Saturday, July 16, 2016

Interesting.  Is the date part of mandatory disclosure?
I almost have to admire this defense logic: if you don’t know when our breach occurred or can’t allege it, you can’t prove any claims as to whether something happened before or after the breach, so we get to walk away from the consolidated class action lawsuit…?
Law360 has more, if you have a subscription.  But I was so curious that I actually acquired the filing from PACER (you can all chip in towards the $3.00 fee), and have uploaded the filing here (47 pp, pdf).
But here is the overview of the argument:
Most fundamentally, plaintiffs do not allege the date on which the breach occurred.  Yet, they speculate that they suffered damages because of Experian’s “delay” in providing notice of the breach.  But the absence of an alleged date of breach renders these claims infirm.  After all, no one was injured by delayed notification if there was no delay in providing notice.  Some plaintiffs assert that they were victims of identity theft or fraud, speculating that the attacker must have used the data it stole to commit such crimes.  But because plaintiffs do not allege a date of breach, it is unclear whether these alleged injuries occurred before or after the breach.  If they occurred before the breach, they could not possibly have been caused by the breach.  Some of the plaintiffs’ claims are grounded in fraud, yet none are pleaded with the particularity required by Rule 9(b).
I thought the breach occurred in October, 2015??  Why wasn’t there anything on that in the complaint, or was there?


Another legal defense?
I was wondering how many lawsuits we might see by employees whose firms fell for phishing schemes involving W-2 data.
From what Law360 reports, HAECO employees did sue their employer, who’s arguing that the employees can’t sue for invasion of privacy because the employees had given their information to their employer willingly.
Okay, that defense makes sense, but then what could the employees sue their employer for?  And the fact that your own employees are suing you, well…. maybe your incident response wasn’t as good as it could have been?  Just wondering….


It’s kinda like leaving your wallet behind…
Seen on FourthAmendment.com:
Defendant fled a taxicab to avoid the fare but left his cell phone behind.  The police used the phone to call 911 to capture his name, phone number, and other 911 information.  This wasn’t a search, and it was governed by Smith, that information voluntarily turned over to another is not protected by a reasonable expectation of privacy.  [The complete answer to that is that defendant didn’t turn over the information voluntarily; the police dialed 911 to make the call, and was that a seizure?  The court botches this one by deciding it this way.  Abandonment of the phone wasn’t even decided, and it clearly was the easier and more logical argument than attempting to say there was a lack of a reasonable expectation of privacy without having to strain to make something up to sound profound.]  State v. Hill, 2016 Ga. App. LEXIS 432 (July 13, 2016)


Read more on FourthAmendment.com, via Joe Cadillic.
And while we’re on the Fourth Amendment, do note this development in Congress, which I’m actually happy about:  The Fourth Amendment Gets Its Own House Caucus to Demand Its Respect.


They just didn’t pay attention.  They hired an Australian firm that the Chinese then bought – and no one noticed. 
Bernard Keane and Asher Wolf write:
The ballots from the 2016 Australian election are being secured by a company owned by one of China’s most important security firms, with links deep inside the communist state’s vast surveillance system.
In 2014, the Australian Electoral Commission hired the company SecureMonitoring to provide “Security Alarm System Monitoring for AEC Warehouses and National Office”, for $360,000 over three years.
Read more on Crikey.


Perhaps my University’s Tech Support could help.  They certainly have the ability to disrupt my classroom. 
U.S. military has launched a new digital war against the Islamic State
An unprecedented Pentagon cyber-offensive against the Islamic State has gotten off to a slow start, officials said, frustrating Pentagon leaders and threatening to undermine efforts to counter the militant group’s sophisticated use of technology for recruiting, operations and propaganda.
The U.S. military’s new cyberwar, which strikes across networks at its communications systems and other infrastructure, is the first major, publicly declared use by any nation’s military of digital weapons that are more commonly associated with covert actions by intelligence services.
   But defense officials said the command is still working to put the right staff in place and has not yet developed a full suite of malware and other tools tailored to attack an adversary dramatically different than the nation-states Cybercom was created to fight.
In an effort to accelerate the pace of digital operations against the Islamic State, the Cybercom commander, Adm. Michael S. Rogers, created a unit in May headed by Lt. Gen. Edward Cardon that is tasked with developing digital weapons — fashioned from malware and other cyber-tools — that can intensify efforts to damage and destroy the Islamic State’s networks, computers and cellphones.
   scruffy insurgents aren’t the best target for high-tech weapons.”
The simple fact that the Pentagon has ordered its first major cyber-offensive campaign, and has acknowledged it publicly, is a milestone.
   Whenever the military undertakes a cyber-operation to disrupt a network, the intelligence community may risk losing an opportunity to monitor communications on that network. So military cybersecurity officials have worked to better coordinate their target selection and operations with intelligence officials.


For the Crypto chapter in the Computer Security class. 
Use Tor? Riffle promises to protect your privacy even better
Privacy-minded people have long relied on Tor for anonymity online, but a new system from MIT promises better protection and faster performance.

Dubbed Riffle, the new system taps the same onion encryption technique after which Tor is named, but it adds two others as well.  First is what's called a mixnet, a series of servers that each rearranges the order in which messages are received before passing them on to the next server.
If messages arrive at the first server in the order A, B, C, for example, that server would send them to the second server in a different order, such as C, B, A.  The second server would then reshuffle things again when sending the messages on.  The advantage there is that a would-be attacker who had tracked the messages’ points of origin would have no idea which was which by the time they exited the last server.  
   The overall result is that Riffle remains cryptographically secure as long as one server in the mixnet remains uncompromised, according to MIT.
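To make the mixnet property above concrete, here is an added toy cascade (my illustration, not code from the MIT paper or from Riffle itself).  Each message is wrapped in one onion layer per server; each server peels its layer and emits the batch in a secret random order.  The "adversary" watches every link and knows the permutation of every compromised server; `candidate_senders` shows that the link from output slot back to sender survives only when every server is compromised, which is the "secure as long as one server remains uncompromised" claim.  The keystream is a SHA-256 counter-mode toy standing in for real encryption, and the server keys and messages are constructed.

```python
import hashlib
import os
import random


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256 in counter mode. Illustration only; use a vetted AEAD in real code.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_layer(key: bytes, payload: bytes) -> bytes:
    # One onion layer with a fresh nonce, so identical payloads never produce identical blobs.
    nonce = os.urandom(8)
    return nonce + xor_bytes(payload, keystream(key, nonce, len(payload)))


def unwrap_layer(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:8], blob[8:]
    return xor_bytes(body, keystream(key, nonce, len(body)))


def onion_wrap(server_keys, message: bytes) -> bytes:
    # Innermost layer belongs to the last server, so the first server peels the outermost one.
    blob = message
    for key in reversed(server_keys):
        blob = wrap_layer(key, blob)
    return blob


class MixServer:
    def __init__(self, key: bytes, rng: random.Random):
        self.key = key
        self.rng = rng
        self.last_perm = None  # last_perm[i] = input slot that was emitted at output slot i

    def process(self, batch):
        peeled = [unwrap_layer(self.key, blob) for blob in batch]
        perm = list(range(len(batch)))
        self.rng.shuffle(perm)  # the server's secret reordering
        self.last_perm = perm
        return [peeled[i] for i in perm]


def run_cascade(servers, messages):
    keys = [s.key for s in servers]
    batch = [onion_wrap(keys, m) for m in messages]
    for server in servers:
        batch = server.process(batch)
    return batch


def candidate_senders(servers, compromised, output_slot):
    """Input slots that could have produced output_slot, as seen by an adversary who
    watches every link and knows the permutation of each compromised server."""
    n = len(servers[-1].last_perm)
    candidates = {output_slot}
    for server in reversed(servers):
        if server in compromised:
            candidates = {server.last_perm[c] for c in candidates}
        else:
            candidates = set(range(n))  # honest shuffle plus re-encryption: the link is lost
    return candidates


if __name__ == "__main__":
    rng = random.Random(2016)
    servers = [MixServer(hashlib.sha256(b"server-%d" % i).digest(), rng) for i in range(3)]
    messages = [b"msg-A", b"msg-B", b"msg-C", b"msg-D"]  # constructed sample batch
    output = run_cascade(servers, messages)
    print(output)
    print("all servers compromised:", candidate_senders(servers, set(servers), 0))
    print("middle server honest:", candidate_senders(servers, {servers[0], servers[2]}, 0))
```

Note what the toy leaves out: real mix designs also need fixed-size batches, padding to uniform length and protection against a server dropping or replaying messages, which is where Riffle's verifiable shuffle work comes in.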


Best analysis I’ve seen so far.
Analysis: Why the Turkey coup failed and what's likely to come next
The great irony in the coup attempt that failed in Turkey was evident.  President Recep Tayyip Erdogan has tried for years to stifle the operating freedom of social networks and has accused them of being dark forces attempting to undermine his rule.  It was these same social media networks which helped him to put down the coup.
Erdogan broadcast from his smart phone a statement to the people, tweeted to his supporters and relied on the media, even those whom he deathly hates, to spread his message in the critical first hours of the coup attempt when uncertainty gripped the country.

(Related)  I guess anyone can learn to use social media if the need is there…
As coup attempt unfolds, Turkish president appears via Facetime on live TV
Turkish President Recep Tayyip Erdogan placed what appeared to be a Facetime call to a national news broadcast early on Saturday while the world tried to figure out if a military coup against him had succeeded.
Erdogan appeared on a journalist's iPhone, held up to the camera so viewers could see and hear what he had to say.  He claimed that he remained in control and urged the public to take to the streets to oppose the coup attempt.
Erdogan's use of modern technology to speak to the nation comes with a heap of irony.  He has been keen to shut off access to the Internet during sensitive times and go after those who try to get around such bans and those who insult him.  Reporters Without Borders says Erdogan has "systematically" censored the Internet.


For the next time I teach spreadsheets.
9 Tips for Formatting an Excel Chart in Microsoft Office


I find this brilliant!  Jump on anything that hot.  (At least one third of my RSS feed articles were Pokémon related.)
How 'Pokemon Go' could help you sell your house
On a steamy summer night near Manhattan's Washington Square Park, real estate agent Jay Glazer hoped a redesigned roof deck might help draw potential buyers to the open house at his $1.5 million listing but, just in case, he added this to the ad:
"I'm fairly certain there is a PIKACHU at this open house, don't miss it."
Of the dozen or so people who showed up, only one knew exactly what "Pokemon Go" was, but Glazer said it was still worth adding the app as something of an appetizer to the ad.

(Related)  But this is better!
Yelp Now Lets You Search Businesses by Pokestop
The Pokeconomy is growing by leaps and bounds as Pokemon Go continues to break app download and daily active user records.  Now, Yelp has rolled out a new filter letting users search directly for local Pokestops.
The new filter works the same way as any other.  When you open the app to search for a bar, restaurant, or other business, open the filter options and scroll down.  Right next to filters like free delivery and outdoor seating, you can now swipe to enable a "Pokestop Nearby" filter.
Local small to midsize businesses (SMBs) are already buying and dropping Lures—an in-game functionality that draws people to certain locations—and using social media to capitalize on Pokemon Go foot traffic.  The game's publisher Niantic is also teasing sponsored locations.

(Related)  A clue for cheaters?
How to Play Pokémon GO on Your Windows PC
   Warning: To play Pokémon GO on your home PC, i.e., without physically moving around, you need to engage a method called GPS spoofing.  Strictly speaking, this is a violation of the developer’s Terms of Service and could get you temporarily or permanently banned from the game.  Use at your own risk!


It must be Saturday.
Hack Education Weekly News
   Conservatives in Kansas are trying to rebrand public education with the label “government schools.”  [They are, aren’t they?  Bob] 
   5.3 Reasons Pokemon Go will Replace the LMS” by Tom Woodward.
   According to a survey by CDW-G, “67% of school IT solutions are now delivered either in part or in full through the cloud.”  [Architecture  Bob]

Friday, July 15, 2016

Robbing an ATM just got much more interesting! 
Hackers steal millions from ATMs without using a card
Taiwan is trying to figure out how hackers managed to trick a network of bank ATMs into spitting out millions.
Police said several people wearing masks attacked dozens of ATMs operated by Taiwan's First Bank on Sunday.  They spent a few minutes at each of the machines before making off with the equivalent of $2 million stashed in a backpack.
They didn't use bank cards but rather appeared to gain control of the machines with a "connected device," possibly a smartphone, the police said in a statement Thursday.  Authorities are now hunting the thieves, who they say came from Russia and eastern Europe.
   Prosecutors said the machines were infected with three different malware files that instructed them to "spit out cash" and then deleted evidence of the crime.  They described the case as the first of its kind in Taiwan.


If nothing else, this is a great “targeting” tool. 
Maxthon Browser Sends Sensitive Data to China
Security experts have discovered that the Maxthon web browser collects sensitive information and sends it to a server in China.  Researchers warn that the harvested data could be highly valuable for malicious actors.
Developed by China-based Maxthon International, the browser is available for all major platforms in more than 50 languages.  In 2013, after the NSA surveillance scandal broke, the company boasted about its focus on privacy and security, and the use of strong encryption.
Researchers at Fidelis Cybersecurity and Poland-based Exatel recently found that Maxthon regularly sends a file named ueipdata.zip to a server in Beijing, China, via HTTP.  Further analysis revealed that ueipdata.zip contains an encrypted file named dat.txt.  This file stores information on the operating system, CPU, ad blocker status, homepage URL, websites visited by the user (including online searches), and installed applications and their version number.
While dat.txt is encrypted, experts easily found the key needed to decrypt it, giving them access to the information.  Exatel researchers demonstrated how a man-in-the-middle (MitM) attacker could intercept the data as it travels from the client to the Maxthon server in China.
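The behaviour described above (a fixed archive name, uploaded over cleartext HTTP on a regular schedule) is something a proxy log can catch.  The following is an added detection example of my own, not the Fidelis or Exatel research code; the Squid-style log lines, client addresses and the `telemetry.example.invalid` host are constructed placeholders, not Maxthon's real endpoint.  It flags the known archive name, flags any zip upload over plain HTTP as a more general rule, and then picks out clients that trip the rule repeatedly, which is the beaconing pattern.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed Squid-style access.log lines (not real traffic); hosts and addresses are placeholders.
SAMPLE_LOG = """\
1468540800.123    245 10.0.0.12 TCP_MISS/200 1534 POST http://telemetry.example.invalid/upload/ueipdata.zip - HIER_DIRECT/203.0.113.5 application/zip
1468540801.456    120 10.0.0.15 TCP_MISS/200 8320 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1468540802.789    310 10.0.0.12 TCP_MISS/200 1530 POST http://telemetry.example.invalid/upload/ueipdata.zip - HIER_DIRECT/203.0.113.5 application/zip
1468540803.000     90 10.0.0.20 TCP_MISS/200 440 POST https://accounts.example.com/api - HIER_DIRECT/198.51.100.7 application/json
1468540804.500    200 10.0.0.31 TCP_MISS/200 2048 POST http://files.example.org/backup.zip - HIER_DIRECT/192.0.2.9 application/zip
"""

# Squid native format: time elapsed client result/status bytes method URL user hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

SUSPECT_FILENAMES = {"ueipdata.zip"}  # the archive name reported in the article above


def parse_line(line):
    m = SQUID_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return a reason string if the entry looks like telemetry exfiltration, else None."""
    if entry["method"] != "POST":
        return None
    url = urlsplit(entry["url"])
    filename = url.path.rsplit("/", 1)[-1].lower()
    if filename in SUSPECT_FILENAMES:
        return "known telemetry archive name"
    if url.scheme == "http" and entry["ctype"] == "application/zip":
        return "zip archive uploaded over cleartext HTTP"
    return None


def scan(log_text):
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # malformed line: skip rather than crash the whole scan
        reason = classify(entry)
        if reason:
            alerts.append({"client": entry["client"],
                           "host": urlsplit(entry["url"]).hostname,
                           "reason": reason})
    return alerts


def repeat_uploaders(alerts, min_hits=2):
    """Clients that tripped a rule at least min_hits times: periodic uploads, i.e. beaconing."""
    counts = Counter(a["client"] for a in alerts)
    return sorted(c for c, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(a)
    print("repeat uploaders:", repeat_uploaders(found))
```

The second rule is deliberately broad and will also catch legitimate cleartext zip uploads (the `backup.zip` line is there to show that), so in practice it is a hunting query rather than a paging alert; the filename rule plus the repeat count is the high-confidence signal.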


Should you expect to be hacked?  At least create a way for someone to let you know when it happens.
From LeakedSource:
Shortly after the hack of MuslimMatch.com, Shadi.com another dating site was hacked around July 10th, 2016.  LeakedSource has obtained and added a copy of this data to its ever-growing searchable repository of leaked data.
This data set contains 2,035,020 records.  Each record contains an email address and one password.  Passwords were stored with no hashing or encryption (plaintext).
Read more on LeakedSource.
I searched Shadi.com for some message to its members.  Finding none – and also finding no way to contact them about a security breach, I used their customer support ticket system to send them a notification and an inquiry.  If I get a response, this post will be updated.
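For readers who wonder what "no hashing or encryption" should have looked like instead, here is an added example of my own (nothing to do with Shadi.com's actual code, which nobody outside the company has seen).  It puts the plaintext storage described in the LeakedSource notice beside the hardened form: a salted, iterated PBKDF2-HMAC-SHA256 record from the Python standard library, verified with a constant-time comparison and carrying its own work factor so it can be upgraded later.  The iteration count and salt size are my illustrative choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # illustrative work factor; tune to your hardware and raise over time
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    # The failure mode in the notice above: whoever copies the table has every credential.
    return password


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(SALT_BYTES)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record, so the work factor can be raised without a schema change.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not leak the digest byte by byte.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    # Call on successful login: re-store records that carry a weaker work factor.
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("wrong password", rec))                  # False
    print(store_plaintext("hunter2"))  # what a breach of a plaintext table hands over
```

A dump of records in the hardened form still lets an attacker run an offline guessing attack, so the work factor and password policy matter; what it removes is the "every account on every other site that reused this password" outcome that a plaintext dump produces.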


Should you expect your data to be kidnapped and held for ransom?
I hate it when I tweet something but forget to post it.  In today’s installment of “Smacking Myself in the Forehead,” I remember to tell readers that HHS has issued a new guidance on ransomware and HIPAA.
A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015).  Ransomware exploits human and technical weaknesses to gain access to an organization’s technical infrastructure in order to deny the organization access to its own data by encrypting that data.  However, there are measures known to be effective to prevent the introduction of ransomware and to recover from a ransomware attack.  This document describes ransomware attack prevention and recovery from a healthcare sector perspective, including the role the Health Insurance Portability and Accountability Act (HIPAA) has in assisting HIPAA covered entities and business associates to prevent and recover from ransomware attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack.
You can find the guidance here (pdf).
A few points of note about the guidance:
While the question as to whether an incident is a reportable incident under HIPAA is fact-specific (see below), a ransomware incident is, undoubtedly, a security incident under HIPAA:
The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule.  A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.  See the definition of security incident at 45 C.F.R. 164.304.  Once the ransomware is detected, the covered entity or business associate must initiate its security incident and response and reporting procedures.  See 45 C.F.R. 164.308(a)(6).
But do you need to report it under HIPAA?  From the guidance:
A breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402.
When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.
Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred.  The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.
Although this guidance does not address the question of whether HHS recommends paying any ransom, a previous interagency technical guidance does address this question:
There are serious risks to consider before paying the ransom. We do not encourage paying a ransom. We understand that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. As you contemplate this choice, consider the following risks:
  • Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom.
  • Some victims who paid the demand have reported being targeted again by cyber actors.
  • After paying the originally demanded ransom, some victims have been asked to pay more to get the promised decryption key.
  • Paying could inadvertently encourage this criminal business model.
Those are all valid points and concerns, as I acknowledged in another post this morning as to whether entities should pay ransom demands.  But there’s a difference between your operations being affected and patient data being sold, so each case – and the consequences – need to be carefully considered.


Should we believe the politicians?
State health employees fired after giving data to lawmakers
HELENA, Mont. (AP) — Montana health officials fired two state employees for turning over personal information, including Social Security numbers, of scores of childcare providers to three state legislators, according to documents and interviews with people involved in the terminations.
   Hansen is contesting his firing through his union, he told the AP.  He declined to answer questions about the data other than to say he turned it over after the legislators requested it from him.
Chris Gallus, an attorney for Burnett, R-Bozeman, disputed Hansen's account.
"He provided information that we did not request from him, and (the information) had already been disposed of before the department made any inquiry," Gallus said.
   Webb, R-Billings, said he told Opper in a phone call that the claims in Opper's letter were unfounded, but would not say whether he received information from the former state employee.
"I've got lots of information that is not public record from the department," Webb said.  He declined to elaborate.


We were just waiting for the interest levels to go down.
John Ribeiro reports:
A Federal Aviation Administration reauthorization bill that was passed by the Senate on Wednesday excludes key privacy provisions, including a requirement that commercial and government users of drones disclose whether they collect personally identifiable information.
The bill, which is a compromise short-term extension to ensure continued funding at current levels to the FAA, next goes to President Obama to be signed into law, two days before the current authorization is to expire.  It was earlier passed by the House of Representatives.
Read more on Computerworld.


All (100%) of my students have SmartPhones. 
From Quartz:
When it comes to privacy controls, we may now have too much of a good thing.  Smartphone owners must now make more than 100 privacy decisions about how much data their apps can share on Apple’s iOS and Google’s Android operating systems.  That number will only climb as privacy settings affect more of our devices and software.
[…]
Tired of waiting for the tech giants to fix the problem, Norman Sadeh’s team at Carnegie Mellon University developed a personal privacy assistant app powered by machine learning.  The app learns your preferences by asking a few key questions about privacy, and a machine learning algorithm uses this data to group users into distinct profiles.  The app can then make recommendations and give users a single dashboard to manage their data and privacy settings.
Read more on Quartz.


Interesting graphic. 
The Economist – The data of the dark web
by Sabrina I. Pacifici on Jul 14, 2016
The data of the dark web  Jul 14th 2016 by THE DATA TEAM
“SINCE the launch of the Silk Road five years ago, dark-web markets have represented a shadowy and much-maligned corner of the internet.  And the secretive nature of such sites makes them difficult to study.  But last year a researcher using the pseudonym Gwern Branwen cast some light on them.  Roughly once a week between December 2013 and July 2015, programmes he had written crawled 90-odd cryptomarkets, archiving a snapshot of each page.  The Economist has extracted data from the resulting 1.5 terabytes of information for around 360,000 sales on Agora, Evolution and Silk Road 2.  There are, inevitably, flaws in the data. Mr Branwen’s scrapes probably missed some deals….”
[From the article:
In total the deals were worth around $50m. Of those MDMA (ecstasy) sold the most by value while marijuana was the most popular single product, with around 38,000 sales.  Legal drugs such as oxycodone and diazepam (Valium) were also popular.  A third of sales did not belong in any of our categories: these included drug kit such as bongs, and drugs described in ways that buyers presumably understood, but we did not (Barney’s Farm; Pink Panther; Gorilla Glue).
Read our full analysis of dark-web markets, the price of online drugs and how competition is changing the narcotics industry here.


Why this blogger blogs.  Sounds very familiar to me.
Don’t ask me why I agreed.  Maybe they caught me on an off-day.  Maybe I thought it would give me a chance to reflect on where this site has been.  I don’t know, as I usually avoid interviews.  But I agreed to do an interview with John Norris of vpnMentor.com and you can read it all here.


My international students didn’t understand the argument. 
Microsoft wins landmark appeal over seizure of foreign emails
A federal appeals court on Thursday said the U.S. government cannot force Microsoft Corp and other companies to turn over customer emails stored on servers outside the United States.
The 3-0 decision by the 2nd U.S. Circuit Court of Appeals in Manhattan is a defeat for the U.S. Department of Justice and a victory for privacy advocates and for technology companies offering cloud computing and other services around the world.
Circuit Judge Susan Carney said communications held by U.S. service providers on servers outside the United States are beyond the reach of domestic search warrants issued under the Stored Communications Act, a 1986 federal law.
   Thursday's decision reversed a July 2014 ruling by then-Chief Judge Loretta Preska of U.S. district court in Manhattan requiring Microsoft to turn over the emails.  It also voided a contempt finding against the company.
   The case is In re: Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp, 2nd U.S. Circuit Court of Appeals, No. 14-2985.

(Related)
Why Microsoft's Victory in Irish Email Case Matters
   It is an important ruling with major implications for international relations -- especially between the U.S. and Europe.  It will make U.S. business conformance with the General Data Protection Regulation (GDPR) simpler, and make the Privacy Shield stronger.
   The court's decision does not mean that the government will never be able to obtain the information it seeks.  The most likely outcome is that it will be forced to use the route it originally rejected as too slow and cumbersome: the use of a Mutual Legal Aid Treaty (MLAT) that will ensure judicial overview of the process.

(Related)  On the other hand…
If you read the European Commission’s announcement on the EU-US Privacy Shield (summary here), you may have come away with a more positive impression of its protections than is actually warranted.
Here’s one of the critiques that have appeared in the past few days.  Klint Finley reports:
Companies like Facebook and Google can continue transferring data from the European Union to their servers in the US under a new deal between the two governments that privacy advocates still say isn’t good enough.
[…]
Under the Privacy Shield, US companies will be able to “self-certify” that they follow the privacy principles outlined in the framework.  The agreement establishes an “ombudsperson” in the US State Department who will address privacy-related questions and complaints from people in the EU.
Privacy advocates say those protections are inadequate and want to see the Privacy Shield quashed.  The ombudsperson will have limited power to fix problems and won’t be all that independent since that person will report to the Secretary of State, argues Privacy International.
Read more on Wired.


A game going viral.  Accessing everything on your phone.  People walking into traffic.  What’s next? 
All around the world, authorities are worrying about Pokemon Go
   parallel to the near-global obsession have been the concerns of, well, grown-ups around the world worried about the app's effects.  These include security flaws posed by the app itself, as well as myriad cases of robbers and other assailants exploiting the game's mechanics to lure unsuspecting victims.
Then, there's the simple issue of propriety.  In Washington, the Holocaust Museum and Arlington National Cemetery have been compelled to put out stern notices, requesting visitors to refrain from chasing around Pokemon while on the premises.
   Police in the Belgian port city of Antwerp, for example, issued a warning about the potential dangers of pedestrians playing the game.
"Players will only have eyes for their screen, and so captivated will they be by the game that they may no longer be paying attention to the traffic,” the police said.  They also warned of "criminals using the game as a means to hunt down victims and steal from them."
In some corners of the Muslim world, the reaction to the game took on a particular moral valence.  Earlier this week, my colleague Sudarsan Raghavan blogged about the 2001 fatwa against the original Pokemon game, issued by an Egyptian cleric, who said the game taught children gambling through the use of "Masonic and Zionist symbols."  But now, the deputy chief of Cairo's Al-Azhar, the most important scholarly institution of Sunni Islam, has declared Pokemon Go to be as illicit as alcohol.

(Related)  Wait until the ads start attracting players.  Ronald McPoke? 
Pokémon Gamers Could Soon be Flocking to McDonald's
   “There is a second component to our business model at Niantic, which is this concept of sponsored locations,” John Hanke, Chief Executive of Niantic, the development team of Pokémon Go, told the Financial Times.
This component would draw Pokémon Go players to sponsored locations by making them gyms or Pokéstops -- and it looks as if that component is already in the works.
A 13-year-old student in Sydney, Australia, Manmeet Gill, decompiled the Android version of Pokémon Go and found a string that he believes indicates a sponsorship with McDonald's.  The string hasn’t been activated for players yet.
“I found the string as I was scrolling through the metadata of the game,” Gill says.  “It alludes to the McDonald’s stores being some kind of Pokémon store. It also says that it is a sponsorship.”

(Related)  Just because…
The 5 Most Ridiculous Pokémon Go Stories of the Week


For my Data Management and IT Architecture students. 
Gallup – Successful Predictive Analytics Demand a Data-Driven Workplace
by Sabrina I. Pacifici on Jul 14, 2016
  • The global data push is stronger than ever
  • Data-driven companies are more productive and profitable
  • Leaders need to develop and sustain a data-driven culture
The data movement is growing exponentially, not only regarding the sheer quantity of data but also in the ways companies use data for strategic decision-making.  International Data Corporation estimates that global data doubles in size every two years and that by 2020, it will reach over 44 trillion gigabytes — increasing tenfold from 2013.  In tandem with the data explosion, a growing digital economy and advances in data science dramatically amplify the analytic value of big data.  As a result, companies can better connect data for greater predictive power and high-impact insights.  Business use of predictive analytics is on the rise because many companies recognize the competitive advantage that data and analytics can offer to their decision-making.  According to one estimate, companies in the top third of their industry for data-driven decision-making are 5% more productive and 6% more profitable than their competitors.  Predictive analytics enable leaders to make radical discoveries about their companies and dissect and solve complex business problems, thereby enabling better business strategies and performance….”

(Related)  Again both classes should read this article!
7 Questions to Ask Before Your Next Digital Transformation


For my IT Architecture students.  What kind of infrastructure allows you to run on any device, securely?   
masterpass Aims To Take Commerce Anywhere
“Consumer expectations are changing, and they’re getting higher.  Consumers don’t think about technology as technology; it just is,” said mastercard Chief Innovation Officer Garry Lyons at the unveiling of mastercard’s new digital payments strategy yesterday (July 14).  That strategy is one designed to enable commerce anywhere that a consumer and a connected device happen to be.  And one that leverages mastercard’s global acceptance network to power issuer-branded digital payments credentials anywhere buyers and sellers want to do business, including the “yet-to-be-imagined” connected devices that sit on the edge of that network.
Including refrigerators.


My Computer Security students must decrypt the instructions for their encryption project.  I’ll add this article just to amuse them.
Don’t Believe These 5 Myths About Encryption!


For my gaming students.  Perhaps we could host a game creation contest? 
How to Make a Video Game in a Week Using Buildbox
Buildbox is an all-in-one game-making tool and asset package that is designed to be user-friendly, even for people with no coding experience whatsoever.  With it, games can be conceptualized, designed, and built in a matter of days or even hours.


I still want my students to create their own textbook.  One of these looks like a viable tool! 
Three Good Options for Creating eBooks in Your Web Browser
Creating a multimedia ebook can be a great way for students to showcase examples of their best work.  Writing a multimedia ebook can also be a nice way for students to illustrate and or further explain portions of fiction and non-fiction stories that they compose.  The following three platforms make it possible for students to create and publish multimedia ebooks in their web browsers.
Widbook is a platform designed to help people collaboratively create multimedia books.  The service is part multimedia book authoring tool and part social network.

Thursday, July 14, 2016

All of my students have smartphones.
Just Watching a YouTube Video Can Compromise Your Smartphone
Among the multiple ways of compromising a mobile device, researchers recently analyzed a new method that humans can’t detect: hidden voice commands.
The research was driven by the emergence of voice interfaces for computers and was conducted on Android and iOS devices with the "Google Now" feature activated.  With modern smartphones and wearable devices adopting an "always-on" model in which they continuously listen for possible voice input, researchers wanted to learn whether hidden commands that are unintelligible to human listeners could be issued.
In a paper (PDF) describing the experiment, researchers from Berkeley and Georgetown University revealed that hidden commands that are effective against existing systems can be issued, and that humans are unlikely to understand them and might not even notice them.  The mobile devices, on the other hand, will react to these commands.
   researchers say that it is possible to broadcast hidden commands from a loudspeaker at an event or to embed them in a trending YouTube video.


Unfortunately, we seem to have a government of “no consequences.” 
Chinese Hacks on FDIC Covered Up by CIO
Threat actors believed to be from China breached the systems of the U.S. Federal Deposit Insurance Corporation (FDIC), but the agency’s chief information officer attempted to cover up the incident, according to a report published this week by the House of Representatives Science, Space and Technology Committee.
The report revealed that a threat group presumably sponsored by the Chinese government breached FDIC systems in 2010, 2011 and 2013.  The attackers managed to plant malware on 12 workstations and 10 servers belonging to the banking regulator, including computers used by the chairman, chief of staff and general counsel.
According to the report, Russ Pittman, who was the FDIC’s CIO at the time, had instructed employees not to discuss or proliferate information about the attack to avoid jeopardizing the confirmation of Martin Gruenberg in the position of FDIC chairman.
   Pittman is not the only CIO accused of wrongdoings.  The agency’s current CIO, Lawrence Gross, has been called out for failing to notify Congress of major incidents (i.e. incidents involving more than 10,000 records).
   The agency and its CIO attempted to downplay the extent of the incident until the FDIC Office of Inspector General (OIG) conducted an investigation and prompted the organization to report the breach to Congress.  Furthermore, Gross reportedly removed a CISO who disagreed with him about whether the Florida incident should have been reported to Congress.  Gross’ ability to serve as CIO of FDIC is now being brought into question.


So this is e-trespassing raised to the equivalent of a “make my day” law?  Can I ask the FBI to stay away from my website?
Orin Kerr writes:
The U.S. Court of Appeals for the 9th Circuit has handed down a very important decision on the Computer Fraud and Abuse Act, Facebook v. Vachani, which I flagged just last week.  For those of us worried about broad readings of the Computer Fraud and Abuse Act, the decision is quite troubling.  Its reasoning appears to be very broad.  If I’m reading it correctly, it says that if you tell people not to visit your website, and they do it anyway knowing you disapprove, they’re committing a federal crime of accessing your computer without authorization.
Read more on Washington Post.  As always, Orin provides a lot of food for thought.
By now, I’ve only read the opinion once, and oddly, perhaps, what caught my eye was fn4:
Simply bypassing an IP address, without more, would not constitute unauthorized use.  Because a blocked user does not receive notice that he has been blocked, he may never realize that the block was imposed and that authorization was revoked.  Or, even if he does discover the block, he could conclude that it was triggered by misconduct by someone else who shares the same IP address, such as the user’s roommate or co-worker.
So someone going directly to a file on a server from search results – without going through the site’s or server’s front door – is not necessarily engaging in “unauthorized use” under CFAA without more?  But what more would be needed in that situation to make criminal application of CFAA appropriate?  And if that’s the case, think of the raid on Justin Shafer who accessed files on a Patterson FTP server when there was nothing he saw that would have suggested he didn’t have authorization.


Will the government let this stand?  I rather doubt it. 
Court rules DEA needs warrant to use mobile tracking device
A federal judge in New York on Tuesday ruled that law enforcement officers need a warrant before using a device that mimics cellphone towers to help track a person’s mobile phone. 
Observers said the ruling was the first of its kind in federal court.  But it is unclear how important the precedent will be since the government has already changed its policy to require warrants going forward.
   “Absent a search warrant, the Government may not turn a citizen’s cell phone into a tracking device,” the judge wrote in his opinion.  “Perhaps recognizing this, the Department of Justice changed its internal policies, and now requires government agents to obtain a warrant before utilizing a cell-site simulator.”
The new Justice Department policy last year to require warrants came only a week after the DEA carried out its search of the home of Raymond Lambis, the defendant in the case.

(Related)  So why question this? 
Judge Koh Grilled at Hearing for 9th Circ. Slot
A Republican senator grilled U.S. District Judge Lucy Koh on Wednesday about why she said police need warrants to access cellular location data.
   From her bench in San Jose, Koh made headlines roughly this time last year in blocking the government from accessing data called cell-site location information without a warrant, saying such data has Fourth Amendment protections.
   The senator called Koh's ruling last year the only one of its type.  No other courts ruled that non-content, or meta-data, was subject to protection under the Fourth Amendment.
Koh, 47, emphasized that she had no precedent to follow, either from the U.S. Supreme Court, or the Ninth Court, which hears appeals from 15 judicial districts, including Koh's and three others in California.
Koh said she did her diligence by surveying other circuit cases and state laws on probable cause.
A 2012 decision by the Supreme Court guided Koh in particular.
The ruling U.S. v. Jones "held that GPS [vehicular] tracking movements on public roads for 28 days did violate the Fourth Amendment and did require a warrant, and in this particular instance, it was equally a tracking of movement over 60 days instead of 28 days with tracking without a warrant," Koh noted.


Everyone is buying tools to surveil themselves.  All the video goes to Nest and/or Google. 
Nest's outdoor camera and Google A.I. tell you when someone's at your door
   This particular unit requires an outlet and does not run on batteries...the use of main power means the Nest Cam can continue recording and uploading footage...without needing to turn itself off and activate once movement is detected...  On the flip side, should you happen to lose power to your home, the camera becomes decoration.
There's no built-in storage...so you'll need to make sure your Wi-Fi remains up and running.  That said...all video streamed is encrypted.  Sound like the perfect solution to add to your security setup?  You can pre-order it now for $199.
   What about the accompanying app?  How is that going to work with the new outdoor camera?  Turns out, it is getting an upgrade, and will be using Google-powered A.I. to detect people via the outdoor camera.
Subscribers to the Nest Aware service will get a new feature called “person alerts.”  This server-based algorithm will analyze the feed from your camera in real time to distinguish a human being from anything else that might appear.  If the algorithm determines that it’s a person, it will send an alert to the app.  Nest's person alerts won't use facial recognition to try to identify who the person in front of the camera is. [Yet.  Bob] 

(Related)  Government says surveillance earns you a discount – in reality, insurance companies will just charge more if you don’t surveil yourself.
Joe Cadillic writes:
Big Brother and auto insurance companies have devised a devious new way to encourage Americans to spy on each other.  They’re offering motorists an insurance discount, if they purchase and install dashcams in their own vehicles!
New York Assembly member Alicia Hyndman and NY Senator Jose Peralta have introduced a bill that would give New York drivers a 5% auto insurance discount for having a dash camera installed in their car.  Fyi, insurance companies are also secretly identifying motorists and passengers using facial biometrics.
Read more on MassPrivateI.


Come on students, try and keep up!
Pokémon Go is Literally Taking Over the World. Here’s What Marketers Can Keep in Mind
Pokémon Go launched a week ago.  That’s right, seven days.  And in that time, there have been more downloads of the game than of Snapchat.  According to an article on Forbes’ website, more people are using Pokémon Go than Instagram and Whatsapp.  People are knocking on strangers’ doors, taking impromptu trips, and allegedly, discovering dead bodies while playing the game.  In short: Pokémon Go is a global phenomenon, the likes of which we have not seen in some time.

(Related)
The beginner’s guide to Pokémon Go: A FAQ on how to catch 'em all


Self-promotion is still marketing.  Don’t believe me?  Ask Donald Trump. 
Let Selena Gomez Help You Get Those Double-Taps: Her 7 Tips for Becoming the Most-Followed Person on Instagram
With 89.2 million followers, Selena Gomez is the most followed person on Instagram, trumping her BFF Taylor Swift by 4 million and her ex-boyfriend Justin Bieber by about 15 million.  Not to mention, she's also beaten out all the selfie masters in the Kardashian/Jenner family.
So how did SelGo do it?  In an interview with The Hollywood Reporter, the singer admits she really didn't do much of anything at all—and that might just be the key to her success.
   With that being said, here are 7 tips she suggests for gaining a massive following:


Something to share with my students.  Just the math tips make it worthwhile. 
This Cool Website Will Teach You Hundreds of Google Search Tips
This cool website called SearchyApp features an insane amount of tips that’ll help you make the most of Google.


An update.
Tom Brady’s appeal request denied by federal court, so his suspension stands

(Related)  I only included the article above so I could ask: “Does Ruth like Tom better than Donald?” 
Ruth Bader Ginsburg is the key to Tom Brady’s short-term fate
   Seeking justice will include seeking a stay of the suspension from Justice Ruth Bader Ginsburg, the member of the U.S. Supreme Court designated to handle cases arising from the Second Circuit.  If an appeal is filed, she’ll inevitably be asked to maintain the status quo until the Supreme Court decides whether to take up the case.
Here’s where it gets very interesting — and potentially very political.  Ordinarily, Justice Ginsburg’s ideology and philosophies would make her more likely than not to grant the stay.  In this case, however, there’s a potential complication.  His name is Donald Trump.
Brady has made no bones about his friendship with Trump.  And Justice Ginsburg has made no bones about her disdain for Trump.

Wednesday, July 13, 2016

How would the average company respond to a phone call like this?  There are probably no procedures in place…
Dell Cameron reports:
A leaky database has exposed the physical security of multiple Oklahoma Department of Public Safety facilities and at least one Oklahoma bank.
The vulnerability—which has reportedly been fixed—was revealed on Tuesday by Chris Vickery, a MacKeeper security researcher who this year has revealed numerous data breaches affecting millions of Americans.
The misconfigured database, which was managed by a company called Automation Integrated, was exposed for at least a week, according to Vickery, who said he spoke to the company’s vice president on Saturday.  Reached on Tuesday, however, an Automation Integrated employee said “no one” in the office was aware of the problem.
Read more on the Daily Dot.
[From the article:
“This is an example of excellent incident response,” Vickery said of the Automation Integrated vice president whom he alerted of the breach.  “The guy didn’t try to call me a hacker, he didn’t try to claim that it was a fake database filled with dummy-data, and he didn’t try to deflect responsibility onto another company.  What he did do was fix the issue promptly, verify with the original reporter that the issue was fixed, and he appreciated the fact that someone would go out of their way to make sure an issue like this was taken care of.”


No wonder card issuers are willing to pay to move to the chip-imbedded cards. 
ACI – Globally, Nearly 1 in 3 Consumers Victimized by Card Fraud
by Sabrina I. Pacifici on Jul 12, 2016
“Thirty percent of consumers globally have experienced card fraud in the past five years, according to new global benchmark data from ACI Worldwide and Aite Group.  The global fraud study of more than 6,000 consumers across 20 countries revealed that, compared to ACI’s 2014 benchmark study, card fraud rates—unauthorized activity on three types of payment cards (debit, credit and prepaid)—are on the rise worldwide.  14 out of the 17 countries surveyed both years reported an increase in card fraud between 2014 and 2016.  Risky behaviors, such as leaving a smartphone unlocked when not in use, have a direct correlation to fraud—and the overall risk for fraud is rising due to the global increase in smartphone and tablet usage…”


Marketing tools look remarkably like surveillance tools.
Twitter will tell brands more about people who see their tweets, visit their sites
Twitter knows a lot about a person based on their Twitter account.  Like whether they’re male or female, what language they speak, what kind of music they like, which TV shows they watch, what major city they live in and who their cell service provider is.  Now Twitter is making it easier for more brands to access that information.
On Tuesday Twitter-owned data platform Gnip officially opened up its Audience API so that any brand can use the analytics tool to get a cheat sheet of demographic and interest data about any group of Twitter accounts.  And it’s making it easier for any brand using the tool to find out about people who may have come across the brand’s tweets or stumbled onto its website.
   Brands can also pull this data about people who are in their customer databases.  A brand would just need to upload a list of people’s email addresses, phone numbers or the mobile advertising IDs that brands can collect when someone uses their mobile app.  And if a brand has placed Twitter’s Tailored Audience tag on its site — which Twitter uses to connect site visitors to their Twitter accounts — they will be able to create audience segments of those site visitors as well.
Twitter isn’t adding any new types of demographic or interest data that it hasn’t already exposed during the Audience API’s beta period.  But here’s a quick refresher on what categories of information brands will be able to access.


Automobiles look remarkably like surveillance tools.
Your Car’s Been Studying You Closely and Everyone Wants the Data
As you may have suspected, your car is spying on you.  Fire up a new model and it updates more than 100,000 data points, including rather personal details like the front-seat passenger’s weight.  The navigation system tracks every mile and remembers your route to work.  The vehicular brain is smart enough to help avoid traffic jams or score parking spaces, and soon will be able to log not only your itineraries but your internet shopping patterns.
The connected car will be a wonderful convenience or an intrusive nightmare, depending on your tolerance.  For automakers, it could be a gold mine, which is why the industry is building firewalls to keep the likes of Google Inc. and Apple Inc. at bay -- and hoping to pry you away from their phones and apps when you’re motoring.
   The dashboard battle is gearing up as cockpit technology rapidly advances.  Once self-driving cars are the norm, people will have the downtime to become truly mobile consumers. 


Of course, Hillary didn’t “intend” to delete these emails that are required by law to be kept.
FBI to give deleted Clinton emails back to State Dept.
The FBI will give the State Department thousands of deleted work-related emails that it uncovered while investigating Hillary Clinton's private server.
The bureau said in a letter filed with a federal court late Tuesday afternoon that, now that the investigation into Clinton is over, it would turn the emails over to the State Department for record-keeping.
   According to FBI Director James Comey, investigators “discovered several thousand work-related" messages that were not among the roughly 30,000 emails Clinton gave to the government in 2014.  The former secretary of State and her lawyers deleted approximately half of the 60,000 emails on her server, claiming at the time that they were purely personal and did not belong in the government’s hands.
The FBI recovered the emails through digital traces left on decommissioned servers and via the inboxes of people with whom Clinton communicated, Comey said.
The State Department did not indicate whether it would release the thousands of new emails to the public, as it did with the 30,000 emails she had already handed over.  [If they don’t, this looks like a good way to hide a smoking gun.  Bob]  


You gotta have an App for that, no matter what “that” is.
The Avis Now app could end our car rental nightmare
   “We’re re-engineering the entire rental process,” Avis CEO Larry DeShon told me on Tuesday.
A 10-year Avis veteran, DeShon assumed the Avis CEO job in January.  Since then, he’s been busy trying to reinvent car rental for a new generation of customers, namely millennials.
   The new app, which is live today in Apple’s App Store and Google Play, is designed to handle virtually the entire Avis car rental process.
Customers who register with Avis will be able to use the Avis Now app to book rental cars, receive notifications, change car selections, find the car in the lot and unlock it.
   Avis’s DeShon contends that end-to-end app-based car rental is a first in his industry, but the process is not new.  In fact, Avis learned it from subsidiary Zipcar.
Zipcar is a long-time innovator in the car rental experience.  It started letting people share cars and rent them by the hour through web sites, and later apps, years ago.  Avis bought Zipcar in 2013.


Well, I think this is an interesting article.  Do you?  My answer?  Those that survive will.
Will AI Companies Make Any Money?
I was recently consulting with a publishing company that is exploring various ways to digitize and contextualize its content.  Knowing that some of the company’s competitors had signed deals with IBM’s Watson, I asked several executives why they had not done a Watson deal themselves.  “We think that the market for AI software is rapidly commoditizing, and we believe we can assemble the needed capabilities ourselves at much lower cost,” was this company’s party line.  Some particularly knowledgeable managers mentioned that they expected the company would instead make use of open source cognitive software made available from various providers.  These potential open source providers are not small vendors; they include, for example, Google, Facebook, Microsoft, Amazon, and Yahoo.


Think how this will translate to personal use.  (It’s like the model I proposed for leasing computers to grandma.) 
Microsoft debuts “Surface as a Service” program aimed at getting devices into the enterprise
Microsoft announced this morning a new program aimed at expanding Surface’s footprint in the enterprise, dubbed “Surface as a Service.” The initiative will allow businesses to lease Surface devices, alongside subscriptions to Office 365 and Windows 10.
   Surface has been a growing business at Microsoft, the company also notes, having grown in the past year from generating $1 billion in revenue per year to $1 billion per quarter.
   The program’s launch also follows the recent unveiling of a Surface Membership program, which lets consumers buy Surface devices by making low monthly payments.  The plan was also aimed at businesses, not consumers, and offered access to Surface Book, Surface Pro 4 and Surface 3 models.  It included free upgrades when new models became available.


Something for history buffs and researchers.
International Coalition on Newspapers Metadata Search
by Sabrina I. Pacifici on Jul 12, 2016
Via Center for Research Libraries (CRL) – “The ICON database is the most comprehensive source of information about significant newspaper collections in print, digital and micro formats.  The large and growing database is designed to inform library decisions on the development, management and preservation of newspaper collections.  Current statistics: 47,222,880 issues from 171,518 publications dating from 1649–2015.  See more ICON statistics and visualizations.”