Saturday, May 07, 2016

There goes that Guinness World Record.
Garbage in, garbage out: Why Ars ignored this week’s massive password breach
Earlier this week, mass panic ensued when a security firm reported the recovery of a whopping 272 million account credentials belonging to users of Gmail, Microsoft, Yahoo, and a variety of overseas services.  "Big data breaches found at major email services" warned Reuters, the news service that broke the news.  Within hours, other news services were running stories based on the report with headlines like "Tech experts: Change your email password now."
Since then, both Google and a Russia-based e-mail service unveiled analyses that call into question the validity of the security firm's entire report.
"More than 98% of the Google account credentials in this research turned out to be bogus," a Google representative wrote in an e-mail.  "As we always do in this type of situation, we increased the level of login protection for users that may have been affected."  According to the report, the compromised credential list included logins to almost 23 million Gmail accounts.

Here's how I verify data breaches

A continuous process.  Nothing new there.  Perhaps if we combine IBM’s Watson with their Quantum Computer…
Mohit Kumar writes:
Defense Advanced Projects Agency (DARPA) is offering funding for security researchers who can help the agency to develop algorithms that can identify hackers under its new game-changing initiative called ‘Enhanced Attribution Program’.
Although organizations and countries give their best to identify cyber campaigns that infiltrated their critical infrastructure, tracking down the culprits has always been a difficult task — thanks to TOR, Virtual Private Networks (VPNs), and other methods used to hide the attack source.
However, through this new initiative, the United States military research agency DARPA hopes that agencies would quickly track and identify sophisticated hackers or criminal groups by monitoring their exact behavior and physical biometrics.
The aim of Enhanced Attribution program is to track personas continuously and create “algorithms for developing predictive behavioral profiles.”
“The goal of the Enhanced Attribution (EA) program is to develop technologies for generating operationally and tactically relevant information about multiple concurrent independent malicious cyber campaigns, each involving several operators; and the means to share such information with any of a number of interested parties without putting at risk the sources and methods used for collection,” reads the project’s official site.
In other words, the Enhanced Attribution Program will not only help the government characterize the cyber criminal but also share the criminal’s modus operandi with potential victims and predict the attacker’s next target.
Read more on The Hacker News.
Wait… “without putting at risk the sources and methods used for collection?”  That sounds to me like a response to recent court cases where the government has dismissed cases rather than reveal their surveillance methods.

Does Congress know about this?  Do computers have a “Right to Privacy?”  Perhaps a “Right to be left alone?”
Lindsay Tonsager writes:
In a blog post published on the Federal Trade Commission (FTC) website, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, recently stated that:
“we regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device.  In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.”
The post (which reiterates Ms. Rich’s remarks at the Network Advertising Initiative’s April meeting) suggests a shift in the FTC’s treatment of IP addresses and other numbers that identify a browser or device.  The FTC previously has taken the position that browser and device identifiers are deserving of privacy protections, but the FTC generally has avoided classifying these identifiers as equivalent to personally identifiable information (such as name, email, and address) except in the narrow context of children’s privacy.
Read more on Covington & Burling Inside Privacy.

I don’t post much from Kellogg.  I’m not sure why that is.
Is Reading Someone’s Emails Like Entering Their Home?
   In the late nineteenth century, when considering laws about intercepting confidential messages, Congress debated whether the telegraph was comparable to the postal service.  Protecting the privacy of a telegram, after all, only made sense if everyone agreed that telegrams were analogous to personal letters—a view that, though it never became an official act of Congress, was eventually supported by state laws.
But the rise of electronic communications has made this analogical reasoning even more of a headache.  By 1995, courts were debating whether encryption software belonged on a list of regulated munitions (alongside bombs and flamethrowers) or whether encryption was in fact a “language act” protected by the first amendment.

Wouldn’t this fall under the same exemption as your fingerprints?  It’s pretty hard NOT seeing your face, does a photograph make that much of a difference?
Defeat for Facebook in Court Is Bad News for Firms That Scan Faces
Who owns your face?
A California judge on Thursday ruled against Facebook in a lawsuit that says the company violated user privacy by scanning their faces without permission and inviting others to “tag” them in photographs.
The case is significant because it’s one of the first to test the boundaries of how companies use facial recognition software, a rapidly-advancing technology that treats faces as the modern-day equivalent of a fingerprint.  (At Facebook, the company has internally referred to the tool as a “faceprint.”)
   In the ruling, which you can read here, U.S. District Judge James Donato agreed that Facebook’s scanning and tagging feature qualified as a use of biometric identifier covered by the statute.  On a key procedural issue, he refused Facebook’s request to decide the case under California law, where companies don’t face restrictions on the use of biometrics.

Statistically backed assertions. 
   How large is this secret ECPA docket?  Extrapolating from a Federal Judicial Center study of 2006 federal case filings, I have estimated that more than 30,000 secret ECPA orders were issued that year alone.  Given recent DOJ disclosures, the current annual volume is probably twice that number.  And those figures do not include surveillance orders obtained by state and local authorities, who handle more than 15 times the number of felony investigations that the feds do.  Based on that ratio, the annual rate of secret surveillance orders by federal and state courts combined could easily exceed half a million.  Admittedly this is a guess; no one truly knows, least of all our lawmakers in Congress.  That is precisely the problem.

Some interesting (or at least amusing) speculation.
Panama Papers Source Offers to Aid Inquiries if Exempt From Punishment
The anonymous source behind the huge leak of documents known as the Panama Papers has offered to aid law enforcement officials in prosecutions related to offshore money laundering and tax evasion, but only if assured of protection from punishment.
“Legitimate whistle-blowers who expose unquestionable wrongdoing, whether insiders or outsiders, deserve immunity from government retribution,” the source, who has still not revealed a name or nationality, said in a statement issued Thursday night.

This should amuse my researching students.
OSoMe: The IUNI observatory on social media
by Sabrina I. Pacifici on
OSoMe: The IUNI observatory on social media. PeerJ Preprints 4:e2008v1
“The study of social phenomena is becoming increasingly reliant on big data from online social networks.  Broad access to social media data, however, requires software development skills that not all researchers possess.  Here we present the IUNI Observatory on Social Media, an open analytics platform designed to facilitate computational social science.  The system leverages a historical, ongoing collection of over 70 billion public messages from Twitter.  We illustrate a number of interactive open-source tools to retrieve, visualize, and analyze derived data from this collection.  The Observatory, now available at, is the result of a large, six-year collaborative effort coordinated by the Indiana University Network Science Institute.”

Wisdom from my favorite statistical website.  (I think #4 will become critical)
The Four Things I Learned From The Donald Trump Primary
1. Don’t rule out the ahistorical when there’s little history.
2. Take a nuanced view of the polls.
3. Maybe favorability ratings aren’t as hard to change as we thought.
4. Don’t assume the party knows what it’s doing.
Let’s give some credit to Trump himself!  No, I don’t think that Trump is a strategic and tactical mastermind who planned every move he made, or even that every move was successful.  On the whole, though, more of what he did worked than didn’t work.  Trump generated a ton of free media coverage; that helped him.  He was willing to challenge Republican orthodoxy; that, at the very least, didn’t hurt him.  I don’t know whether he’s built a new political coalition or the Trump phenomenon is sui generis, but whatever the guy did, it worked.

Universities developing cybersecurity degrees to fill jobs gap
If they want to continue to protect our nation’s most valuable data from cyber-attacks, leading security practitioners need to look to the future of the security industry and develop ways to grow the talent needed to fill the looming jobs gap.

My Saturday sillies.
Hack Education Weekly News
   The Justice Department has warned North Carolina that its new anti-trans bathroom law violates the Civil Rights Act.  According to the AP, “North Carolina’s prized public universities could be the biggest losers as state leaders defend a new law limiting the rights of LGBT people.  The 17-university system, which includes the University of North Carolina at Chapel Hill and North Carolina State University as well several historically black colleges, risks losing more than $1.4 billion in federal funds if the Republicans who run the Legislature don’t reverse the law.  The U.S. Justice Department wants an answer by the end of business on Monday.”  The new head of the UNC system, “Margaret Spellings Is Caught Between Her State and the Federal Government.  Now What?” asks The Chronicle of Higher Education.
   Via Inside Higher Ed: “The Federal Trade Commission announced Thursday that the operators of agreed to settle deception charges. is an education lead-generation company based in Orlando, Fla., that claims to prescreen job applicants for employers. However, the company was instead gathering information for for-profit colleges and career training programs, according to the FTC.”

For my Computer Security and Ethical Hacking students.
Pay What You Want for the Ethical Hacker and Pentester Pro Learning Bundle
   Anyone can start learning them with the Ethical Hacker and Pentester Pro Bundle at MakeUseOf Deals.
It combines nine high-quality video courses, and you can pay what you want for the tuition.  Read on to find out more.
   All of these courses come with lifetime access, and you can stream the lessons on desktop and mobile devices.  Best of all, you can claim a certificate of completion to put on your CV when you master each subject.
   You can name your price on the last two courses in this deal, but to unlock the full bundle, you simply need to beat the average price paid.  These nine courses are normally worth $1,431 put together, so grab the bundle now to enjoy a huge markdown!
