Wednesday, December 20, 2017

Unless something bigger happens, this is probably the breach I’ll talk about in my first Computer Security class. Not just another case of: “The default is ‘Public’ and we forgot to change it.” Amazon has changed the default to “Specified users only.” These bozos changed it to “Anyone with a free Amazon Web Services account!”
Massive leak exposes data on 123 million US households
… Though no names were exposed, the data set included 248 different data fields covering a wide variety of specific personal information, including address, age, gender, education, occupation and marital status. Other fields included mortgage and financial information, phone numbers and number of children in the household.
"From home addresses and contact information, to mortgage ownership and financial histories, to very specific analysis of purchasing behavior, the exposed data constitutes a remarkably invasive glimpse into the lives of American consumers," UpGuard researchers Chris Vickery and Dan O'Sullivan wrote in their analysis.
… The repository contained massive data sets belonging to Alteryx partner Experian, a consumer credit reporting agency that competes with Equifax, and the US Census Bureau, researchers said.


(Related). More details…
Home Economics: How Life in 123 Million American Households Was Exposed Online
While the Census data consists entirely of publicly accessible statistics and information, Experian’s ConsumerView marketing database, a product sold to other enterprises, contains a mix of public details and more sensitive data. Taken together, the exposed data reveals billions of personally identifying details and data points about virtually every American household.
… While, in the words of Experian, “protecting consumers is our top priority,” the accumulation of this data in “compliance with legal guidelines,” only to then see it left downloadable on the public internet, exposes affected consumers to large-scale misuse of their information - whether through spamming and unwanted direct marketing, organized fraud techniques like “phantom debt collection,” or through the use of personal details for identity theft and security verification.
… On October 6, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered an Amazon Web Services S3 cloud storage bucket located at the subdomain “alteryxdownload” containing sensitive consumer information. While the default security setting for S3 buckets would allow only specifically authorized users to access the contents, this bucket was configured via permission settings to allow any AWS “Authenticated Users” to download its stored data. In practical terms, an AWS “authenticated user” is “any user that has an Amazon AWS account,” a base that already numbers over a million users; registration for such an account is free. Simply put, one dummy sign-up for an AWS account, using a freshly created email address, is all that was necessary to gain access to this bucket’s contents.
… While the spreadsheet uses anonymized record IDs to identify households, the other information in the fields - as well as another spreadsheet in the bucket, to be discussed shortly - are sufficiently detailed as to be not merely often identifying, but with a high degree of specificity.
[A very long list of fields follows this paragraph. Bob]
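The mechanism UpGuard describes is an ACL grant to the AWS-wide “Authenticated Users” group, which is not the bucket owner’s own users but every AWS account holder. Below is an added auditing example (not code from UpGuard, Alteryx or the article) that checks an S3 bucket ACL, in the dictionary shape boto3’s `get_bucket_acl()` returns, for grants to the two global groups and treats both as public. The sample ACLs and the owner ID are constructed placeholders, not real buckets.

```python
"""
Flag S3 bucket ACL grants to the AWS "global" grantee groups.

A grant to AuthenticatedUsers (the Alteryx bucket's setting) is open to anyone
with any AWS account, which is free to create; a grant to AllUsers is open to
the whole internet. A defender should treat both as "public".
"""

# Real grantee-group URIs used in S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

PUBLIC_GROUPS = {
    ALL_USERS: "anyone on the internet",
    AUTHENTICATED_USERS: "anyone with any AWS account (free to create)",
}


def public_grants(acl):
    """Return [(who, permission), ...] for every grant in `acl` that goes to
    AllUsers or AuthenticatedUsers.

    `acl` has the shape boto3's s3.get_bucket_acl() returns:
    {"Owner": {...}, "Grants": [{"Grantee": {...}, "Permission": "READ"}, ...]}
    READ on a bucket ACL lets the grantee list it; the same grant on the
    objects' ACLs lets them download.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants are scoped to one specific account
        uri = grantee.get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[uri], grant.get("Permission")))
    return findings


def is_effectively_public(acl):
    """True if any grant reaches beyond accounts the owner explicitly chose."""
    return bool(public_grants(acl))


# --- Constructed sample ACLs (placeholders, not real buckets or accounts) ---
OWNER = {"DisplayName": "example-owner", "ID": "0" * 64}  # placeholder canonical ID

# The S3 default: only the bucket owner has access.
ACL_PRIVATE = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]},
         "Permission": "FULL_CONTROL"},
    ],
}

# The misconfiguration the article describes: READ for any AWS account holder.
ACL_AUTHENTICATED_READ = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

# The more familiar mistake: world-readable.
ACL_ALL_USERS_READ = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    samples = [("private", ACL_PRIVATE),
               ("authenticated-users-read", ACL_AUTHENTICATED_READ),
               ("all-users-read", ACL_ALL_USERS_READ)]
    for name, acl in samples:
        verdict = "PUBLIC" if is_effectively_public(acl) else "ok"
        print(f"{name}: {verdict} {public_grants(acl)}")
```

In a live account you would pass `boto3.client("s3").get_bucket_acl(Bucket=name)` straight into `public_grants` for each bucket from `list_buckets()`. The console’s “Authenticated Users” checkbox maps to exactly the `AuthenticatedUsers` URI above, which is why it is easy to mistake for “my users only”. Bucket ACLs are only one access path; a bucket policy can grant the same reach, and AWS later added an account-level S3 Block Public Access setting that refuses such grants outright.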




Good News: The threat from North Korea is temporarily reduced. Bad News: Angering the “little fat guy” might result in an attack like the one on Sony.
U.S. says Facebook and Microsoft disabled North Korean cyber threats
Facebook Inc and Microsoft Corp disabled a number of North Korean cyber threats last week, a White House official said on Tuesday, as the United States publicly blamed Pyongyang for a May cyber attack that crippled hospitals, banks and other companies.


(Related).
Australia, Canada, Others Blame North Korea for WannaCry Attack
The United States is not the only country to officially accuse North Korea this week of being behind the WannaCry ransomware campaign. Canada, Japan, Australia and New Zealand have also blamed Pyongyang for the attack.
The U.K. accused North Korea in late October, and the other Five Eyes countries and Japan have now done the same.


(Related).
Three Questions on the WannaCry Attribution to North Korea
… Nonetheless, the attribution raises several important questions.
1. Where’s the evidence?
2. What should be the respective roles of the government and private companies?
3. Did North Korea violate international law?




If any of my Computer Security students admit to using one of these passwords, they immediately fail the course.




An excellent example of a social media “Oopsie!”
Elon Musk accidentally tweets his private phone number
Energy and transport entrepreneur Elon Musk accidentally tweeted his private phone number to his 16.7 million followers on Tuesday.
The Tesla and SpaceX CEO divulged the number in what was meant to be a message to John Carmack, head of technology at virtual reality firm Oculus.
"Do you have a sec to talk? My cell is ..." Mr Musk wrote.




Social media monitoring? We don’t offer that class, yet. (Had some training on similar topics last night though.)
The People Who Read Your Airline Tweets
… Nowadays, people have gotten used to having back-and-forths with customer service representatives. In any given hour, JetBlue makes public contact with 10, 15, 20 different people. American Airlines receives 4500 mentions an hour, 70 to 80 percent of them on Twitter. Both companies staff their social teams with long-time employees who are familiar with the airlines’ systems. Both hire internally out of the “reservations” team, so they know how to rebook flights and make things happen. At American, the average social-media customer-support person has been at the company for 17 years.
Every major airline has a team like this. Southwest runs what it calls a “Listening Center.” American Airlines calls it their “social-media hub” in Fort Worth, Texas. Alaska has a “social care” team in Seattle that responds to the average tweet for help in two minutes and 34 seconds, according to a report by Conversocial.




“We settled on this, so it’s a new law?”
Cory L. Andrews of Washington Legal Foundation has an OpEd that begins:
The Federal Trade Commission (FTC) has developed a well-known penchant for using individually negotiated settlement agreements and consent decrees to announce for the first time what qualifies as “unfair” or “deceptive” conduct under the FTC Act. In the data-privacy arena, FTC views these enforcement actions (and the resulting consent decrees) as a source of “common law” that places the business community on sufficient notice of what data-security practices § 5 of the FTC Act requires.
The U.S. District Court for the Western District of Washington recently ratified that view in a controversial ruling, Veridian Credit Union v. Eddie Bauer. The case arose following a 2016 cyberattack on Eddie Bauer’s network that compromised customers’ payment-card data. Veridian Credit Union, whose cardholders had their data stolen after shopping at Eddie Bauer, brought suit under Washington’s Consumer Protection Act (CPA), which like § 5 of the FTC Act also allows courts to award treble damages to private plaintiffs who are injured by “unfair” or “deceptive” acts. Veridian alleged that Eddie Bauer’s failure to adopt data-security measures that FTC has required in other cases constitutes an “unfair” practice under the Washington CPA.
Read more on Forbes.
The concerns raised in this piece will sound familiar to those who have followed the LabMD case and/or the academic scholarship of Dan Solove and Woodrow Hartzog, who have written extensively about the consent decrees as a source of “common law.”




I suppose I will need to explain the “Streisand Effect” to my Computer Security students.
So I’m not sure whether to tag this as “shoot the messenger” or an attack on press freedom – or maybe both, but MANX Radio reports:
The firm at the centre of the Paradise Papers says it’s pursuing legal action against those who made allegations.
Appleby, which has a large office in Douglas, had millions of confidential files leaked earlier this year, sparking a global debate about tax ethics.
Many of them surrounded the affairs of wealthy individuals operating in the Isle of Man.
There has been speculation over the legality of the data leak since it went public in November – and now Appleby has formally hit back, saying it is ‘obliged’ to file proceedings against the UK outlets who broke many of the stories.
I know that press rules are different in the UK and other areas than they are here, but I’d love to know exactly what law(s) Appleby alleges have been violated – are they claiming that the news outlets violated law by simply receiving/possessing the leaked documents?
Bosses have demanded The Guardian and the BBC hand over the documents they’ve seen and used in investigations.
Oh my. I don’t know how that works elsewhere, but over here, there would certainly be vigorous resistance to any such demand.
The firm is also seeking damages, claiming there was ‘no public interest’ in any of the stories published.
Did the public read the stories and discuss them? Did they seek more coverage? And if so, was their interest just idle curiosity or was there something meaningful to the public about revelations in the news reports?
Both media outlets have vowed to defend themselves in any future proceedings.
I wonder if Appleby has heard of the Streisand Effect. I just don’t see this litigation really helping them.




Interesting. Could the state of Colorado do the same?
High-speed broadband to be legal right for UK homes and businesses
Government says internet providers will be legally obliged from 2020 to meet user requests for speeds of at least 10Mbps




Perspective.
Here come the drones
December 19, 2017 – 8% of Americans say they own a drone, while more than half have seen one in operation: “Drones are catching on as consumer goods. As of mid-2017, 8% of Americans say they own a drone and 59% say they have seen one in action, according to a Pew Research Center survey. But while drones – that is, aircraft without on-board human pilots – are more prevalent than they were a few years ago, many have reservations about where and under what circumstances their use should be allowed. The survey shows modest differences in rates of ownership by gender and age. Slightly more men (11%) than women (6%) say they own a drone, as do more people ages 18 to 49 (12%) compared with those 50 and older (4%).”




Perspective.
New consumer survey shows cable subscribers are now EVEN with Netflix
… In an October study with nearly 2,000 American participants aged 18 to 59, the percentage of consumers who utilized cable TV and Netflix in 2017 was even.
The report reveals that 73 percent of respondents were subscribed to pay-TV this year, which is 'down from 76 per cent last year and 79 per cent the year before,' according to the survey conducted by PricewaterhouseCoopers.
Likewise, the same percentage said they were subscribed to Netflix this year.
Another shocking part of the survey finds that a whopping 82 per cent of sports watchers admit they would 'end or trim their pay-TV subscription if they no longer needed it to access live sports.'




As we expand our use of the “flipped classroom” these become more useful. And not just on Chromebooks.
Seven Ways to Create Screencasts on Chromebooks
With the addition of Screencast-O-Matic there are now seven tools that teachers and students can use to create screencast videos on their Chromebooks.
If you missed yesterday's news, Screencast-O-Matic is currently offering a public beta of their Chrome app. To use Screencast-O-Matic on your Chromebook you will need to go to this page while on your Chromebook, click launch recorder, install the Chrome app when prompted, and then start recording your screen. Screencast-O-Matic on a Chromebook will let you record for up to fifteen minutes per video. You can include your own narration as well as sounds from your Chromebook in your screencasts. Completed videos can be saved to Chromebook or saved directly to Google Drive.
Loom is a free screencasting tool that works on Chromebooks, Macs, and Windows computers. Loom is a Chrome extension. With Loom installed you can record your desktop, an individual tab, and or your webcam. That means that you could use Loom to just record a webcam video on a Chromebook. Of course, this also means that you can use Loom to record your webcam while also recording your desktop. Loom recordings can be up to ten minutes long. A completed recording can be shared via social media and email. You can also download your recordings as MP4 files to upload to YouTube or any other video hosting service.
Soapbox is a free tool from Wistia that makes it easy to create great screencast videos on a Chromebook or any computer that is using the Chrome web browser. With Soapbox installed in the Chrome web browser you can quickly record your screen and your webcam at the same time. The most distinguishing feature of Soapbox is that you can have your video transition from your screen to your webcam to a combination of the two. Soapbox includes some simple editing tools for zooming in on an area of your screen and calling attention to specific parts of your screen.
ViewedIt is a free Chrome extension that makes it quick and easy to create and share screencast videos. With the extension installed you can record your entire screen or just one window tab. ViewedIt will let you record yourself with your webcam too. The best part of ViewedIt is that you can track who watches your video. To record on ViewedIt you simply have to click the extension icon then choose what you want to record. When you're done recording your video is automatically stored on ViewedIt. From ViewedIt you can share your video via email and social media. If you choose to share via email, you will be able to track who watched your video.
Nimbus Screenshot is my favorite tool on this list because of its ease of installation and it is the only tool on this list that provided a customizable countdown timer. I like the countdown timer because it gives me a few seconds to prepare to start talking over my screencast. The other tools just started recording the second that I hit the record button. Nimbus Screenshot was also the easiest to install and configure on my Chromebook. Screencasts recorded with Nimbus Screenshot can be saved to your local drive or to an online Nimbus account. I usually choose to save to my local drive then upload to my YouTube channel. You can also save to your local drive then send it to Google Drive or another online storage service.
CaptureCast lets you record your webcam while recording your screen which you cannot do with the Nimbus tool. You can choose to record your screen, your screen and your webcam, or just your screen or just your webcam. CaptureCast gives you three options for recording definition. So if you're on a slower network you can choose a lower resolution recording to save processing time. CaptureCast lets you save a recording locally or send it to YouTube or to Vimeo.
Screencastify might have the most name recognition in this list, but I don't like it as much as some other tech bloggers like it. The set-up process asks a lot of questions that could confuse new users. The free version limits recordings to ten minutes and puts a watermark on the recording. On the upside, there is an option to upload directly to YouTube.




Since Math is a prerequisite for any of the programming classes, this could become useful too.
ADA Project - An Open Multimedia Mathematics Textbook
ADA Project is a great resource being developed by a mathematics teacher named Sam Powell. The ADA Project is an open multimedia mathematics textbook that covers everything from basic arithmetic through calculus.
When you visit the ADA Project's homescreen you can choose a category then choose a topic. Within each topic you will find a set of sample problems. Each sample problem is accompanied by a link to reveal the answer, the solution, a video about the solution, and a link to a discussion forum. Take a look at this set of long division problems to get a sense of how the ADA Project works.
Teachers are invited to contribute to the ADA Project's development by submitting problems, solutions, videos, and discussions. You can submit one or all four of those pieces for inclusion in the ADA Project. The submission form is found here.
Although it is off to a great start, the ADA Project is still a work in progress. At this point it will make a good supplement to the textbook and other reference materials that you use in your mathematics lessons.
The ADA Project will get better through the contributions of other mathematics teachers who make submissions to it.

