Sunday, May 22, 2016

Look what I found…  Too late for my students to submit papers.
Symposium on Usable Privacy and Security (SOUPS)
(co-located with the 2016 USENIX Annual Technical Conference, June 22–24, 2016)
Denver Marriott City Center, 1701 California Street, Denver, CO 


I’d like to share the emails with my Computer Security students.  They must be pretty convincing.  What information would you have to supply to make the emails believable? 
KWCH reports that the Barton County Treasurer’s Office has become the latest victim of an email scam that resulted in a wire transfer of $48,000 to a bank in Georgia.
Barton County Sheriff Brian Bellandir said on May 13, the treasurer’s office received several emails which appeared to be from the Barton County Administrator’s Office.
The emails instructed $48,000 be transferred by bank wire from the county general fund to a bank in Georgia.
On May 17, an employee of the treasurer’s office requested information as to how the transfer should be recorded.  The County Administrator’s Office replied and said it had no knowledge of the transfer.
Read more on KWCH.


Tools and techniques.  Is this feature available on all smartphones and could my Ethical Hackers use it to find anyone?  (This is similar to one method used for targeting missiles.)  
Gay Dating Apps Promise Privacy, But Leak Your Exact Location
   I installed the gay hookup app Grindr.  I set my profile photo as a cat, and carefully turned off the “show distance” feature in the app’s privacy settings, an option meant to hide my location.  A minute later I called Nguyen Phong Hoang, a computer security researcher in Kyoto, Japan, and told him the general neighborhood where I live in Brooklyn.
   Within fifteen minutes, Hoang had identified the intersection where I live.  Ten minutes after that, he sent me a screenshot from Google Maps, showing a thin arc shape on top of my building, just a couple of yards wide.  “I think this is your location?” he asked.  In fact, the outline fell directly on the part of my apartment where I sat on the couch talking to him.
Hoang says his Grindr-stalking method is cheap, reliable, and works with other gay dating apps like Hornet and Jack’d, too.  (He went on to demonstrate as much with my test accounts on those competing services.)  In a paper published last week in the computer science journal Transactions on Advanced Communications Technology, Hoang and two other researchers at Kyoto University describe how they can track the phone of anyone who runs those apps, pinpointing their location down to a few feet.
   If Grindr or a similar app tells you how far away someone is—even if it doesn’t tell you in which direction—you can determine their exact location by combining the distance measurement from three points surrounding them, as shown in the image
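
The geometry in the excerpt above, as an added example (not from the article or the researchers' paper): a planar trilateration solver used to measure how much position precision a service gives away when it rounds the distance it reports. The coordinates, observer points and the `step` parameter are constructed assumptions, in metres on a flat plane.

```python
import math

def trilaterate(observers, distances):
    """Solve for (x, y) from three observer points and their distances.

    Subtracting the first circle equation from the other two leaves a
    2x2 linear system, solved here with Cramer's rule.
    """
    (x1, y1), (x2, y2), (x3, y3) = observers
    d1, d2, d3 = distances
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = d1**2 - d2**2 + x2**2 + y2**2 - x1**2 - y1**2
    b2 = d1**2 - d3**2 + x3**2 + y3**2 - x1**2 - y1**2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        # Three points on one line cannot disambiguate the position.
        raise ValueError("observers are collinear; position is ambiguous")
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - a21 * b1) / det)

def reported_distance(true_distance, step):
    """Distance as a service would report it, rounded to `step` metres."""
    if step <= 0:
        return true_distance  # step 0 models an unrounded report
    return round(true_distance / step) * step

def location_error(target, observers, step):
    """Metres between the true position and what the reports reveal."""
    reports = [reported_distance(math.dist(target, o), step) for o in observers]
    estimate = trilaterate(observers, reports)
    return math.dist(target, estimate)

# Constructed sample layout: three observation points and one true position.
OBSERVERS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]
TARGET = (320.0, 410.0)

if __name__ == "__main__":
    for step in (0, 100, 1000):
        err = location_error(TARGET, OBSERVERS, step)
        print(f"rounding step {step:>4} m -> position error {err:7.2f} m")
```

In this constructed layout a 100 m rounding step still leaves the position recoverable to within about 34 m, so rounding the displayed value coarsens the leak rather than removing it.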


The National Telecommunications and Information Administration (part of the Department of Commerce) spent a year (and probably lots of my tax dollars) coming up with this?  I am not impressed. 
Stephanie Condon reports:
After working for the past year with consumer privacy advocates, industry groups and companies like Amazon, a U.S. federal agency has finally released a set of drone privacy guidelines.
The guidelines, from the National Telecommunications and Information Administration (NTIA), focus on protecting personally identifiable information but leave plenty of room for big data collection.  The NTIA guidelines are currently completely voluntary, but they do represent the first step in creating federal drone privacy standards.
Read more on ZDNet.
See also Covington & Burling Inside Privacy for their summary of the guidelines.
[In short: 
1. If you can, tell other people you’ll be taking pictures or video of them before you do.
2. If you think someone has a reasonable expectation of privacy, don’t violate that privacy by taking pictures, video, or otherwise gathering sensitive data, unless you’ve got a very good reason.
3. Don’t fly over other people’s private property without permission if you can easily avoid doing so.
4. Don’t gather personal data for no reason, and don’t keep it for longer than you think you have to.
5. If you keep sensitive data about other people, secure it against loss or theft.
6. If someone asks you to delete personal data about him or her that you’ve gathered, do so, unless you’ve got a good reason not to.
7. If anyone raises privacy, security, or safety concerns with you, try and listen to what they have to say, as long as they’re polite and reasonable about it.
8. Don’t harass people with your drone.]

(Related)
FAA Releases Drone Registration Location Data
by Sabrina I. Pacifici on
“The Federal Aviation Administration (FAA) posted [May 18, 2016] a large database showing the city, state and zip code of each registered drone owner.  Release of the database responds to a number of Freedom of Information Act (FOIA) requests submitted since the new unmanned aircraft registration system began operating on December 21, 2015.  The FAA is not posting the names and street addresses of registered owners because the data is exempt from disclosure under a FOIA exemption that protects information in agency files from a clearly unwarranted invasion of personal privacy.  The FAA based its determination to post only city, state and zip code on several factors, including, in part, that many of the registrants are minors and only hobbyists or recreational users.  In addition, when the FAA published its Federal Register notice pertaining to the new unmanned aircraft registration system it specifically advised the public that name and addresses would only be available by the registration number issued to the registrant.  For these reasons, the FAA believes the privacy interest in such data outweighs any public interest.  


Might be useful.
Microsoft Academic: intelligent bots at your service
by Sabrina I. Pacifici on
Microsoft Research Blog: “Progress in AI research and applications is exploding, and that explosion extends to our own team working on academic services.  Continuing our work supercharging Bing and Cortana, we are also applying new technologies to Microsoft Academic, which serves the research community.  If you’re not familiar with Microsoft Academic, this online destination helps researchers connect with the papers, conferences, people, and ideas that are most relevant, using bots that read, understand, and deliver the scientific news and papers researchers need to further their work.  Designed by and for researchers like myself, the site puts the broadest and deepest set of scientific information at your fingertips, with the ability to go beyond keywords to the contextual meaning of the content.  Recently, we further enhanced the analytic content so users can see the latest research, news, and people, ranked by importance and credibility.  Users can even drill down on the people, events, and institutions they care most about.  Behind the scenes, we are taking advantage of the fact that machines do not require time to sleep or eat, and have superior memory to humans. We have trained our AI robots to read, classify, and tag every document published to the web in real time.  The result is a massive collection of academic knowledge we call the Microsoft Academic Graph (MAG), which is growing at roughly 1 million articles per week.  While one set of robots is busy gathering knowledge from the web, another set of robots is dedicated to analyzing citation behaviors and computing the relative importance of each node in the MAG so that users are always presented with information they need and want…”
