Saturday, November 12, 2016

Keep telling yourself “it’s only a coincidence.”
At least three major airlines report computer outages
   Most customers complained on social media that they couldn't access the airline’s app or website to book a reservation or check into their flights around the country. 
Just before 1 p.m. Friday, the major airline advised customers that the issue was resolved and was the result of a glitch with Sabre, the technology company that provides booking services to airlines. 
"Earlier today, Sabre had a brief technical issue that impacted multiple carriers, including American.  This technical issue has been resolved."
   Alaska Airlines and JetBlue Airways also reported computer problems on Friday.

Good thing I don’t have a Facebook account!  I wonder what triggers this “feature?” 
Check your Facebook account right now, you might be dead
   I can see slip ups happening like a weird news link or maybe some fake news from a content farm (that’s a problem, too), but social networking might need to do some better quality checks.  I can’t think of anything worse than telling everyone I know I’m dead.

When does a sting escalate into “aiding and abetting?”
FBI operated 23 Tor-hidden child porn sites, deployed malware from them
   according to newly unsealed documents recently obtained by the American Civil Liberties Union, the FBI not only temporarily took over one Tor-hidden child pornography website in order to investigate it, the organization was in fact authorized to run a total of 23 other such websites.
According to an FBI affidavit among the unsealed documents:
In the normal course of the operation of a web site, a user sends "request data" to the web site in order to access that site.  While Websites 1-23 operate at a government facility, such request data associated with a user's actions on Websites 1-23 will be collected.  That data collection is not a function of the NIT. Such request data can be paired with data collected by the NIT, however, in order to attempt to identify a particular user and to determine that particular user's actions on Websites 1-23.
   Security researcher Sarah Jamie Lewis told Ars that “it’s a pretty reasonable assumption” that at one point the FBI was running roughly half of the known child porn sites hosted on Tor-hidden servers.

Who is failing here? 
The best feature of AT&T’s new $35 TV subscription might be illegal
Starting sometime this month, AT&T will offer an internet-only subscription TV package, with upwards of 100 channels for $35 per month.  If the channel selection and pricing are as good as the company promises, it will be a hit.
But AT&T was banking on one other thing to really sell DirecTV Now: integration with AT&T’s cell network, which would let you stream TV channels on your smartphone without using up your data plan.  It’s the kind of deal that only AT&T could pull off, as the owner of a national cell and cable network.  But according to a letter from the Federal Communications Commission, doing so could be illegal.
In the letter, the FCC says it “believes that the terms and conditions under which Sponsored Data is offered to content providers unaffiliated with AT&T, combined with its current practice of zero-rating DIRECTV video applications for AT&T Mobility subscribers, may obstruct competition and harm consumers by constraining their ability to access existing and future mobile video services not affiliated with AT&T.”

Reinforcing prejudice with legislation?  Only in California do they attack a symptom rather than the cause.   
Revealing an actor’s age is illegal? IMDb website sues California
Many actors think there ought to be a law against posting their ages online, and California has obliged critics of ageism in Hollywood with legislation targeting a leading online source for information on movie and television figures.
The law, passed earlier this year, has been challenged in a lawsuit by the company IMDb, which is owned by Amazon and operates a repository of information on the film and television industry.
   The lawsuit said the law, known as AB 1687, was unfair because it was carefully tailored to apply only to the Delaware-based IMDb, and not other sources of information such as media websites.

Useful resource?
Doors close fast when a big giant like Pinterest gobbles up a smaller Instapaper.  But sometimes a ray of light shines through which promises more.  The bookmark-and-read-it-later service was bought out by Pinterest in August.  Instead of shuttering it, Pinterest has decided to open it up for everyone.
In short, Instapaper Premium is now free and open for all.

One of my students is having far too much fun crushing her opponents.  I can’t wait to get her opinion.
Enter the Digital Dragon
As someone with a second-degree black belt in Okinawan Goju Ryu Karate, I’ve made martial-art training a big part of my life for the past 20 years.  I’m equally committed to learning how to do things online.  But I’ve always wondered: Is studying karate online a viable option for those who can’t get to a real school?

Friday, November 11, 2016

What went wrong with your analysis?  A near perfect spear phishing question. 
Russian ‘Dukes’ of Hackers Pounce on Trump Win
Less than six hours after Donald Trump became the presumptive president-elect of the United States, a Russian hacker gang perhaps best known for breaking into computer networks at the Democratic National Committee launched a volley of targeted phishing campaigns against American political think-tanks and non-government organizations (NGOs).
   Volexity reports in a blog post published Thursday morning.
   “Two of the attacks purported to be messages forwarded on from the Clinton Foundation giving insight and perhaps a postmortem analysis into the elections,” Adair wrote.  “Two of the other attacks purported to be eFax links or documents pertaining to the election’s outcome being revised or rigged.  The last attack claimed to be a link to a PDF download on ‘Why American Elections Are Flawed.’”

Was the insurance company on the hook for other costs if they didn’t pay the ransom?
Well, this is interesting: a media report says that a county’s insurer advised them to pay a ransomware demand.  Ken de la Bastide reports:
On the advice of their insurance company Madison County officials are moving forward to pay the ransom demands by an unknown group that attacked the county’s computer system.
Madison County was hit by a ransomware attack over the weekend that prevented access to county records.
The malware attack has not affected the election where the voting registration records are maintained on a separate computer server.
The amount of the ransom is not being provided by the commissioners, but Travelers Insurance, the county’s insurance carrier, will reimburse a portion of the cost, less the county’s deductible.
Read more on the Washington Times Herald.
[From the article:
Lisa Cannon, director of the county’s IT department, said the county will make sure the system is secure before new data is placed in the system.
“We’re in the process of adding a backup system,” she said.
   Lyons said her employees were taking either vacation or personal time off.
“Without the computer system there could be no work done,” Lyons said.  “We have to access all our information on the computers.”]

Crazy crazy or crazy cool?  Social engineering on a national scale? 
Mark Zuckerberg Says Fake News on Facebook Affecting the Election Is a 'Crazy Idea'
A lot of questions are emerging about Facebook’s role in this year’s election cycle, especially given the proliferation of sensationalistic and even outright fake news stories, and CEO Mark Zuckerberg has responded.
“I think the idea that fake news on Facebook—of which it’s a very small amount of the content—influenced the election in any way is a pretty crazy idea,” he said on Thursday at the Techonomy conference in Half Moon Bay, Calif.

Technology for the next election?
Inside Donald Trump’s Data Analytics Team on Election Night
At a little past 9:30 p.m. Tuesday, the head of a little-known data analytics team working for Donald Trump in San Antonio sent a flurry of messages to the campaign’s New York war room: Florida had tipped and the models were predicting a more than 50% chance he would win the presidency.
Until then, the number-crunching and analytics for Mr. Trump felt more like a “data experiment,” said Matthew Oczkowski, head of product at Cambridge Analytica, who led the team for nearly six months.
   It is too early to assess the full impact Cambridge Analytica had on the Trump campaign.  While its advice aided the campaign in targeting ads, some of its polling predictions, like those from most survey firms, were off.
On Monday, Cambridge Analytica gave Mr. Trump less than a 30% chance of winning.  “So many states were close to the margin of error that it could swing either way,” Mr. Oczkowski explained.
But the unexpected win is likely to bring new attention to the company’s psychological approach, in which it used reams of information about voters harvested from databases, the internet and field operatives.

“We thought we knew what we were doing, but now we think we don’t.”
Concern about data security derails plan to expand PreCheck
The agency for a year had been working through a solicitation to bring on additional private companies to beef up the PreCheck application network as it works toward the Department of Homeland Security's goal of enrolling 25 million people in trusted-traveler programs (PreCheck and Global Entry) by 2019.  At present, PreCheck enrollment is close to 4 million, TSA says.
In late October, however, the TSA withdrew the solicitation, citing "the increased and evolving cybersecurity risks over the past year.
   Increasing enrollment in PreCheck is a goal of both the TSA and travel industry advocates, who cite the efficiency and safety enhancements [Like what?  Bob] that trusted-traveler programs bring to airport security checkpoints.  PreCheck members move more quickly through screening lines than other travelers because they don't have to remove shoes, jackets or belts, or take laptops out of carry-on bags.  

Anti-outsourcing?  “Keep our citizens in our jurisdiction.”
After LinkedIn Ban, Russia Warns Facebook And Twitter
Russia has for the first time invoked its ban on websites storing personal data outside the country.  It’s picked a high-profile target, LinkedIn – and says even bigger companies could be next on the list.
According to local media, a court has upheld a complaint by regulator Roskomnadzor, which says that LinkedIn has failed to satisfy its concerns.  Indeed, according to local news agency TASS, the company hasn’t even been in touch since the ruling was announced yesterday.
   Since the law came into effect in September last year, Russia has audited more than 1,500 companies to make sure they comply, gaining agreement from Google, eBay, and other Western firms.

More on outsourcing.  (Interesting that California is the starting point.) 
A CIO rejects, for now, university’s IT offshoring plan
There are reservations within the University of California system about a plan to move IT work offshore and lay off employees.

After Computerworld wrote in September about the layoff plan at the university's San Francisco campus, Larry Conrad, the associate vice chancellor for IT and CIO at the Berkeley campus, wrote a memo to IT staff about it.
He noted that some on his IT staff had seen the story and he wanted to respond.
"The UCSF effort is indeed an ambitious undertaking," wrote Conrad in a memo obtained by Computerworld.  "Candidly, I am not aware of any major university in the country which has successfully implemented such a substantive IT outsourcing initiative."
The San Francisco campus, which includes a medical center, has hired India-based HCL under a five-year contract valued at $50 million.  As part of the move, the university is laying off 49 permanent IT employees and cutting about 30 contractors.  Some of the IT workers say they expect to be training H-1B-visa-holding foreign replacements.

As goes Facebook, so goes the world?
Facebook CTO explains social network’s 10-year mission: Global connectivity, AI, VR
   The company is focused on three areas, which it has discussed publicly in recent years.  The first is bringing connectivity to 4.1 billion people who are still not online.
   He also cautioned patience on artificial intelligence.  As much progress as has been made, he said the ability of machines to match human intelligence is still years away.
By contrast, he said virtual reality is here, after decades of waiting.  He said components and pricing have finally caught up so that truly immersive experiences can be delivered in a meaningful way.

Continuing to think about Blockchain. 
Fraud and privacy problems on the blockchain

I’ll be curious to see what my students are asking Santa for…
Best Buy Black Friday ad reveals $100 Windows laptop deal, $125 iPad Air 2, Pro savings

For my students.  Nice long list…
Here's where military service members can get freebies on Veterans Day

Thursday, November 10, 2016

Ethical Hacking students!  I have a contest for you with $50 prizes! 
PayPal for iOS now lets you send and request money through Siri
Publicly traded online payment company PayPal today is announcing that its app for devices running iOS 10 now lets users tell the built-in Siri virtual assistant to send or ask other people for money through PayPal.
“Simply say, ‘Hey Siri, send Bill $50 using PayPal.’  Voila!”  Meron Colbeci, senior director of core consumer products at PayPal, wrote in a blog post.

Still no indication of how this was done?
Anthony Spadafora reports:
Tesco Bank has released more details regarding the cyber attack that took control of its online accounts and led the bank to freeze all of its users online transactions.
Over the weekend the bank was hit by an attack that it initially thought affected 20,000 customers.  However, Tesco Bank has now revealed that only 9,000 accounts were compromised by the security breach.  Though the number of customers affected is lower than first reported, some of those whose accounts were accessed during the attack lost as much as £2,000.
On Tuesday, Tesco Bank announced that it had refunded £2.5 million to all of those affected by the breach and guaranteed that no personal data was obtained during the attack.
Read more on ITProPortal.

(Related) The bank itself says…
What you need to know
Should I change all of my online banking and personal details that you hold?
Tesco Bank has not been subject to a security compromise and it is not necessary for customers to change their login or password details.  To stay safe online we do recommend that customers regularly change their passwords.

(Related)  The BBC speculates…
Tesco Bank attack: What do we know?
   Tesco did not use the "H" word in its statement and in interviews its chief executive and other people speaking on behalf of the company have been careful in their choice of language.
It has said that the attack was "sophisticated" and that an initial investigation had revealed exactly what had happened.
So far, it has not shared that information but Tesco's actions in the wake of the weekend's events do help to narrow down the possibilities.
By letting customers withdraw cash from ATMs, use cards in shops and pay bills, it suggests that whatever went wrong does not involve the core computer systems underpinning Tesco bank.  These systems used to be run by RBS but since 2008 Tesco has operated independently.
Security expert James Maude, from software company Avecto, said Tesco's decision to suspend online transactions combined with the information that so many people were hit at once clearly suggests problems with its website.
All too often, he said, maintenance or website updates can introduce errors and bugs that were not present before.  Cyber-thieves are constantly scanning valuable websites to spot changes and will swoop if one emerges.
It might also be the case that a third party connected to Tesco had a security issue and attackers got in via that route, which has happened in some of the biggest attacks in recent memory.

A heads-up for about a third of my students.
KKTV reports:
More than 2,100 Colorado veterans may have had their personal information compromised, the VA Eastern Colorado Health Care System (ECHCS) said Wednesday.
At risk are the veterans’ names, the last four digits of their Social Security number and their diagnoses.  According to the ECHCS, the information may have been compromised when a VA employee emailed unencrypted documents to their personal email account.
Read more on KKTV.

An update.  Was anyone at Yahoo managing? 
Yahoo Looking to Determine If Hacker Has Access to User Accounts
Yahoo Inc. is evaluating whether an unidentified hacker has access to its user account data, following a 2014 hack that resulted in the theft of more than 500 million user account records.
In a regulatory filing Wednesday, Yahoo said law-enforcement authorities on Monday “began sharing certain data that they indicated was provided by a hacker who claimed the information was Yahoo user account data.”  Yahoo said it would “analyze and investigate the hacker’s claim.”
   The data could shed some light on what may be the largest theft of consumer data ever.  Yahoo has said previously that it believes its networks were compromised in late 2014 by “state-sponsored” hackers who stole names, email addresses, telephone numbers and dates of birth of more than 500 million users.  But information-security firm InfoArmor Inc. later said the data had been stolen by criminals, rather than a state-sponsored group.
   The company is facing 23 class-action lawsuits following the hack, the filing said.

Next week I lecture on outsourcing to my IT Governance class, but I may post this for my Software Architecture students as well.
Offshoring roulette: lessons from outsourcing to India, China and the Philippines

Machine intelligence makes human morals more important
Machine intelligence is here, and we're already using it to make subjective decisions.  But the complex way AI grows and improves makes it hard to understand and even harder to control.  In this cautionary talk, techno-sociologist Zeynep Tufekci explains how intelligent machines can fail in ways that don't fit human error patterns — and in ways we won't expect or be prepared for.

Try.  Long before age 13, some kids will be able to bypass any restrictions – and I think that’s fine!
Irish Legal News reports:
The Department of Justice has launched a consultation on the statutory “age of digital consent” to be applied in Ireland as part of the EU General Data Protection Regulation (GDPR).
Article 8 of the GDPR provides that, in the case of information society services offered directly to a child, parental consent is required where personal information of a child under 16 is collected and shared with other service providers.  Service providers are required to make reasonable efforts to verify that parental consent is given in each case.
However, member states are allowed to adopt a lower age threshold, which cannot be lower than 13.
Read more on Irish Legal News.

Designer pop stars?  Would they recognize another Mozart if they saw one? 
K-Pop’s Global Success Didn’t Happen by Accident
In July 2016, the mega-hit “Gangnam Style” by South Korean singer PSY surpassed 2.6 billion views on YouTube.  Big Bang, a Korean pop (K-Pop) boy band, earned $44 million in 2015, making it among the highest paid in the industry.  Is K-Pop just a passing fad — a matter of a few songs going viral?  The answer is no.  The global success of K-Pop did not happen by accident, nor is it simply an interesting cultural phenomenon.

A statistical analysis.
What A Difference 2 Percentage Points Makes

Wednesday, November 09, 2016

Once again, we have the President we deserve.  How sad.

Election hacking.  Where did those horrible Russian hackers strike? 
A Glitch Caused Donald Trump's Site to Say Whatever The Internet Wanted It to Say
Until recently, Republican presidential candidate Donald Trump’s official campaign website featured an amusing glitch that allowed Internet users to modify its headline text however they so pleased.
The campaign website’s home page auto-generated a default message that encouraged visitors to vote for the Trump ticket.  But by editing the text in the page’s URL—replacing words between its “%20” notation dividers, typical URL encoding that denotes spacing—anyone could replace those words with their own message.
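The glitch described above, as an added example that is not code from the campaign site or from the article: a page that builds its headline from text carried in the URL, beside a version that does not trust URL text at all. The article says the text sat in the page path between %20 dividers; here it is carried in a query parameter, and the parameter names, the default message and the message table are assumptions for illustration.

```javascript
// Added example, not code from the campaign site or the article above.
// Parameter names, default message and message table are assumed.

const DEFAULT_HEADLINE = 'Vote for our ticket';

// Vulnerable: whatever the visitor put in ?headline=... is percent-decoded
// (%20 becomes a space) and dropped straight into the page, so anyone can
// craft a link that makes the site "say" something else. Because nothing is
// escaped, a link can also inject markup or script.
function renderHeadlineVulnerable(pageUrl) {
  const params = new URL(pageUrl).searchParams; // .get() already decodes %20 etc.
  const text = params.get('headline') ?? DEFAULT_HEADLINE;
  return `<h1>${text}</h1>`;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Half a fix: escaping stops the markup/script injection, but the page still
// repeats any text the link carried, so the "say whatever you want" problem
// is untouched.
function renderHeadlineEscaped(pageUrl) {
  const params = new URL(pageUrl).searchParams;
  const text = params.get('headline') ?? DEFAULT_HEADLINE;
  return `<h1>${escapeHtml(text)}</h1>`;
}

// Fix: the URL may only select among messages the site itself defines; any
// unknown or missing key falls back to the default. The own-property check
// keeps inherited names such as "constructor" from counting as valid keys.
const HEADLINES = {
  default: DEFAULT_HEADLINE,
  early: 'Vote early', // assumed second message
};

function renderHeadlineSafe(pageUrl) {
  const key = new URL(pageUrl).searchParams.get('msg');
  const text = key !== null && Object.prototype.hasOwnProperty.call(HEADLINES, key)
    ? HEADLINES[key]
    : DEFAULT_HEADLINE;
  return `<h1>${escapeHtml(text)}</h1>`;
}

// Constructed sample links showing the three behaviours.
function demo() {
  const crafted = 'https://campaign.example/?headline=Anything%20the%20internet%20wants';
  const injected = 'https://campaign.example/?headline=%3Cscript%3Ealert(1)%3C%2Fscript%3E';
  return {
    vulnerable: renderHeadlineVulnerable(crafted),
    injected: renderHeadlineVulnerable(injected),
    escaped: renderHeadlineEscaped(injected),
    safeUnknown: renderHeadlineSafe(crafted),
    safeKnown: renderHeadlineSafe('https://campaign.example/?msg=early'),
  };
}

console.log(demo());
```

Note the order of the two fixes: output encoding is the general cure for injection, but the defacement the article describes survives it, because the page is still echoing attacker-chosen content. The cure for that is to let the URL pick from server-defined content rather than supply it.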

(Related)  See?  The election must have been hacked!

Hackers tried to take down pro-Clinton phone banks the day before the election, but inadvertently hit Republican calls too
Hackers tried to knock out political call centers on Monday in an effort to "harm Clinton's chances of winning," but they may have done equal damage to Republican phone lines, according to the company that was targeted.
TCN, a company that provides political phone banking services, has a number of conservative clients in addition to pro-Clinton ones, the firm's chief technology officer Jesse Bird told Wired.
"The ironic thing is that they were probably impacting Republican calls just as much as Democrat calls," Bird said.

Could this be where Russian hackers concentrated their efforts? 
Elections Usher In New Crop of Political-Tech Startups
   Hustle, a venture-backed startup that was founded in 2014, caught on early with Bernie Sanders’s grass roots organizers.
   Starting in mid-2015 Sanders field personnel started using the app, which allows users to aim texts at a long list of recipients, sending each one individually in rapid-fire, then giving the user a platform to manage their text conversations with voters.  This approach allows the campaigns to get around regulations that prevent robo-dialing mobile phone numbers.

So, who is liable?  What was promised? 
Zack Whittaker reports:
If you bought a car in the last few years, there’s a good chance your personal information may have found its way to the open internet.
Names, addresses, phone numbers and social security numbers for both customers and employees for over a hundred car dealerships have leaked online, all thanks to a centralized records system coupled with shoddy security.
The system, built and operated by DealerBuilt, an Iowa-based database software company, sells management systems for car dealerships across the US, offering a central system for sales, customer relations, and employee payroll needs.
Last week, MacKeeper security researchers found 128 dealership systems, known as LightYear machines, were backing up to DealerBuilt’s central systems without any encryption or security, allowing anyone to see what was being backed up.
Read more on ZDNet.

Are we doing the same thing here?
Matt Burgess reports:
At least 1,000 schools across the UK are using forms of ‘surveillance’ technology to monitor the activity of pupils, a new report has claimed.
Privacy advocates Big Brother Watch has published research claiming 72 per cent of secondary schools use ‘Classroom Management Software’ to keep an eye on pupils.  The system, which can check use of computers, including internet history, is installed on 819,970 school-owned devices and 1,416 private devices, the group says.
Read more on Wired (UK).

Might be fun to fiddle with…
Google to Offer SDK for Assistant in December
   Where the new Assistant is concerned, Google is soon to offer up keys to the city, so to speak, starting next month with the launch of developer tools to make it even easier for people to add their own functionality to the wider platform.
Starting in December, Google will open up the Assistant in three distinct ways.  One will allow users to embed the Assistant itself inside third-party hardware, a la Amazon’s Alexa.  Direct Actions will allow services and products to offer simple, recognizable commands for the Assistant to connect other devices and services together.  Finally, Conversation Actions will allow developers to add in more sophisticated features, like offering access to a bank account, going back-and-forth with the user to complete the task at hand.

For when you cut the cable?
With Kodi being a free, open source media center, it’s no surprise there are plenty of options to customize your experience when using it.  These range from changing the overall appearance of Kodi, to setting up profiles for different family members.

Perhaps if my neighbors do this I won’t need to pay for the Internet!

In high school, I worked summers at a summer stock theater that hosted music on Mondays.  I got to see both Louis Armstrong and Ella Fitzgerald (not together).  Since I played trumpet (poorly) in those days, Armstrong was already a hero.  Ella is still the best jazz voice I have ever heard.  Follow this link and listen for yourself.
The Story of ‘Ella and Louis,’ 60 Years Later
by Sabrina I. Pacifici on Nov 8, 2016
Two of America’s greatest musicians.  Listen and fall in love with music that will stay with you a lifetime: A century-defining album’s improbable genesis “…The first of three successful collaborations between Ella Fitzgerald and Louis Armstrong, “Ella and Louis” is nearly perfect.  It is one of those works of art — and they don’t come along often — that seems to have always existed.  It features two of the greatest artists the century produced: Armstrong, the innovator and ambassador of jazz, and Fitzgerald, its most gifted singer.  The album was produced by a man almost solely responsible for bringing jazz into the realm of respectability and desegregating its audience, who founded the label which released it, and assembled the all-star team of musicians who made it so marvelous.  “Ella and Louis” helped rekindle interest in what would become known as The Great American Songbook.  Though it is something only American culture could produce, “Ella and Louis” was also something a large part of American society worked hard to prevent…”

Anything to find jobs for my students.
Facebook threatens LinkedIn with job opening features
   A Facebook spokesperson tells me, “Based on behavior we’ve seen on Facebook, where many small businesses post about their job openings on their Page, we’re running a test for Page admins to create job postings and receive applications from candidates.”
The new features could compete with LinkedIn, as well as developers like Work4, Workable and Jobscore that build “Jobs” tab applications that businesses can embed in their Facebook Pages.  Perhaps Facebook was prepping for these new features when it tested Profile Tags last year that mimic LinkedIn’s endorsements feature.

Tuesday, November 08, 2016

Something that will spread globally or will Facebook find a way to get user consent? 
Facebook halts Whatsapp data sharing in the UK
Facebook has agreed to stop using WhatsApp data to target users with advertising in the U.K. and has been warned it could face legal action if it resumes the practice.
The agreement is an initial victory for Information Commissioner Elizabeth Denham, who launched an inquiry into the data sharing earlier this year after expressing concern that user data was not being properly protected.

"I don’t think users have been given enough information about what Facebook plans to do with their information, and I don’t think WhatsApp has got valid consent from users to share the information," she said in a statement on Monday.
Facebook acquired WhatsApp for $22 billion in 2014 and has been using information from the service to help target advertising on its main social network.

Perspective.  I also saw a brief TV commercial from Wells Fargo that apologized for their bogus account creations.  I think neither are enough.
Samsung runs full-page apology ads over Galaxy Note 7 recall

I’m not sure this is true, but if the Wall Street Journal says it is, then I have to consider it.
Group Chat Emerges as the Hottest Thing in IT

Interesting.  Are the voters finally tired of bailing out failed companies?
Taxpayer bailouts for banks 'too big to fail' to end by 2022
The regulations will force banks to hold enough money from their investors to absorb losses without help from the taxpayer.
If any bank does face collapse, the funds will be spent to finance an orderly wind-down.

Monday, November 07, 2016

Yesterday, this was “less than 10,000.”  How the bank was hacked is unclear, but there is plenty of speculation.  (No doubt it will be Russians trying to influence the US election)
Tesco Shares Fall After Cyber Attack at its Online Banking Group Hits 40,000 Customers
   "Tesco Bank can confirm that, over the weekend, some of its customers' current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently," Tesco Bank CEO Benny Higgins said in a statement. 
Wholly-owned Tesco Bank, which has 136,000 current accounts, has frozen all online banking transactions from current accounts and said it would refund those which had money stolen.  Customers will be allowed to use cards to withdraw cash and to make payments, Higgins said.

Undue reliance on emails?  How would you prevent this from happening at your organization?  
Charles Lussier reports:
The top business manager for the East Baton Rouge Parish school system fell for an unsophisticated con, wiring $46,500 to someone who claimed via email to be Superintendent Warren Drake, even though the man himself was working in an office next door.
The school system on Thursday disclosed the fraud known as “phishing,” which occurred twice in May.  The details are outlined in a special audit, received late Thursday from the auditing firm Postlethwaite & Netterville, that examines what happened and suggests ways to prevent it from happening again.
Read more on The Advocate.
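One answer to the question above, as an added example that is not from the audit or the article: a mail-gateway check that flags a message whose display name matches a known executive but whose address behind it does not, a lookalike sender domain, or a Reply-To that points somewhere other than the From address. The internal domain, the executive directory and the sample headers are all constructed; the real addresses used in the East Baton Rouge fraud are not on the page.

```javascript
// Added example, not from the audit or the article above. The domain, the
// directory and the sample headers are constructed for illustration.

const INTERNAL_DOMAIN = 'example-schools.test';                                   // assumed
const EXECUTIVES = new Map([['warren drake', 'wdrake@example-schools.test']]);  // assumed directory

// Parse "Display Name <user@host>" or a bare "user@host".
function parseAddress(headerValue) {
  const m = /^\s*(?:"?([^"<]*?)"?\s*)?<([^>]+)>\s*$/.exec(headerValue)
         || /^\s*()([^\s<>]+@[^\s<>]+)\s*$/.exec(headerValue);
  if (!m) return null;
  const address = m[2].trim().toLowerCase();
  return { name: (m[1] || '').trim(), address, domain: address.split('@')[1] || '' };
}

// Minimal header parser: one header per line, no folding (enough for the check).
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i < 0) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Levenshtein distance, used to spot domains one or two characters off ours.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns a list of reasons the message looks like executive impersonation;
// an empty list means nothing matched.
function flagImpersonation(rawHeaders) {
  const h = parseHeaders(rawHeaders);
  const from = parseAddress(h.from || '');
  if (!from) return ['unparseable From header'];
  const reasons = [];

  const expected = EXECUTIVES.get(from.name.toLowerCase());
  if (expected && from.address !== expected) {
    reasons.push(`display name "${from.name}" but address ${from.address}`);
  }
  if (from.domain !== INTERNAL_DOMAIN && editDistance(from.domain, INTERNAL_DOMAIN) <= 2) {
    reasons.push(`lookalike sender domain ${from.domain}`);
  }
  const replyTo = h['reply-to'] ? parseAddress(h['reply-to']) : null;
  if (replyTo && replyTo.address !== from.address) {
    reasons.push(`Reply-To ${replyTo.address} differs from From`);
  }
  return reasons;
}

// Constructed samples: a free-mail impersonation, a lookalike domain with a
// diverted Reply-To, and a genuine internal message.
const SAMPLE_FREEMAIL = [
  'From: Warren Drake <warren.drake.office@freemail.test>',
  'To: finance@example-schools.test',
  'Subject: Urgent wire transfer',
].join('\n');
const SAMPLE_LOOKALIKE = [
  'From: Warren Drake <wdrake@example-schoo1s.test>',
  'Reply-To: accounts@freemail.test',
  'To: finance@example-schools.test',
  'Subject: Wire today please',
].join('\n');
const SAMPLE_GENUINE = [
  'From: Warren Drake <wdrake@example-schools.test>',
  'To: finance@example-schools.test',
  'Subject: Budget meeting',
].join('\n');

console.log(flagImpersonation(SAMPLE_FREEMAIL));
console.log(flagImpersonation(SAMPLE_LOOKALIKE));
console.log(flagImpersonation(SAMPLE_GENUINE));
```

Header checks like this catch the cheap version of the con, where the attacker never controls a genuine account. They do nothing against a compromised real mailbox, which is why the audit's other recommendation, an out-of-band confirmation step for any wire request, matters more than any filter.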

(Related)  Perhaps another procedure needs questioning?
It sounds like such a simple question that should have an obvious “yes” answer, but you might be surprised to see what happens when hackers taunt social media teams about hacks.  It’s an issue I’ve mentioned before:
NullCrew revealed that they had access to Bell’s server for months, and had disclosed that to them in a chat with Bell Support weeks ago.  A screenshot of the chat between NullCrew and Bell Support employee “Derek” shows that NullCrew was informing Bell that they were in possession of users’ information —, February 2, 2014.
If your business has a Twitter account, do those responsible for it know how to respond to tweets informing them of a data security breach?  —, August 24, 2015.
Last night, it happened again: a well-intentioned social media team on Twitter did not appear to understand that they were being told they had been hacked.  USAA’s Twitter team’s responses left people variously laughing at them, mocking them, or if they were a customer, worried for the security of their information.
Here was how the exchange began:
[Read the whole sorry mess.  Bob]

For my Smartphone using students.  Hackers have a great grasp of the obvious. 
Via The New York Times, hundreds of fake shopping apps have been hitting the App Store in the last few weeks, stealing recognizable brand names and logos, in an attempt to confuse App Store customers to download their counterfeit apps instead of the real thing.  The fraudsters are attempting to capitalize on the holiday shopping season.
   App Review fails to recognize most cases of trademark infringement (or it simply doesn’t look for such issues at all) which allows fake apps like these ones to appear in the App Store.
The fraudsters can then capitalize on their victims by encouraging customers to buy the ‘real’ branded products with credit cards, thereby stealing their financial information.  (Apps that sell physical goods are allowed to request users to provide payment details, bypassing the usual protections and safeguards of Apple’s sanctioned In-App Purchase system.)

“It’s a lightbulb!  We don’t need to secure it!” 
Hackers hijack Philips Hue lights with a drone
Surprise!  The Internet of Things is a security nightmare.  Anyone who was online a few weeks ago can attest to that.  The massive internet blackout was caused by connected devices, and new research from white-hat hackers expounds upon those types of vulnerabilities.  The target?  Philips Hue smart lightbulbs.  While they've been hacked in the past, Philips was quick to point out that pulling it off in a real-world situation would be pretty difficult.  Digital intruders would need to already be on your home network with a computer of their own -- the company claimed that directly attacking the lightbulbs wasn't exactly feasible.  But this new attack doesn't require that sort of access.
In fact, all it takes is tricking the bulbs into accepting a nefarious firmware update.  By exploiting a weakness in the Touchlink aspect of the ZigBee Light Link system (again!), the hackers were able to bypass the built-in safeguards against remote access.  From there, they "extracted the global AES-CCM key" that the manufacturer uses to encrypt and authenticate new firmware, the researchers write (PDF).
"The malicious firmware can disable additional downloads, and thus any effect caused by the worm (blackout, constant flickering, etc.) will be permanent."  What's more, the attack is a worm, and can jump from connected device to connected device through the air.  It could potentially knock out an entire city with just one infected bulb at the root "within minutes."
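The design lesson in that "global AES-CCM key" is worth seeing in code.  The illustration below is added here and is not the researchers' or Philips' code; it uses HMAC-SHA256 in place of AES-CCM and constructed placeholder keys to contrast one key shared by every bulb with a per-device key derived from a master that never leaves the vendor.

```python
import hashlib
import hmac

# Added illustration, not Hue code. All key material is constructed placeholder data.
VENDOR_MASTER_KEY = b"constructed-vendor-master-key"   # lives only on the vendor's signing server
FIRMWARE_IMAGE = b"constructed-firmware-image-bytes"


def device_key(master: bytes, device_id: bytes) -> bytes:
    """Derive a per-device authentication key; each bulb stores only its own."""
    return hmac.new(master, b"fw-auth|" + device_id, hashlib.sha256).digest()


def sign_firmware(key: bytes, device_id: bytes, version: int, image: bytes) -> bytes:
    """Authentication tag over (target device, version, image); HMAC stands in for AES-CCM."""
    msg = device_id + version.to_bytes(4, "big") + image
    return hmac.new(key, msg, hashlib.sha256).digest()


def accept_firmware(key: bytes, device_id: bytes, installed: int,
                    version: int, image: bytes, tag: bytes) -> bool:
    """What a bulb checks before flashing: no downgrade, and a tag valid under its key."""
    if version <= installed:
        return False
    return hmac.compare_digest(sign_firmware(key, device_id, version, image), tag)


def global_key_is_forgeable() -> bool:
    """One global key: a copy dumped from any bulb validates an update for any other bulb."""
    global_key = b"constructed-global-aes-ccm-key"   # identical in every bulb
    tag = sign_firmware(global_key, b"bulb-B", 2, FIRMWARE_IMAGE)  # built with the dumped copy
    return accept_firmware(global_key, b"bulb-B", 1, 2, FIRMWARE_IMAGE, tag)


def per_device_key_contains_it() -> bool:
    """Per-device keys: bulb A's key cannot make a tag bulb B accepts,
    while a genuine vendor-issued update for B still flashes."""
    key_a = device_key(VENDOR_MASTER_KEY, b"bulb-A")
    key_b = device_key(VENDOR_MASTER_KEY, b"bulb-B")
    forged = sign_firmware(key_a, b"bulb-B", 2, FIRMWARE_IMAGE)
    genuine = sign_firmware(key_b, b"bulb-B", 2, FIRMWARE_IMAGE)
    rejected = not accept_firmware(key_b, b"bulb-B", 1, 2, FIRMWARE_IMAGE, forged)
    accepted = accept_firmware(key_b, b"bulb-B", 1, 2, FIRMWARE_IMAGE, genuine)
    return rejected and accepted
```

Per-device keys do not stop someone who has opened up one bulb from reflashing that bulb; what they remove is the bulb-to-bulb spread the article describes, because no single extracted key speaks for the whole fleet.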

At least it won’t be in your pocket when it blows.
If you own a Samsung washing machine, then be afraid, be very afraid.  Samsung is being forced to recall 2.8 million of its washing machines due to the possibility of them shaking themselves apart.  Or, to put it another way, exploding.  Sound familiar?
Let’s not bury the lede here.  Samsung is recalling 2.8 million washing machines in the United States.  The voluntary recall, made in cooperation with the Consumer Product Safety Commission (CPSC), affects “certain top-load washers manufactured between March 2011 and current production dates”.

Model or anti-model?  What can we learn? 
China Adopts Cybersecurity Law Despite Foreign Opposition
   The Cyber Security Law was passed by the Standing Committee of the National People’s Congress, China’s top legislature, and will take effect in June, government officials said Monday.  Among other things, it requires internet operators to cooperate with investigations involving crime and national security, and imposes mandatory testing and certification of computer equipment. [No exploding phones in China?  Bob]   Companies must also give government investigators full access to their data if wrong-doing is suspected.
   The fear among foreign companies is that requirements to store data locally and employ only technology deemed “secure” means local firms gain yet another edge over foreign rivals from Microsoft Corp. to Cisco Systems Inc.

I pass these on to all my students in the hope that they get filthy rich and remember who gave them the idea…
These guys built a $273 million startup from discarded computers and an almost secret source of seed money
Founded in 2010 by CEO Mohit Lad and CTO Ricardo Oliveira from their grad school work at UCLA, ThousandEyes helps ensure that when bits of the internet go down, companies can avoid being taken down too — even if the problem is on the internet and out of their control.
   And it all began with a bunch of computer servers that the founders scrounged out of big corporate electronics recycling bins and from a second-hand computer store in Sunnyvale known as Weird Stuff.
   "We could go to Sand Hill road and spend months trying to raise money, or we could try to build a product and really get it off the ground and get customers.  We chose the latter route and in hindsight it was one of the best decisions we made," Lad said.
Instead, they applied for a grant from the National Science Foundation.  That's such an unusual way to raise funds in the Valley that Lad wrote a blog post explaining it. 
"If you have an idea which is high risk, that has a lot of R&D, the NSF tends to like it," Lad told us. 

Suspiciouser and suspiciouser.  Note that “We haven’t changed our mind” is in some papers being reported as “Clinton exonerated!”  And I’ll wager that most of the emails had to do with preparing to campaign for president. 
James Comey: FBI has 'not changed its conclusions' on Clinton's email server since July decision
   A senior law enforcement official told NBC News that the FBI's review of the thousands of emails on the Anthony Weiner laptop concluded that nearly all were duplicates of emails previously seen by FBI agents investigating the email server.

Jumping the gun on “the election was rigged?”  There seems to be no hard evidence to support the headline.  But, did anyone not working for Trump actually look? 
Election Fraud in Broward County: Officials Caught Ballot Stuffing, Destroying Ballots
According to multiple sources and witnesses, Broward County Supervisor of Elections Brenda Snipes and employees are engaging in mass voter fraud in multiple forms.
   It has been widely reported that black turnout in the state–and in other battleground states such as North Carolina and Ohio–is way down from 2012 levels.  In the past few days, the Clinton campaign and their Democratic surrogates have been touting “a surge” in turnout among black voters in Broward County, which is overseen by Snipes.  [Are ballots in Florida marked “Black Voter?”  How else would they know?  Bob] 
   Sources confirm Snipes was breaking the law and opened more than 153,000 ballots cast by mail in private, claiming employees were tearing up and disposing of those that were votes in support of Donald J. Trump.  The law prohibits the opening of ballots without the supervision of a canvassing board appointed to oversee and certify elections precisely because of this possibility.

Free is good!  Several, actually.
Visio may be the industry standard in the corporate world, but it comes with a huge drawback: it’s expensive ($299 for the standard version as of this writing).  Can’t afford that?  Then you’ll be happy to know that several open source alternatives exist for the low, low price of FREE.

Perhaps you could have the Billy Bass sing it for you?  (See yesterday’s blog)
Have you ever wanted to arrive home to a personal welcome?  With a Raspberry Pi and a few simple components, you can!  In this simple project we’ll use a reed switch to trigger a theme tune when a door is opened.  We shall be using a Raspberry Pi as the controller here, though you could use almost any other microcontroller for this project using the same circuit.

A Donald Trump-inspired drone?

Sunday, November 06, 2016

Something new?  Whenever there is no clear indication of how the hack occurs, you must consider that this is a test of something new.  Did they hack into the bank directly or is it a hack into individual users?  Stay tuned!
ITV News reports:
Tesco Bank has blocked some customers’ cards after fraudsters seemingly targeted the bank’s customers.
Thousands of accounts were reportedly affected, with many people taking to social media to alert the bank to suspicious activity.
One man tweeted his available balance had dropped by £700 without him making a transaction while another said the disruption had left her “unable to feed my kids in school tomorrow”.
Read more on ITV News.
In their coverage, BBC reports that “less than 10,000” of the bank’s customers are affected and that they had all been sent alerts to notify them.  So far, none of the news outlets reporting on this have indicated how the fraud occurred.

Is Russia this subtle?  Possibly.  Is the FBI’s explanation credible?  If the Tweets were limited to the Hillary files as this article suggests, no.  "Never attribute to malice that which can be adequately explained by stupidity, but don't rule out malice." "Heinlein's Razor"
An odd thing occurred on the FBI’s Record Vault Twitter account on October 31st, drawing conspiracy theorists out of the woodwork.  After months of being almost dormant, the bot-powered account started firing out tweets related to various Clinton scandals.  Now, the FBI has launched an internal review to determine how its procedures went wrong.
Specifically, the Twitter bot managed to choose this week as the perfect time to remind people about a 15-year-old investigation into the Clinton Foundation and to post the FBI’s file on Hillary Clinton.  The first document is the most problematic.  It relates to an investigation into the Clinton Foundation and Marc Rich, who was controversially pardoned by President Bill Clinton in his final days of office.
   The FBI says that the timing of the tweets is purely coincidental.  In response to a request for comment, an agency spokesman explained to Ars Technica that:
The problem was traced back to the software that handles automated Twitter posts within the FBI Vault site’s content management system.  The documents linked in the Twitter posts that were already queued for posting dated back several months.  When the software was updated, the backlog was suddenly, automatically, cleared in a spew of tweets.
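Whatever you make of the timing, the failure mode itself (a software update draining months of queued posts at once) is an ordinary engineering problem with an ordinary fix.  The scheduler below is an added illustration, not the FBI Vault CMS code: queued items past a staleness limit are held for human review instead of auto-published, and a single drain can only release a bounded number of posts.

```python
from datetime import datetime, timedelta

# Added illustration, not the FBI Vault CMS code. Guards a scheduled-post queue so a
# backlog cannot be released all at once after an update.
MAX_AGE = timedelta(days=7)   # anything queued longer than this needs a human look
MAX_BURST = 3                 # most posts one drain may publish automatically


def drain_queue(queue, now, max_age=MAX_AGE, max_burst=MAX_BURST):
    """Split queued posts into (publish, held). Held entries carry the reason
    so a reviewer can release them deliberately rather than by accident."""
    publish, held = [], []
    for post in sorted(queue, key=lambda p: p["queued_at"]):
        age = now - post["queued_at"]
        if age > max_age:
            held.append((post["title"], "stale: queued %d days ago" % age.days))
        elif len(publish) >= max_burst:
            held.append((post["title"], "burst limit reached"))
        else:
            publish.append(post["title"])
    return publish, held


def backlog_demo():
    """Constructed backlog: three posts queued months earlier plus two fresh ones."""
    now = datetime(2016, 10, 31, 9, 0)
    queue = [
        {"title": "old-file-1", "queued_at": datetime(2016, 8, 1)},
        {"title": "old-file-2", "queued_at": datetime(2016, 8, 15)},
        {"title": "old-file-3", "queued_at": datetime(2016, 9, 2)},
        {"title": "fresh-1", "queued_at": datetime(2016, 10, 29)},
        {"title": "fresh-2", "queued_at": datetime(2016, 10, 30)},
    ]
    return drain_queue(queue, now)


def burst_demo():
    """Constructed: five fresh posts queued hours apart; only MAX_BURST go out per drain."""
    now = datetime(2016, 10, 31, 9, 0)
    queue = [{"title": "fresh-%d" % i, "queued_at": now - timedelta(hours=i)}
             for i in range(1, 6)]
    return drain_queue(queue, now)
```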

Meet the Activist Who Smelled Something Fishy With the FBI's Anti-Clinton Records Dump, and Got Internal Watchdogs Investigating
   Amid a flurry of ho-hum releases (including the Bureau's own ethics handbook) over the next two days, two stood out: a nothing-burger on Fred Trump, the father of the Republican presidential nominee; and heavily redacted documents from a 15-year-old closed investigation into President Bill Clinton’s pardon of financier Marc Rich, and the William J. Clinton Foundation.

Why is everything automatically connected to the elections?  Makes a more dramatic story?  Russia is probing everywhere.  Does anyone expect it to stop after the elections? 
Russia's Fancy Bear Attacks Microsoft, Adobe as Election Nears
Microsoft earlier this week said it had fallen victim to "Strontium," its code name for the Russian hacking group also known as "Fancy Bear," which has been linked to recent attacks on Democratic Party systems.
The group launched a spear phishing attack that targeted vulnerabilities in both the Windows operating system and Adobe Flash, according to Terry Myerson, executive vice president of Microsoft's Windows and Devices Group.
The attack, first identified by Google's Threat Analysis Group, involved two zero-day vulnerabilities in Flash and the down-level Windows kernel, he explained.  It used the Flash exploit to gain control over browsers, elevate privileges to escape the browser sandbox and install a backdoor to gain access to a user's computer.

Is this based on the political divide, or has social media just pointed out that your “friend” is a complete idiot?
Donald Trump and Hillary Clinton supporters are unfriending each other on Facebook

The very definition of a strategy of cheating is that you must cheat wherever and whenever you can.
CARB Finds New Audi Defeat Device, German Paper Digs Up Smoking Gun Document
Engineers at the California regulator CARB found another, previously unreported defeat device, German tabloid Bild am Sonntag [paywall] reports.  The paper also found a document that is bound to affect the career of Volkswagen Group powertrain chief Axel Eiser. For Volkswagen, the find comes at an inopportune moment.  The company wants to cut a deal with the U.S. Department of Justice, and it recently reported progress in the negotiations.  The new affair “clouds the prospects” for a deal, the paper says.  The scandal also puts Audi in the cross-hairs of European tax collectors, who usually are less understanding than the EU’s paper tiger automotive regulators.

Boy, do I have a project for my geeks!
Christmas shopping will begin sooner than anyone wants it to and there is no better gift to get your DIY dad than a Big Mouth Billy Bass hooked up to Amazon’s personal assistant, Alexa—especially if you hate your father.
Brian Kane is a developer and artist who specializes in humorous projects.  For his latest work, he’s modded up the venerable novelty item and instead of hearing Alexa’s calming voice coming from an innocuous glowing hockey puck, you get to look at a reanimated piece of plastic taxidermy mouth the weather report.
Kane hasn’t given a tutorial on how he approached the Bass/Assistant horror hybrid but Amazon does have an API available that allows users to embed the tech in third party devices.

Why do great ideas seldom make it into production?