Saturday, January 16, 2016

Since there have been laptops, there have been people who just can't imagine why anyone would steal them. I hope my Computer Security students don't fail like this.
Montana Public Radio reports that New West Health Services is notifying 25,000 members after a laptop with their PHI was stolen. Here’s the statement that was posted on New West Medicare’s site today, with one interruption by me for a short, but tasteful, rant:
New West Health Services d/b/a New West Medicare has unfortunately learned of an incident involving a company laptop computer that was stolen from an off-site location. The computer contained electronic files with personal information from past and present New West customers. The computer was password protected, [Worthless Bob] and there is no evidence to suggest that the information stored on the laptop was the target of the theft or that any customer information has been accessed or misused.
… Based on the forensic investigation, New West believes that the laptop contained customers’ names, addresses and, in certain instances, driver’s license numbers and Social Security numbers or Medicare claim numbers. The laptop may have also contained limited information related to some individuals’ payment of Medicare premiums, including electronic funds transfer information (bank account number, account holder name, account type and bank routing number) or credit card information (card holder name, credit card account number, expiration date and CVV (“Card Verification Value”) number). Additionally, the laptop may have contained some customers’ health information, including dates of birth, medical history and condition, diagnosis and/or prescription information.
… out of an abundance of caution, New West is proactively notifying impacted members so they can take steps to safeguard their personal information going forward.
Okay, they should not be allowed to claim that they are (only) notifying out of an “abundance of caution,” when they are required by law to notify.

These tools would allow us to write less ambiguous policies in many areas. Definitely worth looking at!
Automated Comparisons of Ambiguity in Privacy Policies and the Impact of Regulation
by Sabrina I. Pacifici on Jan 15, 2016
Reidenberg, Joel R. and Bhatia, Jaspreet and Breaux, Travis and Norton, Thomas B., Automated Comparisons of Ambiguity in Privacy Policies and the Impact of Regulation (January 9, 2016). Fordham Law Legal Studies Research Paper Forthcoming. Available for download at SSRN:
“Website privacy policies often contain ambiguous language that undermines the purpose and value of privacy notices for site users. This paper compares the impact of different regulatory models on the ambiguity of privacy policies in multiple online sectors. First, the paper develops a theory of vague and ambiguous terms. Next, the paper develops a scoring method to compare the relative vagueness of different privacy policies. Then, the theory and scoring are applied using natural language processing to rate a set of policies. The ratings are compared against two benchmarks to show whether government-mandated privacy disclosures result in notices less ambiguous than those emerging from the market. The methodology and technical tools can provide companies with mechanisms to improve drafting, enable regulators to easily identify poor privacy policies and empower regulators to more effectively target enforcement actions.”

Reasonable? Until they miss something…
The National Security Agency has released its Transparency Report on the implementation of the USA Freedom Act — as well as the minimization procedures to be used for the new non-bulk telephone metadata program — giving us a first glimpse of how the law’s reforms are being cashed out in practice. There are some useful points of clarification here — including one or two surprises — but also many questions left unanswered.

There is political puffery and then there is outright lying. Can Congress tell the difference?
FBI Director James Comey recently told the Senate Judiciary Committee that encryption routinely poses a problem for law enforcement. He stated that encryption has “moved from being available [only] to the sophisticated bad guy to being the default. So it’s now affecting every criminal investigation that folks engage in.”

Another case of government being government.
The Freedom of Information Act is Broken: A Report from House Oversight Cmte.
by Sabrina I. Pacifici on Jan 15, 2016
U.S. House of Representatives Committee on Oversight and Government Reform, Jason Chaffetz (UT-3), Chairman – FOIA Is Broken: A Report Staff Report, 114th Congress, January 2016.
“The Freedom of Information Act established a right for the public to access federal agency records. The statute simply requires requesters to reasonably describe the records they wish to receive and the agency is required to produce those records in 20 working days. In practice, however, the FOIA process is much more complicated and difficult to navigate. Many of the complications are engineered into the process by the federal agencies themselves. The FOIA process is broken. Unnecessary complications, misapplication of the law, and extensive delays are common occurrences. Agencies fail to articulate reasons for delays or explain how to navigate the process. Requesters wait months, not weeks, before receiving any response. Even a denial on a technicality can be significantly delayed because the agency may fail to read the request for months. Unreasonable requests for detail and repeated ultimatums to respond within narrow windows or start all over reinforce the perspective that the process is designed to keep out all but the most persistent and experienced requesters.”

They're crazy, right? What constitutes propaganda? The best propaganda is truth. ISIS is using Trump in their marketing pitch because “Trump hates Muslims” is seen as true. Will I be branded a terrorist for saying that?
Can Twitter Be Liable for ISIS Tweets?
Islamic State has been able to mobilize followers via social media sites like Twitter. Could those social media sites be held liable for such online activity?
A civil lawsuit filed against Twitter Inc. in California federal court this week could offer some answers.
The lawsuit was brought by a plaintiffs’ class-action law firm on behalf of the wife of a Florida defense contractor who was one of two Americans killed in a shooting spree attack in Jordan last November. It alleges that ISIS was responsible for the attack and that Twitter helped contribute to the bloodshed by allowing the terrorist group to use the site to spread propaganda, attract new recruits and raise money.
Twitter says the suit has no merit. “While we believe the lawsuit is without merit, we are deeply saddened to hear of this family’s terrible loss….. Violent threats and the promotion of terrorism deserve no place on Twitter and, like other social networks, our rules make that clear,” a Twitter spokesman said in a statement Thursday.
The lawsuit “will be a very big deal if it survives a motion to dismiss, but that is a very big if,” wrote Brookings Institution fellow Benjamin Wittes and Harvard Law School student Zoe Bedell in an analysis of the complaint posted on Lawfare Blog,

I'm sure the price is nice, but binge watching is good too.
Amazon Prime price slashed 25% this weekend to celebrate Golden Globe win
This weekend Amazon is celebrating its Golden Globe wins for the series Mozart in the Jungle with a price drop on an annual Prime membership. Starting at 9 p.m. Pacific on Friday and lasting until 11:59 p.m. local time on Sunday, Amazon is selling an annual Prime subscription for $73—a $26 dollar price cut.
… During the same time as Amazon is offering the cheap Prime price, the retailer is allowing free streaming of seasons one and two of Mozart in the Jungle for everyone—not just Prime subscribers.

A poster for the next time I teach spreadsheets.
Be The Smartest Person At Work With These Excel Tricks

For my Geeky students.
15 Incredible Firefox Addons For Geeks

More ways to harass teach my students!
4 Free Tools for Creating & Playing Interactive Quiz Games
The following are interactive quiz game tools that I've used with great success in my classroom and/or in my workshops.
Kahoot:
This is the obvious one to include in this post as it did inspire the post. Kahoot provides a fun way to gather feedback from a group through their phones, iPads, Chromebooks, or any other device that has a web browser and an Internet connection. You can include pictures and/or videos as part of each question that you create and share in a Kahoot activity. Players are awarded points for answering correctly and quickly. Or you can turn off the points system to use Kahoot in a non-competitive environment.
Socrative Space Race:
Socrative is a free student response system that allows you to gather feedback from students through any Internet-connected device. One of my favorite aspects of Socrative is the variety of ways in which you can pose prompts and questions to your students. The Space Race feature has been a hit everywhere that I've shown it over the years. The Space Race feature allows you to create virtual teams for answering questions or prompts. The screen students see masks their classmates' names, but as the teacher you can see your students' names and download a report of students' responses.
Quizalize:
Quizalize is a free quiz game platform. Students play your quiz games on their laptops or tablets by going to the Quizalize website then entering their names and a class code. Students are awarded points for correctly answering questions quickly. Students are given feedback instantly on every quiz question that they answer. A total score is presented to students at the end of every quiz. Creating quizzes on Quizalize is a simple process. To get started just name your quiz and tag it with a subject label. As you write each quiz question you can include a picture and up to four answer choices. You can specify a time limit of 5 to 120 seconds for each question. Quizalize offers a marketplace in which you can find quizzes created by other users. Some of the quizzes are free and others are sold for a dollar or two. To be clear, creating and playing your own quizzes is completely free.
Triventy:
Triventy uses a concept that is similar to Kahoot. To play a Triventy quiz game the teacher projects the game questions at the front of the room and students answer the questions on their mobile devices or laptops. Points are awarded for answering correctly. Bonus points are awarded for answering quickly. Students join the quiz game by going to and entering the game pin assigned to your game.

Saturday silly.
Hack Education Weekly News
… President Obama delivered his final State of the Union address Tuesday evening. “Education” showed up several times in the speech, including the idea that every student needs to learn to “write computer code.”
Via The Hill: “House Oversight Committee Chairman Jason Chaffetz (R-Utah) is warning that a hack on the Department of Education would dwarf last year’s massive breach at the Office of Personnel Management. ‘Almost half of America's records are sitting at the Department of Education,’ Chaffetz said at a Brookings Institution event on Thursday. ‘I think ultimately that’s going to be the largest data breach that we've ever seen in the history of our nation.’”
… “Bronx Science Bans Cellphones From Wi-Fi as Students Devour It,” says The New York Times. [Potentially dangerous Bob]
… Tech and business training company General Assembly is expanding to Denver.
The Apollo Education Group announced that it was exploring selling off the University of Phoenix, the biggest for-profit university in the US. More via Phil Hill.
… “Oral Roberts University is now requiring all freshmen to wear tracking devices to monitor their physical activity,” News on 6 reports. “It appears as though school staff and instructors will be able to access the fitness tracking information gathered by the students’ devices. ‘The Fitbit trackers will feed into the D2L gradebook, automatically logging aerobics points,’” according to the university’s website.
The opening paragraphs from Education Week’s look at “the future of big data and analytics” in education: “Imagine classrooms outfitted with cameras that run constantly, capturing each child’s every facial expression, fidget, and social interaction, every day, all year long. Then imagine on the ceilings of those rooms infrared cameras, documenting the objects that every student touches throughout the day, and microphones, recording every word that each person utters. Picture now the children themselves wearing Fitbit-like devices that track everything from their heart rates to their time between meals.” Imagine.
Via The Washington Post: “The U.S. Education Department’s new planned system of records that will collect detailed data on thousands of students – and transfer records to private contractors – is being slammed by experts who say there are not adequate privacy safeguards embedded in the project.”

Friday, January 15, 2016

Update. Still not clear. Are those Hyatt's processing systems or a third party?
Card Breach Affects 250 Hyatt Hotels Worldwide
Following an investigation into a breach of its payment processing systems, Chicago-based hotel operator Hyatt Hotels has determined that the incident affects 250 hotels worldwide.
According to the company, the investigation revealed unauthorized access to data associated with payment cards used at Hyatt-managed locations, mainly restaurants, between August 13, 2015 and December 8, 2015.
Customers for whom Hyatt does not have any contact information are advised to check the list of affected hotels to determine if they are impacted.
… “Though it is common to see malware capture credit cards at the time of the swipe, in this instance, the malware collected card data while it was being routed through the affected payment processing systems, according to Hyatt’s statement,” said Brad Cyprus, chief of security and compliance at Netsurion, a provider of remotely-managed security services for multi-location businesses.

I would have expected attacks to drop like the price of oil. (Unless of course you are trying to slow production to raise prices.)
Oil and Gas Industry Increasingly Hit by Cyber-Attacks: Report
According to the study, which was conducted by Dimensional Research in November 2015, 82 percent of oil and gas industry respondents said their organizations registered an increase in successful cyber-attacks over the past 12 months. Moreover, 53 percent of the respondents said that the rate of cyber-attacks has increased between 50 and 100 percent over the past month.
The report also reveals that 69 percent of respondents said they were “not confident” in their organizations’ ability to detect all cyber-attacks.

Sad to see that this still happens. Does no one know how the technology they use every day works?
Earlier this week, Jigsaw Security noted that they had discovered that improper redaction of documents posted on the Virginia Dept of Human Resource Management website was potentially exposing employees’ personal information:
A PDF posted by this organization contained information that was obfuscated by blocks but was a layered image so if you edit the document the blocks can be removed and the original content is then visible.
The Jigsaw Security Operations Center sent a standard notification advising them of the issue but they have failed to respond to the request.
Because there were many improperly redacted files putting employees’ SSN, salary, and other details at risk, Jigsaw reached out to to help with the notification. On January 12, this site sent a notification to the same DHRM liaison that Jigsaw had attempted to notify, but also contacted DHRM’s media contact to ask for a statement. When there was no response from either party, this site sent a second request to their media contact. That one got their attention, and they asked me for my real name and documentation. I sent them a link to Jigsaw’s post and offered to send them screenshots showing unmasked employee information. I also told them I would delay publication to give them a chance to remove the files from view.
That seemed to produce results. DHRM thanked me for reaching out to them and the next day, they informed this site that DHRM was addressing the security concern by:
  • Removal of the referenced documents and links from DHRM’s servers so that data is no longer exposed that might impact employee privacy and security;
  • Software that has proper redacting capability was being supplied to users; and
  • Staff training was introduced to ensure that no lapses will occur in the future.
DHRM’s ITECH director and security officer also reached out to Jigsaw Security, who provided DHRM with additional assistance with the issue and also provided them with information about other vulnerabilities the intel firm had spotted. Hopefully, DHRM is addressing those issues, too.
And thus ends another adventure in trying to notify entities of security problems. But it shouldn’t be difficult to notify state agencies of security problems. Hopefully, DHRM is addressing that, too, so the next time a white hat tries to alert them to a problem, they get the notification.
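The DHRM incident above turns on one fact: drawing a black box over text in a PDF does not remove the text from the file. A pre-publication check that looks at what the file actually contains, rather than what it looks like on screen, catches this before the document goes out. The script below is an added example, not code from the post or from Jigsaw Security: it builds two tiny constructed PDFs (one with an SSN covered by a filled rectangle, one with the SSN actually replaced), then audits each by reading the page content streams for text-show operators and matching an SSN pattern. Real-world PDFs use compressed streams, font encodings and image layers that this deliberately minimal parser ignores, so it illustrates the principle; a production check would use a proper PDF library on top of the same idea.

```python
import re

# --- Constructed sample documents (not the DHRM files) -------------------------
TEXT = "Employee: Jane Doe  SSN: 123-45-6789  Salary: 54000"

# Improper "redaction": the text is still drawn, then a black box is painted over it.
BAD_REDACTION = (
    "BT /F1 12 Tf 72 700 Td (%s) Tj ET\n" % TEXT
    + "0 0 0 rg 180 695 120 16 re f\n"  # filled rectangle covering the SSN on screen only
)

# Proper redaction: the sensitive string no longer exists in the content stream.
GOOD_REDACTION = "BT /F1 12 Tf 72 700 Td (%s) Tj ET\n" % TEXT.replace("123-45-6789", "[REDACTED]")


def build_pdf(content_stream: bytes) -> bytes:
    """Assemble a minimal single-page, uncompressed PDF around a content stream."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(content_stream) + content_stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)


# --- Audit logic ---------------------------------------------------------------
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
TJ_STRING_RE = re.compile(rb"\((.*?)\)\s*Tj")          # simple literal strings shown with Tj
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
FILLED_BOX_RE = re.compile(rb"\bre\s+f\b")             # "x y w h re f": a filled rectangle


def content_text(pdf: bytes) -> bytes:
    """Concatenate every string literal that a Tj operator would draw on the page."""
    parts = []
    for stream in STREAM_RE.findall(pdf):
        parts.extend(TJ_STRING_RE.findall(stream))
    return b" ".join(parts)


def audit(pdf: bytes) -> dict:
    """Report SSN-shaped text still present in the file and how many filled boxes were drawn."""
    streams = STREAM_RE.findall(pdf)
    return {
        "leaked_ssns": [m.decode() for m in SSN_RE.findall(content_text(pdf))],
        "overlay_boxes": sum(len(FILLED_BOX_RE.findall(s)) for s in streams),
    }


def safe_to_publish(pdf: bytes) -> bool:
    """The only acceptable outcome: no sensitive text survives in the content."""
    return not audit(pdf)["leaked_ssns"]


if __name__ == "__main__":
    for label, stream in (("overlay box", BAD_REDACTION), ("true redaction", GOOD_REDACTION)):
        doc = build_pdf(stream.encode())
        print(label, audit(doc), "publish:", safe_to_publish(doc))
```

The useful signal is the combination: a file whose content stream still yields an SSN while also painting filled rectangles is the exact shape of the failure described above, and the fix is to re-export with a tool that removes the underlying content rather than covering it.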

“We gonna protect everything, except for almost everything.”
Bill Fitzgerald (@FunnyMonkey) writes:
….As described in this FERPA directory information model form, “Directory information, which is information that is generally not considered harmful or an invasion of privacy if released, can also be disclosed to outside organizations without a parent’s prior written consent.”
The list of information included as part of directory information – or “information that is generally not considered harmful or an invasion of privacy if released” – is pretty complete:
  • Student’s name
  • Address
  • Telephone listing
  • Electronic mail address
  • Photograph
  • Date and place of birth
  • Major field of study
  • Dates of attendance
  • Grade level
  • Participation in officially recognized activities and sports
  • Weight and height of members of athletic teams
  • Degrees, honors, and awards received
  • The most recent educational agency or institution attended
  • Student ID number, user ID, or other unique personal identifier used to communicate in electronic systems
  • A student ID number or other unique personal identifier that is displayed on a student ID badge
If this information was compromised as part of a data breach, it would be considered substantial – yet, this information about children can be shared without parental consent, for their entire K12 experience.
Read more on his blog.
Note that if these data are breached, if student ID is not SSN, then many states would not even require breach notification under their statutes. And we know that the U.S. Education Dept. has never withheld federal funds from any k-12 institution over a breach.
Consequences for breaches at the post-secondary level can be more costly for universities and colleges who may find themselves sued (generally unsuccessfully), but again, federal enforcement is lacking: USED does nothing and FTC has no authority other than enforcing the Safeguards Rule if financial information is involved – an authority it seemingly declined to use in the case of the massive MCCCD breach that I reported on
If student privacy is to be truly protected, it’s time to revise FERPA to make sharing of “directory” information opt-in, not opt-out. And it’s time to recognize that Google is not a school official – it’s a vendor that is not in business to be charitable. There is no such thing as a free lunch when it comes to student data and tech.

Does Facebook have to drop the people who signed up because of this? Being aggressive had benefits that this court can't reverse.
Harro ten Wolde reports:
Germany’s highest court has declared unlawful a feature that encourages Facebook users to market the social media network to their contacts, confirming the rulings of two lower courts.
A panel of the Federal Court of Justice ruled that Facebook’s “friend finder” promotional feature constituted advertising harassment in a case that was filed in 2010 by the Federation of German Consumer Organisations (VZBV).
Read more on Reuters.

My tax dollars at work? Guideline promising more guidelines?
Overnight tech: Feds look to boost self-driving cars
Transportation Secretary Anthony Foxx was in Detroit on Thursday to announce that the administration will request close to $4 billion over ten years to "accelerate the development and adoption of safe vehicle automation through real-world pilot projects." The testing would take place in certain areas of the country, according to a release, and the program would "work with industry leaders to ensure a common multistate framework for connected and autonomous vehicles."
… The National Highway Traffic Safety Administration also rolled out new policy guidance on autonomous vehicles, which included a commitment to produce policy guidelines within six months for states grappling with how to regulate self-driving cars.
… California's Department of Motor Vehicles recently released draft regulations that would require a licensed human driver behind the wheel of every autonomous vehicle.

Might be useful for Data Mining and Analytics.
Yahoo Releases Largest Cache of Internet Data
… On Thursday, the embattled Internet company said it would release the largest cache of Internet behavior data—the clicks, hovers and scrolls of some 20 million anonymous users on Yahoo’s sports, finance, news, real estate and other pages. The trove, which will be available only to universities, is expected to give researchers a rare, real-world look at how large numbers of people behave online.
… The Yahoo data set weighs in at 13.5 terabytes, about two-thirds the size of the Library of Congress.
That is larger than anything available to the vast majority of academic computer scientists, and so big that it likely will have to be stored outside a university system, possibly in a cloud computing center run by Inc. or Alphabet Inc.’s Google, said Carnegie’s Moore, a former Google executive.

Jordan Pearson reports:
Yahoo Labs, the research wing of Yahoo, just released what the company is calling the “largest ever” machine learning dataset for artificial intelligence researchers to use in their work, for free. For example, to create a Facebook-like recommendation algorithm.
In doing so, Yahoo also released information that could potentially be used by researchers who download the database—and anyone they share it with—to identify Yahoo customers.
The behemoth dataset consists of 13.5 terabytes of user interactions with news items from some 20 million users, which the company says have been “anonymized.” While there are no names attached to the data, seven million users in the database also had information about their age, gender, the city they were in when they accessed the page, whether they used a mobile device or a desktop, and a timestamp of when they accessed the news item, included in the dataset.
Read more on Motherboard.
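The concern in the Motherboard piece is that “no names attached” is not the same as anonymous once age, gender, city, device and a timestamp travel with each record. The standard way to measure that risk is k-anonymity: group records by their quasi-identifiers and ask how small the smallest group is; a group of size 1 is a single person. The example below is added here and is not Yahoo's code or data: it runs that measurement over a handful of constructed records with the field types the article lists, first on the raw quasi-identifiers and then after generalizing age into ten-year bands and dropping the device column, so the effect of releasing fewer, coarser fields is visible.

```python
from collections import Counter

# Constructed sample records (hypothetical, not from the Yahoo release), one row per user,
# carrying the kinds of fields the article says accompanied the "anonymized" interactions.
RECORDS = [
    {"user": "u1", "age": 34, "gender": "F", "city": "Denver",  "device": "mobile",  "ts": "2016-01-14T08:02"},
    {"user": "u2", "age": 36, "gender": "F", "city": "Denver",  "device": "desktop", "ts": "2016-01-14T08:05"},
    {"user": "u3", "age": 31, "gender": "F", "city": "Denver",  "device": "mobile",  "ts": "2016-01-14T09:41"},
    {"user": "u4", "age": 52, "gender": "M", "city": "Boulder", "device": "desktop", "ts": "2016-01-14T10:12"},
    {"user": "u5", "age": 58, "gender": "M", "city": "Boulder", "device": "desktop", "ts": "2016-01-14T12:30"},
    {"user": "u6", "age": 29, "gender": "M", "city": "Denver",  "device": "mobile",  "ts": "2016-01-14T13:07"},
    {"user": "u7", "age": 27, "gender": "M", "city": "Denver",  "device": "mobile",  "ts": "2016-01-14T13:55"},
    {"user": "u8", "age": 30, "gender": "F", "city": "Denver",  "device": "mobile",  "ts": "2016-01-14T17:20"},
]

RAW_QUASI = ("age", "gender", "city", "device")
COARSE_QUASI = ("age_band", "gender", "city")


def equivalence_classes(records, quasi):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi):
    """k = size of the smallest equivalence class; k == 1 means someone is unique."""
    classes = equivalence_classes(records, quasi)
    return min(classes.values()) if classes else 0


def singled_out(records, quasi):
    """User ids whose quasi-identifier combination appears exactly once."""
    classes = equivalence_classes(records, quasi)
    return [r["user"] for r in records if classes[tuple(r[q] for q in quasi)] == 1]


def generalize(records):
    """Coarsen age to a decade band and drop the device column (timestamp is not released)."""
    out = []
    for r in records:
        decade = (r["age"] // 10) * 10
        out.append({
            "user": r["user"],
            "age_band": "%d-%d" % (decade, decade + 9),
            "gender": r["gender"],
            "city": r["city"],
        })
    return out


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS, RAW_QUASI), "singled out:", singled_out(RECORDS, RAW_QUASI))
    coarse = generalize(RECORDS)
    print("generalized k =", k_anonymity(coarse, COARSE_QUASI), "singled out:", singled_out(coarse, COARSE_QUASI))
```

On the raw fields every one of the eight constructed users is unique (k = 1), even though no name is present; after generalization the smallest group holds two users (k = 2). The timestamp is left out of both measurements on purpose: at minute resolution it alone makes nearly every record unique, which is why a release that keeps it is hard to call anonymous.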

“Bragging for Budget?” Politics as usual.
January Terror Threat Snapshot: 21 ISIS-linked Plots in the US
… The report also mentions 139 terrorist cases involving homegrown Islamist extremists since 9/11, along with a running tally of ISIS supporters arrested in the U.S. to date: 79 people.

How does this relate to the profit made selling toxic mortgages? Did everyone return their commissions and bonuses?
Goldman Sachs Reaches $5.1 Bln Settlement Over Mortgage-Backed Securities
The Goldman Sachs Group Inc. (GS) said Thursday that it agreed to a $5.1 billion settlement to resolve U.S. and state claims related to securitization, underwriting and sale of residential mortgage-backed securities from 2005 to 2007. The agreement in principle will reduce earnings for the fourth quarter of 2015 by about $1.5 billion on an after-tax basis.
… As per the terms of the agreement in principle, the firm will pay a $2.385 billion civil monetary penalty, make $875 million in cash payments and provide $1.8 billion in consumer relief. [Leaving 400 million for the lawyers? Bob]

A significant economic development? Certainly an opportunity, if we can learn from Bitcoin's failures.
The resolution of the Bitcoin experiment
I’ve spent more than 5 years being a Bitcoin developer. The software I’ve written has been used by millions of users, hundreds of developers, and the talks I’ve given have led directly to the creation of several startups. I’ve talked about Bitcoin on Sky TV and BBC News. I have been repeatedly cited by the Economist as a Bitcoin expert and prominent developer. I have explained Bitcoin to the SEC, to bankers and to ordinary people I met at cafes.
From the start, I’ve always said the same thing: Bitcoin is an experiment and like all experiments, it can fail. So don’t invest what you can’t afford to lose. I’ve said this in interviews, on stage at conferences, and over email. So have other well known developers like Gavin Andresen and Jeff Garzik.
But despite knowing that Bitcoin could fail all along, the now inescapable conclusion that it has failed still saddens me greatly. The fundamentals are broken and whatever happens to the price in the short term, the long term trend should probably be downwards. I will no longer be taking part in Bitcoin development and have sold all my coins.

“There's an App (or website or social network or ...) for every purpose under heaven.” (apologies to Pete Seeger)
How Big Is You Won’t Believe These Stats & Facts
There’s a video service on the Internet that’s pretty popular called Even if you’ve never played a video game in your life, you’ve probably heard of it.
But just how big is Twitch? How much time do people spend watching others play video games? You seriously won’t believe some of these facts about just how popular it is:
  • Twitch has over 100 million unique users. That’s not 100 million page views, which would be impressive for most websites, but the actual number of people who come to the site every month.
  • The average Twitch user watches 1 hour and 46 minutes of video per day.
  • In total, users watch 16 billion minutes of content on the service each month.
  • It’s not just viewers, as 1.7 million people actually broadcast themselves playing games on Twitch.
  • Of those, more than 12,000 of them are partners, meaning they get paid to stream!

As I read it, there are only three or four skills that aren't completely “techie.”
LinkedIn's Top 25 Most In-Demand Career Skills

Thursday, January 14, 2016

DHS seems to see almost everything as a threat.
Bob Knudsen writes that our beloved Department of Homeland Security (DHS) wants hotels to report guests for having too much sex.
Ostensibly the request is to quell sex trafficking, despite the fact that sex trafficking is a relatively minor problem in the United States. To be sure, there are certainly instances of the illicit sex trade taking place in the nation, but the numbers have been vastly overinflated to the point of being meaningless. Sadly, all it takes to allow citizens’ rights to be eroded is to stoke fears and play on their emotions, as we have seen recently with attempts at gun control and the war on terror.
DHS is asking hotel staffs to report guests who have “many” condoms in their garbage (whatever that means), rooms that smell like cigarettes, and even tattoos that are “unusual.” Those are just a few of the highlights from the list of 18 items and behaviors to look out for, almost all of which could be considered normal behavior for anybody who doesn’t live in Pleasantville.
Read more on The Examiner.

(Related) If it truly was anonymous, would answering “352” raise concerns?
Nancy Dillon reports:
A survey of students’ carnal knowledge sparked a national controversy Tuesday — and led to an apology from the University of Southern California.
The clash was over a mandatory online class that asked students to tally and reveal the number of sex partners they had been with over the last three months, multiple students confirmed to the Daily News.
The course grew out of a federal mandate to address sexual assault on campus and was a prerequisite for all incoming and continuing students at USC, an email to undergrad Jacob Ellenhorn said.
Read more on NY Daily News.
And if this story is triggering deja vu for you, yes, I reported on exactly the same problem back in 2014 when a South Carolina university also had this as part of their Title IX compliance.
[From the article:
"It said it was anonymous, but at the same time, they were keeping track of whether I was answering or not, because I wouldn't be able to take classes or graduate without completing it," he told The News.
"It's tied to my account somehow," he said.

Not uncommon.
Yahoo settles e-mail privacy class-action: $4M for lawyers, $0 for users
In late 2013, Yahoo was hit with six lawsuits over its practice of using automated scans of e-mail to produce targeted ads. The cases, which were consolidated in federal court, all argued that the privacy rights of non-Yahoo users, who "did not consent to Yahoo's interception and scanning of their emails," were being violated by a multi-billion dollar company.
Now, lawyers representing the plaintiffs are singing a different tune. Last week, they asked US District Judge Lucy Koh to accept a proposed settlement (PDF). Under the proposal, the massive class of non-Yahoo users won't get any payment, but the class lawyers at Girard Gibbs and Kaplan Fox intend to ask for up to $4 million in fees. (The ultimate amount of fees will be up to the judge, but Yahoo has agreed not to oppose any fee request up to $4 million.)
While users won't get any payment, Yahoo will change how it handles user e-mails—but it isn't the change that the plaintiffs attorneys were originally asking for. Yahoo won't stop scanning e-mails. Instead, the company has agreed to make a technical change to when it scans e-mails. In the settlement (PDF), Yahoo has agreed that e-mail content will be "only sent to servers for analysis for advertising purposes after a Yahoo Mail user can access the email in his or her inbox." [That does not seem to be much of a change. Bob]

“Thanks for the free stuff, but I have to hate you now.”
The Convenience-Surveillance Tradeoff
… A new Pew Research Center report found that many people in America are upset about the extent to which their personal data is being collected, but feel it is largely out of their control.
“The data is there, and it’s being used, and there isn’t a damn thing most of us can do about it, other than strongly resent it,” one respondent told Pew. “The data isn’t really the problem. It’s who gets to see and use that data that creates problems. It’s too late to put that genie back in the bottle.”
… “Free is a good price,” Pew said in its report. People like no-cost services, and are willing to forfeit some privacy in exchange for them. An individual’s data has become its own kind of currency.

Amusing. (Does this closely parallel “fair use?”)
Recently, Orin Kerr and I had a brief conversation on Twitter regarding the Fourth Amendment and the content/non-content distinction. Specifically, Orin asked those of us who subscribe to the mosaic theory of intelligence if some large amount of metadata can become content, can some small amount of content become metadata by the same logic? That is, if non-content in sufficient quantities can become content under the Fourth Amendment, shouldn’t the inverse of this function mean that sufficiently small amounts of content can become non-content? (Remember that content receives greater constitutional protection than non-content.) There is a fair amount of unpacking to do in this short question, so let’s start by exploring the mosaic theory as it applies to Fourth Amendment law.

Perspective. More players and the beginning of niche markets?
Comparing Cloud Storage Alternatives: Beyond the Big Three
A recent InfoStor article called Cloud Storage Comparison covered Gartner’s view of the public marketplace and gave a rundown of the top three players, Google, Microsoft and Amazon. Gartner – surprising no one – places Amazon in the top spot.
… The Nasuni 2015 State of Cloud Storage Report noted that 2013 and 2014 were record-setting years for cloud service adoption in the enterprise.

Why do I get the feeling that this has never happened before in the history of real estate and that it can only happen in Miami and NY? Oh yeah, that's what the government is saying.
U.S. Boosts Scrutiny of N.Y., Miami Cash Real Estate Deals
President Barack Obama’s administration, citing concern about the origin of funds used for all-cash purchases of luxury real estate, said it is stepping up scrutiny of transactions in New York City and Miami.
The Financial Crimes Enforcement Network said on Wednesday that it will temporarily require title insurance companies to identify individuals behind companies that pay cash for high-end residential real estate in Manhattan and Miami-Dade County.

Something I'll mention to my students who think I'm speaking Greek.
All Skype for Windows users get real-time translation
Skype today announced that its Skype Translator tool is now built directly into its main app for all Windows users. This means Skype for Windows users no longer need a separate app to translate conversations in seven languages (Chinese Mandarin, English, French, German, Italian, Portuguese, and Spanish) and 50 messaging languages.

Wednesday, January 13, 2016

Perhaps the hacker's high school would qualify for extra STEM grants from the same government they are hacking. If teenagers can consistently hack “people who should know better,” what can China do?
US Spy Chief's Personal Accounts Hacked
US spy chief James Clapper's personal online accounts have been hacked, his office confirmed Tuesday, a few months after CIA director John Brennan suffered a similar attack.
Clapper's Office of the Director of National Intelligence confirmed the hack but refused to provide details.
A teen hacker who goes by "Cracka" claimed to have hacked Clapper's home telephone and Internet accounts, his personal email, and his wife's Yahoo email, online magazine Motherboard reported.
Cracka told Motherboard that he had changed the settings on Clapper's Verizon account so that calls to his home were rerouted to the California-based Free Palestine Movement.

For my Ethical Hacking students. Likely this is a flaw in the phone, not PGP.
Cops Say They Can Access Encrypted Emails on So-Called PGP BlackBerrys
Dutch investigators have confirmed to Motherboard that they are able to read encrypted messages sent on PGP BlackBerry phones—custom, security-focused BlackBerry devices that come complete with an encrypted email feature, and which reportedly may be used by organized criminal groups.
“We are capable of obtaining encrypted data from BlackBerry PGP devices,” Tuscha Essed, a press officer from the Netherlands Forensic Institute (NFI), told Motherboard in an email. The NFI is a body that assists law enforcement in forensic evidence retrieval, and which, according to its website, deals with most of the forensic investigations in criminal cases in the Netherlands.
… Very little information is available regarding the specific technique that the NFI use to access encrypted communications on custom BlackBerrys.
The Crime News report says that out of 325 encrypted emails recovered from a device, only 279 were deciphered, and that the workaround is only applicable when law enforcement have physical access to the device.

(Related) Well, they would be, wouldn't they?
Iain Thomson reports:
Claims by the Netherlands Forensic Institute (NFI) that it has successfully decrypted emails stored on BlackBerry smartphones have caused bafflement at the Canadian firm.
Documents seen by Dutch blog Crime News show the NFI claiming to have decrypted 275 out of 325 emails encrypted with PGP from a handset in their possession. The NFI reportedly used software from Israeli firm Cellebrite to crack the encryption.
Read more on The Register.

Patrick Howell O’Neill reports:
The French Parliament is considering a legislative provision that would ban strong encryption by requiring tech companies to configure their systems so that police and intelligence agencies could always access their data.
The amendment to the vast “Digital Republic” bill was introduced in the French National Assembly, parliament’s lower house, by eighteen politicians from the conservative Republican Party.
Read more on Daily Dot.

Only in Europe?
Kevin Rawlinson reports:
The European Court of Human Rights (ECHR) said a firm that read a worker’s Yahoo Messenger chats sent while he was at work was within its rights.
Judges said he breached the company’s rules and that his employer had a right to check he was completing his work.
Such policies must also protect workers against unfettered snooping, they said.
The judges, sitting in the ECHR in Strasbourg, handed down their decision on Tuesday. It binds all countries that have ratified the European Convention on Human Rights, which includes Britain.
Read more on BBC.

Part of the “Double secret probation” program? How many “little-known” lists are there? Are they all controlled through a single office in DHS?
Muslim professor blocked from game because his name was on US blacklist
Epic Games has apologised after mistakenly barring an American professor from playing its online game Paragon because someone who has the same name as him was on a US government blacklist.
Muhammad Zakir Khan, an assistant professor at Florida’s Broward College, had tried to sign up for the beta of first-person shooter Paragon, a multiplayer game inspired by esports hits such as Dota2. But instead of being given an account for the game, Khan was hit with an unusual error message.
“Your account creation has been blocked as a result of a match against the Specially Designated Nationals list maintained by the United States of America’s Office of Foreign Assets Control,” the message read, before advising Khan to email Epic’s customer service.
The Specially Designated Nationals list is a little-known blacklist produced by the US government as part of its enforcement of economic sanctions against nations such as Iran, Syria and Russian-controlled Crimea, in order to help companies avoid accidentally doing business with high-profile citizens of, or corporations controlled by, those blocked nations.
… Khan tweeted his issue to Epic Games, with the hashtag #iamnotaterrorist. In a reply, Tim Sweeney, the founder of the company, apologised, and said that the ban was a result of errors on top of errors. Not only should Khan’s name not have matched against the list at all, a simple name match shouldn’t have been enough to spark a block.
What’s more, the filter wasn’t supposed to have even been applied to the simple consumer-level ability to sign up to the beta for Paragon. Instead, Sweeney explained, it was intended to control access to Epic’s game creation tools – built around the Unreal Engine – for large commercial projects. The company had re-used the code without considering how it would work with orders of magnitude more names running through it.
Khan tweeted that he was thankful for Sweeney’s apology, but added that despite it, he was still concerned by the issues it raised.
“First, the fact that the problem existed in the first place frustrates me. Someone designed Epic’s system without thinking of its impacts. Second, someone overseeing said system being put into place didn’t provide oversight of said system. Thus, they were careless and sloppy. Third, if they had just taken a moment to think about what they had done they could realise how hurtful it could be for someone.
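As an added example (not Epic's code, and not anything described in the article beyond Sweeney's two admissions), here is a screening routine that separates the two errors: a name-only policy that blocks any consumer whose name collides with a listed one, beside an attribute policy that blocks only when a second identifier corroborates the name match and otherwise routes a bare name match to human review. The list entry is fictional, not an OFAC record, and the field names (dob, nationality) are my assumptions.

```python
import re
import unicodedata

def normalize(name):
    """Fold case, strip diacritics and punctuation, collapse whitespace, so
    'Muhámmad Zakir-Khan' and 'muhammad zakir khan' compare equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.findall(r"[a-z]+", folded.lower()))

# Fictional list entry (not an OFAC record). Real entries usually carry
# secondary identifiers such as date of birth and nationality; the field
# names used here are assumptions.
LIST_ENTRIES = [
    {"name": "Ahmed Mansour", "dob": "1960-01-01", "nationality": "XX"},
]

def name_only_screen(applicant, entries):
    """The policy that misfired: any name collision is a block."""
    app = normalize(applicant["name"])
    return "block" if any(app == normalize(e["name"]) for e in entries) else "allow"

def attribute_screen(applicant, entries):
    """Block only when a name match is corroborated by a second identifier.
    A bare name match with nothing to compare goes to human review; a name
    match contradicted by the identifiers we do have is allowed."""
    app = normalize(applicant["name"])
    for entry in entries:
        if app != normalize(entry["name"]):
            continue
        comparable = [k for k in ("dob", "nationality") if applicant.get(k)]
        if not comparable:
            return "review"
        if any(applicant[k] == entry.get(k) for k in comparable):
            return "block"
        # same name, different person: keep looking, do not block
    return "allow"

if __name__ == "__main__":
    beta_signup = {"name": "Ahmed Mansour"}                    # consumer flow: name only
    licensee = {"name": "Ahmed Mansour", "dob": "1985-06-30"}  # commercial flow: more data
    print("name-only, beta signup:", name_only_screen(beta_signup, LIST_ENTRIES))
    print("attribute, beta signup:", attribute_screen(beta_signup, LIST_ENTRIES))
    print("attribute, licensee:   ", attribute_screen(licensee, LIST_ENTRIES))
```

The consumer signup never collected anything that could corroborate a name, which is why a name-only check applied to it can only produce false positives; a flow with that little data should either not be screened at all (Sweeney's stated intent) or send collisions to review rather than auto-block.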

This should be no surprise to my Computer Security students.
IoT Devices Easily Hacked to be Backdoors: Experiment
Many consumer-grade Internet of Things (IoT) products, such as Wi-Fi security web cameras, include security flaws that allow attackers to reprogram them and use them as persistent backdoors, Vectra Networks warns.
According to the security firm, which focuses on detection of cyber-attacks, insecure IoT devices enable potential attackers to remotely command and control an attack while avoiding detection from traditional security products. By turning an IoT device into a backdoor, attackers gain 24x7 access to an organization’s network without infecting a laptop, workstation or server, which are usually protected by firewalls, intrusion prevention systems and antivirus software.
The researchers explain in a blog post that the reprogramming process started with taking the camera apart and dumping the content of the flash memory chip on the PCB (printed circuit board) for further analysis.
As Rafal Los, director of solutions research and development within the Office of the CISO for Optiv, explains in a SecurityWeek column, many of these IoT devices (even secured and not hacked) are always-on, always connected, which could pose a privacy risk to end-users and a security risk to companies, if they are brought to the office. After all, companies might not have a policy for bringing IoT devices, although they might have BYOD policies in place.
The industry joined hands last year and launched the Internet of Things Security Foundation (IoTSF) in September to address concerns regarding the security of IoT devices.
In November 2015, security researchers presented at the DefCamp conference in Bucharest the findings of a study on the firmware of IoT devices, explaining that such firmware images are often susceptible to multiple security flaws because manufacturers do not properly test them for security flaws. Also in November, IT security consultancy SEC Consult revealed that millions of IoT devices use the same cryptographic secrets, which expose them to various malicious attacks.
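An added example (not Vectra's code and not anything from the article): once the flash contents are dumped, the first analysis step is usually to find where the firmware containers sit and which regions are opaque (compressed or encrypted). This Python script scans a constructed 4 KiB stand-in for a dump for a few common container magics and flags high-entropy blocks. The signature list and the sample layout are my assumptions, not anything taken from the camera in the report.

```python
import hashlib
import math

# Magic byte sequences, as they appear on disk, for containers that turn up
# in consumer IoT flash. Multi-byte magics only: a 2-byte magic (e.g. JFFS2's
# 0x1985) produces false hits in any compressed region.
SIGNATURES = {
    b"\x27\x05\x19\x56": "U-Boot uImage header",
    b"\x1f\x8b\x08": "gzip stream",
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"\x45\x3d\xcd\x28": "CramFS (little-endian)",
}

def find_signatures(image):
    """Sorted (offset, description) pairs for every magic found in the image."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def high_entropy_blocks(image, block_size=1024, threshold=7.5):
    """Offsets of blocks whose entropy suggests compressed or encrypted data;
    plaintext code and filesystem metadata sit well below 7.5 bits/byte."""
    return [off for off in range(0, len(image), block_size)
            if shannon_entropy(image[off:off + block_size]) >= threshold]

def _pseudorandom(n, seed=b"constructed-sample"):
    """Deterministic high-entropy filler (SHA-256 chain), so the sample image
    is reproducible without a real flash chip."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

def build_sample_image():
    """Constructed 4 KiB stand-in for a flash dump: a uImage header at 0,
    a gzip stream at 0x100, a SquashFS superblock at 0x400 and an opaque
    (compressed or encrypted) region filling the top half."""
    img = bytearray(4096)
    img[0:4] = b"\x27\x05\x19\x56"
    img[0x100:0x103] = b"\x1f\x8b\x08"
    img[0x400:0x404] = b"hsqs"
    img[0x800:] = _pseudorandom(0x800)
    return bytes(img)

def triage(image):
    return {"signatures": find_signatures(image),
            "opaque_blocks": high_entropy_blocks(image)}

if __name__ == "__main__":
    report = triage(build_sample_image())
    for off, name in report["signatures"]:
        print(f"0x{off:06x}  {name}")
    print("high-entropy blocks at:", [hex(o) for o in report["opaque_blocks"]])
```

On a real dump the interesting follow-up is the gap between the two results: a region with no recognised magic and high entropy is either a compressed filesystem with an unlisted magic or an encrypted blob, and the latter is where the device's update and boot trust chain (if it has one) will show up.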

Interesting hypothetical. What if the “instructions” are actually a review of a video game?
Suppose a laptop were found at the apartment of one of the perpetrators of last year’s Paris attacks. It’s searched by the authorities pursuant to a warrant, and they find a file on the laptop that’s a set of instructions for carrying out the attacks.
The discovery would surely help in the prosecution of the laptop’s owner, tying him to the crime. But a junior prosecutor has a further idea. The private document was likely shared among other conspirators, some of whom are still on the run or unknown entirely. Surely Google has the ability to run a search of all Gmail inboxes, outboxes, and message drafts folders, plus Google Drive cloud storage, to see if any of its 900 million users are currently in possession of that exact document. If Google could be persuaded or ordered to run the search, it could generate a list of only those Google accounts possessing the precise file — and all other Google users would remain undisturbed, except for the briefest of computerized “touches” on their accounts to see if the file reposed there.
A list of users with the document would spark further investigation of those accounts to help identify whether their owners had a role in the attacks — all according to the law, with a round of warrants obtained from the probable cause arising from possessing the suspect document.
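To make the "briefest of computerized touches" concrete, here is an added example (not from the article, and not Google's code) that runs the hypothetical search two ways over a constructed set of four accounts: an exact SHA-256 match, which finds only byte-identical copies, and a word-shingle similarity match, which also finds a lightly edited copy but sweeps in a reporter's draft that merely quotes the document, which is the false-positive problem raised above. The documents and account names are made up.

```python
import hashlib
import re

# Constructed documents and account names; nothing here is real mail.
TARGET = ("Meet at the north entrance at nine. Bring the bags from the garage. "
          "Do not use phones after midnight.")

CORPUS = {
    "alice": [TARGET],                                   # byte-identical copy
    "bob":   [TARGET.replace("nine", "ten")],            # one word changed
    "carol": ["Weekly newsletter: the garage sale is on Saturday, bring your own bags."],
    "dave":  ["The note read: " + TARGET + " Police declined to comment."],  # quotes it, not a conspirator
}

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def shingles(text, k=3):
    """Set of k-word shingles after folding case and stripping punctuation,
    so spacing and capitalisation changes do not defeat the comparison."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def exact_search(corpus, target):
    """Accounts holding a byte-identical copy: no false positives, but any
    edit to the document evades it."""
    wanted = sha256_hex(target)
    return sorted(acct for acct, docs in corpus.items()
                  if any(sha256_hex(d) == wanted for d in docs))

def similarity_search(corpus, target, threshold=0.5):
    """Accounts holding a document whose shingle overlap with the target is
    at least `threshold`: catches edited copies, and anyone who quoted it."""
    t = shingles(target)
    return sorted(acct for acct, docs in corpus.items()
                  if any(jaccard(shingles(d), t) >= threshold for d in docs))

if __name__ == "__main__":
    print("exact:     ", exact_search(CORPUS, TARGET))
    print("similarity:", similarity_search(CORPUS, TARGET))
    for acct, docs in CORPUS.items():
        print(f"  {acct}: jaccard={jaccard(shingles(docs[0]), shingles(TARGET)):.2f}")
```

The exact search returns only alice; the similarity search returns alice, bob and dave. Whichever threshold is chosen, the set of accounts "touched" is decided by the matching function, not by the warrant, which is the part of the hypothetical that deserves the scrutiny.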

I can't tell you how many times my students have suggested my next destination. “Professor, you can go to ...”
… Among a few other updates in Maps v9.19 spotted by Android Police, Google has introduced a new ‘Driving Mode’. While you’re driving around town without a destination dialed in, Google will use your frequent locations and search history to come up with a predicted destination, and then push traffic information or news about road closures as you’re driving, so you can adjust the route as you see fit.

Old social media site never die, do they?
Twitter Inc in Renovation Mode, Places Periscope up Front
Twitter Inc shares closed at an all-time low Monday and the company is looking for anything to help bring its stock back to prominence, even integrating Periscope, the live streaming video service, into your timeline.
… Beginning Tuesday, some mobile users will be able to watch live broadcasts within the Twitter timeline. As the new feature enhances the real-time capabilities of the social network, Periscope, which was purchased early last year, could be introduced to millions of new users.
… Only iOS users can take advantage of the Periscope integration. Users can watch live broadcasts and replay old broadcasts until they expire.

Perspective. Even if there is an App for that (and there is) it doesn't do us phoneless folks any good!
Lyft Works To Connect Smartphoneless Seniors To The Digital Age
… Said simply: The older Americans get, the less likely they are to be holding a smartphone. About a quarter of the U.S. population over 65 doesn’t have a smartphone, and that is rather unevenly distributed (many 65-year-olds, particularly those still in the workforce, are avid smartphone users) among the age cohort.
But Lyft, as a disruptive innovator that never met a citizen it didn’t think it could give a ride to, is not about to let the small issue of lack of enabling technology stand in the way of seniors on the go. The ridesharing service has announced a partnership with National MedTrans Network that will provide seniors in New York City a way to access Lyft for non-emergency medical appointments, even if they don’t have a smartphone they call their own.

Yeah, I ain't buying it. There is something else going on here. Call up a map of the Gulf. Draw a line from easternmost Kuwait to easternmost Bahrain. Note that the line comes no closer to Farsi Island than roughly 20 miles. Even if one boat had mechanical problems (Both engines?) the other boat should have been able to tow it. So what really happened? GPS was down? The Navy can't read a compass? Something sounds fishy.
Iran Releases U.S. Sailors Accused of ‘Trespassing’
Iran has released two United States Navy patrol boats and 10 crew members who were described as “trespassing” in Iranian waters near a major naval base, state news media reported on Wednesday.
… The American sailors were aboard two riverine patrol boats — 38-foot, high-speed boats that are used to patrol rivers and littoral waters. One official said the two vessels, which often patrol shallow waters near Bahrain, had failed to make a scheduled meeting with a larger ship to refuel.

I know which cause I would place my money on…
GOP report slams FCC on open records
The Federal Communications Commission might be deliberately withholding public records, according to a Republican-led report released this week.
The House Oversight and Government Reform Committee report concluded that the FCC either is incompetent or intentionally misused redactions under the Freedom of Information Act to withhold internal communication about its controversial Internet regulations.
… The conclusion was reached in a 40-page report that concluded the open records process is broken within the broader federal government. About a quarter of the report was dedicated to side-by-side comparisons of FCC documents, which were redacted when sent to journalists but provided in full to the committee.

Actually, zip guns are easy. It used to be that the bottom section of telescoping car antennas was almost exactly .22 caliber.
The 3-D-Printed Gun Is Retro, Not Futuristic
You don’t need 3-D-printing technology to make your own gun.
Individuals have been fashioning homemade firearms for as long as guns have existed. Zip guns, crude but functional weapons often made from taped-together pieces of pipe and rubber bands, were particularly popular in the 1940s and 1950s.
… For instance, it’s not illegal to print your own gun for personal use, but there are rules about selling homemade guns, and restrictions on what materials can be used when you make them. All-plastic guns, undetectable by weapon-screening scanners, are prohibited. One of the more alarming prospects of a world in which 3-D printing might be widely used for home gun-making is not just that firearms might be built to slip through metal detectors, but that the guns wouldn’t be traceable at all. There would be no official serial numbers, no records of ownership, nothing.

When we understand gravity we may be able to generate it – or generate anti-gravity. If that is so, then we can go to the stars.
This morning, the Internet erupted with rumors that physicists have finally observed gravitational waves; ripples in the fabric of spacetime predicted by Albert Einstein a century ago. While it isn’t the first time we’ve heard excited whispers about the elusive phenomena, the gossip feels more promising in light of the recently upgraded detector at the Laser Interferometer Gravitational Wave Observatory (LIGO) that’s behind all the hubbub.

Or you could teach.
Highbrow - Learn a New Subject or Skill in Small Chunks
Highbrow is a neat service that delivers short courses to your email inbox in bite-size chunks. When the service launched last year the course offerings were fairly limited. I took another look at the site today and noticed that the course catalog has expanded. You will now find courses in history, logic, science, and art. There are also courses designed to help you improve your health and your productivity habits.
The idea behind Highbrow is to provide you with one short (5-10 minutes) lesson per day for your chosen course. Lessons are delivered in the form of videos, images, and text. Courses contain 10 to 20 lessons.
Highbrow allows you to create your own courses that people can subscribe to. Using Highbrow might be a good way to deliver to students a course on studying habits, test-taking skills, or content to supplement your in-person instruction.

For my iPad toting friends. Join the BYOD generation.
Free eBook: iPad at Work for Dummies
… The book digs into how to use the iPad for productivity-related tasks. It also covers things like syncing the iPad so you can use it at work and home, backing up data, and other basic tasks that will help you make the most of the iPad as a useful tool.
A lot of the stuff in this book is about teaching you to use your iPad for things you’d traditionally turn to a computer for. Tasks like working with spreadsheets, enterprise-level word processing, task management, graphic design, communication, and much more are covered in-depth.
Not only does it go over how to actually get these things done, but it also breaks down the best apps for actually doing everything.
… To redeem your copy and download the free eBook, just head over to this page and sign up for a free account. The process will take just a few seconds, and then you will be sent an email with a link to download a free copy.

How statisticians follow the game.
Everyone Is Freaking Out About The $1.5 Billion Powerball, And The Stats Agree
… In all the trajectories of the model we’re playing around with, there’s a ballpark 95 percent chance someone wins this.
Here’s where we stand: based on the old forecast — the one we used for Friday’s estimate — we’d estimate about 1.008 billion tickets will be sold for Wednesday’s jackpot. Based on that number — which is totally unprecedented and based on far too much extrapolation, keep in mind — we’d estimate a 97 percent chance of at least one winner on Wednesday’s drawing.

Tuesday, January 12, 2016

This was only for show. Intelligence is too important to ignore just because you are embarrassed or angry.
Tina Bellon reports:
Germany’s BND intelligence agency has resumed joint internet surveillance with the U.S. National Security Agency (NSA) after halting collaboration with Washington last year following a row over spying practices, German media reported.
Read more on Reuters.

Don't say you were not warned. (Not that I see China learning much from our Education system.)
Teri Robinson reports:
The Department of Education is primed for a large data breach that could eclipse the one experienced by the Office of Personnel and Management (OPM), House Oversight Committee Chairman Jason Chaffetz (R-Utah) said last week at a Brookings Institute function.
With its rich set of data, including 139 million Social Security numbers and information on 40 million students who’ve taken out federal loans, and an “F” rating by the Inspector General based on the criteria established under the Federal Technology Acquisition Reform Act (FITARA), a breach at the agency could be more devastating than OPM’s.
Read more on SC Magazine.

Are my Computer Security students intelligent enough? (Those who pass probably are.)
Distinguishing Threat Intelligence From Threat Data
Specific malicious payloads, URLs and IP addresses are so ephemeral that they may only be used once in the case of a true targeted attack. The 2015 Verizon Data Breach Investigation Report (PDF) illustrates this in stark detail.
The Verizon report found that 70-90% of malware used in breaches were unique to the organization that was infected. Clearly, if a threat is only used once, faster signatures alone aren’t going to solve the problem.
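As an added example (not from the Verizon report or the column), here is a small detection that shows why a per-victim hash misses the second victim while a rule on the technique does not. The four process-creation events are constructed in the shape of an EDR feed, and the hashes are placeholders.

```python
import re

# Constructed process-creation records in the shape of an EDR/Sysmon feed;
# hashes are placeholders. Events 1 and 4 are one campaign: 4 is the same
# dropper recompiled for a second victim, so its hash is new.
EVENTS = [
    {"id": 1, "host": "ws01",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Users\ann\AppData\Local\Temp\inv0ice.exe",
     "sha256": "1f2d" * 16, "cmdline": "inv0ice.exe"},
    {"id": 2, "host": "ws02",
     "parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "sha256": "9c8b" * 16,   # the real powershell.exe: never on a malware feed
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 3, "host": "ws03",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "sha256": "77aa" * 16, "cmdline": "notepad.exe report.txt"},
    {"id": 4, "host": "ws04",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Users\bob\AppData\Local\Temp\inv0ice.exe",
     "sha256": "3e4f" * 16, "cmdline": "inv0ice.exe"},
]

# Threat data: the one hash recovered from the first intrusion.
IOC_HASHES = {"1f2d" * 16}

OFFICE_APPS = ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE")
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)

def ioc_match(events, hashes):
    """Indicator matching: fires only on a hash already on the feed."""
    return [e["id"] for e in events if e["sha256"] in hashes]

def behavioral_match(events):
    """Technique matching: an Office application spawning either an
    executable in a user-writable directory or an encoded PowerShell command.
    No hash involved, so a recompiled or packed variant still fires."""
    hits = []
    for e in events:
        office_parent = e["parent"].upper().endswith(OFFICE_APPS)
        drops_to_temp = USER_WRITABLE.search(e["image"]) is not None
        encoded_ps = (e["image"].lower().endswith("powershell.exe")
                      and ENCODED_PS.search(e["cmdline"]) is not None)
        if office_parent and (drops_to_temp or encoded_ps):
            hits.append(e["id"])
    return hits

def coverage(events, hashes):
    ioc, beh = ioc_match(events, hashes), behavioral_match(events)
    return {"ioc": ioc, "behavioral": beh,
            "missed_by_ioc": [i for i in beh if i not in ioc]}

if __name__ == "__main__":
    for name, ids in coverage(EVENTS, IOC_HASHES).items():
        print(f"{name:14s} {ids}")
```

The hash rule fires on event 1 only; the behavioral rule fires on 1, 2 and 4 and stays quiet on the benign notepad launch. The second rule is what "intelligence" buys you over "data": it encodes what the attacker has to do, not the one artifact they happened to use last time.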

Remove a slice of the market, reduce the need to supply it? No. Just ignore all those Jihadists with obviously phony IDs.
Jonah Bennett reports:
New figures show that the number of identification theft investigations collapsed by 30 percent in California after a program allowing illegal aliens to apply for driver’s licenses was implemented in 2015, according to a FOIA request obtained by The Daily Caller News Foundation.
Breitbart News reported in late January 2015 that the California Department of Motor Vehicles (DMV) told investigators to ignore cases alleging identity thefts committed by illegal aliens who were applying for drivers’ licenses under a new program. An anonymous DMV source provided Breitbart with internal documents revealing the policy.
Read more on Daily Caller.

Speaking of Jihadists… (Would this be considered “harm?”)
Colin Miner reports:
A data breach by militia at the Malheur Wildlife National Refuge has led the US Fish and Wildlife Service to ask some of its employees to relocate from their homes until the situation is resolved, sources told KOIN 6 News.
While Ammon Bundy has told reporters that his group has not accessed computer files, a reporter for OPB witnessed them doing just that.
Read more on WJHL.

Is it me or does California try many of these technologies before the rest of the country? Are they over-selling this to themselves?
The new way police are surveilling you: Calculating your threat ‘score’
As a national debate has played out over mass surveillance by the National Security Agency, a new generation of technology such as the Beware software being used in Fresno has given local law enforcement officers unprecedented power to peer into the lives of citizens.
Police officials say such tools can provide critical information that can help uncover terrorists or thwart mass shootings, ensure the safety of officers and the public, find suspects, and crack open cases. They say that last year’s attacks in Paris and San Bernardino, Calif., have only underscored the need for such measures. [Yet nothing in the article addresses prevention of crime. Bob]

(Related) These technologies spread quickly.
Cyrus Farivar reports:
A local activist has won an important intermediary step in his legal quest to force the Chicago Police Department (CPD) to produce documents that fully explain the department’s use of cell-site simulators, also known as IMSI catchers.
In a Monday opinion in Martinez v. Chicago Police Department, Cook County Circuit Judge Kathleen Kennedy denied the city’s motion to dismiss. This decision paves the way later this month for a closed-door hearing (in camera review) where the judge gets to privately review the documents in question.
Read more on Ars Technica.

(Related) Perhaps there is hope…
Michael Byrne reports:
Computer scientists at the University of Pennsylvania have developed an algorithmic framework for conducting targeted surveillance of individuals within social networks while protecting the privacy of “untargeted” digital bystanders. As they explain in this week’s Proceedings of the National Academy of Sciences (PNAS), the tools could facilitate counterterrorism efforts and infectious disease tracking while being “provably privacy-preserving”—having your anonymous cake and eating it too.
Read more on Motherboard.

Suggests that if I want to know all your darkest secrets, I should ask your friends? Sell your friends out for success in your video game? I want to build that App!
My privacy is worth more to me than yours is. At least, that seems to be the findings of a new study by Penn State researchers. Alexa Lewis reports:
On Dec. 14, a team of Penn State researchers reported at the International Conference on Information Systems in Fort Worth, Texas, that people are more concerned about sharing their own personal information with third-party app developers than they are about sharing their friends’ information.
The problem, Grossklags said, is known as interdependent privacy. It means that the privacy of individual consumers depends not only on their own online decisions, but the decisions of their friends.
According to a Penn State press release, the researchers found that participants valued data in their own social media profiles at $2.31 and valued their friend’s social media data at $1.56, when the information was irrelevant to the app’s function. When the data was necessary for the app’s function, the economic value of their own data dropped by $.27, but the value of their friends’ data dropped by $.58.

I thought for a second that someone had developed an App to identify “good customers” but I guess that one is still available.
Tinder is internally ranking its users based on 'desirability'
… It’s called the “Elo score,” a term used in chess to rank player skill levels. In short, the ranking system helps the company facilitate matches based on score compatibility. So if you’re really desirable, you have a better chance of ending up with another really desirable person. And if you’re not so desirable, then tough luck.
This all sounds like it’s connecting hotties with hotties, right? According to Tinder CEO Sean Rad, wrong. He emphasizes the rating isn’t really just a measure of attractiveness.
… "It’s not just how many people swipe right on you," Rad said. "It’s very complicated.
It took us two and a half months just to build the algorithm because a lot of factors go into it."
… It might seem a little questionable at first, but it makes sense that a dating app has some sort of internal rating system, and it would be no surprise if other dating apps had similar tools. Dating apps do actually want to get their users to match. That’s why, for example, OkCupid makes you answer a whole bunch of questions and shares your compatibility percentage with other users.

Help me out here. If I want to browse the data my Texas employer has on Donald Trump's mental health, just for my own amusement, that's Okay?
Shawn E. Tuma writes that Texas just amended its unauthorized access of computers law to specifically address misuse by insiders. Here’s a snippet from his detailed post:
Nothing was removed from the prior version of the law; the following language in blue italics was added as Section 33.02 (b-1)(2) of the Texas Penal Code:
It is a crime for a person to, with the intent to defraud or harm another or alter, damage, or delete property … knowingly access[] … a computer, computer network, or computer system:
(A) that is owned by:
(i) the government; or
(ii) A business or other commercial entity engaged in a business activity;
(B) in violation of:
(i) A clear and conspicuous prohibition by the owner of the computer, computer network, or computer system; or
(ii) A contractual agreement to which the person has expressly agreed; and
(C) with the intent to obtain or use a file, data, or proprietary information stored in the computer, network, or system to defraud or harm another or alter, damage, or delete property.
Read more on his site.

Perspective. If Blogging becomes useful, everyone will start Blogging.
The rise and proliferation of political science blogging in America
by Sabrina I. Pacifici on Jan 11, 2016
How the Monkey Cage Went Ape by Alexander C. Kafka January 10, 2016 – The Chronicle of Higher Education
“The rise of political-science public engagement has been so massive and rapid that it is paradoxically easy to miss,” writes Marc Lynch, a Middle East specialist at George Washington University and a regular blogger for the Cage, in a forthcoming article for Perspectives on Politics. “A decade ago, very few political scientists had either the opportunity or the incentive to engage with the political public in a direct, unmediated way.” Engagement has gone from “something exotic to something utterly routine.” In fact, while the top blogs were initially popular as rare outlets for scholars to reach a broader public, they’re now popular, Lynch writes, as curators of “a deluge of analysis, information, and argument.”

Perspective. Free is good! But not everyone knows how to get “Free” or what to do with it once it is in hand. Isn't that a marketing problem? Are the other 34 countries successful?
Facebook Tried To Give Everyone In Egypt The Internet — It Didn’t Work
Only two months after it launched, one of Facebook’s flagship programs for free internet was abruptly canceled. Egyptian officials say it was a licensing issue, but others say it was part of a widening crackdown by Egyptian authorities.
… But since Free Basics launched in late 2015 in 36 countries, Facebook has faced problems in two of its biggest markets — Egypt and India — along with criticism that it provides a limited service only through the select partners that meet its technological requirements. In India, the program has become subject to a regulatory battle, with detractors arguing that the initiative favors certain apps and sources of information over others. In Egypt, the program was quietly shut down on Dec. 30, just two months after it was launched. It was, said many Egyptians, perhaps not as easy to bring the internet to Egypt as Zuckerberg expected.
… “There was no advertisement of this program in Egypt, no one knew about it,” said Mohammed, in a sentiment echoed by several other Egyptians interviewed by BuzzFeed News in Cairo.
… “Egypt will stop every website, they will kick everyone off Facebook, if it means they will stop another revolution from happening,” one activist told BuzzFeed News by phone. He asked to remain anonymous due to the arrests of several of his friends in recent years. “They took the whole country offline in 2011, why doesn’t the world think they would do it again?

Have I been mispronouncing the school my lawyer friends attended?