Saturday, April 29, 2017

Yesterday’s Privacy Foundation seminar on Artificial Intelligence and Privacy was quite educational.  The panelists agreed AI is not far in the future, it is here today.  Lots of interesting examples, but of course we couldn’t cover everything.  For example: 
How AI Will Help Us Defeat Aging
   “I think that applying AI to aging is the only way to bring it under the comprehensive medical control.  Our AI ecosystem is comprised of multiple pipelines.  With our drug discovery and biomarker development pipelines we can go after almost every disease and we even have several projects in ALS…  And since we are considering aging as a form of disease, many of the same algorithms are used to develop biomarkers and drugs to prevent and possibly even restore aging-associated damage.”
Renowned futurist Peter Diamandis envisions that in the next one to two decades, AI will bring in demonetization of our major everyday expenses and therefore considerably bring down the cost of living, including health care.  But before that happens, Dr. Zhavoronkov believes that AI can help bring about the cure for aging and maybe other notorious diseases like cancer.

(Related).  Something for my students to ponder.
Bill Gates could be the world's first trillionaire, but Jeff Bezos is hot on his heels
   According to a recent report from Oxfam, an international network of organizations working to alleviate poverty, given the exponential growth of existing wealth, the world could have its first trillionaire in the next 25 years.  Gates would be 86 then; Bezos, 78.
   For its analysis, Oxfam researchers applied the average growth rate of the ultra-rich — 11 percent per year since 2009 — to Gates' current levels of wealth, which was about $84 billion at the time of the study.
   Their fellow billionaire Mark Cuban has another prediction for who will first cross that finish line: entrepreneurs working with artificial intelligence.
"I am telling you, the world's first trillionaires are going to come from somebody who masters AI and all its derivatives and applies it in ways we never thought of," the star investor of ABC's "Shark Tank" told audiences at the SXSW Conference and Festivals.

See?  It can happen to anyone. 
Exclusive: Facebook and Google Were Victims of $100M Payment Scam
When the Justice Department announced the arrest last month of a man who allegedly swindled more than $100 million from two U.S. tech giants, the news came wrapped in a mystery.  The agency didn’t say who was robbed, and nor did it identify the Asian supplier the crook impersonated to pull off the scheme.
The mystery is now unraveled.  A Fortune investigation, which involved interviews with sources close to law enforcement and other figures, has unearthed the identities of the three unnamed companies plus other details of the case.
The criminal case shows how scams involving email phishing and fake suppliers can victimize even the most sophisticated, tech-savvy corporations.  But the crime also raises questions about why the companies have so far kept silent and whether—as a former head of the Securities and Exchange Commission observes—it triggers an obligation to tell investors about what happened.

Great news Australia: We've had our first metadata breach
   The AFP today revealed one of its officers "illegally" accessed the metadata of an Australian journalist's phone calls, "earlier this year."
"[The breach] was identified by the AFP as a result of our own review," said AFP Commissioner Andrew Colvin.
Commissioner Colvin said police destroyed all data once it was clear they had breached the laws, and that data did not form part of any police investigations.
"Put simply, this was human error.  It should not have occurred."
Australia's mandatory data retention laws passed with bipartisan support in March 2015. Under the bill, internet service providers and telcos are required by law to store metadata about customer communications -- including names, addresses and the time, location and duration of communications -- for two years.
The laws also include provisions requiring police to get a warrant to access journalists' metadata.  [Non-journalists have no protection?  Bob] 
   "We have breached in respect to a journalist's particular circumstances on this occasion," he added.  "I don't think that gives cause to say that the public should have their confidence shattered in the system."
The spectre of a major data breach has been looming since the laws were first mooted, with critics warning that creating a trove of metadata on every single Australian with a phone or an internet connection was a recipe for a major data breach, or a major hack.

I’ll grab at least one of these each week while teaching Computer Security.  I’m hoping they get the message.  Why no encryption?  Do people still believe that passwords can protect a laptop? 
From a notification filed on behalf of Donaldson Company, Inc.:
On March 24, 2017, a Donaldson employee’s company-issued, user ID and password-protected laptop was stolen from the employee’s vehicle while it was located off Donaldson’s premises.  On March 29, 2017, Donaldson discovered that the laptop contained, in electronic form, certain Donaldson employees’ personal information, specifically employee hiring information, employee number, name, birthdate, Social Security number, citizenship, and address.
The incident involved the personal information of 4,487 individuals,

Doesn’t every politician attempt to influence voters?  Are they always dealing in facts?  Don’t they too drift into opinion or even fantasy?  Will we simply muzzle all opposing viewpoints?  Could be difficult to determine where the line is… 
Facebook gearing up to fight political propaganda
Facebook is acknowledging that governments or other malicious non-state actors are using its social network to influence political sentiment in ways that could affect national elections.

How to Detect Fake News in Real-Time

Speaking of influence…
Microsoft hires former FTC commissioner
Former Federal Trade Commission (FTC) Commissioner Julie Brill is joining Microsoft to head its privacy lobbying department, the company announced Friday.
As corporate vice president and deputy general counsel of Microsoft’s privacy and regulatory affairs group, Brill will oversee the company’s lobbying on cybersecurity, privacy and telecommunications regulation.

For my students.  Get a job with a technology company! 
Google CEO Sundar Pichai received nearly US $200 million salary last year
HOUSTON: Google's 44-year-old India-born CEO Sundar Pichai received nearly US $200 million in compensation last year, double the amount he got in 2015.
Pichai received a salary of US $650,000 last year, slightly less than the US $652,500 he earned in 2015.
But the long-time Google employee, who was named CEO during the company's re-organisation in August 2015, received a stock award of US $198.7 million in 2016, roughly double his 2015 stock award of US $99.8 million.
The company's compensation committee attributed the lavish pay to Pichai's promotion to CEO and "numerous successful product launches", the CNN reported.  [Compensation for failure is a lot lower.  Bob]

Tools for that first draft?
Two Free Speech-to-Text Tools
This morning on Practical Ed Tech Live I answered a request for a free speech-to-text tool.  There were two that I suggested.  One was and the other was Dictanote.
On you can simply click "start dictation" then start having your voice transcribed into a text document.  No registration is required in order to use  More than two dozen languages are supported on  
In Google Chrome you can use the Dictanote Speech Recognizer app available for free through the Chrome Web Store.  To use the Dictanote Speech Recognizer just install it from the Chrome Web Store, launch it, then click the microphone to start taking and recording your voice.  The Speech Recognizer will type out your text when you finish recording.  You can then copy and paste your text to the paragraph box below the Speech Recognizer or to a document you have open in Google Docs.

Friday, April 28, 2017

The upside is, we already know how to deal with these older attacks.  For example, keep reminding employees not to click on those bad links. 
Hackers Get Back to the Basics
   Last year, one in every 131 emails sent were malicious, according to a new report from Symantec, the computer-security company.  That’s a marked increase from the two previous years, when the rate was one in 230, on average.
   Macros embedded in Word or Excel documents, for example, saw a surprising comeback in 2016.  Macros are mini-programs that automate tedious tasks inside a document, like formatting a table in a certain way, or filling out a long form with personal information.  But since they’re designed to execute a series of commands—and aren’t confined to the document they live in—they can be maliciously repurposed.
   This resurgence of phishing and social engineering might be a result of improvements in defenses.  “It gets harder and harder to fool the computer, but there’s still a good chance of fooling the end user,” said Kevin Haley, the director of Symantec’s Security Response team and a contributor to the report.  
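The macro comeback described above is easy to triage mechanically: modern Office files are zip packages, and a document that carries VBA stores it in a `vbaProject.bin` part and declares it in `[Content_Types].xml`. The checker below is an added example written for this post, not code from Symantec or the article; the sample "documents" it scans are constructed in memory and are not real Office files.

```python
import io
import zipfile

# Where Office Open XML packages keep a VBA project (standard package layout).
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE2_MAGIC = b"\xD0\xCF\x11\xE0"   # legacy binary .doc/.xls container


def find_macro_indicators(data: bytes) -> list:
    """Return the reasons a document looks macro-enabled; [] means none found."""
    reasons = []
    if not data.startswith(b"PK"):
        # Legacy OLE2 files need a VBA-aware parser; flag them for manual review.
        if data.startswith(OLE2_MAGIC):
            reasons.append("legacy OLE2 container: inspect with a VBA-aware tool")
        return reasons
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            for name in names:
                if name.endswith("vbaProject.bin"):
                    reasons.append(f"VBA project part present: {name}")
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_CONTENT_TYPE in ctypes:
                    reasons.append("content types declare a vbaProject part")
    except zipfile.BadZipFile:
        reasons.append("malformed zip container")
    return reasons


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal .docx-like package for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        parts = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            parts.append(
                f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>'
            )
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b" constructed placeholder")
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(parts) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean.docx", build_sample(False)),
                       ("invoice.docm", build_sample(True))):
        print(label, find_macro_indicators(doc) or "no macro indicators")
```

A mail gateway or endpoint agent would run `find_macro_indicators` over attachments and quarantine or strip anything that returns a non-empty list; the extension alone (`.docx` vs `.docm`) is not a reliable signal because the package contents, not the name, decide whether Office will offer to run a macro.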

Another opinion.
Cyberespionage, ransomware big gainers in new Verizon breach report
Verizon released its tenth annual breach report this morning, and cyberespionage and ransomware were the big gainers in 2016.
Cyberespionage accounted for 21 percent of cases analyzed, up from 13 percent last year, and was the most common type of attack in manufacturing, the public sector, and education.
In fact, in the manufacturing sector, cyberespionage accounted for 94 percent of all breaches. External actors were responsible for 93 percent of breaches, and, 91 percent of the time, the target was trade secrets.

There is a belief that Security gets in the way of innovation.  I think it also points out poor innovators.
   According to a recent study by IBM Security and the Ponemon Institute, 80% of organizations do not routinely test their IoT apps for security vulnerabilities.  That makes it a lot easier for criminals to use IoT devices to spy, steal, and even cause physical harm.

Makes you wonder if the intelligence agencies have a way to filter out fake news.  (See the articles below)
Government requests for Facebook user account data up 9% in second half of 2016, but content restrictions declined
Facebook today released its latest report on global government requests for the second half of 2016, noting there has been a 9 percent increase in requests for user account data compared with the earlier part of that year, but a 28 percent decrease in content restrictions for violating local law.  However, that latter decrease doesn’t necessarily indicate that content restriction-related requests are dropping as a trend, but rather that earlier reporting had been impacted by unusually inflated figures.  This was due to a sizable number of requests related to a single image from the terror attack in Paris in 2015.

Is there a solution?  If a politician’s “spin” is reported accurately, should that avoid a “fake news” tag?  (Did Huey Long really call his opponent a “flagrant heterosexual?”)
Facebook 'observed propaganda efforts' by governments
Facebook has admitted that it observed attempts to spread propaganda on its site, apparently orchestrated by governments or organised parties.
The firm has seen "false news, disinformation, or networks of fake accounts aimed at manipulating public opinion", it revealed in a new report.
"Several" such cases during the US presidential election last year required action, it added.
Some of the activity has been of a "wide-scale coordinated" nature.

(Related).  How could this be done at all?
The most important part of Facebook's disinformation strategy is what it leaves out
   while the report lays out a number of new measures, the most striking thing is what it leaves out: a strategy for combating the creation of false and malicious material at its source, and a sense of Facebook's responsibility when genuine users share those links.  As described in the report, almost all the important elements of disinformation campaigns are outside of Facebook’s control.  When the campaigns do venture onto Facebook, the associated posts tend to behave the same way any piece of news or content would.  And while similar campaigns continue across Europe, today’s report suggests there’s no easy fix for the problem — or at least not from Facebook.

Has anyone considered that he might want to buy Ford?
Zuckerberg tours Ford assembly plant
   Zuckerberg and his wife announced plans earlier this year to visit all 50 states.
He has denied speculation that he is considering a White House bid for 2020.  Last summer, Zuckerberg specifically created a new class of Facebook shares that would allow him to serve in elected office for two years without resigning from Facebook.

A response to my students who are amazed that I do not own a smartphone.
How to Break Your Smartphone Addiction
by Sabrina I. Pacifici on Apr 27, 2017
“When people talk about addiction, the first thing that comes to mind are illegal drugs, alcohol and tobacco.  But in the mobile era, behavioral addiction is much more prevalent and pervasive — and the culprit is the ubiquitous smartphone.  Adam Alter, a marketing and psychology professor at New York University, says it’s an addiction by design — and one that’s insidiously hard to break.  In his new book, Irresistible: The Rise of Addictive Technology and the Business of Keeping Us Hooked, he explains how humans are hardwired for addiction and offers suggestions on how to break the habit.  He discussed his findings on the Knowledge@Wharton show, which airs on SiriusXM channel 111.”

‘cause everyone wants a faster computer!

Thursday, April 27, 2017

Phishing for political influence?
Trend Micro breaks down Pawn Storm tactics, methods and goals
An in-depth look at the cyberespionage gang Pawn Storm by Trend Micro reveals an incredibly complicated and capable group that has penetrated several important political and government organizations and for the most part has done so on the back of one of the most well-worn attack methodologies available: phishing.
Trend Micro made its case in a 41-page report entitled Two Years of Pawn Storm.

How does one stop security faux pas?
Robert Radick writes:
Just over a year ago, this blog took note of a governmental letter that powerfully underscored the dangers of cyberattacks in the healthcare industry.  The letter, which then-Senator Barbara Boxer had sent to FBI Director James Comey, discussed the serious risks that hospitals and other institutional health care providers face from cyberattacks, ransomware, and a range of other malicious efforts to infiltrate their networks.
How is it that, according to the FDA, Abbott’s cardiac devices are alleged to be in violation of the FDCA?  Although the FDA’s warning letter is a complex document that makes for anything but easy reading, the letter boils down to two primary assertions – first, that Abbott allegedly underestimated the risk and potential consequences of the premature failure of batteries that a third-party manufacturer had supplied for the implantable cardiac devices; and second, that based on allegedly erroneous “cybersecurity risk assessments” for cardiac devices, Abbott had found that the device’s risk estimations were acceptable, when, according to the FDA, an outside report had concluded that “several risks” – including, apparently, the risk of hacking and cyberattacks on the devices themselves – “were not adequately controlled.”
Read more on Forbes.

“Give us everything, we’ll sort it out.” 
UK Government Complains After Twitter Cuts Data Access
The British government has complained to Twitter over a block on access to data from the social network, which it was reportedly using to track potential terror attacks, officials said Wednesday.
"The government has protested against this decision and is in ongoing discussions with Twitter to attempt to get access to this data," a Home Office spokesman said.
Prime Minister Theresa May's spokesman declined to specify exactly what the data was and why it was important, saying only that "we wish to have access to this information".
But he told reporters: "The fight against terrorism is not just one for the police and the security services. Social media and tech companies have a role to play."

Sale of Donald Trump masks to soar!  Why reference law enforcement databases?  Will they ignore some illegals crossing the border to pursue other illegals with prior convictions?  Shouldn’t they just arrest them all and sort them out later? 
In what could prove to be a Frankenstein combination of invasive technologies, the Department of Homeland Security is considering a project to arm Customs and Border Patrol (CBP) with drones using facial recognition scanning at the border.  Specifically, the proposal states that “DHS is interested in sUAS [small drone] sensor technology with the following attributes …. Identification of humans via facial recognition or other biometric at range” and describes the potential for “A USBP agent [t] deploy[] a sUAS to make observations …. [T]he sensor technology would have facial recognition capabilities that allow it cross-reference any persons identified with relevant law enforcement databases.”

Last year was officially the much-awaited “year of mobile” in the advertising industry.
For the first time, mobile advertising represented more than half of the spending that marketers funneled into digital advertising overall in the U.S. in 2016.  According to a new report conducted by PwC US for the Interactive Advertising Bureau, mobile ad spending accounted for 51% of the record $72.5 billion in total U.S. digital ad spending last year.

Something for those of us who have reached geezer-hood?  Probably not.  Note that multiple accounts allows you to give up the password to one account at the border and keep your terrorist connections private. 
How to Instagram like a teen
   In a previous life of working in digital strategy and academia, I spent a lot of time trying to understand what young people were doing with social media, and Instagram was (and continues to be) one of the top apps for them.  I loved seeing the secret visual language they used — the inside jokes, the fun selfies, the clothes, the emojis — and I guess you could say that I not only picked up a few tips and tricks, but I also went native.  Believe it or not, teens can teach us a lot about how to use Instagram.
   For adolescents, Instagram is a way to articulate identity, and at that age, you might want to shift from identity to identity.  For this reason, lots of teens have “fake Instagrams” or “Finstas.”  Maybe one account only features (and is shared by) you and fellow members of your basketball team.  Maybe another is the one you use as your public-facing, family-friendly account.  Although keeping multiple Instagram accounts sounds unnecessarily exhausting to most of us, you might consider opening both a personal Instagram account and another purely for professional purposes and personal branding.  Use that one to send people to your blog or business, for example.

(Related).  Probably all terrorists…
Instagram is growing faster than ever and now has 700 million users
It took the company just four months to add 100 million new accounts.

For my Spreadsheet students.

Plenty geeky, but are they useful?
3D and VR plugin developer Tim Dashwood is joining Apple and has since made all of his 3D and 360 VR plugins completely free.  Compatible with Adobe Premiere, After Effects, Final Cut Pro, and Motion — the available plugins, once worth over $1,000, can be downloaded for free from FxFactory.
   To use Dashwood’s plugins, you’re going to have to install FxFactory — an app store of visual and audio plugins for video software — on your Mac.  Unfortunately, it will only work if you’re running Sierra or El Capitan. Once FxFactory is installed, use the app’s search function to look for “Dashwood”.

Wednesday, April 26, 2017

No matter who dumped the data, this indicates that your security sucks!
Joseph Cox reports:
The industry for so-called encrypted or secure phones is a lively one.  Several firms sell custom BlackBerry or Android devices that may come pre-loaded with tools such as PGP email for sending messages, and some of these companies’ products have allegedly been used by organized crime.
But it’s also a competitive market.  Customer data from one company, including email addresses and unique IMEI numbers from users’ phones, is now available online for anyone to dig into, and Ciphr, the victim company, claims the data dump was the work of a competitor.
Read more on Motherboard.

Risky burritos.  With 2,000 locations, this could be big. 
Melissa Stephenson reports:
Chipotle Mexican Grill announced Tuesday that they have detected a data security breach.
The company believes the breach may have affected transactions from March 24 through April 18.
Read more on WTKR.

Not bad enough you were hacked, now you have blackmailers using the hacked data against you.
Graham Cluley reports:
Blackmailers are once again trying to make money out of the notorious Ashley Madison hack, which exposed the details of registered members of the cheating website in 2015.
Robin Harris writes on ZDNet that he has received a blackmail threat, alerting him that unless he pays up $500 worth of Bitcoin his personal details will be shared on a new website being created by the extortionists.
The site, which the blackmailers claim will be launched on May 1 2017, is said to be called “Cheater’s Gallery”:
“On May 1 2017 we are launching our new site — Cheaters Gallery – exposing those who cheat and destroy families.  We will launch the site with a big email to all the friends and family of cheaters taken from Facebook, LinkedIn and other social sites.  This will include you if do not pay to opting out.”
Read more on HotForSecurity.

Do you really want to play around in Tony Soprano’s back yard?
Paul Milo reported this yesterday:
Hackers have disabled some City of Newark computers and are now demanding about $30,000 worth of the online currency Bitcoin to render them operable once again, TAPInto reported Monday.
The computers were infected over the weekend with an encryption that affects nearly all files that operate on a desktop, according to a document obtained by TAPInto.

A hardcoded key is the same as an unchangeable default password. 
Flaws in Hyundai App Allowed Hackers to Steal Cars
The Blue Link application, available for both iOS and Android devices, allows users to remotely access and monitor their car.  The list of features provided by the app includes remote engine start, cabin temperature control, stolen vehicle recovery, remote locking and unlocking, vehicle health reports, and automatic collision notifications.
   Versions 3.9.4 and 3.9.5 of the Blue Link apps upload an encrypted log file to a pre-defined IP address over HTTP.  The name of the file includes the user’s email address and the file itself contains various pieces of information, such as username, password, PIN, and historical GPS data.
While the log file is encrypted, the encryption relies on a hardcoded key that cannot be modified.  A man-in-the-middle (MitM) attacker — e.g. via a compromised or rogue Wi-Fi network — can intercept HTTP traffic associated with the Blue Link application and access the log file and the data it contains.
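Three separate mistakes stack up in the Blue Link report: secrets (password, PIN, GPS history) were written into a diagnostic log at all, the file name carried the user's email address, and the upload went over plain HTTP with a key that ships inside every copy of the app, which is no protection against anyone who has the app. The code below is an added example of the defensive side, not Hyundai's code or the researchers' findings: it redacts secret fields before a record is logged, names the file by an opaque identifier, and rejects an upload URL that is not HTTPS. The field names and the sample record are assumptions for the demo.

```python
import hashlib
import re
from urllib.parse import urlparse

# Fields that must never reach a diagnostic log (constructed list for the demo).
SECRET_FIELDS = {"password", "pin", "token", "secret"}
# Location is kept for diagnostics but coarsened; one decimal place is ~10 km.
LOCATION_FIELDS = {"lat", "lon"}


def redact_record(record: dict) -> dict:
    """Return a copy of a log record with secrets removed and location coarsened."""
    clean = {}
    for key, value in record.items():
        k = key.lower()
        if k in SECRET_FIELDS:
            clean[key] = "[REDACTED]"
        elif k in LOCATION_FIELDS:
            clean[key] = round(float(value), 1)
        else:
            clean[key] = value
    return clean


def safe_log_filename(email: str, seq: int) -> str:
    """Derive the file name from an opaque hash, never from the email itself."""
    digest = hashlib.sha256(email.strip().lower().encode()).hexdigest()[:16]
    return f"diag-{digest}-{seq}.log"


def check_upload_url(url: str) -> list:
    """Return the transport problems a code reviewer should block the release on."""
    problems = []
    u = urlparse(url)
    if u.scheme != "https":
        problems.append("upload is not over TLS")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", u.hostname or ""):
        problems.append("hard-coded IP literal: certificate must carry an IP SAN "
                        "or the client must pin it")
    return problems


if __name__ == "__main__":
    # Constructed record resembling the fields the article says the log contained.
    sample = {"username": "driver@example.com", "Password": "hunter2",
              "PIN": "1234", "lat": "40.123456", "lon": "-75.987654"}
    print(redact_record(sample))
    print(safe_log_filename(sample["username"], 7))
    print(check_upload_url("http://203.0.113.5/upload") or "transport OK")
```

Note that none of this replaces proper transport security: the point of the example is that data which is never logged cannot leak, and that a key compiled into an app is not a secret from the people most interested in it.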

“How brave a world where devices doth conspire!”  A possible AI Shakespeare?  
Man Arrested in Wife's Murder After Fitbit Data Pokes Holes in His Alibi
A Connecticut man was arrested and charged with the murder of his wife after police found that Fitbit data didn't match his alibi.
Connecticut's Richard Dabate was accused of killing his wife Connie, who was found dead from gunshot wounds at their home in December 2015.  Dabate said an unknown intruder broke into their house before shooting his wife and subduing Dabate with precision use of pressure points.  But investigators have uncovered inconsistencies between his account and that of the devices he and Connie used, including the fitness tracker she wore on her wrist.
Evidence from her Fitbit, which works as a digital pedometer to keep track of the wearer's daily activity, shows she was up and moving an hour after Dabate claimed she had been attacked.  It further pokes holes into his account of her morning, noting just how far she moved after arriving home.  Electronic records from e-mail, phone, and text messages also contribute to a complicated picture, showing a marriage in trouble and the presence of a pregnant girlfriend.  Dabate claimed his wife's life insurance policy the day after the crime.

A source of used Stingrays?
Mike Maharrey writes:
…Arizona Gov. Doug Ducey signed a bill that bans the use of “stingrays” to track the location of phones and sweep up electronic communications without a warrant in most situations.  The new law will not only protect privacy in Arizona, but will also hinder one aspect of the federal surveillance state.
Sen. Bob Worsley (R-Mesa) introduced Senate bill 1342 (SB1342) back in January.  The legislation will help block the use of cell site simulators, known as “stingrays.”  These devices essentially spoof cell phone towers, tricking any device within range into connecting to the stingray instead of the tower, allowing law enforcement to sweep up communications content, as well as locate and track the person in possession of a specific phone or other electronic device.
Read more on Tenth Amendment Center.

Determining what to block or take down in real time is almost impossible.  Perhaps AI can speed up detection, but can it anticipate a user’s post?  When do you merely block or take down and when do you notify the police? 
Thai Police Will Review Ways to Take Down Content After Man Murders Baby in Facebook Video
Police in Thailand on Wednesday said they would discuss how to speed up taking down "inappropriate online content" after a man broadcast himself killing his 11-month-old daughter in a live video on Facebook.

(Related).  Tips for hackers.  Problems for Forensic students. 
A Trick That Hides Censored Websites Inside Cat Videos
A pair of researchers behind a system for avoiding internet censorship wants to deliver banned websites inside of cat videos.  Their system uses media from popular, innocuous websites the way a high schooler might use the dust jacket of a textbook to hide the fact that he’s reading a comic book in class.  To the overseeing authority—in the classroom, the teacher; on the internet, a government censor—the content being consumed appears acceptable, even when it’s illicit.
The researchers, who work at the University of Waterloo’s cryptography lab, named Slitheen after a race of aliens from Doctor Who who wear the skins of their human victims to blend in.  The system uses a technique called decoy routing, which allows users to view blocked sites—like a social-networking site or a news site—while generating a browsing trail that looks exactly as if they were just browsing for shoes or watching silly videos on YouTube.

For my Computer Security students.  Possible exam question: There are 65000 X 2 ports, name them! 
Securing risky network ports
Data packets travel to and from numbered network ports associated with particular IP addresses and endpoints, using the TCP or UDP transport layer protocols.  All ports are potentially at risk of attack.  No port is natively secure.
   There is a total of 65,535 TCP ports and another 65,535 UDP ports; we’ll look at some of the diciest ones. 
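What "securing risky ports" looks like in practice is an inventory: list what is actually listening, separate sockets bound to loopback from sockets exposed on every interface, and match the exposed ones against the protocols the article calls dicey. The script below is an added example for this post, not the article's tool; it parses constructed output in the format of `ss -tuln` on Linux, and the risky-port table is a short illustrative subset, not a complete list.

```python
# Constructed sample in the column layout of `ss -tuln` (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:445        0.0.0.0:*
tcp   LISTEN 0      128    *:3389             *:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:53       0.0.0.0:*
"""

# Illustrative subset of well-known ports that rarely belong on an untrusted network.
RISKY_PORTS = {
    ("tcp", 21): "FTP (cleartext credentials)",
    ("tcp", 23): "Telnet (cleartext)",
    ("tcp", 135): "MS-RPC endpoint mapper",
    ("tcp", 139): "NetBIOS session",
    ("tcp", 445): "SMB",
    ("tcp", 3306): "MySQL",
    ("tcp", 3389): "RDP",
    ("udp", 161): "SNMP",
    ("udp", 1900): "SSDP/UPnP",
}
LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")


def parse_ss(text: str) -> list:
    """Turn `ss -tuln` output into a list of {proto, state, addr, port} dicts."""
    sockets = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        addr, _, port = local.rpartition(":")   # handles "[::]:22" and "*:3389"
        sockets.append({"proto": proto, "state": state, "addr": addr, "port": int(port)})
    return sockets


def assess(sockets: list) -> list:
    """Flag every socket reachable from other hosts; rank known-risky services high."""
    findings = []
    for s in sockets:
        if s["addr"].startswith(LOOPBACK_PREFIXES):
            continue                             # local-only: not exposed
        risk = RISKY_PORTS.get((s["proto"], s["port"]))
        findings.append({
            "proto": s["proto"], "port": s["port"], "addr": s["addr"],
            "severity": "high" if risk else "review",
            "note": f"{risk}: restrict to trusted networks or disable" if risk
                    else "confirm this service must be exposed",
        })
    return findings


if __name__ == "__main__":
    for f in assess(parse_ss(SAMPLE_SS)):
        print(f"[{f['severity']:6}] {f['proto']}/{f['port']} on {f['addr']}: {f['note']}")
```

Run it against real output with `ss -tuln | python3 ports.py` after changing the script to read `sys.stdin`; the same parsing works because `ss` prints the local address and port in a single column. The loopback test is the important part: the article's point that no port is natively secure is really a point about exposure, and a service bound only to 127.0.0.1 is not reachable from the network at all.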

Also, an issue for my Computer Security students to consider.  (AKA: Need to know)  All new files should start with a “no one can access” rule and that will change only when managers specifically authorize a change. 
Organizations Fail to Maintain Principle of Least Privilege
Security requires that confidential commercial data is protected; compliance requires the same for personal information.  The difficulty for business is the sheer volume of data generated makes it difficult to know where all the data resides, and who has access to it.  A new report shows that 47% of analyzed organizations in 2016 had at least 1,000 sensitive files open to every employee; and 22% had 12,000 or more.
These figures come from the Varonis 2016 Data Risk Assessments report.  Each year Varonis conducts more than 1,000 risk assessments for both existing and potential customers.
   Varonis believes that organizations spend too much time and money in defending specific threats to keep attackers off the network; rather than protecting the data itself from both opportunistic insiders and hackers that breach the 'perimeter'.  In January of this year, a separate report (PDF) from Forrester (commissioned by Varonis) concluded that "an overwhelming majority of companies face technical and organizational challenges with data security, are focused on threats rather than their data, and do not have a good handle on understanding and controlling sensitive data."
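The Varonis number, sensitive files open to every employee, is something you can measure on your own file servers, and Bob's "no one can access until a manager authorizes it" rule is just deny-by-default permissions on creation. The script below is an added example for this post, not Varonis's assessment tooling: it walks a directory tree and reports regular files readable by group or world, and it shows creating a file that starts owner-only regardless of the process umask. The directory, file names and the "sensitive" name heuristic are constructed for the demo and it assumes a POSIX file system.

```python
import os
import stat
import tempfile

# Name fragments that mark a file as worth attention (constructed heuristic).
SENSITIVE_MARKERS = ("ssn", "payroll", "salary", "hr_", "medical")


def find_open_files(root: str, markers=SENSITIVE_MARKERS) -> list:
    """Return (relative path, permission bits, looks_sensitive) for every regular
    file under root that group or world can read."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue                         # skip symlinks, sockets, etc.
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                sensitive = any(m in name.lower() for m in markers)
                findings.append((os.path.relpath(path, root), oct(mode & 0o777), sensitive))
    return findings


def create_restricted(path: str, data: bytes = b"") -> int:
    """Create a new file that only its owner can read or write (deny by default).
    O_EXCL refuses to clobber an existing file; the explicit chmod makes the
    result independent of whatever umask the calling process inherited."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)
    return os.stat(path).st_mode & 0o777


def demo() -> tuple:
    """Build a throwaway tree with one over-shared file and one restricted file,
    then return (paths flagged as open, mode of the restricted file)."""
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "payroll_2016.csv")
        with open(shared, "wb") as f:
            f.write(b"name,ssn\nconstructed,000-00-0000\n")
        os.chmod(shared, 0o644)                  # the typical "everyone can read" default
        restricted_mode = create_restricted(os.path.join(root, "hr_review.txt"), b"constructed")
        flagged = sorted(path for path, _, _ in find_open_files(root))
        return flagged, restricted_mode


if __name__ == "__main__":
    flagged, mode = demo()
    print("open to group/world:", flagged)
    print("restricted file mode:", oct(mode))
```

On a real share you would point `find_open_files` at the export root and sort the output by the `looks_sensitive` flag; the count of sensitive files that come back is the same statistic the report quotes, measured for your own environment rather than someone else's.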

Only China?  No other country is a risk?  Wake up, DHS. 
Adam Schwartz writes:
EFF has joined a coalition effort, led by Asian Americans Advancing Justice (AAAJ), to oppose the federal government’s proposal to scrutinize the social media activities of Chinese visitors.  Specifically, U.S. Customs and Border Protection (CBP) seeks to ask certain visa applicants from China to disclose the existence of their social media accounts and the identifiers or handles associated with those accounts.
Last year, EFF opposed a similar CBP proposal concerning foreign visitors from countries that participate in the Visa Waiver Program (VWP). CBP finalized this proposal in December 2016.
Read more on EFF.

My students seem reluctant to use self-driving cars.  Will they even consider self-flying?
Uber plans to rule the skies by 2020
Uber has revealed plans to team up with Aurora Flight Sciences to create and test out a network of aerial taxis for passengers to hire by 2020.
On Tuesday at Uber's Elevate Summit in Dallas, Texas, the companies said the electric vertical takeoff and landing (eVTOL) aircraft will be part of the Uber Elevate Network, a scheme designed to eventually give Uber users the opportunity to use both land and air to reach their destination. [What?  No submarines?  Bob] 

My Indian students seem to think it is already an equal to Amazon.
Funding Flipkart: Can India’s Internet ‘Unicorn’ Take on Amazon?

Let’s hope this is not United’s fault. 
United Airlines investigates giant bunny death
United Airlines is investigating the death of a giant rabbit which was being transported on one of its planes.
The 90cm-long bunny, called Simon, was found dead in the cargo hold when the flight arrived at Chicago's O'Hare airport from London Heathrow.
Reports in UK media say the 10 month-old giant rabbit was being delivered to a new "celebrity" owner.
   Owner Annette Edwards told the paper: "Simon had a vet's check-up three hours before the flight and was fit as a fiddle.
"Something very strange has happened and I want to know what.  I've sent rabbits all around the world and nothing like this has happened before."

Something to record my lectures for later listening?
This Online Audio Editor Is Beautiful
Beautiful Audio Editor is a free audio editor that you can use in the Chrome and Firefox web browsers.  Beautiful Audio Editor lets you record spoken audio directly and or import audio that you have previously recorded in MP3 and WAV formats.  You can edit and blend multiple tracks in the Beautiful Audio Editor.  When your audio editing project is complete you can download it as an MP3 file, download it as a WAV file, or you can save it in Google Drive.

Tuesday, April 25, 2017

Someday, management will begin to understand that encryption is relatively cheap. 
A recent HHS settlement that included a relatively small monetary penalty, $31,000, didn’t seem to get a lot of media attention.  Maybe today’s announced settlement stemming from a laptop theft that resulted in a steep monetary penalty will get attention?  From HHS:
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI).  CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan.  This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.
In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home.  The laptop contained the ePHI of 1,391 individuals.  OCR’s investigation into the impermissible disclosure revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft.  Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented.  Further, the Pennsylvania-based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.
“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said Roger Severino, OCR Director.  “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk.  This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”
The Resolution Agreement and Corrective Action Plan may be found on the OCR website at
More than five years from report of the theft to HHS settlement?  It would be great if HHS had the resources to investigate and pursue more cases in a way that resolves them more quickly.

My students would never do this.  I’m almost positive.  
The University of Professional Studies, Accra (UPSA) has sacked 22 of its students who hacked into the school’s computer system to manipulate their results.
A notice of dismissal from the university said it took the decision after meeting on the issue at an emergency meeting on Wednesday, 15th February, 2017 by the Academic Board.
The affected students are to leave the school campus with immediate effect.
Source: Ghana/  Although the students were dismissed for hacking, other coverage suggests that there was one hacker, hired and paid by the other students.
Unlike the U.S., where FERPA might prevent disclosure of some of the details, there’s apparently less such prohibition in Ghana, as The Citizen’s Ghana published the names and pictures of some of the 22.

Does Russia really prefer Le Pen, the Trump-like candidate?  
French Presidential Candidate Targeted by Russia-Linked Hackers
A notorious cyber espionage group linked to the Russian government has targeted the political party of French presidential candidate Emmanuel Macron, according to a report published on Tuesday by Trend Micro.
   Macron’s campaign has confirmed for The Wall Street Journal that staffers received phishing emails, but claimed the hacking attempts had failed.  The National Cybersecurity Agency of France (ANSSI) also confirmed the attacks, but refused to comment on their origin, Reuters reported.
   According to Trend Micro, the En Marche phishing site was set up in mid-March.  The security firm also discovered a phishing domain apparently set up to target the Konrad-Adenauer-Stiftung (KAS) political foundation in Germany.  The KAS phishing site, named, was created in early April.

For my Computer Security students.  It’s not always preparation for Cyber War.  Sometimes it’s just about the money.  (Ignore the specifics, concentrate on the strategy.)
China's hand caught in the cookie jar
China’s hand in the cookie jar?  Nation state or corporate espionage?  Some themes change and others stay the same; this theme continues to morph as China, its state-owned enterprises, and conglomerates with ties to the government continue to vacuum up global technologies.
Why?  Obtaining the fruits of others’ research and development via subterfuge and skullduggery is much more cost efficient than conducting principal research directly.
   Those who have pooh-poohed the efficacy of security awareness programs should take heed.
Siemens did not detect the theft of the intellectual property via sophisticated data loss prevention technologies.  They may have used those technologies to verify the employee’s activities, but it was one employee noting something was not quite right and reporting it in an appropriate and actionable manner.  Self-policing at its best.
If an employee does not exceed their professional brief, that is, the normal and natural access necessary to conduct their duties, it is near impossible to detect their having broken trust with their employer, except through their non-technical behavior, which is observable by colleagues.

How valuable would this data be?
I started covering Aadhaar years ago on as a data protection mega-disaster waiting to happen.  Those early posts are no longer available online, but I’ve continued to watch for news on its implementation and concerns.  And while India’s government keeps reiterating that everything is secure and fine, I keep seeing breach/leak reports.  So I was pleased to see that Nikhil Pahwa has compiled a list of Aadhaar leaks.
I realize that when we’re talking about a database with more than 1 BILLION individuals’ records, small leaks – even 1 million – may seem like a drop in the bucket, but I still fear it’s only a matter of time before we read about a breach that will dwarf the headline-grabbing Yahoo! breach.

An interesting thought. 
The Threat to Critical Infrastructure - Growing Right Beneath Our Eyes
Nation-States do Not Fear Reprisal and are Likely to use ICS Attacks as a Component of Geo-Political Conflict
   The “red lines” that conventional wisdom once held would prevent disruptive or destructive attacks against critical infrastructure have now been crossed numerous times, and we can safely assume they will be again. 
The notion of cold-war era “Mutually Assured Destruction” as a deterrent force has dimmed and nation-states, jihadists and even cyber-criminals have taken notice.
   Nation-states do not fear reprisal and are likely to use ICS attacks as a component of geo-political conflict.  Alarmingly, offensive cyber tools are becoming commonplace, lowering the bar for rogue nations, jihadists and hacktivists to get into the ICS attack game.  And, cyber-criminals are figuring out that ICS networks are critical and therefore valuable, meaning it is only a matter of time until we see major ransomware trends in ICS.

Trade in your Smartphone for an Artificially Intelligent phone? 
If this continues, one day my husband will be considered far-sighted for refusing to give up his little old flip phone.
Bernie Suarez writes:
The march towards an Orwellian future where every form of human behavior is being monitored by AI-driven appliances and electronics is quickly becoming a reality.  This was the plan from the start and as we can see the ruling elite have not slowed down one bit in their attempt to create this kind of world.
It is thus no surprise that Samsung is releasing a new smart phone this week called the S8 and S8+ that has a software called “Bixby” which will be studying your behavior in real-time and will be reacting, responding and “learning” from you accordingly.
The new Samsung S8 smart phone represents one of the first portable devices released to the general public in which the owner will be officially creating a 2-way relationship with the machine.
Read more on Activist Post.

Interesting.  I’ll ask my students if anyone would like to go for a ride…
Waymo’s self-driving minivans are now offering rides to real people in Arizona
Starting today, residents of the greater Phoenix metropolitan area can sign up to go for a ride in a self-driving minivan.  As often as they want.  For free.
Waymo, the self-driving car startup spun off from Google late last year, announced today that it’s offering its services to members of the public for the first time.  Waymo is calling it an “early rider program,” intent on cataloguing how on-demand, driverless cars will factor into people’s everyday lives.  Interested participants can sign up on the company’s website, and Waymo will select riders depending on the types of trips they want to take and their willingness to use the self-driving service as their primary mode of transportation.  

Making language irrelevant?  Making it possible for everyone to read the ads? 
Google adds support for more Indian languages to Gboard, Maps, Translate; to leverage neural machine learning
   Having a smartphone is a boon in the digital age, but is the language becoming a barrier for the majority of Indians from tapping the fullest potential of a smart device or internet in general?
Internet giant Google sees an opportunity of growth in the vernacular segment.  While it has already added Indian language support to some of its services, the company today announced further expansion to the number of Indian languages supported.  It also revealed plans to leverage machine learning to further improve its services with the Indian languages.  Starting today, Google’s products including Maps, Translate, Chrome, and Gboard will support over 30 Indian languages.
   It is estimated that by 2021, Hindi speaking users will overtake English speaking Internet users.  Furthermore, 9 out of 10 users in the next four years are likely to be Indian language users.

Monday, April 24, 2017

Is it war?  Is it preparation for war?  Is it the equivalent of taking pictures of the defenses at Normandy? 
Denmark Says Russia Hacked Defense Ministry Emails
Denmark on Monday denounced Moscow's "aggressive" behavior after a report accused Russian hackers of infiltrating the defense ministry's email accounts.
"This is part of a continuing war from the Russian side in this field, where we are seeing a very aggressive Russia," Defense Minister Claus Hjort Frederiksen told Danish news agency Ritzau.
A report published Sunday by the Centre for Cyber Security accused a group of pro-Kremlin hackers of breaking into the emails of defense ministry employees in 2015 and 2016.
"The hacked emails don't contain military secrets, but it is of course serious," Frederiksen said.

Inside the Hunt for Russia’s Hackers
Russia’s cyberwarfare operations are built on the back of their cybercriminal networks. Can the US and its allies take them down?

We learned not to do this 50+ years ago.  Why do we still do it? 
Hardcoded Credentials Give Attackers Full Access to Moxa APs
   Researchers at Cisco’s Talos intelligence and research group have analyzed Moxa’s AWK-3131A AP/bridge/client product, which is recommended for any type of industrial wireless application, and discovered hardcoded credentials corresponding to an account that cannot be disabled or removed.
According to researchers, an attacker can leverage the username “94jo3dkru4” and the password “moxaiwroot” to log in to an undocumented account that provides root privileges.
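The finding above is the kind of thing a firmware pre-deployment review should catch before a product ships, and it is cheap to check for once the firmware image has been unpacked (for example with binwalk).  The following Python is an added example, not Moxa’s firmware and not the Talos tooling: it walks an unpacked root filesystem looking for the two symptoms the advisory describes, a second uid-0 account in /etc/passwd that is not locked in /etc/shadow, and the literal credential strings embedded in any file.  The filesystem contents here are constructed for illustration; only the username and password come from the advisory.

```python
"""Pre-deployment check for hardcoded accounts in an unpacked firmware root.

Added example; it assumes the firmware has already been extracted into a
path -> bytes mapping (what you would get by reading the files binwalk
produced).  Nothing here is vendor code.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed sample root filesystem.  The account name and password are the
# two strings reported in the Talos advisory; every other byte is made up.
SAMPLE_FS: Dict[str, bytes] = {
    "/etc/passwd": (
        b"root:x:0:0:root:/root:/bin/sh\n"
        b"94jo3dkru4:x:0:0:service:/root:/bin/sh\n"      # undocumented uid-0 login
        b"nobody:x:65534:65534:nobody:/:/bin/false\n"
    ),
    "/etc/shadow": (
        b"root:$1$saltsalt$0123456789abcdefghijkl:17000:0:99999:7:::\n"
        b"94jo3dkru4:$1$saltsalt$mnopqrstuvwxyz0123456:17000:0:99999:7:::\n"
        b"nobody:*:17000:0:99999:7:::\n"
    ),
    # A login binary that compares the typed password against a literal.
    "/usr/sbin/login": b"\x7fELF\x00\x00moxaiwroot\x00/bin/sh\x00",
}

# Shadow password fields that mean "this account cannot log in with a password".
LOCKED = {b"*", b"!", b"!!", b"x"}


def parse_passwd(data: bytes) -> List[Tuple[str, int, str]]:
    """Return (name, uid, shell) for every well-formed /etc/passwd line."""
    entries = []
    for line in data.splitlines():
        fields = line.split(b":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        entries.append((fields[0].decode(), int(fields[2]), fields[6].decode()))
    return entries


def extra_uid0_accounts(fs: Dict[str, bytes]) -> List[str]:
    """Any uid-0 account other than root is a second, usually undocumented, root login."""
    return sorted(name for name, uid, _ in parse_passwd(fs.get("/etc/passwd", b""))
                  if uid == 0 and name != "root")


def loginable_accounts(fs: Dict[str, bytes]) -> List[str]:
    """Accounts whose shadow entry is not locked.

    An empty hash field is also reported: it means no password is required.
    """
    names = []
    for line in fs.get("/etc/shadow", b"").splitlines():
        fields = line.split(b":")
        if len(fields) < 2:
            continue
        if fields[1] not in LOCKED:
            names.append(fields[0].decode())
    return sorted(names)


def literal_hits(fs: Dict[str, bytes], needles: Iterable[bytes]) -> List[Tuple[str, str, int]]:
    """(path, needle, offset) for each occurrence of a known credential string in any file."""
    hits = []
    for path, data in fs.items():
        for needle in needles:
            start = 0
            while True:
                idx = data.find(needle, start)
                if idx == -1:
                    break
                hits.append((path, needle.decode(), idx))
                start = idx + 1
    return sorted(hits)


def scan(fs: Dict[str, bytes],
         known_credentials: Iterable[bytes] = (b"94jo3dkru4", b"moxaiwroot")) -> Dict[str, list]:
    """Run all three checks; an empty list for every key means nothing was found."""
    return {
        "extra_uid0": extra_uid0_accounts(fs),
        "loginable": loginable_accounts(fs),
        "literal_hits": literal_hits(fs, known_credentials),
    }


if __name__ == "__main__":
    for check, findings in scan(SAMPLE_FS).items():
        print(f"{check}: {findings}")
```

The literal-string search only finds credentials you already know about, so it is a regression check against published advisories; the passwd/shadow checks are what catch the next undocumented account.  On a real image, also diff the unpacked shadow file across firmware versions: a hash that never changes across the product line is a shared credential, whatever the account is called.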

See students?  I am not unique.
Pew – Not everyone in advanced economies is using social media
by Sabrina I. Pacifici on Apr 23, 2017
Pew: “Despite the seeming ubiquity of social media platforms like Facebook and Twitter, many in Europe, the U.S., Canada, Australia and Japan do not report regularly visiting social media sites.  But majorities in all of the 14 countries surveyed say they at least use the internet.  Social media use is relatively common among people in Sweden, the Netherlands, Australia and the U.S.  Around seven-in-ten report using social networking sites like Facebook and Twitter, but that still leaves a significant minority of the population in those countries (around 30%) who are non-users.  At the other end of the spectrum, in France, only 48% say they use social networking sites.  That figure is even lower in Greece (46%), Japan (43%) and Germany (37%).  In Germany, this means that more than half of internet users say they do not use social media.  The differences in reported social media use across the 14 countries are due in part to whether people use the internet, since low rates of internet access limit the potential social media audience.  While fewer than one-in-ten Dutch (5%), Swedes (7%) and Australians (7%) don’t access the internet or own a smartphone, that figure is 40% in Greece, 33% in Hungary and 29% in Italy…”

Sounds like Jack is channeling Paul David’s paper, The dynamo and the computer.
Alibaba’s Jack Ma predicts 30 years of pain as technology disrupts every industry
“In the next 30 years, the world’s pain will be much greater than its happiness,” Ma told a Chinese entrepreneurial conference over the weekend.  “Social conflicts over the next 30 years will hugely impact every industry.”  Ma has lately become a mix of futurist, business seer, and conference-circuit speaker.  Last year, in a letter to Alibaba shareholders, Ma imagined the difficult future for old businesses.  “Throughout history, technological disruptions have followed similar trajectories: 20 years of technological disruption followed by 30 years of further rapid change as new technologies are applied throughout society,” he wrote, before predicting the change would benefit Alibaba, as retailers turned to its technologies to transform China’s $4.5 trillion retail market. 

Something for my nephew.  He is in high school.  Time to start a business! 
This teen made a million bucks selling socks out of his backyard
A Portland, Oregon teenager has sold $1 million in custom socks, and he hasn't even graduated high school.
Brennan Agranoff is the founder and CEO of HoopSwagg, an online custom-design sock business that he runs from his backyard.
   He gets about 100 new sock orders every day for the more than 500 designs that he comes up with himself.