Saturday, September 16, 2017

“Release the scapegoats!”
Top Equifax Executives Announce Immediate Retirement After Massive Data Breach
Equifax says its chief information officer and chief security officer are leaving the company, following the enormous breach of 143 million Americans' personal information.
The credit data company said Friday that Susan Mauldin, who had been the top security officer, and David Webb, the chief technology officer, are retiring from Equifax immediately. Mauldin, a college music major, had come under media scrutiny for her qualifications in security. Equifax did not say in its statement what retirement packages the executives would receive.

(Related). Is it enough?
Two Equifax executives will retire following massive data breach
… At least two congressional hearings on the Equifax breach have been announced. The first scheduled panel will take place on Oct. 3, when Smith is expected to testify. A bipartisan group of 36 senators have asked the Justice Department and the U.S. Securities and Exchange Commission to investigate reports Equifax executives sold stock after learning about the breach but before it was made public. The Federal Trade Commission took the unusual step of announcing it is conducting a probe into the Equifax breach.
… Senate Minority Leader Charles E. Schumer (D-N.Y.) said on Thursday the company's chief executive and board of directors should step down unless they take five steps to correct their mishandling:
notify affected consumers;
provide free credit monitoring to them for at least 10 years;
offer to freeze their credit for up to 10 years;
remove forced arbitration clauses from their terms of use;
and comply with fines or new standards that come out of investigations.

“It’s only right that the CEO and board step down if they can’t reach this modicum of corporate decency by next week,” he said.

(Related). Scary, if true. I bet Equifax hopes this is “Fake News.”
Wow. Just wow.
Read this. Those suing Equifax are going to find a lot in that report that will undoubtedly be referenced in any complaint alleging negligence.
Update: I should have added to the above that I have no way of knowing if any of it is true or if it is all fabricated. But I can see where people are going to be citing this – unless it’s disproved.
[From the article:
I asked the hackers one last request before disconnecting. I asked, "How did you manage to get the passwords to some of the databases?" Surely the panels had really bad security but what about the other sections to them? Surely there was encrypted data stored within these large archives no? Yes. There was. But guess where they decided to keep the private keys? Embedded within the panels themselves. The picture above shows exactly that, all the keys stored nicely, alongside any sub companies to Equifax. All pwned.]

Like the HBO breach? When you just can’t wait to find out what happens next?
Todd Spangler reports:
A notorious hacker group broke into the servers of music-streaming service Vevo, releasing more than 3 terabytes of internal documents and video content online — before removing them later Friday morning at Vevo’s request.
The purloined cache, posted by hacking and security collective OurMine, included videos, a batch of documents labeled “premieres,” as well as marketing info, international social-media documents, and other internal files, as first reported by tech site Gizmodo.
Read more on Variety.

Apple probably wouldn’t like it if I started calling this a “mugshot feature.”
Apple X’s Face ID Feature Places Spotlight on Facial Recognition Technology, Raising Numerous Mobile Privacy and Data Usage Issues
… One issue that I thought was particularly interesting, however, relates to the ability of apps residing on a phone to interact with facial captures. Unless disabled, Face ID could potentially be “always on,” ready to capture facial images to authenticate the unlocking of the phone, and possibly capturing facial images as the user interacts with the unlocked phone. So, clients have asked: Will the apps on the phone be able to access and use those facial captures?
Fascinating question! Imagine the applications. An app would be able to discern all kinds of new demographic information about users, and possibly gauge information about a person’s mood, location, age, and health. Moreover, could an app evaluate on a real-time basis a user’s emotional response to interactions with a particular app or web page?

Should we know who sells those white hoods to the KKK?
Google Appears to Allow Racist Ad Targeting Like Facebook, Says BuzzFeed
Google's advertising platform can be used to create ads targeting racist or bigoted people, according to a report from BuzzFeed News on Friday.
BuzzFeed put in its own keywords which were supplemented by keywords suggested by the Google platform, to create a targeted ad. The news comes a day after ProPublica reported that Facebook algorithms allowed ads targeting anti-semitic audiences.
Such test cases show that the same technology used to sell legitimate products and services can be turned to more nefarious purposes.

(Related). Gee. Maybe all Social Media does this.
Twitter Says It Fixed ‘Bug’ That Let Marketers Target People Who Use the N-Word
… The Daily Beast reported Friday that Twitter Ads returned 26.3 million users who may respond to the term “wetback,” 18.6 million to “Nazi,” and 14.5 million to “n**ger.”

Perspective. Could you tell from looking at the tweet or reading the story that it was machine generated?
It’s been a year since The Washington Post started using its homegrown artificial intelligence technology, Heliograf, to spit out around 300 short reports and alerts on the Rio Olympics. Since then, it’s used Heliograf to cover congressional and gubernatorial races on Election Day and D.C.-area high school football games, producing stories like this one and tweets like this:

… Media outlets using AI say it’s meant to enable journalists to do more high-value work, not take their jobs. The AP estimated that it’s freed up 20 percent of reporters’ time spent covering corporate earnings and that AI is also moving the needle on accuracy. “In the case of automated financial news coverage by AP, the error rate in the copy decreased even as the volume of the output increased more than tenfold,” said Francesco Marconi, AP’s strategy manager and AI co-lead.
… All this goes back to the ad-supported — and stressed — pageview model of journalism. Publishers need to get readers or other groups to pay to support their business models. “Right now, automated journalism is about producing volume. Ultimately, media companies will have to figure out how to go beyond the pageview,” said Seth Lewis, a journalism professor at the University of Oregon whose focuses include the rise of AI in media.
… Right now, the Post can count the stories and pageviews that Heliograf generated. Quantifying its impact on how much time it gives reporters to do other work and the value of that work is harder. It’s also hard to quantify how much engagement, ad revenue and subscriptions can be attributed to those robo-reported stories.

Backstory? A long tale of the FBI’s interest in messaging Apps. Interesting read…
The Crypto-Keepers

“Rudolph the Red Nosed Drone!”
All of the other aircraft
Used to laugh and call them names
They never let poor Rudolph
Join in any aircraft games
Then one day after Irma,
The FAA, the Air National Guard, Customs and Border Protection, insurance companies, And Florida Power and Light came to say,
Rudolph with your nose so bright,
Won't you guide my relief effort tonight

Drones playing critical role in hurricane relief efforts
Drones have been playing an “invaluable” role in Hurricane Irma relief efforts, the Federal Aviation Administration (FAA) said Friday.
After Florida and the Caribbean suffered widespread destruction from Irma’s winds and floodwaters, the FAA issued 132 airspace authorizations for drones to help with recovery and response efforts.
The Air National Guard, for example, is deploying drones that are normally used for combat operations to help perform aerial surveys, assess disaster-stricken areas quickly and decide which need the most assistance.
Customs and Border Protection is using unmanned aircraft systems to help map areas in Key West, Miami and Jacksonville and using radar to survey key geographic points on infrastructure.
In the private sector, commercial drone companies are helping provide clearer images of damaged homes to insurance companies so that they can more quickly act on claims.
And Florida Power and Light is using dozens of drone teams to help restore electricity and air conditioning in the area by sending out drones to survey parts of the state that are still not accessible by vehicles.

Friday, September 15, 2017

If the US had a similar law, would Equifax have done anything differently?
Under EU General Data Protection Regulation large fines result from failure to protect consumer data
by Sabrina I. Pacifici on Sep 14, 2017
eSecurity Planet: “The massive Equifax breach that recently affected 143 million consumers would have led to hugely significant fines if the European Union’s General Data Protection Regulation (GDPR), which takes effect in May 2018, had already been in place. Under the new rules, organizations that fail to protect sensitive data can be fined up to 4 percent of annual global turnover, or 20 million Euros, whichever is greater. Since Equifax had $3.15 billion in operating revenue in 2016, if the breach had taken place after the GDPR had gone into effect, the company could have faced fines of up to $126 million. What’s more, CipherCloud founder and CEO Pravin Kothari told eSecurity Planet by email, GDPR may well just be the beginning. “We expect GDPR to serve as a model for similar regulations in the U.S. and around the world, helping to protect individual privacy and thus minimize the economic threat from future breaches,” he said…”

(Related). Cause and effect. The stock wasn’t impacted because of the breach but only when the FTC gets ready to investigate?
Equifax shares plunge after FTC announces probe of data breach
Equifax stock plunged in value Thursday morning after the Federal Trade Commission (FTC) announced an investigation into the security breach that exposed the personal information of roughly 143 million people to hackers.
Shares of the embattled credit reporting company dropped nearly 10 percent after the market opened Thursday morning, sinking as low as $90.64 per share, about $8 lower than Wednesday’s close. Equifax stock recovered slightly by 11 a.m., reaching $95 per share.
The FTC’s announcement shook the market, given that the regulator typically doesn't announce pending investigations.

(Related). Worth a listen.
How Equifax Botched Its Data Breach Response
Wharton legal studies and business ethics professor Peter Conti-Brown, University of Michigan professor Erik Gordon and William Black, a professor at the University of Missouri-Kansas City, recently appeared on the Knowledge@Wharton show, which airs on SiriusXM channel 111, to discuss the breach, the mistakes that were made in the credit giant’s response, and what consumers can do to protect their credit going forward.
In terms of Equifax’s response, “this is an absolute case study in doing virtually everything wrong,” Black said.

“We should do something” or “We need to do something” are not the same as “We will do something.”
Senators blast internet subsidy program
Senators on the Homeland Security and Government Affairs Committee on Thursday criticized a subsidy program for phone and internet access that was the subject of a recent watchdog report detailing cases of fraud and abuse.
Sen. Ron Johnson (R-Wis.), the panel’s chairman, said at a hearing that there “probably” needs to be a complete overhaul of the Federal Communications Commission’s (FCC) Lifeline program, which offers low-income households a monthly $9.25 subsidy for mobile and broadband internet access.
“We need to completely rethink how we distribute that subsidy,” Johnson told reporters.
The Government Accountability Office (GAO) put out a report in June that found that $1.2 million in subsidies went to fake or deceased people enrolled in the program. The GAO could not verify the eligibility of 36 percent of the program’s subscribers.
… “Why are we providing these companies with this massive opportunity for fraud?” McCaskill said. [Maybe because you delegated the creation and administration of the program to the companies that get the money? Bob]

Win some, lose some.
Google takes hit in fight with feds over foreign data
In the filings, which were first reported on by Politico, Chief Judge Beryl Howell of the U.S. District Court for the District of Columbia rejected a move by Google to challenge a warrant demanding data from the company being stored overseas.
On Sept. 5, Howell decided to hold the search giant in contempt for not turning over the documents, and fined Google $10,000 a day until it complies.

Toward automating lawyers?
Twitch co-founder Justin Kan unveils tech platform for law firms
Justin Kan, co-founder of startups like and Exec, is pulling the curtains off his new tech platform for law firms, Legal Technology Services. The first law firm to use LTS is Atrium, co-founded by Augie Rakow and BeBe Chueh. Both are launching today to bring a full-stacked technology-enabled law firm to startups.
What makes Atrium different from traditional law firms, Kan told me, is its technology and upfront pricing. With most law firms, it’s not always clear to the customer how much they’re going to have to pay.
Atrium, which has 30 startup customers focused on everything from cryptography to autonomous cars to medical tech, offers two products. One is Atrium Counsel, which offers ongoing services with fixed-rate, upfront pricing. It sort of functions as preventative legal services, Kan told me. The other is Atrium Financings, a fixed-fee service for startups to navigate the legal intricacies of their financing rounds from start to finish.
… Behind the scenes, doing all the technical work at Atrium, is LTS, co-founded by Kan and Chris Smoak. It provides the technical backbone to Atrium with its suite of tools, like document creation and e-signing, and project management workflows.
“It does everything except give advice,” Kan said.

I guess Facebook is no longer a ‘neutral’ utility that does not promote or censor. These ‘categories’ were automagically generated by collecting ‘like comments.’ Similar groups might include “Trump haters,” “Hillary haters,” “Math haters,” “lovers of Starbucks Moca-Frapa-whatsit.” Who gets to choose which groups are inappropriate? Wouldn’t it be better in the long run to try educating these people rather than driving them underground?
Facebook allowed advertisers to reach anti-Semitic individuals: report
Facebook allowed advertisers to target advertisements toward anti-semitic individuals, according to ProPublica.
The social media giant has taken down categories that advertisers could gear their ads towards like “Jew hater,” “How to burn jews,” or, “History of ‘why jews ruin the world,’ ” after ProPublica reached out to them.
The outlet purchased $30 worth of ads targeting the mentioned categories to test the feature. Facebook reportedly approved the three ads within 15 minutes.

(Related). What Facebook had to say...
Updates to our ad targeting

Facebook’s Heading Toward a Bruising Run-In With the Russia Probe
We’ve seen a handful of very interesting articles over the last few days about Russian efforts to spread pro-Trump political propaganda on Facebook as part of their larger 2016 disinformation operation. As we noted last week, the seemingly paltry sum of $100,000 may belie the reach that was possible for that amount of money, given the way that the Facebook ecosystem can be used to amplify messages through a mix of highly targeted advertising and troll armies. The Facebook campaign also seems to include the first evidence of Russian operatives attempting to organize actual political events on American soil, as opposed to just spreading memes and fake news on the web.
… A separate article by Yahoo’s Mike Isikoff reports that Trevor Potter, a former FEC Chair and president of the Campaign Legal Center, wrote a letter to Facebook and Chairman Mark Zuckerberg yesterday calling on Facebook to release the information and upping the ante by writing this (emphasis added):
“[B]y hosting these secretly-sponsored Russian political ads, Facebook appears to have been used as an accomplice in a foreign government’s effort to undermine democratic self-governance in the United States. Therefore, we ask you, as the head of a company that has used its platform to promote democratic engagement, to be transparent about how foreign actors used that same platform to undermine our democracy.”
Facebook has said that it can’t release its findings because that would violate its own ‘internal policies’ which protect user privacy. That’s rich.

Another problem with algorithm controlled advertising?
Exclusive: Google is cracking down on sketchy rehab ads
Overnight, the search giant has stopped selling ads against a huge number of rehab-related search terms, including “rehab near me,” “alcohol treatment,” and thousands of others. Search ads on some of those keywords would previously have netted Google hundreds of dollars per click.
“We found a number of misleading experiences among rehabilitation treatment centers that led to our decision, in consultation with experts, to restrict ads in this category,” Google told The Verge in a statement.
Google is the biggest source of patients for most treatment centers. Advertisers tell Google how much they want to spend on search ads per month, which keywords they’d like those ads to run against, and then pay Google every time someone clicks on their ad.
While many treatment centers market themselves ethically, there are also significant numbers of bad actors using deceptive and even illegal tactics to get “heads in beds.” Last week, The Verge published a story uncovering how marketers use the internet to hook desperate addicts and their families, from hijacking the Google business listings of other treatment centers to deceiving addicts about where a treatment center is located.
… The exact keywords affected by the change still seem to be in flux. Yesterday, for instance, I noticed Googling “rehab near me” didn’t load any AdWords, but “rehabs near me” did. An hour after I reached out to Google’s spokespeople, “rehabs near me” no longer showed ads. Fischer says the list of blocked keywords continues to grow. [Suggests manual correction of computer generated lists Bob]

Perspective. Hedging their bet?
Google in talks to invest in Lyft
Google has held talks to invest around $1 billion in Lyft, Axios has learned from multiple sources. Bloomberg is reporting the same. It is unclear which group within Google would make the investment — the company has several investment arms and also invests off its balance sheet — but word is that this is being driven by top-level executives like Alphabet CEO Larry Page.
Why it matters: It would be a stunning move, given that Google was an early investor in Lyft rival Uber, even though the two companies have since gotten litigious over allegations of trade secret theft. Or, as one Uber investor explained it to Axios: "That is seriously messed up."

Perspective. “A TV in the hand is worth two in the home?”
Pew – 6 in 10 young adults in U.S. primarily use online streaming to watch TV
by Sabrina I. Pacifici on Sep 14, 2017
“The rise of online streaming services such as Netflix and HBO Go has dramatically altered the media habits of Americans, especially young adults. About six-in-ten of those ages 18 to 29 (61%) say the primary way they watch television now is with streaming services on the internet, compared with 31% who say they mostly watch via a cable or satellite subscription and 5% who mainly watch with a digital antenna, according to a Pew Research Center survey conducted in August. Other age groups are less likely to use internet streaming services and are much more likely to cite cable TV as the primary way they watch television. Overall, 59% of U.S. adults say cable connections are their primary means of watching TV, while 28% cite streaming services and 9% say they use digital antennas. Among the other findings of the survey:
  • Women are more likely than men to say their primary way of watching TV is via cable subscription (63% vs. 55%).
  • Men are more likely than women to say their primary pathway is online streaming (31% vs. 25%).
  • Those with a college education or more are more likely than those with less education to say their primary way to watch TV is online streaming. Roughly a third of college-educated Americans (35%) say they mainly watch via streaming, compared with 22% of those who have a high school diploma or less.
  • Those in households earning less than $30,000 are more likely than others to say they rely on a digital antenna for TV viewing. Some 14% say this, compared with just 5% who live in households earning $75,000 or more…”

I get to do Spreadsheets next Quarter.
Even people who thought they knew every trick in the book will occasionally stumble across a new feature that they were previously unaware of. Here are three amazing Excel 2016 tricks you definitely (ok, probably) overlooked.

Thursday, September 14, 2017

To Manage or not to Manage…
Equifax identity-theft hackers exploited flaw experts flagged in March
Security workers discovered, and created a fix for, the vulnerability that allowed attackers into the Equifax network two months before the company was hit by hackers.
Equifax told USA TODAY late Wednesday that the criminals who potentially gained access to the personal data of up to 143 million Americans had exploited a website application vulnerability known as Apache Struts CVE-2017-5638.
The fix for that flaw was first released March 10, though it was later modified, according to the National Vulnerability Database.
Equifax said that the unauthorized access began in mid-May. That's a period of two months in which the company could have, and should have, say experts, dealt with the problem.
… "Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted," the company said late Wednesday.
The company also indicated that it had not yet determined the full impact of the breach.

(Related). Poor management everywhere.
Ayuda! (Help!) Equifax Has My Data!
… Earlier today, this author was contacted by Alex Holden, founder of Milwaukee, Wisc.-based Hold Security LLC. Holden’s team of nearly 30 employees includes two native Argentinians who spent some time examining Equifax’s South American operations online after the company disclosed the breach involving its business units in North America.
It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

Thank You for Calling Equifax. Your Business Is Not Important to Us

Our government, always watching out for our security, has noticed (after only 20 years!) that Kaspersky Lab is a Russian Company! (Perhaps they read it on their website.) They also noticed that like all the US anti-virus vendors, they work with the government.
Kaspersky Lab Has Been Working With Russian Intelligence
Russian cybersecurity company Kaspersky Lab boasts 400 million users worldwide. As many as 200 million may not know it. The huge reach of Kaspersky’s technology is partly the result of licensing agreements that allow customers to quietly embed the software in everything from firewalls to sensitive telecommunications equipment—none of which carry the Kaspersky name.
That success is starting to worry U.S. national security officials concerned about the company’s links to the Russian government. In early May six U.S. intelligence and law enforcement agency chiefs were asked in an open Senate hearing whether they’d let their networks use Kaspersky software, often found on Best Buy shelves. The answer was a unanimous and resounding no.
… Most major cybersecurity companies maintain close ties to home governments, but the emails are at odds with Kaspersky Lab’s carefully controlled image of being free from Moscow’s influence.

(Related). Note that they never say Kaspersky is doing anything other than what they say they do (protect against viruses, etc.). Also note that this is the first Directive of 2017 – I find that curious.
DHS Statement on the Issuance of Binding Operational Directive 17-01

Social Media as a weapon?
NYT – How the Kremlin built one of the most powerful information weapons of the 21st century
by Sabrina I. Pacifici on Sep 13, 2017
“…After RT [Russia’s state-financed international cable network] and Sputnik gave platforms to politicians behind the British vote to leave the European Union, like Nigel Farage, a committee of the British Parliament released a report warning that foreign governments may have tried to interfere with the referendum. Russia and China, the report argued, had an “understanding of mass psychology and of how to exploit individuals” and practiced a kind of cyberwarfare “reaching beyond the digital to influence public opinion.” When President Vladimir V. Putin of Russia visited the new French president, Emmanuel Macron, at the palace of Versailles in May, Macron spoke out about such influence campaigns at a news conference. Having prevailed weeks earlier in the election over Marine Le Pen — a far-right politician who had backed Putin’s annexation of Crimea and met with him in the Kremlin a month before the election — Macron complained that “Russia Today and Sputnik were agents of influence which on several occasions spread fake news about me personally and my campaign…. RT might not have amassed an audience that remotely rivals CNN’s in conventional terms, but in the new, “democratized” media landscape, it doesn’t need to. Over the past several years, the network has come to form the hub of a new kind of state media operation: one that travels through the same diffuse online channels, chasing the same viral hits and memes, as the rest of the Twitter-and-Facebook-age media. In the process, Russia has built the most effective propaganda operation of the 21st century so far, one that thrives in the feverish political climates that have descended on many Western publics…”

(Related). We broke up the USSR, Russia wants to break up the US?
How Russia Created the Most Popular Texas Secession Page on Facebook
… One other arena these actors may have targeted: secession movements within the U.S. At this point, it’s little secret that a number of American secession movements — including Puerto Rico, Hawaii, and both white and black nationalists — have constructed links with Russian actors, including those funded by the Kremlin. Tracing these links has become an unexpected hobby of mine, and I’ve written on the topic a handful of times, from The Diplomat to Slate to The Daily Beast.

Perhaps they will issue another Directive?
Homeland Security hit with lawsuit over phone, laptop searches
The American Civil Liberties Union and the Electronic Frontier Foundation sued the Department of Homeland Security on Wednesday for searching the phones and laptops of 11 plaintiffs at the US border without a warrant.
The group of plaintiffs includes 10 US citizens and one lawful permanent resident, several of whom are Muslims or people of color. Among the group are journalists, a veteran and a NASA engineer. All were reentering the US following business or personal travel. Some plaintiffs had their devices confiscated for weeks or months. None were accused of wrongdoing following the searches.
… CBP, which is a Department of Homeland Security agency, states on its website that "no court has concluded that the border search of electronic devices requires a warrant." But many travelers, including the plaintiffs in this case, have cited concerns about officers reading private emails and messages on their phones and laptops.

Something strange here? What kind of “progress” would make secrecy no longer useful?
The Government Has Dropped Its Demand That Facebook Not Tell Users About Search Warrants
… According to court papers filed jointly by Facebook and the US attorney's office in Washington on Wednesday, prosecutors determined that the underlying investigation that prompted the search warrants — the details of which are under seal — had "progressed ... to the point where the [nondisclosure orders] are no longer needed."
The announcement came less than 24 hours before an appeals court in Washington, DC, was set to hear arguments in the case. According to the joint filing, a lower court judge vacated the nondisclosure orders at the government's request, making Facebook's appeal of those orders moot.

How many people should have access to your social media accounts and what training should they receive? I’m going to suggest my Computer Security class for starters. (If no one on the staff was required/asked to take the blame, I’m guessing it was not a staffer who hit like.)
For Hill staffers, Cruz’s ‘liked’ porn tweet a nightmare scenario
Sen. Ted Cruz’s (R-Texas) Twitter mishap late Monday night involving a pornographic account is nightmare fuel for congressional staffers who are increasingly tasked with managing social media for their bosses.
Twitter and Facebook have become crucial communication tools for members of Congress, helping them stake out their positions, interact with constituents and attract media attention. As a result, staffers spend many of their work hours managing and cultivating lawmakers’ social media presences.
But in an era where an inadvertent retweet or insensitive Facebook comment can balloon into controversy, the task can be perilous. And smartphone apps have only further blurred the line between work and personal accounts.
… Cruz this week began trending on social media after his official political Twitter account “liked” a two-minute pornographic video. The Texas Republican blamed the incident on a “staffing issue,” with many speculating the failure to switch from an official account to a personal one could be responsible for the action.
“There are a number of people on the team that have access to the account, and it appears that someone inadvertently hit the like button,” Cruz told reporters on Tuesday.

Ooh! All kinds of nifty science-fictiony kinds of scenarios leap to mind. If I can make one of those ‘Mission Impossible’ face masks, I could drain your bank account, steal your car, drive to your house and unlock the front door, etc. Thanks Apple!
What happens if a cop forces you to unlock your iPhone X with your face?
Imagine you've been detained at customs, waiting to cross the border. Or maybe you've been pulled over for a traffic violation. An officer waves your cellphone at you.
“Look at this. Is this yours?” he asks.
Before you can respond, a tiny infrared sensor in the phone has scanned your face. Matching those readings against the copy of your face that is stored in its archive, the phone concludes that its owner is trying to unlock it. The device lowers its defenses, surrendering its contents in moments to the law enforcement officer holding your phone. [Would that then be considered “in plain sight?” Bob]

Tips for my Computer Security students.
Online translation applications may pose security risk
by Sabrina I. Pacifici on Sep 13, 2017
Quartz: “…On Sept. 3, the Norwegian news agency NRK reported that sensitive Statoil information—contracts, workforce reduction plans, dismissal letters, and more—were available online because employees had used the free translation service, which stored the data in the cloud. The news traveled fast in Scandinavian countries. In response, the Oslo Stock Exchange even blocked employee access to and Google Translate…”

For my Computer Security students.
If you don’t already use Keybase, you will have to go through a few initial steps to get the app up and running for use on Facebook, Twitter, Reddit, Github, and HackerNews.

Something for continuing education?
Google’s Inside Search offers two training modules: Power Searching with Google and Advanced Power Searching.

Wednesday, September 13, 2017

For my Digital Forensics students.
New Bluetooth vulnerability can hack a phone in 10 seconds
Security company Armis has found a collection of eight exploits, collectively called BlueBorne, that can allow an attacker access to your phone without touching it. The attack can allow access to computers and phones, as well as IoT devices.
“Armis believes many more vulnerabilities await discovery in the various platforms using Bluetooth.”
… As you can see from this video, the vector allows the hacker to identify a device, connect to it via Bluetooth, and then begin controlling the screen and apps. It’s not completely secretive, however, because in activating the exploits you “wake up” the device.

Since the DoE budget is over $28 Billion, this is not a big deal.
U.S. Energy Department Invests $20 Million in Cybersecurity
Nine national laboratories in California, Illinois, Idaho, Tennessee, Washington, Colorado and New Mexico have been selected for a total of 20 projects focusing on protecting energy infrastructure from cyber threats and improving information sharing.

If downloading or installing or using the App is illegal, can the arrests be legal?
Turks detained for using encrypted app 'had human rights breached'
Tens of thousands of Turkish citizens detained or dismissed from their jobs on the basis of downloading an encrypted messaging app have had their human rights breached, a legal opinion published in London has found.
The study, commissioned by opponents of the Turkish president, Recep Tayyip Erdoğan, argues that the arrest of 75,000 suspects primarily because they downloaded the ByLock app is arbitrary and illegal.
… “The evidence that the [ByLock] app was used exclusively by those who were members or supporters of the Gülen movement [is] utterly unconvincing and unsupported by any evidence,” the two barristers say. “There is a great deal of evidence ... which demonstrates that the app was widely available and used in many different countries, some of which had no links to Turkey.”

This is going to have an impact on my students. Do they know how to find similar articles elsewhere?
Google Offers Olive Branch to Publishers by Relaxing Policy on Subscription Sites
Google Inc. is planning to end its "first click free" policy that enables users of its search engine to bypass paywalls on news websites, a move that could help publishers boost subscriptions, News Corp Chief Executive Robert Thomson said Tuesday.
Google for years has encouraged publishers to be part of the program, which allows search users to access a limited amount of content on subscription-based news sites free of charge. Some publishers say the policy has hurt subscription growth and say their sites are penalized in Google's search rankings if they don't participate in the program.
The Wall Street Journal, which is owned by News Corp, opted out of the program this year and saw its traffic from Google search fall 38% last month compared with a year earlier because its stories were demoted in search results, a spokesman said. [Note that this article is similar to the one in the WSJ that popped up on my RSS Feed. Bob]
… Up to now, subscription-based sites that didn't participate in first click free have been disadvantaged in Google's search results, because its algorithm only scanned the portions of articles outside the paywall. Under its new approach, Google's technology will be scanning the full article, despite any paywalls, according to one of the people familiar with the situation.

But would President Trump ever ride in one?
Department Of Transportation Rolls Out New Guidelines For Self-Driving Cars
The Department of Transportation released its revised guidelines on automated driving systems Tuesday, outlining its recommended — but not mandatory — best practices for companies developing self-driving cars. The first such guidelines released under the Trump administration, the Vision for Safety 2.0 scales back some of the recommendations outlined last year under President Obama.

Tesla's Autopilot system is partially to blame for a fatal crash, federal investigators say
The National Transportation Safety Board said Tuesday that aspects of Tesla's Autopilot played a role in a fatal crash involving Joshua Brown, 40, in May 2016.
The NTSB, an independent government investigative agency, met on Tuesday to "determine the probable cause" of the fatal crash last year in Williston, Florida. The board cannot issue recalls or force regulatory changes, but it can make recommendations.
The NTSB said Autopilot played a contributing role in the crash because the system allows drivers to avoid steering or watching the road for long periods. Autopilot was also not designed to be used on the type of road where the crash occurred, the agency said.
… Brown had his hands on the wheel for 25 seconds during the 37 minutes Autopilot was activated, the NTSB wrote in a June report. The Model S displayed a visual asking Brown to hold the steering wheel seven times during the trip, and six of those were followed by auditory warnings, it wrote.

Could be educational or a sleep aide.
NY Appellate Division, First Dept. to Broadcast Oral Arguments in Real Time
by Sabrina I. Pacifici on Sep 12, 2017
Presiding Justice Rolando T. Acosta announced that effective Tuesday, September 12, 2017, oral argument of cases before the New York State Supreme Court, Appellate Division, First Judicial Department will be broadcast live over the internet. The public may watch the webcasts from most internet connected devices, including smart phones and tablet computers, by visiting the Court’s website at Additionally, a digital archive of oral arguments will be made available on the website for on-demand viewing, generally within five business days. Oral arguments will be screened [How can they do this while streaming live? Bob] to prevent the disclosure of confidential information, and such information will not be included in the digital archive…”

Also for my Digital Forensics students.
Network issues suck. When you can’t get online, you likely get frustrated and want to get connected again as soon as you can. We’ve outlined the basic process for diagnosing network problems, and you can be even more prepared for your next outage by knowing how to use native Windows tools and downloading a few third-party utilities.

Tuesday, September 12, 2017

I can see more students taking our Ethical Hacking class.
Security Researcher Predicts Creepy Scenario for Hacked Sex Robots
If people weren’t worrying about killer sex robots before, last year’s Westworld firmly put the idea in viewers’ heads. But the actual danger of real-life sex robots isn’t that they might suddenly gain sentience and look to exact vengeance against their human owners.
According to Deakin University cybersecurity researcher Nick Patterson, the true murderous peril is that companies will start making their robots wifi-enabled. While robots, sexual or otherwise, blur the line between machine and person, the danger here is a relatively conventional extension of the danger a spyware-addled computer might pose.
As Patterson explains in an interview with the U.K. newspaper The Daily Star, the sentient beings to worry about aren’t the robots but rather hackers, who could gain control of a future, internet-enabled sex robot and use it to attack people.

Automated law. What could possibly go wrong?
DoNotPay bot wants to help you sue Equifax
DoNotPay bot is now able to help people file lawsuits against Equifax. The bot can file suits in all 50 U.S. states, creator Joshua Browder told VentureBeat. DoNotPay is suing Equifax at the state small claims court level for the maximum amount allowed. In some states this can mean being awarded up to $25,000.
The bot asks a series of simple questions about your address, phone number, and zip code, and DoNotPay helps you fill in a PDF. In California, it’s an SC-100 form to file a suit in small claims court.
Last Friday, Equifax acknowledged that it had been hacked and the personal information of 143 million people exposed. Since then, at least 23 class action lawsuits have been filed, according to USA Today.
“It is particularly exciting that a lawyer is never needed in the process. The class action lawsuit against the company will only give successful consumers around $500 (with the rest going to greedy lawyers in commissions),” Browder said in an email to VentureBeat. “I hope that my product will replace those lawyers, and, with enough success, bankrupt Equifax.”
… DoNotPay is best known for disputing parking tickets, a service that has successfully saved residents of London and New York hundreds of thousands of dollars.
This summer, DoNotPay expanded to provide more than 1,000 legal services for U.S. and U.K. residents who typically can’t afford to hire a lawyer for things like getting a deposit back from a landlord, applying for maternity leave at work, or drawing up paperwork in the event of the loss of a loved one.

Advice for the recently hacked: Don’t Panic! Take a minute and think before you act. Your security has just been PROVEN to be inadequate. Perhaps you should consider getting a second opinion before you start changing (or creating new) things.
Equifax Fixes Woefully Insecure PINs Issued To Hack Victims Attempting To Freeze Credit Reports
… Equifax used a PIN that "protected" each user's credit report to prevent the information from being used, but the PINs were reportedly generated in such a way that they were left vulnerable to brute force hacking. Customers have found that these PINs aren't randomly generated and were nothing more than a timestamp of the time the user enrolled.
Tony Webster tweeted, "OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415."
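To put a number on how little a timestamp PIN protects, here is an added example in Python. It is not code from the article, from Tony Webster or from Equifax; the MMDDYYHHMM layout is an assumption inferred only from the single PIN quoted in the tweet, and the function names, the audit check and the 30-day window are mine. It reproduces the suspected scheme, enumerates every PIN the scheme could have issued in a window, compares that with the nominal 10-digit keyspace, flags PINs that parse as a plausible enrolment time, and shows what a properly generated PIN looks like.

```python
# Added example for this post; not Equifax code. The MMDDYYHHMM layout is
# an assumption based on the one PIN quoted in the tweet (0908171415).
from datetime import datetime, timedelta
import secrets

TIMESTAMP_FORMAT = "%m%d%y%H%M"  # assumed: month, day, 2-digit year, hour, minute


def timestamp_pin(when: datetime) -> str:
    """Derive a PIN the way the tweet suggests: the enrolment time, to the minute."""
    return when.strftime(TIMESTAMP_FORMAT)


def candidate_pins(start: datetime, end: datetime) -> list:
    """Every PIN the scheme could have issued between start and end (inclusive),
    in the order an attacker would try them. This list is the whole search space."""
    pins = []
    t = start.replace(second=0, microsecond=0)
    while t <= end:
        pins.append(timestamp_pin(t))
        t += timedelta(minutes=1)
    return pins


def looks_like_timestamp(pin: str, earliest_year: int = 2000, latest_year: int = 2099) -> bool:
    """Audit check: does a 10-digit PIN parse as a plausible enrolment timestamp?
    A genuinely random PIN can occasionally pass, so a hit is a flag, not proof."""
    if len(pin) != 10 or not pin.isdigit():
        return False
    try:
        parsed = datetime.strptime(pin, TIMESTAMP_FORMAT)
    except ValueError:  # not a valid month/day/hour/minute, or digits left over
        return False
    return earliest_year <= parsed.year <= latest_year


def random_pin(ndigits: int = 10) -> str:
    """What the PIN should have been: digits drawn from a CSPRNG, so the
    search space really is 10**ndigits rather than minutes-in-a-window."""
    return "".join(secrets.choice("0123456789") for _ in range(ndigits))


def keyspace_comparison(window_days: int, ndigits: int = 10) -> dict:
    """Guesses needed to cover every freeze placed in the last window_days under
    the timestamp scheme, versus the nominal keyspace of a random ndigits PIN."""
    timestamp_space = window_days * 24 * 60
    return {
        "timestamp_pins": timestamp_space,
        "random_pins": 10 ** ndigits,
        "reduction_factor": 10 ** ndigits // timestamp_space,
    }


if __name__ == "__main__":
    freeze_time = datetime(2017, 9, 8, 14, 15)  # the 2:15pm example from the tweet
    print(timestamp_pin(freeze_time))
    day = candidate_pins(datetime(2017, 9, 8), datetime(2017, 9, 8, 23, 59))
    print(len(day), "PINs cover every freeze placed on that day")
    print(keyspace_comparison(window_days=30))
    print(looks_like_timestamp("0908171415"), looks_like_timestamp(random_pin()))
```

The point of `keyspace_comparison` is that a ten-digit PIN advertises ten billion possibilities, but under the timestamp scheme an attacker who knows roughly when the victim froze their file only has to try one guess per minute in that window: a whole day is 1,440 guesses and a month is 43,200. Whether that is exploitable in practice depends on rate limiting and lockout on the PIN entry form, which the article does not describe, so the safe fix is the one `random_pin` shows: generate the secret from a CSPRNG and stop deriving it from anything an attacker can estimate.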

Equifax's credit report monitoring site is also vulnerable to hacking

Allow me to repeat. Each new technology must relearn everything older technologies have learned about Security and Privacy, even though nothing is different.
New on LLRX – The ‘internet of things’ is sending us back to the Middle Ages
by Sabrina I. Pacifici on Sep 11, 2017
The Internet of Things (IoT) has permeated all facets of our lives – professional, family, social – more quickly and expansively than many are willing to acknowledge. The repercussions of IoT are multifaceted – and directly impact issues that span privacy, cybersecurity, intellectual property rights, civil liberties and the law. Law and technology scholar Joshua A.T. Fairfield discusses the ramifications of allowing our environment to be seeded with sensors that gather our personal data using a plethora of devices we now consider to be essential conveniences.

(Related). Another technology we must learn to control.
Understanding Crypto Regulations
In light of the recent actions by the US Securities and Exchange Commission and People’s Bank of China, we’re receiving a lot of questions about regulation. In this post, we’ll provide some frameworks to understand how governments can enforce regulations on public blockchains.
First we’ll discuss how regulators can (or cannot) regulate the blockchain networks directly by examining historical network regulation. Then we’ll dive into fiat-crypto on ramps and decentralized exchanges, and lastly touch on the SEC’s recent guidance regarding crypto ICOs.

Because if you contribute to ___A___ we love you and want to ask you for more.
Because if you contribute to ___B___ we hate you and want to add you to the suspected terrorist list.
Bradley Smith and Paul Gessing write about legislation in New Mexico that regardless of where you reside, should make you sit up and take notice. Do we really want the states requiring residents to disclose every donation we make to every cause and then compiling that information into a publicly searchable database? If you live in an area where a donation to Planned Parenthood, for example, could create backlash against you, your family, or your business, would you rather keep your donation private?
Read this commentary and then think about your state and whether campaign finance reform proposals or laws may go too far:
Doug Nickle’s recent column (“Campaign reporting proposal creates necessary, nation-leading disclosure in NM”) is an example of Orwellian doublespeak at its best.
Nickle’s purpose is to drum up support for “Secretary of State Maggie Toulouse Oliver’s proposed rules and regulations addressing campaign finance reporting,” which, Nickle notes, is based on legislation that was vetoed by Governor Martinez earlier this year due to her concerns about the invasion of privacy triggered by the legislation. So, Nickle now wants Oliver to impose the failed legislation through bureaucratic fiat.
(Editor’s note: Oliver did just that last week, after this column was submitted for publication.)

There’s no business like
monkey business…
Who Owns a Monkey Selfie? Settlement Should Leave Him Smiling
In 2011, Naruto, a curious 6-year-old monkey in Indonesia, peered into a camera lens, grinned and pressed the shutter button on the unattended camera. Little did the endangered crested macaque know that he may have been providing for his future.
The selfie of his bucktooth smile and wide amber eyes made Naruto an internet celebrity. But the widely shared image became embroiled in a novel and lengthy lawsuit over whether the monkey owned the rights to it. Naruto lost the first round in federal court in California in 2016, but won a victory of sorts in a settlement on Monday for himself and his friends.
The camera’s owner, David J. Slater, agreed to donate 25 percent of future revenue of the images taken by the monkey to charitable organizations that protect Naruto, who lives in the Tangkoko Reserve on the Indonesian island of Sulawesi, and other crested macaques. Lawyers for Mr. Slater, a British photographer, and People for the Ethical Treatment of Animals, which sued Mr. Slater on Naruto’s behalf, also asked the United States Court of Appeals for the Ninth Circuit, which was hearing an appeal in the case, to drop the lawsuit and vacate a lower decision that found the monkey could not own the image’s copyright.

Perspective. Not the breakdown I would have guessed.
Pew – How People Approach Facts and Information
by Sabrina I. Pacifici on Sep 11, 2017
“When people consider engaging with facts and information any number of factors come into play. How interested are they in the subject? How much do they trust the sources of information that relate to the subject? How eager are they to learn something more? What other aspects of their lives might be competing for their attention and their ability to pursue information? How much access do they have to the information in the first place? A new Pew Research Center survey [PDF Bob] explores these five broad dimensions of people’s engagement with information and finds that a couple of elements particularly stand out when it comes to their enthusiasm: their level of trust in information sources and their interest in learning, particularly about digital skills. It turns out there are times when these factors align – that is, when people trust information sources and they are eager to learn, or when they distrust sources and have less interest in learning. There are other times when these factors push in opposite directions: people are leery of information sources but enthusiastic about learning. Combining people’s views toward new information – and their appetites for it – allows us to create an “information-engagement typology” that highlights the differing ways that Americans deal with these cross pressures. The typology has five groups that fall along a spectrum ranging from fairly high engagement with information to wariness of it. Roughly four-in-ten adults (38%) are in groups that have relatively strong interest and trust in information sources and learning. About half (49%) fall into groups that are relatively disengaged and not very enthusiastic about information or about gaining more training, especially when it comes to navigating digital information. Another 13% occupy a middle space: They are not particularly trusting of information sources, but they show higher interest in learning than those in the more information-wary groups…”

Good news for my Data Management class? Looks like there should be a huge market for them. Can data really be this bad?
Most managers know, anecdotally at least, that poor quality data is troublesome. Bad data wastes time, increases costs, weakens decision making, angers customers, and makes it more difficult to execute any sort of data strategy. Indeed, data has a credibility problem.
Still, few managers have hard evidence or any real appreciation for the impact of bad data on their teams and departments. They are thus unable to give data quality its due. To address this issue, in our teaching in executive programs in Ireland, we ask participants — executives that come from a wide range of companies and government agencies, and departments such as customer service, product development, and human resources — to develop such evidence using the Friday Afternoon Measurement (FAM) method.
The method is widely applicable and relatively simple: We instruct managers to assemble 10-15 critical data attributes for the last 100 units of work completed by their departments — essentially 100 data records. Managers and their teams work through each record, marking obvious errors. They then count up the total of error-free records. This number, which can range from 0 to 100, represents the percent of data created correctly — their Data Quality (DQ) Score. It can also be interpreted as the fraction of time the work is done properly, the first time.
… Our analyses confirm that data is in far worse shape than most managers realize — and than we feared — and carry enormous implications for managers everywhere:
  • On average, 47% of newly-created data records have at least one critical (e.g., work-impacting) error.
  • Only 3% of the DQ scores in our study can be rated “acceptable” using the loosest-possible standard.
  • The variation in DQ scores is enormous. Individual tallies range from 0% to 99%.

An interesting Marketing (anti-marketing?) question.
What to Do When Nazis Are Obsessed With Your Field
Nazis love Taylor Swift. She is thin, blonde, pale, and rich. She doesn't talk politics much, which might be just a savvy marketing decision, but it also enables wild speculation about her views on Donald Trump, feminism, and whether black lives matter. Nazi devotion to Swift was first reported by Broadly over a year ago, but recent right-wing public celebration of her new album has sparked coverage in the Daily Beast, Dazed, and Elle UK. The latter two articles have mysteriously gone offline. At the pop-culture site Kobini, writer Ella Page called Swift the "blank space the alt-right has been craving." If she's not going to fill the space with explicitly articulated anti-racist views, the argument goes, Nazis can project anything they want onto her white visage.
I'm telling you about Taylor Swift because slightly more people care about her than the current controversies embroiling Medieval Studies. Both the mega pop star and the esoteric field face the same problem: Nazis love us and we're not used to overtly signaling our disdain. I can't speak for Taylor, but Medieval Studies must do better.

Interesting and potentially useful.
Try This: The most useful apps, tools and sites we used during Hurricane Irma
… Watching Irma take aim at Florida, evacuating and worrying about friends who decided to stay was a harrowing experience. But a few tools, apps and websites helped. I hope you never have to use them, but bookmark them in case you do.

Some interesting tools for my students.
5. BriefTube (Chrome): Auto-Generate a Table of Contents for Videos
Many of the online lectures are hosted on YouTube. BriefTube smartly creates a Table of Contents for the video you are watching, so you can skip to the relevant section instantly.
The extension also includes a simple search function for the transcript. Search for any word in the video and you can instantly move to that time stamp. The professor might be mid-sentence though, so remember, you can use the Ctrl + Left arrow YouTube keyboard shortcut to rewind 10 seconds.

Monday, September 11, 2017

If you collect everything that a hacker could possibly want into one, poorly protected database, you should expect hackers to try for it.
Shashank Shekhar reports:
Damning details related to Aadhaar card security have emerged after the Uttar Pradesh Special Task Force on Sunday arrested 10 members of a gang allegedly involved in issuing fake biometric cards. Investigators told Mail Today that the gang members had not only hacked the secure ‘source code’ to access the application but also cloned fingerprints of authorised issuing authorities by using gelatin gel, laser and silicon.
The exposure raises serious questions on the Centre’s efforts to link its various schemes, PAN, individual bank accounts and mobile numbers with Aadhaar card, hitherto considered foolproof.
Read more on India Today.
[From the article:
"The operators made copies of the login details used by valid enrolment centres, issued by UIDAI, the nodal authority mandated to issue the 12-digit unique number. They were also able to crack and replicate the application for the retinal scanning, an ocular-based biometric technology."
… Singh said the team was yet to ascertain the enormity of the operation as these members are believed to have shared or sold these codes to other centres as well.
… "These gang members may have got the access to that source code and tampered the biometric authentication like fingerprints and IRIS. So now, these illegal centres had software to login to Aadhaar sever without using any biometric details, which is worrisome," the web security expert added.

A most interesting email from the “IRS.” If this is real, it is very poorly done. Perhaps this is just the government being uniquely strange, but I can think of no legitimate reason to change a username. I’m waiting for email number two which will point me to a bogus IRS site.
“Due to system updates, the IRS has changed your username for IRS online services. No action is required on your part.”
One clue this is a phishing email:
“Your password has not changed.”
So I go to their site and enter a real password which they can then use to connect to my IRS account?

We will discuss this a lot in my Digital Forensics class.
From the law firm of Bryan Cave LLP:
A comprehensive analysis of class action lawsuits involving data security breaches filed in United States District Courts.
2016 was another year in which data breaches continued to dominate the headlines, a constant reminder to people that their personal information was vulnerable and the target of criminal attacks. Yet, despite the fact that data breaches do not appear to be going away anytime soon, the risk that a company will face litigation following a data breach remains relatively low year-after-year. The reason is likely tied to the difficulty plaintiffs continue to face establishing that they were injured by a breach and, therefore, have standing as a matter of law to bring suit.
Nonetheless, fear is a powerful marketing strategy, and we continue to see misinformation disseminated to the public about the likelihood of being sued after a data breach. This is not to say that companies should not continue to devote significant resources to breach preparation, information security, and breach response. But we are firm believers in allocating resources in proportion to the risk of harm, and litigation arising from a breach generally does not occur except in cases of public breaches involving large quantities of highly sensitive information.
Bryan Cave LLP began its survey of data breach class action litigation five years ago to rectify the information gap and to provide our clients, as well as the broader legal, forensic, insurance, and security communities, with reliable and accurate information concerning the risk associated with data breach litigation. Our annual survey continues to be the leading authority on data breach class action litigation and is widely cited throughout the data security community.
Our 2017 report covers federal class actions initiated over a 12 month period from January 1, 2016 to December 31, 2016 (the “Period”). Our key findings are:
  • Modest increase in filings. 76 class actions were filed during the Period. This represents a modest 7% increase in the quantity of cases filed as compared to the 2016 Data Breach Litigation Report (the “2016 Report”).
  • Continued “lightning rod” effect. Consistent with prior years, many of these lawsuits cluster around the same high-profile breaches. When multiple filings against single defendants are removed, there were only 27 unique defendants during the Period. This indicates a continuation of the “lightning rod” effect noted in previous reports, wherein plaintiffs’ attorneys file multiple cases against companies who had the largest and most publicized breaches, and generally bypass the vast majority of other companies that experience data breaches.
  • Decrease in filings as a function of the quantity of breaches. Approximately 3.3% of publicly reported data breaches led to class action litigation. Unlike in prior years, in which the percentage of class action lawsuits has remained relatively steady at 4 or 5% of publically reported breaches, 2016 saw a slight decrease in litigation relative to the number of breaches.
  • Litigation forums cluster around location of defendants. The Northern District of California, the Middle District of Florida, and the District of Arizona were the most popular jurisdictions in which to bring suit in 2016. Choice of forum, however, continues to be primarily motivated by the states in which the company-victims of data breaches are based.
  • Medical industry disproportionately targeted by the plaintiffs’ bar; but may still be underweighted. Like the previous year, the medical industry was disproportionately targeted by the plaintiffs’ bar. Although 70% of publicly reported breaches related to the medical industry, only 34% of data breach class actions targeted the medical industry or health insurance providers.
  • Credit card breach litigation is flat. The percentage of class actions involving the breach of credit cards stayed relatively constant as compared to the 2016 Report, with credit and debit cards data accounting for 21% of the type of data involved in data breach class actions in 2016, slightly down from 23% for the previous reporting period. This may reflect the lack of high profile credit card breaches as in past years, difficulties by plaintiffs’ attorneys proving economic harm following such breaches, and relatively small awards and settlements in previous credit card related litigation.
  • Plaintiffs continue to experiment with legal theories. Plaintiffs’ attorneys continue to allege multiple legal theories. Plaintiffs alleged a total of 21 legal theories during this period.
  • Negligence has emerged as the clear theory of preference. While negligence was the most popular legal theory in the 2016 (and 2015) Report, it has increased from being included in 75% of cases to being included in nearly 95% of all cases.
  • Plaintiffs are focusing on sensitive categories of information. Plaintiffs’ attorneys overwhelmingly focused on breaches in this Period that involved information such as Social Security Numbers, medical treatment information, health insurance information, and security questions and answers, with 89% of cases in 2016 involving a breach of sensitive data.
Click here to read the full report.

No doubt many will quote this study without reading the details.
UBI to Add Trillions of Dollars to U.S. Economy, Study Finds
… In the United States, a report claims that UBI will have a very positive impact on the country’s economy which can attain a growth of as much as $2.5 trillion.
Roosevelt Institute research director Marshall Steinbaum, Michalis Nikiforos of Bard College’s Levy Institute, and Gennaro Zezza of the University of Cassino and Southern Lazio in Italy have recently published their study that shows the remarkable effects of three versions of UBI in an eight-year period based on the Levy Institute macroeconometric model.
The Levy model, however, presupposes that the potential of the economy is constrained due to low household income. A highly-debatable opinion which the authors have themselves admitted in the report.
… According to the authors, “Fundamentally, the larger the size of the UBI, the larger the increase in aggregate demand and thus the larger the resulting economy is.”
However, this kind of growth could only be achieved if the UBI will be paid by increasing federal debt not taxes.
“When paying for the policy by increasing taxes on households, the Levy model forecasts no effect on the economy,” the authors have further stated in their report. “In effect, it gives to households with one hand what it takes away with the other.”

A trend for geeks.
The Incredible Growth of Python
… You can see on Stack Overflow Trends that Python has been growing rapidly in the last few years

I don’t know if I can agree with them.
The Rise of the Twitter Thread
The compelling, incendiary literary form of the Trump era.
We don’t get to choose the literary genre of our epoch, and in this worst-of-times-worst-of-times political era, we have the Twitter thread. A series of tweets, written by one person and strung together by Twitter’s vertical border wall, the thread has emerged as this year’s ascendant form of argument: urgent, galloping, personality-driven and—depending on your view of the topic—either tacky and misleading or damned persuasive.
… A form that requires precise and lively storytelling, and the braiding together of seemingly disparate details and history, has naturally attracted both literary and legal minds.
… Sexton described threading to me as a “linguistic exercise to see how the mind works in quick succession while confined within a certain space.” Abramson has edited or written more than a dozen books, mostly on or of poetry, and is also a graduate of Harvard Law School and former public defender. He calls threading “a formal gesture in the same way a sonnet is.”

I’m sure my students think like Dilbert when I take points off.