Saturday, March 05, 2016

Yesterday, one of my former students sent me an email explaining how his company had been phished. It really is an epidemic (translation: It really works!)
Add AmeriPride and Actifio to the ever-growing list of companies whose employees’ W-2 info was snagged by criminals via phishing.
If your company didn’t urgently re-train employees about this growing problem with phishing and business email compromises, do it now.
Update 1: Add Evening Post Industries to the list of those whose employees fell for business email compromise, resulting in employees’ W-2 data in criminals’ hands.

Have they found an antidote? When was the last time you tested your backup plan?
Kat Hall reports:
North Dorset District Council is working with police to identify the source of a ransomware attack this week, the latest incident in what security experts believe to be a growing problem for local authorities.
According to an email seen by The Register, the attack had infected 6,000 files on the council’s servers by Tuesday.
However, the council said yesterday evening the problem had been fixed.
Read more on The Register.
[From the article:
He added that with more sophisticated encryption targets have little choice between restoring their systems from a backup or paying the ransom.
Eddy Willems, security specialist at G-Data, said attackers were deliberately targeting organisations which appear more likely to pay the ransom to get back online. "Some of these organisations do not have the latest backup [systems] installed," he said.

When you fear that facts and logic are against you, make stuff up? If I were the judge, that would really make me wonder what else was pulled from “thin air.”
What is a “lying-dormant cyber pathogen?” San Bernardino DA says it’s made up [Update]
One day after the San Bernardino County district attorney said that an iPhone used by one of the San Bernardino shooters might contain a "lying-dormant cyber pathogen," the county's top prosecutor went on the offense again. DA Michael Ramos said Apple must assist the FBI in unlocking the phone because an alleged security threat might have been "introduced by its product and concealed by its operating system."
… The fact no one has heard of a pathogen that might carry devastating qualities has us and others wanting to know exactly what is a "lying-dormant cyber pathogen?" We asked Ramos' office to elaborate. Ars' e-mail and phone messages, however, were not returned.
… But late Friday, Ramos told The Associated Press that his cyber doom suggestion was out of thin air.
… The prosecutor suggested in a court filing yesterday that the iPhone—a county phone used by Farook and recovered after the shooting—might be some type of trigger to release a "lying-dormant cyber pathogen" into the county's computer infrastructure. On Friday, the district attorney again demanded that a federal magistrate presiding over the dispute command Apple to help decrypt the phone.

(Related) “Mon Dieu! The FBI wants us to become French!”
Iain Thomson reports:
The French parliament has voted in favor of punishing companies that refuse to decrypt data for government investigators – by threatening businesses with big fines and possible jail terms for staff.
This comes amid the FBI’s high-profile battle with Apple in the US to unlock a dead killer’s encrypted iPhone.
French deputies voted to add an amendment to a penal reform bill that would fine companies €350,000 (US$385,350) for a refusal to decrypt and give up to five years in jail for senior executives. Telecommunications company executives would face smaller fines and up to two years in jail for not cooperating with the authorities.
Read more on The Register.

(Related) Flipping their flop for political or privacy reasons? Will they reverse again in a few months? (Does their policy favor privacy or convenience?)
Amazon reverses course on encryption for its Fire tablets
It's been only one day since -- in the midst of a national debate over encrypted devices -- Amazon started pushing a new Fire OS 5 to its tablets that ditched support for device encryption. Just yesterday, the company said that was because customers weren't using the feature. [How did they know? Bob] Tonight, the company tells Engadget that it will bring the option back in another update that is due to arrive this spring. Given the attention Apple's battle with the FBI has brought to this security feature it seems logical that encryption remains at least available as an option, even on a device intended for casual usage.

Another FBI kerfuffle in the works? Sounds like they are targeting the Young Republicans.
Sarah Lazare writes:
Under new guidelines, the FBI is instructing high schools across the country to report students who criticize government policies and “western corruption” as potential future terrorists, warning that “anarchist extremists” are in the same category as ISIS and young people who are poor, immigrants or travel to “suspicious” countries are more likely to commit horrific violence.
Based on the widely unpopular British “anti-terror” mass surveillance program, the FBI’s “Preventing Violent Extremism in Schools” guidelines, released in January, are almost certainly designed to single out and target Muslim-American communities. However, in its caution to avoid the appearance of discrimination, the agency identifies risk factors that are so broad and vague that virtually any young person could be deemed dangerous and worthy of surveillance, especially if she is socio-economically marginalized or politically outspoken.
Read more on AlterNet.

For my Computer Security class to consider. (Kind of a fluff piece.)
How the 'Internet of Things' could be fatal

Another article for my Computer Security students. Serious actors planning extensively – sounds to me like they would try a few “test hacks” like maybe OPM or Sony. Just saying.
Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid
… The hackers who struck the power centers in Ukraine—the first confirmed hack to take down a power grid—weren’t opportunists who just happened upon the networks and launched an attack to test their abilities; according to new details from an extensive investigation into the hack, they were skilled and stealthy strategists who carefully planned their assault over many months, first doing reconnaissance to study the networks and siphon operator credentials, then launching a synchronized assault in a well-choreographed dance.
… Ukraine was quick to point the finger at Russia for the assault. Lee shies away from attributing it to any actor but says there are clear delineations between the various phases of the operation that suggest different levels of actors worked on different parts of the assault. This raises the possibility that the attack might have involved collaboration between completely different parties—possibly cybercriminals and nation-state actors.
… Regardless, the successful assault holds many lessons for power generation plants and distribution centers here in the US, experts say; the control systems in Ukraine were surprisingly more secure than some in the US, since they were well-segmented from the control center business networks with robust firewalls. But in the end they still weren’t secure enough—workers logging remotely into the SCADA network, the Supervisory Control and Data Acquisition network that controlled the grid, weren’t required to use two-factor authentication, which allowed the attackers to hijack their credentials and gain crucial access to systems that controlled the breakers.
The power wasn’t out long in Ukraine: just one to six hours for all the areas hit. But more than two months after the attack, the control centers are still not fully operational, according to a recent US report. Ukrainian and US computer security experts involved in the investigation say the attackers overwrote firmware on critical devices at 16 of the substations, leaving them unresponsive to any remote commands from operators. The power is on, but workers still have to control the breakers manually.

Thou shalt not fish for evidence?
Andrea Noble reports:
In a historic victory for privacy rights advocates, the Maryland Court of Special Appeals upheld a ruling that barred prosecutors from using evidence discovered through the Baltimore Police Department’s use of secret cellphone tracking technology.
The ruling, issued late Wednesday, marks the first time any appellate court in the country has thrown out evidence obtained through warrantless use of the secretive devices, often known by the brand name Stingray.
The brief order, signed by Judge Andrea Leahy, offered no explanation of the reasoning behind the decision but indicated that an opinion would be forthcoming.
Read more on The Washington Times.

(Related) “When we specify phone calls, we mean everything including phone calls.”
John Frank Weaver writes:
In July 2015, I wrote an article about Fourth Amendment protection for self-driving cars that referenced Commonwealth v. Dorelas, a Massachusetts case that considered how specific a warrant must be before police can search a smartphone. (Full disclosure: I helped the American Civil Liberties Union of Massachusetts draft its amicus brief.) Briefly: Defendant Denis Dorelas was arrested following a shooting. While investigating the shooting, witnesses told police that Dorelas had received threatening phone calls and text messages from the other individual involved in the shooting. Based on this evidence, police applied for and received a warrant to search Dorelas’ iPhone…..
Read more on Slate.
[From the article:
In the decision, which was released in January, the Supreme Judicial Court ruled that the warrant was constitutionally granted because electronic communications “can come in many forms” and the issuing judge “could conclude that the evidence sought might reasonably be located in the photograph file,” despite the fact that the only evidence supporting the search of the iPhone was testimony that referenced phone calls and texts. Equating texts and phone calls with all electronic communications is a huge expansion of those forms of evidence and grants broad discretion to police to search all the data on a phone as long as there is evidence suggesting that any data on the phone could be related to criminal activity.

I can think of a few reasons why it would simplify things at Facebook (no warrants asking them to identify users). But it ruins my New Yorker cartoon, “On the Internet, nobody knows you're a dog.”
Facebook can nix German users with fake names
… The German court's decision rested on the fact that Facebook's European headquarters are in Ireland. The company therefore only needs to comply with orders from the Irish data protection authority. Ireland decided back in 2011 that Facebook's real-name policy did not violate people's right to privacy.

History is written by the winners, except in the EU.
Google makes narrow expansion of 'right to be forgotten' official
… Google said on Friday that it would delist the links from all of its domains when they are accessed in the country where the petition to remove the content originated.
… Google portrayed its announcement Friday as one that would mollify privacy regulators without infringing too much on the sanctity of its platform.
“We’re changing our approach as a result of specific discussions that we’ve had with EU data protection regulators in recent months,” wrote Global Privacy Counsel Peter Fleischer in a blog post. “We believe that this additional layer of delisting enables us to provide the enhanced protections that European regulators ask us for, while also upholding the rights of people in other countries to access lawfully published information.”

Something my Data Management students can use to get rich?
How Netflix Knows Exactly What You Want to Watch
Netflix’s rise to being the world’s primary media streaming service was no fluke. It was based on a complex recipe of data manipulation and emotion that means the company knows what you want to watch even before you know yourself.
… It is Netflix’s secret sauce of algorithms, big data, and gut instinct that fuel this unstoppable growth. It’s this secret sauce that allows Netflix to not just consistently recommend content that users will (likely) love, but also to fund the creation of that content, confident that it will be a success.
It’s no surprise that big data plays a big part in Netflix’s ability to recommend and fund the right content. What is surprising, however, is the kind of data and amount of data that Netflix tracks every time you use the service.

I had no idea – and I still don't, but looking at the illustration, they have several ways to make money.
How Snapchat brings celebrities millions of views and offers advertisers a young audience

Another snapshot of my industry.
Hack Education Weekly News
Via The Harvard Crimson: “Harvard jointly filed an amicus brief to the National Labor Relations Board on Monday arguing against the unionization of graduate students, joining six other Ivy League universities, Stanford, and MIT in a call for the board to uphold existing rulings that define the relationship between private universities and graduate students as strictly academic.”
Via SF Gate: “Hackers compromised a UC Berkeley computer network containing the financial data of 80,000 people.”
… This week in rebranding bullshit: “Ubiquitous learning could push the term ‘online’ out of education.”
… “Minnesota State University at Moorhead has announced an unusual scholarship program,” Inside Higher Ed reports. “Four $2,500 scholarships and two $1,000 scholarships will be awarded (on top of other aid for which students are eligible) based on tweets.”
… The “Transcript of Tomorrow”!
… According to a survey of 4000 community college students, “about 50 percent of students reported having one or more mental-health condition,” The Chronicle of Higher Education reports.

Friday, March 04, 2016

I make it 16 briefs and three letters in support of Apple. Plenty of fodder for my students to chew as they write their papers on cryptography this week.
Apple Is Rolling Up Supporters in Privacy Fight Against F.B.I.
Google, Amazon, Facebook, Microsoft and a parade of other technology companies filed a barrage of court briefs on Thursday, aiming to puncture the United States government’s legal arguments against Apple in a case that will test the limits of the authorities’ access to personal data.

(Related) On the FBI side, wild speculation? No evidence of this, so why suggest it?
San Bernardino DA says seized iPhone may hold “dormant cyber pathogen”
The San Bernardino District Attorney told a federal judge late Thursday that Apple must assist the authorities in unlocking the iPhone used by Syed Farook, one of the two San Bernardino shooters that killed 14 people in a killing rampage in December. The phone, which was a county work phone issued to Farook as part of his Health Department duties, may have been the trigger to unleash a "cyber pathogen," county prosecutors said in a brief court filing.
"The iPhone is a county owned telephone that may have [Surely it was connected at some time? Bob] connected to the San Bernardino County computer network. The seized iPhone may contain evidence that can only be found on the seized phone that it was used as a weapon to introduce a lying dormant cyber pathogen that endangers San Bernardino's infrastructure," according to a court filing (PDF) by Michael Ramos, the San Bernardino County District Attorney.
The development represents the first time any law enforcement official connected to the investigation provided any indication of what the authorities might discover on the phone.

(Related) A government divided. (Nothing new there)
Pentagon Chief Wary of Tech 'Back Doors'
US Secretary of Defense Ashton Carter has said he opposes high-tech "back doors" that would allow the government access to encrypted data on people's phones and other devices.

Apparently not everyone is convinced encryption is the way to go. Let's hope they find out why Amazon did it.
Amazon Quietly Removes Device Encryption in Fire Devices
Fire OS 5 is based on the Android 5.0 Lollipop release, which was revealed in October 2014 with multiple security enhancements built in, including full device encryption enabled by default on first boot.
To further boost the security of devices, Google announced in October 2015 that full-disk encryption was mandatory in devices running Android 6.0 Marshmallow. Thus, the company required that all manufacturers enabled the feature out-of-the-box for new devices that support a secure lockscreen and which have high memory resources.
Amazon’s Fire devices had encryption enabled, and users still running iterations of Fire OS 4 can take full advantage of the security feature. However, those who decided to upgrade to the newer Fire OS 5 platform release could no longer enjoy the same capabilities it seems.
Although it did not make an official announcement on the matter, Amazon did inform users on the change, and even suggested they refrain from upgrading to the newer OS version to continue taking advantage of encryption. Basically users need to choose from two equally bad options: update and leave their data unprotected, or continue running outdated software on their devices.
SecurityWeek has contacted Amazon requesting comment and we will update the story as soon as we receive a response.

Never engage in a battle of wits when you are only half armed.
GOP lawmaker: Ban government from buying Apple products
Rep. David Jolly (R-Fla.) is proposing a way to punish Apple for refusing to abide by a court order directing the company to unlock an iPhone used by one of the San Bernardino shooters: Stop buying its products for government use.

“Deliver what you promise, promise only what you can deliver.” What makes that so hard to understand? Looking at the dates, the Feds need to move faster!
Feds go after online payment firm for deceptive cybersecurity
Federal regulators on Thursday sent a major signal to financial technology companies, settling charges against an online payment firm for deceiving customers about data security.
The company, Dwolla, has agreed to pay $100,000 to settle the allegations.
The move is a new step for the Consumer Financial Protection Bureau (CFPB), and represents one of the first enforcement actions taken against a financial technology company for allegedly misrepresenting security practices.
… The CFPB claims that from late 2010 until 2014, Dwolla falsely assured customers that its data security practices exceeded industry standards and guarded customer data with “safe” and “secure” transactions. The agency also said the company misled users about how much personal information was encrypted.
… In a statement, the firm also stressed there was no indication of a data breach in the company’s five years of existence. [Significant. That is usually how the government gets involved. Bob]
… With Thursday’s enforcement action, the CFPB has positioned itself next to other federal agencies — such as the Federal Trade Commission and Securities and Exchange Commission — as a de facto data security regulator.

This will not be the last “cross technology” issue. Cable companies offer Internet but claim TV delivered to computers (rather than to your TV) is not an Internet service.
Consumer group calls for action against Comcast streaming video
Consumer advocates are urging regulators to take action against Comcast's new video service, Stream TV.
The service, which was launched last year, allows people to purchase and watch TV on their computers and phones without it counting against their Internet data caps.
Advocacy group Public Knowledge filed a 30-page complaint against Comcast Wednesday night, charging that the streaming service violates conditions from its 2011 merger with NBC-Universal.
… According to the 2011 merger conditions, Comcast agreed that if it imposed Internet data caps, it would not treat its own video services differently than others. Because Comcast's own Stream TV is exempt from data caps in a process known as "zero rating," Public Knowledge argues it is giving itself favorable treatment.

For my next Disaster Recovery class. No matter how extensively you plan, there seems to be something you overlooked – and it will happen. Who knew there were birds in the area!
Bird droppings apparently caused NY nuclear reactor outage
… In a report to the Nuclear Regulatory Commission last month, the New Orleans-based company said the automatic reactor shutdown was apparently from bird feces that caused an electric arc between wires on a feeder line at a transmission tower.
"If it has nowhere to send its electricity, the generator senses that and automatically shuts down," Entergy spokesman Jerry Nappi said.
Plant managers told the NRC they were revising preventive maintenance for additional inspection and cleaning and installing bird guards on transmission towers.

Without video or audio to accompany these slides, it becomes a list you have to research yourself. Still, it is probably worth looking at the ones I don't know about.
Best of the Web - Spring 2016
This afternoon at the NCTIES 2016 conference I had the privilege to once again give my Best of the Web presentation to a packed room (conservative guess of 350 people). The presentation features short overviews of my favorite new and/or updated ed tech resources of the last year. Almost all of today's presentation featured things that I haven't included in past Best of the Web presentations. The slides from the presentation are embedded below.

Thursday, March 03, 2016

I wonder if I could convince Nils to give a guest lecture to my Ethical Hackers?
Police Drone Can Be Hacked With Tech Worth $40
While drones are being used by cops, border security forces, military and even first responders to an emergency, one researcher has shown that one government-ready drone model can be hacked from over a mile away to be taken control of by a malicious hacker, WIRED reports.
… Rodday discovered that the drone’s telemetry module was fitted with an Xbee radio chip. The Wi-Fi connection used between the telemetry module and the user’s application is WEP or “Wired-Equivalent Privacy” encryption, a legacy protocol that can be infiltrated in seconds by any proficient hacker. With this alone, an attacker in the Wi-Fi range to break that connection could potentially send a “deauth” command to boot the drone operator off the network and take over.

(Related) A word to my Ethical Hackers: “Be vewy, vewy careful.”
Tara Seals reports:
Announcing what it calls “the first cyber bug bounty program in the history of the federal government,” the Department of Defense is inviting hackers to test the department’s cybersecurity profile.
The Hack the Pentagon initiative is a pilot program that will use commercial sector crowdsourcing to uncover vulnerabilities and probe around for flaws on the department’s public webpages. According to a list published by the Defense Department, it currently manages 488 websites, which are devoted to everything from the 111th Attack Wing and other military units to the Yellow Ribbon Reintegration Program.
Read more on InfoSecurity Magazine.

Quickly remedied. Still, you have to wonder about the initial confusion.
Facebook Exec Sprung From Brazilian Jail
A Brazilian judge on Wednesday ordered the release of Facebook Regional Vice President Diego Dzodan, one day after Brazilian police placed him under arrest for WhatsApp's failure to produce messages the government believed relevant to a drug ring investigation. Judge Ruy Pinheiro concluded the exec's detainment amounted to coercion, according to press reports.
Judge Marcel Maia ordered the arrest on Tuesday, after WhatsApp failed to comply with requests by police and the court to produce messages created in the app.
… This isn't the first time WhatsApp has been in hot water in Brazil where, according to The Guardian, it's been the most popular app download for the past two years, and is used by about half of the country's 200 million people. In December, the app was shut down for 48 hours for twice failing to comply with court orders for information.
… "Much like the Apple case, they're in a situation where because they've created such a secure device, they cannot give law enforcement what they're asking for," she told TechNewsWorld.
"It's not even an issue of conflict of laws," Butler said. "It's an impossibility."
Conflicts between law enforcement and high-tech companies are going to increase in the future because of encryption, she added.

“It's all there in black and white (or bits and bytes) as plain as a large team of lawyers can make it.”
You know those Terms & Conditions you always click “I agree” to without reading? Well, they can come back to bite you if you sue. Katherine Proctor reports:
Facing claims that it violates users’ privacy by storing biometric face-recognition data, Facebook called one of its software engineers to the witness stand on Wednesday in Federal Court.
In a 2015 class action, lead plaintiff Carlo Licata accused Facebook of holding the largest privately held stash of such data in the world, in violation of the Illinois Biometric Information Privacy Act of 2008.
At Wednesday’s evidentiary hearing, Facebook called on software engineer Joachim De Lombaert to testify about the source code for the site’s registration process, in which users agree to Facebook’s terms and conditions.
Read more on Courthouse News.
[From the article:
U.S. District James Donato asked whether users who registered from cellphones were required to check such a box, and De Lombaert said they were not.

Did he get immunity in exchange for ratting out Hillary? Would he need it if he did nothing wrong – or does everyone in Washington demand immunity before talking to anyone?
Justice Dept. grants immunity to staffer who set up Clinton email server
The Justice Department has granted immunity to a former State Department staffer, who worked on Hillary Clinton’s private email server, as part of a criminal investigation into the possible mishandling of classified information, according to a senior law enforcement official.
… As part of the inquiry, law enforcement officials will look at the potential damage had the classified information in the emails been exposed. The Clinton campaign has described the probe as a security review. But current and former officials in the FBI and at the Justice Department have said investigators are trying to determine whether a crime was committed.
“There was wrongdoing,” said a former senior law enforcement official. “But was it criminal wrongdoing?” [Perhaps it was good old “We don't have to follow the rules like second class citizens doing.” Bob]

This should liven up the debate. Do you think this would work in Denver? Call for a ride and some guy in Hell's Angels leathers shows up?
As Ola and Uber join the fray, are bike taxis the next big thing in India?
Uber and Ola, the two biggest ride-sharing companies in India, have simultaneously launched motorcycle taxis in the country, starting with the southern Indian city of Bengaluru.
Aimed at commuters looking for short-distance and affordable trips, this will be the cheapest service offered by both Uber and Ola. The simultaneous launch suggests a new focus on affordable forms of transport in India, in the absence of integrated public transport systems and last-mile connectivity in most cities. Two wheelers also constitute the largest number of vehicles in the country.
UberMOTO will be priced at a base fare of Rs 15, followed by rate of Rs 3 per kilometre and Rs per minute. Uber is also giving away free rides worth Rs 100 to first-time users. Ola Bike has an introductory fare of Rs 2 per kilometre and Rs 1 per minute. While UberMOTO's minimum fare is Rs 15, it is Rs 30 for Ola Bike.

(Related) ...and they will bring me pizza! (My favorite pizzeria does not deliver)
Uber's GrubHub killer is finally in the US — here's the inside story on its big bet on food
… For the first time, the company has broken a product out into its own standalone app. On Tuesday, the company launched its long-awaited UberEats app in the US, kicking it off in Los Angeles. Availability will roll out in the rest of the country throughout the month.
While it had been just a lunch service, the new app will allow instant lunch or dinner deliveries for select dishes or full-menu options from restaurants. Once you place your order, a specially trained Uber driver carrying lunch bags to keep the food warm or cold will deliver it while you track their progress on your screen.

The Future? If everyone had a peer to peer connection, would we need ISPs?
GoTenna, the startup that lets you text without cell signal, raises $7.5M and launches with REI
GoTenna … has created a lightweight device (1.8 ounces) that uses Bluetooth technology to pair with your smartphone and then generates long-range radiowaves to connect with other goTenna devices. That means you can send text messages and share your location (via pre-downloaded maps) even when you don’t have a cell connection.

Perspective. Let's hope this does not become a trend. Are they saying the fines collected won't pay for more courts?
You Won't Be Arrested For Public Drinking, Urination in Manhattan: NYPD, DA
The NYPD will no longer arrest people for minor infractions such as drinking alcohol in public, urinating or littering in Manhattan, city officials announced Tuesday.
Beginning March 7, police will have the discretion to determine if someone is a public safety risk before arresting them in a move the Manhattan District Attorney's Office — which will also no longer prosecute low-level offenses — said will remove 10,000 cases each year from the courts and help reduce its backlog.

Wednesday, March 02, 2016

No bias here!
Apple speaks with congress, FBI continues fear-mongering
Apple's Statement
Apple sent Senior Vice President and General Counsel Bruce Sewell to speak with this United States House of Representatives Committee of the Judiciary.
… You can see the entire statement by Bruce Sewell via the House online.
FBI's Statement
The FBI sent its director James Comey to speak with this same congressional panel. After speaking for several paragraphs about how the FBI valued electronic privacy and citizen's right to communicate with one another without unauthorized government surveillance, Comey began listing how terrible it'd be if "criminals and terrorists" got ahold of an iPhone.
… You can read the entire FBI statement if you'd like to go further in-depth via the House.

(Related) There is something a bit “off” here. The FBI has a pretty good forensics team. They would have known what happens when you force a password change.
FBI director admits mistake was made with San Bernardino iCloud reset
FBI Director James Comey on Tuesday conceded it was a mistake to ask San Bernardino County to reset the password of an iCloud account that had been used by gunman Syed Farook.
Changing the password to the account prevented the phone from making a backup to an iCloud account, which Apple could have accessed without bypassing the encryption and security settings on the phone.

Apple is not the only company that law enforcement, the courts or entire governments feel are “under-cooperating.”
Facebook Exec Jailed in Brazil as Court Seeks WhatsApp Data
… While details of the case remain murky, court officials said the judge in Brazil resorted to the arrest after issuing a fine of 1 million reais ($250,000) to compel Facebook to help investigators access WhatsApp messages relevant to their drug-trafficking investigation.
That is likely impossible because WhatsApp began using end-to-end encryption technology in 2014 that prevents the company from monitoring messages that travel across its network, said Christopher Soghoian, principal technologist with the American Civil Liberties Union.
“They are using technology to try to take themselves out of the surveillance business,” Soghoian said.

Ah, the French. The very definition of unpredictable.
David Chazan reports:
French parents are being warned to stop posting pictures of children on social networks in case their offspring later sue them for breaching their right to privacy or jeopardising their security.
Under France’s stringent privacy laws, parents could face penalties as severe as a year in prison and a fine of €45,000 (£35,000) if convicted of publicising intimate details of the private lives of others – including their children – without their consent.
Read more on The Telegraph.

For my Computer Security students. Infographic
A Visual Guide to the Deep and Dark Web
The creatively named Dark Web is a part of the Internet even the almighty Google doesn’t index. But is the dark web a bad place filled with villainy, or is it just misunderstood?

Drones are not fully autonomous, yet. Remember, these are civilian drones. I imagine the military drones are closer to Terminator smart.
DJI Phantom Drone 4 Is Smart And You Can't Hide From It
Fly With Tap
DJI is making it easier for users to fly the Phantom Drone 4 through the iOS or Android apps. All they have to do is to double tap the screen to fly.
The drone's Obstacle Sensing System keeps the drone safe while flying. The system makes use of two forward-facing optical sensors to make sure that the drone will not hit trees, walls and rooftops while maintaining its flight direction.
Visual Tracking
The ActiveTrack feature allows users to track their subject automatically. Pilots will simply tap their subject in the camera's frame. The Phantom 4 will then pick up on the object and keep it in the center of the image even when it changes direction.
… The new Phantom costs $1,399

I've been ignoring the broadcast v cable v satellite war. Perhaps it's time for another look.
Look Ma, No Dish! AT&T To Launch DirecTV Internet Streaming Service
As more and more people cut the cable cord, cable companies, media companies and content creators alike are scrambling to make sure that those who want access to their services have it. Over the past couple of years, we've seen many examples of companies dropping their cable TV exclusivity, with Dish being one of the most notable. Last February, Dish released a $20/mo package through Sling TV, and without much of a delay, AMC jumped on board, and so did HBO.
AT&T ... just announced that it also will be offering premium content services to those without a cable subscription. You don't even need a current AT&T product to jump on board.

Perspective. And Uber didn't even have to lobby!
MBTA to end late-night service by mid-March
Late-night hours on the MBTA will end March 18, after board members voted unanimously Monday to ax the service.
… Proponents of late-night hours — which extended MBTA service on all subway lines and some bus lines to 2 a.m. on Fridays and Saturdays, from the usual 12:30 — have called it a safe alternative for students and service industry workers. They said it was a blow to low-income residents in an increasingly unaffordable city.

For the political junkies?
The AP debuts “Election Buzz,” a tool that uses Twitter and Google data to track the U.S. elections
Just in time for Super Tuesday, the AP has launched a new tool in partnership with Google and Twitter that helps voters visualize what people are saying about the current elections, candidates and issues, as well as how that interest has changed over time. Effectively, the product, called AP Election Buzz, is a lot like a political-focused Google Trends tool mashed up with Twitter data. And while the online dashboard won’t tell you who to vote for, it does help to display which candidates are dominating online conversation (ahem, Trump) and which topics and issues are currently in the forefront of voters’ minds.

Could be amusing. (This is turn-of-the-20th-century)
Download 2,000 Turn-of-the-Century Art Posters from NYPL
by Sabrina I. Pacifici on Mar 1, 2016
New York Public Library Digital Collections – “Explore 674,208 items digitized from The New York Public Library‘s collections. This site is a living database with new materials added every day, featuring prints, photographs, maps, manuscripts, streaming video, and more.” A recent addition is a collection of over 2,000 Turn of the Century Posters. The collection offers a magical tour of diverse styles and periods, and often recognizable images from magazines, print advertisements, and magazine and journal covers.

I should try this… My International students might benefit from it as well.
Quickly Dictate Notes in Multiple Languages on is a good tool to add to yesterday's list of free tools for dictating notes. On it you can simply click "start dictation" and then start having your voice transcribed into a text document. No registration is required in order to use it. More than two dozen languages are supported. The video embedded below provides a demonstration. It doesn't require students to register in order to use it, and it also supports more than two dozen languages. Those two aspects make it accessible to students who don't have Google Docs accounts and to those who don't speak English as their first language.

Tuesday, March 01, 2016

Geeks at war! At least we have shifted to the offense. (The first acknowledgment anyway)
W. J. Hennigan reports:
Military commanders have mounted a cyberoffensive against Islamic State in Iraq and Syria in recent weeks by deploying hackers to penetrate the extremist group’s computer and cellphone networks, according to the Pentagon.
The cyberassault, which Defense Secretary Ashton Carter authorized last month, marks the first time teams from U.S. Cyber Command have been integrated into an active battlefield since the command was established in 2009.
Read more on The Columbian.

Reasonably large, poorly secured.
Joseph Cox reports:
A hacker on the dark web forum Hell claims to have sold the email addresses and plaintext passwords of over 27 million users of dating site
“Their server was compromised and the MySQL database was dumped,” the hacker, who asked to remain anonymous, told Motherboard. “I had shell/command access to their server.”
Read more on Motherboard.
There doesn’t seem to be any statement on’s web site as of the time of this posting.
[From the article:
On Monday, this reporter clicked the "forgotten password" feature on Mate1's login page. The full, plaintext password was then emailed, further corroborating that the site does indeed store passwords without any hashing.

Need some insider/personal data? Just ask!
Snapchat Admits Getting Scammed and Leaking Employee Data
On Sunday, the ephemeral messaging app revealed on its blog that the data of some of its employees, current and past, has been compromised. On Friday, a scammer impersonated the company’s CEO, Evan Spiegel, and sent a phishing email asking for payroll information to an employee in that department. Unfortunately, neither Snapchat’s security system, nor the employee realized it was a scam, and the data was “disclosed externally,” the company explains.
Snapchat says it took action within four hours, confirming it was an isolated phishing incident and reporting it to the FBI.

Want to own the police computers? Someone on the inside will fall for your phishing email.
Aaron Leibowitz reports:
Hackers stole the encryption key to a software system at the Melrose Police Station on Thursday evening, compelling the department to pay the hackers one Bitcoin to regain control, Chief Michael Lyle told the Free Press on Monday.
The attack came in the form of an email sent to the entire department around 7 p.m. Thursday, Lyle said. One person opened the email, [I'll bet there was more than one. Bob] setting off a virus that voided the department’s control of a program it uses to log incident reports, known as TriTech.
[From the article:
The Melrose Police did not lose any data, but officers were forced to put all log entries and incident reports in Microsoft Word documents until the problem was addressed, according to Lt. Mark DeCroteau.
They also had to book arrested parties on paper – “the old fashioned way,” DeCroteau said.

Are critical switches (circuit breakers, valves, etc.) available over the Internet?
Utilities Cautioned About Potential for a Cyberattack After Ukraine’s
The Obama administration has warned the nation’s power companies, water suppliers and transportation networks that sophisticated cyberattack techniques used to bring down part of Ukraine’s power grid two months ago could easily be turned on them.
After an extensive inquiry, American investigators concluded that the attack in Ukraine on Dec. 23 may well have been the first power blackout triggered by a cyberattack — a circumstance many have long predicted. Working remotely, the attackers conducted “extensive reconnaissance” of the power system’s networks, stole the credentials of system operators and learned how to switch off the breakers, plunging more than 225,000 Ukrainians into darkness.

For my Computer Security students. Re-program to remove that “assume” when the other vehicle is controlled by a mere human?
Google Self-Driving Car Hits A Bus In Los Angeles And It's At Fault: Here's What Happened
… The Google AV was driving in the far right side of the three-lane boulevard, preparing to take a right turn onto Castro Street. However, it couldn't smoothly do so because of sandbags that surrounded a storm drain, and it had to move to the center to make the turn.
The Lexus did let a couple of cars pass before it proceeded to maneuver around the obstruction, but a bus approaching at 15 mph was right behind it. According to the accident report, the bus was visible in the left mirror. It then collided with the bus, incurring damage on its front-left fender, wheel and sensor.
"A public transit bus was approaching from behind. The Google AV test driver saw the bus approaching in the left side mirror, but believed the bus would stop or slow to allow the Google AV to continue. Approximately three seconds later, as the Google AV was reentering the center of the lane, it made contact with the side of the bus," the report says (PDF).
… Placed in the same situation that drivers face every day, the Google AV predicted that the bus would allow it to pass first, as it's positioned ahead of the incoming vehicle. The occupant also thought the same. Apparently, they were both wrong.
Google says the company itself and the AV in question are at fault to a certain degree, making this the first case under that condition.

The (probably) never-ending story continues. Might be interesting to see what Apple argued in this case. (I assume their lawyers were there?)
N.Y. judge backs Apple in encryption fight with government
The U.S. government cannot force Apple Inc (AAPL.O) to unlock an iPhone in a New York drug case, a federal judge in Brooklyn said on Monday, a ruling that bolsters the company's arguments in its landmark legal showdown with the Justice Department over encryption and privacy.
The government sought access to the phone in the Brooklyn case in October, months before a judge in California ordered Apple to take special measures to give the government access to the phone used by one of the shooters in the San Bernardino, California, attacks.
U.S. Magistrate Judge James Orenstein in Brooklyn ruled that he did not have the legal authority to order Apple to disable the security of an iPhone that was seized during a drug investigation.
His ruling echoed many of the arguments that Apple has made in the San Bernardino case, particularly his finding that a 1789 law called the All Writs Act cannot be used to force Apple to open the phone. Orenstein also found that Apple was largely exempt from complying with such requests by a 1994 law that updated wiretapping laws.
… Orenstein said his ruling in Apple’s favor was not a decision on "whether the government should be able to force Apple to help it unlock a specific device; it is instead whether the All Writs Act (AWA) resolves that issue and many others like it yet to come."
Orenstein concluded that "the government posits a reading of the latter phrase so expansive – and in particular, in such tension with the doctrine of separation of powers – as to cast doubt on the AWA's constitutionality if adopted."
He also wrote: "The implications of the government's position are so far-reaching – both in terms of what it would allow today and what it implies about Congressional intent in 1789 – as to produce impermissibly absurd results."
Orenstein also found that the Communications Assistance for Law Enforcement Act, passed in 1994, exempted Apple from this sort of request.
[The ruling:

(Related) A peek ahead.
Here's what Apple’s top lawyer will tell Congress tomorrow

(Related) Note that this is largely built in to sites like Google. It is not individuals encrypting their communications.
Study finds about half of Web traffic is encrypted
About 49 percent of Internet traffic is encrypted, according to a new study released Monday.
That is a 36 percentage point jump from April 2014, when only about 13 percent of traffic was being encrypted. The results Monday confirm other studies that have seen a large uptick in encryption, with the increase predicted to continue.
The study found that 24 of the top 50 sites encrypt their traffic by default, usually signaled in a user’s browser by a lock and the letters “https” ahead of the web address. The study also found 42 of the top 50 sites either encrypt by default or shift to encryption after log in.

(Related) ...and if you don't encrypt, it's your own fault! (Would lawyers expect the same “exemption?”)
Joseph Lazzarotti of Jackson Lewis highlights an important note in recent OCR guidance:
What is a covered entity’s obligation under the Breach Notification Rule if it transmits an individual’s PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit?
If a covered entity discovers that the PHI was breached in transit to the designated third party, and the PHI was “unsecured PHI” as defined at 45 CFR 164.402, the covered entity generally is obligated to notify the individual and HHS of the breach and otherwise comply with the HIPAA Breach Notification Rule at 45 CFR 164, Subpart D. However, if the individual requested that the covered entity transmit the PHI in an unsecure manner (e.g., unencrypted), and, after being warned of the security risks to the PHI associated with the unsecure transmission, maintained her preference to have the PHI sent in that manner, the covered entity is not responsible for a disclosure of PHI while in transmission to the designated third party, including any breach notification obligations that would otherwise be required. Further, a covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.
Read more on Lexology.

My guess is he enjoyed the way Scalia asked the questions.
Justice Clarence Thomas breaks 10-year streak, asks question in court

Another look into the future of the Internet of Things. Perhaps my bottle will send a “Bring me another Fat Tire Dear” to my wife as I near the end of my beer?
With 'Smart' Brita Pitcher, Amazon Aims To Change How Consumers Buy Everyday Essentials
This is not your mother’s water pitcher. [I expect to see this in many ads. Bob]
Amazon is testing the waters for ways to render brick-and-mortar shopping virtually obsolete — at least when it comes to everyday necessities.
The online giant has launched the new Wi-Fi-enabled Brita Infinity pitcher, which is designed to automatically order a new filter through its Amazon Dash Replenishment reordering program when the existing filter nears its capacity.

Coca Cola tried this last week with their 12-packs. Perhaps more kids have smartphones in Sweden?
Kids will soon be able to turn their Happy Meals into VR goggles in Sweden
Fast food juggernaut McDonald's is rolling out a pilot program in Sweden that turns Happy Meal boxes into virtual reality goggles. With a few flips and folds, kids can transform the box into a smartphone holder, which provides a kinda-sorta VR experience similar to Google Cardboard.

Because my students should at least talk like they understand this stuff!
Are You Confused by the Windows App Terminology?

Monday, February 29, 2016

Signaling that you can not anonymize data?
Mikkael A. Sekeres, MD, MS and Brian J. Bolwell, MD have an OpEd on FoxNews of note, as the issue they address goes beyond cancer patients and potentially affects all of us.
… Articles about cancer research in scholarly journals are the lifeblood of the fight against cancer. For doctors and researchers, flagship journals such as The New England Journal of Medicine, the Journal of the American Medical Association (JAMA) and The Lancet are critical for keeping up to date with the latest breakthroughs, establishing new standards of care, and improving treatments for patients.
In January, a proposal was put forward by the editors of these publications, the International Committee of Medical Journal Editors, that poses a serious threat to the privacy of patient data. In it, the editors would require that investigators of clinical trials make publicly available within six months of publication de-identified (i.e., anonymous), individual patient data underlying the results presented in the trial.
Read more on FoxNews about the risks of re-identification and its impact on cancer patient privacy.

I've been trying to explain the First Amendment to my international students. (It relates to Apple v FBI) This should cloud the waters…
I’ve been hoping some lawyer(s) would discuss the lawsuit filed by Jason Pierre-Paul (“JPP”) against ESPN and Adam Schefter because frankly, although I wasn’t happy that Schefter posted a medical record – and Schefter later acknowledged there’s an issue of sensitivity here – I can’t see how any lawsuit against the journalist could prevail because…. freedom of press. Now sports lawyer Tony Iliakostas has offered his analysis and prognosis for the case. It provides a useful recap of the claims, Florida law, and Iliakostas’s predictions.
For those not familiar with the case, the short version is that Schefter somehow obtained JPP’s medical record showing surgery on JPP’s fingers after an accident JPP had. Schefter tweeted the actual image of the medical record showing surgery was performed. Not surprisingly, Jackson Memorial Hospital investigated to determine what employee(s) may have leaked the record to Schefter and subsequently fired two employees. JPP sued the hospital for breach of his privacy. The hospital settled. But this lawsuit against ESPN and Schefter is a separate lawsuit filed over the incident under Florida law.
Iliakostas writes that in suing ESPN and Schefter over the tweet, JPP alleges
that Adam Schefter violated Florida Statute § 456.057, which states in a nutshell that medical records maintained by hospitals, clinical laboratories, and other health care practitioners shall be kept confidential. Specifically under subsection 7(a) of the Florida Statute, records shall only be provided to the patient, his/her legal representatives, and other health care providers. Medical records under this statute shall not be disclosed to anyone else without the patient’s written consent. The complaint specifically asserts that Schefter is in violation of § 456.057(11) which states that a third party in receipt of medical records is “prohibited from further disclosing any information in the medical record” without the patient’s express written consent. Likewise, the complaint holds Jackson Memorial Hospital accountable for disclosing the records in the first place without his consent.
So that’s different: Florida law imposes a duty to maintain confidentiality on a third party recipient of a medical record. If you are not a health care professional and received a medical record from a patient in Florida, would you know you had that duty to maintain confidentiality? I wouldn’t. [But ESPN's lawyers probably did. Bob] But let’s continue…
Jason Pierre-Paul also accuses Schefter of invading his privacy. Invasion of privacy is a common law tort offense that comes in various forms. Here, it comes in the form of public disclosure. Pierre-Paul alleges that this medical information about his amputated fingers was private and that publishing them on a very large scale was offensive to him. To prove any public disclosure-invasion of privacy claim, the plaintiff has the burden of proving that 1) private information pertaining to him was disseminated to a large audience and 2) the information that was shared is not of public concern.
The lawsuit also holds ESPN responsible for Schefter’s actions under the respondeat superior doctrine, which is a very fancy legal term which states that employers are held accountable for the actions of their employees that are performed in the course of their employment.
We’ve seen that last argument before in other lawsuits where employees of a clinic or hospital breached a patient’s privacy. The results have been mixed on that. In one case, Walmart was held liable for what its pharmacist did in breaching a patient’s privacy. In another case, a clinic was found not liable for what its employee did in snooping in a patient’s records and sharing that information with others.
Iliakostas does not think JPP will prevail on any of the claims. Keep in mind that the hospital is not a defendant in this suit, having settled already. He writes, in part, that JPP’s accident and surgery were matters of public concern, although he makes no attempt to distinguish between matters of public concern and matters that are just of public interest or curiosity. But here’s the part of his analysis I want to zoom in on:
No matter how you slice or dice this case, there is one defense that unequivocally protects Adam Schefter: under the First Amendment’s right to freedom of press, he had a right to share the medical records. Jason Pierre-Paul’s fireworks injury was certainly newsworthy because not only was he a staple in the New York Giants defense, but there was a very real possibility that his time in the NFL had come to an end. Thankfully, he still will be in a Giants uniform playing.
Needless to say, Schefter was simply doing what any great journalist does best, which is to share the news. Whether it was right for him to tweet the medical records is more a matter of journalistic ethics. ProFootballTalk opined on this matter, questioning whether Adam Schefter really needed to share Jason Pierre-Paul’s medical records to the whole world. But as a matter of law, Schefter and ESPN seem to be in the clear and I would expect this case to be dismissed.
Will part of Florida’s statute be declared an unconstitutional infringement of freedom of press? This is an important case to follow for a number of reasons. Can JPP prove harm or injury from the tweeted medical records? And even if he could, doesn’t Schefter’s protections as a journalist trump that in this case?
Stay tuned…

Kudos to Federal Times, who obtained a tremendous amount of data from HHS about security incidents involving their component systems. Aaron Boyd reports on their analysis of data, which was obtained through a Freedom of Information request. The analyses look at types of attacks by components of HHS. Here’s some of their analysis and findings:
The records — which include a tally of security incidents reported by HHS components between January 2013 and September 2015 — provide a very high-level view of the challenges the department faces. On the whole, HHS reported 26,381 incidents over a 30-month period: 40 percent of which were categorized as unauthorized access; 14 percent as scans, probes or attempted access; and 12 percent as malicious code.
But certain trends become apparent after parsing the data.
For instance, over that time period, CMS reported 7,600 incidents of unauthorized access, a category the National Institute of Standards and Technology defines as “a person [gaining] logical or physical access without permission to a network, system, application, data or other IT resource.” These incidents — accounting for 56 percent of all reported incidents — could signal a network breach by a malicious actor. More often than not though, such incidents are merely an employee or contractor accessing a system outside the scope of their work. That’s a violation of protocol perhaps, but not malicious.
In contrast, CMS only discovered 250 instances of malicious code embedded in its systems, the lowest among the major incident categories reported, accounting for less than 2 percent of its total reported incidents. The majority of HHS components followed this same track, though not to the same extreme.
CDC and NIH were exceptions. For both, malware stood as a predominant threat vector.
Read more on Federal Times. Then see their follow-up, where they make the data publicly available for download and for your own analyses. You can also create your own data visualization using

Perspective. You can tell I'm an old geezer because I still wear a wrist watch. My students (who are not Uber drivers) use Uber to get to school.
Why buy the car when you can buy the trip? How the ‘Peak Car’ era is ending
One thing that is becoming obvious is that, at least in the bigger cities, the age of the automobile has passed its prime.
… “We’re seeing a phenomenon where younger people who finish college and get their first jobs in an urban area have accumulated a lot of student debt and they’re paying high rents,” Metz says. “They find that they don’t need a car for an urban lifestyle where they’ve got alternative means of transport available.”
… Even as large numbers of people make the decision to delay car buying or refuse ownership altogether, opportunities have flowered for distributed rental enterprises such as Zipcar and Car2Go, as well as freelance taxi services like Uber and Lyft.

Making Personalized Marketing Work
… The key to relevant messaging lies with data, but the challenge is no longer collecting it. Each day, we create 2.5 quintillion bytes of data. Today’s challenge is using data to deliver customers more contextual, personalized impressions.
… There are other techniques your company can use to make your marketing more personalized.
1. Get (more) social.

Pentagon plans huge, swift upgrade to Windows 10
Microsoft is highlighting the department’s plans in a pair of blog posts Wednesday, but the news emerged in a little-noticed November memo by Terry Halvorsen, the Pentagon’s chief information officer.
Halvorsen said the department must rapidly transition to Windows 10 to improve cybersecurity and streamline and lower the costs of its information-technology footprint. He set a goal of completing the migrations by January 2017. It’s unclear what the project will cost.

For my geeky students.
Supercharged Raspberry Pi 3 adds Wi-Fi, Bluetooth, and more speed, but still costs $35