Saturday, March 18, 2017

Disappointing.  I bet the guns were locked in the trunk. 
Secret Service laptop, pins, radio stolen
A Secret Service computer containing sensitive security information about Trump Tower was stolen from an agent’s vehicle in New York on Thursday, along with a set of security perimeter pins, a personal laptop, and other items, federal and New York City law enforcement sources told POLITICO.  
   Two of the sources said that some items stolen from the vehicle — including a set of lapel pins that allow agents entry into security perimeters around dignitaries protected by the Secret Service — had been recovered in the vicinity soon after the break-in.
   The statement stressed that agency-issued laptops “contain multiple layers of security including full disk encryption” that prevent unauthorized individuals from accessing their contents.
   The closed-circuit agency radios are encrypted, said the person who is in contact with the Secret Service.  Nonetheless, the incident provoked alarm among law enforcement officials.  [Probably no login required.  Bob] 

Probably not well considered.  Who failed to see this and stop it?  Why do we never ask that question? 
Did no one really understand what “enhanced data sharing” would permit until now?
Laura Donnelly reports:
The medical records of 26 million patients are embroiled in a major security breach amid warnings that the IT system used by thousands of GPs is not secure.
The Information Commissioner is investigating concerns that records held by 2,700 practices – one in three of those in England – can be accessed by hundreds of thousands of strangers.
Privacy campaigners last night said the breach was “truly devastating” with millions of patients having no idea if their records had been compromised.
Read more on The Telegraph.
[From the article:  
Unbeknown to doctors, switching on “enhanced data sharing” - so records could be seen by the local hospital - meant they can also be accessed by hundreds of thousands of workers across the country.
It means receptionists, clerical staff, healthcare assistants and medics working in pharmacies, hospitals, GP surgeries, care homes and prisons can look up sensitive information about individuals - even if there is no medical reason to do so.

An old problem.  User account numbers are part of the URL.  Change the number, see another user’s data.  
Hackernoon writes:
This is published under our responsible disclosure policy
The McDonald’s India app, McDelivery is leaking personal data for more than 2.2 million of its users which includes name, email address, phone number, home address, accurate home co-ordinates and social profile links.  We contacted McDelivery on 7th Feb and received an acknowledgement from a Senior IT Manager on 13th Feb (33 days ago).  The issue has not been fixed yet and our continued effort to get an update for the fix after the initial acknowledgement has failed.
An unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users personal information.
Read more on Hackernoon.
[From Hackernoon: 
UPDATE: McDonald’s India has replied to us that they have fixed the issue and would be releasing an official statement urging their users to upgrade the app.
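The pattern above, an endpoint that answers for any sequential customer id, is an insecure direct object reference. The following is an added example, not the McDelivery app's code, that puts the enumerable-id lookup beside a hardened version and shows what an attacker's id walk yields against each. The in-memory USERS table, the sequential ids, the session identity and the handle scheme are all assumptions constructed for illustration.

```python
"""Added example, not the McDelivery app's code: an enumerable-id lookup
(an insecure direct object reference) beside a hardened version.

Assumptions for illustration: an in-memory USERS table keyed by sequential
integer customer ids, and a caller identity that comes from a verified session.
"""
import secrets

# Constructed sample records with sequential ids, as the text describes.
USERS = {
    1001: {"name": "Customer One", "email": "one@example.com", "phone": "+91-00-0000-0001"},
    1002: {"name": "Customer Two", "email": "two@example.com", "phone": "+91-00-0000-0002"},
    1003: {"name": "Customer Three", "email": "three@example.com", "phone": "+91-00-0000-0003"},
}


class Forbidden(Exception):
    """Raised by the hardened endpoint when the caller does not own the record."""


def vulnerable_get_user(user_id):
    """The bug: the endpoint answers for any id, with no check on who is asking."""
    return USERS.get(user_id)


def enumerate_users(handler, start, stop):
    """Attacker's loop: walk the id space and keep every record that answers."""
    found = {}
    for uid in range(start, stop):
        record = handler(uid)
        if record is not None:
            found[uid] = record
    return found


def secure_get_user(session_user_id, user_id):
    """Fix: authorize the lookup against the authenticated caller's own id.

    session_user_id must come from a verified session or token, never from
    the request body or query string, or the check is trivially bypassed."""
    if session_user_id != user_id:
        raise Forbidden("a customer may only read their own profile")
    return USERS.get(user_id)


def enumerate_as(session_user_id, start, stop):
    """The same walk against the hardened endpoint: returns what leaked and
    how many lookups were refused. A burst of refusals from one session is
    itself a detection signal worth alerting on."""
    leaked, refused = {}, 0
    for uid in range(start, stop):
        try:
            record = secure_get_user(session_user_id, uid)
        except Forbidden:
            refused += 1
            continue
        if record is not None:
            leaked[uid] = record
    return leaked, refused


# Defence in depth: hand out random, non-sequential handles instead of the
# database id, so a handle seen in one URL says nothing about its neighbours.
_HANDLES = {}


def issue_handle(user_id):
    """Map a fresh 128-bit random handle to the internal id (assumed scheme)."""
    handle = secrets.token_urlsafe(16)
    _HANDLES[handle] = user_id
    return handle


def resolve_handle(handle):
    """Look up the internal id for a handle; unknown handles resolve to None."""
    return _HANDLES.get(handle)


if __name__ == "__main__":
    print(len(enumerate_users(vulnerable_get_user, 1000, 1010)),
          "records leaked by the vulnerable endpoint")
    leaked, refused = enumerate_as(1001, 1000, 1010)
    print(len(leaked), "record(s) readable by the hardened endpoint,", refused, "refused")
```

The authorization check is the actual fix; the random handles only raise the cost of guessing and do not replace it. Note that the walk against the hardened endpoint produces nine refusals from one session in a row, which is the kind of anomaly the backend should be logging and alerting on.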

Not surprising. 
WikiLeaks Won’t Tell Tech Companies How to Patch CIA Zero-Days Until Its Demands Are Met
   This week, Assange sent an email to Apple, Google, Microsoft and all the companies mentioned in the documents.  But instead of reporting the bugs or exploits found in the leaked CIA documents it has in its possession, WikiLeaks made demands, according to multiple sources familiar with the matter who spoke on condition of anonymity.
WikiLeaks included a document in the email, requesting the companies to sign off on a series of conditions before being able to receive the actual technical details to deploy patches, according to sources.  It's unclear what the conditions are, but a source mentioned a 90-day disclosure deadline, which would compel companies to commit to issuing a patch within three months.
The companies, however, are not sure what to do next because the vulnerabilities come from highly-classified documents (which may have been illegally obtained), as well as the suspicion that, perhaps, these documents and hacking tools were leaked to WikiLeaks by the Russian government.

(Related).  Hardly news, but it’s good to know they have already eliminated Russia. 
U.S. prosecutors reportedly probing leak of CIA materials to WikiLeaks
   U.S. agencies have made only vague public comments on the latest WikiLeaks disclosures, but security and law enforcement officials familiar with the investigation said in the wake of the leaks that it is focused on whether an intelligence contractor was responsible.  At this point, they said, investigators do not think Russia or another foreign government was involved.

Have Samsung’s trust issues been resolved? 
Samsung's New S8 to Adopt Facial Recognition for Payments
Samsung Electronics Co.’s new Galaxy S8 will employ facial-recognition technology for mobile payments within months of release, adding cutting-edge security to help the marquee device stand out from rivals such as Apple Inc.’s iPhone, people familiar with the matter said.
The Galaxy S8 to be unveiled later this month will blend fingerprint, iris and facial detection to verify users accessing mobile services including Samsung Pay, the people said.  It’s already working with banks to help them embrace facial recognition systems in coming months, they said, asking not to be identified talking about a private matter.  Samsung declined to comment.

Sounds good, does not match the facts.  (Sounds Trump-like?) 
Bill Gates wants to tax robots, but one robot maker says that's 'as intelligent' as taxing software
   "If you look at economies with the lowest unemployment rates in the world and correlate it with robotics: Germany, Japan, South Korea have the highest robotics rates with more than 300 robots per 10,000 workers, and they have the lowest unemployment rates," Spiesshofer said.  "So robotization and automation, wealth and prosperity go hand-in-hand."

Walmart going after Amazon in areas where Amazon is not (yet) strong?  
Walmart Acquires Online Women’s Clothing Retailer ModCloth
The deal, which closed Friday and included both assets and operations, was part of an effort to increase Walmart's e-commerce footprint, the company said in a statement.  The goods will be sold on, an e-commerce site owned by Walmart.
   Due to the acquisition, designers selling on ModCloth will now have an opportunity to expand their client base through Walmart's e-commerce sites, the company said.
ModCloth was founded in 2002 in a college dorm room by Susan Gregg Koger and Eric Koger, according to the company's website.

(Related).  Will they tell you that you should not wear that bikini to church? 
Amazon will now tell Prime members what to wear via a new “Outfit Compare” feature
Amazon has been steadily pushing its way into fashion over the past several years, with investments in its own private labels – from workwear to activewear – plus increased fashion ad spending and even its own trend-obsessed TV show, Style Code Live.  Now the online retailer is looking to dole out its fashion advice to the masses, too, through a new feature called “Outfit Compare,” which is currently available to Prime members.
   Outfit Compare works as you’d think. It prompts shoppers to share two photos of themselves wearing two different outfits they’re deciding between.
A minute later, you’ll get a response from an Amazon stylist who will tell you which outfit looks better on you.  This determination will be made based on a number of factors, Amazon explains, including how the clothes fit, what colors look best on you, how they’re styled, and what’s on trend.

Friday, March 17, 2017

Just when you thought the risks of social media were limited to a few million dollars, now you have to worry about the 82nd Airborne dropping in.  Or, you could shout “fake news!”  (If this was a real hack, we really, really need to know how it happened.)
McDonald's tweets to Trump: 'You are actually a disgusting excuse of a President'
"@realDonaldTrump You are actually a disgusting excuse of a President and we would love to have @BarackObama back, also you have tiny hands," the tweet read.
McDonald's later said in a statement that the account was hacked and apologized.
"Based on our investigation, we have determined that our Twitter account was hacked by an external source.  We took swift action to secure it, and we apologize this tweet was sent through our corporate McDonald’s account," spokeswoman Terri Hickey said.

It “only” took them a couple of years to discover this? 
And this, kids, is why you need to monitor employee access to patient records and audit over longer periods.
Kyle Spurr reports:
A caregiver at St. Charles Health System accessed nearly 2,500 patients’ electronic medical records without authorization from the hospital.
The caregiver told the hospital she viewed the files out of curiosity.  Her actions are not considered criminal.  She signed an affidavit stating she never used or shared any of the confidential patient information for the purpose of committing fraud, financial crimes or other crimes against the patients whose records she viewed.
On Jan. 16, the hospital launched an investigation and audit of all of the patient files accessed by the caregiver.  The audit found between Oct. 8, 2014 and Jan. 16, the caregiver may have reviewed as many as 2,459 files containing patients’ names, addresses, dates of birth, health insurance information, driver’s license numbers and health information such as diagnoses, physicians’ names, medications and treatment information.
Read more on Bend Bulletin.
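The point about monitoring access and auditing over a long window can be shown with code. What follows is an added example, not St. Charles Health System's tooling, that runs two checks over constructed sample EHR access-log lines: views of patients with whom the user has no recorded care relationship, and the number of distinct patients one user opens in any sliding 90-day window, which catches slow, curious browsing that a daily report never trips on. The log format, user names, encounter table and thresholds are all assumptions for illustration.

```python
"""Added example, not St. Charles' code: a long-window audit of EHR access logs.

Two checks a privacy officer would want, both run over constructed sample
log lines (not real data):
  1. accesses to patients with whom the user has no recorded care
     relationship (no encounter, no assigned unit), and
  2. the number of distinct patients one user opens in any sliding window,
     which catches slow "curious" browsing that a per-day report misses.
Line format, user names and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (one EHR record view per line).
LOG_LINES = """
2014-10-08T09:12:03 user=nurse_a patient=P1001 action=view
2014-10-08T09:40:11 user=nurse_a patient=P1002 action=view
2014-10-09T14:02:55 user=clerk_c patient=P2001 action=view
2014-10-23T16:45:10 user=clerk_c patient=P2002 action=view
2014-11-05T11:20:31 user=clerk_c patient=P2003 action=view
2014-11-19T08:05:47 user=clerk_c patient=P2004 action=view
2014-12-02T13:33:09 user=nurse_a patient=P1001 action=view
2014-12-15T10:10:10 user=clerk_c patient=P2005 action=view
2015-01-06T17:58:22 user=clerk_c patient=P2006 action=view
2015-01-16T09:00:00 user=clerk_c patient=P1002 action=view
""".strip().splitlines()

# Care relationships from the scheduling / encounter system (constructed).
ENCOUNTERS = {
    "nurse_a": {"P1001", "P1002"},
    "clerk_c": {"P2001"},   # the one patient clerk_c legitimately handled
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)


def parse_log(lines):
    """Return a sorted list of (timestamp, user, patient); malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["patient"]))
    return sorted(events)


def unrelated_accesses(events, encounters):
    """Check 1: patients viewed by a user with no care relationship on file."""
    hits = defaultdict(set)
    for _, user, patient in events:
        if patient not in encounters.get(user, set()):
            hits[user].add(patient)
    return dict(hits)


def peak_distinct_patients(events, window=timedelta(days=90)):
    """Check 2: per user, the largest number of distinct patients viewed inside
    any window of the given length, sliding over the time-sorted views."""
    by_user = defaultdict(list)
    for ts, user, patient in events:
        by_user[user].append((ts, patient))
    peaks = {}
    for user, views in by_user.items():
        best = 0
        for i, (start, _) in enumerate(views):
            seen = {p for ts, p in views[i:] if ts - start <= window}
            best = max(best, len(seen))
        peaks[user] = best
    return peaks


def flag_users(lines, encounters, max_unrelated=1, max_per_window=5,
               window=timedelta(days=90)):
    """Users worth a human review: several unrelated lookups, or an unusually
    broad set of patients in one window. Thresholds here are illustrative and
    would be tuned per role in a real deployment."""
    events = parse_log(lines)
    unrelated = unrelated_accesses(events, encounters)
    peaks = peak_distinct_patients(events, window)
    flagged = {}
    for user in set(unrelated) | set(peaks):
        reasons = []
        if len(unrelated.get(user, ())) > max_unrelated:
            reasons.append(f"{len(unrelated[user])} patients with no care relationship")
        if peaks.get(user, 0) > max_per_window:
            reasons.append(f"{peaks[user]} distinct patients in {window.days} days")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in flag_users(LOG_LINES, ENCOUNTERS).items():
        print(user, "->", "; ".join(reasons))
```

In the sample, clerk_c never opens more than one record a day, so a daily volume alert stays quiet; it is the 90-day window and the missing care relationship that surface the pattern. The care-relationship check depends on a reliable feed from scheduling or encounter data, which is usually the harder part to get right.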

(Related).  A different approach in Canada.  
John Chippa reports:
A Justice of the Peace in Goderich has handed down the stiffest fine to date in Canada for a health privacy breach.
A university student who was on an educational placement with the family health team in Central Huron has been ordered to pay a $20,000 fine and a $5,000 victim surcharge for accessing personal health information without authorization.
The student pled guilty to willfully accessing the personal health information of five individuals.
As part of her plea, she agreed that she accessed the personal health information of 139 individuals without authorization between September 9th, 2014 and March 5th, 2015.
Read more on Blackburn News.
A $25,000 fine is the biggest fine to date in Canada for a health privacy breach?  Wow.

For my Ethical Hacking students. 
Advanced Persistent "Bad Bots" are Rampant
In 2016, 40% of all web traffic originated from bots -- and half of that came from bad bots.  A bot is simply a software application that runs automated tasks over the internet.  Good bots are beneficial.  They index web pages for the search engines, can be used to monitor web site health and can perform vulnerability scanning.  Bad bots do bad things: they are used for content scraping, comment spamming, click fraud, DDoS attacks and more.  And they are everywhere.
Findings from Distil's 2017 Bad Bot Report (PDF) released Thursday show that the problem is rising again after a brief improvement in 2015.

“Hey, somebody is guilty!”  Since they have the guy’s photo, perhaps an image search of Facebook would be a better method? 
Thomas Claburn reports:
A US judge has granted cops a search warrant to direct Google to provide personal details about anyone searching for a specific name in the town of Edina, Minnesota.
Tony Webster, who describes himself as a web engineer, public records researcher, and policy nerd, published a portion of the warrant out of concern that administrative subpoenas and search warrants are being used for what amounts to fishing expeditions.
Under the Fourth Amendment, searches and seizures must be reasonable and as such are generally limited in their scope, to balance privacy expectations.  At issue is whether a warrant for the Google account data of anyone searching for a given term is unconstitutionally broad.
Read more on The Register.
[From the article: 
According to the warrant, seen in full by The Register, the case involves bank fraud in which an unknown party used the victim's name to wire $28,500 from Spire Credit Union to Bank of America.  The credit union relied on a faxed copy of the victim's passport to verify the transaction, but the document was faked.
The search warrant, filed by Edina Police Detective David Lindman, says that when investigators searched Google Images for the victim's name, they found the photo used to make the fake passport – an image of someone who resembled the victim but was not the same person.  This led police to believe that the person responsible searched Google for the victim's name.

Horsefeathers!  But, as long as the tools are available…
No One Wants the Internet of Things …
… Except Big Brother
The CIA wants to spy on you through your dishwasher and other “smart” appliances. Slate reported in 2012:
Watch out: the CIA may soon be spying on you—through your beloved, intelligent household appliances, according to Wired.
Read more on WashingtonsBlog.

“We’re the government.  Failure to follow the rules is normal!”
Three out of Five Federal Agencies Flout New FOIA Law
by Sabrina I. Pacifici on Mar 16, 2017
National Security Archive: “Three out of five of all federal agencies are flouting the new law that improved the Freedom of Information Act (FOIA) and required them to update their FOIA regulations, according to the new National Security Archive FOIA Audit released today to celebrate Sunshine Week.  The National Security Archive Audit found that only 38 out of 99 federal agencies have updated their FOIA regulations in compliance with the FOIA Improvement Act of 2016 that was passed with bipartisan, bicameral support.  The new law required agencies to update their FOIA regulations within 180 days of passage – that was June 30 so December 27, 2016 was the deadline.  Updated regulations were supposed to include the law’s new improvements, such as requiring agencies provide requesters with no less than 90 days to file an appeal, prohibiting agencies from charging “search or duplication fees when the agency fails to meet the notice requirements and time limits set by existing law,” and mandating agencies notify requesters of their right to seek assistance from either the agency’s FOIA Public Liaison or to seek dispute resolution services with the Office of Government Information Services (OGIS), the FOIA ombudsman…”

I wonder if J.K. Rowling owns the copyright on ‘Defense Against the Dark Arts’?
Paper – Defense Against the Dark Arts of Copyright Trolling
by Sabrina I. Pacifici on Mar 16, 2017
Sag, Matthew and Haskell, Jake, Defense Against the Dark Arts of Copyright Trolling (March 14, 2017).  Available at SSRN:
“In this Article, we offer both a legal and a pragmatic framework for defending against copyright trolls.  Lawsuits alleging online copyright infringement by John Doe defendants have accounted for roughly half of all copyright cases filed in the United States over the past three years.  
   We also undertake a detailed analysis of the legal and factual underpinnings of these cases.  Despite their underlying weakness, plaintiffs have exploited information asymmetries, the high cost of federal court litigation, and the extravagant threat of statutory damages for copyright infringement to leverage settlements from the guilty and the innocent alike.  We analyze the weaknesses of the typical plaintiff’s case and integrate that analysis into a comprehensive strategy roadmap for defense lawyers and pro se defendants.  In short, as our title suggests, we provide a comprehensive and useful guide to the defense against the dark arts of copyright trolling.” 

Tread lightly, Google.  You don’t want to tell them that your Behavioral Advertising AI suggested this ad placement because people going to those sites respond best to (click on) the government ads. 
Google summoned to appear before the UK government to explain why ads keep appearing next to extremist YouTube videos
LONDON — Google has been summoned to appear in front of the UK government to explain why taxpayer-funded ads are appearing next to extremist content on YouTube, The Times reported.
The Times found government ads — and also those from the BBC, The Royal Air Force, and The Royal Navy — appearing next to videos from American white nationalist David Duke, a pastor who praised the killing of 49 people in an Orlando gay nightclub, and videos from Michael Savage, who the newspaper describes as a "homophobic shock-jock."
   The issue is not only the juxtaposition of government ads next to inappropriate content, but the fact that those ads are making money for the video creators.  The Times says a YouTube user earns $7.60 on average for every 1,000 times an ad is viewed.
On Thursday, the government suspended all of its YouTube advertising until Google can make assurances that ads from public-funded bodies would not appear in unsafe environments.

On the other hand, this one looks like a slam dunk for Google.
Someone Copied The Wrong Person On An Email, And It Just Might Destroy Uber
On Dec. 13, an employee at Waymo, a self-driving startup founded by Google, was accidentally copied on an email from one of its vendors.  Where was the email supposed to go?  Why, to Uber ― or, more specifically, to Uber’s newly acquired startup Otto.
Included in the email were schematics for a circuit board, one that looked remarkably similar to a board designed at considerable expense by Waymo.  Without that circuit board and the “LiDAR” (laser-based surveying) technology it made possible, neither Otto nor Waymo would be going on a self-driving jaunt any time soon.
   Levandowski abruptly resigned from Waymo in January 2016, then founded Otto and sold it to Uber for $680 million that summer.  (You can read a complete, surprisingly riveting timeline of the saga here, via the New Zealand tech blogger Daniel Compton.)
The vendor’s misaddressed email has spurred an investigation by Waymo into Levandowski’s activities.  Waymo declined to speak about the email or the ensuing investigation, instead directing The Huffington Post to a company blog post on the matter:

Some things are clearly inevitable.
Google Tests Waters of Voice Ads on Speaker
Google’s smart home speakers on Thursday played an unprompted promotion for Walt Disney Co.’s new “Beauty and the Beast” movie, the first sign of how the world’s largest advertising company could shoehorn ads into its growing number of voice interactions with users.

Thursday, March 16, 2017

Another phone system hit.  Last time it was AT&T that could not call 911.  Before that it was a link to an App that dialed 911 then hung up.
   The Mayor said anyone could run into trouble if there's a surge in calls, but the odds are worse for some cell phone customers.  "If you've got a T-Mobile phone service be very, very careful because you may not be able to get into 911," he said.
   The City of Dallas reported that T-Mobile phones were spontaneously dialing 911, a problem that has been recurring since November, tying up the call center for up to hours at a time.  At one point on Saturday, the city reported that 422 calls were on hold.

No culture of customer service at Samsung?
From the add-this-to-the-list-of-concerns-about-Samsung dept.
Matt Metzger writes:
About four months ago, I ordered a new TV directly from Samsung’s online store.  A few days later, I received a tracking link via email.
Reusing Tracking Numbers
When I first received the link, it showed an order that wasn’t my own. I assumed there was some sort of clerical error, but I was too busy at the time to contact Samsung about it.  When I checked back later in the day, there were now two orders showing at the link Samsung sent me — my own, and the other order.
Read more on Medium.  Matt not only identifies the scope of the problem – which goes beyond just the tracking info – and the risks, but he also includes Samsung’s totally-less-than-acceptable-and-pretty-outrageous response to his notification that they have a problem.
Whether the problem starts with Samsung or their shipper is irrelevant: it is Samsung customer data, and Samsung should damned well step up to the plate and get these problems addressed.  And until they do, if you don’t want all your personal information shared on the internet and indexed by Google, maybe you should think twice about ordering anything from them that requires shipment to your home.

If it had been packaged for sale, this database may now exist in several locations.
Millions of records leaked from huge US corporate database
Millions of records from a commercial corporate database have been leaked.
The database, about 52GB in size, contains just under 33.7 million unique email addresses and other contact information from employees of thousands of companies, representing a large portion of the US corporate population.
Dun & Bradstreet, a business services giant, confirmed that it owns the database, which it acquired as part of a 2015 deal to buy NetProspex for $125 million.
The purchased database contains dozens of fields, some including personal information such as names, job titles and functions, work email addresses, and phone numbers.
   The data is now searchable in Have I Been Pwned.
But it's not known exactly how the data was exposed, or who is to blame for the leak.

Lawyers are not security experts.  That’s not an excuse for being insecure.
A senior barrister who failed to keep clients’ sensitive personal information secure has been fined £1,000 by the Information Commissioner’s Office (ICO).
Information belonging to up to 250 people, including vulnerable adults and children, was uploaded to the internet when the barrister’s husband updated software on the couple’s home computer.
Some 725 unencrypted documents, which were created and stored on the computer, were temporarily uploaded to an internet directory as a back up during the software upgrade.
They were visible to an internet search engine and some of the documents could be easily accessed through a simple search.
Six of those files contained confidential and highly sensitive information relating to people who were involved in proceedings in the Court of Protection and the Family Court.
Source: Information Commissioner’s Office

Update.  The Indictment of the Yahoo hackers.  These guys are from Russia and Canada.  I guess President Trump doesn’t understand the “virtual immigrant” problem. 
U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts

(Related).  On the other hand…  I’ll send this article to my Ethiopian student. 
John Ribeiro reports:
An appeals court has barred an Ethiopian-born U.S. citizen from filing a civil suit against the African country, which allegedly infected his computer with spyware and monitored his communications.
The U.S. Court of Appeals for the District of Columbia Circuit ruled Tuesday that foreign states are immune from suit in a U.S. court unless an exception to the Foreign Sovereign Immunities Act (FSIA) applies.
Read more on CSO Online.

For my Ethical Hackers.  See what can be done.
Pwn2Own 2017: Experts Hack Edge, Safari, Ubuntu
Bug bounty hunters have managed to hack Microsoft Edge, Safari, Ubuntu and Adobe Reader on the first day of the Pwn2Own 2017 competition taking place these days alongside the CanSecWest conference in Vancouver, Canada.
The prize pool for this year’s event is $1 million and 11 teams have signed up to hack products in four categories.  On the first day of the competition, participants earned a total of $233,000 for the exploits they disclosed.

Also for my Ethical Hacking students.  Includes some comments on Privacy. 
CRS – Dark Web
by Sabrina I. Pacifici on Mar 15, 2017
CRS report – Dark Web, Kristin Finklea, Specialist in Domestic Security. March 10, 2017. [via FAS]
[From the PDF: 
Surface Web.  The magnitude of the web is growing.  According to one estimate, there were 334.6 million Internet top-level domain names registered globally during the second quarter of 2016.[10]  This is a 12.9% increase from the number of domain names registered during the same period in 2015.[11]  As of February 2017, there were estimated to be more than 1.154 billion websites.[12]  As researchers have noted, however, these numbers “only hint at the size of the Web,” as numbers of users and websites are constantly fluctuating.[13]
Deep Web.  The Deep Web, as noted, cannot be accessed by traditional search engines because the content in this layer of the web is not indexed.  Information here is not “static and linked to other pages” as is information on the Surface Web.[14]  As researchers have noted, “[i]t’s almost impossible to measure the size of the Deep Web.  While some early estimates put the size of the Deep Web at 4,000–5,000 times larger than the surface web, the changing dynamic of how information is accessed and presented means that the Deep Web is growing exponentially and at a rate that defies quantification.”[15]
Dark Web.  Within the Deep Web, the Dark Web is also growing as new tools make it easier to navigate.[16]  Because individuals may access the Dark Web assuming little risk of detection, they may use this arena for a variety of legal and illegal activities.  It is unclear, however, how much of the Deep Web is taken up by Dark Web content and how much of the Dark Web is used for legal or illegal activities.

The UK has a strategy.  (And a Commissioner!)  What do we have?
From: Surveillance Camera Commissioner   First published: 14 March 2017

A long post, but still nothing on those of us who are phone-less. 
Over the last few days, both ProPublica and the ACLU have published pieces on your rights in terms of Customs & Border Patrol searches. Reading both their articles, below, makes clear how complicated the situation can be for travellers. 

Yoicks!  Am I a journalist?
Court: FBI’s Secret Rules for Spying on Journalists Can Remain Secret
by Sabrina I. Pacifici on Mar 15, 2017
FindLaw – “In 2015, the Freedom of the Press Foundation sued the Department of Justice under the Freedom of Information Act in an attempt to force the DOJ to publish its rules for conducting warrantless spying on journalists in the United States.  The DOJ responded that it had supplied all of the documentation the Foundation requested, aside from information that fell under certain FOIA exceptions.  This week, a U.S. District judge in California ruled that the unpublished rules on media surveillance could remain unpublished, ending the Foundation’s lawsuit.”  A copy of the decision is here.

Because they need it more than second class citizens, like me?
William Petroski reports:
The Iowa Senate approved a bill Wednesday providing for the confidentiality of personal information about Iowa law enforcement officers in an effort to protect their safety.
Sen. Dan Dawson, R-Council Bluffs, who is an Iowa Division of Criminal Investigation agent, said the legislation is a response to “numerous instances” over the years in which Iowa law enforcement officers and their families have expressed concerns about personal information being disclosed to individuals. [Gosh, why didn’t I think of that!  Bob]
Read more on Des Moines Register.

The pendulum swings again.
Matthew J. Siegel of Cozen O’Connor writes:
A split continued to develop in the federal courts last month as the Fourth Circuit denied Article III standing to the plaintiffs in a data breach case whose alleged injuries were limited to the increased risk of future identity theft and the cost of measures to protect against it.  The Fourth Circuit joins the First and Third Circuits in rejecting this theory as grounds for standing, finding it too great of a stretch. In contrast, the Sixth, Seventh and Ninth Circuits have all recognized in certain circumstances that, at the pleading stage, plaintiffs can establish an injury-in-fact based on possible future injury.
In the Fourth Circuit case, Beck v. McDonald, No. 15-1395 (4th Cir. Feb. 6, 2017), veterans in two consolidated cases alleged that the William Jennings Bryan Dorn Veterans Affairs Medical Center (Dorn VAMC), had violated the Privacy Act of 1974 and the Administrative Procedure Act (APA) after a laptop containing their unencrypted personal information, such as names, birthdates, and the last four digits of their social security numbers was stolen; and, in another case, four boxes of pathology reports containing confidential patient information went missing.  The plaintiffs sought declaratory relief and monetary damages under the Privacy Act, and broad injunctive relief under the APA, potentially placing the entire VA’s privacy program under judicial oversight.
Read more on Lexology.

Duopoly watch: Google and Facebook gobble up even more ad dollars
A new eMarketer study estimates Google and Facebook will continue to devour the $83 billion U.S. digital ad market, with Facebook growing to account for 1/3 of all display advertising and Google growing to take 78% of all search ad revenue this year.
Why it matters: Google and Facebook have an effective "duopoly" over digital ad revenue, eating up more than 90% of all new ad dollars.  eMarketer's new report reinforces the difficult position digital publishers are in to create revenue opportunities amid a scarce digital ad environment.  

Perspective.  Maybe there is something about holding a book.  Somehow, I doubt Amazon is too worried. 
Ebook sales continue to fall as younger generations drive appetite for print
Readers committed to physical books can give a sigh of relief, as new figures reveal that ebook sales are falling while sales of paper books are growing – and the shift is being driven by younger generations.
More than 360m books were sold in 2016 – a 2% jump in a year that saw UK consumers spend an extra 6%, or £100m, on books in print and ebook formats, according to findings by the industry research group Nielsen in its annual books and consumer survey.  The data also revealed good news for bricks-and-mortar bookshops, with a 4% rise in purchases across the UK.
While sales through shops increased 7% in 2016, ebook sales declined by 4%.

Amusing?  Who controls classification?  Background for student SciFi films? 
Physicist declassifies rescued nuclear test films
by Sabrina I. Pacifici on Mar 15, 2017
“The U.S. conducted 210 atmospheric nuclear tests between 1945 and 1962, with multiple cameras capturing each event at around 2,400 frames per second.  But in the decades since, around 10,000 of these films sat idle, scattered across the country in high-security vaults.  Not only were they gathering dust, the film material itself was slowly decomposing, bringing the data they contained to the brink of being lost forever.  For the past five years, Lawrence Livermore National Laboratory (LLNL) weapon physicist Greg Spriggs and a crack team of film experts, archivists and software developers have been on a mission to hunt down, scan, reanalyze and declassify these decomposing films.  The goals are to preserve the films’ content before it’s lost forever, and provide better data to the post-testing-era scientists who use computer codes to help certify that the aging U.S. nuclear deterrent remains safe, secure and effective.  To date, the team has located around 6,500 of the estimated 10,000 films created during atmospheric testing.  Around 4,200 films have been scanned, 400 to 500 have been reanalyzed and around 750 have been declassified.  An initial set of these declassified films — tests conducted by LLNL — were published today in an LLNL YouTube playlist.  These films are stunning – silent, black and white explosions that resonate in a way that drives home in the starkest terms the ramifications of the use of these weapons.

Power to the professors!  I have enough trouble with students who don’t understand those squiggly red lines under some words in their papers.  Now I can tell them to write right or I’ll sue? 
The ruling in this Maine labor dispute hinged on the omission of an Oxford comma
“For want of a comma, we have this case.”
Those words open Maine Circuit Judge David Barron’s opinion on a labor dispute between a dairy company and its delivery drivers.  The ruling from the First Circuit Court of Appeals, in favor of the drivers, hinged on the omission of an Oxford comma, also known as the “serial” comma, the “final comma in a list of things,” as Grammarly’s blog explains.
   The Appeals Court sided with the drivers, saying the absence of a comma created ambiguity and that when there is ambiguity, the court is bound to go with the purpose of the law, which was to make sure that employers were fair in the payment of overtime.

Could be useful, or a pain in the…
Facebook’s new ‘Town Hall’ feature helps you find and contact your government reps
In Facebook CEO Mark Zuckerberg’s nearly 6,000-word manifesto published last month, he laid out a number of global ambitions he had for the social network in the days ahead — including one where its users became more “civically-engaged” and voted more often.  Now it seems Facebook has taken its first steps toward making that possible, through a new feature it’s calling “Town Hall.”
This latest addition has just popped up on the “More” menu in Facebook’s mobile app, and offers a simple way for users to find and connect with their government representatives on a local, state and federal level.
To use Town Hall, you only have to enter your address — which Facebook says is not displayed or shared (though it doesn’t say it’s not “saved,” so be advised).  We understand this information will be used to power future civic engagement products, like finding a polling place or previewing a ballot.

For next Quarter’s spreadsheet students.
   A printed spreadsheet isn’t very useful at all compared to a digital document.  If you cut out your printer, you can take advantage of Windows 10’s handiest features, make your spreadsheet interactive, and take a copy of your file with you wherever you go.

I’ve got to ask my students how this would translate to the US. 
Rent Chickens, Sell the Eggs: Eye on Chinese Media

(Related).  Perhaps, like this? 
Lab-Grown Chicken Strips Could Change the Meat Industry Forever

Wednesday, March 15, 2017

Strange that they didn’t target President Trump.  Or have they been doing that for months? 
'Turkey backers' target Amnesty, BBC and other major Twitter accounts
Twitter accounts, including Amnesty International, Unicef USA and BBC North America, have been hacked by attackers claiming to back Turkey's government.
The hackers tweeted in Turkish including the words "Nazi Germany, Nazi Holland", and posted the Turkish flag.
   Twitter says it has located and removed the source of the hacking attack.
A company spokesperson is quoted as saying that the source had been tracked to a third party app whose permissions had been removed.
The spokesperson provided no further details.
   The hackers also targeted business publisher Forbes, government agencies and celebrities.

A rare example of someone who got it right!  Ransomware as an irritant, not a catastrophe. 
Scott Liles reports:
A cyber attack on the server of the Mountain Home Water Department led to the city refusing to pay a ransom and wiping the machine, Water Department Director Alma Clark said.
The server was re-installed from a backup created the night before and no information was lost or stolen, Baxter County Computer Services owner Mark Thomas told The Baxter Bulletin.
Read more on The Baxter Bulletin.

If Justice could find these guys (relatively) quickly, how poor was Yahoo security to never even notice they had been hacked? 
The Justice Department Is Ready to Unveil Charges Over the Massive Hack Attacks on Yahoo
U.S. Justice Department officials are expected to announce indictments on Wednesday against suspects in at least one of a series of hacking attacks on Yahoo Inc, according to a source briefed on the matter.
The accused men live in Russia and Canada, the source said, with the Canadian far more likely to face arrest.  Russia has no extradition treaty with the United States.
It could not immediately be learned whether the accused are suspected in the hacking of data about 1 billion Yahoo users, or a separate hack of 500 million email accounts.

For my Computer Security students.  (and a mere $600)
Online cybersecurity course targets business professionals
   MIT is launching a new online course for business professionals titled, Cybersecurity: Technology, Application and Policy.
   The six-week course offers a holistic, comprehensive view of key technologies, techniques and systems.  The goal, said Shrobe, is for participants to walk away with a broad understanding of hardware, software, cryptography, and policy to make better, safer long-term security decisions.

For my Ethical Hacking students.
Sound waves could be used to hack into critical sensors in a broad array of technologies including smartphones, automobiles, medical devices and the Internet of Things, University of Michigan research shows.
The new work calls into question the longstanding computer science tenet that software can automatically trust hardware sensors, which feed autonomous systems with fundamental data they need to make decisions.
The inertial sensors involved in this research are known as capacitive MEMS accelerometers.  They measure the rate of change in an object's speed in three dimensions.
It turns out they can be tricked.  Led by Kevin Fu, U-M associate professor of computer science and engineering, the team used precisely tuned acoustic tones to deceive 15 different models of accelerometers into registering movement that never occurred.  The approach served as a backdoor into the devices—enabling the researchers to control other aspects of the system.

Similar to a Russian App I blogged about last year, only this one is ‘fake news!’
Cara McGoogan reports:
A facial recognition app that can identify strangers from a photograph has been created by a British entrepreneur.
Facezam can identify people by matching a photo of them with their Facebook profile.  All users have to do is take a picture of someone on the street and run it through the app, which will tell them who it thinks the person in the photo is.
“Facezam could be the end of our anonymous societies,” said Jack Kenyon, founder of Facezam.  “Users will be able to identify anyone within a matter of seconds, which means privacy will no longer exist in public society.”
Read more on The Telegraph.

An interesting problem when reviewing photos.
Facebook—in hate crime clash with MPs—claims it’s “fixed” abuse review tool
Facebook has claimed that it tweaked its community standards review system that allows users to report abusive, offensive, and illegal images and posts in light of a BBC investigation that highlighted the ease with which obscene material could be found on the site.
In a clash with MPs, the company's UK policy director Simon Milner told the home affairs committee chair Yvette Cooper that the images reported by the BBC were "rather innocent" but added that comments below the pictures were "horrible."
Facebook's community standards team—made up of thousands of people based in Dublin, Texas, California, and Hyderabad—didn't scrutinise, in detail, reports made via the company's review tool because, Milner said, it was the comments rather than the image that was abhorrent.  It meant the system failed to flag up the abusive content.

Will we ever allow ‘global warrants?’ 
Apple, Amazon, and Microsoft are helping Google fight an order to hand over foreign emails
Apple, Microsoft, Amazon, and Cisco have filed an amicus brief in support of Google, after a Pennsylvania court ruled that the company had to hand over emails stored overseas in response to an FBI warrant.  

Was this a test or did someone panic?  Either way, I wanted to make a note of it.
Small drone 'shot with Patriot missile'
A Patriot missile - usually priced at about $3m (£2.5m) - was used to shoot down a small quadcopter drone, according to a US general.
The strike was made by a US ally, Gen David Perkins told a military symposium.
"That quadcopter that cost 200 bucks from did not stand a chance against a Patriot," he said.
   "In fact, if I'm the enemy, I'm thinking, 'Hey, I'm just gonna get on eBay and buy as many of these $300 quadcopters as I can and expend all the Patriot missiles out there'."

What to do if there’s not an App for that?
Thunkable - Design and Publish Your Own Apps
Thunkable is a free platform for designing, testing, and publishing your own Android apps (support for iOS apps is coming soon).  Through Thunkable you can create your apps even if you don't know how to write code.  That is possible because Thunkable uses a drag-and-drop design framework.  That framework, based on the MIT App Inventor, shows you jigsaw-like pieces that have commands labeled on them.  Your job is to put the pieces together to make your apps work.
Thunkable offers detailed written tutorials and video tutorials.

Think of it as a software toolkit in your pocket.
Portable apps, as opposed to traditional software, don’t require installation onto a computer.  Their entire data set sits nicely in one folder, and they terminate completely once closed.  Whether you prefer using them for a clean machine or like to carry around a flash drive with loads of programs, portable apps are pretty awesome.