Saturday, October 22, 2016

The future I’m trying to prepare my IT Governance students for.
When the Entire Internet Seems to Break at Once
For more than two hours on Friday morning, much of the web seemed to grind to a halt—or at least slow to dial-up speed—for many users in the United States.
More than a dozen major websites experienced outages and other technical problems, according to user reports and the web-tracking site  They included The New York Times, Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast, EA, the Playstation network, and others.
How was it possible to take down all those sites at once?
Someone attacked the architecture that held them together—the domain-name system, or DNS, the technical network that redirects users from easy-to-remember addresses like to a company’s actual web servers.  The assault took the form of a distributed denial-of-service attack (DDoS) on one of the major companies that provides other companies access to DNS.  A DDoS attack is one in which an attacker floods sites “with so much junk traffic that it can no longer serve legitimate visitors,” as the security researcher Brian Krebs put it in a blog post Friday morning.

How Much Will Today’s Internet Outage Cost?
   For more than one-third of companies, a single hour of a DDoS attack can cost up to $20,000, according to a 2014 report by the security firm Imperva Incapsula.  (For some companies, the cost of an attack can exceed $100,000 per hour.)  Given that the majority of attacks continue for more than six hours, these losses add up quickly.  In a particularly stark example, the airline Virgin Blue lost $20 million in period of IT outages that spanned 11 days in 2010.
Other estimates have been even more dramatic.  One 2012 study, by the Ponemon Institute, a security and data protection researcher, found the average company’s cost for every minute of downtime during a DDoS attack was $22,000.  (“However, the cost can range from as little as $1 to more than $100,000 per minute of downtime,” the report said.)

Another one bites the dust.
Lisa Vaas reports:
We already know that if you threaten to shoot up a school on the ostensibly anonymous social media messaging platform Yik Yak, the law will come knocking, and that gossamer veil of not-really privacy will be shredded. 
Now, researchers have found that Yik Yak anonymity can be erased even without a warrant or Yik Yak’s compliance with US laws that force it to turn over user information.  The researchers did it by relying on publicly available location data from the app, mixed with location-spoofing and message-recording on a device outfitted with simple machine learning.
Read more on Naked Security.

For my Architecture and Governance students.  Would you have a way to prevent this?
Sulina Gabale and Jason Gordon of Reed Smith write:
This month, the Indianapolis Colts, app developer Yinzcam, Inc., and ultrasonic technology provider Lisnr, Inc., were hit with a federal class action lawsuit in Pennsylvania for violating the Electronic Communications Privacy Act by allegedly allowing the Colts fan app to listen in on users’ personal phone conversations, and use that information for advertising purposes without obtaining adequate consent.
The app provides Colts fans with team stats, scores, and other relevant news.  The app also uses Lisnr, a service that utilizes web beacons, ultrasonic frequencies and audio signals in order to allegedly track how users interact with advertisements.  The complaint alleges that Lisnr’s software determines a user’s precise location by activating the user’s built-in microphone, and listening for nearby Lisnr audio beacons in order to allow the Colts app to target specific consumers and send them tailored content, promotions and advertisements based on their location.

A cost/benefit analysis.
Gigabites: An Unexpected Gig Gift
   Who needs a gigabit anyway?  Well it turns out that even if you're not planning to buy up every virtual reality application coming to market, there's still a very good reason to hope gigabit broadband makes it to your neighborhood.  A new study by the Fiber-to-the-Home (FTTH) Council finds that when a city gets gigabit service, the cost for other broadband speed tiers goes down.
In the top 100 US markets, the FTTH Council reports that the price for broadband speed tiers of 100 Mbit/s or more drops by about 25% when there's also a gigabit service on offer.  That percentage equates to about $27 per month, and it goes even higher when more than one gigabit service is available.  According to the Council, when there are two gigabit providers in a region, the average price of secondary speed tiers drops in the range of 34% to 37%, or $57 to $62 per month.

Something to amuse my student geeks.
2017 will be the year of interactive email
   Virtually no one knows interactive emails are even technically possible
Since emails have no JavaScript, the programming language behind most web interactions, we tend to think of emails as a “read-only,” one-way channel; good for sharing calls to action that get people back to your website.
If you think this, you are completely wrong.
CSS3 does allow for basic interactions, like switching tabs, without any JavaScript at all.  Mark Robbins of RebelMail describes a technique called “Punch Card Coding” that uses CSS alone to allow users to click buttons that change what they see on screen, essentially by having every permutation as a different “tab.”
The following GIF shows interaction within a shopping cart inside the email client.
The “buy now” button takes the user directly to online payment.  This is a really big deal.  There’s no need to download and install a separate app.  No need to sign-in to an account.  All you need to distribute this simple application is an email address.

Is it just me or are we seeing a lot of mergers nearing the $100 billion dollar mark?
That Was Quick: AT&T to Buy Time Warner for $85B
Late Friday, AT&T and Time Warner were reported to have entered an agreement in principle for the former to take over the latter for $85 billion.
Thomson Reuters cited unnamed sources who said AT&T Inc. (NYSE: T) is set to pay $110 a share.  With some legal jots and tittles left to take care of, the deal could be finalized as early as Sunday.

Interesting how they can cling to (huge) profitability.  
The real reason Big Tobacco is getting even bigger
British American Tobacco said on Friday that it has offered to buy U.S. tobacco giant Reynolds American in a $47 billion deal that would create the world’s largest publicly traded tobacco company.
   The new company would enjoy a “leading position in the US tobacco market” and “significant presence in high growth emerging markets across South America, Africa, the Middle East and Asia,” the company wrote.
   Vivian Azer, an analyst with the Cowen Group, said that tobacco companies are currently in a strong position.  In the US, “tobacco profits have accelerated for three consecutive years,” she said.  She attributes that primarily to the ability of tobacco companies to raise prices in order to compensate for a diminishing number of customers.
The deal also would help the combined company capitalize on a growing customer base.  British American Tobacco said that the merger would also create “a world class pipeline of vapour and tobacco heating products,” such as e-cigarettes.

Ah, it must be Saturday!
Hack Education Weekly News
   Via The Chronicle of Higher Education: “A Closer Look at Income-Based Repayment, the Centerpiece of Donald Trump’s Unexpected Higher-Ed Speech.”
   Via The New York Times: “The New Jersey State Senate on Thursday unanimously approved a bill requiring the state’s student loan agency to forgive the debts of borrowers who die or become permanently disabled.”
   Anne Trubek writes in the JSTOR Daily about “Student Writing in the Digital Age,” drawing on a study by Andrea and Karen Lunsford.  Among the findings: “Students in first-year composition classes are, on average, writing longer essays (from an average of 162 words in 1917, to 422 words in 1986, to 1,038 words in 2006), using more complex rhetorical techniques, and making no more errors than those committed by freshman in 1917.”
   Via Edsurge: “The Top Skills Employers Need in 2016, According to LinkedIn.”

Friday, October 21, 2016

So simple, even a caveman could do it?  So easy to avoid, why can’t a politician do it?
Lorenzo Franceschi-Bicchierai reports:
On March 19 of this year, Hillary Clinton’s campaign chairman John Podesta received an alarming email that appeared to come from Google.
The email, however, didn’t come from the internet giant.  It was actually an attempt to hack into his personal account.  In fact, the message came from a group of hackers that security researchers, as well as the US government, believe are spies working for the Russian government.  At the time, however, Podesta didn’t know any of this, and he clicked on the malicious link contained in the email, giving hackers access to his account.
Read more on Motherboard.

“We don’t know what happened but we’re ‘improving security.’”  Sounds like they had waited on some security measures they knew they should have implemented.  Typical.
Weebly Breach Affects Over 43 Million Users
Hackers have managed to steal information associated with more than 43 million accounts belonging to customers of Weebly, a San Francisco-based web hosting service that provides a drag-and-drop website builder.
According to LeakedSource, the attackers stole 43,430,316 accounts after breaching the company’s systems in February.  The compromised information includes usernames, email addresses, IPs and password hashes.
Weebly has been in touch with LeakedSource and confirmed that the exposed information is genuine.  The company has notified affected users and reset their passwords.  On its website, Weebly claims to have more than 40 million users, which indicates that the breach has affected a large majority, if not all, of its customers.
Weebly is still trying to determine the cause of the breach, but the company says it has already started improving network security.

Update.  On Wednesday I posted they had lost a mere 600,000.  Funny how these breaches seem always to grow worse.
Millions of Indian debit cards 'compromised' in security breach
A number of major Indian banks are taking safety measures amid fears that the security of more than 3.2 million debit cards has been compromised.
Some of the affected banks have been asking their customers to change security codes.  They are also blocking and replacing debit cards.
The breach is thought to have been caused by malware on an ATM network.     
Some customers are complaining that large sums of money have been taken from their accounts.
Indian banks have issued nearly 700 million debit cards.
   But while the government has been trying to sell cards as a risk free method of payment compared to using physical money, not many are convinced that banks are taking enough cyber security measures. [Exactly what my students told me.  Bob]

Hackers learn.  Do businesses?
Twitter and Much of The Internet Suffered a Meltdown on Friday
   Twitter users reported getting a DNS error message.  But the DNS snafu was much bigger than Twitter.  On its status page, Amazon Web Services said it was looking into “elevated errors resolving DNS host names used to access some AWS services” in its massive U.S. east region operating out of data centers in Northern Virginia.
   Popular tech site Hacker News reported many other sites were affected including Etsy, Spotify, Github, Soundcloud, Dyn, and Heroku were also affected.

Blockchain is the new “big thing.”
Visa Taps Blockchain for Cross-Border Payment Plan
Visa Inc. is putting a bitcoin-style network to work as it aims to take on a new market, the large and complex cross-border payments made between businesses.
The new offering, Visa B2B Connect, will use technology developed in partnership with Chain Inc., a tech startup in which Visa is an investor.  Chain is one of a handful of firms aiming to use the same type of network that records moves of cryptocurrency bitcoin, known generally as a blockchain, for other assets such as stocks and payments.
   Visa and Chain’s system represents a new effort to challenge the Swift messaging network as the dominant method for moving large sums of money across borders between banks on behalf of businesses.  Swift has been the subject of recent high-profile hacks and is under intensive regulatory scrutiny.

(Related) Something my students can play with.
R3's Corda Blockchain Platform Goes Open-Source
Blockchain is variously described as the future of computing or a hype bubble that has already burst, depending on which author you read.  In the Fiancial Times (FT), 14 October, 2016, Oliver Bussmann wrote, "As the former group chief information officer of UBS, where we championed blockchain early on, and as an adviser to banks and fintech companies today, I am cautious.  My experience tells me it may be a while before we see large-scale adoption in the financial industry."  This is not the hope of R3, a finance technology firm that includes a consortium of more than 70 of the world's leading financial institutions.
This week R3 announced that its Corda platform source code will be released as open-source to the Hyperledger project -- a Linux Foundation Collaborative Project seeking to advance blockchain technology. 

The new politics?  Support you candidate by writing a bot? 
A third of pro-Trump tweets are generated by bots
University researchers who track political activity on Twitter have found that traffic on pro-Trump hashtags was twice as high as pro-Clinton hashtags during the first presidential debate.
But the team of academics, led by Oxford University professor Philip Howard, also found that 33% of pro-Trump traffic was driven by bots and highly automated accounts, compared to 22% for Clinton.

Thursday, October 20, 2016

The hits keep coming!  It never rains but it pours.  Murphy was an optimist.
Caleb Pershan reports:
California Attorney General Kamala Harris is leading an investigation into whether criminal identity theft took place at Wells Fargo, a bank embroiled in a scandal that may involve up to two million bank and credit card accounts allegedly created without customers’ approval as part of an unscrupulous, sales-driven corporate culture.
The LA Times has learned through a public records request of a warrant served on October 5th to search Wells Fargo’s San Francisco headquarters.
Read more on SFist.

There are many ways that governments can interfere with businesses.  Consider the impact of a government that suggests Microsoft was helping them spy on Brazil, for example. 
Microsoft allows Brazil to inspect its source code for ‘back doors’
Microsoft, still stung by accusations that it installed “back doors” for the U.S. government to access customers’ communications, opened a center in Brazil on Wednesday where officials will be able to inspect its programming code, in an attempt to allay suspicions in the region that its software programs are vulnerable to spying.
Behind reinforced walls and with strict security settings, the world’s biggest software company showed off its fourth ‘Transparency Center’ in Brasilia, where experts from Latin American and Caribbean governments will be able to view the source code of its products.
   At the new site, visited on Wednesday by officials including the speaker of Brazil’s Congress, no electronics will be allowed into the secure viewing room. [Because no one understands the intricacies of operating systems like a politician!  Bob]
Microsoft prevents anyone from copying the massive amount of coding on display – as much as 50 million lines for its email and server products.  Viewers inspect copies of source code on computers connected only to local servers and cut off from the internet.  The copies are later deleted. [This is refered to as “hiding the evidence.” Bob]
Viewers can use software tools to examine the code, Microsoft said, but it was not immediately clear whether experts would be able to run deep code analysis necessary to uncover back doors or other bugs. [So how will they prove to themselves that there are no back doors?  Bob]
   The Brasilia facility is Microsoft’s fourth transparency center after the NSA scandal.  It set up the first one at its Redmond, Washington headquarters in the United States in 2014, one in Brussels last year and one in Singapore earlier this month.  It will soon open another in Beijing.

Flailing about?  My students agreed they would walk away from the deal for Verizon to buy Yahoo.  The problem is, if Verizon wants to compete with Google and Facebook, they need a company like Yahoo.  Who else is there?
Yahoo demands ‘transparency’ from National Intelligence director over security order
Yahoo revealed on Wednesday that it has submitted a letter to the Director of National Intelligence (DNI) James Clapper demanding transparency involving national security orders issued to tech companies around obtaining user data.  The move is intended to provide citizens insight about what the U.S. government is looking for.
The company acknowledged that while its communication makes “specific reference to recent allegations” levied against it, “it is intended to set a stronger precedent of transparency for our users and all citizens who could be affected by government requests for user data.”  Yahoo once again denied reports that stated it secretly scanned customer emails on behalf of the intelligence community: “The mail scanning described in the article does not exist in our systems.” [Not one of those broad denials… Bob]

Do they know something we don’t know?  Does this have anything to do with Russian hackers? 
Regulators to Toughen Cybersecurity Standards at Nation’s Biggest Banks
U.S. regulators on Wednesday unveiled an initial plan to bolster the ability of the country’s largest banks to withstand a major cyberattack, a move aimed at protecting the U.S. financial system in the event of a technology failure.
The plan, released jointly by the Federal Reserve, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency, would strengthen the way agencies oversee how large U.S. banks and foreign banks operating in the U.S. with $50 billion or more in assets manage and address threats to cybersecurity.
   The draft plan would impose the toughest restrictions on firms considered to pose the greatest risk to the financial system.  Those firms would have to prove they can get their core operations running within two hours of a cyberattack or major IT failure.  The new rules also would apply to nonbank financial companies deemed systemically risky by a panel of regulators headed by Treasury Secretary Jacob Lew.

This is one of those subject that I honestly have not begun to think about.
Orin Kerr writes:
I’ve blogged twice before about whether it is a Fourth Amendment search for the government to scan the magnetic stripe of a seized credit card.  In my view, the answer is yes.  But the cases so far are coming out the other way: The Sixth Circuit held that the answer is no, as did a divided Eighth Circuit panel.
The Fifth Circuit has now ruled on the question.  In an opinion by Judge Gregg Costa involving gift cards, United States v. Turner, the court agreed with the Sixth Circuit and the Eighth Circuit that scanning the magnetic stripe is not a search.
I’m a fan of Judge Costa’s work, but I think this decision is wrong.  I thought I would expand on my prior posts and say more on why it’s wrong — and why I think it matters.
Read more on The Volokh Conspiracy.

Perspective.  I never would have bet that this could happen.  Why can’t taxis adapt?
Uber and Lyft Are Now Bigger than Taxis and Rental Cars Combined
For the first time in the third quarter of 2016, more business travelers are choosing ride-hailing services like Uber and Lyft than traditional taxis and rental cars combined, according to statistics from the expense report software company Certify.
Of the over 10 million ground transportation receipts Certify processed during the three months that ended in September, 52% of them were for the two ride-hailing services, VentureBeat reports.  Uber was the overwhelming victor, with 48% compared to Lyft’s 4%. The numbers cover North America.
   The numbers showing ride-hailing becoming the dominant business transportation option come just a day after Uber co-founder and CEO Travis Kalanick said at Vanity Fair’s New Establishment Summit in San Francisco that the ride-hailing giant had reached than 40 million monthly active riders worldwide.  He added that he company paid out between $1.5 billion and $2 billion to drivers in the last month, after taking its cut, and that an average Uber rider spends $50 monthly on the service.

For my Architecture students.  This may be the world you will work in.
Gartner’s 10 strategic predictions for 2017….and beyond
The overarching theme, Plummer said, is digital disruption, which is not only happening, but is increasing in scale over time.  Here are the 10 predictions:
1.      By 2020, 100 million consumers will shop in virtual reality.
2.      By 2020, 30% of web browsing sessions will be done without a screen.
3.      By 2019, 20% of brands will abandon their mobile apps.
4.      By 2020, algorithms will alter behavior of billions of global workers in a positive way.
5.      By 2022, a blockchain-based business will be worth $10 billion.
6.      By 2021, 20% of activities will involve at least one of the seven digital giants.
7.      Through 2019, every $1 that enterprises invest in innovation will require an additional $7 in core execution.
8.      Through 2020, the Internet of Things will increase data center storage demand by less than 3%.
9.      By 2022, IoT will save consumers and businesses $1 trillion a year.
10.  By 2020, 40% of employees can cut healthcare costs by wearing a fitness tracker.

Blockchain keep popping up.  I keep finding new perspectives on how it will be used.
How the Blockchain Could Change Corporate Structure
UP UNTIL NOW, a centralized company has been the best way to create a network that solves a large need: Uber connected riders with drivers, banks connected savers with borrowers, and Twitter connected content writers with content consumers.  But thanks to the invention of the blockchain, we will no longer need central companies to act as the middleman.  The business models of the future will be software protocols developed, governed and owned by the communities they support.
   Every centralized company based on a network has to overcome the chicken-and-egg problem regarding customer acquisition: No riders want to start using an Uber network with just one driver, and no one wants to drive for an Uber network with no riders.  The successful companies often have bizarre tales of how they overcame this problem.  Uber individually coordinated private black-car drivers, Facebook ripped Harvard’s student pages, and Twitter convinced a few celebrities to start blasting content.  But many more would-be useful networks failed before they ever got started.
The decentralized blockchain model circumvents this problem by incentivizing early adopters, who are rewarded if the network grows, not just the central company that owns it.  Imagine if the first Uber drivers and riders had gotten a stake in the network.  This model will be applied to other services, such as a Dropbox disrupter where you can pay to store your files or get paid to contribute your hard-disk space, or decentralized global marketplaces where payments are escrowed on a blockchain.

I’ve been wondering what I should do with all those violins I’ve been collecting.

Wednesday, October 19, 2016

My Governance students should learn from this, before it comes out of their salaries.
St. Joseph Health (SJH) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following the report that files containing electronic protected health information (ePHI) were publicly accessible through internet search engines from 2011 until 2012.  SJH, a nonprofit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry, will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan.
…On February 14, 2012, SJH reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that certain files it created for its participation in the meaningful use program, which contained ePHI, were publicly accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines.  The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an internet connection to access them.  Upon implementation of this server and the file sharing application, SJH did not examine or modify it.  
   The Resolution Agreement and Corrective Action Plan may be found on the OCR website at
Note that this incident was covered on this site back in 2012. A settlement of a class-action lawsuit stemming from the breach was announced in March of this year.

Failure to use Best Practices?  
Andrew Blake reports:
A Republican Party website that sells bumper stickers and T-shirts advertising presidential candidate Donald Trump was compromised earlier this year by hackers who spent several months silently stealing credit card details and other personal information from purchasers, according to a Dutch security researcher.
The digital storefront used by the National Republican Senatorial Committee (NRSC) to sell products ranging from “Never Hillary” stickers to “Make America Great Again” bracelets was compromised for nearly six months starting March 16, researcher Willem de Groot wrote in a recent report.
Read more on Washington Times.

Gosh, how unexpected!
Mirai Increasingly Used for DDoS Attacks After Source Code Leak
The first reports about Mirai were largely ignored by the industry, but the massive distributed denial-of-service (DDoS) attacks launched against the website of journalist Brian Krebs and hosting provider OVH brought the Trojan into the spotlight.
When he decided to release the source code, the author of Mirai claimed his creation had infected as many as 380,000 devices, but the number had started to drop after the malware made the news.
Researchers at Level3 Communications have been monitoring Mirai and determined that the number of bots more than doubled following the source code leak.

Another look at an Ethical Hacking resource.
Sandra Chereb reports:
Auditors delayed release of a report detailing security vulnerabilities in state databases to protect the information of tens of thousands of current and former state employees and their beneficiaries, a legislative committee was told Tuesday.
Douglas Peterson, information systems audit supervisor, told the Legislative Audit Subcommittee it was the first time he can recall in 20 years with the state that a decision was made to withhold an audit until problems are fixed.
Read more on the Las Vegas Review-Journal.
How bad was it, you wonder? From the key findings of the audit:
Confidential information about state employees was stored unencrypted in the Division’s databases, increasing the risk of unauthorized access of this information.
… State security standards require that confidential personal data be encrypted whenever possible.
   Enterprise Information Technology Services (EITS) support staff, who manage the Division’s databases, indicated they were not aware that there was a requirement to encrypt this information.

…and a Computer Security resource.
17 October 2016
The Hague
More than 2 500 victims were able to decrypt their devices thanks to No More Ransom
Just three months after the successful launch of the No More Ransom project, law enforcement agencies from a further 13 countries have signed up to fight ransomware together with the private sector.
   More law enforcement agencies and private sector organisations are expected to join the programme in the coming months.  Their collaboration will result in more free decryption tools becoming available, helping even more victims to decrypt their devices and unlock their information, and damaging the cybercriminals where it hurts the most: their wallets.
   The aim of the online portal is to provide a helpful resource for victims of ransomware.  Users can find information on what ransomware is, how it works and, most importantly, how to protect themselves.
SOURCE: Europol 

Something for my IT Governance students from India.  Have they been informed?
Sugata Ghosh and Sachin Dave report:
A month ago, an official of Axis Bank– India’s third largest private sector lender — received an unexpected telephone call. The caller, an engineer at Kaspersky Lab, the well-known Moscow-headquartered cyber security firm, rattled off the names of several Axis computers which, he claimed, have been breached.
The Kaspersky man said his firm had stumbled on the information in the course of a separate probe. When an Axis team looked into the bank’s servers, it found out that there was indeed an unauthorized login by an unnamed, offshore hacker.

ToI reports:
Pune: In one of the biggest card replacements in Indian banking, State Bank of India has said that it will re-issue around six lakh debit cards to customers, which have been blocked following a malware-related security breach in a non-SBI ATM network.
“It’s a security breach, but not in our banks’ systems.  Many other banks also have this breach — right now and since a long time,” Shiv Kumar Bhasin, SBI’s chief technology officer (CTO), told TOI, adding that customers who used their cards only at SBI-run ATMs have not been affected by this.  “A few ATMs have been affected by a malware.  When people use their card on infected switches or ATMs, there is a high probability that their data will be compromised,” Bhasin said.
Read more on Times of India.
Note: 6 lakh = 600,000 

Perspective.  (How do I encrypt my face?)
Half of American Adults Are in Police Facial-Recognition Databases
   These findings were published Tuesday in a report from Georgetown Law’s Center for Privacy and Technology.  It details the results of a year-long investigation that drew upon more than 15,000 pages of records obtained through more than 100 freedom-of-information requests.
The study’s authors—Clare Garvie, Alvaro Bedoya, and Jonathan Frankle—attempted to fill in large gaps in public knowledge about how facial-recognition technology is used, and the existence of policies that constrain how police departments can use it.  Some details about the FBI’s use of facial scanning were previously known, but the scale of local and state law-enforcement involvement is only now starting to come to light.
   Only five states have any laws that touch on how law enforcement can use facial recognition, and none of them take on more than one aspect of the issue, the report found.

Yes, Colorado has laws.
David Raths reports:
To help school administrators, families, technology companies and state legislators sort through the patchwork quilt of state legislation on student privacy, the Center for Democracy & Technology (CDT), an advocacy group, has developed a state-by-state survey of student privacy laws in partnership with the law firm BakerHostetler.
THE Journal recently spoke with Michelle De Mooy, the acting director of CDT’s Privacy & Data Project, about the survey’s findings.  In its review on student privacy legislation in all 50 states and the District of Columbia, CDT found that California is the model in terms of comprehensiveness, with clear requirements about data retention limits and data security programs.  “California’s Student Online Personal Information Protection Act is definitely a model for updated student privacy protection, we think,” said De Mooy.
Read more on T|H|E Journal

This is brilliant, but unlikely to get to enough airports fast enough to keep customers happy.  Would “global flash services” be a profitable enterprise?
Samsung Sets Up Galaxy Note 7 Exchange Stations At Airports Around The Globe
  The exchange booths first appeared in South Korea at the Incheon International Airport.  The stations have now appeared throughout the world.  Flyers have reported exchange booths at LAX and San Francisco International Airport, while the Samsung Australia page directs flyers to stations at seven different airports.  Rumor has it that these exchange booths will be coming to the United Kingdom soon.  

For my IT Architecture students.
Banking group unveils guidelines for new financial technology
The American Bankers Association (ABA) released its FinTech playbook, standards for banks to follow as they adopt new technologies to expand their services.

The future?  If it works in Europe, can it work here?
Amazon Eyes Internet Service Offering is considering offering internet service directly to consumers in Europe, said a person briefed on the discussion.  That would allow Amazon to bundle internet access with its Prime streaming video offering, the person said, making it more competitive with cable operators which already offer a similar broadband-video package.

Something for my students to consider.
   the truth is that companies rarely succeed by adapting to market events.  Rather, successful firms prevail by shaping the future.  That can’t be done through agility alone, but takes years of preparation to achieve.  The truth is that once you find yourself in a position where you need to adapt, it’s usually too late.

Are they right about cash? 
Apple's Next Goal Is Killing Paper Money Once and For All
Apple CEO Tim Cook has an idea for the future—eliminating cash.
Apple Pay could be the “catalyst” that ultimately gets the world to switch from cash to digital payments, he told the Japanese news service Nikkei in an interview published on Monday.
“We would like to be a catalyst for taking cash out of the system,” Cook said.  “We don’t think the consumer particularly likes cash.”

This will make the next Apple Super Bowl ad amusing.  Imagine Microsoft ninjas sneaking into the Patriot locker room and deflating all the footballs… 
New England Patriots coach Bill Belichick puts Surface tablet on the inactive list
In the National Football League’s march toward technology, Bill Belichick is calling a timeout.
The New England Patriots head coach says he’s “done” with Microsoft’s Surface tablets, the devices that line NFL sidelines during games to help players and coaches review images of past plays.
“They’re just too undependable for me,” he said in a rant at a press conference that reporter Zack Cox of NESN clocked at 5 minutes, 25 seconds long.  The tirade eventually touched on a range of Belichick’s concerns with the NFL’s technology regime.
Belichick, a winner of four Super Bowls, including the championship game in 2015 against the Seattle Seahawks, says he’ll stick with paper printouts from here on out.
Microsoft in 2014 inked a five-year sponsorship deal with the NFL for a reported $400 million.

Believe it or not, we have a very active student Movie Club that streams movies on the huge TV/white boards we have.
   Vudu is a offering a sweet deal here.  Although a Vudu account IS required, you don’t even need to have payment information on file to access the free, ad-supported content.  So while Vudu’s ultimate goal is to draw you into buying or renting other movies or TV shows, at least it isn’t being too pushy about it.

Tuesday, October 18, 2016

It seems that this should be a simple fix – just check for a valid “Installer.”  But that may be impossible.
Hundreds of Thousands of Android Trojans Installed from Unknown Sources Daily
Tens of millions of applications are being installed on users’ smartphones daily, but nearly one third of them come from sources that cannot be tracked, and most of the mobile Trojans are installed via these unknown sources, researchers say.  However, some malicious apps also slip into Google Play, while other malware might come pre-installed on mobile devices right out of the box, Cheetah Mobile says.
[From the Cheetah report:
According to the statistics, about 1/3 applications are downloaded and installed to users’ phones without setting ‘installer’, meaning that the sources of these apps cannot be tracked.

Now that they acknowledge their crime it’s no longer a crime? 
Privacy International challenge of UK hacking operations
by Sabrina I. Pacifici on Oct 17, 2016
PCWorld: “The U.K.’s spy agencies breached the European Convention on Human Rights for years by secretly collecting almost everything about British citizens’ communications except their content, a U.K. court has ruled.  However, now that the U.K. government has admitted what it is doing, the collection is legal, the Investigatory Powers Tribunal ruled Monday.  It has yet to rule on the issue of proportionality, or whether the agencies’ actions were reasonable given the threat they sought to counter.  Responding to a June 2015 complaint by campaign group Privacy International, the tribunal said the secret intelligence agencies had breached the ECHR for years because of the way they gathered bulk communications data (BCD) and bulk personal data (BPD)…”

I think I posted this before, but I have a new class of IT Governance students who probably haven’t seen it yet.
The OPM breach report: A long time coming
   Hackers, said to be from China, were inside the OPM system starting in 2012, but were not detected until March 20, 2014.  A second hacker, or group, gained access to OPM through a third-party contractor in May 2014, but was not discovered until nearly a year later.
These and dozens of other depressing details are in a timeline that is part of a 241-page report released last month by the House Committee on Oversight and Government Reform, bluntly titled, “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation.”

Kinda like a “Get out of jail free” card!  
FTC says it may be unable to regulate Comcast, Google, and Verizon
The Federal Trade Commission is worried that it may no longer be able to regulate companies such as Comcast, Google, and Verizon unless a recent court ruling is overturned.
The FTC on Thursday petitioned the 9th US Circuit Court of Appeals for a rehearing in a case involving AT&T’s throttling of unlimited data plans.  A 9th Circuit panel previously ruled that the FTC cannot punish AT&T, and the decision raises questions about the FTC’s ability to regulate any company that operates a common carrier business such as telephone or Internet service.
While the FTC's charter from Congress prohibits it from regulating common carriers, the agency has previously exercised authority to regulate these companies when they offer non-common carrier services.  But the recent court ruling said that AT&T is immune from FTC oversight entirely, even when it’s not acting as a common carrier.

Why didn’t I think of this?  So simple even a cave man can do it? 
Voyager and Microsoft Ventures invest $9M in business text messaging platform Zipwhip
   Zipwhip’s technology lets companies text their customers from the web, desktop computers and smartphones, working across the U.S. wireless carriers.  Founded in 2007, the company originally targeted consumers and set out to be the “Facebook of text messaging.”  But it pivoted around 2013, taking a different approach by enabling hundreds of millions of landlines to receive and send text messages for the first time.  This allowed companies to text with their customers from landline phones and toll-free numbers.
   “Businesses are late adopters,” Zipwhip CEO John Lauer told GeekWire.  “They don’t want the new thing and they don’t want to What’s App-enable or Facebook Messenger-enable their business.  They just want to text-enable because everyone has texting.”
   Zipwhip describes itself as a software-as-a-service company, versus a text messaging API — “a car dealership or dentist’s office has no idea what to do with an API,” Lauer noted.  Its platform lets customers log into a web portal to read and send text messages.

Next time I teach spreadsheets, promise!
Visual Basic for Applications (VBA) is the Microsoft Office programming language that allows you to create macros and userforms, add a message box, execute code inside a document in response to a trigger, and much more. With VBA you can supercharge your Excel spreadsheets. And you just have to learn a little bit about coding.


I wonder if my niece is ready for this.
Pandora Unveils Promotional Tools for Artists, Labels
   Pandora is now making a new tool kit available to any artist or label that could help solve one of the biggest conundrums of releasing music in the digital age: fans tend to prefer music they’ve heard before, and online services make it easier than ever to skip the unfamiliar.  FM radio stations have long established familiarity by repeatedly bombarding listeners with a small number of songs.  But digital services that allow users to choose, skip or thumb up and down their music don’t offer the same ability to create hits.
Now, though, artists and labels who use Pandora’s two-year-old “Amp” platform can record audio messages on their smartphones asking their fans to give new songs a chance, while instructing the service to play a certain song more often for a given period.  The automated system also prompts artists to take these and other actions based on how listeners are responding to their music.

Monday, October 17, 2016

“Ha!  This will surely stop those nasty hackers!”
Companies Try Out Selfies as Password Alternatives
   Companies and government agencies—ranging from the ride-hailing service Uber Technologies Inc. and credit-card giant MasterCard Inc. to the Alabama Department of Revenue—are asking people to snap self-portraits on their smartphones as proof of identity.
As the quality of smartphone cameras improves and facial-recognition software becomes more affordable, the digital future might involve fewer convoluted passwords and more selfies.  But there’s a downside: some cybercrime experts worry that people might be too quick to offer up their smiling faces, saying the technology is rife with privacy and security concerns.

(Related) Surely this was to be expected.  Anything required to gain access to your data/money will be targeted/gathered by hackers.  (This is more than my bank asks for!) 
Stupid Is As Stupid Does: Android Trojan Asks Victims For A Selfie Holding Their ID
CHEESE!  Smile for the malware that is trying to steal your identity!  One Android banking Trojan is asking victims for a selfie with their ID card.
This past year victims were asked to provide information like their “mother’s maiden name” so that hackers could unearth security question answers and break into bank accounts.  McAfee Labs Mobile Research Team recently discovered this latest evolution of Android banking Trojan Acecard.  The ID selfie not only helps cybercriminals to access bank accounts, but social networks as well.  
   The Trojan Acecard completes its scam with a three-step identification process.  The first two steps require the victim to upload pictures of the front and back of the ID cards.  The last step asks the victim to take a selfie with the ID card for further validation.

(Related) How the government does it?  
Thomas Fox-Brewster reports:
In what’s believed to be an unprecedented attempt to bypass the security of Apple iPhones, or any smartphone that uses fingerprints to unlock, California’s top cops asked to enter a residence and force anyone inside to use their biometric information to open their mobile devices.
FORBES found a court filing, dated May 9 2016, in which the Department of Justice sought to search a Lancaster, California, property.  But there was a more remarkable aspect of the search, as pointed out in the memorandum: “authorization to depress the fingerprints and thumbprints of every person who is located at the SUBJECT PREMISES during the execution of the search and who is reasonably believed by law enforcement to be the user of a fingerprint sensor-enabled device that is located at the SUBJECT PREMISES and falls within the scope of the warrant.”
Read more on Forbes.
[From the article:
Legal experts were shocked at the government’s request.  “They want the ability to get a warrant on the assumption that they will learn more after they have a warrant,” said Marina Medvin of Medvin Law.  “Essentially, they are seeking to have the ability to convince people to comply by providing their fingerprints to law enforcement under the color of law – because of the fact that they already have a warrant.  They want to leverage this warrant to induce compliance by people they decide are suspects later on.  This would be an unbelievably audacious abuse of power if it were permitted.”

For both my Architecture and Governance students as we follow the decline of Samsung.   
Samsung Self-Tested Batteries in Galaxy Note 7 Phone
The batteries used in Samsung Electronics Co. ’s troubled Galaxy Note 7 were tested by a lab that belongs to the South Korean electronics giant, a practice that sets it apart from other smartphone manufacturers.
To sell smartphones at major U.S. carriers, phone makers are required to test phone batteries at one of the 28 labs certified by the U.S. wireless industry’s trade group, the CTIA, to ensure compliance with standards set by the Institute of Electrical and Electronics Engineers.
Samsung is the only such manufacturer using in-house battery-testing facilities for CTIA certification, according to the association.
   In a statement Friday, Samsung said its plans to make “significant changes” in its quality-assurance processes in light of the Note 7 crisis.  [Sound familiar?  Bob]

For my IT Governance students.
Organizations Struggle to Protect Growing Number of Endpoints
A recent study conducted by Dimensional Research has revealed that most organizations don’t have a security strategy in place to protect the growing number of endpoints on their networks.
According to the study, just 33% of the survey’s respondents admitted that such a security strategy was in place, while the rest either said they were in the process of building such a strategy (51%), or that they didn’t have plans on the matter (16%).  The stats are worrying, because the compromise of critical endpoints could have dire fiscal or operational consequences for an organization.
Traditionally, devices with which users could interact, such as desktops, tablets or phones, have been considered endpoints, but employee-owned devices, virtual machines, point-of-sale terminals, Internet of Things (IoT) devices and servers have been recently added to the list as well.  The number of critical endpoints on enterprise networks has been growing fast despite security risks, with over 200 billion connected devices forecast by 2020.
According to the study, conducted on behalf of Tripwire, organizations also lack insight on whether the devices connected to their networks receive security updates in a timely fashion.  When asked if they were confident that these devices were kept up to date, only 40% of respondents said they were.

Is this good news?
Driverless cars offer new blueprint for safety regulators
New federal guidelines for driverless cars may set the stage for how the government approaches emerging technologies in the future.
Washington has long wrestled with how to keep pace with Silicon Valley, and federal regulators sought out a different and more flexible approach for automated vehicles.
The Department of Transportation (DOT) decided to craft voluntary, non-binding guidance, which was widely applauded across the industry for leaving room for innovation.
It could also serve as the new federal model for years to come.
“For better or for worse, this is the world we now live in,” Adam Thierer, a senior research fellow at George Mason University, said during a Capitol Hill panel this week.  “Guidance documents like this are going to be a regular thing.”

(Related) A question for my students: is the software required for a closed loop significantly different (simpler?) than that for over the road vehicles?
France’s Navya raises $34M for its self-driving shuttle bus, reportedly at a $220M valuation
When it comes to self-driving cars, the public tends to focus on developments for private vehicles for individuals, but there are also some significant advances underway in other categories such as shuttle busses.
   Meeting demand from municipal organizations, and companies that have closed but large campuses that require transportation to move from point A to B, the aim is to have 30 vehicles in use by the end of this year, the company said.

Automating pro bono?  (But not in Colorado)
ABA launches Free Legal Answers
by Sabrina I. Pacifici on Oct 16, 2016
Free Legal Answers is a virtual legal advice clinic.  Qualifying users post their civil legal question to their state’s website.  Users will then be emailed when their question receives a response.  Attorney volunteers, who must be authorized to provide pro bono assistance in their state, log in to the website, select questions to answer, and provide legal information and advice.  Volunteer attorneys will not answer criminal law questions.  Participating states have their own page where qualifying residents will post their question.  Look at your state’s page for more information.  Free Legal Answers is a project of the American Bar Association’s Standing Committee on Pro Bono and Public Service.  If you would like more information about the Free Legal Answers site, contact the National Site Administrator here.  Please be advised, the National Site Administrator will not respond to email requests for legal assistance.”

Move Over Twitter, Facebook – Snapchat is the Most Engaged Social Platform
   According to a Piper Jaffray 2016 national survey of 10,000 high school students and their consumption trends, photo sharing app Snapchat is now the most engaged and most preferred social network among the teen demographic.
Piper’s semi-annual study “Taking Stock With Teens” asked survey takers about fashion and beauty, restaurants and media and device preference.  A massive 80% said they used Snapchat at least once per month and 35% said it was their favorite platform.  Instagram came in second place with 27%, followed by Twitter and Facebook.

Something for my security students?
Additional START Datasets Now Available
by Sabrina I. Pacifici on Oct 16, 2016
National Consortium for the Study of Terrorism and Responses to Terrorism – “Utilizing the Dataverse Network Project, START has created its own repository of datasets and databases on terrorism, conflict, and preparedness.  This collection includes research funded by START as well as research for which START has been given permission to release.  Users can read over detailed information about each dataset regarding its time period, geographic coverage, and sampling procedure.  Additionally, the system allows users to download codebooks, data collection instruments, and the data itself, providing a simple interface for researchers to access START-related data.
New datasets will be added periodically and announced on the START homepage.  Click here to go to the START Data Collections Page