Saturday, November 28, 2015

Ah that Christmas hacking spirit.
Major Toy Maker VTech Hacked: 4.8 Million Parents And 200,000 Children Exposed
Electronic toy maker VTech's Learning Lodge, the company's app store database, has been compromised. The security breach, which occurred earlier this month, has been deemed among the biggest hacks ever documented.
The incident exposed the private information of nearly 5 million parents and more than 200,000 children.
According to Motherboard, the hacked personal information of the Chinese company's customers includes names, passwords, email addresses and home addresses of 4,833,678 parents as well as the first names, birthdays and genders of their children.
… The hacker told Motherboard of the security breach, and even handed over files containing the confidential data. Motherboard then reached out to VTech.
The toy maker confirmed the breach over an email it sent out to Motherboard on Thursday, Nov. 26, indicating that an illegal party accessed VTech customer data on its Learning Lodge app store customer database last Nov. 14.
"We were not aware of this unauthorized access until you alerted us," said Grace Pang, VTech's spokesperson.
When asked about the real purpose in obtaining the data, the hacker said "nothing." The hacker even said that the data has only been shared with Motherboard, albeit a possibility exists that the data could have been sold to someone else.

Covers Computer Security and Statistics. My students will hate it
… There are many interesting examples that illustrate the concept. I’ll reproduce one of those here:
“In a city of 1 million inhabitants let there be 100 terrorists and 999,900 non-terrorists. To simplify the example, it is assumed that all people present in the city are inhabitants. Thus, the base rate probability of a randomly selected inhabitant of the city being a terrorist is 0.0001, and the base rate probability of that same inhabitant being a non-terrorist is 0.9999. In an attempt to catch the terrorists, the city installs an alarm system with a surveillance camera and automatic facial recognition software.
The software has two failure rates of 1%:
  • The false negative rate: If the camera scans a terrorist, a bell will ring 99% of the time, and it will fail to ring 1% of the time.
  • The false positive rate: If the camera scans a non-terrorist, a bell will not ring 99% of the time, but it will ring 1% of the time.
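The quoted passage stops just before the payoff, which is the posterior: given that the bell rings, how likely is it that the person in front of the camera is actually a terrorist? The script below is an added illustration (not part of the quoted Wikipedia text) that carries the example through with Bayes' rule using exactly the figures above, and also answers the question a detection engineer would ask next: how good would the false-positive rate have to be before the alarm is worth acting on?

```python
"""Bayes' rule applied to the base-rate example above.

Added illustration, not part of the quoted passage. The inputs are the
figures in the quote: 100 terrorists in a city of 1,000,000 (prevalence
0.0001), a 1% false-negative rate (sensitivity 0.99) and a 1% false-positive
rate. Any other detector can be plugged in the same way."""


def positive_predictive_value(prevalence, sensitivity, false_positive_rate):
    """P(target | alarm): the share of alarms that are real.

    Numerator: alarms caused by real targets. Denominator: all alarms,
    including the ones the error rate raises on innocent people."""
    true_alarm = prevalence * sensitivity
    false_alarm = (1.0 - prevalence) * false_positive_rate
    return true_alarm / (true_alarm + false_alarm)


def expected_alarms(population, prevalence, sensitivity, false_positive_rate):
    """(true alarms, false alarms) expected when everyone is scanned once."""
    targets = population * prevalence
    others = population - targets
    return targets * sensitivity, others * false_positive_rate


def false_positive_rate_for_ppv(target_ppv, prevalence, sensitivity):
    """False-positive rate the detector would need so that a fraction
    target_ppv of its alarms are real. Solves PPV = a / (a + (1 - p) * fpr)
    for fpr, where a = prevalence * sensitivity."""
    true_alarm = prevalence * sensitivity
    return true_alarm * (1.0 / target_ppv - 1.0) / (1.0 - prevalence)


if __name__ == "__main__":
    p, sens, fpr = 100 / 1_000_000, 0.99, 0.01
    print(f"P(terrorist | bell rings) = {positive_predictive_value(p, sens, fpr):.4%}")
    t, f = expected_alarms(1_000_000, p, sens, fpr)
    print(f"expected alarms per full scan: {t:.0f} true, {f:.0f} false")
    print(f"FPR needed for 50% precision: {false_positive_rate_for_ppv(0.5, p, sens):.6%}")
```

Run as written it reports that only about 0.98% of rings are genuine (99 true alarms against 9,999 false ones per sweep of the city), and that the camera's false-positive rate would have to fall to roughly 0.0099%, about a hundred times better, before even half of its alarms pointed at a real target. The same arithmetic applies to any IDS or anti-fraud rule that fires on a rare condition: the base rate, not the advertised accuracy, decides how much of the analyst's queue is noise.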

Very amusing. Would make a good lecture!
It’s not just images – there’s text and quotes from historians that accompany this interesting piece on Medium.

(Related) Do you suppose my students care? Will they bother with preventive measures?
Porn Viewing Habits Could Be the Next Big Leak: Here’s What To Do

We'll have to lock down our printer…
Want a Ford GT? Print it yourself
You’re unlikely to find a new Ford GT in your garage this holiday, but the automaker is giving you a chance to build one yourself. All you’ll need is a 3D printer and some plans provided by Ford.
With 3D printers predicted to become household appliances in the near future, Ford is celebrating its own use of the technology (at least, a very refined version thereof) with detailed printable versions of its cars. Tech-savvy makers can simply download and manufacture more than 1,000 models in miniature, and the rest of us can have a 6-inch-long pre-printed version delivered. The GT (rather, the “Ford GT E3 2015 Forza Motorsport 6”) is offered as a $230, limited-edition full-color rendition shipped in a wooden gift box, while the others — $39 printed or $4.99 for the 3D-printer-ready .STL file — are a solid colour.

(Related) Perhaps self-driving slot-cars?
Formula E is planning the first racing series for driverless cars

Interesting. Perhaps a “revolving door” App to connect businesses with professors?
Business Professors Need to Spend Time in Companies

Not as bizarre as you might think.
Tech Tats, A New Biowearable Technology In the Form of Temporary Circuit Board Tattoos
Tech Tats are a new category of biowearable technology in the form of temporary circuit board tattoos that are applied directly to the skin. Designer Eric Schneider explains the Tech Tat wearables being developed at Chaotic Moon Studios in a video produced by the company.

A turkey of a week.
Hack Education Weekly News
… Via Politico, a look at the worst school system in the US, those on Native American reservations: “How Washington created some of the worst schools in America.” [A useful bad example? Bob]
Via The Columbus Dispatch: “The state has ordered the entire administrative and teaching staff at a Columbus middle school to undergo training in identifying warning signs for behavioral disabilities among students after they suspended an unruly sixth-grader for 70 days last school year.” [“Why? We don't care why!” Bob]
… The BBC looks at “merger madness” – that is, the consolidation of European universities.
… The world’s largest OER collection has been released by the Smithsonian.
… “Children are becoming more trusting of what they see online, but sometimes lack the understanding to decide whether it is true or impartial,” according to a study by Ofcom, which uses the phrase “digital natives” in its headline. Ugh. Don’t do that. Here’s a better headline, from Motherboard: “Only 31% of Preteens Can Distinguish Paid Ads from Real Search Results.”

Friday, November 27, 2015

For my Ethical Hacking and Computer Security students.
7 Alarming Ways Hackers Can Screw with Your Smartphone
… to get you thinking the right way, here are some real examples in which your smartphone can be hacked and used against you, and I promise you’ll start thinking of smartphone security as an everyday necessity rather than just for the paranoid.

Unfortunately, less boob-tube time does not translate into fewer boobs.
Online Streams Are Destroying Cable TV and These 3 Stats Prove It
Cord-cutting isn’t just a hypothetical dream anymore. It’s happening all over the country and the numbers are accelerating at speeds no one could have foreseen or predicted. The new age of online streaming is already here and it’s here to stay.
1. Netflix is still growing — significantly. In Q1 of 2015, Netflix’s membership grew by 4.9 million subscribers. In the quarter before that, membership grew by 4.0 million subscribers. In total, Netflix now has over 62 million users all over the world (and 40 million of those users in the U.S.).
2. Pay TV subscription rates are dropping like flies. In Q2 of 2015, the pay TV industry (which includes cable, satellite, and telco TV) lost a total of 566,000 subscribers. Compare that to Q2 of 2014 when they’d lost a total of 321,000 subscribers. The attrition rate is increasing at alarming speeds.
3. Almost every single age group is watching less TV. In Q2 of 2015, the only age groups to watch more TV in a month were 50 to 64 and 65+ — which means that people between the ages of 2 to 49 all watched less TV.

Interesting. Think of it as crowd-sourcing education. But do we want popular or accurate information? Using professionals in training might keep Wikipedia on track. We could do this in any field of study.
Batea – The clinical browser data mining project
by Sabrina I. Pacifici on Nov 26, 2015
November 17, 2015 – “DocGraph publicly released Batea, a browser extension that tracks clinical reference URLs visited by medical students when they study. Batea was built by DocGraph with support from the Robert Wood Johnson Foundation (RWJF). Medical students across the country are encouraged to download the Batea extension for use on their personal computers. Browsing histories will be aggregated monthly and shared with WikiProject Medicine to help direct future improvements to Wikipedia medical articles. According to a 2014 study, Wikipedia is the single leading source of medical information for patients and healthcare professionals. Wikipedia’s 25,000 medical articles receive more than 200 million views per month and its 8,000 pharmacology articles receive more than 40 million views per month…. DocGraph ( is an organization that works to create, maintain, and improve open healthcare datasets. It aims to grow the open health data movement and build a community of data scientists, journalists, and clinical enterprises who use open data to understand and help evolve the healthcare system.”

Something to get my Computer Security students talking.
10 Great Security Tools You Should Be Using

Something to get my Master Data Management students talking.
How Master Data Management Demand May Change in 2016

For all my students, especially those who miss class due to a “Check engine” light.
Upgrade Your Car, Just Add iPhone: 20 Apps for Motorists

Thursday, November 26, 2015

Is this what infected Hilton and Starwood PoS terminals?
Sophisticated PoS Malware "ModPOS" Targets US Retailers
The malware, dubbed “ModPOS” due to its modular architecture, uses modules that are packed kernel drivers, which makes them more difficult to detect by security products. The modules identified by iSIGHT Partners so far include one for logging keystrokes, one for uploading stolen data and downloading additional components, and one for collecting card data.
The “POS Scraper” module is designed to collect payment card track data from memory. Researchers believe the attackers target specific PoS software processes, such as “credit.exe.”
“This [process] is unique to POS vendors that use this executable as a part of their software. iSIGHT Partners is confident that the actors customize the malware based on the targeted environment,” the security firm noted in its report on ModPOS.
According to Trustwave’s 2015 Global Security Report, 40 percent of the data breaches reported in 2014 were PoS-related, such systems being targeted by 70 individual variants of malware. A large majority of PoS breaches occurred due to a combination of remote access and weak passwords.
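The report above says the scraper module "collects payment card track data from memory" but not what that looks like. The script below is an added example written for this page, not code from the iSIGHT report, and it makes no claim about ModPOS internals: it shows the kind of pattern a RAM scraper (or a defender's memory-dump triage script) keys on, the Track 1 and Track 2 magnetic-stripe strings that sit in plaintext in PoS process memory for a moment before the software encrypts them. The sample buffer is constructed; 4111 1111 1111 1111 is a public test card number, and the process name is the one the report mentions.

```python
"""Scan a memory buffer for payment-card track data and Luhn-check it.

Added example written for this page; it is not code from the iSIGHT report
and makes no claim about ModPOS internals. It shows the kind of pattern a
RAM scraper, or a defender's memory-dump triage script, keys on: Track 1 and
Track 2 strings. The sample buffer below is constructed; 4111111111111111
is a public test PAN, and 'credit.exe' is the process name the report
mentions."""
import re

# Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2 = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")
# Track 1: '%B' PAN '^' cardholder name '^' YYMM service-code ... '?'
TRACK1 = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that every real PAN passes; drops random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four so a finding can be logged without the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Return one record per track string found, flagged by Luhn validity."""
    hits = []
    for track, rx in ((1, TRACK1), (2, TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode("ascii")
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask(pan),
                "expiry": m.group("exp").decode("ascii"),
                "luhn": luhn_ok(pan),
            })
    return sorted(hits, key=lambda h: h["offset"])


def card_data_present(buf: bytes) -> bool:
    """True when at least one Luhn-valid track string is in the buffer."""
    return any(h["luhn"] for h in find_track_data(buf))


# Constructed stand-in for a dump of a PoS process's memory.
SAMPLE_MEMORY = (
    b"\x00\x00credit.exe\x00\x00"
    + b"%B4111111111111111^DOE/JANE^25121010000000000?"   # Track 1, valid PAN
    + b"\x00" * 16
    + b";4111111111111111=25121010000000000?"              # Track 2, same card
    + b"\x00" * 16
    + b";1234567890123456=2512101?"                         # Track 2 shape, fails Luhn
    + b"\x00" * 8
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
    print("card data present:", card_data_present(SAMPLE_MEMORY))
```

Two points worth noticing. The Luhn filter is what separates a real hit from the digit soup a process dump is full of, which is why scrapers and scanners alike apply it; and because the track strings have a fixed shape, the same regexes pointed at the memory of a running "credit.exe"-style process will tell you whether cleartext card data is exposed there at all, which is the precondition a memory scraper needs.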

Was it the plane or Putin ordering in missiles? Either way, this is what you have to expect when even teenagers can “join the fight.”
Waqas writes:
Turkish hackers just took down the official website of Russian Central Bank amid tension near Syrian-Turkey border.
A group of Turkish hacktivists going by the handle of Turk Hack Team has conducted a powerful DDoS attack on the official website of Russian Central Bank earlier today forcing it to go offline for over 10 minutes.
While talking to HackRead, the Black-Spy attacker from THT explained that the reason for targeting the Russian bank was to send a message to Russia.
Read more on HackRead.

Not sure I like this one. I'll have to think about it for a bit.
New Technology, New Information Privacy: Social-Value-Oriented Information Privacy Theory
by Sabrina I. Pacifici on Nov 25, 2015
Chang, Chen-Hung, New Technology, New Information Privacy: Social-Value-Oriented Information Privacy Theory (September 30, 2015). Available for download at SSRN:
“Today’s innovative technologies offer remarkable advantages in our daily lives, but they also give rise to concerns that these technological advancements will adversely impact individuals’ privacy. The traditional notions of information privacy were based on personal control over data about oneself, an antiquated notion in a time where pervasive surveillance has rendered it nearly impossible for individuals to protect information privacy on their own. Key privacy concerns arise because it is nearly impossible to be left out of the intertwined digital and Internet world. Those who choose not to use the Internet, smartphones, tablet computers, electronic mail and online social network platforms, nevertheless remain trapped in the inescapable digital net, with others able to track their personal data. This essay includes suggestions for reconstructing traditional privacy theories. The traditional notice-and-choice principle has failed to protect information privacy. Privacy should be determined by both individuals’ subjective feelings and objective social norms. The government has a constitutional obligation to protect the right to privacy by constructing basic information privacy protection principles. Furthermore, this essay proposes an approach to constructing a social-value-oriented information privacy theory. Among others, in determining the context of privacy, if no social precedents are available, the particular social activity’s consequences, purposes, and values may first be identified, and then these results may be used to trace back to the starting point and consider how to regulate social activities.” [Huh? Bob]

Have I mentioned that I love Google? All of my (so far unpublished) studies prove Google is a giant in the areas of privacy protection, consumer rights and PAC donations.
Google’s insidious shadow lobbying: How the Internet giant is bankrolling friendly academics—and skirting federal investigations
In June 2011, Google had a problem. The Federal Trade Commission (FTC) had opened multiple investigations into whether the tech giant illegally favored its own shopping and travel sites in search engine queries; restricted advertisers from running ads on competing sites; and copied rival search engines’ results.
To fight this threat, Google turned to a key third-party validator: academia, and in particular one university with a long history as an advocate for corporate interests.
From the beginning of the FTC investigation through the end of 2013, Google gave George Mason University’s Law and Economics Center (LEC) $762,000 in donations, confirmed by cancelled checks obtained in a public records request. In exchange, the LEC issued numerous studies supporting Google’s position that they committed no legal violations, and hosted conferences on the same issues where Google representatives suggested speakers and invitees.

Is this how the FTC works? Make a deal then stand by as it is ignored?
Albertsons buys back stores feds forced it to sell
Less than a year after federal regulators forced Albertsons Co. to sell off more than 146 grocery stores as part of a $9.2 billion merger with Safeway, the grocery chain has started buying them back for pennies on the dollar.
And, in some cases, for only $1.
A federal bankruptcy judge on Tuesday approved Albertsons' purchase of 33 stores, including three in Arizona, from Haggen Holdings LLC, a Pacific Northwest grocery chain that failed spectacularly months after it took over Albertsons stores in five states.
The buyback appears to erode a Federal Trade Commission order that required Albertsons and Safeway to divest 168 total stores to prevent the new company from having a monopoly in dozens of markets.
… Haggen sold 55 stores at a bankruptcy auction this month for about $47 million, court records show.
Albertsons paid $14.3 million for the 33 stores. Albertsons’ bid price for nearly half of the stores was $1 each, according to a story in The Wall Street Journal. It also assumed liabilities as part of the purchase price.

Worth reading. Tells me something I never would have suspected! For my App developing students.
How a Food-Ordering App Broke into a Crowded Market
It’s not easy to find companies that genuinely do things differently. But for the founders of the takeout-ordering app Eat24, doing things differently is what allowed them to build up their company into an attractive acquisition target – they recently completed a $134 million deal with Yelp.
… It’s true that the founders weren’t technical experts, they had no previous startup experience, and GrubHub already had impressive marketshare. But Eat24 managed to bootstrap their app anyway. Here’s how.
1. Go after “undesirable” customers.
2. Go after “undesirable” media. Oddly enough, Eat24’s biggest break came when they left Google and Facebook as marketing platforms after advertising rates rose. Eat24 instead turned to … porn websites. The marketing expense was 90% cheaper than on Google, Facebook, and Twitter – after all, lots of companies don’t want to advertise on porn sites – but the exposure was 200% higher. Moreover, return customers were four times higher. And they were also reaching new customers — nine out of 10 visitors to Eat24 from the sites were new, and conversion rates blew Facebook away. As Nadav told an Israeli newspaper, “we just let the numbers talk.”
Of course, this makes sense: the audience on porn sites is young, male, more inclined to order food online.

Clearly the Brits do things differently.
Barclays fined for lax crime checks in 'deal of century'
Britain's financial watchdog has fined Barclays (BARC.L) 72 million pounds ($109 million) for cutting corners in checking wealthy customers involved in a huge transaction described by one senior manager as potentially the "deal of the century."
Barclays arranged the 1.9 billion pound transaction in 2011 and 2012 for a number of rich clients deemed by the regulator to be politically exposed persons (PEPs), or people holding prominent positions that could be open to financial abuse.
That should require a bank to conduct more detailed checks on them, but Barclays failed to do so and in fact cut corners with its compliance procedures, Britain's Financial Conduct Authority (FCA) said in a damning report on Thursday.
"Barclays did not follow its standard procedures, preferring instead to take on the clients as quickly as possible and thereby generated 52.3 million pounds in revenue," the FCA said.
Barclays, which received a 30 percent discount on the fine for settling at an early stage in the investigation, said the FCA made no finding that the bank facilitated any financial crime in relation to the transaction or the clients on whose behalf it was executed.
… Just over 52 million pounds of the penalty on the bank comprised disgorgement, meaning clawing back the profit Barclays made on the transaction. That is the largest disgorgement penalty ever imposed by the FCA.
… FCA said Barclays kept details of the clients and transaction off its computer system, and had agreed that if their names were ever revealed it would have had to pay them 37.7 million pounds.
"Barclays restricted the number of its staff who were involved in the business relationship and sought to address the financial crime risks that were associated with it in an ad hoc way," the FCA said in a 37-page notice on the bank's failings.
… The bank also failed to establish adequately the purpose and nature of the deal and did not sufficiently corroborate the clients’ stated source of wealth and source of funds for the transaction, the FCA said.

Real lawyers don't get caught!
AAP reports:
A law student has been charged with hacking the University of Queensland‘s computer system to cheat his way to better marks.
The student allegedly used a staff ID card to break into a staff area and logged on to the private system to upgrade the marks on his papers ahead of graduation, according to News Corp.
Read more on Brisbane Times.

For years we lock ourselves out of this. Probably not a good thing.
Why Cuba Stands Tall in Health Care Metrics
Despite the decades long U.S. trade embargo, Cuba’s health care system has thrived, building a record on major health care metrics that is comparable with not only other countries in the same per capita income bracket, but also with the U.S. Cuba has also made remarkable advances in biotechnology, especially in pediatric vaccines.
… One vaccine developed in Cuba, called CimaVax, promises to be a cheap, safe, effective and easy to administer treatment for lung cancer, according to a recent Knowledge@Wharton report. The vaccine has been developed by the Havana-based Center for Molecular Immunology, and is now being tested for the U.S. market by the Roswell Park Cancer Institute of Buffalo, N.Y.

Perspective. We must look like a country of techies, but what percentage can program their toys?
Smartphone, computer or tablet? 36% of Americans own all three
by Sabrina I. Pacifici on Nov 25, 2015
“A new Pew Research Center analysis finds that 66% of Americans own at least two digital devices – smartphone, desktop or laptop computer, or tablet – and 36% own all three. Fueled in part by the rapid adoption of smartphones and tablets, the share of American adults who own a smartphone, computer and a tablet has doubled since 2012. At that time, only 15% of U.S. adults owned all three devices. The age group most likely to own multiple devices is 30- to 49-year-olds, half of whom report owning all three, according to our 2015 survey data. People who are more affluent and those with more formal education also are more likely to own multiple devices. Whites are a bit more likely than blacks to have all three gadgets, while men and women are equally likely to do so…”

Now do the same with textbooks!
Raspberry Pi Zero: The $5 computer has arrived
The Raspberry Pi Foundation has hit rock bottom. After years of working to lower the cost of hobbyist and educational computing, founder Eben Upton says it can go no further: at just $5 its latest creation is as cheap as it can make a computer.
The $5 Raspberry Pi Zero follows on from the wildly successful Raspberry Pi A, B and 2 computers, which cost $20 to $35.
But despite the staggeringly low price, it still has many of the same features, and runs about 40 percent faster than the Raspberry Pi 1.

Wednesday, November 25, 2015

Interesting. They are so concerned about security they looked into your device to make sure you were doing your part.
Amazon forces some customers to reset passwords
Amazon has forced an unknown number of account holders to change passwords that may have been compromised, just as it heads into one of the busiest shopping days of the year.
… The e-mail sent to affected users said that the company had "recently discovered that your [Amazon] password may have been improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party," according to ZDNet.

Which statement do we believe, they are investigating this article or they never comment on articles. Maybe this was leaked like the original data was leaked?
Andrea Shalal reports:
The U.S. Air Force is looking into how classified data about a competition for a next-generation U.S. bomber found its way into a report published by Forbes magazine, according to several sources familiar with the issue.
Boeing Co and Lockheed Martin Corp this month filed a formal protest against the Air Force’s contract with Northrop Grumman Corp to develop the new long-range strike bomber, a deal worth up to $80 billion.
Loren Thompson, chief operating officer of the Lexington Institute think tank, published a detailed column on the Forbes website the day the protest was filed, saying the estimate that it would cost $21.4 billion to develop the plane was roughly twice what the competing industry teams had bid.
The level of detail included in the column raised concerns given the classified nature of the bomber program, according to three of the sources.
Read more on Reuters.
[From Reuters:
"The Air Force does not comment on whether or not media articles might contain classified information," said Major Robert Leese, an Air Force spokesman.

Is this related to the Starwood breach I posted on Monday?
Hilton confirms malware accessed payment info at its hotels
If you've stayed at one of Hilton's hotels in the past year, you might want to check your credit card history. The chain has confirmed a report that malware compromised its payment systems, putting your data at risk. The intruders got in between November 18th and December 5th in 2014, and between April 21st and July 27th this year. The malware didn't expose home addresses or PIN codes, but it did get access to card numbers, security codes and names -- enough that hackers could potentially make purchases.
Hilton is quick to say that it eliminated the rogue code, and it's offering a year's worth of free credit monitoring if you're nervous. With that said, this is a story we've heard all too often: it's a belated warning (about two months after a third-party discovery) for data breaches that could have been devastating far earlier. While there's no guarantee that Hilton could have stopped the intrusions in the first place, it would have ideally notified travelers the moment it realized that something was wrong.

A conspiracy of juveniles? TalkTalk should be embarrassed.
From the Metropolitan Police:
A fifth person has been arrested in connection with the investigation into alleged data theft from TalkTalk.
On Tuesday, 24 November, detectives from the Metropolitan Police Service’s Cyber Crime Unit (MPCCU) and officers from Southern Wales Regional Organised Crime Unit executed a search warrant at an address in Llanelli, Wales.
The 18-year-old boy [E] was arrested at the address on suspicion of blackmail and taken into custody at a Dyfed Powys police station.
Detectives continue to investigate. Four other people have been arrested in connection with the investigation.

What logic?
Well, this is different. A jury actually found for a plaintiff who alleged snooping in her driver’s records – and awarded her damages that included penalizing the Marion County Sheriff’s Office for enabling the snooping. Nicki Gorny reports:
An Ocala woman did not suffer emotional distress when a former Marion County Sheriff’s Office deputy snooped on her driving record, an eight-person jury decided Thursday morning, but she is entitled to $10,100 in damages.
After approximately five hours of deliberation split between two days, the jury found that former deputy Clayton Thomas twice violated the federal Drivers Privacy Protection Act by pulling up Kellean Truesdell’s photograph on the Driver and Vehicle Information Database. The panel awarded her punitive and statutory damages:
• $100 in punitive damages against Thomas, punishing him for snooping
• $5,000 in punitive damages against MCSO, punishing the agency for enabling Thomas’ snooping through a “custom, policy or practice”
• $5,000 in statutory damages against Thomas and MCSO together, recognizing two violations of the federal statute in regard to Truesdell
So how did they manage to successfully hold the sheriff’s office responsible? It seems that Thomas had been caught misusing the DAVID database in 2012, resulting in a suspension of his access for two months. But:
When this suspension was lifted, Parmer emphasized, Thomas continued his DAVID searches with no oversight or repercussions.
The current sheriff is reportedly more proactive in auditing usage. [I'd call that managing. Bob]

Will Mattel notify anyone if the child talks about suicide or indicates she has been abused? If not, is there liability?
Joe Cadillic points to a “Hell No Barbie” post from Campaign for a Commercial-Free Childhood (CCFC):
“Prepare your daughter for a lifetime of surveillance with Hello Barbie, the doll that records children’s private conversations and transmits them to cloud servers, where they are analyzed by algorithms and listened to by strangers. Girls will learn important lessons, like that a friend might really be a corporate spy, and that anything you say can and will be used for market research.
Read more on CCFC and then read Joe’s own post about this topic on MassPrivateI.

Clever. You give me all your personal information and I'll give you a word cloud.
Paul Bischoff writes:
Lately, you’ve probably seen a couple of your Facebook friends post the results of a quiz app that figures out your most-used words in statuses. Or maybe you posted it yourself.
The “quiz,” created by a company called, has risen to over 16 million shares in a matter of days. It’s been written about in the Independent, Cosmopolitan, and EliteDaily. Sounds fun, right?
Wrong. That’s over 16 million people who agreed to give up almost every private detail about themselves to a company they likely know nothing about.
Read more on Comparitech.
[From the article:
The app, like many Facebook quiz apps, is a privacy nightmare. Here’s a list of the info quiz players have to disclose to
  • Name, profile picture, age, sex, birthday, and other public info
  • Entire friend list
  • Everything you’ve ever posted on your timeline
  • All of your photos and photos you’re tagged in
  • Education history
  • Hometown and current city
  • Everything you’ve ever liked
  • IP address
  • Info about the device you’re using including browser and language

Gosh, I don't want anyone to know about that! I admit I don't know the most requested sites – except Facebook.
European privacy requests for search removals
Total URLs that Google has evaluated for removal: 1,234,092 URLs
Total requests Google has received: 348,085 requests
… Of total URLs requested for removal from search results, these top ten sites account for 9%

The new toys just keep coming!
IBM Turns Up Heat Under Competition in Artificial Intelligence
Programmers of artificial intelligence software got a new tool to work with Monday, when International Business Machines Corp. announced that a proprietary program known as SystemML would be freely available to share and modify through the Apache Software Foundation.
… IBM is one of the three companies this year to make available proprietary machine-learning technology under an open-source license. Facebook Inc. in February, released portions of its Torch software, while Alphabet Inc.’s Google division earlier this month open-sourced parts of its TensorFlow system.

When is free not good? When you competitor does it? Given enough time, it is likely governments would offer services like this. Probably within 200 years…
Facebook expands controversial service in India
A controversial Facebook service offering free Web services in some parts of India will now be available across the country, CEO Mark Zuckerberg said in a Monday post.
The Free Basics service, offered through the nonprofit, allows customers on some wireless networks around the world to use certain services, free of charge. That service is now available to customers of Facebook’s local wireless partner in India, Reliance Communications.
“As of today, everyone in India nationwide can access free internet services for health, education, jobs and communication through's Free Basics app on the Reliance network,” Zuckerberg said.
… Activists contend that the service, because it could drive users to Facebook-provided applications, violates the principle of net neutrality, which dictates that all traffic on the Internet should be treated in the same way. That criticism has cost the company: local partners on the project dropped out after the net neutrality concerns were raised earlier this year.
Zuckerberg fought that argument at the time, saying that these “two principles — universal connectivity and net neutrality — can and must coexist.”

Oops! Why do we continue to believe that governments know how to handle technologies?
Bangladesh: Government 'mistakenly' cuts off internet
Officials announced on Wednesday that access to Facebook, Viber and WhatsApp had all been blocked in the wake of a Supreme Court ruling upholding death sentences for two men convicted of war crimes. But the country's Telecommunication Regulatory Commission says it accidentally cut off access to the internet across the whole country.
The web blackout started at around 13:00 local time and lasted at least 75 minutes, according to the Bangladeshi newspaper The Daily Star. "We restored the internet as soon as we realised the mistake," says Shahjahan Mahmood, the commission's chairman. The messaging services were blocked as originally planned in order to maintain security, he says.

(Related) At least they are trying – if they listen to him.
Jonathan Mayer, Well-Known Online Security Expert, Joins F.C.C.
Among privacy groups in the United States, Jonathan Mayer is known as a vocal advocate who has defended the right of consumers to turn off online tracking of their browsing activities.
Among digital security experts, Mr. Mayer is known, among other things, as the Stanford computer scientist who reported in 2012 that Google was bypassing privacy settings in Apple’s Safari browser by placing bits of code in digital ads that tracked the sites users visited. Google subsequently agreed to pay a $22.5 million fine to settle charges by the Federal Trade Commission that the company had misrepresented its privacy practices.
Now Mr. Mayer, 28, has a new handle: federal regulator.
On Tuesday, the Federal Communications Commission said it had hired Mr. Mayer as chief technologist in the agency’s enforcement bureau.
… The F.C.C. declined to comment on whether its enforcement bureau had opened investigations into reports by Mr. Mayer before he was hired by the agency.

Just saying. This will give Apple the ability to put Porky Pig's face on Donald Trump in real time.
Confirmed: Apple Acquired Real-Time Motion Capture Firm Faceshift
Faceshift's real-time motion capture work in the gaming and chat arena could be used for things like real-time avatars for FaceTime video chats, but there are also more serious applications such as biometrics for unlocking devices or authorizing payments through facial recognition techniques.

Only 6 weeks late!
Kim Dotcom extradition hearing reaches conclusion
… If, on the face of it, he rules there is some merit in the US government's charges and a case to answer, on the face of it, the quartet will be sent overseas.
However, should that be the case, an appeal of the District Court's decision would not be a surprise since the last three years have been dominated by legal wrangling in all New Zealand's jurisdictions.
… Mr Mansfield said Megaupload was an internet service provider and as such was covered by safe harbour provisions in the Copyright Act.
That was not a defence to the allegations but a complete bar from prosecution, he said.
The defence argued "Mr Dotcom's dream idea" was created in response to large attachments being unable to be sent via email and was "copyright neutral".
"What the US is effectively saying to internet service providers is: 'you need to actively investigate copyright infringement and stop it, because if you don't you'll not only be civilly liable but criminally liable'," Mr Mansfield said.

For my next Statistics class. Students have to interpret results for themselves.
Not Even Scientists Can Easily Explain P-values
… To be clear, everyone I spoke with at METRICS could tell me the technical definition of a p-value — the probability of getting results at least as extreme as the ones you observed, given that the null hypothesis is correct — but almost no one could translate that into something easy to understand.
… We want to know if results are right, but a p-value doesn’t measure that. It can’t tell you the magnitude of an effect, the strength of the evidence or the probability that the finding was the result of chance.
So what information can you glean from a p-value? The most straightforward explanation I found came from Stuart Buck, vice president of research integrity at the Laura and John Arnold Foundation. Imagine, he said, that you have a coin that you suspect is weighted toward heads. (Your null hypothesis is then that the coin is fair.) You flip it 100 times and get more heads than tails. The p-value won’t tell you whether the coin is fair, but it will tell you the probability that you’d get at least as many heads as you did if the coin was fair. That’s it — nothing more.

Tuesday, November 24, 2015

Worth passing along.
Dan Solove writes:
It is essential that children learn about data privacy and security. Their lives will be fully enveloped by technologies that involve data. But far too little about these topics is currently taught in most schools.
Fortunately, there is a solution, one that I’m proud to have been involved in creating. The Internet Keep Safe Coalition (iKeepSafe), a nonprofit group of policy leaders, educators, and various experts, has released the Privacy K-12 Curriculum Matrix.
Read more about this free resource on LinkedIn.

Includes some interesting math. Are they concerned about kamikaze drones? (If so, this is the wrong math)
FAA panel releases drone recommendations
The recommendations from an FAA task force released Monday would require all drones weighing a little more than half a pound — 250 grams or more — to contain an identifying number that can be traced back to an owner.
… The task force also recommended that the drone registration data be exempt from Freedom of Information Act requests.
… Kids would have to be at least 13 years old to register. People younger than that would have to get a parent or guardian to register.
Free registration would ideally be made online or through an app, according to the report.
After registering, people would receive a certificate with an ID number that would have to be affixed and visible on all drones they fly. In some cases, a drone’s serial number could be used as the ID number if operators choose to disclose that number.

Interesting. Does the FTC have anyone that looks outside of their own little world?
C. Ryan Barber reports that one week after the initial decision by Administrative Law Judge D. Michael Chappell in FTC v. LabMD, Michael Daugherty and LabMD filed a civil suit against three FTC attorneys involved in the case. The suit, which names Carl Settlemyer, Alain Sheer and Ruth Yodaiken as defendants, was filed Friday in U.S. District Court for the District of Columbia.
Barber writes:
Describing the FTC’s pursuit of LabMD as “illegal and unconstitutional,” Bailey & Ehrenberg partner Jason Ehrenberg based much of the suit on the agency’s interaction with Tiversa, a data security firm that came under congressional scrutiny last year over accusations that it hacked a LabMD computer and tried to blackmail the company.
“Every step of the way, the defendant FTC attorneys supported their actions with lies, thievery and testimony from a private company, Tiversa, whose business model was based on convincing companies to pay them to ‘recover’ files that, in truth, they hacked from computers all over the world,” Ehrenberg, who is representing LabMD and its owner, Michael Daugherty, wrote in the lawsuit.
Much of the complaint reiterates LabMD’s claims about Tiversa, Inc., and its CEO, Robert Boback, and takes the position that FTC complaint counsel knew — or should have known — that they were using fraudulent data. Further, the suit alleges, complaint counsel misled the commissioners to pursue what is described as a vindictive case and a conspiracy to deprive Daugherty and LabMD of their constitutional rights.
Read more about the lawsuit on National Law Journal. The FTC has not yet formally announced whether they will appeal Judge Chappell’s initial decision, although a statement made last week suggests that they are likely to.

I guess the court doesn't trust Google Translate.
Facebook privacy judgement 'waiting for translation'
The case, brought by the Belgian Privacy Commission (BPC), required the social network to stop tracking non-users immediately or face a fine.
It was handed down on 9 November and Facebook was given 48 hours to comply.
Facebook said it was negotiating with the BPC.
"We met with the BPC and provided them specific solutions addressing their concerns about our security cookie. This cookie helped us stop more than 33,000 account takeover attempts in Belgium in the last month, and similar cookies are used by most major internet services.
"We look forward to resolving this without jeopardising people's safe and secure access to Facebook," said Alex Stamos, chief security officer, in a statement.
A spokeswoman for the BPC told the BBC the judgement had yet to be formally served to Facebook because it is "waiting for an English translation" of the 33 pages.
The case hinged on a tracking cookie that Facebook has used for the last five years.

This looks even worse than it did initially.
Lawyer reveals details of arrest of ‘clock kid’ Ahmed, plans to file suit
Two months after “clock kid” Ahmed Mohamed made international headlines, new details of his controversial arrest emerged Monday in a letter his attorney has sent to school and city officials in Irving, Tex.
As many as seven adults teamed up to interrogate the 14-year-old boy after a teacher mistook his homemade clock for a bomb and pressured him to sign a confession, according to the “letter of demand” from his lawyer warning of plans to file a $15 million suit.

A Data Mining tool.
Social Media Tracker, Analyzer, & Collector Toolkit at Syracuse
by Sabrina I. Pacifici on Nov 23, 2015
“STACKS is an extensible social media research toolkit designed to collect, process, and store data from online social networks. The toolkit is an ongoing project via the Syracuse University iSchool, and currently supports the Twitter Streaming API. Collecting from Facebook public pages and Twitter search API are under development. The toolkit architecture is modular and supports extending.”
You can cite this repository: Hemsley, J., Ceskavich, B., Tanupabrungsun, S. (2014). STACK (Version 1.0). Syracuse University, School of Information Studies. Retrieved from DOI: 10.5281/zenodo.12388

Dig Up Old Social Posts with These 5 Tools
… We’ve shown you how to time travel through the brief history of the Internet, and how to find anything in your Facebook timeline. Today we’re going to look at a few tools that make it easier to find old Twitter and Reddit posts, then show you a way to browse your own personal past every day.

Perspective. Before the Internet, this number was always zero.
Google Received More Than 65 Million URL Takedown Requests In The Past Month
The number of URL copyright removal requests sent to Google continues to climb at a rapid rate. According to its latest transparency report data, Google received 15,659,212 URL takedown requests based on copyright infringement during the week of November 19, averaging 2.2 million requests per day.

A better way to point to a page. Some of my students need this – the ones who think everything is TL;DR
How to Link to a Specific Part of a Web Page
… Genius and TLDRify are useful web apps that let you annotate web pages much like the yellow highlighter pens that you would use on the printed page. The services let you highlight any paragraph or specific sentence on a web page and create direct deep links to the highlighted text. When people click the shared link, they see the original page but with the annotated text.
Genius is a music lyrics website but they also provide a web annotator to help you add context and commentary on any web page. The best part about Genius is that you don’t need to install any bookmarklets or browser extensions to use the annotator. Go to the browser’s address bar and add before the page URL.
… The next useful app in the category is TLDRify. Here you need a bookmarklet or a browser extension but there’s no need to sign-up for an account to annotate web pages. Also, unlike Genius which may show annotations left by other users on the same page, TLDRify links will only show your own highlights.
While you are on a web page, select any sentence or paragraph, click the TLDRify bookmarklet and it will create a deep link to the highlighted text. When people click the link, the browser will automatically scroll to the annotated text.

Monday, November 23, 2015

I find it interesting that there was no mention of how the malware got into all those terminals. Do we have hackers on a road trip? More likely, they are loading the malware as an update. And that is really disturbing from a security viewpoint.
54 Starwood Hotels Ransacked By Credit Card Gobbling Malware
Dozens of Starwood hotels around the country were hit with malware that enabled cyber thieves to access credit and debit card information from point of sale terminals. The malware affected a variety of locations on Starwood properties, including restaurants, gift shops, and other places where customers might have swiped a payment card.
A total of 54 Starwood hotels (PDF) fell prey to the malware, including places like the Walt Disney World Dolphin - A Sheraton Hotel in Orlando, Florida, and over a dozen Westin hotels spanning the continental U.S. and Hawaii.

If you don't have everything you need to steal money, try extorting it from your victims.
The opportunistic and empty threat that is data breach victim extortion
… Let me explain how these blackmail attempts work, what the extortionists are looking for and how they’re becoming an increasingly common thing in the wake of a major data breach. Oh – and we’ll see if anyone is actually paying the bastards as well.

It is possible, if you know who is doing it.
How to Opt-Out of Interest-Based Advertising and Stop the Ads from Following You
… To give you an example, if you search for ‘hotels in singapore’ on a travel website, you’ll see that almost every website you visit later will have ads around Singapore hotels. Whether you are reading news on CNN, checking out cooking videos on YouTube or reading your Facebook newsfeed, the ads are likely to be around the same theme – Singapore hotels.
In other words, the ads follow you on the Internet even after you have switched to a different website. Online advertisers, with the help of browser cookies, are able to track you across the web and serve relevant advertising.
If you would not like web companies to use your past online behavior to target ads on your computer, you do have an option to easily opt-out. Google, Microsoft, Yahoo, Facebook, Amazon and other web advertising networks offer simple ways to help you opt-out of targeted advertising.

Toss the baby with the bathwater? The whole purpose is to make the cards like cash. If the cards become a hassle, terrorists will go back to cash.
The Latest: France wants controls on prepaid bank cards
… The French government says it wants to tighten the rules on the use of prepaid bank cards as part of a crackdown on extremist financing.
Finance Minister Michel Sapin says the aim is to restrict the ability of extremists to use such cards for anonymous money transfers.
He says Europe-wide rules are needed to ensure the user's identity is checked when they apply for and use the cards.
Sapin said Monday that those who carried out the Nov. 13 attacks in Paris used prepaid cards. He didn't elaborate.

Ancient History Encyclopedia
by Sabrina I. Pacifici on Nov 22, 2015
Ancient History Encyclopedia is the global leader in ancient history content online, boasting the highest number of monthly visitors of any dedicated website… Our team of ten volunteers is passionate about history: We want to inspire our readers with the stories of the past, making history engaging and exciting. Here you’ll find high-quality articles, videos, interactive maps, and books on ancient history. All contributions are reviewed by expert volunteers who wish to share their knowledge. Ancient History Encyclopedia is entirely run by volunteers from all over the world. Our core team hails from the United States, the United Kingdom, Australia, Argentina, Germany, and Italy. We’re always looking for people from all walks of life to join our team.”

Amusing and I expect tomorrow's will be for the Democrats.
The Perfect Republican Stump Speech

Sunday, November 22, 2015

When is a hack not a hack? Perhaps it is when a hack allows social engineering resulting in an authorized individual taking an authorized action based on phoney authorization.
In September, it was reported that BitPay was suing its insurer, Massachusetts Bay Insurance Company, for reimbursement of $1.8M funds lost in a phishing attack in December 2014. Now the insurance company has moved to dismiss the suit. Stan Higgins reports:
However, in a 17th November court filing, MBIC has stated that it believes it was justified in rejecting BitPay’s claim, formally requesting the court to toss the suit.
At the heart of the dispute is whether the transfers in question were fraudulently executed.
Read more on CoinDesk, where they’ve uploaded the insurer’s response. It’s an interesting situation, because the criminals didn’t authorize the funds transfers – the BitPay executive did.

BitPay Sues Insurer After Losing $1.8 Million in Phishing Attack
… “The facts as presented do not support a direct loss since there was not a hacking or unauthorized entry into BitPay's computer system fraudulently causing a transfer of money. Instead, the computer system of David Bailey, BitPay's business partner, was compromised resulting in fictitious emails being received by BitPay."

Unlikely to suppress and impossible to remove the DA who delegated so it can't happen again? No wonder law enforcement shops for favorable judges.
Brad Heath and Brett Kelman report:
Prosecutors in the Los Angeles suburb responsible for a huge share of the nation’s wiretaps almost certainly violated federal law when they authorized widespread eavesdropping that police used to make more than 300 arrests and seize millions of dollars in cash and drugs throughout the USA.
The violations could undermine the legality of as many as 738 wiretaps approved in Riverside County, Calif., since the middle of 2013, an investigation by USA TODAY and The Desert Sun, based on interviews and court records, has found. Prosecutors reported that those taps, often conducted by federal drug investigators, intercepted phone calls and text messages by more than 52,000 people.
Read more on USA Today.
“Could undermine….” but how often do the courts just excuse conduct by saying law enforcement believed they could do what they did, and therefore, any motion to suppress is dismissed?

My Computer Security students will appreciate this. This has potential, let's see how they enforce it. The letter is very interesting!
H. Deen Kaplan, Harriet Pearson, Timothy Tobin, and Stephanie Handler write:
On November 9, 2015, Anthony Albanese, Acting Superintendent of the New York State Department of Financial Services (NYDFS), issued a letter to a wide array of federal and state financial services regulators that are part of the Financial and Banking Information Infrastructure Committee (FBIIC). The FBIIC members work together to enhance the reliability and security of financial sector infrastructure. Mr. Albanese’s letter outlines potential new cybersecurity regulations that would impact NYDFS-regulated financial institutions. The letter, which follows numerous steps taken by the NYDFS in recent years to better understand and mitigate cybersecurity risks, further positions the NYDFS as a leading regulator on cybersecurity issues in the U.S., particularly with respect to the financial sector. While no precise timeline was specified for enacting the potential regulations outlined, it appears likely that the NYDFS may formally propose comprehensive cybersecurity regulations in the months ahead.
Read more on Hogan Lovells Chronicle of Data Protection.

This could be a very big deal. (The next Big Thing?) I mentioned this last Thursday, but it needs some amplification. This is a much more in depth article.
Google App Streaming: A Big Move In Building “The Web Of Apps”
… Imagine if, in order to use the web, you had to download an app for each website you wanted to visit. To find news from the New York Times, you had to install an app that let you access the site through your web browser. To purchase from Amazon, you first needed to install an Amazon app for your browser. To share on Facebook, installation of the Facebook app for your browser would be required.
… For a short time before the web, it even seemed this was how online services would go. You had your AOL, your CompuServe, your Prodigy, your MSN — all online services that were disconnected from each other, some with unique content that could only be accessed if you installed (and subscribed to) that particular online service.
The web put an end to this. More specifically, the web browser did. The web browser became a universal app that let anyone open anything on the web. No need to download software for an online service. No need to download an app for a specific web site. Simply launch the web browser of your choice, and you could get to anything. Moreover, search engines like Google could point you anywhere, knowing you wouldn’t need to install any special apps.
The Disconnected World Of Apps
The growth of mobile and its app-centric world has been the opposite of the web. Until fairly recently, there’s been no seamless moving between apps. If you wanted New York Times news within an app environment, you had to download that app. If you wanted to interact with Facebook easily on mobile, you needed the Facebook app.
… Worse, there’s a small but growing number of app-only publishers and services. They have no web sites and thus nothing for Google or other search engines to point you at from mobile search results.
The Web Of Apps Begins
Wouldn’t it be nice if you could move between apps just as you do with the web? Major companies like Google, Apple, Facebook and Microsoft certainly believe so. That’s why over the past two years or so, they’ve all been pushing things like Google App Indexing, Apple Deep Linking & Universal Links, Facebook App Links and Bing App Linking.
For a general overview on these efforts, see our Marketing Land guide to app indexing and deep links. But the takeaway is that all these companies want to make it easier to go from any link — from a web page or within an app — and into another app, when appropriate.
… This is where Google’s big news today comes in. With app streaming, Google will effectively broadcast what you’re looking for within an app, without requiring you to download it at all. There’s no need to worry about whether you want to invest the time and bandwidth downloading some app for a one-time use. If it works as promised, you’ll be able to browse within apps with the same type of experience that you browse web pages.

Might be a fun writing class. Also might be a place for some of my students to sell their papers, which are clearly in the comedy genre.
Amazon Studios Launches Amazon Storywriter, Free Cloud Software For Screenwriters
In an effort to expand its original video content, including movies and TV series, Amazon announced this morning the launch of a free, cloud-based screenwriting software program called Amazon Storywriter. In addition, the company says it’s expanding to include drama submissions, and will no longer take a free option on scripts submitted to the Amazon Studios website, allowing WGA members to upload directly to the site.