Saturday, November 21, 2015

In short, it will probably happen again. ...and hackers can read.
OMB – Federal Information Security Modernization Act Audit FY 2015
by Sabrina I. Pacifici on Nov 20, 2015
“In FY 2015 OPM was the victim of a massive data breach that involved the theft of sensitive personal information of millions of individuals. For many years we have reported critical weaknesses in OPM’s ability to manage its information technology (IT) environment, and warned that the agency was at an increased risk of a data breach. In the wake of this data breach, OPM is finally focusing its efforts on improving its IT security posture. Unfortunately, as indicated by the variety of findings in this audit report, OPM continues to struggle to meet many FISMA requirements. During this audit we did close a long-standing recommendation related to OPM’s information security management structure [Report Number 4A-CI-00-15-011, November 10, 2015]. However, this audit also determined that there has been a regression in OPM’s management of its system Authorization program, which we classified as a material weakness in the FY 2014 FISMA audit report. In April 2015, the Chief Information Officer issued a memorandum that granted an extension of the previous Authorizations for all systems whose Authorization had already expired, and for those scheduled to expire through September 2016. Should this moratorium on Authorizations continue, the agency will have up to 23 systems that have not been subject to a thorough security controls assessment. We continue to believe that OPM’s management of system Authorizations represents a material weakness in the internal control structure of the agency’s IT security program. The moratorium on Authorizations will result in the IT security controls of OPM’s systems being neglected. Combined with the inadequacy and non-compliance of OPM’s continuous monitoring program, we are very concerned that the agency’s systems will not be protected against another attack.”

(Related) And it could happen almost anywhere.
Feds lack method to grade critical infrastructure cybersecurity
Most federal agencies overseeing the security of America’s critical infrastructure still lack formal methods for determining whether those essential networks are protected from hackers, according to a new government report.
Of the 15 critical infrastructure industries examined in the Government Accountability Office (GAO) report — including banking, finance, energy and telecommunications — 12 were overseen by agencies that didn’t have proper cybersecurity metrics.

My after-turkey reading.
Stacey Gray writes:
Each year, FPF invites privacy scholars and authors to submit articles and papers to be considered by members of our Advisory Board, with an aim toward showcasing those articles that should inform any conversation about privacy among policymakers in Congress, as well as at the Federal Trade Commission and in other government agencies.
Our top privacy papers for 2015 are, in alphabetical order:
A Design Space for Effective Privacy Notices
Florian Schaub, Rebecca Balebako, Adam L. Durity, and Lorrie Faith Cranor
Anonymization and Risk
Ira S. Rubinstein and Woodrow Hartzog
A Precautionary Approach to Big Data Privacy
Arvind Narayanan, Joanna Huey, and Edward W. Felten
Privacy and Markets: A Love Story
Ryan Calo
Taking Trust Seriously in Privacy Law
Neil Richards and Woodrow Hartzog
Our two papers selected for Notable Mention are:
Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy
Peter Swire (Testimony, Senate Judiciary Committee Hearing, July 8, 2015)
The Transparent Citizen
Joel R. Reidenberg
Congratulations to all those whose work has been recognized!

Start from the premise, “They're all terrorists!”
Because of the difficulties civil litigants have encountered in challenging section 702 of the Foreign Intelligence Surveillance Act (as created by the FISA Amendments Act of 2008), the most realistic forum for judicial review of the constitutionality of section 702 has been through a motion to suppress evidence derived from section 702 in a criminal case (especially once the government actually began disclosing that it was relying upon such evidence). Yesterday, Judge Kane (D. Colo.) issued perhaps the most significant ruling to date on a motion to suppress 702 evidence. In a nutshell, Judge Kane denied the motion, holding that, both on its face and as applied to the defendant, Jamshid Muhtorov, section 702 violates neither the Fourth Amendment nor Article III. In the post that follows, I briefly summarize Judge Kane’s reasoning, and then explain why each conclusion is deeply incomplete — and should raise serious grounds for a post-conviction appeal to the Tenth Circuit. In a nutshell, though, yesterday’s decision may well have raised more questions than it answered.

This could kill the drone stocking stuffer.
Even Some Toy Drones Would Need Registration in U.S. Proposal
Owners of all but the smallest toy drones will have to register them with the U.S. government before the end of the year if the Obama administration adopts proposals being issued by a task force it appointed.
Registration -- designed to make it easier for authorities to track down the growing numbers of illegal flights -- should be free, easy to complete online and permit multiple devices on an owner’s filing, the task force is proposing, according to three people familiar with its recommendations who weren’t authorized to speak about it.
… The task force members, some of whom are still uneasy about elements of the compromise, agreed to include anything weighing more than 250 grams (9 ounces) in the registration program, according to the people who asked not to be named.
The FAA believes that the law requires the agency to charge $5 to register an aircraft and there may be no way to exempt drone owners from the fee, according to one of the people familiar with the task force’s debate.

My industry is funny.
Hack Education Weekly News
… “Texas rejects letting academics vet public school textbooks,” the AP reports.
Via The San Jose Mercury News: “A 17-year-old Lincoln High School student has been criminally cited after he hosted an Instagram account that featured nude photos of underage girls, authorities say, including some from Lincoln.”
… “It Won’t Be Long Now Until Every School Has Internet Access,” Wired trumpets. According to EducationSuperHighway, the share of schools that meet the FCC’s minimum requirements for Internet speed has jumped from 30% to 77% since 2013. (Mark Zuckerberg also announced this week he’s giving EducationSuperHighway $20 million. While headlines read that the money will help schools get faster Internet, it will actually go towards more staff and consultants for EducationSuperHighway.) Education Week has a good series of stories on how schools are charged outrageous fees for lousy Internet service.
Via NPR: “U.S. Colleges See A Big Bump In International Students.”
Meanwhile… “Northern Virginia Community College’s Extended Learning Institute (ELI) and open courseware provider Lumen Learning announced a collaboration to publish 24 online college courses for two complete degree programs. All courses were developed for zero student cost using open educational resources (OER) (i.e., no textbooks, just public access Internet).” [The future? Bob]
Via Politico: “The Education Department is doing a poor job on everything from responding to cyber attacks to updating its software and hardware, but it’s especially bad at monitoring its computer networks for threats, according to an annual inspector general audit.”
A report from Australia’s National Assessment Programme says that tablets are “eroding” children’s digital skills.

Friday, November 20, 2015

Does this surprise anyone? If you need the intelligence, you find a way to get it.
File Says N.S.A. Found Way to Replace Email Program
… The newly disclosed information about the email records program is contained in a report by the N.S.A.’s inspector general that was obtained by The New York Times through a lawsuit under the Freedom of Information Act. One passage lists four reasons that the N.S.A. decided to end the email program and purge previously collected data. Three were redacted, but the fourth was uncensored. It said that “other authorities can satisfy certain foreign intelligence requirements” that the bulk email records program “had been designed to meet.”
The report explained that there were two other legal ways to get such data. One was the collection of bulk data that had been gathered in other countries, where the N.S.A.’s activities are largely not subject to regulation by the Foreign Intelligence Surveillance Act and oversight by the intelligence court. Because of the way the Internet operates, domestic data is often found on fiber optic cables abroad.
The N.S.A. had long barred analysts from using Americans’ data that had been swept up abroad, but in November 2010 it changed that rule, documents leaked by Edward J. Snowden have shown. The inspector general report cited that change to the N.S.A.’s internal procedures.
The other replacement source for the data was collection under the FISA Amendments Act of 2008, which permits warrantless surveillance on domestic soil that targets specific noncitizens abroad, including their new or stored emails to or from Americans.

For my Computer Security students.
Orin Kerr writes:
The Third Circuit has handed down a very important opinion on Internet surveillance law: In re Google Cookie Placement Consumer Privacy Litigation (Nov. 10, 2015). The decision is the first case to grapple in detail with how the Wiretap Act applies to the Internet. If you’re interested in surveillance law, you need to give this opinion a close and careful read. It’s a big deal. It leaves some things undecided, but it also suggests that the Wiretap Act provides pretty strong privacy protections online.
This post will go over the decision, explore its reasoning and conclude with its implications.
Read more on The Volokh Conspiracy.

Am I at risk because of my deeply held belief that DHS is worthless?
Joe Cadillic notes:
Last week, I reported how your social, political and religious views are now deemed suspicious by police.
“The Berkley Police Review Commission in California admits DHS run Fusion Centers are tracking Americans’ social, political and religious views.”
Yesterday, Police kicked four passengers off plane because they looked Middle Eastern and were watching the news on their smartphones.
“Four people were removed from a Chicago-bound flight in Baltimore Tuesday morning, and the plane delayed for three hours, after a woman became suspicious of a man who appeared to be of Middle Eastern descent and who was watching the news on his phone, according to authorities and several passengers.”
Read more on MassPrivateI.

This is unworkable. You can't sell encryption as a service if the data is not encrypted for law enforcement. (Another article that claims the Paris terrorists were encrypting their communications even though the French government says they did not.)
Shaun Waterman reports:
Blackberry believes in a “balanced” approach to encryption, incorporating lawful intercept capabilities, and the company prioritizes cooperation with law enforcement, Chief Operating Officer Marty Beard said Tuesday.
“We very much take a balanced approach” to the issue of encryption, he told the FedTalks government IT summit, differentiating Blackberry’s approach from that of some of their competitors who are “all about encryption all the way.”
Read more on FedScoop.

Do we have enough people who care? So far it looks like they are pointing to takedowns that overreact. Or perhaps they are keyword-triggered and then taken down without human review.
Tracks Content Takedowns by Social Media Sites
by Sabrina I. Pacifici on Nov 19, 2015
“The Electronic Frontier Foundation (EFF) and Visualizing Impact launched today, a new platform to document the who, what, and why of content takedowns on social media sites. The project, made possible by a 2014 Knight News Challenge award, will address how social media sites moderate user-generated content and how free expression is affected across the globe.”

The telephone was demonstrated publicly for the first time the same week that Custer rode into the Little Big Horn. Apparently, the FCC understands technology that old. Or maybe they will do what Congress spells out for them and consider thinking about evaluating other proposals...
Overnight Tech: FCC vows to enforce robocall provision
A new provision allowing government debt collectors to conduct robocalls will be enforced by the Federal Communications Commission

Those government alerts on your phone could get longer
… The Federal Communications Commission (FCC) unanimously voted Thursday to seek comment on a proposal that would increase the maximum length of alerts from 90 characters to 360 characters, among other things.
… The proposal would allow government agencies to include helpful phone numbers or Web addresses in the alerts. It would also require wireless carriers to target the alerts to narrower geographic regions. Currently, alerts go out to counties affected by an emergency.

Still waiting for a decision in the Kim Dotcom extradition hearing. This was amusing. How quickly technology becomes obsolete, lost, and incomprehensible.
When Megaupload was raided early 2012 the U.S. Government seized 1,103 servers at Carpathia’s hosting facility in the United States.
Nearly four years have since passed and it’s still uncertain what will happen to the servers, which are safely stored in a Virginia warehouse at the moment.
After a renewed request for guidance on the issue, District Court Judge O’Grady started to explore what options are on the table. He asked the various parties what would be required to release the servers and whether their possible return has any complications.
In a response, hosting company QTS/Carpathia says that most data will still be intact but that retrieving it will be a costly endeavor.
The equipment that was used to link the servers together is no longer on the market. Used parts are still available but this would cost roughly $500,000. In addition, hundreds of thousands of dollars are needed to move the servers and set them up properly.
United States Attorney Dana Boente notes that a successful data return would likely cost millions. However, the Government has no interest in the servers [Why were they seized? Bob] and doesn’t want any of Megaupload’s restrained funds to be released to pay for the costs.
… “The United States further reminds the Court that the Federal Bureau of Investigation found that many of these servers contain, as indicated more particularly under seal, copies of known images of child pornography,” Boente writes (pdf).
… “The MPAA members remain gravely concerned about the potential release of the copyrighted works that are stored on the […] servers at issue here,” the movie industry group writes (pdf).
Transferring the data to Megaupload or another party would be copyright infringement in and by itself, they argue.

Perhaps a target for my Data Mining students?
Analysis reveals info on 1.1 Billion NYC Taxi and Uber Trips
by Sabrina I. Pacifici on Nov 19, 2015
Todd W. Schneider – An open-source exploration of the city’s neighborhoods, nightlife, airport traffic, and more, through the lens of publicly available taxi and Uber data – “The New York City Taxi & Limousine Commission has released a staggeringly detailed historical dataset covering over 1.1 billion individual taxi trips in the city from January 2009 through June 2015. Taken as a whole, the detailed trip-level data is more than just a vast list of taxi pickup and drop off coordinates: it’s a story of New York. How bad is the rush hour traffic from Midtown to JFK? Where does the Bridge and Tunnel crowd hang out on Saturday nights? What time do investment bankers get to work? How has Uber changed the landscape for taxis? And could Bruce Willis and Samuel L. Jackson have made it from 72nd and Broadway to Wall Street in less than 30 minutes? The dataset addresses all of these questions and many more. I mapped the coordinates of every trip to local census tracts and neighborhoods, then set about in an attempt to extract stories and meaning from the data. This post covers a lot, but for those who want to pursue more analysis on their own: everything in this post—the data, software, and code—is freely available. Full instructions to download and analyze the data for yourself are available on GitHub.”

Some of my students should start looking immediately.
Pew – Searching for Work in the Digital Era
by Sabrina I. Pacifici on Nov 19, 2015
Aaron Smith: “The internet is an essential employment resource for many of today’s job seekers, according to a new survey by Pew Research Center. A majority of U.S. adults (54%) have gone online to look for job information, 45% have applied for a job online, and job-seeking Americans are just as likely to have turned to the internet during their most recent employment search as to their personal or professional networks. Yet even as the internet has taken on a central role in how people find and apply for work, a minority of Americans would find it difficult to engage in many digital job seeking behaviors – such as creating a professional resume, searching job listings online, or following up via email with potential employers. And while many of today’s job seekers are enlisting their smartphones to browse jobs or communicate with potential employers, others are using their mobile devices for far more complex and challenging tasks, from writing a resume to filling out an online job application.”

I don't think we use them enough.
7 Tools for Creating Flowcharts, Mind Maps, and Diagrams

I think it helps with Math too.
How to Read Music - And Seven Other Lessons About Music
Last month one of the most popular posts that I published was about writing music in Google Documents. That feature is useful only if you know how to read and write music. A TED-Ed lesson that I recently stumbled upon explains the fundamentals of reading music. Watching the video won't turn students into composers over night, but it provides a good start.
TED-Ed offers a lot of interesting and useful video lessons for students. Many of the videos are organized into playlists . Unfortunately, I couldn't find a playlist of all of the TED-Ed lessons about music. To remedy that problem, I made a playlist of my own featuring eight TED-Ed lessons about music.

Thursday, November 19, 2015

For my Computer Security students.
"Onion-Layered" Attacks on the Rise, IBM Says
Released this week, IBM’s report (PDF) cites four key trends that have been observed this year, with onion-layered and ransomware attacks joined by attacks coming from inside an organization and by an increased management awareness of the need to address security threats proactively.
IBM explains that onion-layered security incidents involve a second, more damaging attack hidden behind a visible one. Usually, these attacks are carried out by two actors, namely a script kiddie, an unsophisticated attacker launching highly visible attacks which can be easily caught, and a more sophisticated stealthy attacker who might expand their grip on the victim’s network without being detected for weeks or even months.
Earlier this year, Corero Network Security warned that distributed denial-of-service (DDoS) attacks were being leveraged to circumvent cybersecurity solutions, disrupt service availability and infiltrate victim networks.
"The danger in partial link saturation attacks is not the ‘denial of service’ as the acronym describes, but the attack itself," Corero said. "The attack is designed to leave just enough bandwidth available for other sophisticated multi-vector attacks with data exfiltration as the main objective, to fly in under the radar, while the distracting DDoS attack consumes resources."
Based on investigations conducted by Mandiant/FireEye throughout 2014, the median number of days that attackers were present on a victim’s network before being discovered was 205 days.
IBM provided fundamental advice, suggesting that organizations keep systems updated and increase their visibility into the network, as well as build an internal security operations center, create operational procedures, and ensure an appropriate level of logging, in addition to periodically performing penetration testing exercises.
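As an added illustration of the visibility and logging advice above (not code from the IBM or Corero reports), the following Python flags outbound transfers that spike only while an inbound flood is under way, the "second layer" Corero describes hiding under a partial-saturation DDoS. The flow summaries, field layout and thresholds are constructed for the example.

```python
"""Flag outbound transfers that coincide with an inbound flood.

Added illustration of the 'onion-layered' pattern described above: the flood
is the visible layer, the outbound volume under it is what a SOC should be
looking for. Flow records, thresholds and field layout are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed per-minute flow summaries: <minute> <direction> <peer> <bytes>.
# Minutes 03-05 carry an inbound flood; in the same window an internal host
# pushes an unusual volume to one external peer that is otherwise never seen.
FLOWS = """\
00 in  198.51.100.7    120000
00 out 203.0.113.9       8000
01 in  198.51.100.7    130000
01 out 203.0.113.9       9000
02 in  198.51.100.7    125000
02 out 203.0.113.9       7500
03 in  198.51.100.0/24 9000000
03 out 203.0.113.9       8000
03 out 192.0.2.44      2400000
04 in  198.51.100.0/24 9500000
04 out 203.0.113.9       8500
04 out 192.0.2.44      2600000
05 in  198.51.100.0/24 9200000
05 out 192.0.2.44      2500000
06 in  198.51.100.7    128000
06 out 203.0.113.9       8200
"""


@dataclass(frozen=True)
class Alert:
    minute: int
    peer: str
    out_bytes: int
    in_bytes: int


def parse_flows(text):
    """Turn the whitespace-separated summaries into (minute, dir, peer, bytes)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            minute, direction, peer, nbytes = line.split()
            records.append((int(minute), direction, peer, int(nbytes)))
    return records


def median(values):
    ordered = sorted(values)
    mid = len(ordered) // 2
    if len(ordered) % 2:
        return ordered[mid]
    return (ordered[mid - 1] + ordered[mid]) / 2


def detect_exfil_under_cover(records, flood_factor=10, exfil_factor=10):
    """Return alerts for (minute, peer) where outbound volume exceeds the peer's
    quiet-time baseline by exfil_factor while inbound volume exceeds its median
    by flood_factor. A relative factor rather than a saturated-link check is
    used because the flood may deliberately leave bandwidth free."""
    inbound = defaultdict(int)
    out_by_peer = defaultdict(lambda: defaultdict(int))
    for minute, direction, peer, nbytes in records:
        if direction == "in":
            inbound[minute] += nbytes
        else:
            out_by_peer[peer][minute] += nbytes

    in_median = median(inbound.values())
    flood_minutes = {m for m, b in inbound.items() if b > flood_factor * in_median}
    # Fallback baseline for peers that only ever appear during the flood.
    all_out = [b for per_min in out_by_peer.values() for b in per_min.values()]
    global_baseline = median(all_out)

    alerts = []
    for peer, per_min in out_by_peer.items():
        quiet = [b for m, b in per_min.items() if m not in flood_minutes]
        baseline = median(quiet) if quiet else global_baseline
        for minute, nbytes in sorted(per_min.items()):
            if minute in flood_minutes and nbytes > exfil_factor * baseline:
                alerts.append(Alert(minute, peer, nbytes, inbound[minute]))
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil_under_cover(parse_flows(FLOWS)):
        print(f"minute {alert.minute:02d}: {alert.out_bytes} B out to "
              f"{alert.peer} while {alert.in_bytes} B flooded in")
```

On the constructed data the long-standing peer 203.0.113.9 stays under its own baseline and is never flagged; only the peer that appears exclusively during the flood is reported.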

Not a huge breach, but it illustrates (for my Computer Security students) how failure to follow Best Practices can result in the recreation of well known failures.
Hannah Francis reports:
Australians’ private tax records were left unsecured thanks to a serious flaw in how the tax office’s online services connect with myGov, in the latest of a series of security bungles related to the federal government’s online services.
Experts have raised concerns over the handling of IT security issues by the Australian Taxation Office and the Department of Human Services, which runs the overarching service portal myGov, after a taxpayer who tried to report the issue claimed he was hung up on twice by the agencies’ call centre staff.
Read more on Sydney Morning Herald.
[From the article:
In a video obtained exclusively by Fairfax Media, Liew demonstrated how downloading a PDF letter from the tax office by clicking on a link within the myGov mailbox creates a "cookie" which logs the user into (In this case, cookies are used to authenticate the "single sign-on" process, or SSO, whereby the user only has to login once with myGov to access multiple linked services, such as tax, Medicare and Centrelink.)
Because clicking on the PDF link didn't actually open a browser page at and therefore a page was never closed, the cookie did not expire, meaning the next user who logged in to myGov and clicked on a link to saw the previous user's records.
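The SSO failure the article describes, modelled as an added example (this is not myGov's or the ATO's code; Portal, LinkedServiceVulnerable, LinkedServiceHardened and the two users are assumed names): a linked-service cookie minted on a download link, never tied to the portal session that justified it and never cleared, sits beside a version that binds the cookie to the portal session and revokes it on logout.

```python
"""Model of the portal-to-linked-service hand-off described above.

Added example, not myGov's or the ATO's code; all names here are assumed.
Portal plays the identity portal; the two LinkedService classes play the
linked tax service, one with the failure mode from the article, one hardened."""
import secrets

# Constructed records for two users who share one browser.
RECORDS = {"alice": "Alice's notice of assessment",
           "bob": "Bob's notice of assessment"}


class Browser:
    """A shared kiosk browser: the cookie jar survives from user to user."""
    def __init__(self):
        self.jar = {}


class Portal:
    """Identity portal holding the primary (single sign-on) sessions."""
    def __init__(self):
        self.sessions = {}   # portal session id -> user
        self.services = []   # linked services to notify on logout

    def login(self, browser, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        browser.jar["portal"] = sid

    def logout(self, browser):
        sid = browser.jar.pop("portal", None)
        self.sessions.pop(sid, None)
        for service in self.services:
            service.on_portal_logout(sid)


class LinkedServiceVulnerable:
    """Mints its own cookie on the first link click and trusts it from then on.
    Nothing ties that cookie to the portal session that justified it, and the
    link only downloads a file, so no service page is ever closed to clear it."""
    def __init__(self, portal, records):
        self.portal, self.records = portal, records
        self.cookies = {}    # service cookie -> user

    def fetch_letter(self, browser):
        cookie = browser.jar.get("svc")
        if cookie in self.cookies:   # a stale cookie from a previous user wins
            return self.records[self.cookies[cookie]]
        user = self.portal.sessions.get(browser.jar.get("portal"))
        if user is None:
            return None
        cookie = secrets.token_hex(16)
        self.cookies[cookie] = user
        browser.jar["svc"] = cookie
        return self.records[user]


class LinkedServiceHardened(LinkedServiceVulnerable):
    """Binds each service cookie to the portal session that created it,
    re-checks the binding on every request and revokes on portal logout."""
    def __init__(self, portal, records):
        super().__init__(portal, records)
        self.bound_to = {}   # service cookie -> portal session id
        portal.services.append(self)

    def fetch_letter(self, browser):
        cookie = browser.jar.get("svc")
        portal_sid = browser.jar.get("portal")
        if cookie in self.cookies and self.bound_to.get(cookie) != portal_sid:
            # Cookie was issued for a different portal session: discard it.
            del self.cookies[cookie]
            del self.bound_to[cookie]
            browser.jar.pop("svc", None)
        letter = super().fetch_letter(browser)
        if letter is not None:
            self.bound_to.setdefault(browser.jar["svc"], portal_sid)
        return letter

    def on_portal_logout(self, portal_sid):
        for cookie in [c for c, s in self.bound_to.items() if s == portal_sid]:
            del self.cookies[cookie]
            del self.bound_to[cookie]


def shared_kiosk_scenario(service_cls, alice_logs_out=True):
    """Alice views her letter, then Bob signs in to the same browser and clicks
    the same link. Returns the letter Bob is shown."""
    portal = Portal()
    service = service_cls(portal, RECORDS)
    kiosk = Browser()
    portal.login(kiosk, "alice")
    service.fetch_letter(kiosk)
    if alice_logs_out:
        portal.logout(kiosk)
    portal.login(kiosk, "bob")
    return service.fetch_letter(kiosk)
```

With the vulnerable service Bob is shown Alice's letter whether or not she logged out of the portal; the hardened service serves Bob his own letter in both cases.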

(Related) A somewhat larger breach, illustrating how failure to follow established (but apparently unsupervised) procedures can send things south in a hurry.
Secretary of State released names and all identifying info on 6.1 million voters
Every month, the Secretary of State (Brian Kemp) releases all the new registered voters on a disc so that various entities can update their records. This information is generally limited to names, addresses, and demographic information. But last week, the SoS decided to give out a bunch of information it has collected on you and everybody you know to anyone who signed up.
Their monthly CD for October contained the Drivers license number, social security number, full name, address, and everything else you need to steal someone’s identity for every single registered voter in Georgia. All 6.1 million of us. It was not encrypted. It was not password protected. It was a gift for anyone who ever thought of doing wrong.
[The Class Action complaint: Download (PDF, 767KB)

Now this is interesting. They must have had some evidence that this research existed. What would justify a subpoena?
Carnegie Mellon Says It Was Subpoenaed-And Not Paid-For Research On Breaking Tor
Carnegie Mellon University today implied in a statement that it was served with a subpoena to hand over research related to unmasking the identity of users on the Tor network, and that it was not paid $1 million by the FBI for doing so, as alleged by the Tor Project.
The statement, released shortly after noon Eastern, is vague and fails to answer a number of outstanding questions not only about the ethics and legality of the attack on Tor, but also whether the research was prompted by the government, which the Snowden documents revealed, has had its struggles breaking Tor traffic.

Of course NSA would like to review these “exploits.” It's possible (if unlikely) there might be something to learn, but at minimum there will be “fingerprints” to record. I wonder if they can trace anyone who subscribes? Perhaps companies could fund an organization to buy and analyze and then share the results?
Here’s a Spy Firm’s Price List for Secret Hacker Techniques
… In an unprecedented move Wednesday, the zero-day broker startup Zerodium published a price chart for different classes of digital intrusion techniques and software targets that it buys from hackers and resells in a subscription service to customers that include government agencies. The list, which details the sums it pays for attack methods that affect dozens of different applications and operating systems, represents one of the most detailed views yet into the controversial and murky market for secret hacker exploits.
… An attack that can fully, remotely take over a victim’s computer through his or her Safari or Internet Explorer browser, for instance, fetches a price of as much as $50,000. For the harder target of Google Chrome, Zerodium’s price rises to $80,000. Remote exploits that entirely defeat the security of an Android or Windows Phone device go for as much as $100,000. And an iOS attack can earn a hacker half a million dollars, by far the highest price on the list.
… Zerodium, in other words, is keeping its fresh hacker techniques under wraps for its customers, which it says include “government organizations in need of specific and tailored cybersecurity capabilities,” as well as corporate customers it says use the techniques for defensive purposes. Zerodium founder Bekrar says Zerodium clients pay subscription rates of at least $500,000 a year for access to its exploits. He wouldn’t name any specific customers. But Bekrar’s last startup, the French company Vupen, more explicitly offered its zero-day exploits to customers it described as government agencies within NATO and “NATO ally” countries. A Freedom of Information request from the investigative news site Muckrock in 2013 showed that Vupen’s customers included the NSA.

Not everyone who should encrypt their communications bothers to do so. Not all terrorists are knowledgeable about secure communications and many are mere “cannon fodder” who are not worth investing the time and effort to train. That does not mean every terrorist communication will be recognized, analyzed, and communicated to appropriate authorities in time to stop attacks.
Signs Point to Unencrypted Communications Between Terror Suspects
In the wake of the Paris attack, intelligence officials and sympathizers upset by the Edward Snowden leaks and the spread of encrypted communications have tried to blame Snowden for the terrorists’ ability to keep their plans secret from law enforcement.
Yet news emerging from Paris — as well as evidence from a Belgian ISIS raid in January — suggests that the ISIS terror networks involved were communicating in the clear, and that the data on their smartphones was not encrypted.
… Details about the major ISIS terror plot averted 10 months ago in Belgium also indicate that while Abaaoud previously attempted to avoid government surveillance, he did not use encryption.
A prescient bulletin sent out in May by the Department of Homeland Security assessed “that the plot disrupted by Belgian authorities in January 2015 is the first instance in which a large group of terrorists possibly operating under ISIL direction has been discovered and may indicate the group has developed the capability to launch more complex operations in the West.”
Abaaoud’s planned operation in Belgium was blown when authorities, who had been closely surveilling his three accomplices, stormed their safe house in the city of Verviers after determining that they were planning a major attack — very much like the one that took place in Paris on Friday. A pitched firefight between Belgian commandos and the ISIS veterans firing Kalashnikov rifles and lobbing grenades ended with two suspects dead and a third captured.
Belgian investigators concluded that Abaaoud directed the foiled operation there by cellphone from Greece — and that despite his attempts to avoid surveillance, his communications were in fact intercepted. Just a few days after the raid, Belgian news website RTL Info ran a whole article titled “What the Terrorist Suspects under Surveillance Were Saying.” It described surveillance over several months, through wiretaps and listening devices placed in the suspects’ car and their apartment.

(Related) Perhaps they were too arrogant to call for help? No doubt this is what the CIA and FBI will be talking about in those Congressional hearings.
ISIS Has Help Desk for Terrorists Staffed Around the Clock
… Counterterrorism analysts affiliated with the U.S. Army tell NBC News that the ISIS help desk, manned by a half-dozen senior operatives around the clock, was established with the express purpose of helping would-be jihadists use encryption and other secure communications in order to evade detection by law enforcement and intelligence authorities.

Interesting and strange guy. He appears to be doing what is expected, but I doubt his heart is in it.
Founder of app used by ISIS once said ‘We shouldn’t feel guilty.’ On Wednesday he banned their accounts.
Pavel Durov knew that terrorists were using his app to communicate. And he decided it was something he could live with.
“I think that privacy, ultimately, and our right for privacy is more important than our fear of bad things happening, like terrorism,” the founder of Telegram, a highly secure messaging app, said at a TechCrunch panel in September when asked if he “slept well at night” knowing his technology was used for violence.
… “Ultimately, ISIS will find a way to communicate with its cells, and if any means doesn’t feel secure to them, they’ll [find something else]. We shouldn’t feel guilty about it. We’re still doing the right thing, protecting our users’ privacy.”
… In a Facebook post, Durov blamed “shortsighted socialists” in the French government for the attacks as much as Islamic State militants.
Which is why a statement from Telegram posted on its site Wednesday is such a surprising reversal of course.
“We were disturbed to learn that Telegram’s public channels were being used by ISIS to spread their propaganda,” it read. “… As a result, this week alone we blocked 78 ISIS-related channels across 12 languages.”
The statement had a ring of insincerity to it, given Durov’s comments two months ago (the New York Times noted that the statement sounded like Claude Rains’s famous line in “Casablanca,” claiming to be “shocked, shocked” to find that gambling was happening at Rick’s, just before collecting his winnings).

Interesting. App data for people who haven't even installed the Apps! Android only, so far.
Google boosts mobile search: Now it surfaces app data and streams apps
… With today's changes, Google will start showing content in mobile search results that only lives within apps, for example, apps with content that doesn't have a corresponding web page.
An example of a mobile app that has corresponding web content is Facebook, which earlier this week enabled Google's app indexing. Now Android users can hop from search results of indexed Facebook pages directly to the relevant part of Facebook's app. Other popular apps that are indexed by Google include Airbnb, Instagram and Pinterest.
Under the extended app-indexing service, content from apps such as HotelTonight, which does not have corresponding web content, will also appear in search results. The aim is to make it easier to find information in applications.
Along with this development, Google has kicked off app-streaming from Search, so users can interact with an app that they haven't yet installed.
"With one tap on a Stream button next to the HotelTonight app result, you'll get a streamed version of the app, so that you can quickly and easily find what you need, and even complete a booking, just as if you were in the app itself. And if you like what you see, installing it is just a click away. This uses a new cloud-based technology that we're currently experimenting with," Google engineering manager Jennifer Lin said.
According to Marketing Land, for now these options will only be available within the Google app on Android 5.0 and Android 6.0 handsets.

Perhaps a voice will say, “No. It doesn't make you look fat.”
At This Store, the Fitting-Room Mirrors Know All
… In one corner, a lanky blonde woman examines a white cashmere turtleneck before placing it back on its hanger. Had she taken the item into one of the dressing rooms, she'd immediately find an image of the turtleneck displayed on the touchscreen mirror in front of her, with options to request a different size, a different color or a pair of jeans to go with it.
That's right -- the fitting rooms in Ralph Lauren's Polo flagship are smart. Very smart. Equipped with radio-frequency identification technology that tracks items via their tags, the room identifies every item that enters and reflects it back on the mirror that doubles as a touchscreen. Shoppers can interact with the mirror, which functions like a giant tablet, to control the lighting, request alternate items or style advice from a sales associate.

Perspective. Soon Watson may have friends to chat with.
China nearly triples number of supercomputers, report says
The country has 109 high-performance computing systems on the biannual Top500 list of supercomputers, up 196% from 37 just six months ago.
The most powerful supercomputer, China's Tianhe-2, also retained the top spot for the sixth consecutive time.
In contrast, the US has seen the number of its supercomputers decline.

I find 8 in Colorado.
Open Data Inception – 1600+ Open Data Portals Around the World
by Sabrina I. Pacifici on Nov 18, 2015
“You can find the list geotagged on a map at When building the best Open Data portals, the same question always comes up. Where can I find clean and usable data? Our answer is usually: “Did you search on existing Open Data portals?” But the truth is, some Open Data portals can be hard to come by. We decided to put together a resource that would be truly useful for all the data geeks out there (and we know we are plenty). We called this project: Open Data Inception. We rolled up our sleeves and started aggregating all of the Open Data portals we could get our hands on. We are thrilled to present you the first version of our comprehensive list of 1600+ Open Data portals around the world. To facilitate your search, we decided to geotag intergovernmental organization portals on their parent organization headquarters. The table of contents will give you a summary of all countries represented on this list. Simply click on a country’s name and the page will bring you to the correct section. If you are curious about how we created this list, we wrote an article about it. We hope that you will find solace in your data quest with this list. Don’t hesitate to send us feedback through the form at the bottom of the page or at @opendatas

Perhaps they would help fund the Privacy Foundation?
Introducing New Tools for Nonprofits
… Today we’re testing fundraisers – a new tool – and improving our Donate button, to allow people to donate to charities without leaving Facebook. We hope these features help nonprofits reach new supporters, engage their community and get the valuable funding they need to continue their good work.
In 2013, we first tested different ways for nonprofits to fundraise on Facebook.

I subscribe (via RSS) to a couple of these. Perhaps I should look at some others.
Read More Intelligent Content in 2016 with These 35 Sites
… For a couple of years now, we’ve occasionally brought to light some of these refuges of intelligence. In 2013 we introduced you to Reddit’s In Depth Stories, and The Feature. In 2014 we told you about and The Browser. Now at the end of 2015, we’re offering a much more comprehensive list of where to find the best online content, and journalism.

Dilbert elegantly illustrates how the Internet facilitates miscommunication.

Wednesday, November 18, 2015

The Internet provides all the education and most of the tools to do this. It also provides a connection to targets around the globe. (and it's more fun than “tipping cows.”)
BBC reports:
A 15-year-old British boy has been charged over cyber-attacks on international websites and bomb hoaxes against US airlines, police have said.
The boy, from Plymouth, is accused of offences related to service attacks on websites in Europe, North America, Africa and Asia.
Charges against him also relate to bomb hoaxes placed with North American airlines via social media, police said.
He has been bailed to appear before Plymouth Youth Court.
Read more on BBC. The police statement can be found here.
Anyone know what his Twitter handle was or who this is? Is this the teen identified as @RansomTheThug back in January? If you have any information, please e-mail breaches[at]

For my Computer Security and Ethical Hacking students.
The traditional padlock gets the “smart” treatment
… Users manage their padlocks through a smartphone app, and have a variety of methods at their disposal to unlock the LockSmart: either by passcode, Touch ID, or tapping an icon on the phone app. The unlock signal is then sent by Bluetooth using 128-bit encryption to the padlock.

Something for my Computer Security students to consider.
Nadella: Microsoft to Be Stealth Operator for Cloud Security
… Microsoft has launched a new Cyber Defense Operations Center at its headquarters in Redmond, Washington, Nadella told attendees, as part of the US$1 billion a year it plans to spend on security.
Nadella boasted -- raising a few eyebrows -- that Windows 10 was the most secure operating system in the world, and that the company aimed to be able to detect and respond to security threats in real time anywhere in the world on any type of device for any type of customer within its ecosystem.

Scare tactics? Is the CIA trying to say, “use encryption, become a target?”
Take a Stroll over to the App Store to Download the Very Same App ISIS Uses
… According to the Daily Beast, ISIS is encouraging its members and followers to use Telegram after the deadly attacks in Paris as a means of subverting spies.
CIA Director John Brennan is quite concerned about the technology’s prominence among jihadists, saying Monday:
“There are a lot of technological capabilities that are available right now that make it exceptionally difficult, both technically as well as legally, [?? Bob] for intelligence and security services to have the insight they need to uncover.”
Brennan added:
“There has been a significant increase in the operational security of a number of these operatives and terrorist networks as they have gone to school on what it is that they need to do in order to keep their activities concealed from the authorities.” [Knowing you might become a target for a Maverick Missile does seem to concentrate the mind. Bob]
… While the CIA feels the threat of this kind of technology is real, there is a different tone outside the intelligence community, such as Matthew Green, an assistant professor at the Johns Hopkins Information Security Institute, who said:
“Law enforcement is talking about easy encryption apps that you download from the app store. What we’ve learned from terrorists is that they will go to great lengths to encrypt and even hide their communications in code. They’re not completely dependent on these easy use apps that people are talking about.”

(Related) More about the technology itself.
An app called Telegram is the 'hot new thing among jihadists'
… The Berlin-based startup boasts two layers of encryption and claims to be "faster and more secure" than its competitor WhatsApp, which is owned by Facebook.
Users can securely message friends and send pictures and files. They can also create group chats with up to 200 members or opt for "special secret chats" where messages, photos, and videos will self-destruct.
… ISIS is also using Telegram to broadcast big messages on the app's "channels," which are devoted to a variety of topics. It was on the official ISIS channel that the group said the Paris attacks would be the "first of the storm."

So, what can you do? (Let me guess. You could do something if you had a bigger budget.)
FCC says it can't shut down ISIS websites
The head of the Federal Communications Commission (FCC) on Tuesday shot down suggestions that the agency could take down websites used by the Islamic State in Iraq and Syria (ISIS) and other terrorist groups.
… "We cannot underestimate the challenge," FCC Chairman Tom Wheeler responded. "I'm not sure our authority extends to [shut down the websites], but I do think there are specific things we can do."
Wheeler similarly told Rep. Bobby Rush (D-Ill.) that the commission does not have the authority to target the social media accounts of gang leaders in the United States that are contributing to urban violence.
"We do not have jurisdiction over Facebook and all the other edge providers. We do not intend to assert jurisdiction over them," Wheeler said.
But the chairman said he can use the FCC's bully pulpit to press tech CEOs on the issue, such as Facebook's Mark Zuckerberg.
"I will call Mark Zuckerberg this afternoon to raise the issue you've raised and the issue Mr. Barton raised. And I'm sure he is concerned as well and he'll have some thoughts," Wheeler said.
… Wheeler offered other areas where the commission could take action. He specifically mentioned the rash of vandalism to fiberoptic cables in the California Bay Area.
… Wheeler said the system, called the Network Outage Reporting System, could be mined to put together larger trends about outages. But he said that is currently impossible because the system is running on outdated technology, being held together by "baling wire and glue."

(Related) Gosh! I wonder if they called Mark Zuckerberg for advice too?
Hacker Group Claims to Hit 5,500 IS Accounts
The hacker group Anonymous claimed Tuesday to have taken out 5,500 Twitter accounts linked to the Islamic State group, which claimed responsibility for the Paris attacks.
The loosely organized hacking collective made the claim in a tweet one day after launching #OpParis campaign, which stepped up an earlier effort to shut down social media accounts of the organization.
In an apparent riposte, a message posted via the messaging service Telegram calls on Islamic State affiliates to secure their Internet communications.

WWHD? (What Would Harvard Do?) Would we be better off if universities didn't care about Halloween costumes?
Yale’s Alumni Donations May Suffer Amid Free Speech Debate
… This Ivy League institution has become the center of a free speech debate after two conflicting emails were sent out to students about Halloween costumes. The first email, sent to the campus by the Intercultural Affairs Committee, which seeks to promote an inclusive and diverse campus, requested that students avoid wearing “culturally unaware or insensitive” Halloween costumes, including Native American dress, redface and blackface. In response, faculty member Erika Christakis sent an email saying students should be free to wear whichever costumes they choose. Both were cited by the Foundation for Individual Rights in Education (FIRE).
… According to the Yale Daily News, the student newspaper, students have skipped classes and midterm exams, or requested extensions citing emotional distress as rendering them unable to fulfill academic obligations.
Now, hundreds of alumni are frustrated with how Yale has handled the crisis. Many have threatened to withhold future donations if the administration favors protesting students.

Perspective. “It's not fair! They have a larger population than we do!”
Report: India Set To Overtake U.S. To Become World’s Second Largest Internet Market
The number of Internet users in India is tipped to surpass 400 million by the end of this year, making it the second largest online population in the world behind only China, according to a new report from the Internet and Mobile Association of India (IAMAI) and market research IMRB.
The report claims that the total number of Internet users in the country will reach 402 million by December, of which 351 million will go online daily. That first figure would see India surpass the U.S. on total web users, but leave it some way behind China, which claims over 600 million.

Tuesday, November 17, 2015

Sounds like just another minor breach, but this one has clear political overtones. Does the DoL ever release data like this for non-political purposes?
AP reports:
A Bluefield auto dealership owned by Republican gubernatorial candidate Bill Cole has asked Gov. Earl Ray Tomblin’s office to investigate a state agency’s recent release of the names, salaries and social security numbers of more than 200 employees who work for Cole.
[From the article:
The Charlotte Gazette-Mail reports that the state Division of Labor released the employees’ confidential information last month, in response to a request from the newspaper for a story about wage complaints filed against businesses owned by candidates for governor in West Virginia.

Reacting to TalkTalk, not Paris. (Because TalkTalk users vote in UK elections.)
UK to Double Funding to Fight Cyber Attacks
Britain on Tuesday said it will double its investment in cyber-security to counter threats including from the Islamic State group, in the wake of the Paris attacks claimed by IS.
Speaking at the headquarters of Britain's electronic spy agency GCHQ in southwest England, finance minister George Osborne said the money would be used against criminals, rogue states and terror factions.
Osborne said that, while IS jihadists did not yet have the capability for attacking Britain's infrastructure through the web, "we know they want it, and are doing their best to build it".

Encrypted communications leave law enforcement no choice?
Vice’s Motherboard is puzzling over a massive leap in the number of Title III wiretap orders served on Facebook during the first half of 2015: A whopping 201 (targeting 259 users) over the course of just six months, according to the social networking giant’s latest transparency report, compared with a mere nine such orders (targeting 16 users) for the whole of 2014. The experts Motherboard interviewed were at a loss to explain the jump, but one quite simple and plausible explanation leaps out at me: WhatsApp, the instant messaging client whose acquisition was finalized by Facebook at the very end of last year — and which law enforcement officials routinely say is favored by bad actors looking to communicate securely.

Analyzing Zuckerberg? The photo looks so lifelike!
Inside Mark Zuckerberg's Bold Plan For The Future Of Facebook

Another instance where the scammers are ahead of the government.
You don’t need to pay someone to register your drone
You wouldn’t pay a private company to get your car registered, and you don’t need to hire one to get your drone registered either, the Federal Aviation Administration said Monday.
At least one private firm has begun offering to handle drone registration for a fee, helping drone owners to comply with an FAA mandate that requires registration, the federal agency said. But the FAA still hasn’t sorted out how registration will be handled and cautions against paying money prematurely for assistance.

The illogic of politics. No doubt we will see lots of statements like this one.
After Paris, Encryption Will Be a Key Issue in the 2016 Race
… Just yesterday, CIA director John Brennan said that he hoped the Paris attacks would serve as “a wakeup call” to those who oppose government surveillance in favor of personal privacy.

(Related) Never let the facts enter the debate.
Encrypted Messaging Apps Face New Scrutiny Over Possible Role in Paris Attacks
American and French officials say there is still no definitive evidence to back up their presumption that the terrorists who massacred 129 people in Paris used new, difficult-to-crack encryption technologies to organize the plot.

It's the future, but is it wise, or even legal? For example, leaving a running car unattended (a “puffer car”) is illegal in Denver and Aurora, perhaps statewide?
Ford Borrows A Play From Tesla, Launches App With Remote Start, Unlocking And More
Ford just announced a service that allows owners to control their car from a smartphone app. Called Sync Connect, the service brings a lot of functionality not traditionally found in gas automobiles — let alone, inexpensive gas-powered cars. The functions rival that found on Tesla’s app and will first be available on the 2017 Ford Escape small SUV.
This app allows owners to lock and unlock their vehicle from afar as well as remotely start the engine. It even allows owners to schedule remote starts, so, say, if the owner leaves the house every day at 7:00 AM, this app can start the car on designated days at 6:55 so it’s nice and toasty warm by 7:00.

This sounds very “politically incorrect” but what the author says is that communicating using a global language makes it easier to see global connections.
… When we think of innovation, we tend to think of smart, technically trained people sitting in a room coming up with game-changing ideas. But innovation is just as much a function of connections—of a person’s or team’s ability to access global information networks and work alongside others with relevant skills.
In a global economy, English facilitates those connections. When a country has strong English abilities, its innovation sector can better pull from the global pool of talent and ideas. And we now have data that illustrates the close relationship between innovation and English proficiency worldwide.

Ha! Take that you posture weenies. I've been doing it right all along!
Sitting Up Straight Is Bad: The Right Way to Sit at a Desk
The proper angle is somewhere between 120 and 135 degrees, which looks like this:

Tools & Techniques. Useful USB tips.
Are USB Flash Drives Still Worth It In 2015?

Look at it this way. A Masters degree will cost you a bachelors degree and then some. (Infographic)
Is A Bachelor’s Degree A Financially Viable Choice?

Perspective. Does Seattle really not see the potential income stream here? I would really like to see their analysis.
Seattle city council votes down municipal broadband pilot project
The Seattle City Council voted against a $5 million municipal broadband pilot program on Monday, delivering a major blow to groups that want to see the Internet treated like a public utility akin to electricity.
… The mayor’s office has opposed the larger municipal broadband initiative, saying the $480 million to $665 million project simply isn’t possible without some type of outside funding.

Cute, but where do they fall in the alphabet?
For first time ever, an emoji is crowned Oxford Dictionaries’ Word of the Year
… Oxford Dictionaries has recognized the influential and complex function of emoji by giving one of the symbols its highest honor. For the first time in Oxford’s history, the Word of the Year is a pictograph.
Officially, 2015’s linguistic champion is known as the “Face with Tears of Joy” emoji. Oxford Dictionaries announced in a statement Monday: “There were other strong contenders from a range of fields…but [Face with Tears of Joy] was chosen as the ‘word’ that best reflected the ethos, mood and preoccupations of 2015.”

I wish more of my students would read.
How These College Kids Got 150 Top CEOs to Give Them Book Recommendations
There are millions of books that can help you navigate the business world, but which are the best of the best?
That's what Julia Wittrock and Grant Hensel wanted to know as they prepared to graduate from Wheaton College this past May. Like many students, the two were about to start their first jobs: Wittrock as a strategic sourcing analyst at 3M in Minneapolis and Hensel as an analyst at Slalom Consulting in Chicago.
Three weeks before graduation, the two friends sent short letters to all of the CEOs on the Fortune 500 list, asking them for their favorite business book recommendations.

For the listening generation. Also, How to make your own podcast.
5 Places to Discover New Podcasts That You’ll Love

Yeah they're cartoons. You gotta problem wid dat?

Tools & Techniques. Worth knowing about. (A couple of categories)
10 iPhone and iPad Apps That Take Accessibility To The Next Level
Apps for People with Hearing Impairments
Apps for People with Vision Loss