Saturday, January 02, 2016

More like hacker “wanna be”
'Anti-IS group' claims BBC website attack
… The group, calling itself New World Hacking, said it had carried out the attack as a "test of its capabilities".
… "We realise sometimes what we do is not always the right choice, but without cyber hackers... who is there to fight off online terrorists?
"The reason we really targeted [the] BBC is because we wanted to see our actual server power."
Earlier, New World Hacking had said: "It was only a test, we didn't exactly plan to take it down for multiple hours. Our servers are quite strong."
… Ownz said his group used a tool called Bangstresser - created by another US-based "hacktivist" - to direct a flood of traffic against the BBC, and had supplemented the attack with requests from its own personal computer servers.

A cautionary tale for my Computer Security students.
2016 Reality: Lazy Authentication Still the Norm
My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang tied to the jihadist militant group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.
On Christmas Eve morning, I received an email from PayPal stating that an email address had been added to my account. I immediately logged into my account from a pristine computer, changed the password, switched my email address back to the primary contact address, and deleted the rogue email account.
I then called PayPal and asked how the perpetrator had gotten in, and was there anything else they could do to prevent this from happening again? The customer service person at PayPal said the attacker had simply logged in with my username and password, and that I had done everything I could in response to the attack. The representative assured me they would monitor the account for suspicious activity, and that I should rest easy.
Twenty minutes later I was outside exercising in the unseasonably warm weather when I stopped briefly to check email again: Sure enough, the very same rogue email address had been added back to my account. But by the time I got back home to a computer, my email address had been removed and my password had been changed. So much for PayPal’s supposed “monitoring;” the company couldn’t even spot the same fraudulent email address when it was added a second time.
… In my second call to PayPal, I insisted on speaking with a supervisor. That person was able to tell me that, as I suspected, my (very long and complex) password was never really compromised. The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.

Might make an interesting student paper: “What are your employees authorized to do?”
Amy R. Worley writes:
As the year draws to a close, employer claims under the Computer Fraud and Abuse Act (“CFAA”) against departing employees for stealing or otherwise diverting employer information without authorization to do so are dying slow deaths in many federal courts across the nation. As noted over on the Non-Compete and Trade Secrets Report, the U.S. federal circuits are split regarding whether an employee acts “without authorization” under CFAA when he or she steals employer confidential data at or near termination. The Second, Ninth and Fourth Circuits hold that as long as the employee was permitted to be on a computer for any purpose, diversion of employer information is “authorized” under CFAA. In contrast, the First, Fifth, Seventh, and Eleventh Circuits have adopted a broad construction, allowing CFAA claims alleging an employee misused employer information that he or she was otherwise permitted to access.
Now, in North Carolina at least, employers may have better luck fighting malevolent employees under the North Carolina statutory corollary to CFAA.

What is “appropriate?” What can the software do and what is inappropriate?
Andrea Castillo reports:
The American Civil Liberties Union recently slammed Fresno Police Department for testing social media screening programs, suggesting police could use them to monitor protest groups and accusing the department of keeping the public in the dark about the testing.
But police say they’ve only been testing services for possible use in monitoring violent crime and terrorism – not for spying on critics. They add that the public will get a chance to weigh in when a final recommendation goes before the City Council.
Read more on The Fresno Bee.
[From the article:
Fresno police last year participated in free trials from the social media monitoring programs Geofeedia, LifeRaft and Media Sonar. They remain on an extended free trial for Beware, a data-mining program that includes social media and, upon request, assigns a “threat rating” to people and addresses.
Fresno activists alerted ACLU representatives about Beware earlier this year. So the ACLU sent out a Public Records Act request to find out how the police department was tracking social media, and got 88 pages of documents in return.
… Casto said social media is currently used only once officers have the name of a suspect and can look them up like anyone else would.
“If someone was threatening to bring a gun to a specific high school or mall we could do a geofence (using Google maps) and monitor for a gun or mass shooting,” he said. [Doesn't that contradict the previous sentence? Bob]

Does this kill those “shoplifter identification” databases? How about known card sharps in casinos?
Wendy Davis reports:
In a first, a federal judge has ruled that a biometric privacy law in Illinois potentially prohibits Web companies from compiling databases of faceprints.
U.S. District Court Judge Charles Norgle in Illinois this week rejected online photo service Shutterfly’s bid to dismiss a lawsuit alleging that it violated the Illinois Biometric Information Privacy Act. That law, which dates to 2008, prohibits companies from storing people’s “biometric identifiers,” including scans of face geometry, without their consent.
Read more on MediaPost. This could be a game-changer.

In short, “It depends...”
Measuring Privacy: Using Context to Expose Confounding Variables
by Sabrina I. Pacifici on Jan 1, 2016
Martin, Kirsten E. and Nissenbaum, Helen, Measuring Privacy: Using Context to Expose Confounding Variables (December 31, 2015). Available for download at SSRN:
“Past privacy surveys often omit important contextual factors and yield cloudy, potentially misleading results about how people understand and value privacy. We revisit two historically influential measurements of privacy that have shaped discussion about public views and sentiments as well as practices and policies surrounding privacy: (1) Alan Westin’s series of surveys establishing that people in their valuations of privacy persistently fall into three categories: fundamentalists, pragmatists, and unconcerned and (2) Pew Foundation’s survey of individuals’ ratings of ‘sensitive’ information. We find, first, the relative importance of types of sensitive information on meeting privacy expectations is highly dependent on the contextual actor receiving the information as well as the use of information. Respondents differentiate between contextual, appropriate use of information and the commercial use of information. Second, Westin’s privacy categories were a relatively unimportant factor in judging privacy violations of different scenarios. Even privacy unconcerned respondents rated the vignettes to not meet privacy expectations on average, and respondents across categories had a common vision of what constitutes a privacy violation. While groups differed slightly, contextual factors explained the tremendous variation within Westin’s groups. In sum, respondents were highly nuanced in their judgments about information by taking into consideration the context, actor, and use as well as the type of information. In addition, respondents had common concerns about privacy across Westin’s privacy categories. Significant for public policy we demonstrate that teasing out confounding variables, reveals significant commonality across respondents in their privacy expectations. For firms, our work reveals that respondents’ judgments of privacy violation are highly sensitive to how the information is shared and used after disclosure.”

Gosh, does TSA know about this? What does the Constitution say?
Papers, Please! wants you to know that no matter what the TSA suggests, you don’t need to show any ID to fly:
We’re quoted in an article today in the New York Times about the Federal government’s efforts to use the threat of denial of air travel to scare state legislators into connecting their state drivers license and ID databases to the distributed national “REAL-ID” database through the REAL-ID “hub” operated by the American Association of Motor Vehicle Administrators (AAMVA).
We welcome the Times’ coverage of this issue. But some readers might be misled by the Times’ headline, “T.S.A. Moves Closer to Rejecting Some State Driver’s Licenses for Travel“.
As Edward Hasbrouck of the Identity Project, who was quoted in the New York Times story, discussed in detail in this presentation earlier this year at the Cato Institute in Washington, the most important thing you need to know about this issue is that you do not — and you will not, regardless of how or when the TSA “implements” the REAL-ID Act — need to show any ID to fly. People fly, legally, every day, without showing any ID, and that will continue to be the case. You have a legal right to fly, and the REAL-ID Act does not and cannot deprive you of that right.
Read more on Papers, Please!

U.S. says its Internet speeds triple in three-and-a-half years
… The Federal Communications Commission (FCC) said in a report on Wednesday average download connection speeds had increased to nearly 31 megabits per second (Mbps) in September 2014 from about 10 Mbps in March 2011.
… The FCC says video accounts for more than 60 percent of U.S. Internet traffic, a figure that may rise to 80 percent by 2019.
Still, the United States only ranks 25 out of 39 nations in 2013, according to the FCC.
… To read the complete 2015 Measuring Broadband America report, visit:

Inevitable. Pander to the Great Unwashed and eventually someone will notice the smell.
Qaeda Affiliate Uses Video of Donald Trump for Recruiting
Al Qaeda’s branch in Somalia released a recruitment video on Friday that criticized racism and anti-Muslim sentiment in the United States and contained footage of the Republican presidential candidate Donald J. Trump announcing his proposal to bar Muslims from entering the country.

Interesting. Because I'm cheap enough to appreciate free stuff. (And because Winston Churchill is on the list.)
The Public Domain Review Class of 2016
by Sabrina I. Pacifici on Jan 1, 2016
“Founded in 2011, The Public Domain Review is an online journal and not-for-profit project dedicated to the exploration of curious and compelling works from the history of art, literature, and ideas. In particular, as our name suggests, the focus is on works which have now fallen into the public domain, that vast commons of out-of-copyright material that everyone is free to enjoy, share, and build upon without restriction. Our aim is to promote and celebrate the public domain in all its abundance and variety, and help our readers explore its rich terrain – like a small exhibition gallery at the entrance to an immense network of archives and storage rooms that lie beyond…”
  • “Pictured [here] is our top pick of those whose works will, on 1st January 2016, be entering the public domain in many countries around the world. Of the eleven featured, five will be entering the public domain in countries with a ‘life plus 70 years’ copyright term (e.g. most European Union members, Brazil, Israel, Nigeria, Russia, Turkey, etc.) and six in countries with a ‘life plus 50 years’ copyright term (e.g. Canada, New Zealand, and many countries in Asia and Africa) — those that died in the year 1945 and 1965 respectively. As always it’s a sundry and diverse rabble who’ve assembled for our graduation photo – including two of the 20th century’s most important political leaders, one of Modernism’s greatest poets, two very influential but very different musicians, and one of the most revered architects of recent times…”

The fun never stops.
Hack Education Weekly News
… Happy New Year. From US News & World Report: “For technology companies in California, ringing in the New Year will mean adjusting to a new privacy law that limits how they can collect and use student data. The data privacy legislation was originally signed into law by Gov. Jerry Brown in 2014 and goes into effect Jan. 1. It prohibits the operators of education websites, online services and apps from using any student’s personal information for targeted advertising or creating a commercial profile, as well as the selling of any student’s information.”

Friday, January 01, 2016

It's just practice and “proof of concept.” When they get serious, everything will go offline at the same time.
Web attack knocks BBC websites offline
All the BBC's websites were unavailable early on Thursday morning because of a large web attack.
The problems began about 0700 GMT and meant visitors to the site saw an error message rather than webpages.
Sources within the BBC said the sites were offline thanks to what is known as a "distributed denial of service" attack.

WhatsApp suffers outage on New Year's Eve
Popular free messaging service WhatsApp was temporarily down on Thursday for users across the globe.
The New Year’s Eve outages were mostly concentrated in Europe, but the service was also briefly unavailable in several U.S. and South American locations, according to Down Detector, which tracks Internet sites and mobile apps in real time.
As of early afternoon, WhatsApp said it had gotten the Facebook-owned service back up and running.

Worth a read.
Paul Karlsgodt writes:
The burgeoning area of privacy class action litigation showed no signs of slowing down in 2015. Here are some of the most significant developments from the past year, as well as some things to watch for in the coming year. For purposes of this article, we include in the definition of “privacy” class action litigation class actions arising out of data security breaches; litigation involving the collection, use, or transfer of consumer information; and litigation involving alleged intrusions upon privacy interests.
Read more on BakerHostetler Data Privacy Monitor.

What is it that a company like Carrier IQ knows (or can do) that a company that has been in the phone business since the phone business started (1875) does not know?
AT&T acquires parts of phone-monitoring company Carrier IQ
Carrier IQ came under scrutiny in 2011 as the public learned about its practices of capturing the user data on more than 140 million mobile devices. The company logged where and when people made calls or sent text messages, which apps they used, how they used the web and other mobile habits, and it was employed by major carriers including Sprint, Apple, AT&T and HTC. Now, in a post-Snowden world, Carrier IQ appears to have shut down, and AT&T has picked up its software and some staff, a spokesperson tells TechCrunch.
"We use CIQ software solely to improve the customer's network and wireless service experience," the AT&T spokesperson says.

“We are fully automated. Nothing can go wrong. ...go wrong. ...go wrong.” (It's actually a Y2K kind of problem.)
Why Facebook is saying you and your friends go back 46 years
Like many of you out there in Internet land, I woke up this morning to an interesting bug on my Facebook page. According to my own account, I had a lot to celebrate today, as I'd apparently become friends with 226 people 46 years ago today, on Dec. 31, 1969:
… That, by the way, is just shy of two decades before I was born. I've been called an old soul before, but this seems ridiculous — especially given that Facebook itself is only 11 years old.
A Facebook spokeswoman said in a statement that the company has "identified this bug and the team's fixing it now so everyone can ring in 2016 feeling young again."
… That term refers to the way that systems with a Unix base, such as Macs and many servers, calculate time. The start of time, according to Unix, is midnight, GMT on Jan. 1, 1970 — apparently a mostly arbitrary starting point — and these systems keep track of time by calculating the number of seconds that have elapsed since then. (Excluding leap seconds, in case you're wondering.) When systems don't have a time for something, they will sometimes reset to zero. That results in emails occasionally being sent from 1970 — or late 1969, depending on your time zone.
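The "late 1969, depending on your time zone" effect is easy to reproduce. The following is an added example (not code from the article or from Facebook) that mimics the failure mode described above: a record whose timestamp was never set is coerced to 0, which is the Unix epoch, and then rendered in a local time zone. The record layout, the constructed sample records, the "now" timestamp and the fixed UTC-5 offset standing in for US Eastern time are all assumptions made for the illustration. The hardened function shows the usual fix, which is to treat a zero or missing timestamp as "unknown" rather than as a real date.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample "friend since" records, as an application might store them.
# A value of 0 or None stands for a timestamp that was never set, which is the
# failure mode the article describes (the system "resets to zero").
SAMPLE_RECORDS = [
    {"friend": "alice", "since": 1451520000},  # 2015-12-31 00:00:00 UTC (constructed)
    {"friend": "bob", "since": 0},             # missing value coerced to zero
    {"friend": "carol", "since": None},        # missing value left unset
]

# 2015-12-31 12:00:00 UTC, the day the bug was noticed (constructed "now").
NEW_YEARS_EVE_2015 = 1451563200

UTC = timezone.utc
# Fixed UTC-5 offset (US Eastern Standard Time): enough for a late-December
# example without pulling in a time-zone database. Assumption for this example.
US_EASTERN_STD = timezone(timedelta(hours=-5))


def naive_since_date(since, tz):
    """Buggy rendering: a missing timestamp silently becomes 0 (the Unix epoch).

    Epoch 0 is 1970-01-01 00:00 UTC; anywhere west of Greenwich it is still
    the evening of 1969-12-31, which is the date the article's users saw.
    """
    ts = since or 0
    return datetime.fromtimestamp(ts, tz).date().isoformat()


def naive_years_of_friendship(since, now_ts, tz):
    """Buggy 'friends for N years' counter built on the same zero-default."""
    then = datetime.fromtimestamp(since or 0, tz)
    now = datetime.fromtimestamp(now_ts, tz)
    return now.year - then.year


def checked_since_date(since, tz):
    """Hardened rendering: treat 0/None as 'unknown' rather than as a date.

    Returns None so the caller can hide the line instead of printing 1969.
    """
    if not since:  # 0 and None are both sentinels for 'never recorded'
        return None
    return datetime.fromtimestamp(since, tz).date().isoformat()


def render_all(records, now_ts, tz):
    """Render every record both ways so the difference is visible side by side."""
    out = []
    for rec in records:
        out.append((rec["friend"],
                    naive_since_date(rec["since"], tz),
                    naive_years_of_friendship(rec["since"], now_ts, tz),
                    checked_since_date(rec["since"], tz)))
    return out


if __name__ == "__main__":
    rows = render_all(SAMPLE_RECORDS, NEW_YEARS_EVE_2015, US_EASTERN_STD)
    for name, naive, years, checked in rows:
        print(f"{name:6} naive={naive} ({years} years)  checked={checked}")
```

Run in the US Eastern offset, the two records with no real timestamp come out as "friends since 1969-12-31" for 46 years, exactly the symptom in the article; in UTC the same records read 1970-01-01. The checked variant returns None for both, which is the value a rendering layer should key on to suppress the line.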

Let the hilarity begin!
Twitter to restore tool that tracks deleted tweets
Twitter has reached an agreement with transparency organizations to restore the tool that archived lawmakers’ deleted tweets around the world.
The company announced Thursday that it had negotiated an agreement with the Sunlight Foundation and the Open State Foundation — the two groups that ran the archiving tool known as Politwoops.

Perhaps this could be next – after we get the self-driving cars debugged.

Do you suspect someone in your congregation of plotting mass murder? Your fear is illogical and very irritating. It is frightening the children and those with childish minds.
Joe Cadillic writes:
Police State America has invaded churches and places of worship in America. Churches now join private companies, schools, colleges, sports stadiums, malls and hospitals that are conducting active shooter drills. For more information, read my December article titled: ‘Hospitals and private companies are conducting mass shooter drills with police.’
In Alabama, a Presbyterian church wanted to be able to hire its own police for protection. And the Federal Emergency Management Agency (FEMA) has been holding specialized training for congregations for active shooter incidents.
Police across the country are speaking at places of worship, drumming up fear and telling churches to have greeters (security) welcome worshippers and look for anything that might be out of the ordinary.
On a FEMA webinar last Wednesday on protecting houses of worship, the chief security executive at The Potter’s House, the Rev. TD Jakes’ megachurch in Dallas, gave tips about behavior that should raise concern, such as a congregant arriving in a long coat in hot weather. If needed, church greeters could give a hug and feel for weapons, said the executive, Sean Smith.
“I call it the Holy Ghost pat-down,” Smith said.
Read more on MassPrivateI.

Thursday, December 31, 2015

Their “reasons” seem to fall short.
Joseph Menn reports on some poor decision-making by Microsoft that left hacking victims in the dark that their communications had been intercepted:
Microsoft Corp experts concluded several years ago that Chinese authorities had hacked into more than a thousand Hotmail email accounts, targeting international leaders of China’s Tibetan and Uighur minorities in particular – but it decided not to tell the victims, allowing the hackers to continue their campaign, according to former employees of the company.
On Wednesday, after a series of requests for comment from Reuters, Microsoft said it will change its policy and in the future tell its email customers when it suspects there has been a government hacking attempt.
Read more on Reuters.
[From the article:
The first public signal of the attacks came in May 2011, though no direct link was immediately made with the Chinese authorities. That's when security firm Trend Micro Inc announced it had found an email sent to someone in Taiwan that contained a miniature computer program.
The program took advantage of a previously undetected flaw in Microsoft's own web pages to direct Hotmail and other free Microsoft email services to secretly forward copies of all of a recipient's incoming mail to an account controlled by the attacker.
Trend Micro found more than a thousand victims, and Microsoft patched the vulnerability before the security company announced its findings publicly.

For my Computer Security students.
The Biggest Cybersecurity Threat at Your Office Could Be You (Infographic)

...and likely Google isn't the only one.
Andrea Peterson reports:
Google is a major player in U.S. education. In fact, in many public schools around the country, it’s technically a “school official.” And that designation means parents may not get a chance to opt out of having information about their children shared with the online advertising giant.
Read more on Washington Post.

Perspective. Size isn't everything.
A Billion Users May Not Be Enough for India's Phone Industry
India just signed up its billionth mobile-phone customer, joining China as the only countries to cross that milestone.
Yet that 10-digit base may not be enough to keep the industry from struggling. Asia’s third-largest economy is crowded with a dozen wireless carriers -- more than in any other country -- spectrum is hard to come by and regulatory risks are high. Add it all up and it’s no wonder they deliver lower profitability than phone operators in other parts of Asia, according to Sanford C. Bernstein & Co.

Census Bureau Projects U.S. and World Populations on New Year’s Day
by Sabrina I. Pacifici on Dec 30, 2015
“As our nation prepares to ring in the new year, the U.S. Census Bureau today projected the United States population will be 322,762,018 on Jan. 1, 2016.
… The Census Bureau’s U.S. and World Population Clock simulates real-time growth of the U.S. and world populations.”

Egypt joins India? What is the concern?
Free Internet service for over 3 million Egyptians shut down
… It was not immediately clear why the program was halted. Neither Etisalat nor Egyptian officials could immediately be reached for comment. The program was recently highlighted at an entrepreneurship fair in Cairo.
Facebook and other social media sites are extremely popular in Egypt, and were used to organize protests during the 2011 uprising that toppled longtime autocrat Hosni Mubarak.

“When you're a government you waste money. It's what you do.” You also claim success before you do anything else.
DHS Claims Success with Fifth Attempt to Virtually Secure the Border
… The largest attempt to bridge these gaps began in 2006 under the umbrella of the Secure Border Initiative, known as SBInet. US Customs and Border Protection (CBP) began a project nicknamed the “virtual fence” that would link decades-old underground sensors, radar towers, and communications networks into an integrated invisible surveillance system.
The contract with Boeing was supposed to be completed in two years and cost roughly $220 million. However, cost increases, time delays, and general human incompetence caused the virtual fence project to get pushed back to 2011 and costs to skyrocket to almost $1 billion.
… However, after two years of searching for a solution provider and crafting a strategy, DHS believes the current iteration of its virtual barrier is the final answer. Arizona is currently the test bed for the Integrated Fixed Tower project—formally known as the Arizona Border Surveillance Technology Plan—which aims to erect 52 sensor-laden towers along the southwest border by the year 2020.
… Why DHS officials are so confident the Arizona plan will work better than previous solutions is unclear, and there are already signs of delays and management problems.

Global Warming?
Record breaking North Pole Storm Pushes Temps to [sic] 50 degrees
by Sabrina I. Pacifici on Dec 30, 2015
Washington Post: “A powerful winter cyclone — the same storm that led to two tornado outbreaks in the United States and disastrous river flooding — has driven the North Pole to the freezing point this week, 50 degrees above average for this time of year. From Tuesday evening to Wednesday morning, a mind-boggling pressure drop was recorded in Iceland: 54 millibars in just 18 hours. This triples the criteria for “bomb” cyclogenesis, which meteorologists use to describe a rapidly intensifying mid-latitude storm. A “bomb” cyclone is defined as dropping one millibar per hour for 24 hours. NOAA’s Ocean Prediction Center said the storm’s minimum pressure dropped to 928 millibars around 1 a.m. Eastern time, which likely places it in the top five strongest storms on record in this region…”

Wednesday, December 30, 2015

Any publicity is good publicity? Nobody died so it's worth the risk? What (if anything) are they thinking?
Ashley Madison surges back, says 4.6M have joined infidelity website since data breach
… The extramarital affair website Ashley Madison says it has gained nearly 4.6 million members since hackers posted the names of the website's users in August. A counter on the site's front page claimed more than 43.4 million “anonymous members” Tuesday — up from about 38.9 million Aug. 18, the day hackers posted users' private information online.

I thought Microsoft and others wanted to get out of the “We can decrypt it” boondoggle?
ONE OF THE EXCELLENT FEATURES of new Windows devices is that disk encryption is built-in and turned on by default, protecting your data in case your device is lost or stolen. But what is less well-known is that, if you are like most users and login to Windows 10 using your Microsoft account, your computer automatically uploaded a copy of your recovery key — which can be used to unlock your encrypted disk — to Microsoft’s servers, probably without your knowledge and without an option to opt out.

Someone has been collecting useful tips & tricks.
How to delete your personal info. from the internet

What did they know that we didn't know? What did we know that we were worried they might know? Did they have a better argument than we did? Did they have facts that we didn't? (Should I believe that Israeli security is so poor their Prime Minister does not use an encrypted phone?)
US snooping on Israel also caught talks with lawmakers: report
The U.S. captured communications from Israeli Prime Minister Benjamin Netanyahu and his aides and swept up the content of private conversations with U.S. lawmakers, giving the Obama administration insight into Israel's lobbying efforts against the international nuclear deal with Iran, according to a new report.
The Wall Street Journal reported Tuesday that the National Security Agency (NSA) swept up information that White House officials considered valuable as it sought to counter Netanyahu's vocal opposition to the nuclear deal between Iran, the U.S. and other world leaders.
… The Journal also reported that White House officials were worried about the politics of asking for swept-up communications between Israeli officials and members of Congress, allowing the NSA to decide what to share.
"We didn't say, 'Do it,' " a senior U.S. official told the Journal. "We didn't say, 'Don't do it.' " [Oh, that makes everything okay then. Bob]

How much is 'not enough?'
Twitter cracks down on harassment by rearranging paragraphs in its terms of service
In the wake of former CEO Dick Costolo admitting the company "suck[s] at dealing with abuse," Twitter has devoted many blog posts to explaining how seriously it takes the issue. It hired more people to enforce its abuse policies, and added new tools for reporting harassment. And to cap off the year, today the company rearranged some paragraphs in its terms of service, and celebrated the move in a new blog post.
"The updated language emphasizes that Twitter will not tolerate behavior intended to harass, intimidate, or use fear to silence another user's voice," Megan Cristina, the company's director of trust and safety, wrote in a blog post. "As always, we embrace and encourage diverse opinions and beliefs — but we will continue to take action on accounts that cross the line into abuse." That sounded like a good thing, but when I pulled up Twitter's new rules, they looked an awful lot like Twitter's old rules.
The one significant addition is a new section that bans "hateful conduct" that targets users on the basis of their race, nationality, sexual orientation, gender, gender identity, age, disability, or disease. The rule also bans creating multiple accounts for the primary purpose of inciting harm toward others based on those categories. At the same time, the old harassment rules likely prevented this sort of behavior as well.
The truth is that updated rules are meaningless unless the company strictly enforces them.

Perspective. Something for my Data Management class? Interesting points.
At our Enterprise Information and Master Data Management Summit this year (back in the Spring) we mentioned, as part of the keynote, the phrase, “from information asset to information access”. See Information is the new source of economic value, May 2015. This perhaps innocuous phrase captures a significant part of the message from the keynote: the digital, now algorithm economy, will herald significant economic shifts.

Perspective. You have to ask, “Could this happen here?”
Amazon is about to go head-to-head with Britain's struggling supermarkets
… The news that Amazon is to ramp up its grocery delivery business will come as a blow to the “big four” supermarket chains – Tesco, Asda, Sainsbury’s and Morrisons – which are already under pressure as a result of changing shopping habits. Large grocers have been battling falling sales as households abandon the weekly shop in favour of discount supermarkets, regular local top-up shopping and online ordering.

For e-tourists.
Google provides digital walk through of British Museum exhibits
by Sabrina I. Pacifici on Dec 29, 2015

For readers.
32 Places to Get Free Kindle Books

Tuesday, December 29, 2015

This has been going on since TSA set up their screening protocol, not just for the last two years. Who reviews their procedures?
TSA increases screening of airport and airline employees
The Transportation Security Administration is increasing random checks of airport and airline employees who hold badges that enable them to bypass security checkpoints.
The decision follows instances in the past two years in which employees used restricted entrances to smuggle guns and launder money.
… The American memo, for instance, reminded employees that if they work in a secure area and plan to travel after their shift is over, they must exit the sterile area and go through TSA screening, with their carry-on luggage, in order to board a flight.

Interesting summary.
How does the Cybersecurity Act of 2015 change the Internet surveillance laws?
The Omnibus Appropriations Act that President Obama signed into law last week has a provision called the Cybersecurity Act of 2015. The Cyber Act, as I’ll call it, includes sections about Internet monitoring that modify the Internet surveillance laws. This post details those changes, focusing on how the act broadens powers of network operators to conduct surveillance for cybersecurity purposes. The upshot: The Cyber Act expands those powers in significant ways, although how far isn’t entirely clear.

For students studying Homeland Security and searching for all those keywords on the DHS watch list.
Here’s How to Search Google Without Being Tracked
… You could always use another search engine that’s privacy-focused (such as DuckDuckGo), but maybe you can’t pull yourself away from Google’s results. After all, Google is still the king of results.
Enter StartPage, a search engine that makes Google searches private. When you type your query, StartPage anonymously submits it to Google and displays the results back to you. By adding this middle man, your privacy is protected since Google is not placing tracking cookies on your browser or logging your IP address to associate you with those searches.

Perspective. What is Free?
China doesn't allow Facebook. Just because India does, that doesn't mean the country should welcome Facebook CEO Mark Zuckerberg's plan to carve the Internet into pocket boroughs, let alone his preaching that this is a great way to connect a billion people to their digital future.
Facebook's "Free Basics" service, which gave some wireless subscribers in India access to a clutch of pre-selected websites without having to pay data charges, was put in abeyance recently at the request of the Telecom Regulatory Authority of India. Activists say the program threatens net neutrality, the principle that all Internet sites should be equally accessible. The regulator is yet to decide whether a differential pricing regime for some websites or applications will be allowed.

(Related) The world according to Mark
Free Basics protects net neutrality
In every society, there are certain basic services that are so important for people’s wellbeing that we expect everyone to be able to access them freely.
We have collections of free basic books. They’re called libraries. They don’t contain every book, but they still provide a world of good.
We have free basic healthcare. Public hospitals don’t offer every treatment, but they still save lives.
We have free basic education. Every child deserves to go to school.
And in the 21st century, everyone also deserves access to the tools and information that can help them to achieve all those other public services, and all their fundamental social and economic rights.
That’s why everyone also deserves access to free basic internet services.

Where there's a market, there's a broker?
Here’s How You Can Exchange That Unwanted Gift Card
… Target is offering shoppers an easy way to exchange it, reported the Star Tribune.
The retail chain started a new trade-in program last month that allows customers to exchange various store gift cards for a Target gift card, usually at a de-valued rate. For example, if a customer wanted to trade a $100 Walmart gift card, he or she could get a $85 Target card in exchange.
… The process works much like existing gift card exchange websites, including and In fact, a shopper could get an even better deal for that $100 Walmart gift card on, which is a partner with Target. Based on what Fortune found on December 28, the store credit would amount to $93, delivered via check from CardPool.
However, Target’s program is all about convenience. The trade is instantaneous, and a customer can walk away immediately with their Target card in-hand.

Because you may not be paranoid enough.
How to Use Your Phone to Detect Hidden Surveillance Cameras at Home
… While it might seem like something straight out of a James Bond movie, it is possible to use your smartphone to detect hidden cameras, as well as other 007 devices. In general, two common methods are used to achieve this.
The first is by using the smartphone hardware to detect electromagnetic fields. With the installation of a single app, you can move your phone around the area you suspect a camera to be hidden, and if a strong field is detected, you can be sure there is a camera secreted within the wall or object.
Another way that smartphones can be used is by detecting light reflecting from a lens. While this method isn’t quite as reliable, it is still worth having such an app, if only to find small objects dropped on a carpet!
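The first method above amounts to reading the phone's 3-axis magnetometer and looking for a field noticeably stronger than the room's ambient one. As an added illustration (not code from the article or from any of the apps it refers to), the following Python sketch shows the threshold logic such an app needs: it uses the total field magnitude rather than the raw axes, so turning the phone does not produce a false spike, and it calibrates a robust baseline from the first few samples. The readings are constructed for this example, in microtesla as a phone's sensor API reports them; in practice any transformer, motor, speaker magnet or steel stud in the wall trips the same threshold, so a hit is a reason to look closer, not proof of a camera.

```python
import math
import statistics

# Constructed sweep of 3-axis magnetometer readings in microtesla (x, y, z).
# Samples 0-7 are the room's ambient field, 8-9 mimic passing the phone over a
# powered device with a transformer or motor, 10 is ambient again and 11 is the
# same ambient field read with the phone rotated 90 degrees.
SWEEP = [
    (21.0, -5.2, 41.3), (20.7, -5.0, 41.9), (21.3, -5.4, 41.1), (20.9, -4.9, 41.5),
    (21.1, -5.3, 41.2), (20.8, -5.1, 41.7), (21.2, -5.0, 41.4), (21.0, -5.2, 41.6),
    (60.2, 12.1, 88.4), (75.0, 20.3, 101.2),
    (22.1, -5.1, 41.0), (41.3, 21.0, -5.2),
]


def magnitude(sample):
    """Total field strength; independent of how the phone is held."""
    x, y, z = sample
    return math.sqrt(x * x + y * y + z * z)


def baseline(samples, n):
    """Robust centre and spread (median, MAD) of the first n samples."""
    mags = [magnitude(s) for s in samples[:n]]
    med = statistics.median(mags)
    mad = statistics.median([abs(m - med) for m in mags])
    return med, mad


def flag_anomalies(samples, n_baseline=8, k=6.0, mad_floor=2.0):
    """Indices whose field strength sits well above the calibrated baseline.

    mad_floor keeps the threshold from collapsing when the baseline is very
    quiet, which would otherwise flag ordinary sensor noise as a 'device'.
    """
    med, mad = baseline(samples, n_baseline)
    threshold = med + k * max(mad, mad_floor)
    return [i for i, s in enumerate(samples) if magnitude(s) > threshold]


if __name__ == "__main__":
    med, mad = baseline(SWEEP, 8)
    print(f"ambient field ~{med:.1f} uT (MAD {mad:.2f})")
    print("suspicious sample indices:", flag_anomalies(SWEEP))
```

The baseline must be taken in the same room, away from appliances, before the sweep begins; a phone calibrated outdoors and then carried past a refrigerator flags everything.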

(Related) On the other hand…
How to Use an Old Smartphone or Tablet as a Security Camera

Backup is good! (and easy)
Backing Up Your Microsoft Outlook Emails Made Simple
… Archiving and backing up emails is simply a matter of setting up Outlook to archive old emails to a special file, and then setting up a schedule to archive those files to some safe location for long-term storage. In this article you’ll see just how simple this process is.

New resources for my Statistics students.
Which Cities Share The Most Crime Data?
Open data has contributed to dramatic improvements in a wide array of fields over the past few decades, affecting how we look at astronomy, genetics, climate change, sports and more. But until recently, crime has gone without the open analysis prevalent in other fields because crime data has been closely held by law enforcement agencies and has usually only been released in bulk at monthly, quarterly or annual intervals.
Now, thanks to efforts from the federal government and individual municipalities, crime analysis is positioned for a leap forward as cities place unprecedented quantities of data online.
… Born out of recommendations from President Obama’s Task Force on 21st Century Policing, the initiative was launched in May to encourage police departments to “better use data and technology to build community trust.” As of late November, 27 agencies had committed to providing public access to law enforcement data as part of the initiative.

Denver Police Department

Monday, December 28, 2015

We could send everyone an email telling them why they would be fools not to vote for Donald Trump. Let's do it fast, before he does. Read this entire post, it's worth your time.
Personal, public, and some non-public information on 191 million registered voters exposed
– Efforts to identify database’s owner to notify them unsuccessful
– Database still exposed
A misconfigured database leaking the personal information of over 191 million voters was reported to by researcher Chris Vickery. This report includes some of the results of an investigation by Vickery,, and Steve Ragan of Salted Hash.

You probably didn't see this in the major news sources. Why?
Time Warner cable services go down Sunday in national outage
Troubles with its national network toppled Time Warner TV and Internet service Sunday afternoon from the Carolinas to California.

Should provide some amusement for my Computer Security students.
Seeking Anonymity in an Internet Panopticon
by Sabrina I. Pacifici on Dec 27, 2015
“The Dissent project is a research collaboration between Yale University and UT Austin to create a powerful, practical anonymous group communication system offering strong, provable security guarantees with reasonable efficiency. Dissent’s technical approach differs in two fundamental ways from the traditional relay-based approaches used by systems such as Tor:
  • Dissent builds on dining cryptographers and verifiable shuffle algorithms to offer provable anonymity guarantees, even in the face of traffic analysis attacks, of the kinds likely to be feasible for authoritarian governments and their state-controlled ISPs for example.
  • Dissent seeks to offer accountable anonymity, giving users strong guarantees of anonymity while also protecting online groups or forums from anonymous abuse such as spam, Sybil attacks, and sockpuppetry. Unlike other systems, Dissent can guarantee that each user of an online forum gets exactly one bandwidth share, one vote, or one pseudonym, which other users can block in the event of misbehavior.
Dissent offers group-oriented anonymous communication best suited for broadcast communication: for example, bulletin boards, wikis, auctions, or voting. Members of a group obtain cryptographic guarantees of sender and receiver anonymity, message integrity, disruption resistance, proportionality, and location hiding. For a high-level overview of Dissent and where it fits among various approaches to anonymous communication, see our article Seeking Anonymity in an Internet Panopticon, to appear in Communications of the ACM. For technical details we recommend starting with our CCS ’10, OSDI ’12, and USENIX Security ’13 papers describing the experimental protocols underlying Dissent. Also feel free to check out the source code at the link to the right, keeping in mind that it is an experimental prototype and not yet ready for widespread deployment by normal users.”
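The first bullet rests on the dining-cryptographers idea, which is compact enough to show end to end. The following Python block is an added example, not code from the Dissent project: every pair of members holds a shared secret (the key exchange is assumed to have happened already), each member expands those secrets into a per-round pad and publishes the XOR of its pads, and the XOR of all published values cancels every pad because each one was contributed exactly twice. The one member who also XORs in a message thereby broadcasts it without any single published value revealing who sent it. The PRF, slot size and group are all choices made for this illustration; the example also shows what happens when two members talk in the same round, which is the disruption/scheduling problem the verifiable shuffle in Dissent exists to solve.

```python
import hashlib
import hmac
import secrets
from itertools import combinations
from typing import Dict, Optional

SLOT_LEN = 16  # bytes per broadcast slot (chosen for this example)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_pad(shared_secret: bytes, round_no: int, length: int) -> bytes:
    """Expand a pairwise secret into a round-specific one-time pad.

    HMAC-SHA256 in counter mode stands in for the PRF. Both holders of the
    secret derive the identical pad, which is exactly what makes it cancel.
    """
    out = b""
    counter = 0
    while len(out) < length:
        label = round_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(shared_secret, label, hashlib.sha256).digest()
        counter += 1
    return out[:length]


class Member:
    def __init__(self, name: str):
        self.name = name
        self.shared: Dict[str, bytes] = {}  # peer name -> pairwise secret

    def round_output(self, round_no: int, message: Optional[bytes]) -> bytes:
        """XOR of all pairwise pads, plus the message if this member is sending."""
        out = bytes(SLOT_LEN)
        for secret in self.shared.values():
            out = xor_bytes(out, derive_pad(secret, round_no, SLOT_LEN))
        if message is not None:
            if len(message) > SLOT_LEN:
                raise ValueError("message does not fit the slot")
            out = xor_bytes(out, message.ljust(SLOT_LEN, b"\0"))
        return out


def setup_group(names):
    """Give every pair of members a fresh shared secret (key exchange assumed done)."""
    members = {n: Member(n) for n in names}
    for a, b in combinations(names, 2):
        s = secrets.token_bytes(32)
        members[a].shared[b] = s
        members[b].shared[a] = s
    return members


def run_round(members, round_no: int, messages: Dict[str, bytes]):
    """Collect every member's published value and combine them.

    Returns (outputs, slot): outputs is what an observer sees from each
    member, slot is the XOR of all of them, i.e. the anonymous broadcast.
    """
    outputs = {n: m.round_output(round_no, messages.get(n)) for n, m in members.items()}
    slot = bytes(SLOT_LEN)
    for o in outputs.values():
        slot = xor_bytes(slot, o)
    return outputs, slot


if __name__ == "__main__":
    group = setup_group(["alice", "bob", "carol"])
    outputs, slot = run_round(group, 1, {"bob": b"hello"})
    for name, value in outputs.items():
        print(f"{name:>5} publishes {value.hex()}")
    print("combined slot:", slot.rstrip(b"\0"))
    _, clash = run_round(group, 2, {"alice": b"aaaa", "carol": b"bbbb"})
    print("two senders in one round:", clash.hex())  # neither message survives
```

Two points the run makes concrete: an observer who sees all three published values learns the message but not its origin, since each value is the message (or nothing) masked by pads the observer does not hold; and the protocol itself has no notion of turn-taking, so a second sender, malicious or merely unlucky, garbles the slot for everyone, which is why Dissent adds scheduling and accountability on top of this core.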

Is this the perfect “Bad Example?”
Inside North Korea's Totalitarian Operating System
The goal of a totalitarian regime is to control everything in a country: information, resources, and power. In the 21st century, that even includes omnipotence over the code that the country's computers use.
Enter RedStar OS: North Korea's own Linux based operating system, designed to monitor its users and remain resilient to any attempts to modify or otherwise exert control over it. On Sunday at Chaos Communication Congress, a security, art, and politics conference held annually in Hamburg, Germany, researchers Niklaus Schiess and Florian Grunow presented their in-depth investigation of the third version of the operating system.
… whenever a USB storage device containing documents, photos or videos is inserted into a RedStar computer, the operating system takes the current hard-disk's serial number, encrypts that number, and then writes that encrypted serial into the file, marking it.
The purpose “is to track who actually has this file, who created this file, and who opened this file,” Schiess said.

Amazon lifts the veil on Prime
… The Prime service, an offering combining free two-day shipping on many items with access to video streaming, had a "record-setting" holiday, an Amazon press release said. More than 3 million members joined the service in the third week of December, bringing its total membership to "tens of millions," it said.
… Amazon also highlighted Monday that 200 million more items received free shipping this year, reaching a record. It added that holiday viewing hours of its Prime service's video-streaming doubled from a year earlier and music streaming globally rose 350 percent on the year.
… Earlier this month, Macquarie Capital analyst Ben Schachter told CNBC that his company estimated that around 25 percent of U.S. homes had already signed up for the Prime service. Macquarie estimates that by year-end, Amazon will capture 51 percent of U.S. e-commerce growth and 24 percent of retail growth.
The company can have a huge influence over online shopping in general. Earlier this month, the latest CNBC All-America Economic Survey found that 40 percent of all adults search Amazon "always" or "most of the time" when shopping online, compared to just 10 percent who say they never include Amazon in an online search.
Other figures from the survey were more striking: The conversion rate, or the number of visits to the website that result in a purchase, is massive. Some 50 percent of those Americans searching Amazon most frequently are actually making a purchase. That compares with the widely cited retail industry average for turning online searches into purchases at a mere 3 percent.

Potentially valuable tools. Add to your RSS feeds?
New on LLRX – Competitive Intelligence – A Selective Resource Guide
by Sabrina I. Pacifici on Dec 27, 2015
Via LLRX.com – Competitive Intelligence – A Selective Resource Guide. Sabrina I. Pacifici’s comprehensive current awareness guide focuses on leveraging a selected but wide range of reliable, topical, predominantly free websites and resources. The goal is to support an effective research process to search, discover, access, monitor, analyze and review current and historical data, news, reports, statistics and profiles on companies, markets, countries, people and issues, from a national and a global perspective. Sabrina’s guide is a “best of the Web” resource that encompasses search engines, portals, government sponsored open source databases, alerts, data archives, publisher specific services and applications. All of her recommendations are accompanied by links to trusted content targeted sources that are produced by top media and publishing companies, business, government, academe, IGOs and NGOs.

Sunday, December 27, 2015

Interesting. Are politicians immune as well as ignorant?
Kate Raddatz reports:
A Minneapolis City Council member is under fire for a series of tweets she posted online after attending the Black Lives Matter protest at the Mall of America this week.
The tweets published personal information of constituents who criticized her involvement in the protest.
Councilmember Alondra Cano, who represents Ward 9, tweeted out screen shots of what several constituents emailed her via the city’s public contact forum.
Apparently her tweets included their names, postal and e-mail addresses, and their comments.
Read more on CBS, while I ponder why Twitter didn’t suspend her account for posting personal information, in violation of their policies.

A most interesting forensic tale.
The Tax Sleuth Who Took Down a Drug Lord
… Back in the summer of 2013, it was not hard, even for Mr. Alford, to understand why it took him time to win over the others on the case.
… Mr. Alford also detected the sort of organizational frictions that have hindered communication between law enforcement agencies in the past.
… “I’m not high-tech, but I’m like, ‘This isn’t that complicated. This is just some guy behind a computer,’” he recalled saying to himself. “In these technical investigations, people think they are too good to do the stupid old-school stuff. But I’m like, ‘Well, that stuff still works.’ ”
Mr. Alford’s preferred tool was Google. He used the advanced search option to look for material posted within specific date ranges.

Interesting. I wonder if it's because there are no trees to fly into?
A Silicon Valley for Drones, in North Dakota