Monday, August 29, 2016

A local kerfuffle.
Back in May and then again in July, I noted several articles about Lewis-Palmer School District 38 in Colorado.
A parent had raised concerns about whether the Infinite Campus platform might have compromised more than 2,000 students’ personal and academic information.  The parent also alleged that the district had known about the problem since September but had taken no action to address the security concerns.
Sherrie Peif of The Complete Colorado described it as a “probable” security breach and reported that after being walked through the process, they discovered that
anyone could easily access the personal information of any student in the district, including names, addresses, and phone numbers for students, parents, siblings, and emergency contacts; schedules; attendance records; grades; locker numbers and combinations; transportation details, including where and when bus pickups take place; and health records.
Rather than forthrightly acknowledge the problem and address it, the district had taken the position that maybe there was a vulnerability but that anyone who exploited it would be engaging in criminal conduct. [Does that make them guilty of  aiding and abetting any crime committed with their data?  Bob]  On further investigation, and having discovered that some files were accessed, they shut down the student portal access and student accounts.
Bill Fitzgerald commented on the original post and then wrote his own article on the security concerns and the district’s response.
In July, the district reported that an independent investigation had concluded that no security breach or compromise of student information had occurred in May.
But now the district is trying to get criminal charges filed against the concerned parent who raised the issue and kept calling attention to it.
And that’s just plain wrong on so many levels.
The Complete Colorado, which has been doing an admirable job of local investigative reporting, revealed more about the vulnerability, and from their description, the parent was absolutely justified in sounding alarms and persisting in trying to get the inadequate security remedied:
The district uses Google Apps for Education (GAFE), a hosting solution by Google that incorporates Google mail, calendar, and chat services.  Lewis-Palmer used it for student email accounts, which at that time consisted of the student’s district identification number. system [sic] used by the district allowed anyone with email address in the system to download a complete contact list of district students.  The list identified students’ names and district email addresses.  Because student email accounts were comprised of the student ID, anyone who gained access to this list only needed to know the students’ birthdays to access another program, Infinite Campus, which contains the personal data of possibly thousands of students.
Pfoff and others maintain there was additional knowledge needed to gain access or “advanced cracking skills,” but they have not addressed the fact that information was provided by the district on the home page of the Infinite Campus website for nearly three years.  On Aug. 9, 2013 the district posted: “Due to a security enhancement within Infinite Campus, your network and IC passwords have been changed!  You must now enter the prefix LP@ before your regular birthday password (i.e. LP@031794).”
It is unknown how many contact lists were downloaded and shared over that time.  But the district only contracted for the last year to be scrutinized.
Read more on The Complete Colorado, where they also provide a chronology of this case and information from a recorded conversation between a parent and school district personnel.
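As an added illustration (not code from The Complete Colorado or the district), the sketch below is a password-policy check that rejects the birthday-derived passwords the quoted notice describes, and measures how small that scheme's search space is. The "LP@" prefix and MMDDYY layout come from the quoted notice; the other date formats, the birth-year range and the function names are assumptions.

```python
from datetime import date
from math import log2

# "LP@" and the MMDDYY layout are taken from the district notice quoted above.
# The remaining formats are assumed common variants a policy should also reject.
PUBLIC_PREFIXES = ("", "LP@")
DATE_FORMATS = ("%m%d%y", "%m%d%Y", "%d%m%y", "%y%m%d", "%Y%m%d")


def dob_derived_variants(dob):
    """Strings that anyone who knows the birthday and the public prefix can write down."""
    return {prefix + dob.strftime(fmt)
            for prefix in PUBLIC_PREFIXES
            for fmt in DATE_FORMATS}


def is_dob_derived(password, dob):
    """True if the proposed password is just the user's birthday, with or without the prefix."""
    known = {v.casefold() for v in dob_derived_variants(dob)}
    return password.casefold() in known


def scheme_keyspace(first_birth_year, last_birth_year):
    """Distinct passwords under a fixed prefix + MMDDYY for the given birth-year range.

    A published prefix adds nothing, so the count is simply the number of calendar days.
    """
    span = date(last_birth_year, 12, 31) - date(first_birth_year, 1, 1)
    return span.days + 1


def keyspace_bits(size):
    """Entropy in bits of a uniformly chosen secret from a space of `size` values."""
    return log2(size)


if __name__ == "__main__":
    # Constructed sample: the birthday implied by the notice's own example password.
    sample_dob = date(1994, 3, 17)
    print(is_dob_derived("LP@031794", sample_dob))   # rejected by the policy
    # Assumed enrollment: birth years 1998 through 2010.
    size = scheme_keyspace(1998, 2010)
    print(size, round(keyspace_bits(size), 1))
    # For comparison: 8 random characters drawn from 62 alphanumerics.
    print(round(keyspace_bits(62 ** 8), 1))
```

Run at password-set time, a check like this blocks the default scheme outright; the bit counts show why a published prefix does not count as a "security enhancement".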

For my students who use the Opera browser.
Opera sync system hacked, passwords of 1.7 million users reset
Opera says the sync feature on its browsers was recently hacked, and data of some of its users was compromised.  As a security measure, the Norway-based software firm is forcing all sync users to reset their passwords.

Update.  If true, I hope they bought lots of “Call” options.  If false, God help them – I guess they’ll try to make it to Brazil before anyone finds out.  Their statement reads like wishful thinking by their lawyers.  Have they actually tried the hack MedSec says works? 
St. Jude Refutes Medical Device Vulnerability Claims
   According to a report published on Thursday by MedSec and Muddy Waters, St. Jude’s products lack proper encryption and authentication.  While the report contains only limited technical details, MedSec says it has developed proof-of-concept exploits that could be used to cause cardiac devices to malfunction or drain their battery at a very fast rate.
Instead of reporting its findings to St. Jude through the company’s responsible disclosure program, MedSec contacted Muddy Waters, which used the information to short St. Jude stock.
   In a statement published on its website on Friday, St. Jude said it examined the allegation made by Muddy Waters and MedSec and determined that the report is “false and misleading.”

Update.  More details on the ATM theft my students found so amusing.  Sounds like ATMs are easy to hack. 
The malicious software used earlier this month to steal 12 million baht ($346,000) from ATMs at banks in Thailand might be a new ATM malware variant called RIPPER, FireEye researchers reveal.
The new malware sample was originally observed on Aug. 23, 2016, when it was uploaded to VirusTotal from an IP address in Thailand, just minutes before the 12 million baht theft made it to the headlines.  According to FireEye researchers, the sample also uses some techniques not seen before.
   The group behind this operation installed malware into multiple cash machines run by Thailand's state-run Government Savings Bank (GSB) in late July.  The thieves were linked to the previously revealed $2.5 million heist in Taiwan, where a group of foreigners stole money from cash machines using a similar method.
The new malware variant packs a series of features that tie it to previous ATM malware, such as its ability to target the same ATM brand, or the use of the same strategy as Padpin (Tyupkin), SUCEFUL, and GreenDispenser, to expel currency.
   However, the sample also shows a range of new capabilities, starting with its ability to target three of the main ATM Vendors worldwide, something that no other malware did before, FireEye says.  What’s more, RIPPER is being installed on the ATM through the insertion of a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism.

Eventually, it will be better than I am at recognizing faces.  I wonder what their ‘false positive’ rate is?
New York's smarter face recognition catches more ID thieves
Sometimes, behind-the-scenes tech upgrades can make a big difference.  New York's Governor Cuomo reports that an overhaul of the state DMV's face recognition software in January has led to more than 100 arrests and 900 open investigations so far.  The trick?  The new system checks 128 points on a face instead of 64, dramatically increasing the chances that it'll match a photo against the DMV's database.
   New York isn't alone in using face recognition in the US, let alone the world.  As Ars Technica notes, there are 39-plus states relying on it in some capacity

Somehow (years of experience perhaps) I knew they would be inadequate for the job.  Perhaps nothing will be totally successful, but the more people trying the better.
U.S. Revamps Line of Attack in Social-Media Fight Against Islamic State
Recent initiatives by technology companies to push back against Islamic State’s social-media messaging highlight a sobering fact: The U.S. government’s battle on that front has mostly sputtered.
In a number of terrorist attacks over the past year, the attackers were found to have been inspired by Islamic State propaganda and videos, which are often described as Hollywood-level productions.  Despite numerous military victories against Islamic State, U.S. officials acknowledge they have struggled to counteract the terrorist group’s online campaign.

Is this just another way of saying “class action?”
The Information-Forcing Role of the Judge in Multidistrict Litigation
by Sabrina I. Pacifici on Aug 28, 2016
Bradt, Andrew and Rave, D. Theodore, The Information-Forcing Role of the Judge in Multidistrict Litigation (August 23, 2016). California Law Review, Forthcoming.  Available for download at SSRN:
“In this article, we address one of the most controversial and current questions in federal civil procedure: What is the proper role of the judge in the settlement of mass-tort multidistrict litigation, or MDL?  Due to the Supreme Court’s hostility to class actions, MDL proceedings have begun to dominate the federal civil docket.  To wit, nearly half of the federal civil caseload is MDL.  Although MDL is structurally different from a class action, the procedure replicates — and in many ways complicates — the principal-agent problems that plagued the class action.  Like a class action, nearly all MDL cases are resolved by a comprehensive global settlement agreement, but, unlike a class action, in MDL the judge has no authority to reject a settlement agreement as unfair to the potentially thousands of parties ensnared in the litigation.  Here, we argue that, given this limitation, the judge should act as an “information-forcing intermediary,” who reserves the right to offer a non-binding opinion about the fairness of the settlement to send an easy-to-understand signal directly to the parties about their lawyers’ performance.  Such a signal will mitigate many of the agency problems inherent to MDL and allow parties to exercise informed consent when choosing whether to accept a settlement.  More generally, this article is a call for judges to embrace an information-forcing role at the head of consolidated MDL proceedings.”

Interesting.  I wondered if there really was a market for people to watch others play video games, then I remembered that people watch poker on TV.  So, maybe?
Facebook has finally made its move against one of Amazon's biggest properties

How to Automatically Send Pocket Articles to Your Kindle
If there are any two platforms that belong together it’s read-it-later service Pocket and Amazon’s Kindle e-reader or app.  If you want to connect the two, you can not only do that but can also automate the process.
With P2K, you can choose from a weekly, daily, or one-time digest.  You can choose the exact time the digest will be delivered, and how many articles it will include.
   In order to create that connection between P2K and your Kindle account, you will need to provide the Kindle email address necessary to deliver the articles.  This email address can be found on your Kindle settings page under the “Send-to-Kindle E-Mail Settings” heading.
You will also need to add the address to the “Approved Personal Document E-mail List”, which can be found on the same settings page.

A couple of these are new to me.
26 must-have apps for college life
Reverso Translator (Free)
Another great tool if you're taking a language class.  It's time you graduated from Google Translate, because Reverso actually gives you vocabulary in real contexts.  Now you can really figure out if you mean bonita or bastante (big difference).
Smart Voice Recorder & Voice Recorder Free
As long as you don't put it on the Internet or something, recording lectures is a great idea.  Review them for finals, clarify something for your notes, or share lectures with friends.  These apps are great if you want something a little better than Voice Memos, but that's sufficient as well.
(Smart Voice Recorder for Google Play) (Voice Recorder Free for iTunes)

Also something my students should look into.
How to Access’s Online Courses for Free
   The potentially good news is that you may be able to access all of for free.  All you have to do is visit one of your local libraries and see if they provide free access to members (library membership is free).
