Saturday, January 21, 2017

A useful post on the taxonomy of security breaches.  (You can’t tell the players without a scorecard.)
For the past year, I’ve been criticizing entities that describe their data leaks as “hacks” (cf, this article of mine on The Daily Dot or this post as examples).  More recently, Zack Whittaker has also forcefully raised that issue on ZDNet.  Whether other journalists will adapt their language and correctly report incidents as “leaks” instead of “hacks” – regardless of what the entity may claim – remains to be seen over time.  But there’s a second language issue that this blogger would also like to see addressed: overuse or misuse of the word “ransomware.”
[Much more follows.  Bob]

Satan RaaS Promises Large Gains With Zero Coding Needed
A newly discovered family of ransomware is being offered via the Ransomware-as-a-Service (RaaS) business model, allowing cybercriminals to easily customize their own versions of the malware, researchers explain.
Dubbed Satan, the new ransomware family was discovered by security researcher Xylitol and is available for any wannabe criminal, as the service only requires the creation of an account to get started.  The profits are split with the malware authors, who claim to retain only a 30% cut, thus making the RaaS sound highly interesting to many.

This is not a good thing!  It means anyone can attack your systems!
Cyber Threat Intelligence Shows Majority of Cybercrime is NOT Sophisticated
It’s a new year and while some things change, some things stay the same (or similar).  There’s lots of FUD about the sophisticated cyber attacks that are multi-threaded and obfuscated.  Certainly there are attacks that fall into this category, but if you look at all of the cybercrime activity from the past year, it’s clear that the majority of threats do not have the level of sophistication that is often talked about. 
Rather, what cyber threat intelligence is showing us is that most threats simply exploit a series of well-documented vulnerabilities and other weak points to move along the path of least resistance – and the most profit.  Let’s look at some of the top threats out there today through the prism of the threat triangle, which is the actor’s capability, intent and opportunity: 

What Computer Security managers should be thinking about.
Sami Paracha of Taylor Wessing has an article on cyber-extortion and ransom demands from a UK perspective.  It makes for interesting reading.  The article begins:
Cyber Security is an omnipresent risk for most businesses.  And it is a growing risk given the more frequent and serious cyber attacks, higher costs for proactively managing these risks (or curing a cyber security breach), and potentially higher fines following a breach with implementation of the GDPR [General Data Protection Regulation  Bob] on the horizon.  The approximately 500 million recently compromised Yahoo accounts are a pertinent reminder of these risks.  CFC Underwriting has also recently commented that it is being notified of claims under its policies at a rate of more than one a day, particularly from SMEs with revenue under £50m and “ransomware” is behind a significant number of claims[1].
Cyber extortion, including threats and/or ransom demands connected with cyber attacks, is a risk which can cause great uncertainty for businesses – particularly in relation to how the extortion threat should be handled, for example, whether a ransom demand should be paid, whether such payment is legal and whether insurers may cover the ransom payments.
Read more on Lexology, and ask yourself whether you know if your insurance policy would cover a ransom or extortion demand, and under what conditions.  Of course, that’s a somewhat separate question of whether entities should pay a ransom demand, and the questions Paracha raises are the same ones we’ve seen elsewhere, i.e., they do not appear to be country-specific.

My students were discussing this last week.  I don’t think they are ready to give up banks altogether, but I did get them thinking.
Much has been made of the fact that a new breed of financial technology (or fintech) companies is unbundling banks in the developed world.  Startups are attacking all of the components of the traditional bank value proposition (e.g., accounts, portfolio management, mortgages, car loans, person-to-person payments).  Over the past five to six years there has been a rush of capital and talent into startups; investment in them has grown nearly eightfold since 2011.  While their innovative products have been a boon to consumers in mature economies, the resulting efficiency and security benefits have largely bypassed the 2 billion consumers in the developing world who lack formal banking services altogether.
However, there are signs that this is changing.  Encouraged by the dramatic increase in the number of people with mobile phones in the developing world, new fintech players are attempting to disrupt the existing financial order in these markets: the money lenders and informal remittance services that often have been the only option for much of the population.
Our initiative, the Digital Financial Services Lab, is trying to be a catalyst for this transformation.  To that end, it is working with entrepreneurs to introduce innovative solutions to the developing world.  A number of the companies mentioned in this article are in DFS Lab’s portfolio.

Because, yes you really do need one.
You’ve heard it a thousand times: you need antivirus protection.  Macs need it.  Windows PCs need it. Linux machines need it.  Modern antivirus apps have gotten so easy to download and run that you barely need to do anything at all.  Plus you can get some of the best ones for free.  You really have no excuse.  So grab one of these ten and start protecting your computer!

Friday, January 20, 2017

Not the richest target, but perhaps an easy one.  
WTAE reports:
Hackers have infected every public computer in the St. Louis Public Library system, stopping all book borrowing and cutting off internet access to those who rely on it for computers.
[…] According to the library, hackers demanded $35,000 in the electronic currency Bitcoin — but the library refuses to pay.  Instead, it’ll wipe the entire computer system and reset it, which could take days or weeks.
Read more on WTAE.

Ethical Hacking for fun and ….  for fun!
You can learn to be an ethical hacker and possibly launch a new career with these courses from MakeUseOf Deals for a limited time!  We have three bundles that will teach you all the skills you need to know!  And they’re all heavily discounted!

For my Computer Security students. 
How to get fired in 2017: Have a security breach
There are many reasons why IT professionals can be fired, but six out of the top nine are related to security, said a survey released this morning.
For example, having a tech investment that leads to a security breach was considered a fireable offense by 39 percent of organizations, according to Osterman Research, which conducted the survey.
A data breach that becomes public was a fireable offense for 38 percent of companies.
Other fireable offenses included failing to modernize a security program, data breaches with unknown causes, data breaches that do not become public, and the failure of a security product or program investment.

Failing to meet regulatory compliance and getting a large fine or penalty, was the top offense, with 68 percent of organizations considering it reason for dismissal.
Some of this may not, strictly speaking, be the employee's fault.  If a very dedicated attacker, such as a foreign country, is committed to getting the data, there's very little that an organization can do to stop them.

More information just in time for my Computer Security class.  
Number of U.S. Data Breaches Increased in 2016: Report
The number of data breaches disclosed by organizations in the United States has increased by 40 percent in 2016 compared to the previous year, according to a report released on Thursday by CyberScout (formerly IDT911) and the Identity Theft Resource Center (ITRC).
ITRC has counted 1,093 breaches and more than 36 million exposed records across sectors such as financial, business, education, government and military, and healthcare.  While this is an all-time record high and a significant increase from the 780 breaches reported in 2015, experts believe this upwards trend is also due to more states disclosing incidents on their websites.
It’s also worth noting that while 36 million records might not seem much, ITRC has pointed out that half of the breach notifications did not disclose the number of exposed records.
   The complete list of breached organizations and information on each incident are available in ITRC’s 2016 Data Breach Report.

Another article for my Computer Security students.
DHS Publishes National Cyber Incident Response Plan
   The NCIRP has three main goals: define the responsibilities and roles of government agencies, the private sector and international stakeholders; identify the capabilities required to respond to a significant incident; and describe how the government will coordinate its activities with the affected entity.

I bet no one is ready to train their employees.  Who does this kind of training?
Christian B. Nagel, Todd R. Steggerda, Ronald L. Fouse, David G. Dargatis, and Edwin O. Childs of McGuireWoods LLP write:
Beginning January 19, federal government contracts will contain additional training requirements for contractors who deal with personally identifiable information (PII) or with a system of records.
Affected contractors must provide privacy training to their employees, and be prepared to provide documentation of the training to the appropriate contracting officer.
Read more on Lexology.

Why did you keep asking, “Where’s the best place to hide a body?” 
How to find, view, and delete everything the Amazon Echo and Google Home know about you
   In order to fulfill your requests, however, both of these voice-activated digital assistants must upload your verbal commands to the cloud.  Just what does that entail?  The short answer is that your commands are saved to your Amazon or Google account respectively.  And the more you use these devices, and the more services you link to them, the more their respective manufacturers will know about you.  Those insights can range from what kinds of movies and music you like to what time you go to bed.

Is this really the first lawsuit asking for this information?
EPIC Sues FBI for Details of Russian Interference with 2016 Election
by Sabrina I. Pacifici on Jan 19, 2017
“EPIC today filed a Freedom of Information Act lawsuit against the Federal Bureau of Investigation in federal district court in Washington, DC.  The case is designated EPIC v. FBI, No. 17-127 (D.D.C. filed Jan. 18, 2017).  The complaint states “EPIC challenges the FBI’s failure to make a timely decision concerning EPIC’s request for expedited processing of the FOIA request for records about the Russian interference with the 2016 Presidential Election.”

I can see the ads now: “Government tested, government approved!”  
NHTSA’s full final investigation into Tesla’s Autopilot shows 40% crash rate reduction
The U.S. National Highway Traffic Safety Administration has released its full findings following the investigation into last year’s fatal crash involving a driver’s use of Tesla’s semi-autonomous Autopilot feature.  The report clears Tesla’s Autopilot system of any fault in the incident, and in fact at multiple points within the report praises its design in terms of safety, and highlights its impact on lowering the number of traffic incidents involving Tesla vehicles overall.
The full report is embedded below, but some sections of note include a section where NHTSA notes that crash rates involving Tesla cars have dropped by almost 40 percent since the wide introduction of Autopilot.  It also notes that its investigation did not find any defects in the design or implementation of Tesla’s automatic emergency braking systems (AEB) or its Autopilot cruise features.  The report also states that Tesla properly anticipated the potential for driver misuse in the design of Autopilot, studied those potential effects and incorporated it into the product’s final design before broad rollout.

One of the new business models in the Automotive industry.  Just a step down the road to an all ‘transportation by App’ economy? 
Cadillac wants to eliminate the headache of car ownership
Cadillac is diving into the world of premium subscription services with Book — a program that removes some of the minutiae of owning a car.  Much like subscription services including Spotify and Netflix, Cadillac Book will let you enjoy the car without having to put in the legwork usually associated with ownership.  Sure, the price — $1,500 a month — might make dealing with insurance companies, paying taxes and registration fees slightly more attractive but you also get open access to the entire line of brand-new Cadillacs.
   Car requests are made via smartphone app and delivered to the customer by a concierge service … which means you could jump from commuting in a CT6 during the week to ruining the tires on a CTS-V for the weekend.

Not all transitions of power are smooth.
Gambia crisis: Jammeh given last chance to resign as troops close in
Mr Jammeh was given until noon to leave office or be forced out by UN-backed regional forces, but the deadline was extended to allow last-ditch talks.
Troops have been told to halt their advance until the talks are over.
The Economic Community of West African States (Ecowas) is acting in support of new President Adama Barrow, who was sworn in on Thursday.
His legitimacy as president has been recognised internationally, after he was voted in last month.

"When in trouble or in doubt, run in circles, scream and shout."  You can send me my consulting fee in Euros.  This is not the ‘Bully Pulpit’ Teddy Roosevelt was using.
Companies drafting emergency plans for Trump tweets
Companies and industry groups are turning to lobbyists with a pressing question: What should we do if President-elect Donald Trump attacks us on Twitter?
   “The Washington ecosystem has had no catch-up time to understand it and learn how to engage it in an effective way,” he said.
Murray said companies used to have a window of time to figure out their response to criticism from lawmakers and public officials.  Thanks to social media, that time is gone. 

I toss this in because our system of teaching seems broken to me.
Should all countries use the Shanghai maths method?
The life of a teacher in a Shanghai primary school differs quite a bit from that of teachers in most other countries.  For one thing each teacher specialises in a particular subject - if you teach maths, you teach only maths.
These specialist teachers are given at least five years of training targeted at specific age groups, during which they gain a deep understanding both of their subject and of how children learn.
After qualifying, primary school teachers will typically take just two lessons per day, spending the rest of their time assisting students who require extra help and discussing teaching techniques with colleagues.
"If you compare that to an English practitioner in a primary school now, they might have five days of training in their initial teacher training year, if they're doing the School Direct route, for example," says Ben McMullen, head teacher of Ashburnham Community School, London.

Have I mentioned that I like lists?  I like seeing what others consider important.  Occasionally I learn new things. 
In no particular order, let’s step through twelve Windows apps everyone should install right away, along with alternatives for each category.

Thursday, January 19, 2017

What is cheaper?  Scientific research or hacking?  Note that an Admin actually looked at traffic! 
New "Quimitchin" Mac Malware Emerges Targeting Scientific Research
   It was discovered when an IT admin noticed unusual traffic coming from a particular Mac.  Investigation led Malwarebytes to the espionage malware it now describes as Quimitchin (named after Aztec spies who would infiltrate other tribes -- the spies and the code are both ancient).
   Its primary purpose seems to be screen captures and webcam access, making it a classic espionage tool.  "It seems that this malware is trying to exfiltrate data from anything it can access.  Since this has been seen infecting Macs at biomedical facilities, we believe it's being used for espionage to steal scientific data -- but we don't know at this point who might be behind the malware," he said.
Somewhat surprisingly the code uses antique system calls.  "These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days," he wrote in the blog post.  "In addition, the binary also includes the open source libjpeg code, which was last updated in 1998."
   Quimitchin consequently presents a conundrum.  It is simple in design, yet seems to have been undetected for several years.  "The only reason I can think of that this malware hasn't been spotted before now," suggests Reed, "is that it is being used in very tightly targeted attacks, limiting its exposure.

Interesting.  I wonder if we can get the raw data to do some more detailed research?
Cyber Skills Gap Quantified in Terms of Supply and Demand
Indeed, which describes itself as the world's number one jobs site, has now provided facts and figures from its own experiences.  It does this by comparing security vacancies (industry demand) against click-interest (supply) from job seekers.  The difference between the two figures demonstrates the size of the skills gap in terms of both security specifics and global region.  Since Indeed is able to compare the difference today with the difference from two years ago, it is also able to quantify whether the skills gap is widening or narrowing.

Some of these files address topics I thought were urban legends.  Silly me. 
Welcome to the new CIA Freedom of Information Act Electronic Reading Room
by Sabrina I. Pacifici on Jan 18, 2017
The CIA’s declassified database is now online.  Thanks to a MuckRock lawsuit and Mike Best’s diligence, you can now read over 13 million pages of Agency records – “Back in December, we wrote about how the CIA would be placing its previously-inaccessible CREST database online.  The move was a response to our lawsuit, handled pro bono by Kel McClanahan of National Security Counselors, as well as Mike Best’s diligence in trying to manually print and scan the archive.  Today, we’re happy to announce that all 25 years worth of declassified documents are now available – no trip to the National Archives required.”

Stuff I can use in class.
Free for All: NYPL Enhances Public Domain Collections For Sharing and Reuse
by Sabrina I. Pacifici on Jan 18, 2017
New York Public Library – “Today we are proud to announce that out-of-copyright materials in NYPL Digital Collections are now available as high-resolution downloads.  No permission required, no hoops to jump through: just go forth and reuse!  The release of more than 180,000 digitized items represents both a simplification and an enhancement of digital access to a trove of unique and rare materials: a removal of administration fees and processes from public domain content, and also improvements to interfaces — popular and technical — to the digital assets themselves.  Online users of the NYPL Digital Collections website will find more prominent download links and filters highlighting restriction-free content; while more technically inclined users will also benefit from updates to the Digital Collections API enabling bulk use and analysis, as well as data exports and utilities posted to NYPL’s GitHub account.  These changes are intended to facilitate sharing, research and reuse by scholars, artists, educators, technologists, publishers, and Internet users of all kinds.  All subsequently digitized public domain collections will be made available in the same way, joining a growing repository of open materials.”

Wednesday, January 18, 2017

Interesting.  Obviously, he’s not Russian or he’d be trying to take it down now.
DDoS attack against eyed as a valid protest
When Donald Trump is inaugurated as the U.S. President on Friday, Juan Soberanis intends to protest the event -- digitally.
His San Francisco-based protest platform is calling on Americans to oppose Trump’s presidency by visiting the site and overloading it with too much traffic.  In effect, he’s proposing a distributed denial-of-service attack, an illegal act under federal law.  But Soberanis doesn’t see it that way.  [They never do.  Bob] 

You have to plan for and manage any change. 
I think a study I saw recently said about 69% of entities reported data loss or breaches associated with departing employees.  Vic Ryckaert reminds us what can help if you don’t have control of all administrator credentials before you terminate an employee:
Indianapolis-based American College of Education fired its information technology employee last year, according to court documents, but not before an administrative password was changed.
The online college then asked the man to unlock the Google account that stored email and course material for 2,000 students, according to a lawsuit filed by the college.  The man said he’d be willing to help — if the college paid him $200,000.
Read more on IndyStar.
[From the article:  
In May, returning students could no longer access their email accounts, papers and other course work.  Google suspended access after too many failed login attempts to the administrative account.
School officials asked Google for help.  Google, the college said, refused to grant access to anyone other than Williams, who was listed as the account's sole administrator. [Do you see a simple solution here?  Bob]
When officials called Williams, he directed them to his lawyer.
"In order to amicably settle this dispute, Mr. Williams requires a clean letter of reference and payment of $200,000," attorney Calvita J. Frederick wrote in a letter to the college's attorney.

You see why the ‘Best Practice’ is to avoid reuse of passwords.
Credential Stuffing: a Successful and Growing Attack Methodology
Credential theft occurs when attackers breach a system and steal users' access credentials -- usually ID and password.  The ID is most commonly the user's email address.  Credential spilling is when those credentials are made available to other criminals.  Credential stuffing is the large scale use of automated means to test stolen passwords against other unrelated websites.
It is made possible because of the tendency for users to recycle their passwords for multiple accounts.  This means that if criminals can crack stolen passwords from one account, they have legitimate credentials that have quite likely been used on other accounts.
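The pattern the article describes (one source trying many different accounts, each once, mostly failing) is what a defender can look for in login logs. The following is an added example, not from the article: a small detector over constructed audit records; the log format, the IP addresses and the thresholds are all assumptions.

```python
"""Credential-stuffing detection over login audit records (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not from the article). Three sources:
#   203.0.113.5  tries many *different* accounts once each -> stuffing
#   198.51.100.7 one user who mistypes, then logs in       -> normal
#   192.0.2.9    hammers a single account                  -> brute force
SAMPLE_LOG = """\
2017-01-18T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2017-01-18T10:00:01Z ip=203.0.113.5 user=bob@example.com result=FAIL
2017-01-18T10:00:02Z ip=203.0.113.5 user=carol@example.com result=OK
2017-01-18T10:00:02Z ip=203.0.113.5 user=dave@example.com result=FAIL
2017-01-18T10:00:03Z ip=203.0.113.5 user=erin@example.com result=FAIL
2017-01-18T10:00:03Z ip=203.0.113.5 user=frank@example.com result=FAIL
2017-01-18T10:00:10Z ip=198.51.100.7 user=gina@example.com result=FAIL
2017-01-18T10:00:15Z ip=198.51.100.7 user=gina@example.com result=OK
2017-01-18T10:01:00Z ip=192.0.2.9 user=admin@example.com result=FAIL
2017-01-18T10:01:01Z ip=192.0.2.9 user=admin@example.com result=FAIL
2017-01-18T10:01:02Z ip=192.0.2.9 user=admin@example.com result=FAIL
2017-01-18T10:01:03Z ip=192.0.2.9 user=admin@example.com result=FAIL
2017-01-18T10:01:04Z ip=192.0.2.9 user=admin@example.com result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts that logged in OK


def parse(log_text):
    """Aggregate the log by source IP; malformed lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m.group("ip")]
        s.attempts += 1
        s.users.add(m.group("user"))
        if m.group("result") == "FAIL":
            s.failures += 1
        else:
            s.successes.add(m.group("user"))
    return stats


def classify(s, min_attempts=5, min_distinct=5, min_fail_ratio=0.6):
    """Stuffing = many distinct accounts plus a high failure rate from one source.
    Brute force = one account plus a high failure rate. The thresholds are
    assumptions; tune them against the site's real traffic."""
    if s.attempts < min_attempts:
        return "normal"
    fail_ratio = s.failures / s.attempts
    if len(s.users) >= min_distinct and fail_ratio >= min_fail_ratio:
        return "credential_stuffing"
    if len(s.users) == 1 and fail_ratio >= min_fail_ratio:
        return "brute_force"
    return "normal"


def detect(log_text):
    """Map each source IP to its verdict."""
    return {ip: classify(s) for ip, s in parse(log_text).items()}


def compromised_accounts(log_text):
    """Accounts that succeeded from a stuffing source: these are the reused
    passwords that need a forced reset (and a look at what the session did)."""
    stats = parse(log_text)
    return sorted(
        user
        for s in stats.values()
        if classify(s) == "credential_stuffing"
        for user in s.successes
    )


if __name__ == "__main__":
    for ip, verdict in detect(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
    print("reset:", compromised_accounts(SAMPLE_LOG))
```

The one success inside the stuffing burst is the interesting record: a password that was valid here and leaked somewhere else, which is the reuse problem the article points at.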

Something for my Computer Security demonstration team to try?
It’s shockingly easy to hijack a Samsung SmartCam camera
Smart cameras marketed under the Samsung brand name are vulnerable to attacks that allow hackers to gain full control, a status that allows the viewing of what are supposed to be private video feeds, researchers said.
The remote code-execution vulnerability has been confirmed in the Samsung SmartCam SNH-1011, but the researchers said they suspect other models in the same product line are also susceptible.
   It stems from the failure to properly filter malicious input included in the name of uploaded files.  As a result, attackers who know the IP address of a vulnerable camera can exploit the vulnerability to inject commands that are executed with unfettered root privileges.
   The researchers provided more technical details here and also included the following video demonstration:
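The flaw class the article describes, an uploaded file's name reaching a shell unfiltered, has a standard hardened form: an allowlist for the name and an argv list instead of a shell string. Added example, not code from the researchers or from the camera firmware; the command, the upload directory and the test names are assumptions.

```python
"""Upload-filename handling: the flaw class in the article beside a hardened form
(added example)."""
import re
from pathlib import Path

UPLOAD_DIR = "/tmp/upload"  # assumed location, not from the article

# Constructed test names (not from the researchers' write-up).
BENIGN = ["photo.jpg", "cam-01_snapshot.png"]
HOSTILE = ["photo.jpg; echo injected", "../../etc/passwd", "$(date).jpg",
           "a b.jpg", ".hidden", ""]


def unsafe_command(filename):
    """The pattern the article describes: the uploaded name is spliced,
    unfiltered, into a shell command line. Returned as a string only and never
    executed here; handed to a shell, ';' or '$(...)' inside the name becomes an
    extra command that runs with the service's privileges (root, per the article)."""
    return f"/usr/bin/convert {UPLOAD_DIR}/{filename} {UPLOAD_DIR}/thumb.jpg"


# Hardened form, step 1: an allowlist. A basename of letters, digits, '.', '_'
# and '-', not starting with '.', at most 64 characters. Anything else is
# rejected outright rather than "cleaned"; cleaning is where filters go wrong.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def safe_filename(filename):
    """Return the validated basename, or None if it must be rejected."""
    if not filename or not SAFE_NAME.match(filename):
        return None
    if ".." in filename:  # belt and braces: no traversal even with '/' excluded
        return None
    return filename


def safe_argv(filename):
    """Hardened form, step 2: build an argv list instead of a shell string, so
    no shell ever parses the name. Pass it to subprocess.run(..., shell=False),
    ideally from a process that is not running as root."""
    name = safe_filename(filename)
    if name is None:
        raise ValueError("rejected upload filename")
    src = Path(UPLOAD_DIR) / name
    return ["/usr/bin/convert", str(src), str(Path(UPLOAD_DIR) / "thumb.jpg")]


def triage(names):
    """For a batch of names, report which ones the hardened code accepts."""
    return {n: safe_filename(n) is not None for n in names}


if __name__ == "__main__":
    for n in BENIGN + HOSTILE:
        print(repr(n), "->", "accepted" if safe_filename(n) else "rejected")
```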

So, what should the Best Practice be?
Police Body-Worn Camera Legislation Tracker
by Sabrina I. Pacifici on Jan 17, 2017
Via Urban Institute: “Laws governing how and when police body-worn cameras can be used and whether the footage is released vary considerably across the country.  Use our legislation tracker, which we will update periodically, to find out more about passed and pending legislation in your state.  For the latest commentary, click here.”

A ‘promise’ vs. ‘our current policy?’
John Ribeiro reports:
A privacy lawsuit against WhatsApp in India over its new data sharing policy has got momentum with the country’s top court seeking responses from Facebook, WhatsApp and the federal government.
The privacy policy of WhatsApp at launch in 2010 did not allow sharing of user data with any other party, and after Facebook announced its acquisition of the messaging app in 2014, it was “publicly announced and acknowledged” by WhatsApp that the privacy policy would not change, according to the petition filed by Indian users of WhatsApp.
WhatsApp sparked off a furore last year when it said it would be sharing some account information of users with Facebook and its companies, including the mobile phone numbers they verified when they registered with WhatsApp.
Read more on PC World.
If WhatsApp was feeling a tad beleaguered this week, it would be understandable.  In other WhatsApp news, they’ve been addressing accusations that they have a “backdoor” that allows government snooping, an accusation they have firmly denied.  The “backdoor” claims started with a researcher’s report.  You can read a recap of the kerfuffle on Economic Times.

Try to keep up with the terminology, Bob!
Hyperconvergence: What’s all the hype about?
One of the hottest trends in data center technology is hyperconvergence, with early adopters reaping the benefits of cost savings, enhanced data protection, increased scalability and ease of management.
So, what is hyperconvergence?  It’s a way to simplify data center operations and management by combining compute, storage and networking in a single, software-driven appliance.

It’ll never fly.  (Unless Uber is investing in it.  Are they?)  Sounds like ‘fake news’ to me.
Airbus CEO sees 'flying car' prototype ready by end of year
Airbus Group plans to test a prototype for a self-piloted flying car as a way of avoiding gridlock on city roads by the end of the year, the aerospace group's chief executive said on Monday.
Airbus last year formed a division called Urban Air Mobility that is exploring concepts such as a vehicle to transport individuals or a helicopter-style vehicle that can carry multiple riders.  The aim would be for people to book the vehicle using an app, similar to car-sharing schemes.

I have used the Venetian Arsenal as an example of ‘just in time’ manufacturing in use centuries before it became the next big thing.  Those who do not study history…
Most organizations would be happy to last for centuries, as the Venetian Republic did.  From 697 to 1797 AD, Venice’s technological acumen, geographic position, and unconventionality were interlocking advantages that allowed the Most Serene Republic to flourish.  But when change comes suddenly, it can turn strengths into weaknesses and sweep away even thousand-year success stories.
   But, like a lot of successful entities, Venice reached a point where it focused more on exploitation than exploration: Venetian traders followed existing paths to success.  Entrepreneurs chose not to move away from traditional pathways.  Established practices and preferences became more popular than exploration and speculation.  Merchants and traders played the game of incremental innovation by focusing on efficiency and optimization.
   What’s the lesson for entrepreneurs and innovators today?  The stronger the assumption that the future will function as today does, the greater the gravitational force of the status quo.  Organizations set in their ways slow down and never strive for new horizons.  They are doomed to wither.

Something for my students to think about.

As goes Target, so goes the retail industry?  Is that why Walmart is pushing itself online? 
Target Joins Long List of Retailers Killed by Online Shopping
   Same-store sales for November and December decreased 1.3%, Target said on Wednesday. Sales in Target's stores dived 3%, while sales online rose more than 30%.  Target saw sales declines in most of its product categories, led by a high-single-digit drop in electronics and entertainment.

“I’m shocked.  Shocked I tell you!”
Most Americans think Trump's tweets are a bad idea: poll
WSJ/NBC poll finds 47% of Republicans also uneasy
Americans have a clear message for Donald Trump: Stop tweeting!
A new Wall Street Journal/NBC News poll finds that a strong majority believes that the president-elect's prolific use of Twitter is a bad idea.
Some 69% of adults agreed with the statement that his use of Twitter is bad because "in an instant, messages can have unintended major implications without careful review."

Tuesday, January 17, 2017

Ignore warnings at your peril. 
McDonald's Website Flaws Allow Phishing Attacks
A researcher has disclosed a couple of unpatched vulnerabilities affecting the official McDonald’s website after the company ignored his attempts to responsibly report the issues.
Dutch security enthusiast Tijme Gommers discovered a reflected cross-site scripting (XSS) vulnerability in the search functionality of the McDonald’s website.
   According to the researcher, the McDonald’s website decrypts the password client side using a cookie that is valid for an entire year.  Since the same key and initialization vector are used for every customer, it’s easy to obtain a password in plain text.
An attacker can create a link that exploits the XSS vulnerability to load an external JavaScript file.  Once the user clicks on the malicious link, their password is decrypted and sent to the attacker.  Gommers said the vulnerabilities also expose names, addresses and other details.

For my Computer Security students.  Does this become a Best Practice by default? 
Google reveals its servers all contain custom security silicon
Google has published an Infrastructure Security Design Overview that explains how it secures the cloud it uses for its own operations and for public cloud services.
Revealed last Friday, the document outlines six layers of security and reveals some interesting factoids about the Alphabet subsidiary's operations, none more so than the revelation that “we also design custom chips, including a hardware security chip that is currently being deployed on both servers and peripherals.  These chips allow us to securely identify and authenticate legitimate Google devices at the hardware level.”

For my Computer Forensics students and this is probably useful for researchers in general.
You might have heard about The Internet Archive.  It’s that dusty place on the web for all digital artifacts.  It’s not a tomb, but a cache of knowledge that makes up our digital experience.
Its web crawlers collect data from all corners of the web to build an historical collection that we can browse for free anytime.  If you think that’s a usable bit of work, then you will like what the Wayback Machine Chrome extension can do.
The Wayback Machine Chrome extension detects dead web pages and gives you the option to view an archived version of the page.

No matter how few numbers reside in your head, hopefully you know your own phone number!  However, there may be times when you need to look up the number of the phone you’re using.  Perhaps you had a brief bout of amnesia or are trying to return a lost phone.

Continuing a discussion with my students about the difference between ‘profitable’ and ‘successful.’  (and between ‘revenue’ and ‘profit!’)
Investors Try to Tap Into the Next Craigslist, Regardless of Earnings
In the race to find and fund the next Craigslist, venture investors aren’t letting a lack of revenue stand in the way.
The two leading contenders offering app-based classified listings have raised some $300 million in the past six months, despite generating virtually zero revenue.

For my student researchers.  What’s on your RSS feed?

For my gamers.  Do you want to play or get rich?  (Not bad for half a year.)
Pokémon Go generated revenues of $950 million in 2016
Pokémon Go generated an estimated $950 million in revenues in 2016, according to a report by market researcher App Annie.
Niantic Labs launched Pokémon Go on July 6, 2016, and it became a smash hit.  Within a couple of months, Niantic announced that it had been downloaded more than 500 million times.

With the Trump Circus replacing P.T. Barnum’s, this seemed appropriate.  (Do you see some anti-Trumpisms in them?)
10 Memorable Quotes From the 'World's Greatest Showman' P.T. Barnum