Thursday, May 18, 2017

For my Computer Security students.  Train, rinse, repeat.  (And keep repeating!) 
Wanna stop WannaCrypt? Don't pay ransoms, backup data, and train employees

A common refrain: What did they know and when did they know it?
In Freedom of Information Act lawsuit EPIC v. FBI, EPIC has obtained the FBI notification procedures that would have applied to the Russian cyberattacks during the 2016 Presidential election.  The documents obtained by EPIC establish that the FBI Cyber Division is to “notify and disseminate meaningful information to victims and the CND [Computer Network Defense] community.”  The Cyber Division specifically notifies the “individual, organization, or corporation that is the owner or operator of the computer at the point of compromise or intrusion.”  The analysis to determine whether or not to notify the victim, as well as FBI procedures for approval or deferral of notification, the timing of notification, the method of notification, and more were all redacted by the agency.  EPIC intends to challenge these withholdings.  The FBI’s response raises questions about whether the agency fulfilled the obligation to properly notify the victims of the Russian cyberattacks.  The Intelligence Community assessed that both major US political parties were attacked.  The FBI also produced notification procedures for threats to life or serious bodily injury, and certain procedures under the Foreign Intelligence Surveillance Act.  Next in the case, EPIC anticipates the release, on May 26, of FBI communications with political organizations and federal agencies concerning the Russian interference.

Amusing.  Makes you wonder where their lawyers were trained.  (Is there a Trump School of Law?)  Some interesting details in this long post! 
On May 3, Kromtech Security’s research team, conducting routine research, found that confidential and sensitive patient information was exposed on a misconfigured rsync backup device.  As best as they could determine, the data were from patients of Bronx-Lebanon Hospital Center in New York City, but the vendor responsible for the backup device was iHealth Solutions.
As is also their practice, Kromtech downloaded some of the data for verification and research purposes, then attempted to notify the entities.  Kromtech generally does not go public with their findings until after they have been able to reach an entity to ensure that the data are secured.
When Kromtech was not able to reach anyone on May 3 to notify them, they contacted to request assistance in trying to contact the vendor or the hospital.  It took some time – including some frustratingly long calls to the hospital to try to reach an actual person – but eventually, messages were left for both the vendor and the hospital that they had a problem requiring urgent attention.
On May 4, I was gratified to receive several phone calls confirming that the data had been secured and thanking me for my efforts to notify them.
It was a brief honeymoon.  On May 9, Kromtech published their report and I published my first report on the incident without any statement from the hospital or vendor, neither of whom had provided a promised statement.
Then on May 12, coordinated threat letters arrived via email from external counsel for both iHealth and Bronx-Lebanon Hospital. understands that Kromtech Security also received similar letters.
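The exposure above came from an rsync backup device whose daemon was reachable without credentials.  As an added example (not code from the article, Kromtech, or either vendor), the script below audits an rsyncd.conf the way a defender would before putting a backup host on a network: it parses the global and per-module settings and flags any module that lacks auth users or hosts allow, is writable, is listed to anonymous clients, or disables chroot.  The sample configuration, the module names and the paths are constructed for the example; the &include/&merge directives of real rsyncd.conf files are not handled.

```python
import configparser

# Constructed sample rsyncd.conf (not from the page or any real vendor).
# [backups] is the kind of module that leaks data; [restricted] is locked down.
SAMPLE_RSYNCD_CONF = """\
# global settings apply to every module unless overridden
uid = nobody
gid = nogroup
use chroot = yes
max connections = 4

[backups]
path = /srv/backups
comment = nightly database dumps
read only = no
list = yes

[restricted]
path = /srv/restricted
read only = yes
list = no
auth users = backupuser
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.0/8
"""


def parse_rsyncd_conf(text):
    """Return (global_settings, {module: settings}) for an rsyncd.conf.

    rsyncd.conf is INI-like, but settings may appear before the first
    [module] header; a synthetic [global] header is prepended so that
    configparser accepts them.  Keys are case-insensitive in rsync and
    configparser lowercases them, so lookups below use lowercase keys.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[global]\n" + text)
    global_settings = dict(cp["global"])
    modules = {name: dict(cp[name]) for name in cp.sections() if name != "global"}
    return global_settings, modules


def _truthy(value):
    """rsync accepts yes/true/1 for boolean parameters."""
    return str(value).strip().lower() in {"yes", "true", "1"}


def audit_module(settings, global_settings):
    """List exposure problems for one module.

    Module-level settings override global ones, as in rsync itself.
    Defaults mirror rsync's: 'read only' and 'list' default to yes.
    """
    eff = {**global_settings, **settings}
    problems = []
    if not eff.get("auth users"):
        problems.append("no 'auth users': any client can connect without a password")
    if not eff.get("hosts allow"):
        problems.append("no 'hosts allow': reachable from any source address")
    if not _truthy(eff.get("read only", "yes")):
        problems.append("'read only = no': clients may write or delete data")
    if _truthy(eff.get("list", "yes")) and not eff.get("auth users"):
        problems.append("'list = yes': module is advertised to anonymous clients")
    if not _truthy(eff.get("use chroot", "yes")):
        problems.append("'use chroot = no': symlinks may point outside the module path")
    return problems


def audit_rsyncd_conf(text):
    """Map each module name to its list of problems (empty list means clean)."""
    global_settings, modules = parse_rsyncd_conf(text)
    return {name: audit_module(s, global_settings) for name, s in modules.items()}


def exposed_modules(text):
    """Modules reachable anonymously: neither 'auth users' nor 'hosts allow'."""
    return sorted(
        name for name, problems in audit_rsyncd_conf(text).items()
        if any(p.startswith("no 'auth users'") for p in problems)
        and any(p.startswith("no 'hosts allow'") for p in problems)
    )


if __name__ == "__main__":
    for name, problems in audit_rsyncd_conf(SAMPLE_RSYNCD_CONF).items():
        print(f"[{name}] {'EXPOSED' if problems else 'OK'}")
        for p in problems:
            print("   -", p)
```

Run against a real file with `audit_rsyncd_conf(open("/etc/rsyncd.conf").read())`; a network restriction in front of the daemon is still worth having even when every module passes, since rsync's own authentication is not encrypted on the wire.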

Some good, some bad. 
What you should know about Twitter’s latest privacy policy update
When you visit a site that features a tweet button or an embedded tweet, Twitter is able to recognize that you’re on that site and use that information to target you with ads.  And now it’s going to hang onto that information for a bit longer but give you more control over it.
Twitter updated its privacy policy on Wednesday so that it can use the information it collects about people’s off-Twitter web browsing for up to 30 days, as opposed to the previous 10-day maximum, according to the updated document that takes effect on June 18.
   Coinciding with the update, Twitter has also added a new section to the settings menu on its site and in its mobile apps that details the information Twitter uses to target a person with ads and lets that person deselect individual interest categories and request a list of the companies that use Twitter’s Tailored Audiences option to target them with ads based on information like their email address, Twitter handle or whether they visited the advertiser’s site or used its mobile app.
At the same time Twitter is giving people more control over how they are targeted, it is removing support for Do Not Track, which people can use to ask every website they visit not to track their behavior in order to target them with ads.

What will be “the next big thing?”  Here are a couple of possibilities. 
The five big announcements from Google I/O
1/ Google Lens
It will be a while before Google Lens is available, but today it was the centrepiece of the keynote.
The app uses image recognition to identify objects appearing in your camera lens in real-time. It means you can point a smartphone at a flower and be told exactly what it is.
Or, and this feature drew a massive cheer here, you can point it at the sticker on the back of a wifi router - the one containing the long password you need to enter - and the app will know it’s a wifi password and automatically connect you to the network without the need for manual input. [A “must have” for my Ethical Hacking students!  Bob]
Other uses could be pointing it at a restaurant and getting instant reviews or menus, or even scanning a menu in a different language, having it translated, and being able to ask “what does that dish look like?” and be shown a photograph of the meal.  
4/ VPS - visual positioning system
Most of us are familiar with GPS - global positioning system - but that technology can only get you so far.  Though terrific for travelling around large areas outside, GPS has real limitations when you need something more accurate.
Google thinks VPS - visual positioning system - is how to fill that gap.  Using Tango, a 3D visualisation technology, VPS looks for recognisable objects around you to work out where you are, with an accuracy of a few centimetres.  

A day late and a dollar short?  Does this mean taxis will charge like Uber? 
Square Will Replace Meters in Washington Taxis
Washington, D.C., is enlisting Square Inc.’s help as its taxi commission tries to help the city’s cabbies compete with Uber drivers.  By the end of August, all of the taxis in Washington have to tear out their traditional meters and start using smartphones or tablets, in what the city government has been describing as a complete reimagining of how the cab system works.  On Wednesday, the Department of For-Hire Vehicles is announcing that Square will process the payments going through those mobile devices.  

How to add a few million potential customers in countries where smartphones are a bottleneck…
Google and Indian e-taxi giant Ola unveil Progressive Web App that brings native experience to low-end smartphones
Ola, the Uber of India, has announced a partnership with Google to launch a so-called Progressive Web App (PWA) designed to open its platform to millions of users who don’t yet have the latest and greatest smartphones.
   Basically, they offer many benefits over traditional native apps, including being lightweight and requiring less data to operate.  This is key in emerging markets where access to affordable mobile internet and powerful smartphones is limited.

(Related).  Keeping the flow of cheap phones coming?  
Apple Is Now Assembling a Low-Cost iPhone in Southern India

Perspective.  How do we make money from this? 
Pew – Tech Adoption Climbs Among Older Adults
by Sabrina I. Pacifici on May 17, 2017
“A record 46 million seniors live in the United States today, and older Americans – those age 65 and older – now account for 15% of the overall U.S. population.  By 2050, 22% of Americans will be 65 and older, according to U.S. Census Bureau projections.  At the same time America is graying, recent Pew Research Center surveys find that seniors are also moving towards more digitally connected lives.  Around four-in-ten (42%) adults ages 65 and older now report owning smartphones, up from just 18% in 2013.  Internet use and home broadband adoption among this group have also risen substantially.  Today, 67% of seniors use the internet – a 55-percentage-point increase in just under two decades.  And for the first time, half of older Americans now have broadband at home.”

Apparently, not a big deal? 
E.U. Fines Facebook $122 Million Over Disclosures in WhatsApp Deal
Europe’s love affair with Facebook may be coming to an end.
On Thursday, the European Union’s powerful antitrust chief fined the social network 110 million euros, or about $122 million, for giving misleading statements during the company’s $19 billion acquisition of the internet messaging service WhatsApp in 2014.
The fine — one of the largest regulatory penalties against Facebook — comes days after Dutch and French privacy watchdogs ruled that the company had broken strict data protection rules.  Other European countries, notably Germany, are clamping down on social media companies, including issuing potentially hefty penalties for failing to sufficiently police hate speech and misinformation.
The European Union’s antitrust chief, Margrethe Vestager, said that Facebook had told the European Commission, the executive arm of the European Union, that the social network would not combine the company’s data with that of WhatsApp, which has more than one billion users.
Yet last August, Facebook announced that it would begin sharing WhatsApp data with the rest of the company.  That could allow it to gain an unfair advantage over rivals, by giving it access to greater amounts of data to help support its online advertising business.
   In response, Facebook said that it had acted in good faith in its deliberations with Europe’s antitrust officials, and that it would not appeal the financial penalty.
“The errors we made in our 2014 filings were not intentional,” Facebook said in a statement.  “The commission has confirmed that they did not impact the outcome of the merger review.”

Trends are trending! 
US Courts – Interactive Database Aids the Study of Judiciary Trends
by Sabrina I. Pacifici on May 17, 2017
“A recently enhanced database that houses information about civil and criminal federal cases dating to 1970 is now available to researchers and the public on the Federal Judicial Center’s website as part of a partnership with the Administrative Office of the U.S. Courts.  The interactive database contains docket information from district, appellate, and bankruptcy court filings and terminations, including plaintiff and defendant names, filing date, termination date, disposition of the case, type of lawsuit, jurisdiction, and docket number.  It excludes judges’ names as a preventative measure against judge-shopping by plaintiffs.  Use of the database is free and it allows for multiyear data analyses.  Data can be downloaded in annual and multi-year batches, or users can select their target cases using the database’s interactive feature.  For several decades it has been a frequent tool for academic researchers studying workload trends in the federal Judiciary.  For example, it’s been used in the past to examine how plea bargaining and charging outcomes have changed over time in response to changes in sentencing laws and to analyze the market impacts of corporate lawsuits involving publicly traded companies.  It is also useful as a sort of “shopping list” for the PACER database, the federal Judiciary’s online service that makes judicial opinions, motions, pleadings and other actual records of cases available to the public.  Using the database on the FJC’s site in conjunction with PACER can help users zero in on the types of records sought, saving unnecessary document downloads.  The revamped database adds in some data sets that were not in earlier versions: civil-case plaintiff and defendant names and docket numbers.  It will also be updated with recent case information more frequently than in the past.”

Tools for geeks?
Google opens Android Instant Apps SDK to all developers
At its I/O 2017 developer conference today, Google launched the Android Instant Apps SDK.  Now all developers can write Android Instant Apps, as opposed to just a handful of partners.

For the toolkit.
   Along with biking directions that take you along the friendliest routes, Google Maps can display elevation levels, which are pulled from geographical data.  If you are searching for the most bicycle-friendly routes, take advantage of this information!
   Serious cyclists don’t mind a hill or two. Because they know that if there’s a tough climb, then there’s also a pleasant descent.  Either way, give Google Maps a try the next time you decide to push the pedals.  There are many bicycling websites and bike apps that can help you find the best bike paths, and Google Maps should be one of them.

I’m not a big fan either, but this may help me communicate with my students.  Also, Colorado seems to be mentioned a lot. 
The Emoji States of America – a new way to present government data
by Sabrina I. Pacifici on May 17, 2017
I admit to not being an emoji aficionado, so to make up for this apparent deficit, I offer you The Emoji States of America – via Axios Visuals Editor Lazaro Gamio:
“This visualization is a modified version of Chernoff Faces, a technique that maps multiple statistical values to the features of a face. Because it’s 2017, we expanded on the technique and made Chernoff Emojis. Each part of the emoji is controlled by the state’s ranking in a given metric, which range from the uninsured rate to the percent of adults who report getting enough sleep.”
  • Eyebrows: The more furrowed the brow, the lower a state ranks in the unemployment rate. (Worst: New Mexico; best: Colorado)
  • Eye size: The larger the eyes in each face, the larger the share of adults over 25 with a bachelor’s degree. (First: Colorado; last: West Virginia)
  • Chin: The more noticeable this feature is, the higher this state ranks in obesity rates. (Highest: Louisiana; lowest: Colorado).”
