Saturday, June 18, 2016
A most interesting hack.
Fund Based on Digital Currency Ethereum to Wind Down After Alleged Hack
… Founders of the fund, DAO, which was built around a digital currency called Ethereum and which raised more than $150 million this spring, said Friday morning they have been forced to shut down the fund and plan for its unwinding.
The attack spirited away roughly 3.6 million Ethereum coins, valued at around $55 million, from DAO to another account.
… The DAO’s founders are planning to “fork” the code and effectively void the hacker’s transactions.
“The DAO’s journey is over but all funds are safe,” said Stephan Tual, the founder of Slock.It, the group that created DAO, which stands for Decentralized Autonomous Organization. “All stolen funds will be retrieved from the attacker.”
… DAO was set up in May as an experiment in using digital currencies and self-operating digital contracts to create a venture-capital fund that could run itself. But it was criticized early on for being poorly constructed, and there were calls for it to halt operations while it worked out its bugs. Those criticisms now appear prescient.
… One investor in the DAO, Menno Pietersen, said he opposed the rescue and called the incident a “horrible mess.” The DAO’s creators “messed up” and didn’t take the time to build their product correctly, he said. He acknowledged that he himself didn’t vet the investment carefully enough, but said that as a backer of Ethereum, he was against any fix that would invalidate the goal of creating a decentralized platform. If trades can simply be erased, he asked, “what will they do next?”
Because no one is perfect. Perhaps penetration testing should be continuous? (Pay attention Ethical Hacking students.)
How Hired Hackers Got “Complete Control” Of Palantir
Palantir Technologies has cultivated a reputation as perhaps the most formidable data analysis firm in Silicon Valley, doing secretive work for defense and intelligence agencies as well as Wall Street giants. But when Palantir hired professional hackers to test the security of its own information systems late last year, the hackers found gaping holes that left data about customers exposed.
Palantir, valued at $20 billion, prides itself on an ability to guard important secrets, both its own and those entrusted to it by clients. But after being brought in to try to infiltrate these digital defenses, the cybersecurity firm Veris Group concluded that even a low-level breach would allow hackers to gain wide-ranging and privileged access to the Palantir network, likely leading to the “compromise of critical systems and sensitive data, including customer-specific information.”
… Virtually every company is vulnerable to hacks, to varying degrees. In recent years, red teams generally have had a high success rate in getting deep inside of companies’ networks, and they virtually always find at least some security flaws, according to an industry source. That Palantir did a red team exercise shows that it wanted to identify and repair any such flaws. The Veris report notes multiple strengths in Palantir’s defenses, including an “excellent” response by its security staff.
I’ll bet this is not their policy. If they have a policy. Something my Computer Security students need to think about.
For today’s object lesson (and maybe abject lesson), I give you FIS Global and Guaranty Bank and Trust. I’ve written up the incident in more detail over on the Daily Dot, but the short version is a hacker (@1×0123) found a vulnerability in FIS Global’s client portal login and tweeted about it. FIS didn’t respond to him directly. Instead, they got his Twitter account locked and the screenshots removed.
Getting a hacker’s Twitter account locked. What could possibly go wrong, right?
It wasn’t just the hacker they failed to respond to. FIS also failed to respond to two inquiries by this blogger to their communications department and one attempt to reach their Twitter team.
Trying a different route, and not knowing at the time whether the vulnerability had been addressed, this blogger also reached out to contact the bank client whose data was being exposed on the Internet. They didn’t reply to two voicemails left with two different executives.
C’mon, folks. Don’t you want people to let you know if they find a vulnerability that’s exposing your customer data or proprietary information? Are you familiar with behaviorism?
If you keep ignoring people when they take time out of their lives to try to alert you to a situation, well, then the next time someone finds a vulnerability, they’ll either just keep it to themselves, exploit it, or share it with others who will exploit it. Is that what you really want? When someone notifies you, then even if you were already aware of the situation, take a damned moment to let them know you got their message and appreciated it.
At the very least, try not to tick off the hacker, okay, because it just may make a difference in their decision to publicly dump your data.
Read my report on the Daily Dot
I thought this might happen. Firefox is allowing anyone to have a personal account, a business account, a dating account, a job search account, a ‘say outrageous things’ account, a ‘don’t let this screw up my credit’ account, etc. No doubt the FBI (et al) will want to make connections that users would like to keep separate.
Firefox Containers Help You Browse The Web Using Separate Identities
In the physical world, when interacting with other people, we like to think that we have a strong, recognizable personality, but the truth is we often tend to change it according to the context we’re in. We behave differently when we are among friends than with our boss, our parents or our children. At work we’re one person, on holiday another.
So far this has been hardly possible to replicate online, mainly because our surfing experience is tracked and monitored in every possible way in order to build a single, identifiable profile, which advertisers can use to target us.
Enters “Containers”, a new interesting feature Mozilla is testing in version 50 of the Nightly build of its popular Firefox browser. As security engineer Tanvi Vyas writes in the company’s blog, with Containers “users are able to portray different characteristics of themselves in different situations”.
Say you have two twitter accounts and want to login to them at the same time? No need to open a secondary browser or launch a desktop application like TweetDeck. With Nightly, you could just open the File menu and select the “New Container Tab” option, choosing between the Personal, Work, Shopping, and Banking options.
… Imagine you’re trying to book a flight and you don’t want the airline to adjust the price according to your browsing history: you won’t have to delete all your cookies any more, just open a separate tab.
As Vyas acknowledges, the idea of contextual identities is not new, but so far it has been hard to implement, mainly because it’s difficult to figure out what the best user experience should be.
The model I’ve proposing for years!
Municipal fiber network will let customers switch ISPs in seconds
Most cities and towns that build their own broadband networks do so to solve a single problem: that residents and businesses aren't being adequately served by private cable companies and telcos.
But there's more than one way to create a network and offer service, and the city of Ammon, Idaho, is deploying a model that's worth examining. Ammon has built an open access network that lets multiple private ISPs offer service to customers over city-owned fiber. The wholesale model in itself isn't unprecedented, but Ammon has also built a system in which residents will be able to sign up for an ISP—or switch ISPs if they are dissatisfied—almost instantly, just by visiting a city-operated website and without changing any equipment.
Perspective. My students will be shocked. They thought Uber was always profitable.
Uber points to profits in all developed markets
Uber says it has now reached profitability in all its developed markets, underscoring the business case for the new ride-hailing models that are disrupting the transportation industry.
Travis Kalanick, chief executive, told the FT that Uber is making money in North America, Australia and in its Europe, Middle East and Africa region, on a basis that excludes interest and tax.
“We have hundreds of cities that are profitable globally,” he said. “That allows us to invest in new places, and to sustainably invest in a very expensive place like China.”
Mr Kalanick also disclosed that China — where the company is fighting a costly subsidy battle with rival Didi Chuxing — is now Uber’s biggest market by number of rides, accounting for a third of the company’s daily trips.
Because crazy people…
Active Shooter Event: Quick Reference Guide – DHS
by Sabrina I. Pacifici on Jun 17, 2016
Department of Homeland Security guide – quick reference guide to assist friends, family, colleagues, co-workers, organizations – “An “active shooter” is an individual who is engaged in killing or attempting to kill people in a confined and populated area; in most cases, active shooters use firearms(s) and there is no pattern or method to their selection of victims.”
Hack Education Weekly News
… “A Swedish college has been ordered to refund tuition fees to an American business student for giving her a poor economics education,” the AP reports. “The Vastmanland court ruled Tuesday the Malardalen University’s two-year program ‘Analytical Finance’ that Connie Askenback attended from 2011 to 2013 ‘had no practical value.’”
… From the press release: “Achieving the Dream Launches Major National Initiative to Help 38 Community Colleges in 13 States Develop New Degree Programs Using Open Educational Resources.” More via The Chronicle of Higher Education.… Via the Detroit Free Press: “Wayne State drops math as general ed requirement.” [5 out of 4 students thrilled! Bob]
… Via The Chronicle of Higher Education: “Facebook Reveals How It Decides if a Research Project Is Ethical.”
Friday, June 17, 2016
Another e-milestone. Google tells me that this is Blog number 3650 – that’s one Blog post per day for 10 years! (Ignoring leap years and those days when all I said was, “I have nothing to say.”) And just for your amusement, here’s a map showing my loyal(?) fans on one recent post.
(I have no idea why Poland leads the list, unless some professor there has been using me as a “Bad Example.”)
Does Janet Yellen know this is what happens when the economy stagnates?
FBI: Business e-mail scam losses top $3 billion, a 1,300% increase in since Jan.
The FBI’s Internet Crime Complaint Center (IC3) this week said the scourge it calls the Business Email Compromise continues to rack-up victims and money – over $3 billion in losses so far.
The BEC scam is typically carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds, the IC3 stated.
… The IC3 said that the latest variant of the scam goes like this: “Fraudulent requests are sent utilizing a business executive’s compromised e-mail. The entity in the business organization responsible for W-2s or maintaining PII, such as the human resources department, bookkeeping, or auditing section, have frequently been identified as the targeted recipient of the fraudulent request for W-2 and/or PII. Some of these incidents are isolated and some occur prior to a fraudulent wire transfer request. Victims report they have fallen for this new BEC scenario, even if they were able to successfully identify and avoid the traditional BEC incident.
I see this as rather disingenuous. Am I wrong?
CIA chief argues for action on encryption before Senate panel
The head of the CIA told congressional overseers on Thursday that the law is failing to keep up with rapidly evolving technology, potentially giving foreign terrorists an avenue to escape U.S. intelligence agents' eyes.
During his testimony before the Senate Intelligence Committee, John Brennan appeared to endorse bipartisan legislation that would create a commission examining how the government should exert authority over encrypted technologies that protect people’s data — even from government agents with a warrant.
… Lawmakers have struggled to deal with the wide adoption of encryption tools, torn between concerns of security and privacy. Critics of the trend say the digital barriers prevent government officials from gathering crucial evidence from criminals and terrorists. But defenders warn that undermining encryption would erode Americans’ rights to privacy and degrade security for everyone.
Sens. Dianne Feinstein (D-Calif.) and Richard Burr (R-N.C.), the Intelligence Committee's leaders, have pushed for legislation that would require companies to provide “technical assistance” to the government to unlock data in the course of an investigation. The legislation was made public on the heels of a high-profile legal fight between the FBI and Apple over the iPhone used by one of the killers in the San Bernardino, Calif., attack last year.
“What we had hoped is that we would start a national debate,” Burr said on Thursday.
But Brennan notably appeared to ignore that bill.
This is a bit of a stretch.
Lawsuit claims social media companies liable for Paris attack
The family of one of the victims in the 2015 Paris terrorist attack has filed a lawsuit in U.S. federal court, accusing social media companies of providing material support to the Islamic State in Iraq and Syria (ISIS).
The civil lawsuit filed earlier this week against Twitter, Google and Facebook asks the court to hold the companies liable for enhanced damages, and rule that the companies “violated, and [are] continuing to violate, the Anti-Terrorism Act.”
… The lawsuit alleges that the companies have not done enough to block the spread of terror recruitment and communication online. It also claims the companies, which are driven by digital ad sales, have profited from ISIS postings.
“For years, Defendants have knowingly permitted the terrorist group ISIS to use their social networks as a tool for spreading extremist propaganda, raising funds and attracting new recruits,” according to the lawsuit.
The future is here?
Meet Olli, America's first driverless public shuttle bus
What do you get when you cross self-driving artificial intelligence, 3-D printing, and public transportation? Olli, an autonomous, electric shuttle with room for 12 passengers.
… To test Olli, Local Motors plans to offer free rides to the public around the development in what is believed to be the first public trial of a completely self-driving vehicle in the United States, reported The Washington Post. In February, the Netherlands launched a fleet of WEpod driverless buses, which can carry six passengers, on the campus of Wageningen University in a central Dutch agricultural town.
Miami-Dade County has bought two Olli shuttles, and Las Vegas has bought one. The two municipalities are expected to pilot the shuttles by the fourth quarter of this year
… Olli has services powered by IBM Watson, the company's artificial intelligence platform. That means Ollie can process information, interact with passengers and ask them their destination, explain why they made certain driving decisions and even use face recognition to identify them and their favorite destinations, according to Local Motors.
When words fail you?
Twitter Introduces Emoji-Based Targeting
… Advertisers can make the most of the cartoonish icons by targeting consumers who have tweeted or engaged with tweets that feature emoji. That means someone in Chicago who tweets a pizza emoji can now be targeted by a local restaurant to come in for a delicious slice of deep dish.
Keeping an eye on the competition. Whatever make your employees happy? I bet we could turn this to our advantage.
Amazon says it will share employee training know-how with other firms
Amazon.com wants to spread the knowledge of how it put together an ambitious employee-training program that prepares entry-level, mostly warehouse workers for better-paying careers outside the company.
Juan Garcia, Amazon’s global leader for career advancement, said in a LinkedIn post that the company is “open-sourcing” the program, known as Career Choice. That’s basically providing the blueprint free to other companies so they can “build upon it, tailor it for their own use cases, and improve upon it,” Garcia wrote.
Career Choice is an Amazonian twist on the tuition-reimbursement programs common among many employers. The difference is that Amazon prepays 95 percent of the cost, and staffers aren’t required to study something related to furthering their Amazon career.
In fact, Amazon will pay for training only in high-demand fields that could lead to better-paying jobs, CEO Jeff Bezos said in a recent interview at a Recode conference in California. That means jobs in health care or, say, as an airplane mechanic. The program is 4 years old.
“The last thing any enlightened company wants is for any employee in their company to feel trapped in that job,” he said. “If they want to be there, great. But if they want to be a nurse, then help them do that.”
… Career Choice works with community colleges to offer classes right at the warehouses.
An Amazon spokeswoman said that the information the tech and retail giant plans to share with other companies includes how to pick what courses to pay for, how to run the administration of the program, how to do the classes on-site “as well as lessons we’ve learned along the way about what works and what doesn’t.”
Something for my ESL students?
Cortana Can Be Your Personal Dictionary in Windows 10
… Cortana, the assistant who wears many hats, is happy to define any words you send her way.
Simply pull up Cortana by pressing the Windows Key on your keyboard or by clicking her icon on the left side of the Taskbar and type What does mumpsimus mean? and she would tell you that it means “a traditional custom or notion adhered to although shown to be unreasonable.” You can also phrase the question by typing “define sialoquent.”
This brings you a brief definition, which might not be enough for some words. If you need more info, hit Enter or click on the definition to bring up an expanded box with more info on the word, including origins and translations.
If that still doesn’t satisfy your quest for word knowledge, hit Enter again to search for the word on Bing and receive all the info you could ever need.