Saturday, December 05, 2015

I also thought this a bit strange. Not least because journalists claimed law enforcement was “done with” the apartment. What if this is not exactly what everyone thinks it is?
Jed Bracy reports on what was a “WTF?!” moment for anyone watching MSNBC or CNN today.
It seems as though the world is getting more chaotic by the minute. There have been awful terrorist attacks around the world, seemingly unabated – from Egypt to Paris to Mali to San Bernardino.
And it appears that chaos is infecting the news media.
On Friday, reporters from CNN and MSNBC openly rummaged through the now-deceased San Bernardino attackers’ home like eager shoppers on Black Friday.
TV journalists gain unprecedented access to shooting suspect’s apartment.
— Matthew Keys (@MatthewKeysLive) December 4, 2015
Live on TV for everyone to see, reporters unapologetically let the world into this home – a crime scene – sharing baby pictures, clothing, contents of their refrigerator.
And get this: passports, work IDs and even a California state driver’s license.
Read more on IAPP.

I know just who to nominate! I'll send Barack an email as soon as I'm done blogging.
Tara Seals reports:
The White House has announced plans to establish a new Federal Privacy Council, which will serve as an ecosystem for strategic thinking on privacy implementation.
It will serve as a central place to coordinate and share ideas, best practices and successful approaches for protecting privacy across the government, “bringing together the best minds we have to tackle the cutting-edge privacy issues of the digital era,” according to Shaun Donovan, director of the White House Office of Management and Budget.
The Council will also develop guidance, standards and best practices to serve as a road map to successful implementation, starting with updating privacy guidance at OMB over the next several months.
Read more on InfoSecurity Magazine.

Censorship. Sounds much more useful than it actually is.
Social media censorship in Bangladesh hints at long-term problems for publishers
Two weeks have passed since the government in Bangladesh blocked access to Facebook, WhatsApp, Viber, and other social media sites. In Dhaka, some people have crowded into hotel lobbies to access private networks, while others are gaining access through proxy servers. The reason for the ban, according to the government, has to do with security, in light of the recent terrorist attacks and local political violence, but there is concern that it’s part of a creeping pattern of censorship that’s having a negative impact on publishers, especially after the temporary block in January and reports of journalists being harassed.

I think all the fuss over encryption is helping sell encryption software.
Open Whisper Systems Launches Encrypted Messaging App for Desktop
Open Whisper Systems, the group behind the Signal secure communication application for Android, this week announced the release of their encrypted messaging application for desktop computers.
The new Signal Desktop software is now available in beta as a Chrome application, designed to constantly stay connected with a phone, so that all incoming and outgoing messages are available on all devices at all times. The same as the Signal app for Android and iOS devices, Signal Desktop offers end-to-end encryption, offering support for free private group, text, picture, and video messages.
Once enabled, Signal Desktop enables users to seamlessly continue conversations back and forth between their mobile devices and a desktop computer, as all messages will be available instantly when switching to another device. Signal Desktop beta comes only with support for linking to the Android application, with iOS support expected to follow.

This has probably been suggested several times, but if it ever actually happens, we will still wonder, “why didn't someone think of this years ago?”
The Cloud Catalog: One Catalog to Serve Them All
by Sabrina I. Pacifici on Dec 4, 2015
The Cloud Catalog: One Catalog to Serve Them All – By Steve Coffman
“As a whole, public libraries are the single largest supplier of books in the U.S. No single other outlet can compete with public libraries—not Amazon, not Barnes & Noble, not Walmart or Costco, not all your local bookstores. But you’d never know it to look at us on the web.

Stupidity: Regular as clockwork.
Hack Education Weekly News
… “Education Dept CIO comes under fire from Congress for major security loopholes,” says EdScoop, which notes the department had 91 data breaches this year.

Yes, I'm old. But I rarely start sentences, “Back in my day...”
5 Online Radios That Travel Through Space and Time
… We’ve shown you where to find unlimited online radio; here’s how to travel in time through that free radio and find exactly what you’re looking for.
Some Station Somewhere Is Playing Your Song
Radiooooo: Music from Any Decade/Nation Combination
Rewind Radio: Travel to Radio Stations from Past Decades
Magic Transistor Radio: Open and Enjoy Some Early Rock
Old Radio World: Archive of Old Radio Shows and Broadcasts
Or, if nothing here satisfies you, why not start your own online radio station and create something that does?

Friday, December 04, 2015

To pay, or not to pay – that is the question
Whether 'tis cheaper in the long run to suffer
The slings and arrows of outraged customers
Or to take arms against a sea of hackers
And by opposing end them.
Kevin Collier reports that “Hacker Buba,” the individual who allegedly hacked InvestBank in the UAE, has made good on his threat to dump customer bank data if the bank didn’t pay his extortion demand.
The means by which that information was posted is striking. Hacker Buba initially tweeted from accounts like @investbank_2, though those were quickly deleted. But late Tuesday night and then again on Wednesday, approximately 50 seemingly unrelated Twitter accounts began tweeting the same message, which included both the name Invest Bank and a link to a site, signed Hacker Buba, that had six zip files purporting to contain that vast bank information.
Read more on Daily Dot.
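The detail worth noticing in that report is the distribution channel: roughly fifty unrelated accounts posting one identical message inside a short window is the signature of hijacked or purchased accounts, and it is cheap to detect. The following is an added example written for this page, not code from the Daily Dot piece or from anyone involved; it groups posts by normalized text and flags any message posted by at least three distinct accounts within a fifteen-minute sliding window. The accounts, timestamps and text are constructed, and the link is deliberately unresolvable.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample posts for this page's example; the accounts, times and
# text are made up and the link is deliberately unresolvable.
SAMPLE_POSTS = [
    # (account, ISO-8601 timestamp, text)
    ("sports_fan_22", "2015-12-02T23:41:05", "Invest Bank data is out http://example.invalid/x - Hacker Buba"),
    ("recipe_daily", "2015-12-02T23:41:40", "Invest Bank data is out http://example.invalid/x - Hacker Buba"),
    ("travelgram_x", "2015-12-02T23:43:12", "Invest Bank data is out  http://example.invalid/x - Hacker Buba"),
    ("pixel_painter", "2015-12-02T23:52:00", "INVEST BANK data is out http://example.invalid/x - Hacker Buba"),
    ("sports_fan_22", "2015-12-03T08:10:00", "great game last night"),
    ("newsbot_a", "2015-12-02T23:00:00", "Weather: light rain expected tomorrow"),
    ("newsbot_b", "2015-12-02T23:00:05", "Weather: light rain expected tomorrow"),
    ("lone_wolf", "2015-12-04T10:00:00", "Invest Bank data is out http://example.invalid/x - Hacker Buba"),
]


def normalize(text):
    """Case-fold and collapse whitespace so trivially varied copies still match."""
    return " ".join(text.lower().split())


def find_coordinated_clusters(posts, min_accounts=3, window=timedelta(minutes=15)):
    """Return groups of identical messages posted by at least `min_accounts`
    distinct accounts inside a sliding `window`. Each cluster lists the
    accounts to triage (likely hijacked) and the time span of the burst."""
    by_text = defaultdict(list)
    for account, stamp, text in posts:
        by_text[normalize(text)].append((datetime.fromisoformat(stamp), account))

    clusters = []
    for text, entries in by_text.items():
        entries.sort()
        best = None
        start = 0
        for end in range(len(entries)):
            # Advance the window's left edge until the span fits inside `window`.
            while entries[end][0] - entries[start][0] > window:
                start += 1
            accounts = {acct for _, acct in entries[start:end + 1]}
            if len(accounts) >= min_accounts and (
                best is None or len(accounts) > len(best["accounts"])
            ):
                best = {
                    "text": text,
                    "accounts": sorted(accounts),
                    "first": entries[start][0].isoformat(),
                    "last": entries[end][0].isoformat(),
                }
        if best:
            clusters.append(best)
    return clusters


if __name__ == "__main__":
    for cluster in find_coordinated_clusters(SAMPLE_POSTS):
        print(cluster)
```

On the constructed input only the leak message is flagged: four accounts inside eleven minutes, while the two weather bots fall under the threshold and the straggler two days later falls outside the window. In practice the threshold and window are tuned per platform, and the accounts in a cluster are the ones to check for credential reuse or token theft.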

This is very good news for my video game playing students. It will allow them to indulge their wildest fantasy without fear. But, I guess we'll need to re-think Acceptable Use policies… We can still fire employees who don't play well with others.
Jamie Williams writes:
The United States Court of Appeals for the Eleventh Circuit issued an opinion rejecting the government’s attempt to hold an employee criminally liable under the federal hacking statute—the Computer Fraud and Abuse Act (“CFAA”)—for violating his employer-imposed computer use restrictions. The decision is important because it ensures that employers and website owners don’t have the power to criminalize a broad range of innocuous everyday behaviors, like checking personal email or the score of a baseball game, through simply adopting use restrictions in their corporate policies or terms of use.
Read more on EFF.
[From the Article:
The case, United States v. Gilberto Valle, received a lot of attention in the press because it involved the so-called “cannibal cop”—a New York City police officer who was charged with conspiracy to kidnap for posts he wrote on fetish websites about cannibalism. Valle was also charged with violating the CFAA for accessing a police database to look up information about people without a valid law enforcement purpose, in violation of NYPD policy. [This is very common! Bob] The jury convicted Valle on all counts, but the trial court reversed the jury’s conspiracy verdict, stating that “the nearly yearlong kidnapping conspiracy alleged by the government is one in which no one was ever kidnapped, no attempted kidnapping ever took place, and no real-world, non-Internet-based steps were ever taken to kidnap anyone.” The trial court ultimately found that holding Valle guilty of conspiracy to kidnap would make him guilty of thoughtcrime.
… The Second Circuit also upheld the trial court’s decision to throw out the conspiracy conviction, as we had urged in a second amicus brief filed in the case, holding that “[t]he mere indulgence of fantasy, even of the repugnant and unsettling kind here, is not, without more, criminal.”

Let's see how well this goes. Who did they learn this from? Oh, yeah, Russia.
Kazakhstan will force its citizens to install internet backdoors
In less than a month, Kazakhstan will begin enforcing a new law that requires every internet user in the country to install a backdoor, allowing the government to conduct surveillance.
In a brief statement (translated), KazakhTelecom, the country's largest telecom, said citizens are "obliged" to install a "national security certificate" on every device, including desktops and mobile devices.
This allows the government to conduct a so-called "man-in-the-middle" attack, which allows the government to intercept every secure connection in the country and snoop on web browsing history, usernames and passwords, and even secure and HTTPS-encrypted traffic.
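The “national security certificate” described above is a CA certificate added to each device's trust store. Once it is trusted, a proxy holding the matching private key can issue a certificate for any site a user visits and the browser will accept it without complaint, which is what makes the interception possible. The practical check is therefore to diff the trust store against a known baseline. The following is an added example written for this page, not code from the article or from KazakhTelecom; it assumes the dict shape that Python's ssl.SSLContext.get_ca_certs() returns, and the baseline and the sample store are constructed values, not the real serials of any CA.

```python
import ssl

# Baseline of trust anchors the organisation expects, keyed by
# (subject commonName, serialNumber). Constructed values for this example,
# not the real serials of any CA.
KNOWN_ROOTS = {
    ("Example Global Root", "0A1B2C"),
    ("Example Root CA 2", "7F00"),
}

# Constructed store in the dict shape returned by ssl.SSLContext.get_ca_certs():
# a legitimate root, an intermediate it issued, and a self-signed root that
# was never in the baseline (the kind of anchor a mandated install adds).
SAMPLE_STORE = [
    {"subject": ((("commonName", "Example Global Root"),),),
     "issuer": ((("commonName", "Example Global Root"),),),
     "serialNumber": "0A1B2C"},
    {"subject": ((("commonName", "Example Issuing CA"),),),
     "issuer": ((("commonName", "Example Global Root"),),),
     "serialNumber": "1234"},
    {"subject": ((("countryName", "KZ"),), (("commonName", "National Security Certificate"),)),
     "issuer": ((("countryName", "KZ"),), (("commonName", "National Security Certificate"),)),
     "serialNumber": "01"},
]


def common_name(name):
    """Pull commonName out of the tuple-of-RDN form the ssl module uses for names."""
    for rdn in name:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def audit_roots(certs, known=KNOWN_ROOTS):
    """Return the self-signed anchors in `certs` that are not in `known`.
    Intermediates are skipped: only a trust anchor can vouch for a forged
    certificate for every site, which is what an interception proxy needs."""
    unexpected = []
    for cert in certs:
        if cert.get("subject") != cert.get("issuer"):
            continue  # issued by something else: an intermediate, not an anchor
        key = (common_name(cert["subject"]), cert.get("serialNumber"))
        if key not in known:
            unexpected.append(key)
    return unexpected


def audit_system_store(known=KNOWN_ROOTS):
    """Same check against the roots Python loads from the local system store."""
    ctx = ssl.create_default_context()
    return audit_roots(ctx.get_ca_certs(), known)


if __name__ == "__main__":
    print("unexpected roots in sample store:", audit_roots(SAMPLE_STORE))
```

Two caveats for real use. Subject and serial are chosen by whoever mints the certificate, so a production baseline should key on the SHA-256 fingerprint of the DER bytes (get_ca_certs(binary_form=True) hashed with hashlib) rather than on names. And get_ca_certs() only reports anchors that the context has actually loaded, so point it at the store you care about with load_verify_locations(); browsers that keep their own store, such as Firefox, have to be audited separately.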

This is the “Serve” part of the job.
Bellingham police create an Internet exchange zone for online buyers, sellers
There's no doubt that buying and selling goods on the Internet can be sketchy, especially when you have to meet that seller on Craigslist to make the transaction in person. But a lot of people do it anyway — at the bank, the local Starbucks, you name it. In some areas, however, you can make exchanges at a police station.
Police departments across the country are setting up designated locations where buyers and sellers can meet. The latest to do this is the Bellingham Police Department in Bellingham, Mass., which posted a sign outside its facility on Nov. 30.
… Bellingham PD also wanted to follow suit with nearby police departments that have started creating exchange points during the past few months. Bellingham PD's spot is just outside the department where video cameras are monitoring the area 24/7.

This is what we're pointing out that ISIS does so well. Is there no counter measure?
Using Social Media in Business Disputes
Large companies frequently exploit their vastly superior legal resources and capabilities to the disadvantage of smaller competitors. Frequently, the mere threat of litigation and the prospect of an expensive, prolonged lawsuit is all that is necessary to persuade a smaller business to acquiesce to the larger competitor’s legal demands. However, I have recently studied an emergent defensive strategy that turns the tables on large companies when they legally threaten smaller enterprises. The approach involves soliciting public support, typically through social media and public relations, in hopes of achieving a favorable outcome. I call this technique “lawsourcing.”1

The future or now? The book is already in my local library so no waiting.
Digital Immortality and the Future of Humanity
A new book by Martine Rothblatt, Co-CEO and Chair of United Therapeutics, envisions a mind clone — a digital copy of your mind outside your body — that can go on living after you are gone. But the book is not science fiction; it is a nonfiction book by someone who has been a technological innovator. … Today, United Therapeutics is focused on developing an endless supply of manufactured organs.

Google's Chromebooks make up half of US classroom devices
Google, Microsoft and Apple have been competing for years in the very lucrative education technology market. For the first time, Google has taken a huge lead over its rivals.
Chromebooks now make up more than half of all devices in U.S. classrooms, up from less than 1 percent in 2012, according to a new report from Futuresource Consulting. To analysts, this comes as a big surprise.

Apple's Swift programming language is now open-source
At WWDC in June, Apple announced it would be open-sourcing its Swift programming language by the end of the year. Well, it's the first week of December and Apple kept its promise: Swift is now open source.
… Apple has set up as the main hub for the Swift open-source community. This website will contain the mailing lists, reporting tools, tutorials, documentation, blogs and binary downloads for OS X and Linux.
But what's an open-source project without a Github profile? Nothing, so Apple is putting its public source-code repositories for Swift on Github at

Could be very useful and probably very contentious in some areas.
Project to Annotate All Knowledge
by Sabrina I. Pacifici on Dec 3, 2015
“As accessing information becomes less challenging for most of the world, new problems emerge. Discovering, evaluating, and most importantly, connecting relevant knowledge is overwhelming. There hasn’t been a way to bridge the chasm between isolated communities with their specific knowledge base and the rest of us – until now! launched a mission driven coalition: “annotating all knowledge” and SSRN is proud to be one of the founding members. Their recent blog post states the coalition members “realize that a robust and interoperable conversation layer can transform scholarship, enabling personal note taking, peer review, copy editing, post publication discussion, journal clubs, classroom uses, automated classification, deep linking, and much more… was created to build a layer of conversation over any online content. They are only one of the players in this movement (and very intentionally so). The conversations can be broad or extremely granular but they focus on the content itself instead of the system or tool being used to view and manipulate it. This means and other platform users are not limited by the functionality, resources, or breadth of a single provider.”

Thursday, December 03, 2015

Every technology that believes it is “new” thinks first about “selling features.” Why no one considers security a selling feature is beyond me. “Always bet on ignorance and intellectual laziness!”
Why VTech Breach is So Bad - and So Avoidable
The data breach involving Hong Kong toymaker VTech highlights a growing concern over manufacturers selling many more devices that are Internet-connected, yet apparently failing to safeguard those devices – and related information that gets collected and stored – against even the most rudimentary types of online attacks
… The apparent severity of the breach at VTech, which reported an annual revenue of $1.9 billion earlier this year, has continued to increase since the company first confirmed Nov. 27 that it had been breached, with the latest count of breach victims hitting 11.2 million people. In its most recent breach notification, released Dec. 2, the company says that on Nov. 14, "an unauthorized party accessed VTech customer data" connected with the databases and servers behind these services:
… Hong Kong's privacy commissioner, as well as attorneys general in multiple U.S. states, have said they are probing the breach.

(Related) Those who do not study history security best practices are doomed to repeat it.
More Trouble For VTech -- Kids Tablet Is 'Easy' To Hack
VTech is having a quite abysmal week following a hack that exposed data on 6.4 million children and 4.8 million adults. Not only has its stock price dipped to a year low, security researchers have found two glaring vulnerabilities in its InnoTab Max tablet for kids, and it is refusing to answer questions on whether it even has a security team.
Ken Munro, who heads up consultancy Pen Test Partners, discovered the issues with the InnoTab within a day. It was simple to find the flaw because it’s been known for more than two years.
… There have been numerous signs VTech hasn’t paid enough attention to security. First, the hack itself, according to a Vice Motherboard report, was perpetrated with an age-old technique – SQL injection – that firms should be prepared for. It was storing most data, including children’s images and chat messages with parents, in unencrypted fashion. Its website was not protected with SSL web encryption. And its Android application used by parents to chat with their children was said to be vulnerable.
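The “age-old technique” is worth seeing next to its fix, because the fix is a one-line change. The following is an added example written for this page, not VTech's schema, data or code; it uses Python's built-in sqlite3 against a constructed three-row table standing in for a parent-account table, runs the same lookups through a concatenated query and a parameterized one, and shows what a tautology payload and a UNION payload each pull out of the vulnerable version.

```python
import sqlite3

# Constructed sample rows standing in for a parent-account table.
# Illustration written for this page; not VTech's schema, data or code.
SEED_ROWS = [
    (1, "alice@example.com", "hash-a1", "Alice"),
    (2, "bob@example.com", "hash-b2", "Bob"),
    (3, "carol@example.com", "hash-c3", "Carol"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE parents (id INTEGER PRIMARY KEY, email TEXT, "
        "pw_hash TEXT, name TEXT)"
    )
    db.executemany("INSERT INTO parents VALUES (?, ?, ?, ?)", SEED_ROWS)
    return db


def lookup_vulnerable(db, email):
    """The bug: user input is pasted into the statement text, so a quote in
    the input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT id, email, name FROM parents WHERE email = '%s'" % email
    return db.execute(sql).fetchall()


def lookup_parameterized(db, email):
    """The fix: the value travels as a bound parameter. Whatever it contains,
    it is compared against the column and can never change the query shape."""
    sql = "SELECT id, email, name FROM parents WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups against a normal address and two classic payloads."""
    db = make_db()
    normal = "alice@example.com"
    # Tautology: turns a one-row lookup into a dump of the whole table.
    bypass = "x' OR '1'='1"
    # UNION: pulls a column the query never selected (the password hashes);
    # the trailing -- comments out the closing quote the template adds.
    union = "x' UNION SELECT id, pw_hash, name FROM parents --"
    return {
        "vuln_normal": lookup_vulnerable(db, normal),
        "vuln_bypass": lookup_vulnerable(db, bypass),
        "vuln_union": lookup_vulnerable(db, union),
        "safe_normal": lookup_parameterized(db, normal),
        "safe_bypass": lookup_parameterized(db, bypass),
        "safe_union": lookup_parameterized(db, union),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:12s} -> {rows}")
```

Against the vulnerable lookup the tautology returns every row and the UNION returns every password hash in the email column; against the parameterized lookup both payloads return nothing, because they are simply addresses that no account has. Hashing is a separate question; the article notes VTech stored much of its data unencrypted, and parameterized queries do nothing about that.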

The continuing joy of data breaches.
Target in $39.4 million settlement with banks over data breach
Target Corp has agreed to pay $39.4 million to resolve claims by banks and credit unions that said they lost money because of the retailer's late 2013 data breach.
The settlement filed on Wednesday resolves class-action claims by lenders seeking to hold Target responsible for their costs to reimburse fraudulent charges and issue new credit and debit cards.
… Target reached a similar accord with MasterCard in April, but it was rejected the next month when card issuers deemed the sum too low.
… Earlier this year, Target agreed to pay Visa Inc card issuers as much as $67 million over the breach and reached a $10 million settlement with shoppers. The latter accord won court approval last month.
Last week, Target said it had spent $290 million related to the breach, and expected insurers to reimburse $90 million. It still faces shareholder lawsuits, as well as probes by the Federal Trade Commission and state attorneys general, over the breach.

Almost exactly what my Computer Security students concluded would happen. Perhaps this is easier than giving their hackers a bad performance review?
If I knew emojis, I’d include one for “highly skeptical” to accompany this story. Ellen Nakashima reports:
The Chinese government recently arrested a handful of hackers it says were connected to the breach of Office of Personnel Management’s database earlier this year, a mammoth break-in that exposed the records of more than 22 million current and former federal employees.
The arrests took place shortly before a state visit in late September by President Xi Jinping, and U.S. officials say they appear to have been carried out in an effort to lessen tensions with Washington.
The identities of the suspects — and whether they have any connection to the Chinese government — remain unclear.
Read more on Washington Post.

For my Forensics students.
Orin Kerr writes:
On Tuesday, the 11th Circuit handed down a new computer search decision, United States v. Johnson, that both sharpens and deepens the circuit split on how the private search doctrine of the Fourth Amendment applies to computers. Johnson isn’t a likely candidate for Supreme Court review. But it does leave the private search doctrine in computer searches ripe for Supreme Court review in other cases working their way through the courts.
Read more on The Volokh Conspiracy.
[From the article:
Because the Fourth Amendment applies only to the government and its agents, the Fourth Amendment is not triggered when private parties not associated with the government conduct searches. When a private party conducts a search and finds evidence of crime, the private party often goes to the police and voluntarily shows the police what she has found. The Supreme Court uses what I have called the “private-search reconstruction” doctrine to regulate what the police are allowed to see without a warrant. The police can reconstruct the private party search, seeing what the private party saw, but they can’t exceed the search the private party conducted.
On to the important legal question: When a private party searches a computer, sees a suspicious file and reports the finding to the police, what kind of government search of the computer counts as merely reconstructing the private search and what kind of search counts as exceeding the private search?
… In 2005, the 5th Circuit ruled that the entire computer was searched. In 2012, the 7th Circuit agreed with the 5th Circuit that the entire computer was searched. In May, the 6th Circuit handed down a ruling concluding that the unit should be data or the file, so that government observation of anything not actually viewed by the private party exceeds the scope of the private search.
The new case, Johnson, also adopts the data or file approach — thus deepening the 2-1 split into a 2-2 split.

I doubt this is what Belgium had in mind.
Facebook will block Belgians without accounts from access to its content
Facebook has outlined its plans to follow a court ruling in Belgium requiring it not to track people who do not have accounts on the social networking website.
The company said it was giving the details ahead of the order being served on it by the Belgian Privacy Commission, which is expected later this week.
Among the steps Facebook plans to take is to require people without Facebook accounts in Belgium to create accounts and log in to the social networking website before they can see its publicly available pages and other content, the company said.
"Today, anyone can see Facebook pages for small businesses, sports teams, celebrities and tourist attractions without logging into Facebook—typically found using a search engine," a Facebook spokesman said in an email.
… The dispute largely hinges around Facebook's use of a special cookie called 'datr' that it claims helps it distinguish between legitimate and illegitimate visits to its website, and identifies browsers and not individuals. Facebook claims that by using the security cookie it protected Belgian people from more than 33,000 takeover attempts in the past month.

I think they have a point! (Do we need a division of marketers?)
The ‘Soft Power’ War ISIS Doesn’t Want
For too long, ISIS’ digital influence in social media has gone largely unchecked. We have failed to match their commitment to content, imagery, emotion and reach. (President Obama describes them as “killers with good social media” who recruit in “far flung” places.) In the wake of the Paris attacks and our response, ISIS has “upped” their online game of intimidation and terror.
… In the first 24 hours following the attacks on Paris, there were hundreds of thousands of celebratory tweets from supporters of ISIS. An estimated 50,000 Twitter accounts — each having thousands of followers — streamed photo essays, audio, video, news bulletins and theological writings.
Remarkably, there was no organized response from the West or majority of Muslim countries.

If you don't want to do something, don't say you will!
… Internet provider Cox Communications is facing a lawsuit from BMG Rights Management which accuses the ISP of failing to terminate the accounts of subscribers who frequently pirate content.
BMG claimed that Cox gave up its DMCA safe harbor protections due to this inaction, something District Court Judge Liam O’Grady agreed on last week in a summary judgment.
… “The record conclusively establishes that before the fall of 2012 Cox did not implement its repeat infringer policy. Instead, Cox publicly purported to comply with its policy, while privately disparaging and intentionally circumventing the DMCA’s requirements,” the memorandum (pdf) reads.

Let the debate begin!
Google Calls Out EFF Over Bogus Claims That It Snoops On Students With Its Chromebooks
… "EFF bases this petition on evidence that Google is engaged in collecting, maintaining, using, and sharing student personal information in violation of the 'K-12 School Service Provider Pledge to Safeguard Student Privacy' (Student Privacy Pledge), of which it is a signatory,” alleged the EFF in its initial FTC complaint.
Google takes such allegations very seriously, and has thus responded to every claim brought forth by the EFF. “While we appreciate the EFF’s focus on student data privacy, we are confident that our tools comply with both the law and our promises, including the Student Privacy Pledge, which we signed earlier this year,” said Jonathan Rochelle, the Director of Google Apps for Education.
With respect to Google Apps for Education Core Services (GAFE), Rochelle asserts that all student data stored is “only used to provide the services themselves” and that student data isn’t used for advertising purposes, nor are ads served to students.

For my students. See, It's not just the big guys. Use it just to annoy the FBI director?
Encrypted messaging app Signal now available for desktops
The much-lauded encryption app Signal has launched a beta program for a desktop version of the app, which will run through Google's Chrome browser.
Signal Desktop is Chrome app that will sync messages transmitted between it and an Android device, wrote Moxie Marlinspike, a cryptography expert who had helped develop Signal, in a blog post on Wednesday.
… Signal Desktop won't be able to sync messages with iPhone just yet, although there are plans for iOS compatibility, Marlinspike wrote. It also won't support voice initially.
Signal, which is free, has stood out in a crowded field of encrypted messaging applications, which are notoriously difficult to engineer, and has been endorsed by none other than former U.S. National Security Agency contractor Edward Snowden. [Paid endorsement? Bob]
… Open Whisper Systems itself can't see the plain text of messages or get access to phone calls since it doesn't store the encryption keys.
Signal is open source, which allows developers to closely inspect its code.

Local news.
Uber is partnering with Enterprise Rent-A-Car, and—as the slogan goes—they’ll pick you up! By “they” I mean the poor schmucks who sign up to pay around $1000 a month to work for Uber.
The pilot program, which launched in Denver, gives people access to a discounted rental car at $210 a week, plus taxes and fees.
… In addition to the base payments, drivers will have to pay a $500 refundable deposit and a $40 sign-up fee. If they go over 2800 miles a month (90 miles a day) there’s also an additional $0.25 per mile fee tacked on.

Amazon Dominated 36% of Online Black Friday Sales, Says Slice
Slice Intelligence, which gathers e-commerce data from receipts linked to its Slice package tracking app, tells TechCrunch that Amazon dominated online Black Friday sales, accounting for 35.7 percent in e-commerce spending on November 27. A distant second, Best Buy brought in 8.23 percent of total online revenue, followed by Macy’s at 3.38 percent, Walmart at 3.35 percent and Nordstrom at 3.11 percent.

For my students… Please.
Quickly Improve Your Handwriting with These Fantastic Resources

Wednesday, December 02, 2015

Another breach where the numbers have grown far beyond the initial estimate guess. My initial post on Nov. 28 quoted, “nearly 5 million parents and more than 200,000 children.”
6.4m kids - Vtech hack in numbers
Children's toy company Vtech announced it was hacked last week - with millions of children's accounts accessed.
The stolen data includes names and addresses, as well as, reportedly, pictures and chat logs.
Vtech says it is still investigating the full extent of the hack.
On Tuesday, the company shared more information about the breach.
It admitted: "Our database was not as secure as it should have been."
Here's what we now know:
6,368,509 children's accounts affected
4,854,209 parental accounts accessed
Countries most affected:
- USA (2,894,091 children)
- France (1,173,497)
- UK (727,155)

In total, 16 "countries" are affected - Vtech lists Latin America as a single country, so the actual number is unclear.

If someone is pretending to be China, should we expect the Chinese to track them down and stomp on them? Would the US do that?
Chris Uhlmann reports:
China is being blamed for a major cyber attack on the computers at the Bureau of Meteorology, which has compromised sensitive systems across the Federal Government.
Multiple official sources have confirmed the recent attack, and the ABC has been told it will cost millions of dollars to plug the security breach, as other agencies have also been affected.
The bureau owns one of Australia’s largest supercomputers and provides critical information to a host of agencies.
China denies any involvement in the attack:
“As we have reiterated on many occasions, the Chinese government is opposed to all forms of cyber attacks,” Chinese foreign ministry spokeswoman Hua Chunying said.
Read more on ABC (AU).

(Related) Something for my Computer Security students to ponder.
Chased by the Dragon: Containment is the New Detection
... Visiongain estimates today’s cybersecurity market to be worth $75B worldwide and Gartner estimates it will grow to $100B+ by 2018, a CAGR of roughly 10 percent. Contrast that with overall IT spending, which is crawling along with an annual growth rate in the low single digits.
Perhaps the singular focus on detecting cyber incursions is not the answer.
Perhaps a coequal focus on containing attacks after they occur is equally as important.
If we have learned one thing in the past few years, relying exclusively on detection technologies such as IDS and APT will cause significant problems. We must also look at how attacks spread laterally and remain active over extended periods of time, especially in data center and cloud environments. It is now time to prioritize visibility and containment, augmenting the priority of looking for suspicious and anomalous communications to the attack surface.
A recent SANS Institute survey, The State of Dynamic Data Center and Cloud Security in the Modern Enterprise Survey and Research Report, underscores that most IT professionals are unhappy with the level of visibility and containment provided by the traditional tools they use to monitor traffic between data centers and internal or external clouds. Nowhere is this more evident than in the time these technologies take to stop and contain breaches: fewer than 50% of breaches are detected and contained within 24 hours.

It is hard to explain technology to juries, particularly when lawyers try to do it.
Molly Willms reports on a case before the U.S. Supreme Court that touches on “exceeding authorized access” under CFAA:
The confusion that plagued a jury in a computer hacking trial has followed the case all the way to the U.S. Supreme Court, where hypotheticals and technical questions abounded during oral argument Monday.
Michael Musacchio was convicted in May 2013 of one felony count of conspiracy to make unauthorized access to a protected computer and two felony counts of hacking. He was sentenced to 63 months in prison.
The jury in Musacchio’s case received the erroneous instruction that it had to find proof that he had accessed a private computer without authorization and exceeded his authorized access, according to the Fifth Circuit ruling. The jury found him guilty on all three counts, after which he claimed that the government failed to prove both elements of the charge as it was explained to the jury.
Read more on Courthouse News. The transcript of yesterday’s oral argument can be found here (pdf).

As if Greece didn't have enough problems.
Ashley Carman reports:
Three unnamed Greek banks are the most recent victims of an extortion campaign in which a hacker group is attempting to fully take down their websites. The group, calling itself the Armada Collective, apparently made its first demand on Thursday of last week, at which point it also launched the first of its distributed denial-of-service (DDoS) attacks. Those attacks succeeded in disrupting transactions at every bank, the Financial Times reported. DDoS attacks overload websites’ servers in an effort to take them fully offline, and the Armada Collective has a set price to stop its efforts: each bank must pay 20,000 Bitcoin, or $7,208,200. The financial institutions aren’t bending under pressure, however, and are instead strengthening their DDoS defenses. Greece’s central bank and its police electronic crime unit are also monitoring the banks’ computer systems.
Read more on The Verge.

Something for my Computer Security students to debate. I include this because I don't agree with all of his points.
The Moral Character of Cryptographic Work
by Sabrina I. Pacifici on Dec 1, 2015
The Moral Character of Cryptographic Work, Phillip Rogaway, Department of Computer Science, University of California, Davis, USA. December 1, 2015
“Cryptography rearranges power: it configures who can do what, from what. This makes cryptography an inherently political tool, and it confers on the field an intrinsically moral dimension. The Snowden revelations motivate a reassessment of the political and moral positioning of cryptography. They lead one to ask if our inability to effectively address mass surveillance constitutes a failure of our field. I believe that it does. I call for a community-wide effort to develop more effective means to resist mass surveillance. I plea for a reinvention of our disciplinary culture to attend not only to puzzles and math, but, also, to the societal implications of our work.”

Advanced research on potential Ad targets?
Google Deceptively Tracks Students’ Internet Browsing, EFF Says in FTC Complaint
San Francisco—The Electronic Frontier Foundation (EFF) filed a complaint today with the Federal Trade Commission (FTC) against Google for collecting and data mining school children’s personal information, including their Internet searches—a practice EFF uncovered while researching its “Spying on Students” campaign, which launched today.
… Google’s practices fly in the face of commitments made when it signed the Student Privacy Pledge, a legally enforceable document whereby companies promise to refrain from collecting, using, or sharing students’ personal information except when needed for legitimate educational purposes or if parents provide permission.

Would it be worth creating a false phone “trail?” Probably not. But automating the process will reduce cost.
Lending Startups Look at Borrowers’ Phone Usage to Assess Creditworthiness
A handful of Silicon Valley-backed startups are looking to revolutionize lending in the developing world, where banks are scarce and many would-be borrowers have no credit history.
Their strategy: Show me your smartphone, and my app will find out how creditworthy you are.
Smartphones can dramatically reduce the cost of lending, experts say, because the apps they run generate huge amounts of data—texts, emails, GPS coordinates, social-media posts, retail receipts, and so on—indicating thousands of subtle patterns of behavior that correlate with repayment or default.
The loans average $30, enough for a taxi driver to pay for gas or a fruit seller to stock up on produce. Branch charges between 6% and 12% interest—based on the borrower’s creditworthiness—and loans are usually repaid between three weeks and six months later.

We're thinking of a 3D printer class. Could be fun!
Gartner Predicts 2016: 3D Printing Disrupts Healthcare and Manufacturing
Strategic Planning Assumption: By 2019, 10% of people in the developed world will be living with 3D-printed items that are on or in their bodies.
Strategic Planning Assumption: By 2019, 3D printing will be a critical tool in over 35% of surgical procedures requiring prosthetic and implant devices (including synthetic organs) placed inside and around the body.
Strategic Planning Assumption: By 2019, technological and material innovation will result in 10% of counterfeit drugs and pharmaceuticals being produced with 3D printers.
Strategic Planning Assumption: By 2019, 10% of all discrete manufacturers will be using 3D printers to produce parts for the products they sell or service.

Are you ready for any of these? Infographic.
Have The Coolest Home On The Block With These Gadgets

A number of interesting graphs to share with my Statistics students. I really like the “CORRELATION vs. CAUSATION” graph. Might be fun to try a few myself.
Our Favorite Examples Of How The Internet Talks
About two weeks ago, we published our Reddit Ngram interactive — a tool that lets you search for any term to see how frequently it has been used in Reddit comments since late 2007. And readers (plus a few FiveThirtyEighters) have been sharing some interesting findings, especially on Twitter and, of course, Reddit. Below are some of our favorites so far.

Cellphone-only homes becoming the norm, CDC finds
New statistics from the Centers for Disease Control and Prevention (CDC) released Tuesday found 47 percent of homes only use cellphones and do not have a landline phone.
That is about 5 percentage points higher than homes that use both wireless and landline phones, which still represent 41 percent of households.
… Pollsters are most likely to see wireless-only homes among individuals aged 24-34, where 68 percent to 71 percent only use cellphones. About 85 percent of adults living with nonrelated roommates live in a cellphone-only house. Renters are also far more likely than homeowners to only use cellphones.
The CDC has asked the telephone question since 2003 to help it along with health-related survey research.

For all my students, Computer Security in particular.
5 Best Free Internet Security Suites for Windows
As a Windows user, you have three possible paths when it comes to system security: use the built-in Windows Defender, install third-party security software, or ignore security altogether (the last option isn’t possible on Home versions of Windows 10). The path you take is crucial.
In our piece on important facts about Windows Defender, we noted that Windows Defender is good enough for most users — but do you really want to settle for “good enough” when your security is at stake? Seems like an unnecessary risk to take…
So here are five of the best free security suites for Windows, all of which offer anti-virus, anti-malware, and real-time protection features. Some of these lack firewall functionality, but you can always supplement with a free third-party Windows firewall.

Something for all of our business students. (Remember to “tip” your professor with 1% of your founders' stock.)
Free eBook: ‘Startup Best Practices from 15 Serial Entrepreneurs’
… Today, we have a free eBook called “Startup Best Practices from 15 Serial Entrepreneurs” that will teach you about starting a business from the past experiences of the people who have seen it all.
… To redeem your copy and download the free eBook, just head over to this page and sign up for a free account. The process will take just a few seconds, and then you will be sent an email with a link to download a free copy.

Handy for my niece who is doing a semester abroad in Chile.
How to Make Free Calls to Any U.S. Number From Anywhere
Turn to Google Voice. Whether you’re in Brazil or Ireland, all you need is an account in order to make free calls to the United States and Canada. The most common method is to call through the PC app, but calls can also be made with both the Google Voice and Google Hangouts apps on Android.
As of now, Google calls are limited to 3 hours in duration, but there aren’t any restrictions on how many times you can redial the same number.
… You can try these free apps for calling to the U.S. as well.

Another tool for students.
GrammarFlip - Online Grammar Lessons for Students
GrammarFlip is a free service that offers an extensive set of grammar lessons. The basic format of the lessons in GrammarFlip is a video and slideshow followed by a couple of review exercises. The content of the video is based on the slideshow. The video in the lesson is essentially a narration of the slides. The review exercises in GrammarFlip lessons are a mix of multiple choice questions and fill-in-the-blank questions.
Teachers can register on GrammarFlip and create online classrooms. Once you have created a classroom on GrammarFlip students can join it by entering an access code that you assign to the room. Within your GrammarFlip classroom you can distribute lessons and track your students' progress on the lessons that you have assigned to them.

For my next batch of IT Governance students,
Corporate Governance in the Age of Cyber Risks

How to Quickly Find Your Lost Mouse Cursor on Every OS
For Windows users: Search for Mouse in the Start menu, and switch to the Pointer Options tab. At the bottom, check the box for Show the location of the pointer when I press the Ctrl key. Now, anytime you can’t find your cursor, just tap either Ctrl key and a ring will pulse around your cursor to help you find it.

Tuesday, December 01, 2015

Doesn't sound so good now, does it?
Lorenzo Franceschi-Bicchierai has a follow-up to his earlier report on VTech:
Over the weekend, the hacker, who asked to remain anonymous, told me that VTech left other sensitive data exposed on its servers, including kids’ photos and chat logs between children and parents. This data is from the company’s Kid Connect, a service that allows parents using a smartphone app to chat with their kids using a VTech tablet. In online tutorials, the company encourages parents and kids to take headshots and use them in their apps.
Read more on Motherboard.
The VTech hack is getting a lot of mainstream media attention, and understandably so, as it’s a cautionary tale. But keep in mind that so far, it doesn’t sound like this hacker has any intention of misusing the data. If s/he did, it would have been put up for sale and not helpfully disclosed to Motherboard. It sounds like the hacker wants to make a point about security. Yes, it’s still a crime, and everyone – company and parents – need to be more cautious going forward, but it’s not clear what the real and imminent risk is from this particular hack.

Yet another follow-up. How can you manage what you don't know exists?
OPM Just Now Figured Out How Much Data It Owns
... According to its inspector general, at the time of the breaches, OPM did not have a complete inventory of the servers, databases, and network devices that it owns, maintains, and operates. Not having the inventory “drastically diminishe[d] the effectiveness of its security controls,” wrote Michael Esser, the agency’s assistant inspector general for audits, in an oversight report published this month.
“Failure to maintain an accurate IT inventory undermines all attempts at securing OPM’s information systems,” the report read.
… The high-profile data breaches have kept OPM in the news, but it’s far from the only government agency that has fallen short of basic IT standards.
A recent report compiled by the House Oversight Committee graded federal agencies on their implementation of a key federal IT law. The majority of agencies—including OPM—received a D grade. Three agencies received an F: the Department of Education, the Department of Energy, and NASA. No agency received an A.

This week, my Computer Security students are discussing encryption.
BlackBerry Exits Pakistan Over Backdoor Request
The Canadian smartphone maker revealed that the Pakistani government was looking for means to monitor all BlackBerry Enterprise Service traffic in the country. However, as BlackBerry refused to comply with this demand, the government decided to prohibit BlackBerry’s BES servers from operating in Pakistan starting in December.

Definitely one for my Computer Security students to discuss.
Target Website’s Near Cyber Monday Crash: In Ironic Twist, Customers Forced To Wait On Line
The website for Target, one of the largest retailers in the U.S., almost crashed on Cyber Monday, due to a huge number of bargain hunters attempting to access the site simultaneously. To manage the deluge, the store set up a queue reminiscent of in-store Black Friday lines, in which Web customers were required to wait behind others who were already shopping.
… By just midday, according to the company, traffic on the site had already doubled that of the formerly most busy day in Target website history.

Another article for my Computer Security students.
The attack that broke the Dark Web—and how Tor plans to fix it

Backup. Backup. Backup.
British Man Blames Apple For Erasing His iPhone’s Data, Wins $3,000 In Lawsuit
… it appears that at least one British man didn’t use enough caution when he took his malfunctioning iPhone in to be serviced at a local Apple Store. Deric White claims the Apple Geniuses never asked him if he had backed up his iPhone 5, and took it upon themselves to reset the iPhone, wiping out all of its data in the process, in order to solve his issues.
“It was only after staff fiddled around they asked if I’d backed my things up,” said White, who was obviously distraught over the fact that he lost 15 years worth of contacts and countless photos with sentimental value.
… The judge said that Apple had acted negligently in erasing the data from Mr. White’s phone while performing a reset.
… If Mr. White had an iCloud account, he would have been able to easily restore his data (including contact information and photos). But in this case, he didn’t even setup an iCloud account, stating that he “[didn’t] like the databank in the sky.” Likewise, an iTunes backup would have made for an even quicker way to restore his iPhone 5 to its previous state before he visited the Apple Store. This method of backing up data also eluded Mr. White.

The overreaction to 9/11 continues.
Revealed: FBI can demand web history, phone location data without a warrant
The FBI can compel companies and individuals to turn over vast sums of personal data without a warrant, it has been revealed for the first time.
In a case that's lasted more than a decade, a court filing released Monday showed how the FBI used secret interpretations to determine the scope of national security letters (NSLs).
Nicholas Merrill, founder of internet provider Calyx Internet Access, who brought the 11-year-old case to court after his company was served a national security letter, won the case earlier this year.
National security letters are almost always bundled with a gag order, preventing Merrill from speaking freely about the letter he received.
… In a statement on Monday, Merrill revealed the FBI has used its authority to force companies and individuals to turn over complete web browsing history; the IP addresses of everyone a person has corresponded with; online purchase information, and also cell-site location information, which he said can be used to turn a person's phone into a "location tracking device."
According to a release, the FBI can also force a company to release postal addresses, email addresses, and "any other information which [is] considered to be an electronic communication transactional record."
Merrill said in remarks: "The FBI has interpreted its NSL authority to encompass the websites we read, the web searches we conduct, the people we contact, and the places we go. This kind of data reveals the most intimate details of our lives, including our political activities, religious affiliations, private relationships, and even our private thoughts and beliefs."
Merrill is the first person who has succeeded in completely lifting a national security letter gag order.

Yes, it's a big deal. Now all they need do is get others to use the yuan.
China needs more users for 'freely usable' yuan after IMF nod
The International Monetary Fund's decision to add China's yuan to its reserves basket is a triumph for Beijing, but the fund's verdict that the currency met its "freely usable" test will have little financial impact unless Beijing recruits more users.
The desire of Chinese reformers to internationalize the currency has a clear economic rationale; a yuan in wide circulation overseas would reduce China's dependence on the dollar system and on policy set in Washington.
It would also make it easier for Chinese firms to invoice and borrow offshore in yuan, reducing the risk of exchange rate fluctuations and prompting China's inefficient state-owned banks to improve their performance or lose business.
Those concerned about a potential global liquidity crisis caused by overdependence on the United States might also welcome the yuan as an alternative to the dollar, as would countries locked out of dollar capital markets by sanctions.

ITU: 3.2B People Now Online Globally, Mobile Broadband Overtakes Home Internet Use
… according to International Telecommunication Union, which today published its annual global survey

Perspective. “Out, out damned driver! Out, I say!” (If Lady Macbeth was a programmer)
The High-Stakes Race to Rid the World of Human Drivers

Perspective. Remember, this is not an Internet First company, like Amazon.
Walmart: Nearly Half Of Orders Since Thanksgiving Placed On Mobile Device
… Mobile is making up more than 70 percent of traffic to, and now, nearly half of our orders since Thanksgiving have been placed on a mobile device - that's double compared to last year."

Want to Obtain FBI Records a Little Quicker? Try New eFOIA System
by Sabrina I. Pacifici on Nov 30, 2015
The FBI recently began open beta testing of eFOIA, a system that puts Freedom of Information Act (FOIA) requests into a medium more familiar to an ever-increasing segment of the population. This new system allows the public to make online FOIA requests for FBI records and receive the results from a website where they have immediate access to view and download the released information. Previously, FOIA requests have only been made through regular mail, fax, or e-mail, and all responsive material was sent to the requester through regular mail either in paper or disc format. “The eFOIA system,” says David Hardy, chief of the FBI’s Record/Information Dissemination Section, “is for a new generation that’s not paper-based.” Hardy also notes that the new process should increase FBI efficiency and decrease administrative costs. The eFOIA system continues in an open beta format to optimize the process for requesters. The Bureau encourages requesters to try eFOIA and to e-mail with any questions or difficulties encountered while using it. In several months, the FBI plans to move eFOIA into full production mode.”

An article to leave on my wife's chair… Hint, hint babe.
A New Delivery Service Gives Beer Geeks Their Monthly Fix
… Customers reply to the daily e-mails if they want the beers on offer, and Tavour stockpiles the orders for a monthly delivery. Recent prices range from $2.50 to $20 a beer. Regardless of how many it’s sending you, the company charges $15 shipping to any of the seven states it covers so far: Arizona, California, Colorado, New Mexico, Ohio, Oregon, and Washington.

Storage, for my Math students.
Storage Enters the Age of Erasure Coding
Its appeals are obvious: it's a data protection system that's more space efficient than straight replication, and one which tolerates more faults and allows you to recover lost data far more quickly than is possible with traditional RAID systems.
Here are just a few examples of storage offerings that are getting serious about the technology: Intel and Cloudera are developing erasure coding in HDFS for release in Hadoop 3.0, and Nutanix has begun showing off its own proprietary erasure coding called EC-X in the current versions of its Nutanix OS in preparation for its launch in NOS 5. Ceph, the open source software storage platform, introduced erasure coding last year with the Firefly (v0.80) release, and erasure coding is at the heart of Cleversafe's dispersed storage systems. (Earlier this month IBM announced that it had acquired Cleversafe for an undisclosed sum.)
How Erasure Coding Works
Erasure coding works by splitting a file into a number of equally sized pieces, and then doing some fancy mathematics [Not so fancy… Bob] encoding to produce a larger number of pieces. For example, you could start with a single file, split it into 6 pieces, and then do the encoding to produce 10 pieces.
What's clever about the encoding is that you would only need 6 of the 10 encoded pieces to get back to the original file – you can lose any four without any data loss.
To get an idea of how EC works, let's look at a very simple example where you split a file into 2 pieces, and then encode those into 4 encoded pieces.
So we start with a single file, split it into 2 pieces which we'll call P1 and P2, and then encode those into 4 encoded pieces EP1, EP2, EP3 and EP4.
So what happens if two of these encoded pieces, EP2 and EP4, are lost?
We are left with EP1 and EP3, and we know that EP1 is identical to P1, and EP3 is simply P1 + P2. So with a little mathematical equation solving it is possible to get the original file back from just these two encoded pieces.
That's the principle. In fact erasure coding is more complex than that. A common form of erasure coding is called Reed-Solomon (RS) erasure coding, invented in 1960 at MIT Lincoln Laboratory by Irving S. Reed and Gustave Solomon. It uses linear algebra operations to generate extra encoded pieces, and can be configured in different ways so that a file is split into k pieces, and then encoded to produce an extra m encoded pieces which are effectively parity pieces.
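For the Math students: here is the "not so fancy" mathematics carried through in working code. This is an added example written for this post, not code from the article or from Ceph, HDFS, Nutanix or Cleversafe. It implements a systematic Reed-Solomon style k-of-n erasure code over GF(2^8): the file is split into k data pieces, m = n - k parity pieces are derived with a coding matrix, and any k of the n pieces rebuild the original. The first k encoded pieces are the data pieces themselves (so EP1 == P1, as in the article's 2-of-4 sketch); the field polynomial, the choice of 1..n as evaluation points and all function names are my own choices.

```python
"""Systematic k-of-n erasure code over GF(2^8), Reed-Solomon style.

Added illustration for the "Storage Enters the Age of Erasure Coding" excerpt;
not the article's code nor any vendor's implementation. Any k of the n coded
pieces reconstruct the original bytes; piece indices 0..k-1 are the data
itself and indices k..n-1 are parity.
"""
from functools import reduce

# GF(2^8) log/antilog tables for the primitive polynomial x^8+x^4+x^3+x^2+1
# (0x11d) with generator 2. EXP is doubled so LOG[a]+LOG[b] needs no modulus.
EXP = [0] * 512
LOG = [0] * 256
_x = 1
for _i in range(255):
    EXP[_i] = _x
    LOG[_x] = _i
    _x <<= 1
    if _x & 0x100:
        _x ^= 0x11D
for _i in range(255, 512):
    EXP[_i] = EXP[_i - 255]


def gf_mul(a, b):
    """Field multiplication; field addition is plain XOR."""
    if a == 0 or b == 0:
        return 0
    return EXP[LOG[a] + LOG[b]]


def gf_pow(a, e):
    return 1 if e == 0 else EXP[(LOG[a] * e) % 255]


def gf_inv(a):
    return EXP[255 - LOG[a]]


def mat_mul(a, b):
    return [[reduce(lambda s, t: s ^ gf_mul(a[i][t], b[t][j]), range(len(b)), 0)
             for j in range(len(b[0]))] for i in range(len(a))]


def mat_inv(m):
    """Gauss-Jordan inversion over GF(2^8); StopIteration if m is singular."""
    n = len(m)
    a = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        p = next(r for r in range(c, n) if a[r][c] != 0)
        a[c], a[p] = a[p], a[c]
        scale = gf_inv(a[c][c])
        a[c] = [gf_mul(v, scale) for v in a[c]]
        for r in range(n):
            if r != c and a[r][c]:
                f = a[r][c]
                a[r] = [v ^ gf_mul(f, w) for v, w in zip(a[r], a[c])]
    return [row[n:] for row in a]


def coding_matrix(k, n):
    """n x k matrix: top k rows are the identity and ANY k rows are invertible.

    A Vandermonde matrix on the distinct points 1..n has every k-row subset
    invertible; multiplying by the inverse of its top block keeps that property
    and makes the code systematic (data pieces appear unchanged).
    """
    vand = [[gf_pow(x, j) for j in range(k)] for x in range(1, n + 1)]
    return mat_mul(vand, mat_inv(vand[:k]))


def encode(data, k, n):
    """Split `data` into k equal pieces (zero padded) and return n coded pieces."""
    size = -(-len(data) // k)  # ceiling division
    padded = data + b"\0" * (size * k - len(data))
    pieces = [padded[i * size:(i + 1) * size] for i in range(k)]
    a = coding_matrix(k, n)
    return [bytes(reduce(lambda s, j: s ^ gf_mul(a[r][j], pieces[j][pos]), range(k), 0)
                  for pos in range(size)) for r in range(n)]


def decode(available, k, n, length):
    """Rebuild the original from any k surviving pieces.

    `available` maps piece index -> piece bytes; `length` trims the padding.
    """
    if len(available) < k:
        raise ValueError("need at least %d pieces, have %d" % (k, len(available)))
    idx = sorted(available)[:k]
    inv = mat_inv([coding_matrix(k, n)[i] for i in idx])  # solve the equations
    surv = [available[i] for i in idx]
    data = [bytes(reduce(lambda s, t: s ^ gf_mul(inv[j][t], surv[t][pos]), range(k), 0)
                  for pos in range(len(surv[0]))) for j in range(k)]
    return b"".join(data)[:length]


if __name__ == "__main__":
    original = b"the quick brown fox jumps over the lazy dog"  # constructed sample
    coded = encode(original, 6, 10)
    survivors = {i: coded[i] for i in (1, 3, 5, 6, 8, 9)}  # lost pieces 0, 2, 4, 7
    assert decode(survivors, 6, 10, len(original)) == original
    print("recovered from 6 of 10 pieces")
```

The decode step is the "equation solving" the article mentions: the surviving rows of the coding matrix form a k-by-k system, and inverting it over the field recovers the data pieces exactly, whichever k pieces survived. Real systems (Ceph, HDFS) use the same algebra with table-driven or SIMD field arithmetic for speed.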

My students will be writing Apps next Quarter.
Microsoft takes wraps off PowerApps mobile-app creation service
… Microsoft's goal in developing PowerApps is to allow business users to harness the power of data scattered throughout their organizations in both software-as-a-service and on-premises apps without having to know how to write a single line of code.

May 'splain y my students don't right gud.
OMG! In Text Messages, Punctuation Conveys Meaning
… A Binghamton University research team has apparently identified one such indicator: Whether or not you put a period at the end of a reply.
In the journal Computers in Human Behavior, researchers led by psychologist Celia Klin report that college students perceive text messages that end with a period to be less sincere than ones that do not.