Monday, January 23, 2017
Does this suggest a major failure (holes found) or a major success (now we can fix them)? Remember, Russia (and probably many other countries) is doing the same thing 24x7x365. They just don’t bother telling DoD when they succeed.
Expert Hacks Internal DoD Network via Army Website
A security researcher who took part in the Hack the Army bug bounty program managed to gain access to an internal Department of Defense (DoD) network from a public-facing Army recruitment website.
Hack the Army ran via the HackerOne platform between November 30 and December 21, and the results of the program have now been made public. A total of 371 people registered, including 25 government employees, and they submitted 416 vulnerability reports – the first one came within five minutes of launch.
Roughly 118 of the reports have been classified as unique and actionable.
… The most noteworthy submission came from a researcher who managed to chain multiple vulnerabilities in order to get from the goarmy.com Army careers website to an internal DoD network that can normally be accessed only by authorized users.
… Thanks to the success of these programs, similar events will likely be launched in the future.
In the meantime, researchers who find flaws in the DoD’s *.defense.gov and *.mil websites are still encouraged to report them. The Pentagon recently published its vulnerability disclosure policy in an effort to provide guidance to white hat hackers on how to legally report their findings.
For my Computer Security students.
Yahoo Faces SEC Probe Over Data-Breach Disclosures
Yahoo is facing a probe by the Securities and Exchange Commission over how it handled the disclosure of two massive data breaches. A source familiar with the matter told The Wall Street Journal the investigation will likely focus on a 2014 cyberattack that saw the personal data of 500 million users released. The company disclosed that breach only in September 2016, which may have violated civil securities laws, the report said. The investigation will also cover a 2013 breach that was only announced last December. While the SEC issued guidelines in 2011 calling for companies to disclose any security breaches, the guidelines did not specify a timeframe, meaning the Yahoo case could set a precedent and provide clarification.
For my Ethical Hacking students. This could be like texting “Fire!” in a crowded theater.
The Demon Voice That Can Control Your Smartphone
Researchers have created creepy sounds that are unintelligible to humans but still capable of talking to phones’ digital assistants.
… what if there was a way to talk to phones with sounds other than words? Unless the phones’ owners were prompted for confirmation—and realized what was going on in time to intervene—they’d have no idea that anything was being texted on their behalf.
Turns out there’s a gap between the kinds of sounds that people and computers understand as human speech. Last summer, a group of Ph.D. candidates at Georgetown and Berkeley exploited that gap: They developed a way to create voice commands that computers can parse—but that sound like meaningless noise to humans. These “hidden voice commands,” as the researchers called them, can deliver a message to Google Assistant-enabled Android phones nearby through bursts of what sounds like scratchy static.
… The primary way people interact with smartphones is by touching them. That’s why smartphone screens can be thoroughly locked down, requiring a passcode or thumbprint to access. But voice is becoming an increasingly important interface, too, turning devices into always-listening assistants ready to take on any task their owner yells their way. Put in Apple’s new wireless earphones, and Siri becomes your point of contact for interacting with your smartphone without taking it out of your pocket or bag.
The more sensors get packed into our ubiquitous pocket-computers, the more avenues someone can use to control them.
For my IT Governance students. Even small things have major impacts. How can you tell it isn’t Russian hackers?
United Airlines Computer Glitches Delay Flights, Infuriate Flyers
Tempers boiled in departure lounges around the world overnight as two separate problems with United Airlines' computer systems caused widespread delays.
… The first glitch, concerning United's luggage weighing systems, was resolved late Thursday, King said. Another issue caused more delays before being resolved at 3 a.m. ET — although King said she did not know its nature nor its cause.
… Amy Zandy, a 32-year-old sales director from Chicago, was among those affected.
"You are literally a global conglomerate," she told NBC News, referring to United. "You don't have backup systems? You don't know how to manually process this information?"
Also for my Governance students?
Privacy law scholar Daniel Solove has made two of his books freely available online:
The Digital Person: Technology and Privacy in the Information Age (2004) [296 pp] and
The Future of Reputation: Gossip, Rumor, and Privacy on the Internet (2007) [257 pp.]
Both books have inspired a lot of scholarly debate and reflection on the course of privacy and privacy law in this country.
Great thanks to Dan and the publishers for making them available. Go grab your copies now, if you don’t have copies already.
An interesting case. How should this have been handled?
Special education student who secretly recorded school administrator threatening him to be charged for violating wiretap law
It is an issue that has come up a number of times for me with one of my other “hats” on: do you send a child to school with a wire to record what’s going on in the school if they claim they are being harassed or abused so that you have proof? Maybe you’ve seen bruises on them and can get no real answer from the school. Maybe your child is telling you that a school administrator is cursing them and threatening them. Maybe you don’t know what to believe. Or maybe you do believe your child, but no one else will believe what’s going on.
We know, from studies, that students with disabilities are more likely to be harassed or abused in school. We’ve all seen the horrific footage of such abuse in other cases. Now it’s your child who may be being mistreated by school personnel.
What would you do if you decide you can’t just remove your child from that school because you can’t find an alternative placement? Or maybe there are alternatives, but you decide that the school should not get away with this because they’ll continue doing it to other children, if not yours.
What would you do?
If you live in a state where two-party consent is required for audio and/or video recording, then under the law, they should not secretly record any conversation – even if, as may be in the case at hand – you have gone to the police on several occasions to no avail.
So what do you do to protect your child or to get evidence of what’s going on?
I know what we’ve done in the past, but because my lawyer would probably prefer I not publicly admit to any possible crimes, I won’t say here.
But it sounds like there may be that kind of situation in Pennsylvania, where a Woodland Hills High School administrator allegedly was verbally abusive and threatened a student with disabilities. CBS reports:
There was harsh criticism of Allegheny County District Attorney Stephen Zappala outside the Woodland Hills School District Administration building Wednesday night.
Protestors gathered for a demonstration sponsored by a group called the Alliance for Police Accountability.
Brandi Fisher, of the Alliance for Police Accountability, told the gathering, “Not only does the D.A. need to charge the principal, the D.A. needs to resign.”
The controversy stems from Zappala’s recent decision not to file charges against high school Principal Kevin Murray after an expletive-filled reprimand he gave to a student.
The student secretly recorded the conversation.
Read more on CBS Pittsburgh.
The station’s past coverage of the case is linked from here. The recording allegedly catches the administrator saying, “I’m going to [expletive] punch you in the face. Man-to-man, bro. I don’t care if you are [expletive] 14-years-old or not. I will punch you in your face, and when we go down to court, it’s your word against mine, and mine wins every time.”
Reading the coverage, it appears that the district decided that the recording could not legally be used against the administrator because the recording was made in violation of wiretap laws.
So police can violate the law and the evidence can be used in many cases under some “good faith” exception, but evidence against a school administrator is not entitled to any good faith exception and would have to be suppressed? And then you charge the teenager for violating the wiretap law?
Something’s very wrong here.
Maybe Orin Kerr or Scott Greenfield can help me understand why this is a correct course of action – to not use the tape and to charge the teenager. Somehow, I doubt I will be easily convinced.
Is this how to compete in the Digital Age?
Decaf with your deposit? Bank branches transform into cafes, more
If you’re like many Americans, you may be making fewer trips to the bank and instead taking care of check deposits with a mobile app or tracking account balances with a few mouse clicks.
Digital banking is undeniably gaining ground over the old brick-and-mortar process. But about 84% of banking customers still visit branches at least occasionally, according to a March 2016 Federal Reserve report.
Interesting. I wonder if there is a truly neutral version of this? No, not the New York Times.
Local techies launch fact-focused Trump wiki site
Jan Miksovsky was worried about how citizens will be able to keep up with the Donald Trump administration.
So, in a bout of entrepreneurial spirit, he helped build a tool to address the matter.
The longtime Seattle software engineer, who spent 16 years at Microsoft before founding two Seattle startups, helped gather the crew of developers and writers behind Presterity.org, a web portal pitched as a Wikipedia-like chronicle of the Trump administration.
The aim isn’t nonpartisan.
“We’d like to create what you might call a reference desk for people to try to resist the damages of the Trump administration,” Miksovsky said.
I wondered what went wrong with the polls… A guideline for Mark Zuckerberg?
The Electoral College Blind Spot
It Wasn’t Clinton’s Election To Lose
The Invisible Undecided Voter
Something to consider in my Spring Quarter Spreadsheet class. Sounds a bit overblown.
UK research project documents decline of statistics and rise of big data
by Sabrina I. Pacifici on Jan 22, 2017
“How statistics lost their power – and why we should fear what comes next,” by William Davies, The Guardian: “The ability of statistics to accurately represent the world is declining. In its wake, a new age of big data controlled by private companies is taking over – and putting democracy in peril… In theory, statistics should help settle arguments. They ought to provide stable reference points that everyone – no matter what their politics – can agree on. Yet in recent years, divergent levels of trust in statistics has become one of the key schisms that have opened up in western liberal democracies. Shortly before the November presidential election, a study in the US discovered that 68% of Trump supporters distrusted the economic data published by the federal government. In the UK, a research project by Cambridge University and YouGov looking at conspiracy theories discovered that 55% of the population believes that the government ‘is hiding the truth about the number of immigrants living here’.”
Perhaps I’ll ask my students to create a 3D Video. The next ‘Avatar?’
Why let Pixar have all the fun? Mindshow lets anybody make 3D movies in VR
… “It’s a lot like a cartoon that you can walk around in,” says Visionary CEO and Chief Creative Officer Jonnie Ross, “but there’s a lot more to it than that.”
In a nutshell, Mindshow is a VR sandbox that allows you to create virtual scenes, then animate them with your own body movements, voice, and imagination.