Thursday, February 23, 2017
A follow-up to yesterday’s first article. Fortunately, Brian Krebs didn’t let them get away with that.
How to Bury a Major Breach Notification
Amid the hustle and bustle of the RSA Security Conference in San Francisco last week, researchers at RSA released a startling report that received very little press coverage relative to its overall importance. The report detailed a malware campaign that piggybacked on a popular piece of software used by system administrators at some of the nation’s largest companies. Incredibly, the report did not name the affected software, and the vendor in question has apparently chosen to bury its breach disclosure. This post is an attempt to remedy that.
Something to keep my Computer Security students busy.
Netflix Releases Open Source Security Tool "Stethoscope"
Netflix this week released Stethoscope, an open source web application that gives users specific recommendations for securing their computers, smartphones and tablets.
Stethoscope was developed by Netflix as part of its “user focused security” approach, which is based on the theory that it is better to provide employees actionable information and low-friction tools, rather than relying on heavy-handed policy enforcement.
Netflix believes employees are more productive when they don’t have to deal with too many rules and processes.
… The Stethoscope source code, along with instructions for installation and configuration, is available on GitHub.
Consider this: Self-driving cars will be more “software complex” than the cars in this article.
Technology Hangups Drive Car-Durability Complaints
… In its annual Vehicle Dependability Study, J.D. Power & Associates saw the average number of problems increase for the second year in a row, with the audio, communication, entertainment and navigation issues being the most commonly reported.
I wonder which parts of town they are surveilling?
GE, Intel, AT&T team up to put cameras, mics in San Diego
General Electric will put cameras, microphones and sensors on 3,200 street lights in San Diego this year, marking the first large-scale use of "smart city" tools GE says can help monitor traffic and pinpoint crime, but raising potential privacy concerns.
Based on technology from GE's Current division, Intel Corp and AT&T Inc, the system will use sensing nodes on light poles to locate gunshots, estimate crowd sizes, check vehicle speeds and other tasks, GE and the city said on Wednesday. The city will provide the data to entrepreneurs and students to develop applications.
Companies expect a growing market for such systems as cities seek better data to plan and run their operations. San Diego is a test of "internet of things" technology that GE Current provides for commercial buildings and industrial sites.
… A 2014 estimate by Frost & Sullivan predicted the market for cities could be valued at $1.5 trillion by 2020, she said.
Why is this a bad thing? Should the NSA not use tools that analyze Big Data?
… Palantir has never masked its ambitions, in particular the desire to sell its services to the U.S. government — the CIA itself was an early investor in the startup through In-Q-Tel, the agency’s venture capital branch.
… Palantir Gotham (formerly Palantir Government) is designed for the needs of intelligence, law enforcement, and homeland security customers. Gotham works by importing large reams of “structured” data (like spreadsheets) and “unstructured” data (like images) into one centralized database, where all of the information can be visualized and analyzed in one workspace. For example, a 2010 demo showed how Palantir Government could be used to chart the flow of weapons throughout the Middle East by importing disparate data sources like equipment lot numbers, manufacturer data, and the locations of Hezbollah training camps. Palantir’s chief appeal is that it’s not designed to do any single thing in particular, but is flexible and powerful enough to accommodate the requirements of any organization that needs to process large amounts of both personal and abstract data.
Interesting change in approach. Cheapest is not always bestest?
Federal IT Acquisition Worth $50B Cleared for Takeoff
… Under the "lowest price technically acceptable" (LPTA) method, agencies focused provider selections on cost, as long as the vendor displayed a minimum technical competency.
GSA specifically ruled out the LPTA method with Alliant 2. Instead, GSA appeared to flip the LPTA concept around and focused on vendor quality, with selection criteria based on "highest technically rated, with fair and reasonable price."
What that means is that under Alliant 2, GSA first will rank vendors using a quality rating scale for various categories of IT and organizational competency. Then, after developing a list of qualified vendors, GSA will assess whether the prices are fair and reasonable.
I may have my students design a LEGO datacenter.
… Building LEGO in the real world is great, but it can be a pain if you don’t have the right bricks to realize your imagination. Enter LEGO Digital Designer, an entirely free and official tool that allows you to build virtual LEGO creations. You select bricks from the vast sets and can build whatever your heart desires. You can stack, align, rotate and color the bricks, giving you almost endless options.