Saturday, September 10, 2016
Will all those other companies face similar suits?
Shaun Nichols reports on a lawsuit filed by Seagate employees whose W-2 information was given to criminals who successfully tricked an employee via business email compromise.
The suit [PDF], originally filed in July through the Northern California District Court, accuses the hard drive maker of negligence and unfair business practices stemming from the March 1, 2016 incident when a phishing attack led to the W‑2 information on all Seagate employees, as well as family members and beneficiaries named in employee W‑2 forms.
The suit claims that the attackers have already begun using the information lifted in the breach.
Read more on The Register.
Another “tip of the iceberg” suit?
Nicholas Iovino reports:
Yelp cannot escape claims that it invaded Apple device users’ privacy by uploading their personal data without consent, a federal judge ruled Friday.
Yelp is one of 14 app developers accused of using a “find friends” feature to mine users’ contacts without their permission.
The consolidated class action stretches back to 2012 when lead plaintiff Marc Opperman sued Apple, Yelp and others for claims of privacy invasion.
Read more on Courthouse News.
Incident response: How NOT to sound innocent.
As I commented to someone recently, a security incident involving Appalachian Regional Hospital facilities in Beckley and Summers County struck me as a really serious one because it was impacting patient care. While ARH responded promptly and initiated its emergency operations plan after detecting that its system was infected, it seemed clear that shifting to an older manual system would introduce delays in processing and in care, despite employees’ best efforts.
Since the cyberattack was first announced, some patients have complained that ARH has been less than forthright about the situation and about whether their protected health information or identity information has been acquired by bad actors. A statement by ARH on August 30 indicated that they had no indication that patient data was stolen, but I guess people want that confirmed and want updates. ARH has issued two updates since August 30, but the updates do not address whether there was any ransom demand, and do not provide any update on whether there is any evidence that PHI or PII was accessed or exfiltrated.
As I noted even before the August 30th press release was issued, my initial impression was that this was likely to be a case where the data or systems were locked up for ransom but no data had been exfiltrated. I continue to hypothesize that that’s the case, but in this day and age, it’s understandable that patients want answers quickly so that they can take steps to protect themselves.
And while I appreciate the great stress that everyone at ARH must be under during this difficult time, threatening the press who have been reporting on what is, indeed, a matter of public concern, does not strike me as an appropriate response.
The Register-Herald has been all over this story since the beginning, and it appears they’ve been threatened over their coverage. Daniel Tyson reports today how operations are still impacted. He then reports all the entities and offices the paper has contacted trying to get information about the breach and current status, and how the paper could get no response from any of the many individuals and offices they reached out to. Then… wait for it …
However, an email from ARH Chief Legal Officer Rick King Friday afternoon stated if The Register-Herald continues to “deliberately publish statements which defame ARH, or cast it in a false light, we will have no other recourse but to consult with our attorneys in WV, to determine appropriate legal action.”
Threatening the press for reporting that some people are complaining or that the hospital has not yet answered questions the public wants answered should not be part of incident response. Maybe ARH would like to see more coverage from patients who are understanding and supportive or from patients who experienced no delay in care, but the solution is to issue a statement saying what delays patients should still expect at this point and what operations are fully restored already. And while they’re at it, perhaps they should explain why they were unable to just fully restore operations from backup.
One way to restore trust and confidence is by being more transparent. Threatening the media to attempt to chill some speech is counterproductive and inappropriate.
Of course they are. “Here self-driving taxi, deliver this package to that crowd over there.”
DOJ studying if self-driving cars pose ‘terrorist threat’
The U.S. Justice Department has formed a threat analysis team to study potential national security challenges posed by self-driving cars, medical devices and other Internet-connected tools, a senior official said.
The new group’s goal is to secure the so-called “internet of things” from exploitation by “terrorist threats” and by others who might try to hack devices to cause loss of life or achieve political or economic gain, according to Assistant Attorney General John Carlin, head of the Justice Department’s national security division.
Onward to Big Brotherlyness!
Thomas Heath reports:
Do you hog office conversations? Or not talk enough? Does your voice squeal?
Do you sit very still at your desk all day? Or do you fidget under stress? Where do you go in the office? How much time do you spend there? To whom do you talk?
An employee badge can now measure all this and more, all with the goal of giving employers better information to evaluate performance. Think of it as biometrics meets the boss.
A Boston company has taken technology developed at MIT and turned it into special badges that hang around your neck on a lanyard. Each has two microphones doing real-time voice analysis, and each comes with sensors that follow where you are in the office, with motion detectors to record how much you move. The beacons tracking your movements [The voice analysis continues? Bob] are omitted from bathroom locations, to give you some privacy.
Read more on the Washington Post.
Privacy in Canada.
David T.S. Fraser writes:
The Ontario Small Claims Court, in Halley v McCann, 2016 CanLII 58945 (ON SCSM), has recently awarded a plaintiff $9,000 in damages for breach of privacy. The case arose because the defendant disclosed the fact that the plaintiff had admitted herself to a mental health facility. The defendant is also the half-sister of the plaintiff. It was alleged that the defendant had told three people outside the facility about the plaintiff’s stay there. No other information was disclosed.
What may not be totally clear from that first paragraph is that the defendant was an employee of the mental health facility, which is how she learned of the plaintiff’s stay there. So this wasn’t just a case of a family member finding out something and sharing it with others. This was a case of an employee disclosing confidential information about a patient. Maybe her motivation to disclose had to do with the familial relationship and some animosity towards the plaintiff and maybe the familial issues made the impact on the plaintiff greater, but the main thing I would focus on is that the defendant only knew of the stay because of her work at the facility.
Read more about the case and opinion on Canadian Privacy Law Blog.
If I record your voice to train the machine, would everyone believe it was you?
Face of a Robot, Voice of an Angel?
The last time you heard a computer convert a line of text to speech, it probably jarred. Google’s machine-learning division, DeepMind, has developed a new voice synthesis system using artificial intelligence that it thinks will improve the situation.
… The results do sound compelling—you can listen to them yourself here. Compared with the concatenative and parametric approaches, it’s noticeably more humanlike.
Fool these, fool everyone?
Greenhouse (Chrome, Safari): Who Is Funding That Politician?
Change Politics (Web): Run a Mock Ballot, Talk to Candidates
Vote411 (Web): Learn About Your Community’s Candidates
Ballotpedia (Web): Everything You Need to Know About U.S. Politics
ChartsMe (Web): Are You a Democrat or a Republican?
We’ve got to get our programmers into this competition.
U.S. developers have the numbers, but China and Russia have the skills
While the United States and India may have lots of programmers, China and Russia have the most talented developers according to a study by HackerRank, which administers coding tests to developers worldwide.
… The United States and India provide the majority of competitors on HackerRank but only manage to rank 28th and 31st, respectively. "If we held a hacking Olympics today, our data suggests that China would win the gold, Russia would take home a silver, and Poland would nab the bronze," Trikha said.
… Poland was tops in Java testing, France led in C++, Hong Kong in Python, Japan in artificial intelligence, and Switzerland in databases. Ukrainian programmers led in security, while Finland was top in Ruby coding challenges.
For my next Statistics class.
Is A 50-State Poll As Good As 50 State Polls?
Why You Shouldn't Give Up on Social Commerce (Infographic)
Anything you do, someone somewhere is going to be amused or offended.
iPhone 7 Slogan Translates to 'Penis' in Hong Kong - Report
… in Cantonese, the Chinese dialect spoken in Hong Kong, the word for "seven" is pronounced "tsat," and is also slang for "penis."
Strategic Humor: Cartoons from the October 2016 Issue
It’s Saturday, again.
Hack Education Weekly News
… Via The Guardian: “US library to enforce jail sentences for overdue books.” That’s the Athens-Limestone public library in Alabama (and that’s completely fucked up).
… Via Buzzfeed: “ Online K–12 School Fights Attempt To Check If Students Really Show Up.” The school in question: the Electronic Classroom of Tomorrow.
… Via Politico: “There’s no firm deadline for the Education Department to weigh in on whether a group of investors, which includes some with deep ties to the Obama administration, are effectively allowed to buy the University of Phoenix’s parent company. But the company, Apollo Education Group, has previously said in SEC filings that it expects to get the necessary regulatory approvals to complete the sale by the end of this calendar year.”
… Via The Washington Post: “Inside Bill Clinton’s nearly $18 million job as ‘honorary chancellor’ of a for-profit college.” The for-profit: Laureate Education (which once began as the tutoring chain Sylvan Learning and is now an investor in Coursera, I always like to point out).
… Via T.H.E. Journal: “The biggest predictor of student achievement (based on their use of a learning management system) is not the amount of time they spend working with course content; nor is it how long they spend taking assessments or participating in discussion forums. It’s how frequently they check their grades online.” The claims are based on Blackboard data, published on the LMS company’s blog.
… Via the Bureau of Labor Statistics (as reported by Infodocket): “The Cost of College Textbooks Has Increased 88% Since Jan. 2006, Tuition and Fees Up 63%.”
… Mark Guzdial writes about a thesis from Yogendra Pal: “Learning CS while Learning English: Scaffolding ESL CS Learners.”
Friday, September 09, 2016
Another government providing that warm and fuzzy feeling.
Hackers have stolen 22 gigabytes of data from municipal servers in Almelo, reports NU.nl. It says that although it is unclear what data have been leaked, people’s personal data have almost certainly been affected. Hackers reportedly gained access to systems for Werkplein Twente, a partnership between the UWV benefit agency and areas in Twente that help find work for people with a disability or who are on the unemployment benefits. It is apparently unclear how long the system has been compromised as the hack was discovered by chance.
Read more on DutchNews.nl
A trivial group? We’re just used to seeing billion dollar companies.
Brian Krebs reports:
vDOS — a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline — has been massively hacked, spilling secrets about tens of thousands of paying customers and their targets.
The vDOS database, obtained by KrebsOnSecurity.com at the end of July 2016, points to two young men in Israel as the principal owners and masterminds of the attack service, with support services coming from several young hackers in the United States.
Read more on KrebsOnSecurity.com.
[From Brian’s article:
… in just four months between April and July 2016, vDOS was responsible for launching more than 277 million seconds of attack time, or approximately 8.81 years worth of attack traffic.
Allow me to introduce Bob’s First Rule of Techno-Politics: Politicians should never be allowed to use technology. (Based on the philosophy of Forrest Gump: “Stupid is as stupid does.”)
Slack Alice writes:
File under “major situational awareness issues”: A picture tweeted out by Labour’s leadership contender Owen Smith’s team inadvertently showed 16,000 people how to log into the Pontypridd MP’s phone bank system.
The pic showed the candidate at a phone canvassing session—along with a sign in the background showing the web address, ID, username, and password required to log in.
Read more on InfoSecurity Magazine.
(Related) This too could be very interesting. Will they be allowed to describe the security failures that allowed them to hack all these people? Or is the government claiming that these kids got through the best security the CIA could provide?
Two Men Arrested in U.S. for Hacking Emails of Top Officials
Two men suspected of belonging to a network that hacked the emails of top American officials including CIA chief John Brennan were arrested Thursday in North Carolina, the authorities announced.
… Police in Britain investigating the matter in February arrested a 16-year-old student suspected of involvement.
CNN and the technology website Motherboard reported at the time that the targets of "Crackas With Attitude" included top CIA officials like Brennan, as well as senior figures in the FBI, the Homeland Security Department, the White House and other federal agencies.
In January, the US director of national intelligence James Clapper said that he, too, had been the victim of cyber pirates who had gained access to the personal account he used for internet and telephone service, managing even to intercept phone calls from his home, Motherboard reported.
Who said, “The difficult we do immediately. The impossible takes a little longer.”?
DHS chief: 'Very difficult' for hackers to skew vote
Department of Homeland Security (DHS) Secretary Jeh Johnson on Thursday downplayed concerns about malicious hackers influencing U.S. elections amid rising fears about foreign actors trying to wreak havoc on Election Day.
… Despite Johnson’s claims, however, hackers would not necessarily need to alter a particular vote count in order to inject chaos into the U.S. electoral system.
Merely tainting the integrity of the voting system might be enough to sow discord in the U.S. on Election Day. In other words, even if hackers do nothing, simply claiming to have altered the results could cause the public to doubt the results.
And hackers might be able to alter ballot counts in swing districts where the outcome might have oversized importance.
A paper by James Scott, Sr. Fellow, Institute for Critical Infrastructure Technology, and Drew Spaniel, Researcher, Institute for Critical Infrastructure Technology, provides an overview of what is happening on the dark web when it comes to patient-related information. You can access it here.
Better late than never? This is so late it might as well be never.
Meet the U.S.'s First Ever Cyber Chief
Retired Air Force Brigadier Gen. Gregory Touhill just got a promotion.
The White House has named Touhill as the first ever federal chief information security officer, a role that is focused on bolstering the U.S. government’s digital defenses. The Obama administration first announced the creation of the position in February.
… Touhill will be responsible for “helping to ensure the right set of policies, strategies, and practices are adopted across agencies,” they said.
… You can read more about his bio on the U.S. Air Force website here.
… The Obama administration also appointed Grant Schneider, cybersecurity policy director on the White House’s National Security Council, as Touhill’s acting deputy information security chief—a career role, in contrast to Touhill’s.
Should any communication be governed by a single set of rules? If not, why not? IT Governance? This is what happens when you disrupt an industry.
EU looking at extending some telecom security rules to WhatsApp and Skype
The European Union is set to extend some security rules currently only applicable to telecom operators to web services such as WhatsApp, Skype and Apple Inc’s FaceTime, according to a draft proposal seen by Reuters.
… Telecom companies such as Vodafone, Orange, and Deutsche Telekom have long complained that web groups including Alphabet Inc’s Google, Microsoft and Facebook are more lightly regulated despite offering similar services and have called for the EU’s telecoms-specific rules to be repealed.
… Under the draft directive, over the top services will have to ensure the security and integrity of their services, including reporting breaches to authorities and having contingency plans and service continuity strategies.
… However, the proposal does allow for some of the security obligations to be lighter for services which, like WhatsApp, do not exercise control over the transmission of their services over telecom networks.
As I read this, I could post the links and not be infringing. Could commercial sites link to me?
EU court backs Playboy in Dutch hyperlinks copyright case
The European Court of Justice has ruled in favour of Playboy in a long-running case over hyperlinks to copyrighted content.
The Dutch website Geenstijl, operated by GS Media, had posted links to an Australian site that was hosting photographs from Playboy.
But the court ruled GS Media had broken copyright rules, in part because it was motivated by profit.
… now the court has ruled that GS Media's posting of the links was a "communication to the public" - making it subject to the stated checks and balances regarding copyright.
… "[W]hen hyperlinks are posted for profit, it may be expected that the person who posted such a link should carry out the checks necessary to ensure that the work concerned is not illegally published," it said.
… The decision itself is available here. [It may be copyrighted, I haven’t checked. Bob]
For my IT Governance class. What could you do to detect this?
Wells Fargo boots 5,300 employees for creating accounts its customers didn’t ask for
Wells Fargo agreed to pay the largest fine ever collected by the federal government’s new consumer protection agency after an investigation found its staff opened more than 2 million fake checking, credit card and other accounts for customers in order to meet sales targets and earn bonuses. The bank, one of the largest in the country, said it has fired 5,300 over the last five years for the conduct.
… the Wells Fargo scheme is striking because those accused included thousands of ordinary workers inside one of the country’s largest banks.
… CFPB Director Richard Cordray blamed Wells Fargo’s company culture for allowing the “reckless, unsafe or unsound practices.”
(Related?) You didn’t have to use this service?
Mastercard faces £14bn card fee claim
In 2014, the European Court of Justice ruled that regulators were right to condemn the cost of its interchange fees - the fees retailers pay banks to process card payments.
Mastercard lowered its fees but now faces a claim for damages for 16 years of charging from 1992 to 2008.
… Speaking to Radio 5 Live, Mark Barnett of Mastercard said that using card payments had reduced costs for consumers overall because it was cheaper than using cash, as there was no need to print notes and transport them across the country.
This might be worth a read.
This article is published via Passcode, the Modern field guide to security and privacy from The Christian Science Monitor: The cypherpunk revolution—How the tech vanguard turned public-key cryptography into one of the most potent political ideas of the 21st century, by Thomas Rid, July 20, 2016.
“…But amid the hype [in the 1990s with the fast growing impact of personal computers and the internet] and a slowly but steadily growing economic bubble, it dawned on a number of users that something was missing: privacy and secure communications. History, thankfully, was gracious. Even more than that: nature itself was generous to humans in front of plastic keyboards. Unrelated to either PCs or the internet, cryptographers had made a third and no less far-reaching discovery in the 1970s. They didn’t just invent a technology; more like explorers than innovators, they discovered an algorithm based on a beautiful mathematical truth. That truly revolutionary technology was finally unleashed for widespread public use in June 1991: asymmetric encryption, also known as public-key cryptography…”
Perspective. Can you name 9 ride sharing companies?
Today, we’re adding two more partners in the U.S., Lyft and Gett. Now Google Maps will display options from 9 ride-sharing partners in over 60 countries, allowing you to compare the fastest, most affordable ride near you, without having to download and open multiple apps.
It’s bad enough that the week before Finals is Free Pizza Week. I’m not going to duck drones too.
Google's Project Wing to deliver burritos to hungry students
Technology has been responsible for some truly life-changing advancements. Electricity. The internal combustion engine. The internet.
But ask a Virginia Tech student, and she might say that all those pale in comparison to what will be happening on that campus in the coming weeks: drone-delivered burritos. That's right -- Google is teaming up with Chipotle to deliver piping hot burritos by drone. It doesn't get much better than this, folks.
Thursday, September 08, 2016
Was this just a ploy to manipulate the stock price? Is St. Jude certain the claims are false? If not, are they doomed? Stay tuned!
St. Jude Medical Sues Short Seller Over Device Allegations
St. Jude Medical Inc. on Wednesday filed a lawsuit against Muddy Waters Capital LLC, claiming the research firm intentionally made false and misleading claims about its heart devices in order to profit from a decline in its stock.
The complaint, filed in U.S. District Court in Minnesota, also names MedSec, a cybersecurity startup whose work was cited by Muddy Waters, and some executives at both Muddy Waters and MedSec.
“We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again,” St. Jude Chief Executive Michael Rousseau said.
For my Ethical Hacking students.
USB Hacking Devices Can Steal Credentials From Locked Computers
Many users might think that leaving their computer unattended does not pose any security risks as long as the device is locked. However, researcher Rob Fuller has demonstrated that an attacker with physical access to the targeted device can capture its login credentials in just seconds as long as the machine is logged in.
The expert has tested the attack method using USB Armory and Hak5 LAN Turtle, two flash drive-size computers designed for penetration testing and various other security applications.
Fuller demonstrated how either of these devices can be set up to capture credentials from a locked, logged-in system by disguising them as a USB Ethernet adapter. Configuring the USB device to look like a DHCP server tricks the connected computer into communicating with it. These network communications, which include usernames and passwords, can be captured by installing Responder, an open source passive credential gathering tool, on the hacking gadget.
You know the rules don’t apply to them!
Eric Katz reports:
Customs and Border Protection released the personally identifiable information, including Social Security numbers, of thousands of individuals to dozens of federal agencies during an investigation of cheating on polygraph tests.
CBP violated some aspects of the Privacy Act in distributing the information across government, the Homeland Security Department’s inspector general found in its report. The agency collected and distributed information such as Social Security numbers, email and mailing addresses, and phone numbers of individuals who had purchased materials from two individuals who helped job applicants pass polygraphs.
Read more on Government Executive.
Should the insurance industry support this study?
Katie Courage reports on some research by Yashwant Malaiya, professor of computer science in the College of Natural Sciences at Colorado State University and Abdullah Algarni, a doctoral researcher in the same department.
Their research is oriented to developing a standard, public – and evolving – model that will permit more rigorous study on the costs of a breach.
Their work on the topic was published for the Second International Conference on Information Management earlier this year in London.
Read more on CSU.
Security consultants may be the way to go. Are you ready to invest enough to provide “adequate” security? (Is that the business you are in?)
Managed Security Services, a Mission and Service Evolution
… To address these new requirements for threat detection and incident response, as well as to help organizations overcome the challenges they face, new managed security services have emerged. Managed Detection and Response (MDR) services differ from traditional managed security services in three ways: speed, accuracy, and focus. Here’s how.
Why can’t governments manage application development? Should they even try? That is not why they exist! Another topic my IT Architecture students will debate.
Mike Lindblom reports:
Seattle’s new billing system for utilities, already afflicted by delays and cost overruns, launched Monday morning with a data flaw that sent 3,041 customers a link to other customers’ bills, including their names, addresses and energy or water use.
Along with the privacy breakdown, the city sent six to 12 redundant email notices to those same customers, marking new trouble for a computer update, nearly a year late, $34 million over budget, and expected to reach $100 million.
Read more on Government Technology.
The new normal? Didn’t Mickey lose a finger this way?
Sandra Pedicini reports:
Walt Disney World has begun requiring children from 3 to 9 years old to have their fingers scanned when they enter the theme parks, just like older kids and adults.
Disney said the new process will help block the use of stolen and shared tickets. Previously, kids’ tickets would have been easy to transfer because they had no finger images attached to them.
Parents who feel uncomfortable with having their kids’ fingers scanned can use their own instead.
Read more on Orlando Sentinel.
Will this make it harder for our students to research terrorism? If they persist, will they be flagged as security risks?
How Google aims to disrupt the Islamic State propaganda machine
… Jigsaw, the advanced research outfit created by Google, has developed a technology that would redirect anyone searching terms and phrases associated with supporting the Islamic State (known as IS or ISIS) to instead see antiextremist messages and videos.
… The effort dubbed the “Redirect Method” placed Islamic State-related search results next to ads that include links to videos denouncing the terrorist group and its tactics from leading Muslim clerics.
Interesting, but unlikely. Still, something for my IT Architecture students to consider.
The Next Industrial Revolution
A “crisis of abundance” initially seems like a paradox. After all, abundance is the ultimate goal of technology and economics. But consider the early history of the electric washing machine. In the 1920s, factories churned them out in droves. (With the average output of manufacturing workers rising by a third between 1923 and 1929, making more washing machines was relatively cheap.) But as the decade ended, factories saw they were making many more than American households demanded. Companies cut back their output and laid off workers even before the stock market crashed in 1929. Indeed, some economists have said that the oversupply of consumer goods like washing machines may have been one of the causes of the Great Depression.
What initially looked like abundance was really something more harmful: overproduction. In economics, as in anything, too much of a good thing can be problematic.
That sentiment is one of the central theses of The Wealth of Humans, a new book by the Economist columnist Ryan Avent about how technology is changing the nature of work. In the next few years, self-driving cars, health-care robots, machine learning, and other technology will complement many workers in the office. Counting both humans and machines, the world’s labor force will be able to do more work than ever before. But this abundance of workers—both those made of cells and those made of bits—could create a glut of labor. The machines may render many humans as redundant as so many vintage washing machines.
Another Architecture article.
India's richest man offers free 4G to one billion people
Indian consumers are already celebrating the arrival of Mukesh Ambani's new Reliance Jio service, seizing on the billionaire's promise to deliver rock bottom prices and download speeds that will enable streaming video.
The 4G network, which reaches more than 80% of the country, officially went live Monday with a set of generous introductory offers. Indians will be able to use Jio for free until the end of 2016, and pay as little as 149 rupees ($2.25) a month for data after that.
… It's a market that tech industry giants desperately want to crack. Google has installed free Wi-Fi at train stations across India, and Facebook tried to offer a free version of its platform.
… Rival networks have responded to the launch of Reliance Jio with special offers of their own, making a price war a near certainty. Airtel has slashed its prices for 3G and 4G service by 80%, and Vodafone has boosted the amount of data in its plans by nearly 70%.
For my geeks.
If it is not as successful as Pokémon, is it a failure?
Super Mario's iPhone Surprise Sends Nintendo Shares Soaring
… Investors are betting the new game, Super Mario Run, will be another mobile hit for the Japanese company akin to the wildly popular Pokemon GO, as it moves away from its console-focused strategy and embraces on-the-go gaming.
Is that new term really new?
Google Books Ngram Viewer Overview
The Google Books Ngram Viewer is a search tool that displays when and how often a term appears in books indexed by Google Books. By using the Ngram Viewer you can discover when a term starts to appear in literature, how often a term appears, and when a term loses popularity in literature.
Video Cliff Notes?
Two Crash Courses on Classic Literature
A few years ago John Green started a Crash Course series on classic literature. The early episodes featured Hamlet, The Great Gatsby, and The Odyssey amongst about a dozen other works. That series is embedded below.
This summer John Green began publishing a new set of Crash Course literature videos. The new series includes videos about Huckleberry Finn, Lord of the Flies, and 100 Years of Solitude. The new series is included in an oddly constructed playlist that for some unclear reason includes videos about physics, the Olympics, and gaming. Sort through the playlist and you'll find the literature lessons.
All of these videos include Green's commentary on the stories along with the summaries of key points in the plots. Much like Cliff Notes, watching these videos is not a replacement for actually reading the stories. You may also want to remind your students that Green's opinions about the stories are just that, opinions.
This makes me feel old.
Star Trek’s 50th Star Date Anniversary
Wednesday, September 07, 2016
“It’s not hacking if we just pay hackers for hacking.”
Denmark will pay an anonymous source for information about hundreds of Danish nationals mentioned in a data leak from a Panama-based law firm linked to tax-dodging schemes, the Danish minister of taxation said Wednesday.
Karsten Lauritzen welcomed the fact that parliament’s tax committee broadly supported the scheme, but noted “there is a risk when doing deals with an anonymous seller.”
Read more on About Croatia.
[From the article:
Jim Sorensen, a division head at the authority, told broadcaster DR that a sample received earlier this year proved to be credible.
"We feel the data is good and we can use it for tax cases and to get an overview of tax evasion in general," he said.]
There’s hacking and then there’s counter-hacking. You might even say it’s Ethical Hacking.
Hacker takes down CEO wire transfer scammers, sends their Win 10 creds to the cops
… The director of SEC Consult's Singapore office has made a name striking back at so-called "whaling" scammers by sending malicious Word documents that breach their Windows 10 boxes and pass on identity information to police.
Whaling is a well-oiled social engineering scam that sees criminals dupe financial controllers at large lucrative organisations. Whalers' main method is to send emails that appear to originate from chief executive officers, bearing instructions to wire cash into nominated bank accounts.
It works. The FBI estimates some $2.2bn (£1.7bn, A$2.9bn) in losses have arisen from nearly 14,000 whaling cases in the seven months to May this year. Some $800m (£601m, A$1bn) in losses occurred in the 10 months to August 2015.
… "Someone impersonated the CEO of an international company requesting urgent wire transfers and a couple of hours later they realise it was a scam … we worked together with law enforcement to trick the fraudsters," Lukavsky says.
"We sent them a prepared PDF document pretending to be transaction confirmation and they opened it which led to Twitter handles, usernames, and identity information."
"We were able to get the Windows 10 usernames and hashes which are tied by default to Outlook."
Those Windows 10 password hashes only last a few hours when subjected to tools like John the Ripper.
The information Lukavsky passed on to police from that attack late last year led to the arrest of the scammers located in Africa.
I agree with Dissent. Also, this is a very rare mention of Change Control as a security tool. Knowing that someone has modified your software might give you a clue that you have been hacked!
I occasionally come across breach notifications that impress me quite favorably.
This notification by Nourse Farms is a good example of a strong incident response described in a strong letter that will be more likely to reassure customers than infuriate them.
Wasn’t this already obvious?
Dustin Volz reports:
The U.S. Office of Personnel Management (OPM) did not follow rudimentary cyber security recommendations that could have mitigated or even prevented major attacks that compromised sensitive data belonging to more than 22 million people, a congressional investigation being released on Wednesday has found.
Two breaches at the federal agency detected in 2014 and 2015 were made worse by lax security culture and ineffective leadership, which failed to harness available tools that could have stopped or limited the intrusions, according to the report from the Republicans on the U.S. House of Representatives’ Committee on Oversight and Government Reform, a copy of which was seen by Reuters.
Read more on Reuters, keeping in mind that this was not a panel of our most respected security experts but a politically charged process. Not surprisingly, the Democrats did not concur with the Republicans. As Volz reports:
Representative Elijah Cummings, the top Democrat on the oversight panel, rejected the report’s findings in a memo to other Democrats. He claimed the report had factual deficiencies and did not account for mistakes made by federal contractors.
Infosecurity is hard enough without politicians who can’t even manage to fund urgently needed public health initiatives trying to score political points after a data breach.
All that said, do read Brian Krebs’ coverage of the report, as he pulls out the kind of findings that you may find interesting about what went amiss.
[It’s here: The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation]
(Related) Learn from the failure of others, what a concept!
The Denver Channel reports that Noodles & Company has been sued by financial institutions who allege that they suffered injury as a result of a data breach first reported in May – a breach they claim could have been avoided had Noodles & Company learned from all the hacks of other major retailers and deployed adequate security.
What should Congress know?
Classifieds website asks Supreme Court to block congressional subpoena
The classified advertising website Backpage.com is asking the Supreme Court to block a congressional subpoena for documents into the website’s process of screening for sex trafficking ads.
Backpage.com claims the court order violates CEO Carl Ferrer’s First Amendment rights.
“This case highlights a disturbing — and growing — trend of government actors issuing blunderbuss demands for documents to online publishers of content created by third parties (such as classified ads) in a manner that chills First Amendment rights,” the company claims in its petition to chief Justice John Roberts for immediate stay on Tuesday.
… The October 2015 subpoena seeks any documents concerning the website's editing of ads, relating to its policies, manuals, memoranda, and guidelines, as well as any material involving “reviewing, blocking, deleting or modifying” ads, according to court documents.
“The record suggests Backpage would not have been the target of PSI’s fishing expedition if it did not host ads that some find distasteful.
The Balkanization of data? Take that, government subpoena!
Azure, Office 365: Microsoft's two new cloud regions tackle data privacy issues
Microsoft has officially opened two new cloud regions, offering Azure and Office 365 from multiple datacenter locations in the UK for the first time.
The new UK regions take to 28 the number of Microsoft generally-available regions for its cloud infrastructure and platform services.
For UK enterprise customers, the regional services are also designed to provide a better option for meeting requirements to store certain data locally.
… However, Microsoft is also taking a different approach to providing its services in Europe. Two of Microsoft's six new regions include two new datacenters in Germany slated for launch by the end of the year.
These two German regions will be operated by 'data trustee' Deutsche Telekom subsidiary T-Systems. Under this arrangement, Microsoft won't have access to customer data and any government request for such data will need to go through T-Systems.
Would you call the ACLU “activists?”
Activists to FBI: Show Us Your Warrant for Mass Hack of TorMail Users
Mass hacking is now one of the FBI's established tactics for fighting crime on the dark web. In February 2015, the agency hit at least 4,000 computers all over the world in an attempt to identify visitors of a child pornography site.
But questions remain about another FBI operation from 2013, in which the agency may have hacked users of a dark web email service called TorMail even if they weren’t suspects of a crime. Now, the American Civil Liberties Union (ACLU) is trying to unseal the court docket sheet containing the search warrant used to deploy malware against users of the service. If the ACLU were then to get access to the warrant itself, it may reveal the true scale of the FBI’s controversial hacking campaign.
(Related) King George didn’t need no stinking warrant!
Lindsay Whitehurst reports:
The Drug Enforcement Administration wants to block the American Civil Liberties Union of Utah from stepping into a court case over whether investigators can do warrantless searches of a database of all prescription drug records in the state.
More than 40 states keep similar databases, but Utah recently passed a law requiring investigators to get a warrant before they search it.
DEA lawyers argue they’re exempt from that law because they’re a federal agency, but state officials contend they have to follow it like other investigators.
Read more of AP’s report on the Salt Lake Tribune.
Some teens hide their texts; the parents of some of them find ways to hack into those texts. Are we talking about a significant number?
So kids take steps to protect their privacy, and rather than respect that, some parents take countermeasures to invade their privacy in the name of protecting them?
Parents are using spyware in an effort to monitor their children’s social media interactions.
CBS2’s Emily Smith reported different types of spyware can combat against free apps that hide texts and phone calls children don’t want their parents to see. One app looks like a calculator with a percentage sign next to it.
Marlowe said once a child starts paying for their cellphone it’s time for parents to take a step back, but until that day, parenting experts said it’s all fair game.
Experts added that at the very least parents should have their children’s passwords and know what to look for in the ever-changing digital world.
Read more on CBS.
“At the very least, parents should have the passwords?” I never once asked my kids for their passwords. What a terrible parent I was…
A model for selling used textbooks? Garage sales R us?
Japan’s Mercari Brings Its Bazaar App to the U.S.
TOKYO—In an increasingly competitive global e-commerce market, it is rare for an Asian startup to challenge American giants such as Amazon.com Inc. and eBay Inc. on their own turf.
That is what Tokyo-based Mercari Inc. is trying to do with its app for people buying and selling used goods like $35 purses and $15 videogames—and it is making some inroads.
Downloads of Mercari’s flea-market app reached 19 million in the U.S. at the end of August, up from 12 million a month earlier, the company said Tuesday. Downloads in Japan have climbed to 35 million. At one point recently, Mercari’s app rose as high as No. 3 in rankings for U.S. downloads, according to analytics firm App Annie.
… Significantly, Mercari focuses almost exclusively on smartphone users—a big difference from other used-goods sites like eBay and Craigslist that date back to the desktop computer era. The app is designed so sellers can upload photos quickly and buyers can make one-click purchases. It also handles the payment process.
Once a buyer purchases a listed item, the money goes first to Mercari, which informs the seller that payment has been received, greenlighting shipment. The seller is paid only after the buyer confirms receipt—preventing instances where sellers pocket payments without shipping anything.
It is certainly making my grading of papers a real pain in the butt.
Bad Writing Is Destroying Your Company’s Productivity
… I surveyed 547 businesspeople in the first three months of this year. I looked specifically at people who write at least two hours per week in addition to email. They told me that they spend an average of 25.5 hours per week reading for work. (About a third of that is email.)
And 81% of them agree that poorly written material wastes a lot of their time. A majority say that what they read is frequently ineffective because it’s too long, poorly organized, unclear, filled with jargon, and imprecise.
Entry-level employees get little training in how to write in a brief, clear, and incisive way. Instead, they’re immersed in first-draft emails from their managers, poorly edited reports, and jargon-filled employee manuals. Their own flabby writing habits fit right in. And the whole organization drowns in productivity-draining blather.