Saturday, April 22, 2017

An everyday occurrence.  So why no encryption?
   Lifespan is investigating the theft of an employee’s laptop from a car that was broken into on February 25, 2017.  Several items were stolen, including a MacBook laptop used by the employee for work purposes.  Upon discovering the theft, the employee immediately contacted law enforcement and reported the incident to Lifespan.  Lifespan promptly began an investigation and changed the employee’s credentials used to access Lifespan system resources out of an abundance of caution.
   Lifespan is committed to protecting the security and confidentiality of our patients’ information, and we deeply regret this incident occurred.  In order to help prevent a similar incident from reoccurring, we are re-educating our employees and enhancing our policies and procedures related to the security of MacBooks.
SOURCE: Lifespan
According to local media who received a press release on the matter, Lifespan is notifying 20,000 patients.

You watch TV, TV watches you. 
WikiLeaks Details Samsung Smart TV Hacking Tool
WikiLeaks has released a document detailing yet another hacking tool allegedly used by the U.S. Central Intelligence Agency (CIA).  This time, the organization has published information on a tool designed to record audio via the built-in microphone of some Samsung smart TVs.
The tool, dubbed “Weeping Angel,” is apparently based on “Extending,” an implant allegedly developed by British security service MI5 – the agencies are said to have worked together on this project.
   The newly released guide, dated February 2014, describes an implant for Samsung F series smart TVs.  The implant can record audio from a device via the built-in microphone and either store or exfiltrate the recordings.
The Weeping Angel implant can be installed by connecting a USB device to the targeted TV, and data can be exfiltrated either via a USB stick or a compromised Wi-Fi hotspot.

“We are not covered by HIPAA but we act like we are?” 
HealthITSecurity reports:
Patient records from the New York Organ Donor Network are not liable to HIPAA regulations, according to a recent New York Supreme Court ruling.
A former network official claimed that four patients had not yet been declared legally dead before their organs were harvested, and had argued that the records in question were protected under HIPAA.
Plaintiff Patrick McMahon also claimed that he had been fired for being a whistleblower and stating that organs were being taken prematurely.
McMahon argued that the network was not a HIPAA covered entity and the four patients’ medical records should be turned over.  The records “are material and necessary because plaintiff insists that each person showed signs of brain activity when their organs were harvested.”
The network reportedly acknowledged that it is not a HIPAA covered entity, but said it still must maintain patient confidentiality.
Read more about the case on HealthITSecurity.

It’s not stalking, it’s determining how your business is doing.  (You can’t turn it around if you don’t know where it’s heading.)
10 Easy Ways Small Businesses Should Track Competitors
One of the most important yet often unvalued requirements when running a small business is to track and monitor competition.  Having a clear understanding of competitors’ business operations, such as what they are charging, what clients they have, and what new products and services they are offering, can help a company develop their own successful business models and strategies.

Investigating with a view to a change or just to be able to say they are “doing something?” 
U.S. Homeland Security probes possible abuse in Twitter summons case
The U.S. Homeland Security Department's inspector general said on Friday he was investigating possible abuse of authority in a case that triggered a lawsuit against the department by Twitter Inc.
   In a lawsuit on April 6, Twitter disclosed that it received a summons in March from the U.S. Bureau of Customs and Border Protection, an agency within Homeland Security, demanding records about an account on the social media platform identified by the handle @ALT_uscis.
The account has featured posts critical of President Donald Trump's immigration policies, leading Twitter to complain in its lawsuit that the summons was an unlawful attempt to suppress dissent.
The agency dropped its demand of Twitter the day after the suit was filed.
   "DHS OIG is also reviewing potential broader misuse of summons authority at the department," he added.

These two events could not possibly be related.  Unless someone was practicing to take everything down?
Power outage cripples San Francisco for seven hours
A massive power outage threw San Francisco into chaos for most of the work day on Friday, knocking out traffic signals, paralyzing businesses and halting the city's famed cable cars.

Why a Midtown Power Failure Snarled Your Morning Subway Commute

Something my students will use, please!
Three Tools That Help Students Analyze What They Write
Probably every high school teacher since the dawn of time has asked his or her students to have someone else proofread their essays before turning them in for a grade.  Unfortunately, students don't always comply with that request.  And even when they do get someone to proofread, some items might go undetected.  That's why an online writing analysis tool can be helpful to students. Here are three free services that help students analyze their writing.
Slick Write is a free tool that helps you analyze your writing or that of others.  To use Slick Write you can write new text in the provided text editor or copy and paste chunks of existing text into Slick Write's text editor.  Either way Slick Write will provide you with an analysis of your writing.  That analysis will include typical things like a word count, a readability score, and an estimated reading time for your document.  Slick Write will also analyze your use of adverbs and prepositional phrases throughout your document.
The Hemingway App, found at, provides students with lots of helpful information about their text.  To use the service students just paste some text into the Hemingway editor and it will provide you with a bunch of information about that text.  Hemingway highlights the parts of your writing that use passive voice, adverbs, and overly complex sentences.  All of those factors are accounted for in generating a general readability score for your passage.  The short video embedded below shows how easy it is to use to analyze your writing.
Paste your text into Analyze My Writing and it will generate a ton of information about your writing.  Analyze My Writing will give you a break-down of the readability of your writing on five indices.  The analysis will include listings of the most common words and most common word pairs in your writing.  A listing of how frequently you use punctuation and punctuation types is included in the analysis provided by Analyze My Writing.  Finally, a word cloud is included at the end of the analysis of your writing.

Friday, April 21, 2017

Computer Security means never having to say “Oops!”
Millions Download "System Update" Android Spyware via Google Play
Millions of users looking to get Android software updates have been tricked into downloading spyware on their devices through the Google Play marketplace, Zscaler reveals.
Posing as a legitimate application called “System Update” and claiming to provide users with access to the latest Android software updates, the spyware made it to Google Play in 2014, and has registered between 1,000,000 and 5,000,000 downloads by the time Google was alerted and removed it from the store.

Is there no one responsible for Security in the White House?
Confide gets slapped with a lawsuit that says it’s not as secure as it claims
A new lawsuit claims that Confide, a privacy-focused messaging app reportedly used by several politicians including those in the Trump administration in February, may not be as secure as it has advertised.
Filings from a proposed class-action lawsuit in New York say that Confide's contention that it does not allow its users to take screenshots of their messages isn't true.  It specifically accuses Confide of breaching false advertising and deceptive business practices laws.
The inability to keep a record of Confide messages is one of the product's most-touted features.  [Are we looking at another “Hillary email” problem if the White House does not keep messages?  Bob]  If someone tries to take a picture of a conversation, Confide is supposed to kick out the person who took the screenshot and alert the other person in the conversation.
   The court filing includes screenshots of full messages that the complaint says were taken on personal computers running the Windows version of the app.

(Related).  Apparently, security is not a priority.
Trump blows his deadline on anti-hacking plan
President-elect Donald Trump was very clear: “I will appoint a team to give me a plan within 90 days of taking office,” he said in January, after getting a U.S. intelligence assessment of Russian interference in last year’s elections and promising to address cybersecurity.
Thursday, Trump hits his 90-day mark.  There is no team, there is no plan, and there is no clear answer from the White House on who would even be working on what.  

It’s one of the last great intellectual challenges available.  That’s why I like to get students thinking like White hats.  It costs nothing to start.  Tools are available online for free.
The National Crime Agency has today published research into how and why some young people become involved in cyber crime.
The report, which is based on debriefs with offenders and those on the fringes of criminality, explores why young people assessed as unlikely to commit more traditional crimes get involved in cyber crime.
The report emphasises that financial gain is not necessarily a priority for young offenders.  Instead, the sense of accomplishment at completing a challenge, and proving oneself to peers in order to increase online reputations are the main motivations for those involved in cyber criminality.
During his debrief, Subject 7, who was jailed for Computer Misuse Act and fraud offences, told officers, “…it made me popular, I enjoyed the feeling… I looked up to those users with the best reputations”.
The report identifies that some offenders begin by participating in gaming cheat websites and ‘modding’ (game modification) forums before progressing to criminal hacking forums.
The assessment notes that off-the-shelf tools such as DDOS-for-hire services and Remote Access Trojans (RATs) are available with step by step tutorials at little to no cost to the user, making the skills barrier for entry into cyber crime lower than it has ever been.
It also highlights that whilst there is no socio-demographic bias, with people across the country from different backgrounds among offenders, the average age of cyber criminals is significantly younger than other crime types.  In 2015, the average age of suspects in NCA cyber crime investigations was 17 years old, compared to 37 in NCA drugs cases and 39 in NCA economic crime cases.
Subject 1, a member of a hacking collective who sold DDoS tools and Botnet services, told officers that a warning from law enforcement would have made him stop his activities.
The report also identifies education and opportunities to use skills positively as helpful in steering potential offenders towards a future career in cyber security.
Richard Jones, Head of the National Cyber Crime Unit’s Prevent team, said:
“Even the most basic forms of cyber crime can have huge impacts and the NCA and police will arrest and prosecute offenders, which can be devastating to their future.  That means there is great value in reaching young people before they ever become involved in cyber crime, when their skills can still be a force for good.
“The aim of this assessment has been to understand the pathways offenders take, and identify the most effective intervention points to divert them towards a more positive path.
“That can be as simple as highlighting opportunities in coding and programming, or jobs in the gaming and cyber industries, which still give them the sense of accomplishment and respect they are seeking.”
The full report can be viewed and downloaded here.

For my serious Computer Security students.

The future of credit card security?
Mastercard Launches Fingerprint-Based Biometric Card
Mastercard announced on Thursday the launch of a biometric card that combines chip technology with fingerprints in order to allow consumers to easily authorize financial transactions and verify their identity when making a purchase.
Before using the fingerprint feature, cardholders need to register the card with their bank.  During this process, the user’s fingerprint is converted into an encrypted digital template and stored on the card.
When making an in-store payment, customers dip their card into the point-of-sale (PoS) terminal and scan their fingerprint on the embedded sensor.  If the fingerprint matches the one stored on the card, the user is authenticated and the transaction is approved.

The objection was made in 2015.  Nothing has changed? 
Alex Emmons reports:
In her first appearance representing the American public before the top-secret Foreign Intelligence Surveillance Court in 2015, Amy Jeffress argued that the FBI is violating the Fourth Amendment by giving agents “virtually unrestricted” access to data from one of the NSA’s largest surveillance programs, which includes an untold amount of communications involving innocent Americans.
Read more on The Intercept.
[From the article:  
The ACLU obtained the hearing transcript and other legal documents related to the secret court proceedings under the Freedom of Information Act, and released them to the public on Friday.

For my “everybody has one” students.
Can mobile phones give you a brain tumor? An Italian court just ruled yes.

Public statements can be confusing.  That’s one reason why we have satellites.  (Remember, Russia shares a small part of its border with North Korea and Vladivostok is easily in range of those missiles Kim is playing with.)  
Russia denies it is moving troops close to North Korea
Russian authorities are denying reports that they are moving troops to the border with North Korea over growing tensions in the Korean peninsula.

Russia refuses to deny troops amassing on North Korea border
Vladimir Putin is refusing to comment on media reports that Russia is quietly moving military hardware and troops towards the border with North Korea.
According to the RIA news agency, Kremlin spokesman Dmitry Peskov said that deployments of Russian troops inside Russia’s own borders were not a public matter.

An interesting article recalling Google’s big loss.
Torching the Modern-Day Library of Alexandria

No comment. 
How Did NY Gov. Andrew Cuomo Make $783,000 In Royalties From A Book That Sold Only 3,200 Copies?
   In 2015, the governor reportedly earned zero income from book sales and in the nearly three years that it's been on the market, it has sold just 3,200 copies.  But Cuomo, the Buffalo News found, reported that he received a total of $783,000 from HarperCollins in book sales over the past three years, a number that would translate to royalty payments of nearly $244.69 per copy.  On Wednesday, the book was selling on Amazon for $13.05.
A spokesperson for Gov. Cuomo told International Business Times, “This payment was contractual and per the agreement with the publisher.”

Can my students “reverse engineer” this to get a job at Google?
Google shares hiring documents and techniques
by Sabrina I. Pacifici on Apr 20, 2017
Structure your hiring process with these re:Work tools: “Hiring someone new is a critical decision for a team or organization, and every step of the hiring process contributes to the final outcome.  Use these resources from Google to help you approach hiring in a fair and structured way.

Thursday, April 20, 2017

Apparently, management is unable to learn from their mistakes. 
Nothing new in UK Govt cyber security survey
The 2017 UK Govt produced Cyber Security Breaches Survey is out and it says nothing new.  Across 66 pages it repeats what businesses and the industry already know.  Businesses are under prepared, under skilled and prone to cyber security breaches.  What is worrying is that this is a situation that is not getting better.
   The numbers from the report say that 46% of all UK businesses identified at least one cyber security breach or attack.  The larger the business the more attacks they reported.  The number was 66% for medium-sized business and 68% for large companies.
[British Chambers of Commerce report:   BCC Digital Economy Survey Part 3

Might be educational.
Mike Carter reports:
In Russian cybercrime mastermind Roman Seleznev, the Department of Justice is boasting it finally caught and convicted a big fish in the often impenetrable world of global computer theft — and now the agency intends to make a lesson of him.
Federal prosecutors will ask a Seattle judge Friday to sentence the 32-year-old Seleznev to 30 years in prison for operating a massive — maybe unprecedented — credit-card theft scheme from behind keyboards in Vladivostok, Russia, and Bali, Indonesia.  Over a decade, Seleznev stole and sold on the black market more than 2 million credit-card numbers, resulting in losses of at least $170 million, and maybe into the billions, according to documents filed in U.S. District Court in Seattle.
Read more on Seattle Times. It’s a good read with a lot of background on Seleznev.

What were they thinking?
Gareth Corfield reports:
London gun owners are asking questions of the Metropolitan Police after the force seemingly handed the addresses of 30,000 firearm and shotgun owners to a direct mail marketing agency for a commercial firm’s advertising campaign.
The first any of the affected people knew about the blunder was when the leaflet (pictured below) landed on their doormats in Tuesday’s post.
Read more on The Register.

Should be amusing to watch.
These Popular Headphones Spy on Users, Lawsuit Says
The audio maker Bose, whose wireless headphones sell for up to $350, uses an app to collect the listening habits of its customers and provide that information to third parties—all without the knowledge and permission of the users, according to a lawsuit filed in Chicago on Tuesday.
The complaint accuses Boston-based Bose of violating the WireTap Act and a variety of state privacy laws, adding that a person's audio history can include a window into a person's life and views.
"Indeed, one’s personal audio selections – including music, radio broadcast, Podcast, and lecture choices – provide an incredible amount of insight into his or her personality, behavior, political views, and personal identity," says the complaint, noting a person's audio history may contain files like LGBT podcasts or Muslim call-to-prayer recordings.

Are articles like this appearing around the world?  Probably.
The Register's guide to protecting your data when visiting the US
Summary: You're (mostly) screwed without preparation

Just one autonomous car will use 4,000 GB of data/day
Two real-life, practical, semi-autonomous vehicle launches next year are an indication that the self-driving car is really happening.
Audi is expected to make its up-to-35-mph hands-free driving system available late next year in some 2018 vehicles.
And Volvo will start testing Drive Me, an autopilot that will introduce 100 Swedish XC90 owners to autonomous driving, according to an Automotive News supplement produced for the Los Angeles Auto Show last month.
Two mega-strides forward.  But if you’re impatient and wondering why it’s taking so long for car makers to offer full autonomy, as in eye-free driving, one clue is in the data.  The amounts of datasets that need to be produced and then shared in real time to make it all work are absolutely staggering.

Vehicles will generate and consume roughly 40 terabytes of data for every eight hours of driving, according to Intel CEO Brian Krzanich, speaking at the auto show’s technology pavilion, Automobility.  [1 TB = 1000 GB so, either this paragraph or the headline is wrong.  Bob]  

We need an in-car App that blocks/jams phone reception when the car is in gear. 
Motor vehicle fatalities increase as drivers continue phone use
by Sabrina I. Pacifici on Apr 19, 2017
Axios: “…Zendrive studied actual device use among 3.1 million drivers over 5.6 billion miles of driving and found that in 88 percent of trips, drivers made at least some use of their phones.  On average, drivers spent 3.5 minutes per hour on their device.  Some important context: The number of traffic deaths has been increasing since 2015 after a 40-year decline, with more than 40,000 people dying on the roads last year for the first time in a decade.  It is estimated that a 2-second distraction increases the risk of a collision by 20 times.”

Even the government is going mobile and using social media!  
GPO Launches New website
by Sabrina I. Pacifici on Apr 19, 2017
“The U.S. Government Publishing Office (GPO) launches a newly designed, user-friendly agency website for customers, vendors, Federal agencies, libraries and the public looking for access to Government information, the latest GPO news, and GPO products and services.  The beta site features a simple, mobile-friendly structure that connects the user in a more streamlined digital manner with GPO.  Once out of beta, this site will replace the current site that was launched in 2009.  Try our new site:
Some of the new features include:
  • mobile friendly
  • improved internal site search
  • improved user experience
  • easy access to GPO products and services
  • easy access to events and training
  • easy access to GPO social media platforms
  • locating Federal Depository Libraries”

Perspective.  (And something my spreadsheet class could do for Denver light rail?) 
New York City Rents By Subway Stop 2017

Venezuela announces it no longer needs foreign investors.
GM says Venezuelan car plant is seized by government

Wednesday, April 19, 2017

This could be huge.  Why are some franchise owners refusing to have their systems examined? 
Brian Krebs reports:
In December 2016, KrebsOnSecurity broke the news that fraud experts at various banks were seeing a pattern suggesting a widespread credit card breach across some 5,000 hotels worldwide owned by InterContinental Hotels Group (IHG).  In February, IHG acknowledged a breach but said it appeared to involve only a dozen properties.  Now, IHG has released data showing that cash registers at more than 1,000 of its properties were compromised with malicious software designed to siphon customer debit and credit card data.

New rules!  Better?
Michael B. Katz and Cynthia J. Larose of Mintz Levin write:
After a quiet winter there has been significant activity in state legislatures to enact, strengthen or clarify their data breach notification statutes.  The latest happenings are summarized below and we have updated our “Mintz Matrix” to reflect these new and pending laws.
Read more on Privacy & Security Matters Blog.  The authors also link to the full text of the new statutes.

Why Can’t We End Spam? Ask An Economist
Last week, Russian hacker Pyotr Levashov was arrested in Barcelona in an operation jointly undertaken by Spain and the US FBI.  Levashov is allegedly the hacker behind the Kelihos botnet, a network of up to 100,000 compromised computers that have been used to run a giant, distributed spam operation (all unbeknownst to the owners of the computers in the network.)
   Security expert Brian Krebs estimated that Levashov’s botnet was capable of sending 1.5 billion emails a day, and attributes more than $438,000 in revenue from online pharmacy spam sent through that botnet over a 3-year period.  Economics research suggests that the scale and the profitability of spam are inseparable: in their article on “The Economics of Online Crime,” Moore et al. cite the results of a research project that
infiltrated a large botnet and altered the spam e-mails sent out so that they linked to a benign duplicate website under the researchers’ control.  They were able to provide the first independent answer to a long-standing question: how many people respond to spam?  It turns out that 28 sales resulted from 350 million spam e-mails advertising pharmaceuticals—a conversion rate of 0.00001 percent.

Now that is quotable!
Artificial intelligence is a hot topic right now.  Driven by a fear of losing out, companies in many industries have announced AI-focused initiatives.  Unfortunately, most of these efforts will fail.  They will fail not because AI is all hype, but because companies are approaching AI-driven innovation incorrectly.  And this isn’t the first time companies have made this kind of mistake.

Today exit, tomorrow entry and eventually at every embassy and consulate? 
Facial recognition is coming to US airports, fast-tracked by Trump
   Called Biometric Exit, the project would use facial matching systems to identify every visa holder as they leave the country.  Passengers would have their photos taken immediately before boarding, to be matched with the passport-style photos provided with the visa application.  If there’s no match in the system, it could be evidence that the visitor entered the country illegally.  The system is currently being tested on a single flight from Atlanta to Tokyo, but after being expedited by the Trump administration, it’s expected to expand to more airports this summer, eventually rolling out to every international flight and border crossing in the US.
   “We currently have everyone’s photo, so we don’t need to do any sort of enrollment.  We have access to the Department of State records so we have photos of US Citizens, we have visa photos, we have photos of people when they cross into the US and their biometrics are captured into [DHS biometric database] IDENT.”
   Homeland Security estimates that roughly half a million visitors to the US overstay their visas each year — but without a verifiable exit process, the government has no way to determine how many visitors are actually overstaying or who they are.
   Those systems also raise serious civil rights questions that agencies still haven’t answered.  Under the FBI, facial recognition has become a powerful and controversial tool for tracking criminals.  If that tool extends to face photos taken at airports, it could mean a subtle but profound change in law enforcement’s powers at the airport.
“Right now, other than the no-fly list, you do not have law enforcement checks on who can fly,” says Alvaro Bedoya, who studies facial recognition at Georgetown Law’s Center on Privacy & Technology.  “But once you take that high-quality photograph, why not run it against the FBI database?  Why not run it against state databases of people with outstanding warrants?  Suddenly you’re moving from this world in which you’re just verifying identity to another world where the act of flying is cause for a law enforcement search.”

Perspective.  Is the Internet going to the dogs?
PetSmart is acquiring for $3.35 billion in the largest e-commerce acquisition ever
   The deal is a huge one by any standard — bigger than Walmart’s $3.3 billion deal for last year — and especially for a retail company like PetSmart, which was itself valued at only $8.7 billion when private equity investors took it over in 2015.
But has been one of the fastest-growing e-commerce sites on the planet, registering nearly $900 million in revenue last year, in what was only its fifth year in operation.  The company had been a potential IPO candidate for this year or next, but was taken out by its brick-and-mortar competitor before that.  It was not profitable last year. [My students always find this amazing.  Bob]

Yet another opportunity to expand the intellect of my students.
Starcraft and Starcraft: Brood War Free Download for Windows PC and macOS

Free is good!
Apple Makes iMovie, GarageBand, and iWork Apps for Mac and iOS Free for All Users

Tuesday, April 18, 2017

I try not to be repetitious or redundant, but allow me to reiterate: Determining how big your breach was is not that difficult if you keep adequate records!
Maria Nikolova reports:
More than a month has passed since Japanese provider of payment processing services GMO Payment Gateway Inc confirmed that personal data leakage had affected the websites of two of its clients – the Tokyo Metropolitan Government and the Japan Housing Finance Agency.
At the end of last week, GMO Payment Gateway updated the numbers for the data leaked, referring to “doubling of information”.
Read more on FinanceFeeds.
[From the article: 
According to the initial assessments, the number of “units of information” leaked through the Tokyo Metropolitan Government website was 676,290, including 614,629 email addresses, as well as 61,661 credit card numbers and credit card expiration dates.  The number of “units” of credit card information reportedly leaked from the Japan Housing Finance Agency was 43,540, including credit card numbers, credit card expiration dates, security codes, credit card payment registration dates, addresses, email addresses, names, phone numbers, as well as dates of birth and payment joining dates.  The revised data lowers the numbers nearly two times.

Another oft repeated meme.  “Hey!  Let’s put all of the data on a portable device without encryption and then leave it in the car!” 
Aaron Gould Sheinin reports on yet another breach involving Georgia voters’ information:
State officials are investigating the theft last week of equipment from a Cobb County precinct manager’s car that could make every Georgia voter’s personal information vulnerable to theft.
The equipment, used to check-in voters at the polls, was stolen Saturday evening, Secretary of State Brian Kemp said Monday.
Read more on AJC.

Sources for my Computer Security students.
Cybercrime diaries: All the hacks and data breaches in one place
Global cybercrime damages are predicted to exceed $6 trillion annually by 2021, up from $3 trillion in 2015.  The first quarter cybercrime diaries, published by Cybersecurity Ventures, have hit the stands, breaking down cybercriminal activity by category.
Reading through the diaries, one might wonder if the $6 trillion figure is an underestimate.  The cybercrime diaries are a series of blogs that provide CIOs, CSOs, CISOs and IT security teams with bulleted datelines and high-level summary commentary on the most noteworthy cybercriminal activity in a quarterly period.
Hack Blotter diary.

Talking points for my Computer Security students.
How CISOs can explain privacy to the C-suite
    It’s the CISO’s role to help inform the C-suite, investors and board of directors about potential security.
If CISOs are wondering where to start, Malcolm Harkins, chief security and trust officer at Cylance and Ruby Zefo, vice president of the Law and Policy Group at Intel Corporation have put together four privacy and security topics to talk with stakeholders about.
1. Privacy is not equal to security
2. Blind spots do exist
3. Prep execs for tough questions
4. BYOD and monitoring

Not ‘amateur’ surveillance.
Lorenzo Franceschi-Bicchierai and Joseph Cox report:
Morgan Marquis-Boire is a security researcher who has spent months digging into the consumer spyware industry, and has seen it used in domestic violence cases first hand.  He has also spent years researching spyware used by governments.  For him, the former kind of surveillance, which can be also called stalkerware or spouseware, deserves more attention because it’s more common and widespread than many may think, and “the victims are everyday people,” he said.
Sophisticated government malware or cyberattacks on individuals are like “a rare bloodborne pathogen,” whereas consumer spyware is more like “the common cold” or flu.  It’s not as exotic, but “it does kill a lot of people every year,” Marquis-Boire told Motherboard.
Read more on Motherboard.

When Troy goes on a rant, he is fun to read!
Mandatory ISP data retention and the law of unintended consequences
Well, good one Australia, UK and whoever else has embarked on this hare-brained scheme, you've just made things a whole lot worse.  Our respective governments (in all their ivory-towered wisdom), have decided that because one of us could one day decide to become a terrorist, they'd better keep a big whack of our internet browsing history just in case.  The theory these genius policy makers have is that if they can probe into all our lives far enough, they'll be able to see when we're doing terrorist kinda stuff.  And really, what better way is there than siphoning up info on the websites we go to?  Job done, beer o'clock, glad we solved that one.

In the UK, you have to be able to follow your car’s directions!  (Obey your computer overlords?)
U.K. driving tests will soon add GPS navigation as a required skill
If your car doesn’t already have GPS navigation technology built directly into the dashboard, then you probably at least have a smartphone mount for your windshield so you can use Google Maps for turn-by-turn directions.  Put simply, if you own a car, computer-based navigation likely plays a central role in your journeys.
And this is why the U.K. government will soon require all learner drivers to follow directions from a sat nav as part of their driving test.  The Driver and Vehicle Standards Agency (DVSA) will provide all driving examiners with a sat nav unit to give to budding drivers for their test — but this isn’t about having an ability to search for a route through a sat nav, it’s purely about being able to follow directions.  From December 4, 2017, learners will be expected to follow a pre-set route provided by the examiner.

Turns Out, a Horrifying Number of People Use Their Phones While Driving
   a new study indicates that damn near everybody uses their phone while behind the wheel, damn near all the time.  Using sensor data from more than 3 million drivers and 5.6 billion miles of trips, driving analytics company Zendrive found drivers are using their phones on 88 percent of their journeys.  The average driver spends 3.5 minutes on the phone per one hour trip, a stat that sounds worse when you realize just a two-second distraction increases your risk of crashing by 20 percent.

Model laws?
Mike Maharrey writes:
On Friday, Montana Gov. Steve Bullock signed two bills into law that will increase privacy protections in the state and hinder at least two federal surveillance programs.  The new laws will ban warrantless collection of data from an electronic device in most situations, and limit the use of Automated License Plate Readers (ALPRs) in the state.
Rep. Daniel Zolnikov (R-Billings) sponsored both House Bill 149 (HB149) and House Bill 147 (HB147).
Read more on Tenth Amendment Center.
Montana is looking more and more attractive these days, isn’t it?

A reaction to potential federal crackdown?
Ariana Rakhshani reports:
Some worried about the federal implications of marijuana are rejoicing.
Governor Kate Brown signed a bill protecting those who shop at pot retailers.  Dispensaries have been required to keep customers’ personal information; it allowed the state to audit dispensaries to make sure they were only selling the legal amount to someone within a 24 hour period.
Now, dispensaries are not allowed to keep any personal information.
Read more on KTVL.

Perspective.  For those who can’t read? 
Netflix Touts U.S. Growth—and the Market Believes It
Can Netflix keep adding U.S. subscribers quarter after quarter?  The company's CEO seems to think so, painting a rosy picture of growth even as the streaming service hits 50 million customers and faces stiff competition from Amazon.
   In a letter to investors and in the video, Netflix also dropped other nuggets of good news.  These included claims that the much-hyped Dave Chappelle exclusive, which premiered in March, was the "most viewed comedy special ever," and that subscribers have spent more than half a billion hours "enjoying" specials involving actor Adam Sandler.

(Related).  A different number?
Netflix Nears 100 Million Subscribers, But Q1 Gains Fall Short of Expectations
Netflix added fewer subscribers than expected for the first three months of 2017, while the No. 1 subscription-video provider said it will surpass the 100-million mark this coming weekend.
   In 2017, the company plans to spend more than $1 billion marketing its content, Netflix said in the shareholder letter.

Perspective.  For those who can read. 
Amazon expands its literary horizons, making big imprint in translation niche
The literary translation community in the U.S. has a tradition of being highbrow, a carefully tended yet narrow reflection of the stirrings of global culture beyond the Anglosphere.
Then jumped in, like a whale into a koi pond.
   AmazonCrossing, the publishing unit devoted to scouring the world for good tales, has in a short time become the most prominent interpreter of foreign fiction into English, accounting for 10 percent of all translations in 2016, more than any other publishing house in a field populated by small imprints.
   Yet Amazon’s shine has been tarnished by a contentious relationship with New York publishing houses, bookstores and some authors.  Many bookstores — hurt by the online retailer’s dominance in book sales and its pricing power — have boycotted titles published by Amazon.  They’re also less likely to get reviewed by the traditional literary outlets, experts say.

This could be amusing just for the potential comparisons!  
Steve Ballmer Serves Up a Fascinating Data Trove
   On Tuesday, Mr. Ballmer plans to make public a database and a report that he and a small army of economists, professors and other professionals have been assembling as part of a stealth start-up over the last three years called USAFacts.  The database is perhaps the first nonpartisan effort to create a fully integrated look at revenue and spending across federal, state and local governments.
   Using his website, a person could look up just about anything: How much revenue do airports take in and spend?  What percentage of overall tax revenue is paid by corporations?

For my geeks.
If you’re thinking of learning Python, you might be overwhelmed by the initial setup process.  You need to install Python on your system, then learn how to use the command line to process code, or learn how to use the interactive shell, or learn how to set up a Python IDE.
Ignore all of that. It’s unnecessary until you know whether Python is right for you.
Instead, we recommend using an online interactive shell, which is just a website that lets you write and execute Python code and instantly see the results.  No need to install anything.

Worth a look?

Monday, April 17, 2017

Any action?  Like activating the motion sensors or the GPS by moving the phone? 
Answering What Constitutes a Search of a Cellphone after Riley Through a ‘Use-Based’ Approach
by Sabrina I. Pacifici on Apr 16, 2017
Jacobsen, Kristen M., Let’s Get Physical, Physical: Answering What Constitutes a Search of a Cellphone after Riley Through a ‘Use-Based’ Approach (January 24, 2017).  Criminal Law Bulletin Volume 53, Issue 4, 2017.  Available at SSRN:
“Investigating and prosecuting in the twenty-first century requires that the government have clear and workable rules to determine what action constitutes a Fourth Amendment search of a cellphone.  The use-based approach provides this guidance.  The use-based approach, which will substitute for the physical trespass doctrine, holds that any physical manipulation of the cellphone or any act that requires, or prompts, internal action on the part of the cellphone internally constitutes a Fourth Amendment search.  This approach prevents advancements in technology from eradicating Fourth Amendment protections, while the already-established exceptions allow law enforcement the latitude necessary to conduct investigations.”

Many smartphone owners don’t take steps to secure their devices
by Sabrina I. Pacifici on Apr 16, 2017
“Cybersecurity experts recommend that smartphone owners take a number of steps to keep their mobile devices safe and secure.  These include using a pass code to gain access to the phone, as well as regularly updating a phone’s apps and operating system.  Many Americans, however, are not adhering to these best practices, [No surprise.  Bob] according to a Pew Research Center report released earlier this year.”

(Related).  Works for lawyers, too.
Secure computing for journalists
by Sabrina I. Pacifici on Apr 16, 2017
Matthew Green: “…Classical (desktop and laptop) operating systems were designed primarily to support application developers.  This means they offer a lot of power to your applications.  An application like Microsoft Word can typically read and write all the files available to your account.  If Word becomes compromised, this is usually enough to pwn you in practice.  And in many cases, these applications have components with root (or Administrator) access, which makes them even more dangerous.  Modern phone operating systems like Android and iOS were built on a different principle.  Rather than trusting apps with much power, each app runs in a “sandbox” that (mainly) limits it to accessing its own files.  If the sandbox works, even a malicious application shouldn’t be able to reach out to touch other apps’ files or permanently modify your system.  This approach — combined with other protections such as in-memory code signing, hardware secret storage and routine use of anti-exploitation measures — makes your system vastly harder to compromise…”

Are you willing to face an unethical car? 
Incorporating Ethics into Artificial Intelligence
by Sabrina I. Pacifici on Apr 16, 2017
“This article reviews the reasons scholars hold that driverless cars and many other AI equipped machines must be able to make ethical decisions, and the difficulties this approach faces.  It then shows that cars have no moral agency, and that the term ‘autonomous’, commonly applied to these machines, is misleading, and leads to invalid conclusions about the ways these machines can be kept ethical.  The article’s most important claim is that a significant part of the challenge posed by AI-equipped machines can be addressed by the kind of ethical choices made by human beings for millennia.  Ergo, there is little need to teach machines ethics even if this could be done in the first place.  Finally, the article points out that it is a grievous error to draw on extreme outlier scenarios—such as the Trolley narratives—as a basis for conceptualizing the ethical issues at hand.  Published in the Journal of Ethics; click here for the full text (fee).” 

Something for my Security and Forensics students. 
Amazon Echo - Here's how to listen to EVERYTHING your Echo has EVER heard
   If you want to check out your old recordings, you’ll need to download the Alexa companion app on your Android or iOS smartphone.
Launch the app, then tap on the Settings menu, then History.
   Tap on any of the recordings, which are listed in chronological order, to listen to the audio, review what Alexa thought you asked, and delete the file from Amazon’s servers.
If you want to delete more than one audio file, Amazon does provide a quick way to delete your entire back catalogue of voice commands.
To do this, head to in your web browser.
From the list of devices registered to your Amazon account, select your chosen Alexa device, then tap Manage Voice Recordings, followed by Delete.

Interesting question. 
   there is an emerging debate over the competitive implications of big data.  Some observers argue that companies amassing too much data might inhibit competition, so antitrust regulators should preemptively take action to cut “big data” down to “medium data.”  Others say there is nothing new here, and existing competition law is more than capable of dealing with any problems.

A video manifesto?
Cleveland manhunt underway after video of murder uploaded to Facebook
A Cleveland man is at large after reportedly killing someone and uploading the footage to Facebook.  The video appears to show a man identified by police as 37-year-old Steve Stephens approaching a 74-year-old man, before asking him to say a name and shooting him in the head.  Some time after the murder, Stephens also began broadcasting on Facebook Live.  The video and broadcast were among multiple Facebook posts made by Stephens on Sunday afternoon, in which he claimed to have killed up to 15 people as part of an “Easter Day slaughter.”
   Facebook has removed the video and Stephens’ account, but it took the company several hours to take them down after Stephens started his attack at around 2PM local time.
   It’s not clear whether Facebook acted on its own to remove the posts, or reacted to requests from local law enforcement officials to take them down.

"The laddie doth protest too much, methinks,"  Or, is a trustworthy personality as important for a CEO as it is for a Presidential candidate?  (Last election notwithstanding.)  
Selling Mark Zuckerberg
The Facebook CEO’s likability blitz isn’t a presidential campaign, it’s a focus group for his 1.8 billion constituents — and part of a high stakes campaign to win your likes.
   Zuckerberg, now a 32-year-old dad with one daughter and another on the way, has evolved considerably in the intervening decade.  He hired speechwriters.  He spruced up his uniform from Valley schlub to monochrome minimalism.  He took on a series of annual self-improvement challenges that made him into a “lifestyle guru” for some male tech workers, according to the New York Times Style section.  (The paper said his announcements “sometimes have the feel of software upgrades,” but disciples admire Zuckerberg’s ability to reinvent himself “as a better human being.”)
“One of the things I’ve noticed over the years, he has improved his EQ,” Swisher told BuzzFeed News.  (EQ is shorthand for emotional quotient, a popular rubric for measuring interpersonal skills in Silicon Valley.)  “He was super, super awkward to talk to and he knew that he had a problem and he was fully aware.  He cared about changing it.”  He may even have challenged himself to improve.  I’m really shy, I should learn not to be so shy!  I can see him saying that,” Swisher said.

Want to be a Congressman?
Updates to the My Congressional District Tool
by Sabrina I. Pacifici on Apr 16, 2017
“The U.S. Census Bureau recently updated the My Congressional District web application for the 115th Congress. Other updates include:
  • Statistics from the 2015 American Community Survey and maps for the congressional districts within the states that were redistricted in September 2016 (Florida, Minnesota, North Carolina and Virginia).
  • Embeddable functionality.
  • Re-enabled ability to download a .csv file for a single district or all districts within a state.
My Congressional District allows quick and easy access to statistics from the 2015 American Community Survey and 2014 County Business Patterns for the nation’s 435 congressional districts.  The American Community Survey provides detailed demographic, social, economic and housing statistics every year for the nation’s communities.  County Business Patterns provide annual statistics for businesses with paid employees at a detailed geography and industry level.  To see previous updates to the My Congressional District web application, click here.”