Saturday, January 02, 2016

More like hacker “wanna be”
'Anti-IS group' claims BBC website attack
… The group, calling itself New World Hacking, said it had carried out the attack as a "test of its capabilities".
… "We realise sometimes what we do is not always the right choice, but without cyber hackers... who is there to fight off online terrorists?
"The reason we really targeted [the] BBC is because we wanted to see our actual server power."
Earlier, New World Hacking had said: "It was only a test, we didn't exactly plan to take it down for multiple hours. Our servers are quite strong."
… Ownz said his group used a tool called Bangstresser - created by another US-based "hacktivist" - to direct a flood of traffic against the BBC, and had supplemented the attack with requests from its own personal computer servers.

A cautionary tale for my Computer Security students.
2016 Reality: Lazy Authentication Still the Norm
My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang tied to the jihadist militant group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.
On Christmas Eve morning, I received an email from PayPal stating that an email address had been added to my account. I immediately logged into my account from a pristine computer, changed the password, switched my email address back to the primary contact address, and deleted the rogue email account.
I then called PayPal and asked how the perpetrator had gotten in, and was there anything else they could do to prevent this from happening again? The customer service person at PayPal said the attacker had simply logged in with my username and password, and that I had done everything I could in response to the attack. The representative assured me they would monitor the account for suspicious activity, and that I should rest easy.
Twenty minutes later I was outside exercising in the unseasonably warm weather when I stopped briefly to check email again: Sure enough, the very same rogue email address had been added back to my account. But by the time I got back home to a computer, my email address had been removed and my password had been changed. So much for PayPal’s supposed “monitoring;” the company couldn’t even spot the same fraudulent email address when it was added a second time.
… In my second call to PayPal, I insisted on speaking with a supervisor. That person was able to tell me that, as I suspected, my (very long and complex) password was never really compromised. The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.
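The pattern described above, the same rogue address being added back shortly after the account owner removed it, is exactly the kind of change that account monitoring ought to catch on its own. The following is an added example and not code from the Krebs on Security post or from PayPal: it replays a constructed contact-change log and flags any address that is re-added to an account within a window of having been removed. The log format, field names, account and address values, channel labels and the 24-hour window are all assumptions made for illustration.

```python
"""Flag a contact address that is re-added soon after the owner removed it.

Added example, not from the original post or from PayPal. The event format,
account and address values and the 24-hour window are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ContactEvent:
    ts: datetime
    account: str
    action: str    # "email_added" or "email_removed"
    email: str
    channel: str   # "web" (self-service) or "support_reset" (agent-assisted)


def parse_event(line: str) -> ContactEvent:
    """Parse one constructed log line: <iso-time> <account> <action> <email> <channel>."""
    ts, account, action, email, channel = line.split()
    return ContactEvent(datetime.fromisoformat(ts), account, action, email.lower(), channel)


def find_readded_contacts(lines: Iterable[str], window_hours: float = 24.0
                          ) -> List[Tuple[str, str, datetime, str]]:
    """Return (account, email, time, channel) for every address that is added
    back to an account within `window_hours` of being removed from it.

    A single pass keeps the most recent removal time per (account, email);
    an add that lands inside the window is an alert regardless of channel,
    because the owner's own removal is the strongest signal that the address
    is unwanted.
    """
    window = timedelta(hours=window_hours)
    last_removed = {}   # (account, email) -> datetime of most recent removal
    alerts = []
    for line in lines:
        ev = parse_event(line)
        key = (ev.account, ev.email)
        if ev.action == "email_removed":
            last_removed[key] = ev.ts
        elif ev.action == "email_added":
            removed_at = last_removed.get(key)
            if removed_at is not None and ev.ts - removed_at <= window:
                alerts.append((ev.account, ev.email, ev.ts, ev.channel))
    return alerts


# Constructed sample log: an address added via a support reset, removed by the
# owner, added back again via support twenty minutes later, then a legitimate
# self-service change, then the same address again two days later.
SAMPLE_LOG = """\
2015-12-24T07:58:00 acct42 email_added attacker@example.com support_reset
2015-12-24T08:10:00 acct42 email_removed attacker@example.com web
2015-12-24T08:31:00 acct42 email_added attacker@example.com support_reset
2015-12-24T09:00:00 acct42 email_added owner-alt@example.com web
2015-12-26T10:00:00 acct42 email_added attacker@example.com web
""".splitlines()


if __name__ == "__main__":
    for account, email, ts, channel in find_readded_contacts(SAMPLE_LOG):
        print(f"ALERT {account}: {email} re-added at {ts.isoformat()} via {channel}")
```

Only the 08:31 re-add trips the rule: the 09:00 change is a different address, and the 12-26 add falls outside the 24-hour window. In a real system the alert would gate the change behind a step-up check (a second factor, or at least a confirmation to the previously verified address) rather than merely logging it, and a change made through the support channel would be scored more strictly than a self-service one.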

Might make an interesting student paper: “What are your employees authorized to do?”
Amy R. Worley writes:
As the year draws to a close, employer claims under the Computer Fraud and Abuse Act (“CFAA”) against departing employees for stealing or otherwise diverting employer information without authorization to do so are dying slow deaths in many federal courts across the nation. As noted over on the Non-Compete and Trade Secrets Report, the U.S. federal circuits are split regarding whether an employee acts “without authorization” under CFAA when he or she steals employer confidential data at or near termination. The Second, Ninth and Fourth Circuits hold that as long as the employee was permitted to be on a computer for any purpose, diversion of employer information is “authorized” under CFAA. In contrast, the First, Fifth, Seventh, and Eleventh Circuits have adopted a broad construction, allowing CFAA claims alleging an employee misused employer information that he or she was otherwise permitted to access.
Now, in North Carolina at least, employers may have better luck fighting malevolent employees under the North Carolina statutory corollary to CFAA.

What is “appropriate?” What can the software do and what is inappropriate?
Andrea Castillo reports:
The American Civil Liberties Union recently slammed Fresno Police Department for testing social media screening programs, suggesting police could use them to monitor protest groups and accusing the department of keeping the public in the dark about the testing.
But police say they’ve only been testing services for possible use in monitoring violent crime and terrorism – not for spying on critics. They add that the public will get a chance to weigh in when a final recommendation goes before the City Council.
Read more on The Fresno Bee.
[From the article:
Fresno police last year participated in free trials from the social media monitoring programs Geofeedia, LifeRaft and Media Sonar. They remain on an extended free trial for Beware, a data-mining program that includes social media and, upon request, assigns a “threat rating” to people and addresses.
Fresno activists alerted ACLU representatives about Beware earlier this year. So the ACLU sent out a Public Records Act request to find out how the police department was tracking social media, and got 88 pages of documents in return.
… Casto said social media is currently used only once officers have the name of a suspect and can look them up like anyone else would.
“If someone was threatening to bring a gun to a specific high school or mall we could do a geofence (using Google maps) and monitor for a gun or mass shooting,” he said. [Doesn't that contradict the previous sentence? Bob]

Does this kill those “shoplifter identification” databases? How about known card sharps in casinos?
Wendy Davis reports:
In a first, a federal judge has ruled that a biometric privacy law in Illinois potentially prohibits Web companies from compiling databases of faceprints.
U.S. District Court Judge Charles Norgle in Illinois this week rejected online photo service Shutterfly’s bid to dismiss a lawsuit alleging that it violated the Illinois Biometric Information Privacy Act. That law, which dates to 2008, prohibits companies from storing people’s “biometric identifiers,” including scans of face geometry, without their consent.
Read more on MediaPost. This could be a game-changer.

In short, “It depends...”
Measuring Privacy: Using Context to Expose Confounding Variables
by Sabrina I. Pacifici on Jan 1, 2016
Martin, Kirsten E. and Nissenbaum, Helen, Measuring Privacy: Using Context to Expose Confounding Variables (December 31, 2015). Available for download at SSRN:
“Past privacy surveys often omit important contextual factors and yield cloudy, potentially misleading results about how people understand and value privacy. We revisit two historically influential measurements of privacy that have shaped discussion about public views and sentiments as well as practices and policies surrounding privacy: (1) Alan Westin’s series of surveys establishing that people in their valuations of privacy persistently fall into three categories: fundamentalists, pragmatists, and unconcerned and (2) Pew Foundation’s survey of individuals’ ratings of ‘sensitive’ information. We find, first, the relative importance of types of sensitive information on meeting privacy expectations is highly dependent on the contextual actor receiving the information as well as the use of information. Respondents differentiate between contextual, appropriate use of information and the commercial use of information. Second, Westin’s privacy categories were a relatively unimportant factor in judging privacy violations of different scenarios. Even privacy unconcerned respondents rated the vignettes to not meet privacy expectations on average, and respondents across categories had a common vision of what constitutes a privacy violation. While groups differed slightly, contextual factors explained the tremendous variation within Westin’s groups. In sum, respondents were highly nuanced in their judgments about information by taking into consideration the context, actor, and use as well as the type of information. In addition, respondents had common concerns about privacy across Westin’s privacy categories. Significant for public policy, we demonstrate that teasing out confounding variables reveals significant commonality across respondents in their privacy expectations. For firms, our work reveals that respondents’ judgments of privacy violation are highly sensitive to how the information is shared and used after disclosure.”

Gosh, does TSA know about this? What does the Constitution say?
Papers, Please! wants you to know that no matter what the TSA suggests, you don’t need to show any ID to fly:
We’re quoted in an article today in the New York Times about the Federal government’s efforts to use the threat of denial of air travel to scare state legislators into connecting their state drivers license and ID databases to the distributed national “REAL-ID” database through the REAL-ID “hub” operated by the American Association of Motor Vehicle Administrators (AAMVA).
We welcome the Times’ coverage of this issue. But some readers might be misled by the Times’ headline, “T.S.A. Moves Closer to Rejecting Some State Driver’s Licenses for Travel“.
As Edward Hasbrouck of the Identity Project, who was quoted in the New York Times story, discussed in detail in this presentation earlier this year at the Cato Institute in Washington, the most important thing you need to know about this issue is that you do not — and you will not, regardless of how or when the TSA “implements” the REAL-ID Act — need to show any ID to fly. People fly, legally, every day, without showing any ID, and that will continue to be the case. You have a legal right to fly, and the REAL-ID Act does not and cannot deprive you of that right.
Read more on Papers, Please!

U.S. says its Internet speeds triple in three-and-a-half years
… The Federal Communications Commission (FCC) said in a report on Wednesday average download connection speeds had increased to nearly 31 megabits per second (Mbps) in September 2014 from about 10 Mbps in March 2011.
… The FCC says video accounts for more than 60 percent of U.S. Internet traffic, a figure that may rise to 80 percent by 2019.
Still, the United States only ranks 25 out of 39 nations in 2013, according to the FCC.
… To read the complete 2015 Measuring Broadband America report, visit:

Inevitable. Pander to the Great Unwashed and eventually someone will notice the smell.
Qaeda Affiliate Uses Video of Donald Trump for Recruiting
Al Qaeda’s branch in Somalia released a recruitment video on Friday that criticized racism and anti-Muslim sentiment in the United States and contained footage of the Republican presidential candidate Donald J. Trump announcing his proposal to bar Muslims from entering the country.

Interesting. Because I'm cheap enough to appreciate free stuff. (And because Winston Churchill is on the list.)
The Public Domain Review Class of 2016
by Sabrina I. Pacifici on Jan 1, 2016
“Founded in 2011, The Public Domain Review is an online journal and not-for-profit project dedicated to the exploration of curious and compelling works from the history of art, literature, and ideas. In particular, as our name suggests, the focus is on works which have now fallen into the public domain, that vast commons of out-of-copyright material that everyone is free to enjoy, share, and build upon without restriction. Our aim is to promote and celebrate the public domain in all its abundance and variety, and help our readers explore its rich terrain – like a small exhibition gallery at the entrance to an immense network of archives and storage rooms that lie beyond…”
  • “Pictured [here] is our top pick of those whose works will, on 1st January 2016, be entering the public domain in many countries around the world. Of the eleven featured, five will be entering the public domain in countries with a ‘life plus 70 years’ copyright term (e.g. most European Union members, Brazil, Israel, Nigeria, Russia, Turkey, etc.) and six in countries with a ‘life plus 50 years’ copyright term (e.g. Canada, New Zealand, and many countries in Asia and Africa) — those that died in the year 1945 and 1965 respectively. As always it’s a sundry and diverse rabble who’ve assembled for our graduation photo – including two of the 20th century’s most important political leaders, one of Modernism’s greatest poets, two very influential but very different musicians, and one of the most revered architects of recent times…”

The fun never stops.
Hack Education Weekly News
… Happy New Year. From US News & World Report: “For technology companies in California, ringing in the New Year will mean adjusting to a new privacy law that limits how they can collect and use student data. The data privacy legislation was originally signed into law by Gov. Jerry Brown in 2014 and goes into effect Jan. 1. It prohibits the operators of education websites, online services and apps from using any student’s personal information for targeted advertising or creating a commercial profile, as well as the selling of any student’s information.”
