3.1 third-party domains, and the average iOS app connects to 2.6 third-party domains. Android apps are more likely than iOS apps to share with a third party personally identifying information such as name (73% of Android apps vs. 16% of iOS apps) and email address (73% vs. 16%). For location data, including geo-coordinates, more iOS apps (47%) than Android apps (33%) share that data with a third party. In terms of potentially sensitive behavioral data, we found that 3 out of the 30 Medical and Health & Fitness category apps in the sample share medically-related search terms and user inputs with a third party. Finally, the third-party domains that receive sensitive data from the most apps are (36% of apps), (18%), (17%), and (14%). 93% of Android apps tested connected to a mysterious domain,, likely due to a background process of the Android phone. Our results show that many mobile apps share potentially sensitive user data with third parties, and that they do not need visible permission requests to access the data. Future mobile operating systems and app stores should consider designs that more prominently describe to users potentially sensitive user data sharing by apps.
You access the full report on JOTS.

It also shows the limitations.
Egypt Crash Shows Key Role Surveillance Can Play: Analysts
The Times and the Daily Telegraph reported Friday that the NSA and GCHQ had intercepted telephone calls recorded before the plane catastrophe last Saturday.
They concluded from the intercepts that it was possible that an attack by the Egyptian branch of the Islamic State group, known as Sinai Province, had brought down the plane after it took off from Sharm el-Sheikh.
On Friday, a source close to the investigation said the black boxes recovered from the Saint Petersburg-bound jet pointed to a bomb attack, apparently confirming suspicions expressed by US President Barack Obama and British Prime Minister David Cameron.

I'm betting there is a big “yet” that goes with this story.
The FCC says it can’t force Google and Facebook to stop tracking their users
… The announcement is a blow to privacy advocates who had petitioned the agency for stronger Internet privacy rules. But it's a win for many Silicon Valley companies whose business models rely on monetizing Internet users’ personal data.

A heads-up for my Android toting students.
Beware: New Android malware is ‘nearly impossible’ to remove.
New strains of Android malware are masquerading as popular apps like "Candy Crush" and Snapchat, but once installed dig themselves so deeply into smartphones they are "nearly impossible" to remove,and could force people to replace their devices, according to cybersecurity firm Lookout.
The company says it observed over 20,000 samples of this type of adware in the digital wild. Some of the malicious apps functioned like their real counterparts, but they all also quietly gain "root access" to a device and install themselves as system applications. That means they have practically unlimited access to files on the device -- a big security and privacy risk. That's why it is so difficult to totally remove the apps.
But, luckily, there is a pretty easy way to avoid them: Only install apps from Google's official Play Store.

In theory, I could print a Stanley Steamer with all the modern safety features. Will we see custom “print-a-car” shops?
World's first 3D-printed car could cost you $53,000

My students don't need no stinking App!
5 Delightfully Evil Sites That Generate Excuses for You

Perhaps not reliable enough for lawyers, but for my students?
LawLib is a free law library for your Apple products
by Sabrina I. Pacifici on Nov 6, 2015
LawLibe™ is a law library for your iPhone®, iPad®, or iPod Touch®. LawLibe™ is a free app that comes preloaded with the U.S. Constitution. Then you can download additional legal content directly into the app, including the U.S. Code, Code of Federal Regulations, State Statutes, the Manual of Patent Examining Procedure, and more! Features:
• Fully offline – just download what you need and go!
• Download additional content directly into the app!
• Lightning-fast speed
• Full-text search and in-text highlighting
• Page through content just like a book
• User preferences – adjust the font and font-size for easier reading
• GoTo Button – know the exact section you want? It’s one touch away
• Includes Advisory Committee Notes where available
• Updated frequently to ensure you have the most current edition

For my researching students.
Find the Date of a Published Post with These Insanely Simple Tips

Because it's inevitable!
How to Install Windows 10 for Free on any Windows, Linux, or OS X PC

Another week, another wacky collection...
Hack Education Weekly News
… On the heels of giving the state of Ohio some $32+ million in grants to expand its charter school system, the Department of Education is now putting some restrictions on that money, sending a letter “to state officials in which it said it did not realize the extent of concerns regarding Ohio's charter schools.”
… “Cheating in Online Classes Is Now Big Business,” The Atlantic reports.
Also via the NYT: “A small survey of parents in Philadelphia found that three-quarters of their children had been given tablets, smartphones or iPods of their own by age 4 and had used the devices without supervision.”

Friday, November 06, 2015

For my Computer Security students. Faster is better, but take time to confirm your sources.
Fraudulent Stock Tweets Result In Civil and Criminal Charges For Scottish Man
A Scottish man is facing civil and criminal charges for allegedly tweeting multiple false statements about two companies that caused significant drops in the stock prices of those companies and even triggered a trading halt in one of the companies. James Alan Craig, 62, is a Scottish resident who is accused of creating two Twitter accounts that closely resembled two well-known established securities research firms in an effort to profit from an anticipated downward movement in the stock prices when the tweets became publicized. In parallel actions announced today, both the Securities and Exchange Commission and the Department of Justice announced civil and criminal charges, respectively, against Craig. Ironically, Craig’s attempt to profit from the false tweets ultimately netted him less than $100.

The incompetence continues. Significantly overstating the scope of a breach is almost as bad as understating. You might frighten customers, board members, or stockholders into overreacting.
TalkTalk hack 'affected 157,000 customers'
TalkTalk has given more details of the cyber-attack on its website, saying nearly 157,000 of its customers' personal details were accessed.
More than 15,600 bank account numbers and sort codes were stolen, the company said.
… Since news of the cyber-attack emerged, TalkTalk shares have lost about a third of their value.
The firm said 4% of TalkTalk customers have sensitive data at risk. It confirmed that scale of the attack was "much more limited than initially suspected".

Also for my Computer Security students. You need to keep a snapshot of your digital environment for a long, long time.
Two breaches seemed small and innocuous at the time, but weren’t. A timely reminder why entities should notify even when they think risk is low.
Thomas Fox-Brewster reports:
In 2009 and 2010 two separate attacks hit widely-used online gambling payments processors Moneybookers and Neteller. Though they initially appeared innocuous, it now seems both attacks saw millions of users’ private data – addresses, emails, telephone numbers, birth dates and, in the case of Neteller, answers to password hints – fall into criminal hands. The details are only now being made public by Optimal Payments, the London-based owner of both Moneybookers (now Skrill) and Neteller, after disclosure from FORBES. The company is now reinvestigating the hacks and the possibility of further breaches.
Read more on Forbes.

“We're gonna do this, even if we don't exactly know what all this stuff means.”
Brian Fung reports:
In the first such case against a U.S. cable company, federal regulators are slapping Cox Communications with a $595,000 fine after Cox allowed hackers from Lizard Squad to penetrate its systems and steal private customer information.
By posing as an IT administrator and tricking a couple of Cox employees into giving up their login credentials, a hacker known as “EvilJordie” broke into Cox’s databases and gained access to customer names, addresses, password recovery information and even “partial” Social Security numbers and driver’s license numbers, according to the Federal Communications Commission. They also got hold of some customers’ telephone records.
Read more on Washington Post.

FCC to tackle broadband privacy in 'next several months'
The Federal Communications Commission (FCC) will take on the issue of online privacy in the “next several months,” Chairman Tom Wheeler said during an interview with Charlie Rose this week. 
He said the agency’s action would address the privacy practices of Internet service providers and how they are protecting the information of their customers.
“In other words, do I know what information is being collected?” he said. “Do I have a voice in whether or not that is going to be used one way or another? And those are two very important baseline rights that individuals ought to have.”
At another point he said, “I’ve told the Congress and others you will see us in the next several months addressing the question of privacy.”

Is this likely? Wouldn't we need a much faster way to approve warrants? Is “watching for accidents at rush hour” surveillance?
House bill would require warrants for aerial surveillance
A House bill introduced on Thursday would require federal law enforcement officials to get a warrant if they want to conduct aerial surveillance inside the country.
It would also forbid them from identifying people who are inadvertently captured by aerial surveillance.

“Gosh, we never thought of that!” Is there no generic statement in their acceptable use policy? “Thou shalt not do non-medical things with thy personal devices?”
Amy Corderoy reports:
Brieana Rose (not her real name) could not have been more vulnerable. Unconscious on an operating table, having gynaecological surgery to see whether she had cancer.
She could never have known that one of the people charged with looking after her would instead take advantage of her, violating her trust by taking a photo of her genitalia and showing the photo to others.
The experience has not only taken a financial and emotional toll, but it has revealed a huge gap in medical and privacy law in NSW.
The nurse left the hospital and was hired by another, and currently has nothing on her publicly available record to indicate what she did. Brieana was also unable to legally force her to provide her phone for forensic analysis – because that would be a violation of the nurse’s privacy – and the hospital had no control over their former employee.
This is a disgusting situation, and yes, the laws in NSW need to change. Not only does the nurse need to be disciplined by her licensing board, but the patient should have the right to sue for the privacy violation and emotional distress caused.
Read more about what happened on Sydney Morning Herald.
[From the article:
Ms McLay said another complication was that the nurse took the image on a private phone, so it was not covered by laws governing medical records. [That's a pretty glaring hole in the law. Bob]

If nothing else, it might skew public perceptions – “government says there is a lot of crime, but there's nothing on the internet!”
Sofia Fontanals and Samara Schaar write:
On 15th October 2015 the Spanish Supreme Court handed down its first ruling[1] on the so-called digital “right to be forgotten” in which it states that harmful information affecting individuals without public relevance should not be accessible to Internet search engines when the news has lost relevance over time.
The background of the case
The decision of the Court is based on the following facts: in the 1980s two people were involved in drug-trafficking and consumption. After being arrested, they were finally convicted for drug smuggling and imprisoned. A few years ago, after having served their sentence imposed for these facts and having remade their personal, family and professional life, they found out that by typing their names in the major Internet search engines (particularly, Google and Yahoo!), the news that once was published in a newspaper (El País) now appeared among the first search results, because such newspaper had digitized their library.

(Related) “Forget all that bad stuff! Loan me lotsa money.”
AJC reports:
…According to a report by the Financial Times, some of the top credit rating companies are now using people’s social media accounts to assess their ability to repay debt. So if you want to be able to qualify for a loan and borrow money, this is just another reason to avoid saying certain things on Facebook.
“If you look at how many times a person says ‘wasted’ in their profile, it has some value in predicting whether they’re going to repay their debt,” Will Lansing, chief executive at credit rating company FICO, told the FT. “It’s not much, but it’s more than zero.”
Read more on AJC.

Negotiating treaties like it's the 1890s?
TPP Trade Agreement Slammed For Eroding Online Rights
The full text of the Trans Pacific-Partnership (TPP) international trade agreement — some eight years in the negotiating — was published online earlier today (in a version marked “subject to legal review”), after agreement was reached between the 12 countries early last month, which include the U.S., Australia, Canada, Japan and New Zealand.
The text still needs to be ratified in the individual countries before the treaty becomes binding.
“The E-Commerce chapter has serious implications for online privacy,” said Peter Maybarduk, of non-profit consumer rights organization, Public Citizen, in a statement on TPP. “The text reveals that policies protecting personal data when it crosses borders could be subject to challenge as a violation of the TPP.”
Public Citizen says the agreement puts a requirement on countries to allow unregulated cross-border transfer of Internet users’ data and prohibits governments from requiring companies host data on local servers — with what it says is no express protection for privacy and data protection policies to be exempted from the rules.

Eventually, everyone will move to a single fiber optic cable (owned by the city?) that delivers TV, phone, Internet and any other digital signals (like burglar alarms)
Time Warner Cable takes baby step toward more affordable pay-TV service
… The head of the company announced last week that Time Warner will test an online service that gets rid of the cable box and could pave the way for introduction of smaller, more affordable programming packages.
… The no-box test is expected to begin next week in New York, a Time Warner spokesman told me. People with a Roku streaming-video device will be able to access Time Warner's programming via an app similar to Netflix's or Hulu's.

Can we live without email? An interesting article.
The Post-Email Organization
How social media can help employees perform better.

I have graduate students who still make these mistakes! I'll link to this article in each of my classes.
Your Microsoft Word Skills Suck

Dilbert illustrates the usefulness of non-textual communications.

Thursday, November 05, 2015

I needed a really bad example for my Computer Security class. Thanks TalkTalk! It's not just bad PR, it's likely to motivate “hacktivists” to teach TalkTalk a lesson.
TalkTalk is really turning out to be the poster child for how not to handle a breach. In today’s installment of “Lollipops are Adequate Mitigation, Right?” Alexander J. Martin reports:
TalkTalk is trying and failing to mend its broken customer relationships following the recent mega breach, in one case offering an individual who had £3,500 stolen from his personal bank account just £30.20 as a “good will gesture [and] final settlement” by way of compensation.
Ian Rimmington, based in Ossett, West Yorkshire, told The Register £3,500 had disappeared from his account on Friday, 23 October. This was two days after the telco had been hacked and hours after it claims it had informed banks that punters’ personal information had been compromised.
Read more on The Register.

New technologies do not always require the invention of new security tools. If they had asked me I could have saved them millions!
The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has awarded two grants for the development of technologies that can help defend government and privately owned vehicles from cyberattacks. “Modern vehicles are no longer purely mechanical systems,” said Dr. Dan Massey, S&T Cyber Physical Systems Security (CPSSEC) Program Manager. “Today’s vehicles have interdependent cyber components used for telematics, conveniences, and safety-critical systems. A stealthy adversary could gain access to a vehicle’s cyber components and remain completely hidden until initiating a widespread attack.”
Read more about the grant awards to U. Michigan and HRL Laboratories, LLC on Homeland Security News Wire.
From the article:
S&T awarded $1.2 million to the University of Michigan for a project titled “Secure Software Update Over-the-Air for Ground Vehicles Specification and Prototype.” [Aside from the obvious (don't broadcast the updates) encryption will likely work. Bob]
… S&T also awarded $2.5 million to HRL Laboratories, LLC, of Malibu, California, for a project titled “Side-Channel Causal Analysis for Design of Cyber-Physical Security.” [Use public domain software. Problem solved. Bob]

If law enforcement did find a way to decrypt the device without the owner surrendering a password, would a conviction be overturned?
Fiona Hamilton reports:
Convictions of suspects who refuse to hand over their encrypted passwords have risen sixfold in four years, potentially blocking police from examining their electronic devices.
The sharp increase has led to fears that criminals are opting to plead guilty to encryption offences rather than allow detectives to go through their computers and phones, which could lead to more serious charges and longer sentences.
Read more on The Times (subscription required).

We know this is coming. How will these technologies be used? Can I use them too?
California Cops Are Using These Biometric Gadgets in the Field
Law enforcement agencies around the country are increasingly embracing biometric technology, which uses intrinsic physical or behavioral characteristics—such as fingerprints, facial features, irises, tattoos, or DNA—to identify people, sometimes even instantly. Just as the technology that powers your cell phone has shrunk both in size and cost, mobile biometric technologies are now being deployed more widely and cheaply than ever before—and with less oversight.
… Because of the volume of records we’ve received so far (the documents continue to flow in faster than EFF and MuckRock’s teams can read through them), we’re starting with California. Nine of the agencies have responded to our requests with documents, while many more claimed they didn’t have any records.
Of those that did respond, most employed a digital fingerprinting device. Facial recognition has also been widely embraced among agencies in San Diego County, with Santa Clara County law enforcement agencies close behind. In addition, the Los Angeles Sheriff’s Department’s biometrics system includes tattoo recognition, while the Orange County Sheriff's Department is also investigating iris recognition.

Joe Cadillic writes:
The American Police State has become a monster.
Police across the country are forcing motorists to give them blood, saliva (DNA) and much worse.
The National Highway Safety Administration, the agency that funds “No Refusal” DUI checkpoints and forcible blood draws, is also funding nationwide roadblocks that provide police with “voluntary” DNA samples.
Presently there are 28 states, that force motorists to give police their DNA regardless of whether they’ve been convicted of a crime.
Police claim forcing people to submit their DNA will help reunite families…
According to a DHS article titled “Bringing a New Biometric Capability to Verify Families Separated by Crisis“. Law enforcement claims that forcing people to submit their DNA is a public service and will be used to reunite families trust them…
Read more on MassPrivateI.

New jobs for my students?
How Analytics Has Reshaped Political Campaigning Forever
Barack Obama’s 2008 campaign team reinvented the art of modern campaigning by using data to transform almost every aspect of running for office. It succeeded wildly in turning out infrequent and new voters, and since then its innovations—which included mining individual TV-viewing habits to get more out of advertising dollars—have been hard-wired into both parties’ presidential campaigns. That’s led to the birth of dozens of consulting firms making grandiose promises to disrupt politics with analytics.

Facebook tops 1.5B monthly users
Facebook passed another milestone, reporting Wednesday that its base of monthly active users passed 1.5 billion for the first time.
Facebook crossed the 1 billion monthly user mark in September 2012, so it's taken about three years to add the last half billion. It took just over two years to amass the half billion before that. For comparison, Twitter has about 320 million monthly users.
Facebook announced the figure with its earnings results for the third quarter, which came in better than expected. Revenue was $4.5 billion, up 41 percent from a year earlier, the company said, while net profit was $896 million, up 11 percent.

Facebook revenue, profit beat forecasts; shares hit all-time high
… Facebook now has 8 billion video views per day from 500 million people, compared with 4 billion views in April.
And Facebook's website and Instagram photo-sharing app, which opened up its platform to all advertisers in the third quarter, account for more than 1 in 5 minutes spent on mobile devices in the United States, Chief Operating Officer Sheryl Sandberg said.

Still watching.
… Much had previously been made of apparently incriminating Skype calls Dotcom had placed with his former business partners, but today Mansfield said the U.S. had knowingly translated those from German to suit their cause.
One, in which Dotcom allegedly said: “At some point a judge will be convinced how evil we are and then we are in trouble,” was corrected by Mansfield to state: “Because at some stage a judge will be talked into how bad we allegedly are – and then we will be a mess.”
… Mansfield argued that there are limits on how far a company like Megaupload can be held liable for the actions of its users.
He said that in both New Zealand and the United States laws exist to protect people like Dotcom and the service provider companies they create, and the U.S. is attempting to create criminal liability where non exists.
… “Internet giants like Google, Facebook and Twitter are immune from prosecution and to indict them would result in unprecedented public outrage.”

… Earlier today the U.S. government asked Judge Nevin Dawson to rule that the evidence of the defense is inadmissible, meaning that Dotcom would be left without a defense at all.
TorrentFreak approached Dotcom for comment on this bold move. Fortunately for him the Judge quickly dismissed the U.S. attempt at having a one-sided battle.

Dotcom: Extradition treaty not for copyright infringement
… Ron Mansfield, the lawyer representing Dotcom in the ongoing extradition trial in Auckland District Court, on Tuesday accused the US of wilfully excluding from its case the fact that the US Supreme Court has ruled several times that copyright infringement does not constitute wire fraud, the primary charge on which they hope to extradite Dotcom.

Perhaps something my IT students can tap into?
A Small Business IT Concierge at Your Service
When you hear the word "concierge," you probably think of the service that made dinner reservations for you the last time you stayed in an up-scale hotel. You probably didn't think of a dedicated team of tech experts researching solutions for your next small business IT project. But now you can, thanks to the Spiceworks IT Concierge Service.
If you own or operate—or provide IT services to—a small business and you haven't heard of Spiceworks, do yourself a favor and get acquainted. The company provides free (ad-supported) network management, network inventory, and help desk software. It also operates a very active online community of IT professionals.

A simple picture collection of everything. Perhaps I could use it to gather wild mushrooms?
Encyclopedia of Life – Global access to knowledge about life on Earth
by Sabrina I. Pacifici on Nov 4, 2015
What is EOL? – Information and pictures of all species known to science – “Our knowledge of the many life-forms on Earth – of animals, plants, fungi, protists and bacteria – is scattered around the world in books, journals, databases, websites, specimen collections, and in the minds of people everywhere. Imagine what it would mean if this information could be gathered together and made available to everyone – anywhere – at a moment’s notice.”

Some to share with my students?
27 Fantastic Learning Websites You Might Have Missed

Wednesday, November 04, 2015

Privacy Breaches
Friday, November 6, 2015 10:00AM — 1:00 PM Followed by lunch∙
Privacy Foundation at the University of Denver Sturm College of Law, Ricketson Law Building, Room 290, 2255 E Evans Avenue, Denver, Colorado 80208
Register online at or contact Privacy Foundation Administrator Anne Beblavi at
Seminar, CLE (3 hrs. pending) & Lunch $30 Free for DU Faculty & Students

Interesting how quickly they are rolling up the hackers. Makes me think it was a very amateurish hack – and therefore TalkTalk's security was equally amateurish. Plenty happening to keep this in the news.
TalkTalk hack: MPs launch inquiry after police make fourth arrest
… To get a better grasp of the situation, the UK's cross-party Culture, Media and Sport Committee has launched an inquiry today into the recent attack. While TalkTalk is the focal point -- MPs will look at the "nature" of the hack and TalkTalk's response -- it'll also be considering the telecoms and internet service provider (ISP) industry as a whole. Specifically, the Committee wants to know what measures are being taken to stop these sorts of breaches, how much money businesses are investing in their defences, and whether response protocols could be improved.
Police have now arrested four individuals as part of its ongoing investigation. Yesterday evening, detectives used a search warrant at an address in Norwich, apprehending a 16-year-old boy in the process. He's suspected of Computer Misuse Act offences and has since been released on bail. Officers say he will likely be recalled in late March next year. A further three arrests have taken place over the last 10 days; a 15-year-old boy from Northern Ireland, a 16-year-old from London and a 20-year-old man from South Staffordshire. Police haven't revealed their identities or drawn any connections between them -- the short timeframe for the arrests, however, points to the involvement of an organised hacker group. [Or multiple, unconnected hacks? Bob]

The vets in my classes are still a bit pissed at OPM. This is just another indication of really poor management.
Dustin Volz reports:
Fewer than a quarter of 21 million federal workers hit by a major computer hack have been officially told that their personal information was compromised, six months after the breach was detected, a U.S. government official said on Tuesday.
About 5 million notifications about the hack have been sent out so far, a spokesperson for the U.S. Office of Personnel Management (OPM) told Reuters in an email.
Read more on Reuters.
[From the article:
The Defense Information Systems Agency in September awarded a $1.8 million contract to Advanced Onion, a technology firm, to help locate and notify victims of the OPM breach, which exposed names, addresses, Social Security numbers and other sensitive information of current and former federal employees and contractors. About 5.6 million fingerprints were pilfered, an upwardly revised number from an initial estimate of 1.1 million.
… Despite the precaution, a prominent cybersecurity researcher said on Monday there was no indication any hacked OPM data was for sale on the black market, reaffirming the likelihood that the hackers were working for a foreign country.

For my Computer Security students. How will you defend, detect and mitigate?
FFIEC Releases Statement on Cyber Attacks Involving Extortion
by Sabrina I. Pacifici on Nov 3, 2015
“The Federal Financial Institutions Examination Council (FFIEC) members today issued a statement alerting financial institutions to the increasing frequency and severity of cyber attacks involving extortion. The statement describes steps financial institutions should take to respond to these attacks and highlights resources institutions can use to mitigate the risks posed by such attacks. Cyber attacks against financial institutions to extort payment in return for the release of sensitive information are increasing. Financial institutions should address this threat by conducting ongoing cybersecurity risk assessments and monitoring of controls and information systems. In addition, financial institutions should have effective business continuity plans to respond to this type of cyber attack to ensure resiliency of operations. Financial institutions are also encouraged to notify law enforcement and their primary regulator or regulators of a cyber attack involving extortion. More information about financial institution cybersecurity, including information about mitigating the effects of destructive malware and other threats, is available from the FFIEC at”

Also for my Computer Security students: It is possible your best efforts are not going to be enough.
Could the Sony Hack Happen at Other Tech Firms?
Almost one year ago, a group of hackers with an alleged connection to North Korea hacked into the servers of Sony Pictures. The consequences of the breach are still being felt: in leaked scripts, in terminated executives, in class-action lawsuits, in Jennifer Lawrence’s salary.
In our unscientific survey of technology industry leaders, we asked: Could hackers pull off a similar attack on your company?
The overwhelming reply: Any company is vulnerable to such a hack.

(Related) Any company... (Holy mackerel snapper, Batman!)
Shelley Chandler reports:
Investigators with the Vatican City police force arrested a high-ranking member of the clergy along with a Vatican employee for leaking confidential documents.
Read more on Wireless Goodness.

Computer facilitated crime. See if you can find what may have caused the exchanges to notice his trading.
High-frequency trader convicted in first U.S. spoofing case
A jury on Tuesday convicted high-frequency trader Michael Coscia of commodities fraud and "spoofing", in the U.S. government's first criminal prosecution of the banned trading practice.
… Coscia, owner of New Jersey-based Panther Energy Trading, was accused of entering large orders into futures markets in 2011 that he never intended to execute. His goal, prosecutors said, was to lure other traders to markets by creating an illusion of demand so that he could make money on smaller trades, a practice known as spoofing.
… The trial spanned seven days, but the jury in Chicago convicted Coscia on six counts of commodities fraud and six counts of spoofing, all of the charges he had faced, after deliberating for just about an hour.
… Coscia's firm had fewer than 10 employees. However, he "entered more large orders than anyone else in the world" in nearly a dozen CME Group Inc markets ranging from corn and soybeans to gold after he began using two algorithmic trading programs in August 2011, prosecutors said during the trial.
… Coscia's case is U.S. v. Coscia, 14-cr-00551, U.S. District Court, Northern District of Illinois.

Perspective. The world is changing fast, Congress is only half-fast at keeping up. However, I don't think new technologies always need new rules. Some procedures/words may change, but the concepts do not.
Amazon, Apple and Google Unite Behind Financial Innovation Coalition
… “A technological transformation is going to make financial services more accessible, more affordable and more secure,” said Brian Peters, executive director of Financial Innovation Now. “The challenge in Washington is making sure policy-makers understand that, and they’re comfortable with it, and they don’t apply old rules to new technology.”
The contours of a changing world are already visible: More than 2,500 banks and credit unions support Apple’s mobile payments system, ApplePay, which is on track to be accepted at some 1.5 million retail locations by the end of the year. Online crowdfunding site Kickstarter helped raise more than $2 billion in pledges for some 95,000 projects, while the peer-to-peer lending marketplace LendingClub originated some $2.2 billion in loans in the last quarter alone.
Goldman Sachs estimates $4.7 trillion in revenue could be up for grabs as technology upends borrowing, lending, making payments and investing.

We seem to be at the dawn of research via social networks. Collectively, they probably reveal all our secrets.
From the University of Rochester:
Instagram could offer a novel way of monitoring the drinking habits of teenagers.
Using photos and text from Instagram, a team of researchers from the University of Rochester has shown that this data can not only expose patterns of underage drinking more cheaply and faster than conventional surveys, but also find new patterns, such as what alcohol brands or types are favored by different demographic groups. The researchers say they hope exposing these patterns could help develop effective intervention. [And better marketing to underage drinkers! Bob]
Read more on U. Rochester.

I probably spend 60% of my “teaching” time working at home – planning classes, grading papers, researching resources, answering student questions, etc.
In US Telecommuting for Work Climbs to 37%
by Sabrina I. Pacifici on Nov 3, 2015
  • Average worker telecommutes two days per month
  • 46% of telecommuters do so during the workday
  • Most say telecommuters just as productive as other employees
Thirty-seven percent of U.S. workers say they have telecommuted, up slightly from 30% last decade but four times greater than the 9% found in 1995. These results are based on Gallup’s annual Work and Education poll, conducted Aug. 5-9. Technology has made telecommuting easier for workers, and most companies seem willing to let workers do their work remotely, at least on an occasional basis if the position allows for it. Even though telecommuting has become more common, the growth in the practice appears to have leveled off in recent years. It is unclear how much more prevalent telecommuting can become because it is really only feasible for workers who primarily work in offices using a computer to perform most of their work duties. Along these lines, telecommuting is much more common among those who have had more formal education, those who are upper-income and those who have white-collar professions…”

I don't think this means we have all the Big Data questions solved, but it might suggest where we are headed next.
Top 10 Rising and Falling Buzzwords in Tech Job Postings
… For the study, Textio tracked more than 50,000 unique phrases commonly seen in tech job listings, said Kieran Snyder, the company’s chief executive officer. The startup compiled a list of terms that experienced the biggest changes in impact, positively and negatively, over the last year. Among the five biggest losers, none were turn-offs to job candidates in 2014, which shows how fast the industry changes. Among the top five buzzwords, only two were even on the map a year ago, Snyder said.
    1. Rising

Artificial intelligence, Real-time data, High availability, Robust and scalable, Inclusive
    1. Falling

Big data, Virtual team or V-team, Troubleshooting, Subject matter expert, Drug-free workplace

Interesting, but I have a canned reply for 90% of my school emails – “Yes, I'm quite sure you got an “F.” No, I won't change it.”
Google's New AI Will Reply to Your Emails so You Don't Have To
Later this week people who have the Inbox email program on their iPhones or Android devices will soon have a new option when it comes to replying to emails. Instead of coming up with their own responses on their mobile devices, they’ll get to choose between three options created by a neural network built by Google researchers. Google claims it has built an AI that can read incoming emails, understand them, and generate a short, appropriate response that the recipient can then edit or send with just a click.
… Compounding all of this is the issue of privacy. Because Google can’t let its researchers read your emails, it can’t actually check to see if its AIs are generating the right responses outside of the researchers’ emails. And once Google solved that problem, it found that its replies in many cases were variations on the same reply, which wasn’t really very helpful. The company had to build another neural network to teach the computer how to recognize semantically similar replies and discard those so it would come up with three different options for the user to choose from.
Finally it had a surprising issue in that one of the replies was almost always “I love you.” [Something I never say to students. Bob]

On occasion, I am surprised by new applications of technology. I shouldn't be, it's just another way for marketing to get inside my head.
Marketers Should Pay Attention to fMRI
Despite its popularity in academic settings, functional magnetic resonance imaging (fMRI) machines are rarely used as a marketing tool in the corporate world.
… Academic researchers are often attracted to fMRI for its comprehensive ability to investigate a range of neural activity across the entire brain. But for a CMO weighing costs against immediate benefits, the cost of an fMRI-based study might seem prohibitive. fMRI studies depend on access to specialized equipment most commonly found in medical or university settings, and the scanners require significant training to operate. Analyzing the resulting data also takes expertise and time. What’s more, despite being at least three times more expensive than traditional methods, there has been scant evidence that fMRI reveals anything beyond what could be learned by just asking people for their opinions, making the technique hard to justify in a commercial setting.
We believe that may be about to change.
A number of recent studies suggest that neural data recorded from relatively small groups of people (<30 ad="" and="" anti-smoking="" been="" behavior="" behavioral="" better="" but="" campaigns.="" can="" charity="" data="" donations="" even="" fmri="" from="" has="" in="" it="" market-level="" marketing="" music="" not="" of="" only="" outperform="" p="" persuasiveness="" predict="" predicting="" relative="" sales="" scans="" shown="" than="" the="" to="" tools.="" traditional="">

Windows 10 is inevitable. Resistance is futile.
OEMs to stop selling PCs with Windows 7 by October 31, 2016
In February last year, Microsoft said that it would give a one year warning of when systems with Windows 7 preinstalled would no longer be available from OEMs. That time has finally come to pass. As spotted by Ed Bott, there's now a date after which Windows 7 OEM preinstalls will no longer be available: October 31, 2016.
That same date will also apply to Windows 8.1. Windows 8 preinstalls will end a few months earlier than that, June 30, 2016. This means that after October 31 next year, the only version of Windows that will be available on a new system from a PC builder will be Windows 10.

Tuesday, November 03, 2015

Felony Stupidity – I love it!
From the do-you-know-who-you’re-hiring-on-Craigslist dept:
Miles Snyder reports:
A Harrisburg man will serve at least two years in prison for recruiting a computer hacker to wipe out fines he owed to Lancaster County.
Zachary J. Landis, 27, was sentenced to 2-4 years in state prison after pleading guilty last week to felony counts of computer trespass, unlawful use of a computer, and tampering with public records, according to the district attorney’s office.
How stupid do you have to be to advertise for a hacker on Craiglist and then give them not only the docket numbers but your real name and email address? There should be a felony stupidity charge tacked on to some cases…
Read more on ABC27.
[From the article:
Authorities saw the ad and a detective who posed as a hacker contacted Landis for the court docket numbers. The detective received three docket sheets from cases associated with Landis and found the ad was posted using his email address and phone number.
Authorities said Landis still owes more than $9,000 to a victim in a 2008 assault case. The other cases include two DUI convictions. [That suggests where this idea came from. Bob]

The UK market for personal encryption just got hot.
Has the UK lost its collective mind? Tom Whitehead reports:
Internet and social media companies will be banned from putting customer communications beyond their own reach under new laws to be unveiled on Wednesday.
Companies such as Apple, Google and others will no longer be able to offer encryption so advanced that even they cannot decipher it when asked to, the Daily Telegraph can disclose.
Measures in the Investigatory Powers Bill will place in law a requirement on tech firms and service providers to be able to provide unencrypted communications to the police or spy agencies if requested through a warrant.
Read more on The Telegraph.
So the UK is not going to ban encryption, because it’s desirable for some things, but they’re going to ban really good encryption, because it’s undesirable for some things.
I see…

Will Watson just talk about the weather or is IBM ready to do something about it? (Is Watson setting the strategy at IBM?)
IBM Bets Big on Weather Data With The Weather Company Acquisition
… According to The Weather Company, it gathers billions of data points from sensors, smartphones,vehicles and airplane flights. In March, the company partnered with IBM to bring its data to the IBM Cloud and make it available to customers through IBM's analytics and cloud services. At the time, IBM noted that "weather is perhaps the single largest external swing factor in business performance – responsible for an annual economic impact of nearly half a trillion dollars in the U.S. alone." Reflecting the demand for that data, IBM says that the The Weather Company's cloud platform currently handles 26 billion requests per day.
… IBM believes there are significant opportunities to merge The Weather Company's treasure trove of data with Watson's capabilities to transform industries. For instance, it points to the possibility that airlines could save significant amounts of money "by tapping multiple real-time and historical data sources to optimize fuel consumption, reduce delays and airport congestion, and improve passenger safety during disruptive conditions."
… This could shape how the IoT market evolves. Right now, a growing number of companies are focused on building turnkey platforms that companies can use to power their own internets of things, but larger competitors like IBM, which not only have IoT platforms of their own but a means to monetize IoT data, could rain on their parade by purchasing the companies that generate the most and most attractive IoT data.

All the news that fits Facebook's business model. Big Data
How Facebook will use artificial intelligence to organize insane amounts of data into the perfect News Feed and a personal assistant with superpowers
Using some quick and dirty math, Facebook CTO Mike Schroepfer estimates that the amount of content that Facebook considers putting on your News Feed grows 40% to 50% year-over-year.
But because people aren't gaining more time in the day, the company's algorithms have to be much more selective about what they actually show you.

Spotify Now Has the Complete Works of Bach and Beethoven
There are plenty of websites for listening to classical music, but it’s easy to forget that Spotify contains tons of old music, too.
Using the Spotify playlists created by user Ulysses’ Classical, you can stream both the complete works of Johann Sebastian Bach and the complete works of Ludwig van Beethoven.
Bach’s 3,488 songs will take you 169 hours to finish while Beethoven’s 1,203 songs will take you at least 98 hours. All combined, that’s over 260 hours of wonderful classical music to enjoy.
… If these playlists piqued your interest, check out these other ways to explore public domain music.

I predict a social network that will randomly connect you to people around the world.
Are smartphone-connected sex toys the next big thing?
… We-Vibe sells several devices that connect your smartphone with aspects such as vibration able to be controlled from your handset. It works over distance too, allowing someone in another location to control the sex toy. The app that is used to control the device also comes with a videolink feature allowing people to see each other too.

Attention Trekies!
Stream Me Up, Scotty: CBS to Release New Star Trek Episodes Beginning January 2017
In January 2017, the Star Trek franchise is boldly going to a medium it’s never gone to before: Online.
Today, CBS announced that it will be rebooting the Star Trek series on its digital subscription video-streaming service, CBS All Access. A preview broadcast will run on TV, but the first episode and the rest of the series will be available only through the streaming service.

For my CS & IT students.
6 of the Best Paying Tech Careers for 2016

Monday, November 02, 2015

Very interesting. They screwed up and then fixed it. Would a larger company (not staffed entirely with techies) be able to do as well? Take the time to read the rest of this article…
Here’s an example of how to timely detect and disclose a breach transparently.
Halloween Security Breach
By Sean Blanchfield
PageFair security breach has been resolved – here is what you need to know.
Update 1 – 21:30 GMT November 1, 2015
Core Facts
If you are a publisher using our free analytics service, you have good reason to be very angry and disappointed with us right now. For 83 minutes last night, the PageFair analytics service was compromised by hackers, who succeeded in getting malicious javascript to execute on websites via our service, which prompted some visitors to these websites to download an executable file. I am very sorry that this occurred and would like to assure you that it is no longer happening.
The attack was sophisticated and specifically targeted against PageFair, but it is unacceptable that the hackers could gain access to any of our systems. We identified the breach immediately, but it still took over 80 minutes to fully shut it down. During this time, visitors to websites owned by the publishers who have placed their trust in us were targeted by these hackers.
The damage was mitigated by our standard security practices, but the attackers still gained access. I want to take some time here to describe exactly what happened, how it may have affected some of your visitors, and what we are doing to prevent this from ever happening again.
We will update this post as we establish more facts.

As expected.
A caution from the Daily Mail:
In the past week, many pensioners have told the Daily Mail how they have fallen victim to conmen pretending to be from TalkTalk. They often claim to be offering compensation for the data breach before asking for victims’ bank account details.
Last night a senior cyber-crime officer warned: ‘The fraudsters look for victims in their 60s, 70s, 80s and 90s. Some of the conmen have call centre training which means they sound genuine when they call up pretending to be from a telecoms company.
If you know someone who might be at risk, do give them a heads up about this. It’s not uncommon to see criminals use stolen data to try to phish for more, but it’s worth a reminder.

(Related) Could this be the result of the TalkTalk breach? Customers using the same password on both systems? Would customers be on both at the same time? Perhaps they quit TalkTalk and opened accounts on Vodafone?
Almost 2,000 Vodafone customers 'open to fraud'
Criminals used customer details gained from "an unknown source" to try to access accounts between Wednesday and Thursday, the company said.
The telecommunications giant said 1,827 customers had their accounts accessed, with criminals potentially gaining their names and some bank details.
But it insisted its systems had not been breached.
… Vodafone said its security protocols had been "fundamentally effective", but the criminals had potentially gained customers' names, their mobile phone numbers, bank sort codes and the last four digits of their bank account numbers.
… The BBC's technology correspondent Rory Cellan-Jones said the email addresses and passwords criminals used to try to access Vodafone accounts appeared to have been bought on the dark web. [This makes it look like there was a breach. Bob]

Maybe it's me, but I don't see much of a change here. Perhaps an increase in resources devoted to cybersecurity as new technologies are adopted, but the boards I worked with always seemed to understand the risks of IT.
Cybersecurity: The changing role of audit committee and internal audit
by Sabrina I. Pacifici on Nov 1, 2015
Deloitte: “Among the most complex and rapidly evolving issues companies must contend with is cybersecurity. With the advent of mobile technology, cloud computing, and social media, reports on major breaches of proprietary information and damage to organisational IT infrastructure have also become increasingly common, thus transforming the IT risk landscape at a rapid pace. International media reports on high-profile retail breaches and the major discovery of the Heartbleed security vulnerability posing an extensive systemic challenge to the secure storage and transmission of information via the Internet have shone a spotlight on cybersecurity issues. Consequently, this has kept cybersecurity a high priority [Not a new or increased priority Bob] on the agenda of boards and audit committees…”

No liability here, by statute.
Megan Newquist reports:
Imagine a burglar stalking his victims and taking pictures of their cars in parking lots, knowing their whereabouts and then breaking into their homes.
Eden Prairie police say that’s exactly what 45-year-old David William Pollard was doing, but they didn’t know how until he was arrested leaving a Minnetonka home on April 14.
Inside Pollard’s car that night, police found a slew of stolen property. In addition, police say they uncovered how Pollard was able to find his victims – through a subscription-based online account that allowed him to look up individuals by their license plate numbers.
Read more on WDAZ.
[From the article:
5 EYEWITNESS NEWS created an account on the website in question and searched a co-worker's license plate number. The results included his date of birth, name, address, make and model of car and even his vehicle’s identification number.
… DPS claims it took action against the bulk data purchaser who was re-selling this information to the website in question in 2006. It claims the purchaser’s access was terminated. But our investigation revealed the license plate data on that website was updated as recently as Dec. 31, 2011. Our employee whose license plate number was checked purchased the vehicle in 2009, three years after DPS claims it terminated the particular purchaser’s access to bulk data purchases.
… The Department of Public Safety stopped selling this personal information in bulk on Jan. 1. But unless you’ve moved or purchased a new car, your information is still out there for anyone to find.

Removing hoods is probably good. Unless of course, they point to the wrong people. Or someone starts targeting them with 'sticks and stones.' Will they recognize that someone is on an “enemies list” rather than a membership list?
Samburaj Das reports:
Anonymous has made good on its threat to expose KKK members on the internet to reveal phone numbers and emails of alleged KKK members.
Activist collective Anonymous has long had a feud with members of the radical Ku Klux Klan. There is a history there. Recently, Anonymous threatened to dox a thousand members of the KKK, unhooding them publicly in cyberspace.
So far, there have been three pastes, all linked from @YourAnonNews’ Twitter account. The first paste contains two email addresses associated and 10 phone numbers without names or additional details. The second paste contains an 800- phone number, 10 phone numbers without names, and another email address. The third paste contains more phone numbers and 21 email addresses, the majority of which are on .ru domains.
Note that not all the phone numbers are registered to individuals, but one of the numbers checked using reverse phone lookup was reported to be associated with the KKK by someone on who reported getting a call from the number which he described as KKK – “threatening.”
Some of the information in the pastes does not appear to be new, as at least one number checked by had been leaked before following Ferguson with the individual’s full name, address, credit card details, etc.
Note: In a fourth paste that actually preceded the three noted above, “Amped Attacks” (@sgtbilko420 on Twitter) released the names of nine politicians – four U.S. Senators and five mayors – whose email addresses showed up in KKK databases he claims to have hacked. Amped Attacks does not provide their email or postal addresses, or phone numbers, and the basis for him declaring them part of KKK or a supporter of them is that he can seemingly come up with no reason for their email to be in a KKK database unless they’re a member or a support.
In addition to the paste, Amped Attacks has also taken down some KKK sites, with evidence provided in his tweet stream. In one tweet, he declared that he is not part of Anonymous but respects #OpKKK.

I expected much more from South Korea but then these decisions are made by politicians not techies.
Child monitoring app pulled in S Korea
South Korea mandated in April that all children's phones must be monitored.
However, the regulator said the decision to suspend the app had been made prior to the release of a damning report about its security.
The KCC told news agency AP that the decision had been made because of the abundance of free apps now available.
Smart Sheriff had been downloaded hundreds of thousands of times inside the country and was created by a group of telecoms companies known as the Korean Mobile Internet Business Association (Moiba).
Two reports issued, one by the University of Toronto and the other by software auditing firm Cure53, described Smart Sheriff's security as "catastrophic".
The report authors found that children's personal details were not stored securely and that the parental filters applied were easy to disable.
"Smart Sheriff is the kind of babysitter that leaves the doors unlocked and throws a party where everyone is invited," said independent researcher Colin Anderson, who worked on the report, at the time.

So much for yesterday's “easy to understand” privacy policy…
Snapchat reassures users that photo messages are still totally private
Photo-messaging app Snapchat has reassured users that their photos will not be stored on its servers after changes to its privacy policy caused widespread confusion.
The Venice, California-based company published a blog post on Sunday clarifying changes that were made to its Privacy Policy and Terms and Services last week. Photos shared through Snapchat disappear after the recipient has viewed them, but users have been fretting that the updates allowed Snapchat to store photos and share them with advertisers.
Photo messages "are automatically deleted from our servers once we detect that they have been viewed or have expired", just as they were before, Snapchat said. It does not stockpile pictures, and never has.

I'm not sure this is how I would teach lawyers to code, but I'll pass it along anyway.
Coding For Lawyers – Open Source
by Sabrina I. Pacifici on Nov 1, 2015
V. David Zvenyach – “What? Lawyers and Coding? It’s true. Lawyers can code. In fact, if you’re a lawyer, the truth is that it’s easier than you think. I am a lawyer, and a coder.1 In the course of two years, I have gone from knowing essentially nothing to being a decent coder in several languages. This book is intended to drastically shorten that time for others who, like me, decide that they want to learn to code. Why this book? One thing that I discovered, when learning to code, is that there are surprisingly few freely available books on the basics of coding, books that assume you know nothing about coding, books that assume you went to law school because you didn’t like numbers. And, we need more lawyers who code…”

Not being one for “binge TV watching” I could see myself doing some serious binge reading. Especially as books become as cheap as I am. This points you to an interesting article.
The Cost of Used Books Plummets as Availability Swells
by Sabrina I. Pacifici on Nov 1, 2015
New York Times – A Penny for Your Books By Dan Nosowitzoct, October 26, 2015: “…in recent years, my bookshelves have swelled. Old John le Carré and Donald E. Westlake and Lawrence Block titles are easier than ever to find online, along with pretty much every other book published in the last century. They’re all on Amazon, priced incredibly low, and sold by third-party booksellers nobody has ever heard of… In 2014, publishers sold just over 2.7 billion books domestically, for a total net revenue of just under $28 billion, a larger profit than in the preceding two years, according to the Association of American Publishers. There were just over 300,000 new titles (including re-releases) published in the United States in 2013. The book industry may not be as strong as it once was, but it’s still enormous, and generates a considerable amount of surplus product each year.”
[From the article:
Enter the penny booksellers. There are dozens of sellers — Silver Arch Books, Owls Books, Yellow Hammer Books and Sierra Nevada Books — offering scores of relatively sought-after books in varying conditions for a cent. Even including the standard $3.99 shipping, the total sum comes out to several dollars cheaper than what you’d pay at most brick-and-mortar used-book stores.