Saturday, April 02, 2016

British politicians are no more delusional than US politicians.
The Terrorist Justification for Mass Surveillance
The UK government's attempts to ease the passage of the hugely controversial Investigative Powers Bill continued this week with a Telegraph opinion piece from William Hague (former First UK Secretary of State and former leader of the Conservative Party): The Brussels attacks show the need to crack terrorist communications.
In this piece Hague continues the usual confused approach over encryption while concentrating on the need for bulk data collection and retention. Discussing the Brussels terrorists he comments, "the mobile phones they carried had evidently not been used before and showed no record of texts, chat or emails. Whatever means of co-ordination they used, it was sufficiently private or encrypted that the authorities do not seem to have been aware of it."
Nevertheless he continues on the standard theme that what amounts to mass surveillance will help the intelligence agencies discover what he has just admitted wasn't there, while simultaneously demonizing the Snowden whistleblowing. Lee Munson, a researcher with Comparitech suggests that Hague is 'sadly deluded'.
Security expert and commentator David Harley is more measured. Hague, he suggests, is basing his arguments on at least two assumptions. Firstly, that "since intelligence agencies weren't aware of whatever messages may have been passed between the terrorists, they must have been using super-private, super-encrypted technology. Actually it’s at least as likely that they were communicating by such lo-tech routes that they didn’t show up on the authority’s radar."
The second concern is that Hague is trying to differentiate bulk collection from mass surveillance when it is effectively, if not semantically, the same thing. Even then, wonders Harley, "if bulk data interception didn’t pick up relevant traffic on this occasion, will spending more money on it help? Or will we have to lean further in the direction of mass surveillance?"

Perhaps they can try those “don't tell the judge” agreements they used for intercepting cellphones?
FBI weighs if it can share hacking tool with local law enforcement
The FBI and Justice Department are debating whether the hacking tool that helped the bureau unlock the iPhone of one of the San Bernardino, Calif., terrorists can be used to help state and local law enforcement, officials said Friday.
That will be a challenge because the bureau has classified the tool, making it difficult to use in state and local criminal prosecutions requiring disclosure of evidence to defendants, officials said.
… Moreover, the tool itself likely will have a shelf life of only a few months, as tech companies may find and fix the vulnerabilities that the tool exploits, and they periodically update the underlying software.
The firm that helped the bureau — not the Israeli company Cellebrite, as had been widely rumored — charged a one-time flat fee, officials said.
The bureau is not releasing the company’s name and has declined to discuss details of the solution.
… To referee the issue, the government has an interagency process headed by the attorney general to decide which capabilities should be classified. This is separate from the “vulnerabilities equities process” managed by the White House, which decides which software flaws should be disclosed to the software maker. [So if the White House says “share” the DoJ can say “Classified?” Bob]

My Data Management students were wondering about that.
Exclusive: Egypt blocked Facebook Internet service over surveillance - sources
Egypt blocked Facebook Inc's (FB.O) Free Basics Internet service at the end of last year after the U.S. company refused to give the Egyptian government the ability to spy on users, two people familiar with the matter said.
… The Egyptian government suspended the service on Dec. 30 and said at the time that the mobile carrier Etisalat had only been granted a temporary permit to offer the service for two months.
Two sources with direct knowledge of discussions between Facebook and the Egyptian government said Free Basics was blocked because the company would not allow the government to circumvent the service's security to conduct surveillance. They declined to say exactly what type of access the government had demanded or what practices it wanted Facebook to change.

Interesting. How would they make it work?
The Music Industry Has Had It With The Digital Millennium Copyright Act
The music industry is tired of playing whack-a-mole and is appealing to the U.S. Copyright Office and Congress to help. Hundreds of artists, managers and industry organizations signed petitions sent to the U.S. Copyright Office Thursday demanding reform of the Digital Millennium Copyright Act, a law they say has placed undue burdens on them to scour the internet for people and websites illegally sharing their work.
… “It’s impossible for tens of thousands of individual songwriters and artists to muster the resources necessary to comply with its application.”
… Rightsholders and other artists claim this growth is proof of a dizzying responsibility that they cannot be expected to handle while continuing to make art. Yet other stakeholders frame that growth as proof the system is working.
The Computer and Communications Industry Association, a trade group that counts Google, Amazon and Yahoo among its members, filed its own comments on the DMCA this week making that exact point, saying filing takedown requests has grown easier, cheaper and more efficient.

For my Computer Security students.
Survey: With all eyes on security, talent shortage sends salaries sky high

The industry that makes students smarter?
Hack Education Weekly News
Via the Mail and Guardian Africa: “An Africa first! Liberia outsources entire education system to a private American firm. Why all should pay attention.” The United Nations Special Rapporteur on the right to education, Kishore Singh, has said that “Such arrangements are a blatant violation of Liberia’s international obligations under the right to education, and have no justification under Liberia’s constitution.” The company in question is Bridge International Academies, which has received funding from the Gates Foundation, Learn Capital, and Mark Zuckerberg’s investment company the Chan Zuckerberg Initiative (among others). [But, what if it works? Bob]
From the Detroit Free Press: “In its latest crackdown on school corruption in Detroit, the federal government today dropped a legal bomb on 12 current and former principals, one administrator and a vendor – all of them charged with running a nearly $1-million bribery and kickback scheme involving school supplies that were rarely ever delivered.” [See above? Bob]
Via The Wall Street Journal: “Judge Says Bankrupt Law Grads Can Cancel Bar Loans.” Federal student loans cannot be discharged by declaring bankruptcy, so this is an interesting ruling.
… “Getting banned from Facebook can have unexpected and professionally devastating consequences,” writes the EFF’s Jillian York.
Via NPR: “Software Flags ‘Suicidal’ Students, Presenting Privacy Dilemma.”
Via the Star Tribune: “Two faculty unions are up in arms over a new rule that would allow Minnesota’s state colleges and universities to inspect employee-owned cellphones and mobile devices if they’re used for work. The unions say the rule, which is set to take effect on Friday, would violate the privacy of thousands of faculty members, many of whom use their own cellphones and computers to do their jobs.”

Friday, April 01, 2016

Another swing of the pendulum.
The use of a Stingray/Hailstorm device to track a cell phone is a search under the Fourth Amendment. The Nondisclosure Agreement is essentially unconstitutional because of the state’s argument they don’t have to disclose what they were doing. The court also finds the third party doctrine inapplicable. State v. Andrews, 2016 Md. App. LEXIS 33 (March 30, 2016)
Read more about the opinion on
[From the article:
We observe that such an extensive prohibition on disclosure of information to the court—from special order and/or warrant application through appellate review—prevents the court from exercising its fundamental duties under the Constitution. To undertake the Fourth Amendment analysis and ascertain “the reasonableness in all the circumstances of the particular governmental invasion of a citizen’s personal security,” Terry v. Ohio, 392 U.S. 1, 19 (1968), it is self-evident that the court must understand why and how the search is to be conducted.

Beware of amateurs offering security advice.
CNBC's Password Security Lesson Fails Spectacularly
CNBC earlier this week published a piece with the goal of helping users strengthen their password security, but the attempt backfired badly.
An interactive tool provided to help readers detect the strength of their passwords was to blame.
Readers were asked to enter potential passwords into a field, and see how long it would take the system to crack them. They were told that adding capital letters, numbers and symbols would help strengthen a password, and they were assured that no passwords were being stored.
Google security engineer Adrienne Porter Felt raised the alarm shortly after the piece was published.
The site was not encrypted, she said.
Data apparently was sent in the clear to a Google spreadsheet.
CNBC has since taken down the piece. It did not respond to our request to provide further details.
… The data was shared to more than 30 third parties – advertisers and analytics providers – that pulled data from CNBC's site, Soltani said.
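The lesson of the CNBC tool is that a "how long to crack" meter needs no server at all: the arithmetic is trivial and the password should never leave the user's machine. As an added example (not CNBC's tool or anything from the article), here is such an estimator written to run entirely where the user types. The character-class sizes and the assumed guess rate of 1e10 per second are illustrative assumptions, not measurements.

```javascript
// Added example, not CNBC's tool: a password crack-time estimator that
// runs entirely where the user types (browser or Node) and makes no network
// request. The figures below (alphabet sizes, guess rate) are assumptions
// for illustration, not measurements.

// Character classes; each one present enlarges the alphabet an attacker must
// search. 33 is the count of printable ASCII punctuation characters.
const CHAR_CLASSES = [
  { name: 'lowercase', re: /[a-z]/, size: 26 },
  { name: 'uppercase', re: /[A-Z]/, size: 26 },
  { name: 'digits', re: /[0-9]/, size: 10 },
  { name: 'symbols', re: /[^A-Za-z0-9]/, size: 33 },
];

// Alphabet size implied by the classes actually present in the password.
function alphabetSize(password) {
  return CHAR_CLASSES.filter((c) => c.re.test(password))
    .reduce((sum, c) => sum + c.size, 0);
}

// Brute-force search space in bits: length * log2(alphabet). This is the
// optimistic "random characters" model such meters use; it overstates the
// strength of dictionary-derived passwords like "Password1!".
function entropyBits(password) {
  if (password.length === 0) return 0;
  return password.length * Math.log2(alphabetSize(password));
}

// Average-case seconds to find the password: half the search space divided
// by the attacker's guess rate. 1e10 guesses/s is an assumed offline rate
// against a fast, unsalted hash, not a measured figure.
function averageCrackSeconds(password, guessesPerSecond = 1e10) {
  return Math.pow(2, entropyBits(password)) / 2 / guessesPerSecond;
}

// Render seconds as the largest whole unit, the way a strength meter would.
function humanDuration(seconds) {
  if (seconds < 1) return 'instantly';
  const units = [['years', 31557600], ['days', 86400], ['hours', 3600],
                 ['minutes', 60], ['seconds', 1]];
  for (const [name, len] of units) {
    if (seconds >= len) return `${Math.round(seconds / len)} ${name}`;
  }
  return `${seconds} seconds`; // not reached: seconds >= 1 matches above
}

// The only function a page should call from its input handler. It returns a
// plain result object and never serializes the password for transmission.
function assessPassword(password) {
  const bits = entropyBits(password);
  const seconds = averageCrackSeconds(password);
  return {
    bits: Math.round(bits * 10) / 10,
    crackTime: humanDuration(seconds),
    classes: CHAR_CLASSES.filter((c) => c.re.test(password)).map((c) => c.name),
  };
}

// Stand-alone demo on constructed inputs; nothing here is posted anywhere.
for (const pw of ['password', 'Tr0ub4dor&3', 'correct horse battery staple']) {
  console.log(JSON.stringify(pw), assessPassword(pw));
}
```

Wired into a browser page, `assessPassword` would be called from the input's event handler and the result written into the DOM; the check that matters is that the Network panel shows no request of any kind while typing. A meter that does make a request is exfiltrating the password, whatever the page says about not storing it.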

For my Ethical Hacking students, because to secure cameras you have to know every point of vulnerability.
How to Make Your Wireless Security Cameras Untouchable to Hackers

(Related) I've been looking for fun projects!
Researchers Can Now Register to Hack The Pentagon
Starting today, interested security researchers can now officially register to test their hacking skills against the DoD.
The initiative, run through a partnership with bug bounty platform provider HackerOne, is the first of its kind in the history of the federal government.
San Francisco-based HackerOne offers a software-as-a-service platform that provides the technology and automation to help organizations run their own vulnerability management and bug bounty programs.
The Hack the Pentagon bug bounty pilot will start on Monday, April 18 and end by Thursday, May 12.

It is what you don't say.
Reddit deletes surveillance 'warrant canary' in transparency report
Social networking forum reddit on Thursday removed a section from its site used to tacitly inform users it had never received a certain type of U.S. government surveillance request, suggesting the platform is now being asked to hand over customer data under a secretive law enforcement authority.
Reddit deleted a paragraph found in its transparency report known as a “warrant canary” to signal to users that it had not been subject to so-called national security letters, which are used by the FBI to conduct electronic surveillance without the need for court approval.

That will teach them to advocate privacy! Perhaps if they created an “internet service provider” non-profit they would have been exempt?
Seattle police raid home of privacy activists who maintain Tor anonymity network node
Police in the US are continuing to raid the homes of people who operate exit nodes for the Tor anonymity network, most recently searching the condo belonging to a pair of outspoken privacy activists in Seattle.
On 30 March, Seattle Privacy Coalition cofounders Jan Bultmann and David Robinson were woken up at 6.15am at their condominium by a team of six detectives from the Seattle Police Department with a search warrant looking for child pornography, according to Seattle's alternative weekly newspaper The Stranger.
The married couple were made to sit outside the apartment while the police searched their property and examined their electronic equipment. In the end, police acknowledged that no child pornography was found, so Bultmann and Robinson were not arrested, and none of their assets were seized.
Nevertheless, the experience left the couple shaken and upset, particularly since many "hints and comments [were] made about our cars, our jobs, our histories... revealing that we were thoroughly researched".
… Researchers at King's College London recently found in a new study that 57% of all the websites hidden on the Dark Web are actively facilitating criminal activity such as the sale of drugs, illicit finance and extreme pornography.
And unfortunately, because some bad people use Tor to encrypt their traffic and disguise their activities on the Dark Web, when US law enforcement trace the IP address of said user, it will reflect the IP address of the exit node that Tor randomly assigns to the user, meaning the police think that whoever operates the node is the perpetrator of the crime.

(Related) Another perspective. Is this specific to certain companies?
CloudFlare: 94 percent of the Tor traffic we see is “per se malicious”
More than ever, websites are blocking users of the anonymizing Tor network or degrading the services they receive. Data published today by Web security company CloudFlare suggests why that is.
In a company blog post entitled "The Trouble with Tor," CloudFlare CEO Matthew Prince says that 94 percent of the requests the company sees coming across the Tor network are "per se malicious."
… The study on Tor published last month shows some of the limits already being placed on Tor users. Wikipedia, for instance, allows them to read but not edit articles. Google allows home page access but increasingly presents CAPTCHAs or block pages to Tor searchers. Bank of America won't allow a login from Tor.

Sometimes free speech makes you uncomfortable. But if you block it, how will you know who to laugh at? Launches Inaugural Report
by Sabrina I. Pacifici on Mar 31, 2016
Via EFF: “We’re proud to announce today’s release of’s first report looking at how content is regulated by social media companies.—a joint project of EFF and Visualizing Impact (VI) that won the 2014 Knight News Challenge—seeks to encourage social media companies to operate with greater transparency and accountability toward their users as they make decisions that regulate speech.”

“We help our customers by giving them sub-standard quality.”
FCC in agreement: Agency can't regulate Netflix
… Last week, it was revealed that Netflix slows the download speed of its streaming video over mobile networks such as Verizon and AT&T. The company said it has taken this action, which degrades video quality, for at least five years in order to help customers stay below their monthly data caps imposed by wireless providers.
Observers have said the Netflix's decision not to inform its customers could possibly violate Federal Trade Commission rules.
But nearly all the FCC commissioners are in agreement that Netflix is outside the scope of their own agency. GOP Commissioner Michael O'Rielly gave a speech on the subject earlier this week. And Commissioner Ajit Pai said the same Thursday.
… The regulations are meant to protect customers and Web companies like Netflix that create content. Because of that, the rules only apply to Internet service providers like Comcast or Verizon that haul Internet traffic between users.

Are we nearing a tipping point?
This Startup Aims to Lead the Drone Takeover at the World's Biggest Companies
… San Francisco-based Airware announced today that it has raised $30 million in a series C funding round led by prestigious venture capital firm Next World Capital and the 20-year CEO of software giant Cisco, John Chambers. Elite venture capital firms Andreessen Horowitz and Kleiner Perkins Caufield & Byers are also participating in the round, according to a statement released by Airware today.
“The commercial drone industry is poised to throw many markets into transition,” says Chambers in the written statement. In addition to investing in Airware, Chambers says he has agreed to take a seat on Airware's board.
… That’s the motivation behind Airware’s suite of services for big businesses. The startup walks enterprise-size companies through every step of the process, starting with applying for regulatory approval all the way through analyzing and reporting data collected from commercial drones.

Starts the same day as my next Computer Security class.
Cybersecurity and You: Issues in Higher Education and Beyond
by Sabrina I. Pacifici on Mar 31, 2016
“The University of Maryland, Baltimore Thurgood Marshall Law Library, Health Sciences and Human Services Library, and Center for Information Technology Services have organized a cybersecurity conference that is free and open to the public. You can find details, RSVP, and a link to watch the livestream here:

If I can get my students a job, maybe they'll go away!
5 Top Resume Builder Sites to Create Your Resume Online

Thursday, March 31, 2016

Much easier and cheaper. No need for a get-away car (you can do it from any country that does not have an extradition treaty with your target country). No need for a fence to launder the cash.
When mobsters meet hackers: the new and improved bank heist
The unprecedented heist of $81 million from the U.S. account of Bangladesh’s central bank is the latest among increasingly large thefts by criminals who have leveraged the speed and anonymity of hacking to revolutionize burgling banks.
Hundreds of millions of dollars, and perhaps much more, have been stolen from banks and financial services companies in recent years because of this alliance of traditional and digital criminals, with many victims not reporting the thefts for fear of reputational damage. [Is 'reputational' a real word? Bob]
… There’s no evidence that old-fashioned bank robberies are in the decline. But there are increasing instances of the cyber variety of the crime.
Last year, researchers at Russian security software maker Kaspersky Lab publicized the activities of the prolific Carbanak gang, which it says hacked into banks, then ordered fraudulent money transfers and also forced ATMs to spit out cash. Kaspersky estimates the group hit as many as 100 banks, with losses averaging from $2.5 million to $10 million per heist.

(Related) This is far too complicated for a Hollywood movie plot. (So why haven't they grabbed the money already?)
Philippines Can Recover Big Chunk of Stolen Bangladesh Millions: MP
Almost half of the $81 million that hackers stole from Bangladesh and funneled into Philippine casinos can still be recovered, a senior Filipino lawmaker investigating the audacious cyber heist said Thursday.
As much as $34 million remained in two casinos and a foreign exchange brokerage, senator Ralph Recto said, citing testimonies from a marathon hearing on Tuesday.
A casino junket operator, Kim Wong, testified in the Senate on Tuesday that two high-rollers from Beijing and Macau shifted the $81 million to dollar accounts in Manila's Rizal Commercial Banking Corp (RCBC).
Wong said he did not know that the money was stolen from Bangladesh and that he merely helped the two men – who are also his casino clients – open bank accounts.
He offered to return $4.3 million of the money, which he said remained in his account in Solaire, one of the Philippine capital's gleaming billion-dollar casinos.
But by Recto's own calculations, far more can be recovered including $17 million that Wong claimed was still with exchange brokerage Philrem, $10 million from a destitute casino in the north, $5.5 million that Wong picked up from the house of Philrem's owner and a further $2.3 million in the Solaire casino account of the Macau man who allegedly brought the $81 million to the Philippines.

Where we stand. (For my Computer Security students)
BakerHostetler has released its second annual data security incident response report, which is based on 300 cases they advised on last year. The report provides some statistics on causes of incidents, which industries were most affected, and what happens after a security incident is detected – from containment, to notification, to regulatory investigations and even lawsuits. A final section in the report provides the eight components of being compromise ready and identifies measures companies should take to minimize the impact of an incident.
Key findings from the report include:
  • Cause of incidents: phishing/hacking/malware (31%), employee actions/mistakes (24%), external theft (17%), vendor-related incidents (14%), internal theft (8%), and lost or improper disposal (6%).
  • No industry is immune: the healthcare industry (23%) was affected more than any other. Rounding out the top three are financial services (18%) and education (16%).
  • Number of individuals notified: for incidents in 2015 where notification was made, the average number of individuals notified was 269,609 and the median was 190,000.
  • 52% of the incidents that BakerHostetler helped manage in 2015 were self-detected.
  • Detection time – the time from when an incident first began until it was detected – ranged from 0 days to more than 400 days. The average amount of time from incident to discovery for all industries was 69 days, with healthcare taking nearly twice as long as other industries. Average amount of time from discovery to containment was 7 days.
  • Notification – the average amount of time from discovery to notification – was 40 days.
  • Not all incidents require notification to individuals or the public at large. In about 40% of the incidents that BakerHostetler helped manage in 2015, notification or public disclosure was not necessary.
  • Credit monitoring was offered in 53% of the incidents that BakerHostetler advised on in 2015 and the average redemption rate was 10%. [I don't recall seeing that number before. Bob]
  • Regulatory inquiries resulted from 24% of incidents reported, and litigation commenced after 6% of the incidents were made public.
Note that the average time from discovery to notification was 40 days. For HIPAA-covered entities, that may not be a problem, but some states now have notification requirements where a 40-day gap would be problematic.

I'm so glad the government decided to drop the “Total Information Awareness” program. I'm sure it only looks like they are creating several smaller projects that cumulatively do exactly the same thing.
From EPIC:
In comments to DHS, EPIC criticized a proposed “Insider Threat” database that would gather vast amounts of personal data on individuals outside the federal agency. EPIC urged DHS to limit the scope of data collection and drop proposed Privacy Act exemptions. Citing the recent surge in government data breaches, including the breach of 21.5 m records at OPM, EPIC warned that DHS data practices pose a risk to federal employees. EPIC has previously advocated for privacy protections in background checks and consistently warned against inaccurate, insecure, and overbroad government databases.

I suppose this is one way to avoid all those pesky Fifth Amendment issues. This is probably as good a place as any to ask what would happen if the decrypted files documented activity (online or geographic) that showed the suspect was otherwise occupied when the crime(s) took place? (I know I can manufacture 'instant alibis' as needed.)
J. M. Porup reports:
At a court hearing earlier this month, the UK’s National Crime Authority (NCA) demanded that Lauri Love, a British computer scientist who allegedly broke into US government networks and caused “millions of dollars in damage,” decrypt his laptop and other devices impounded by the NCA in 2013, leading some experts to warn that a decision in the government’s favor could set a worrisome precedent for journalists and whistleblowers.
Arrested in 2013 for the alleged intrusions but subsequently released, Love was re-arrested in 2015 and is currently fighting extradition to the United States. He has so far refused to comply with a Section 49 RIPA notice to decrypt the devices, a refusal that carries potential jail time. However, British authorities have not charged Love with any crime, leading him to counter-sue in civil court for the return of his devices.
Read more on Ars Technica.
I think Love’s lawyer, Ekeland, is exactly right in what he told Ars and that any evidence the UK would obtain would be handed on a silver platter to the U.S. for our government’s prosecution of Love.

Why Do the Feds Usually Try to Unlock Phones? It’s Drugs, Not Terrorism
… On Tuesday the ACLU released the results of a series of FOIA requests it filed along with the Stanford Center for Internet and Society to the US Justice Department, seeking information about any cases in which the feds had used the All Writs Act to ask that Apple or Google assist in accessing data on locked phones or tablets. It found that since 2008, there have been at least 63 of those cases across the country, showing that Apple’s standoff with the FBI was about more than “one iPhone,” as FBI director Jim Comey had argued. And in the two-thirds of those cases in which the ACLU could determine the crime being investigated, the group tells WIRED that 41 percent were related to drugs, far more than any other category of crime.
… The ACLU’s numbers contrast slightly with statistics released by the Manhattan District Attorney’s office in March, which showed that of 205 locked iPhones the Manhattan DA’s lab had attempted and failed to access without Apple’s assistance, 25 percent were related to drug cases. It lumped larceny, cybercrime, forgery, and ID theft into another category of cases that accounted for 35 percent of the locked iPhones.
… In fact, federal law enforcement has been so focused on drug cases for the last 30 years that they’ve often been the first domestic cases used to pioneer new surveillance techniques, from thermal imaging cameras to GPS tracking to drones. Even the NSA’s bulk metadata collection that scandalized the public when it was revealed by NSA leaker Edward Snowden was first used by the Drug Enforcement Administration. And in 2014 the FBI went so far as to subpoena security researchers at Carnegie Mellon for a technique that could crack the anonymity software Tor’s protections for hidden websites, which was then used to take down the Silk Road 2 drug market and dozens of other dark web sites.

(Related) If they keep sharing this tool, it will eventually leak to my Ethical Hackers.
FBI agrees to help Arkansas prosecutors open iPhone after hack of San Bernardino device
… Cody Hiland, prosecuting attorney for Arkansas' 20th Judicial District, said that the FBI's Little Rock field office had agreed to help his office gain access to a pair of locked devices owned by two of the suspects in the slayings of Robert and Patricia Cogdell. [So the tool has been distributed to all the field offices? Bob]
It was not immediately clear whether the FBI planned to use the same method it used to access data on Syed Rizwan Farook's phone. [Maybe there was never a “third party tool?” Bob]

I can recall discussing “virtual companies” as far back as the early 1990s. Nice to see that the politicians are about to start thinking about the same things… They might start understanding them in a few decades.
Digital disruption on the Potomac
The way the world conducts business and how we live our daily lives is fundamentally changing. Some have termed this change a "digital disruption wave." Consider the following passage from Tom Goodwin — variations of which have gone viral on social media — that encapsulates this phenomenon:
Uber, the world's largest taxi company, owns no vehicles. Facebook, the world's most popular media owner, creates no content. Alibaba, the most valuable retailer, has no inventory. And Airbnb, the world's largest accommodation provider, owns no real estate.
How does this private-sector digital disruption potentially translate to federal government sectors like health, security, education, transportation, agriculture, energy, etc.? There are recent initiatives (among others) that comprise government's transition to digital citizen services: Open Data, Smart Cities and the Opportunity Project.

Typical government response: The OPM is unmanageable – let's build another agency and put the OPM in charge! Bigger government, higher taxes to pay for it, another slot for political supporters – how could any politician resist?
Following OPM Personnel Data Hack New Agency To Process Federal Security Clearances
by Sabrina I. Pacifici on Mar 30, 2016
Federal News Radio – “The Office of Management and Budget and Office of Personnel Management are standing up a new agency to assume responsibility of the federal security clearance process. The National Background Investigations Bureau (NBIB) will have a specific, presidentially appointed director and member of the Performance Accountability Council, who will report to OPM. The new agency will absorb the Federal Investigative Services (FIS), the organization that currently conducts about 95 percent of federal background checks.”

Has Microsoft made a bunch of money because the NFL uses their Surface tablets? Have a lot of colleges and high schools purchased Surface tablets? Perhaps Microsoft thought football fans would want to see what the coaches see?
Baseball’s Latest Recruit Is an iPad
There will be a new player in Major League Baseball dugouts this season: the iPad. Apple Inc. and MLB signed a multi-year agreement to equip every team with iPad Pro tablets to help coaching staffs make better use of data.
Teams will be able to sift through performance stats from current and past seasons, weigh potential pitcher-hitter matchups, look at “spray charts” showing where a player is likely to hit a ball, even cue up videos of plays from previous games.
… The data available on the iPads will be proprietary to each team, rather than drawing from a league-wide database.
At launch, the Dugout app’s data will be preloaded before each game. In the future, the MLB would like to have data that is closer to real time. Testing began in games during the postseason last year.
… Though Microsoft’s investment with the NFL started off badly—with glitchy devices and broadcasters calling Surface tablets “iPads” during games—the exposure has been valuable overall, said Matt Powell, an analyst with the NPD Group Inc. research firm. “Everyone knows that being the ‘official whatever-type-of-product of a league’ is something companies pay for,” Mr. Powell said. “When you see athletes and coaches actually using a product and technology in games, it’s a whole other level,” he said.
… The NFL mandates that Surface tablets must be visible on every sideline during games; MLB is making iPad use optional. But the commissioner thinks that most teams will use the tablets in both dugouts and pitching bullpens during games and training.

(Related) Can technology change this? (The article also gives you some idea how many statistics MLB gathers)
A Baseball Mystery: The Home Run Is Back, And No One Knows Why

My students will enjoy this.
Microsoft unveils Desktop App Converter, a developer tool for bringing existing Win32 apps to the Windows Store
Microsoft today unveiled the Desktop App Converter, which lets developers bring existing Windows applications to the Windows Universal Platform (UWP). The company is hoping to bring the 16 million existing Win32/.Net applications to the Windows Store.
UWP allows developers to build a single app that changes based on your device and screen size. One app can work on your Windows 10 computer, Windows 10 tablet, Windows 10 Mobile smartphone, Xbox One console, and eventually HoloLens headset.
… The best part is that this works for games as well.

My students should be able to do this too. If every technology student in the US does their own App, will the FBI give up?
I don’t know if there’s been any real security audit of this app, but I do love seeing teens focused on developing privacy tools. Gary Haber reports:
A high school student with a cellphone can get into a lot of trouble.
A hastily sent Facebook post or Twitter message can last forever and come back to bite someone when they’re applying for college or a job. Then there are the prying eyes of parents who can see what their children post online.
As a high school student, privacy is something Nick Pitoniak takes seriously.
Pitoniak, a senior at York Suburban High School who lives in Spring Garden Township, developed a cellphone app called Mutter Mail, which he says lets users send messages back and forth without leaving any trace. The messages disappear within 30 seconds, Pitoniak said.
Read more on WUSA.

For the next time I teach Statistics.
The 8-Bit Game That Makes Statistics Addictive
Guess the Correlation is the brainchild of Omar Wagih, a graduate student at the European Bioinformatics Institute, and nefarious devourer of the thing I once called “my free time.” On paper, it sounds incredibly boring. In practice, it is inexplicably addictive. Try it.

A project for my geeky students or maybe all of them?
Google Cardboard

Wednesday, March 30, 2016

New management means people might think procedures have changed. Good time to try phishing.
Bryan Clark reports:
A finance executive fell victim to a phishing scam that saw the Los Angeles-based maker of children’s toys wire a cool $3 million to Chinese hackers.
Expertly timed during a period of corporate change, the email hit the inbox of the unnamed executive and requested a new vendor payment in the amount of $3 million to a vendor in China. Mattel, of late, has been in a period of change as new CEO Christopher Sinclair had only officially taken over after Mattel had fired his predecessor — a move that aided the con artists.
Read more on TheNextWeb.

Security is important, but not (yet) a law school class. So lawyers can tell clients their data is confidential and extremely well protected, and still admit they are “not aware” of the data stolen.
Hackers Breach Law Firms, Including Cravath Swaine and Weil Gotshal
Hackers broke into the computer networks at some of the country’s most prestigious law firms, and federal investigators are exploring whether they stole confidential information for the purpose of insider trading, according to people familiar with the matter.
… Other law firms also were breached, the people said, and hackers, in postings on the Internet, are threatening to attack more.
… Cravath said the incident, which occurred last summer, involved a “limited breach” of its systems and that the firm is “not aware that any of the information that may have been accessed has been used improperly.” The firm said its client confidentiality is sacrosanct and that it is working with law enforcement as well as outside consultants to assess its security.
… The attacks on law firms appear to show thieves scouring the digital landscape for more sophisticated types of information. Law firms are attractive targets because they hold trade secrets and other sensitive information about corporate clients, including details about undisclosed mergers and acquisitions that could be stolen for insider trading.

Clear implications for Apple? I wonder if (back when telephones were new) anyone tried to keep wiretap information away from defense lawyers?
FBI Is Pushing Back Against Judge's Order to Reveal Tor Browser Exploit
Last month, the FBI was ordered to reveal the full malware code used to hack visitors of a dark web child pornography site. The judge behind that decision, Robert J. Bryan, said it was a “fair question” to ask how exactly the FBI caught the defendant.
But the agency is pushing back. On Monday, lawyers for the Department of Justice filed a sealed motion asking the judge to reconsider, and also provided a public declaration from an FBI agent involved in the investigation.
In short, the FBI agent says that revealing the exploit used to bypass the protections offered by the Tor Browser is not necessary for the defense and their case. The defense, in previous filings, has said they want to determine whether the network investigative technique (NIT)—the FBI's term for a hacking tool—carried out additional functions beyond those authorised in the warrant.

Ignorance is bliss, or just ignorance? Are we looking at another political “campaign” meme?
Dark Web’s Got a Bad Rep: 7 in 10 People Want It Shut Down, Study Shows
Speculation—no matter how baseless—that online black markets for weapons helped make the terrorist attacks in Paris and Brussels possible hasn’t helped the reputation of the dark web’s anonymous corner of the internet. But one new study shows that even before that dubious link between online anonymity and terror attacks, global opinion on the dark web was already overwhelmingly negative.
On Tuesday, the Canadian think tank the Center for International Governance Innovation released the results of a survey of more than 24,000 individuals in 24 countries, asking their opinion of the dark web—the collection of anonymous web sites that can only be accessed via tools like the anonymity software Tor. In total, 71 percent of the respondents—and 72 percent of Americans in particular—said they believed the “dark net” should be shut down.

Perspective. Google, the phone company. Soon, the “anything digital” company?
Google Fiber Completes Triple Play By Adding Phone Service
People in cities where Google’s high-speed Fiber Internet service is available will soon be able to add another Google product to their homes: Fiber Phone.
Google announced the upcoming Internet phone service on Tuesday in a blog post. For an extra $10 per month on top of their Internet bills, Fiber Phone subscribers will get unlimited local and nationwide calling. For international calls, Google will use the same rates charged by its Google Voice Internet phone service.
Current Fiber customer plans range from free for basic service (in a limited number of cities) to $130 for TV service and a gigabit-speed Internet connection.
… Further piggybacking off of Google Voice, Fiber Phone will transcribe voicemails and send the text via email or as a text message. Users will also have the option to forward incoming calls from a Fiber Phone number to their cellphones when away from home.

Will the next government in China eventually look back at this as a really bad move?
China Seeks More Legal Muscle to Block Foreign Websites
China is considering new Internet rules that would pressure service providers to cut off access to foreign websites, adding to the government’s growing legal framework bolstering its control of cyberspace.
… If fully implemented, the regulations would effectively wall off the world’s most populous country from vast swaths of the Internet. Other, similar rules have been weakly enforced in the past, but with Chinese President Xi Jinping dramatically tightening political controls, it is unclear how meaningful the changes would be, analysts said.

Perspective. It should be interesting to see if my students agree.
What’s trending in the IoT space
… we decided to create an easy-to-read overview for others to get up to speed on this trending space of IoT. Here is our full report; the following is a summary of what we learned.
Our view is that there are five major battlegrounds for IoT and hardware innovation and market growth in the consumer space: connected homes, wearables, healthcare, robotics and drones and transportation.

For history geeks? Try searching for “computer”
A Mapped & Searchable Archive of American Newspapers
The U.S. News Map is a great resource produced by Georgia Tech and the University of Georgia. The U.S. News Map is an archive of American newspapers printed between 1836 and 1925. You can search the archive by entering a keyword or phrase. The results of your search will be displayed on an interactive map. Click on any of the markers on the map and you'll be shown a list of newspaper articles related to your search term. Click on a listed article to read it on the Library of Congress' Chronicling America website.
The U.S. News Map has a neat playback feature that you can use to see the frequency with which a term or topic appeared in newspapers between 1836 and 1925. That playback feature could be a nice way to show students developments in technology. For example, search the term "telephone" and you'll see peaks and valleys in the frequency with which articles were written about telephones.

Shakespeare 2.0?
An AI's Novella Passes First Round of Japanese Literary Contest
… The novella, The Day a Computer Writes a Novel, was co-written and edited by a team of humans. The story itself follows a computer program as it recognizes its talent for writing and leaves behind its preprogrammed duties.

Perhaps the university could become more “social?”
The Social Intranet Insights on Managing and Sharing Knowledge Internally
by Sabrina I. Pacifici on Mar 29, 2016
IBM Center for the Business of Government – The Social Intranet: Insights on Managing and Sharing Knowledge Internally, March 2016: “Corporate America increasingly relies on social intranets to leverage employees’ knowledge and foster collaboration in ways that speed up work and reduce costs. While much of the federal government lags behind, some agencies are pioneers in the internal use of social media tools. What lessons and effective practices do they have to offer other agencies? “Social intranets,” Dr. Mergel writes, “are in-house social networks that use technologies—such as automated newsfeeds, wikis, chats, or blogs—to create engagement opportunities among employees.” They also include the use of internal profile pages that help people identify expertise and interest (similar to Facebook or LinkedIn profiles), and those that are used in combination with other social intranet tools such as online communities or newsfeeds. The report documents four case studies of government use of social intranets—two federal government agencies (the Department of State and the National Aeronautics and Space Administration) and two cross-agency networks (the U.S. Intelligence Community and the Government of Canada.”

Smarter than the cellphone that looks like a gun.
Man invents gun that looks exactly like a cell phone
Kirk Kjellberg from Minnesota says he came up with the "Ideal Conceal" pocket gun, designed to look identical to a smartphone, after a little boy pointed out Kjellberg's own larger, not-so-concealed gun at a restaurant.
… It hasn't even hit the market yet, and already the double barrelled .380 derringer-style cell phone look-alike is triggering a lot of debate on social media.
While Kjellberg says he already has 4,000 orders for "Ideal Conceal," a lot of people are calling the smartphone weapon a dumb idea.

Could be something I'll sic my students on.
Zaption Expands Free Options for Creating Flipped Lessons
Zaption is a popular tool for creating video-based lessons and quizzes. The service operates on a freemium model in which they offer a mix of free and paid options. Last week Zaption announced that the free options have been expanded. Teachers can now utilize all of the video lesson creation tools that Zaption offers. Those tools include adding required questions that students must answer before moving forward in a video lesson. The other enhancement to the free version of Zaption is the removal of the limitation on the number of viewers your lessons can have.
To create a quiz on Zaption you start by creating a "tour" in your account. A tour is a combination of videos, images, and text arranged into a sequence. To add a video to a tour you can search and select one within Zaption. Zaption pulls videos from YouTube, Vimeo, PBS, or National Geographic. After choosing your video, start watching it then pause it when you want to add a question. You can add questions in the form of multiple choice, open response, or check box response. When students watch the video they will see your questions appear in the context in which you set them.
Zaption can be a great tool for creating flipped lessons to share with your students. Students do not have to have Zaption accounts in order to use the tours that you create. The free version of the service used to allow only one video per tour/lesson, but it now allows you to include multiple videos within a lesson/tour.

My students need something to help with citations.
By Search Request - Bibliography Tools for Students
Over the weekend I was looking at the Google Analytics for this blog and noticed that last week one of the most frequently searched terms that directed people to this blog is "bibliography generators." I took that as a clue that more than a few people are interested in that topic. To that end, here are the tools that I frequently recommend for creating bibliographies. As with any tool that automates a process, teach your students to check the accuracy of the citations created by any of these tools.
For Google Docs users the EasyBib Bibliography Creator is my go-to tool for creating bibliographies. The EasyBib Bibliography Creator makes it easy to properly cite resources and format a bibliography in APA, MLA, or Chicago style. Click here for directions for the process of using this add-on.
RefMe is currently my favorite tool for creating bibliographies outside of the Google Docs environment. RefMe offers browser extensions, a free Android app, and a free iPad app for saving resources and generating bibliographies from your collection of resources. Watch my video embedded below to learn more about how to use RefMe in your web browser.

Also for my students.
Tap to Learn Grammar
Tap to Learn produces a bunch of educational apps for Android and iOS. The Tap to Learn Grammar app for Android offers more than 200 self-paced grammar lessons. The lessons don't have videos embedded in them, but there are links to external videos hosted on YouTube. After working through a lesson students can test their new skills in a series of quizzes. Instant feedback is provided in the skills quizzes within Tap to Learn Grammar. The free app records and tracks students' progress for them.

Tuesday, March 29, 2016

Really not much available other than the FBI is claiming success. If this is something that Apple has already fixed, I suspect they will quietly give the process to Apple. If the vulnerability is still there, they will likely keep it from Apple.
U.S. Says It Has Unlocked iPhone Without Apple
The Justice Department said on Monday that it had found a way to unlock an iPhone without help from Apple, allowing the agency to withdraw its legal effort to compel the tech company to assist in a mass-shooting investigation.
… Yet law enforcement’s ability to now unlock an iPhone through an alternative method raises new uncertainties, including questions about the strength of security in Apple devices. The development also creates potential for new conflicts between the government and Apple about the method used to open the device and whether that technique will be disclosed. Lawyers for Apple have previously said the company would want to know the procedure used to crack open the smartphone, yet the government might classify the method.
… “I would hope they would give that information to Apple so that it can patch any weaknesses,” she said, “but if the government classifies the tool, that suggests it may not.”
In a two-paragraph filing on Monday, the Justice Department said it had “now successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple.”

Encryption Is a Luxury
Last year, a team of technology experts warned against giving law enforcement special access to encrypted communications. They explained that this special access would “undermine and reverse” the technology industry’s efforts to bolster digital security.
The landmark paper addressed a conflict between technology companies and the government that had been brewing for some time.
… Most Android phones don’t encrypt the data that’s stored on the device, and many come with messaging services that don’t encrypt data that’s sent back and forth between devices.
… Google recently required that all new Android devices encrypt device data by default—but exempted slower (and therefore cheaper) phones, making encryption a de-facto luxury feature.

(Related) The Apple v FBI issue will never arise in China.
Dow Jones Business reports:
China’s top three Web browsers collected and transmitted data in insecure ways, making hundreds of millions of users’ personal information vulnerable to unauthorized access, according to a human-rights research group.
In a report published Tuesday, the University of Toronto’s Citizen Lab said Tencent Holdings Ltd.’s QQ Browser had been transmitting users’ data to its servers either with weak encryption or without encryption—a method of encoding information to protect it.
Read more on NASDAQ.

India denied Apple's “Free Basics” for just these reasons. Were they smarter than the FCC?
Groups ask FCC for action on 'zero-rating'
Public interest groups are urging the Federal Communications Commission to take action under its net neutrality rules against the increasing number of Internet providers who allow customers to access some services without charging them for the data.
“As currently offered, these plans enable ISPs to pick winners and losers online or create new tolls for websites and applications,” said public interest advocacy groups in a joint letter to FCC Chairman Tom Wheeler.
“As a result, they present a serious threat to the Open Internet: they distort competition, thwart innovation, threaten free speech, and restrict consumer choice — all harms the rules were meant to prevent.”
The letter was signed by more than 40 groups, including Demand Progress, the Electronic Frontier Foundation and Free Press.
They are responding to the rise of the practice, known as zero-rating, that allows customers to consume data free of charge, broadly speaking, as long as they use certain services or websites.

Police are interested because it works. Some concerns are a bit beyond current capabilities.
Predictive Policing: the future of crime-fighting, or the future of racial profiling?
There’s a new kind of software that claims to help law enforcement agencies reduce crime, by using algorithms to predict where crimes will happen and directing more officers to those areas. It’s called “predictive policing,” and it’s already being used by dozens of police departments all over the country, including the Los Angeles, Chicago, and Atlanta Police Departments.
Aside from the obvious “Minority Report” pre-crime allusions, there has been a tremendous amount of speculation about what the future of predictive policing might hold. Could people be locked up just because a computer model says that they are likely to commit a crime? Could all crime end altogether, because an artificial intelligence gets so good at predicting when crimes will occur?

MIT for Managers: How Insecure Is The Internet of Things?
… Based on reports from people who attended the MIT Media Lab-sponsored Security of Things hackathon on March 4-5, 2016, the challenge of protecting WiFi- and Bluetooth-enabled devices from motivated hackers may be more daunting than even the most seasoned attendees expected.
“I believe we’re at a tipping point for the ‘Internet of Things,’” says Tal Achituv, a research assistant at the media lab and an organizer of the event. “While most people now have several networked devices in their homes — everything from light bulbs and home alarm systems to baby monitors — very few people appreciate just how vulnerable many of these devices are.”

Another Thing in the Internet of Things. Will the airlines allow more batteries on flights? Will terrorists find the location information useful?
With $3.5M In Funding, Raden Is The Latest Smart Luggage Company Aimed At Tech-Savvy Travelers
Raden is a new smart luggage company aiming to change the future of travel. All Raden bags are equipped with an integrated scale, built-in-charger and location awareness technology. Customers are able to use a sleek companion app to track their case and attain relevant information about one’s travels including an estimated security wait time.

Not for my students. (Slightly different in older Word versions)
How to Get the Readability Score of Any Word Document
… Note that readability here refers to the ease of comprehending written word, not checking to ensure aesthetics like font size and color are clear. If this is the type of readability you were looking for, check out how to make text easier to read in Windows.
You could always get readability information through a tool on the Web if you need more info, but Word can give you a base overview without ever leaving. Here’s how.

Might be fun for my students to play with.
5 Alternative Virtual Assistant Apps You’ve Never Heard Of
… We’ve covered free alternatives to Siri in the past, and rounded up the three major virtual assistants to find out which is best. We’ve even explored using Cortana on the desktop.
But a lot of great alternatives to these apps have popped up since we wrote about any of that, and we wanted to round up a few.
Hound (Android, iOS): Fast Responses to a Bunch of Questions
Sirius: The Open Source Siri Alternative
Evi (Android, iOS): Quick Answers to Questions
Cloe: Text Messaging Concierge
Google Voice Search (Chrome): Search Using Your Voice Anywhere
It almost seems like cheating to include this, but we’ve somehow not really mentioned it before. If you’re using Google Chrome on the desktop, you can use voice search right now and get a voice response back, just like on your phone.

For my Spring Computer Security class.
So pleased to see this announcement from Bill Fitzgerald:
One of the unspoken issues in working on security and privacy in educational software is that, while many people are passionate about privacy and security, many people don’t know how to start evaluating software or how to assess any potential risks they might uncover. One of the explicit goals of the District Privacy Evaluation Initiative is to decrease these barriers to entry and to help more people have a more informed conversation about what constitutes sound security and privacy practices. While the full realm of information security is a broad subject, we wanted to provide a concrete starting point. Based on observations of issues we have seen — and continue to see — within software, we compiled a primer and are happy to announce the release of the Information Security Primer for Evaluating Educational Software.
The primary audience for the primer is district staff and education technology vendors, but the usefulness of this information goes far beyond these two primary audiences. We hope and anticipate that it will be used by parents, students, privacy advocates, teachers, and anyone else with an interest in learning more about how to evaluate the security of the software we build and use.
As the title implies, this document is a primer, not a comprehensive guide. We intend for this document to grow and evolve over time. Future versions will include more advanced testing scenarios, but for the initial version, we wanted to provide resources to allow people to learn how to do security reviews safely. We anticipate updates throughout the year, with published “official” releases happening one to two times annually. The “published” version will be available on Graphite, with the working version maintained openly on GitHub.
The primer covers the basics of information security testing, starting with a grounding in responsible disclosure. The tests run in the primer make extensive use of work from the Open Web Application Security Project, or OWASP. The primer leverages the Zed Attack Proxy, an open-source intercepting proxy supported as part of OWASP. The full suite of resources available from OWASP are incredibly valuable, and the content we cover in the primer just scratches the surface. As one example, an item not covered in the primer that should be recommended reading for developers building Web applications is the OWASP Application Security Verification Project.
As with all of our work on the District Privacy Evaluation Initiative, we welcome community involvement and input. If you work at a school or district and would like to get involved in our ongoing work, please sign up! If you would like to contribute to the content of the primer, please join the effort over on GitHub. We will be responding to questions in the issue queue and approving and/or discussing any pull requests we receive.
SOURCE: Graphite