Saturday, October 21, 2017

Not a bad summary.
EquiFIX - Lessons Learned From the Most Impactful Breach in U.S. History

Another useful article for my Computer Security students. Don’t forget your own security while you learn to protect your organization’s security.

Your postal service is out to get you!
USPS ‘Informed Delivery’ Is Stalker’s Dream
A free new service from the U.S. Postal Service that provides scanned images of incoming mail before it is slated to arrive at its destination address is raising eyebrows among security experts who worry about the service’s potential for misuse by private investigators, identity thieves, stalkers or abusive ex-partners. The USPS says it hopes to have changes in place by early next year that could help blunt some of those concerns.
… Signing up requires an eligible resident to create a free user account at, which asks for the resident’s name, address and an email address. The final step in validating residents involves answering four so-called “knowledge-based authentication” or KBA questions. KrebsOnSecurity has relentlessly assailed KBA as an unreliable authentication method because so many answers to the multiple-guess questions are available on sites like Spokeo and Zillow, or via social networking profiles.
Once signed up, a resident can view scanned images of the front of each piece of incoming mail in advance of its arrival. Unfortunately, because of the weak KBA questions (provided by recently-breached big-three credit bureau Equifax, no less) stalkers, jilted ex-partners, and private investigators also can see who you’re communicating with via the Postal mail.
Perhaps this wouldn’t be such a big deal if the USPS notified residents by snail mail when someone signs up for the service at their address, but it doesn’t.

This is the flip side of “We can, therefore we must!” Can’t wait to see how this plays out.
How many posts have I posted by now about government over-reach on surveillance and the need to vigorously defend our right to privacy? A lot, right?
And I realize that I am really only pseudoanonymous, but I think I’ve made it perfectly clear to most parties that I do not cheerfully tolerate people invading my privacy or trying to.
So imagine my reaction the other evening when I received an email from Twitter Legal telling me that they had been hit with a grand jury subpoena for details of my @PogoWasRight Twitter account.
To their great credit, Twitter had fought the subpoena for my account details as well as the account details of four other accounts, but now there was apparently nothing more they could do, so they notified me so that I could file a motion to quash the subpoena.
Yes, grand juries have a lot of power. And yes, journalists do not have a real shield law and even journalists can be subpoenaed.
Right now, I’m going to withhold details of what the subpoena is about, although I know. And I know enough to be infuriated that a grand jury would so cavalierly and casually demand my personal information.

Should it really surprise anyone that they are lawyering-up?
Tech giants' choice of Russia witnesses draws concern
Facebook, Twitter and Google all announced on Thursday that they will send their general counsels to testify at House and Senate Intelligence Committee hearings on Russian election interference — a move that has drawn fire from critics who want more transparency from the tech giants.
The companies’ decision to send their top attorneys marks a step forward from when they had not publicly stated if they would attend the hearings, causing the Senate Intelligence Committee’s top Democrat Sen. Mark Warner (D-Va.) to threaten that he would subpoena the tech giants into testifying.
But some observers say that sending the lawyers, instead of top executives or technical experts, could limit how many questions the companies can answer.

How People Inside Facebook Are Reacting To The Company’s Election Crisis
… To truly understand how Facebook is responding to its role in the election and the ensuing morass, numerous sources inside and close to the company pointed to its unemotional engineering-driven culture, which they argue is largely guided by a quantitative approach to problems. It’s one that views nearly all content as agnostic, and everything else as a math problem. As that viewpoint has run headfirst into the wall of political reality, complete with congressional inquiries and multiple public mea culpas from its boy king CEO, a crisis of perception now brews.

Should FEMA contract with Loon for future disasters or try to construct its own balloon army? Or should this be a requirement for any telecommunication company’s disaster recovery plan?
Project Loon's LTE balloons are floating over Puerto Rico
About a month after Hurricane Maria's devastating landfall on Puerto Rico and a couple of weeks after the FCC gave clearance, Project Loon is bringing wireless internet to people on remote parts of the island.

Friday, October 20, 2017

I like it! (But it probably won’t happen.)
Equifax Deserves the Corporate Death Penalty
Equifax is in trouble. The credit reporting company failed to protect the personal financial data of as many as 143 million Americans. Equifax's failure exposed not just names and addresses, but also Social Security numbers, birth dates, drivers' license numbers, and credit card numbers. The Federal Trade Commission, Congress, and about 40 state attorneys general are investigating the data breach, and both the Massachusetts attorney general and the city of San Francisco are suing on behalf of residents whose information was compromised.
That's a start. But it's not enough. Equifax's failure calls for the corporate death penalty, through a rare but vital procedure called judicial dissolution.
Under the law of Georgia, where Equifax is incorporated, the state attorney general may file a lawsuit in state court to dissolve a corporation if the corporation "has continued to exceed or abuse the authority conferred upon it by law." (All 50 states have similar provisions.) State attorneys general don't invoke these corporate death penalty statutes often, especially not against large, well-known corporations. But Equifax could not have obtained its unusually important position in our economy without the privileges of a corporate charter conferred by law, and it has forfeited its claim to those privileges.

This happens with patches for any useful flaw.
Russian Hackers Exploit Recently Patched Flash Vulnerability
The Russia-linked cyber espionage group known as APT28 has been using a recently patched Adobe Flash Player vulnerability in attacks aimed at government organizations and aerospace companies, security firm Proofpoint reported on Thursday.
APT28, which is also known as Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team, started launching attacks using CVE-2017-11292 on October 18, Proofpoint said. It’s unclear if APT28 discovered the exploit on its own, purchased it, or reverse engineered the one used in the BlackOasis attack.
Nevertheless, Proofpoint pointed out that the cyberspies are likely trying to take advantage of the recently fixed vulnerability before Adobe’s patch is widely deployed by users.

Another “why change the default” problem?
Since 2015, this site has been reporting on data leaks due to misconfigured databases or devices that are indexed on or other specialized search engines. Many of the leaks I have reported on involve AWS S3 buckets. And despite the fact that Amazon has issued reminders and guidance to its customers about securing buckets, there is still widespread leakage.
We all know you can lead a horse to a security tool or advice, but you can’t make them use it. With that in mind, kudos to Kromtech Security for developing and making freely available a tool to help administrators check whether their Amazon S3 bucket is allowing public access when it shouldn’t be.
We decided to make a simple tool that can help Amazon S3 users quickly check their S3 buckets for public access. The tool gives users a report that they can then use to shut down any unwanted public access to the S3 buckets and the valuable data they contain. This free tool can provide an extra layer of security so that users can be confident that their data is well-protected and is not accessible or being downloaded by unauthorised users.
Read more here and get the tool here.
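The kind of check the Kromtech tool performs, written here as an added example (this is not the Kromtech tool's code): it reads the ACL, bucket policy and Block Public Access documents that the S3 API returns and flags grants to everyone. Block Public Access is an S3 setting AWS added after this post; the sample documents are constructed and nothing here calls AWS.

```python
"""Check S3 bucket configuration documents for unintended public access.

Added example, not Kromtech's tool: it inspects the JSON documents the S3 API
returns (GetBucketAcl, GetBucketPolicy, GetPublicAccessBlock) rather than
calling AWS, so it runs offline. All sample documents below are constructed.
"""
import json

# Grantee URIs S3 uses for "everyone" and "any authenticated AWS account"
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def acl_public_grants(acl):
    """Return (group, permission) pairs the bucket ACL grants to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GRANTEES.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group:
            findings.append((group, grant["Permission"]))
    return findings

def _principal_is_everyone(principal):
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means any caller at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_public_statements(policy):
    """Split Allow-to-everyone statements into unconditioned (public) and conditioned.

    A Condition (aws:SourceVpce, aws:SourceIp, ...) may make the grant safe, so those
    statements are returned separately for a human to read instead of being called public.
    """
    public, conditional = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        target = conditional if stmt.get("Condition") else public
        target.append((stmt.get("Sid", "<no Sid>"), actions))
    return public, conditional

def assess_bucket(name, acl, policy=None, public_access_block=None):
    """Combine ACL, policy and Block Public Access settings into one verdict.

    When all four Block Public Access flags are on, public ACL grants and policies
    are ineffective, so the bucket is reported as "blocked" instead of "public".
    """
    pab = public_access_block or {}
    fully_blocked = all(pab.get(k) is True for k in (
        "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))
    acl_findings = acl_public_grants(acl)
    pol_public, pol_conditional = policy_public_statements(policy or {})
    exposed = bool(acl_findings or pol_public)
    return {
        "bucket": name,
        "status": "blocked" if fully_blocked else ("public" if exposed else "private"),
        "acl_grants": acl_findings,
        "policy_public": pol_public,
        "policy_conditional": pol_conditional,
    }

# --- constructed sample documents (no real bucket, account or endpoint) ----------------
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
LEAKY_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
PRIVATE_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}""")
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for report in (assess_bucket("leaky-bucket", LEAKY_ACL, LEAKY_POLICY),
                   assess_bucket("same-bucket-after-fix", LEAKY_ACL, LEAKY_POLICY, FULL_BLOCK),
                   assess_bucket("quiet-bucket", PRIVATE_ACL)):
        print(json.dumps(report, indent=2))
```

The conditioned statement is deliberately reported apart from the public one: a bare `Principal: "*"` is what leaks a bucket, while the same principal behind a VPC-endpoint or source-IP condition may be intended.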

Can we keep generating public interest or will boredom (apathy) allow DoJ to win in the end?
Tim Cushing reports:
It’s amazing what effect a little public scrutiny has on government overreach. In the wake of inauguration day protests, the DOJ started fishing for information from internet service providers. First, it wanted info on all 1.2 million visitors of a protest website hosted by DreamHost. After a few months of bad publicity and legal wrangling, the DOJ was finally forced to severely restrict its demands for site visitor data.
Things went no better with the warrants served to Facebook. These demanded a long list of personal information and communications from three targeted accounts, along with the names of 6,000 Facebook users who had interacted with the protest site’s Facebook page. Shortly before oral arguments were to be heard in the Washington DC court, the DOJ dropped its gag order.
Read more on TechDirt.

A Calendar of Our Safety Work
As we said last week, we’re updating our approach to make Twitter a safer place. This won’t be a quick or easy fix, but we’re committed to getting it right. Far too often in the past we’ve said we’d do better and promised transparency but have fallen short in our efforts. Starting today, you can expect regular, real-time updates about our progress.
… Here is a calendar of the upcoming changes we plan to make to the Twitter Rules, how we communicate with people who violate them, and how our enforcement processes work.

Perspective. Maybe Denver doesn’t need Amazon.
Denver-based email company SendGrid files for initial public offering of stock
After months of speculation, SendGrid made it official and filed documents this week for an initial public offering.
… The company expects to list its common stock on the New York Stock Exchange under the ticker symbol “SEND.”
SendGrid joins a rare list of Colorado tech companies that have gone public in recent years. Earlier this month, the parent of Golden-based HomeAdvisor acquired Angie’s List and combined the two into a new company, ANGI Homeservices, which began trading on the Nasdaq. In May, cable provider WideOpenWest in the Denver Tech Center began trading on the NYSE. In 2013, Boulder-based Rally Software went public, though it was later acquired by software firm CA Technologies. Boulder-based telecom Zayo Group went public in 2014.

Think Fortune can predict the future?
Welcome to the inaugural Fortune Future 50, our new ranking of companies best positioned for breakout growth. Produced in partnership with BCG, the Future 50 is divided into two lists: the 25 Leaders (companies with a market value above $20 billion) and the 25 Challengers (those below $20 billion when the ranking was done).

A stray thought: Should we ask AlphaGo Zero to determine what we should ask it to learn?
Google DeepMind AlphaGo Zero AI Can Now Self-Train Without Human Input
The new AI is the follow-up to the original AlphaZero AI that dominated all human players in an ancient Chinese game called "Go".
… AlphaGo Zero completed three days of self-learning and then challenged AlphaGo for a match. Zero decimated its predecessor winning 100 games out of 100. "AlphaGo Zero not only rediscovered the common patterns and openings that humans tend to play ... it ultimately discarded them in preference for its own variants which humans don’t even know about or play at the moment," said AlphaGo lead researcher David Silver.

The Future of Truth and Misinformation Online
by Sabrina I. Pacifici on Oct 19, 2017
Pew Report, October 19, 2017: “Experts are evenly split on whether the coming decade will see a reduction in false and misleading narratives online. Those forecasting improvement place their hopes in technological fixes and in societal solutions. Others think the dark side of human nature is aided more than stifled by technology… A Pew Research Center study conducted just after the 2016 election found 64% of adults believe fake news stories cause a great deal of confusion and 23% said they had shared fabricated political stories themselves – sometimes by mistake and sometimes intentionally.”

For my students, cable cutters or not.
Have you dreamed of cutting the cord but never been sure it’s right for you? Well, you’re in luck. This weekend, you’ll be able to dip your toes in the water and see how it feels.
It’s all thanks to Sling TV. The popular television streaming provider is offering a whole day of free viewing on Sunday, October 22. But what precisely will be available? And how do you get involved? Keep reading to find out.

For my Spreadsheet students. Is this going to be better? ALWAYS worth looking.
Coda is a next-generation spreadsheet designed to make Excel a thing of the past
… Mehrotra began to fixate on a question: what would documents and spreadsheets look like if they were invented today?
Coda, a company Mehrotra co-founded with his fellow former Googler Alex DeNeui, represents his answer to that question.

Thursday, October 19, 2017

Equifax Hack: Keep Your Friends Close, but Your Supply Chain Closer
After more than 145 million customer records were compromised in the Equifax data breach, the company’s stock plummeted by more than 30 percent. That amounted to market capitalization losses north of $5 billion. The hack was one of the largest in history, and the records stolen included Social Security and driver’s license numbers.
And yet, that could be just a drop in the bucket compared to the fallout yet to come. It wasn’t just Equifax that was hacked. Suppliers to Equifax may also be at risk of compromise, which could expose the information of millions of more customers.
For instance, both Visa and MasterCard recently sent alerts to banks notifying them about 200,000 credit cards that may have also been compromised. Indeed, there’s been a spike in attempted credit card fraud this August, with a 15 percent increase year-over-year.
Visa and MasterCard – which both explicitly blamed Equifax – may be the first of many companies to come forward with statements that their data was also compromised in the Equifax data breach. Any company that has interacted with Equifax is at risk.
The risk that companies inherit from their suppliers is a pervasive problem for cyber security. Dynamic supply chains are a necessity in today’s fast-paced business environment, but every new supplier expands a company’s threat surface.

Investigators found the source before the company noticed?
Bill Cooke reports:
With the help of self-professed “data and crypto addict” Flash Gordon, iAfrikan CEO Tefo Mohapi connected the leak to GoVault.
GoVault is a platform operated by Dracore, and is billed as a “goldmine of information” which offers access to the contact details of South African consumers and homeowners.
Read more on GearsofBiz. @s7nsins (aka “Flash Gordon”) had informed of this leak, and is not surprised to read how he helped others try to track down the source of the leak. He is one of a number of dedicated researchers who scour the net to see what can be viewed that shouldn’t be viewable.

Questions about the Massive South African "Master Deeds" Data Breach Answered

(Related). Same thing, different country?
VIJANDREN reports:
This is not looking good. Late yesterday, we received a tip off that someone was selling huge databases of personal details belonging to Malaysians on Lowyat Forums.
While we did brush it off as just another scammer looking to make a quick buck at first, we decided to dig a little further and discovered that this could be one of the biggest data breaches ever in Malaysian history.
What is up for sale – for an undisclosed amount in bitcoin – is millions of personal data records of Malaysians belonging to, the Malaysian Medical Council, the Malaysian Medical Association, Academy of Medicine Malaysia, the Malaysian Housing Loan Applications, the Malaysian Dental Association and the National Specialist Register of Malaysia.
That’s not all; the mother lode, however, is customer data from a huge list of Malaysian telcos that include Altel, Celcom, DiGi, Enabling Asia, Friendimobile, Maxis, MerchantTradeAsia, PLDT, RedTone, TuneTalk, Umobile and XOX.

Some breach analysis.
You can access their report here. Once again, we saw insider wrongdoing breaches taking a long time to discover. Hacking accounted for 50% of the 46 breaches we recorded for the month, and eight of the hacks also involved extortion demands. If you’re thinking, “That sounds like TheDarkOverlord,” give yourself a pat on the back. Yes, the 8 extortion-hacks were all by TheDarkOverlord.
You can find information on many of the 46 incidents disclosed in September by searching this site.

How should Twitter be penalized? (It’s not really a problem until everyone agrees it’s a problem?) It’s hard to accept anyone would believe some of these stories.
Twitter Was Warned Repeatedly About This Fake Account Run By A Russian Troll Farm And Refused To Take It Down
Twitter took 11 months to close a Russian troll account that claimed to speak for the Tennessee Republican Party even after that state's real GOP notified the social media company that the account was a fake.
The account, @TEN_GOP, was enormously popular, amassing at least 136,000 followers between its creation in November 2015 and when Twitter shut it down in August, according to a snapshot of the account captured by the Internet Archive just before the account was "permanently suspended."

For my Computer Security students.
CRS Report – Dark Web
by Sabrina I. Pacifici on Oct 18, 2017
Dark Web, Kristin Finklea, Specialist in Domestic Security. March 10, 2017. via FAS
“The layers of the Internet go far beyond the surface content that many can easily access in their daily searches. The other content is that of the Deep Web, content that has not been indexed by traditional search engines such as Google. The furthest corners of the Deep Web, segments known as the Dark Web, contain content that has been intentionally concealed. The Dark Web may be used for legitimate purposes as well as to conceal criminal or otherwise malicious activities. It is the exploitation of the Dark Web for illegal practices that has garnered the interest of officials and policymakers. Individuals can access the Dark Web by using special software such as Tor (short for The Onion Router). Tor relies upon a network of volunteer computers to route users’ web traffic through a series of other users’ computers such that the traffic cannot be traced to the original user. Some developers have created tools—such as Tor2web—that may allow individuals access to Tor-hosted content without downloading and installing the Tor software, though accessing the Dark Web through these means does not anonymize activity. Once on the Dark Web, users often navigate it through directories such as the “Hidden Wiki,” which organizes sites by category, similar to Wikipedia. Individuals can also search the Dark Web with search engines, which may be broad, searching across the Deep Web, or more specific, searching for contraband like illicit drugs, guns, or counterfeit money. While on the Dark Web, individuals may communicate through means such as secure email, web chats, or personal messaging hosted on Tor. Though tools such as Tor aim to anonymize content and activity, researchers and security experts are constantly developing means by which certain hidden services or individuals could be identified or “deanonymized.”…”

How do you control a “major threat?” Probably not by automating waivers.
Onward and Skyward! FAA Launches Automated Drone Approval Process
The Federal Aviation Administration (FAA) has approved a fast-track, automated approval process that allows commercial drone operators instant access to controlled airspace. The move helps reduce wait times to seconds for businesses, which previously had to seek approval over a months-long process.
… "Based on customer feedback, we know most of their jobs are in controlled airspace [Somehow, I doubt that. Bob] and getting access to fly in these areas is one of their largest business pain points," Mariah Scott, co-president of Skyward, said in a statement. "Operators have had to wait 60 to 90 days to receive authorization under the existing system. Now, with Skyward and LAANC, enterprises can get approval to fly in just two clicks. With this hurdle gone, we can expect to see substantial adoption of drone technology at the enterprise level."

My spreadsheet class is small, so I can show them lots of tricks that are “outside the textbook.”
Charts help shorten the decision-making process, as we can immediately see our results and where we need to make changes. The difficulty in handling data and charting is that you constantly have to go back to the chart and update it for new data.
Well, no more! I’m going to show you three easy steps to creating charts in Excel that self-update. All you’ll have to do is add data to the spreadsheet, and the chart will automatically graph it. You won’t have to depend on others to manipulate or mess up the chart, and you won’t have to do all that extra work either. You don’t need any Visual Basic skills, but you do need to understand the basic fundamentals of Excel charts.

Wednesday, October 18, 2017

“Hey, we’re boring old lawyers. Who would want our data? Encryption? Never heard of it.”
Joe Eskenazi reports:
Car break-ins in San Francisco have reached epidemic proportions, and city employees aren’t immune.
Now it’s the Office of the District Attorney’s turn. Thankfully, it wasn’t a gun stolen from a car this time. But the item lost to a burglar or burglars is tied to San Francisco homicides.
An alert sent to San Francisco police officers this week noted that a stolen work laptop left overnight in a DA employee’s car contained “sensitive information related to SFDA homicide cases.”
Read more on Mission Local.
And don’t you just love lines like, “DA spokesman Max Szabo said that his office was in the process of drafting policy regarding the stowing of work laptops in cars prior to the theft.” Right. I wish the reporter had filed under FOIA to see for how long they had presumably been drafting that policy. Because if the damned burglar had only waited a week or so, there would have been nothing to steal, right?
Why was the DA’s office years – and I do mean years – behind in having a firm policy in place already?

A huge theft that hasn’t been noticed yet? Or noticed and suppressed?
Andrew Fraser reports:
A huge trove of data, containing the personal information of millions of South Africans, including property ownership, employment history, income and company directorships, has been discovered by information security researcher Troy Hunt.
Hunt, the founder of, said the breach contains data of more than 30m unique South African ID numbers.
The data trove was discovered among a large dump of other breaches, and Hunt could identify it as South African source by the personal address details contained in it. He said that to date he hasn’t seen it offered for sale, but that “it is definitely floating around between traders”.
Read more on TechCentral.
[From the article:
The date of the database file indicates that the breach took place in March 2017, or perhaps before. The actual data includes information from at least as far back as the early 1990s.

Probably not the best message to send. The IRS seems to be saying that so many identities have already been stolen that a few million more won’t make a noticeable difference. (What’s an extra 45%?)
Many Equifax Hack Victims Had Info Stolen Prior to Breach: IRS
The U.S. Internal Revenue Service (IRS) believes the recent Equifax breach will not make a significant difference in terms of tax fraud considering that many victims already had their personal information stolen prior to the incident.
IRS Commissioner John Koskinen told the press on Tuesday that 100 million Americans have had their personally identifiable information (PII) stolen by hackers, according to The Hill. He also advised consumers to assume that their data has already been compromised and act accordingly.
The Equifax breach, which affected more than 145 million individuals, allowed cybercriminals to access social security numbers, dates of birth and other information. Despite this being one of the largest data breaches in history, Koskinen said it likely “won’t make any significantly or noticeable difference.”

Some interesting ideas, but I suspect many who might need this level of security won’t bother to implement it.
Google now offers special security program for high-risk users
Today, Google rolled out a new program called Advanced Protection for personal Google accounts, intended to provide much higher account security to users of services like Gmail and Drive who are at a high risk of being targeted by phishers, hackers, and others seeking their personal data. The opt-in program makes Google services much less convenient to use, but it's built to prevent the sorts of breaches that have been making recent headlines.
Examples of users who could benefit include journalists, politicians, and other public figures who may be running up against hostile actors with considerable resources—and also for private individuals in dangerous situations, like those escaping abusive relationships. In its blog post announcing this program, Google specifically named "political campaign managers," which harkens back to the breach of Hillary Clinton Presidential Campaign Chairman John Podesta's e-mails, which led to a release from WikiLeaks that may have played a significant role in the US presidential election last year.

You don’t need a “X9$$wordy” password.
NIST – Passphrases are the new way to protect your digital world
by Sabrina I. Pacifici on Oct 17, 2017
NIST Blog, Mike Garcia: “…First, I’m going to share the takeaways from our new password guidance. Simply put: Use passphrases, not passwords. Then, I’m going to explain the absolute most important thing to know about passwords: Try not to use them at all. And if you do, don’t rely on passwords, or even passphrases, alone. Over the years, our reliance on passwords, and the ease with which our adversaries can defeat those passwords, resulted in a negative feedback loop where users were subjected to increasingly complex, stressful and exhausting composition rules (upper, lower, and special characters, oh my!), increasing length requirements, password rotation requirements, and on and on. Like pounding out more and more miles faster and faster, these looked like gains on paper but undermined the outcome we wanted: a safer and more convenient online experience…”
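To see why the post says composition rules worked against users, here is an added example (not NIST's or Mike Garcia's code) that puts a typical legacy composition rule beside a verifier following the SP 800-63B memorized-secret rules: minimum 8 characters, accept at least 64, NFKC normalization, a blocklist of breached and context-specific values, and no composition rules. The blocklist here is a constructed stand-in for a real breached-password list.

```python
"""Legacy composition-rule policy versus a NIST SP 800-63B style verifier.

Added example for this post. The NIST rules encoded below are the memorized-secret
requirements of SP 800-63B section 5.1.1.2; BREACHED is a constructed stand-in for a
real breached-password list, which would have many millions of entries.
"""
import re
import unicodedata

# Constructed blocklist: values known to be compromised or trivially guessed.
BREACHED = {"password", "p@ssw0rd", "p@ssw0rd1!", "qwerty123", "letmein!1", "winter2017!"}

def legacy_policy_ok(pw):
    """Typical pre-2017 rule: 8-16 chars with upper, lower, digit and symbol.

    It happily accepts 'P@ssw0rd1!' and rejects a long passphrase outright.
    """
    checks = (8 <= len(pw) <= 16,
              re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
              re.search(r"\d", pw), re.search(r"[^\w\s]", pw))
    return all(checks)

def _sequential_or_repetitive(s):
    """'aaaaaaaa' or '12345678' style: every step between neighbours is the same -1, 0 or +1."""
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(diffs) == 1 and diffs <= {-1, 0, 1}

def nist_verify(secret, context_words=()):
    """Return (accepted, reason) per SP 800-63B: normalize, check length, check blocklists.

    No character-class rules and no expiry; context_words holds the username,
    service name or similar values the secret must not contain.
    """
    s = unicodedata.normalize("NFKC", secret)  # same text typed different ways compares equal
    if len(s) < 8:
        return False, "shorter than 8 characters"
    if len(s) > 64:  # verifiers SHALL accept at least 64; this one stops there
        return False, "longer than 64 characters"
    folded = s.casefold()
    if folded in BREACHED:
        return False, "appears in breached-password list"
    if _sequential_or_repetitive(folded):
        return False, "repetitive or sequential"
    if any(w and w.casefold() in folded for w in context_words):
        return False, "contains context-specific word (username/service)"
    return True, "accepted"

def compare(candidates, username="bob"):
    """Side-by-side verdicts of both policies for each candidate secret."""
    return {pw: {"legacy": legacy_policy_ok(pw), "nist": nist_verify(pw, [username])}
            for pw in candidates}

if __name__ == "__main__":
    for pw, verdict in compare(["P@ssw0rd1!", "correct horse battery staple",
                                "bob-loves-cats-2017", "12345678"]).items():
        print(f"{pw!r}: legacy={verdict['legacy']}, nist={verdict['nist']}")
```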

Adding vulnerabilities to your home?
Common Internet of Things Devices May Expose Consumers to Cyber Exploitation
by Sabrina I. Pacifici on Oct 17, 2017
From FBI News Release, October 17, 2017: “In conjunction with National Cyber Security Awareness Month, the FBI is re-iterating the growing concern of cyber criminals targeting unsecure Internet of Things (IoT) devices. The number of IoT devices in use is expected to increase from 5 billion in 2016 to an estimated 20 to 50 billion by 2020. Once an IoT device is compromised, cyber criminals can facilitate attacks on other systems or networks, send spam e-mails, steal personal information, interfere with physical safety, and leverage compromised devices for participation in distributed denial of service (DDoS) attacks. [h/t Pete Weiss]
IoT refers to a network of physical devices, vehicles, buildings, and other items (often called “smart devices”) embedded with electronics, software, sensors, actuators, and network connectivity enabling these objects to collect and exchange data. Below are examples of IoT devices:
  • Home automation devices (e.g., devices which control lighting, heating and cooling, electricity, sprinklers, locks);
  • Security systems (e.g., alarm systems, surveillance cameras);
  • Medical devices (e.g., wireless heart monitors, insulin dispensers);
  • Wearables (e.g., fitness trackers, clothing, watches);
  • Smart appliances (e.g., refrigerators, vacuums, stoves);
  • Office equipment (e.g., wireless printers, computer mouse, outlets, interactive whiteboards);
  • Entertainment devices (e.g., DVRs, TVs, gaming systems, music players, toys); and
  • Hubs (devices that control other IoT devices through a single app)….”

I did not see this App coming. If I had done more than laugh at all those celebrity nude photos, I might have thought of this myself.
Nude is a next-generation photo vault that uses AI to hide your sensitive photos
Nudes are an inconvenient truth of the mobile era. The combination of ever-more-powerful cameras and ever-more-convenient sharing mechanisms has made the exchange of explicit pictures a fact of life for nearly everyone seeking romantic connections online.
… Private photo vault apps have existed for years. Nude, a new app from two 21-year-old entrepreneurs from UC Berkeley, attempts to create the most sophisticated one yet. Its key innovation is using machine learning libraries stored on the phone to scan your camera roll for nudes automatically and remove them to a private vault. The app is now available on iOS

Good news and bad news? Good for Mom and Dad, not so good if you are being stalked by that crazy ex-boyfriend.
WhatsApp’s Live Location feature lets friends track each other in real time
WhatsApp has announced a notable new feature today, one that may prove popular with millions of security-conscious, nosy, and impatient people globally.
Landing on both Android and iOS “in the coming weeks,” the new Live Location feature allows WhatsApp users to share their real-time location with friends and family. It’s worth noting here that WhatsApp already allows you to share your current location, however that feature is static — if you’re moving around, friends are not able to see where you’re going.
The new Live Location feature, on the other hand, lets people track where you are for a period of time stipulated by you.

With the same intent, Russia is bad but it’s okay for Google and Facebook?
Facebook and Google Helped Anti-Refugee Campaign in Swing States
In the final weeks of the 2016 election campaign, voters in swing states including Nevada and North Carolina saw ads appear in their Facebook feeds and on Google websites touting a pair of controversial faux-tourism videos, showing France and Germany overrun by Sharia law. French schoolchildren were being trained to fight for the caliphate, jihadi fighters were celebrated at the Arc de Triomphe, and the “Mona Lisa” was covered in a burka.

Report: Google ran hoax news ads on fact-checking sites
Google has been running hoax news ads on fact-checking sites like Politifact and Snopes, The New York Times reported on Tuesday.
The newspaper found that the ads would often mislead readers with false headlines about celebrities, and the articles that the ads led to would invariably be about skin cream products.

Curious. Logic overcoming bias?
Facebook Executives Find A New Crisis Communications Tool: Twitter
As Facebook grapples with the unprecedented crisis that's arisen around its role in the 2016 US presidential election, some of the company's top executives have begun doing damage control on an unlikely platform — Twitter.
In recent weeks, these executives — Facebook Chief Security Officer Alex Stamos, VP of Augmented and Virtual Reality Andrew Bosworth, and News Feed chief Adam Mosseri — have been engaging in public and sometimes heated discussion on Twitter, sounding off in what has been a largely Facebook-antagonistic conversation about Russia's effort to use the company's platform to undermine American democracy.
Facebook's leadership has long ignored Twitter — Mark Zuckerberg last tweeted in 2012 and Sheryl Sandberg in 2013 — and its decision to do so has essentially freed reporters, academics, and the general public to criticize and lambast the company unchallenged by those who know it best. Now, with Facebook executives wading deep into a particularly fraught Twitter discussion, it's clear the company has begun to view it as a tool critical to shaping public perception. Facebook might prefer to ignore Twitter, but it can't afford to do so when a conversation shaping how people perceive its most grave crisis is unfolding there.

Boeing has only one rival, Airbus. Did they really not see this as driving Bombardier into their arms? Someone at Boeing needs to rethink their future!
Boeing’s future plans threatened by Airbus-Bombardier pact
Airbus’s surprise move to swallow Bombardier’s CSeries airplane program gives it a new small-jet family without spending the billions of dollars it would take to develop one itself.
Besides the likely impact of the deal on the Boeing-instigated U.S. trade case against Bombardier, that leg up for Airbus could trigger a serious strategy shift for Boeing.
The deal Airbus announced Monday, giving it control of Bombardier’s freshly introduced two-model family of small narrowbody jets — the 110-seat CS100 and the 130-seat CS300 — could ultimately force Boeing to redraw the road map of new airplane development that it had settled on.

Can we learn anything from developing countries? Please?
Intellectual Property for the Twenty-First-Century Economy
by Sabrina I. Pacifici on Oct 17, 2017
Intellectual Property for the Twenty-First-Century Economy, Joseph E. Stiglitz, Dean Baker, Arjun Jayadev. October 17, 2017.
“Developing countries are increasingly pushing back against the intellectual property regime foisted on them by the advanced economies over the last 30 years. They are right to do so, because what matters is not only the production of knowledge, but also that it is used in ways that put the health and wellbeing of people ahead of corporate profits… The IP standards advanced countries favor typically are designed not to maximize innovation and scientific progress, but to maximize the profits of big pharmaceutical companies and others able to sway trade negotiations. No surprise, then, that large developing countries with substantial industrial bases – such as South Africa, India, and Brazil – are leading the counterattack. These countries are mainly taking aim at the most visible manifestation of IP injustice: the accessibility of essential medicines. In India, a 2005 amendment created a unique mechanism to restore balance and fairness to patenting standards, thereby safeguarding access. Overcoming several challenges in domestic and international proceedings, the law has been found to comply with WTO standards. In Brazil, early action by the government to treat people with HIV/AIDS resulted in several successful negotiations, lowering drug prices considerably…”

Perspective. If you can’t come here, we’ll invest heavily in countries you can get to. Take that potential immigrants!
Mexico tech industry benefits from U.S. anti-immigration stance
Amazon, Facebook and other U.S. tech companies are expanding operations south of the border as Mexico works to capitalize on the Trump administration’s anti-immigration stance.

Clearly, we ain’t there yet. (Assuming that is where we want to go.)
Research – The enduring power of print for learning in a digital world
by Sabrina I. Pacifici on Oct 17, 2017
The Conversation: “Today’s students see themselves as digital natives, the first generation to grow up surrounded by technology like smartphones, tablets and e-readers. Teachers, parents and policymakers certainly acknowledge the growing influence of technology and have responded in kind. We’ve seen more investment in classroom technologies, with students now equipped with school-issued iPads and access to e-textbooks. In 2009, California passed a law requiring that all college textbooks be available in electronic form by 2020; in 2011, Florida lawmakers passed legislation requiring public schools to convert their textbooks to digital versions. Given this trend, teachers, students, parents and policymakers might assume that students’ familiarity and preference for technology translates into better learning outcomes. But we’ve found that’s not necessarily true. As researchers in learning and text comprehension, our recent work has focused on the differences between reading print and digital media. While new forms of classroom technology like digital textbooks are more accessible and portable, it would be wrong to assume that students will automatically be better served by digital reading simply because they prefer it… To explore these patterns further, we conducted three studies that explored college students’ ability to comprehend information on paper and from screens…”

For my geeks.
When Apple announced Swift way back in 2014, people were rightfully skeptical. Nobody knew if it would catch on, and many questioned the need for yet another programming language to learn.
But then Swift went open source in 2015, and though it didn’t explode overnight, the language has steadily grown. There’s never been a better time to learn! We’ve covered online Swift tutorials as well as mobile Swift tutorials, so start there if you’re brand new.
Once you’re comfortable with the language, consider testing your skills with these Swift coding challenges.

With a virtual machine like VirtualBox you can virtually install multiple operating systems, without having to buy any new hardware.
Maybe you’ve heard of virtual machines (VM), but never tried one out yourself. You might be scared that you won’t set it up correctly or don’t know where to find a copy of your preferred operating system (OS). VirtualBox is the best virtual machine for home users, and you can use this virtualization software with our help.

Hey! It can’t hurt!
Writing is different from good writing. It is the difference between a dime novel and an NYT Bestseller. It can mean the difference between letting your ideas die or using them to sharpen your communication skills.
The good news is that you can hone your wordsmithery. The art can be mastered step-by-step. In our continuing series on the best Udemy classes, let’s see how we can take a step in that direction.

Sometimes I feel like Dilbert after class.

Tuesday, October 17, 2017

It’s depressing to see that they have not yet closed the holes that allowed the attack on the Bank of Bangladesh.
North Korean hacker group linked to Taiwan bank cyberheist
Lazarus, a hacking group linked to North Korea, may have been behind this month’s theft of $60 million from Taiwan’s Far Eastern International Bank, according to BAE Systems PLC researchers.
The cyberattack, in which malware was used to steal the money through the international Swift banking network, bore “some of the hallmarks” of Lazarus, according to a BAE blog post on Monday.
Lazarus and its offshoots have been blamed for attacks ranging from last year’s heist of Bangladesh’s central bank to assaults on cryptocurrency exchanges and South Korean ATMs. North Korea is becoming increasingly starved of hard currency as the United Nations imposes sanctions amid a standoff with the U.S. over Kim Jong Un’s nuclear weapons program.

Here’s a good indicator of how seriously people are taking that WiFi vulnerability.
Here's every patch for KRACK Wi-Fi vulnerability available right now
… According to security researcher and academic Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device.
US-CERT has known of the bug for some months and informed vendors ahead of the public disclosure to give them time to prepare patches and prevent the vulnerability from being exploited in the wild – there are currently no reports of this bug being harnessed by cyberattackers.

Hackers might find a list of unpatched vulnerabilities rather valuable.
Microsoft responded quietly after detecting secret database hack in 2013
Microsoft Corp’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago, according to five former employees, in only the second known breach of such a corporate database.
… The database contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system. Spies for governments around the globe and other hackers covet such information because it shows them how to create tools for electronic break-ins.
… “Bad guys with inside access to that information would literally have a ‘skeleton key’ for hundreds of millions of computers around the world,” said Eric Rosenbach, who was U.S. deputy assistant secretary of defense for cyber at the time.

Refreshing. Starting to design Privacy into their phones?
Apple responds to Senator Franken’s Face ID privacy concerns
Apple has now responded to a letter from Senator Franken last month in which he asked the company to provide more information about the incoming Face ID authentication technology which is baked into its top-of-the-range iPhone X, due to go on sale early next month.
… In its response letter, Apple first points the Senator to existing public info — noting it has published a Face ID security white paper and a Knowledge Base article to “explain how we protect our customers’ privacy and keep their data secure”. It adds that this “detailed information” provides answers to “all of the questions you raise”.
But it also goes on to summarize how Face ID facial biometrics are stored, writing: “Face ID data, including mathematical representations of your face, is encrypted and only available to the Secure Enclave. This data never leaves the device. It is not sent to Apple, nor is it included in device backups. Face images captured during normal unlock operations aren’t saved, but are instead immediately discarded once the mathematical representation is calculated for comparison to the enrolled Face ID data.”
… Notably Apple hasn’t engaged with Senator Franken’s question about responding to law enforcement requests — although given enrolled Face ID data is stored locally on a user’s device in the Secure Element as a mathematical model, the technical architecture of Face ID has been structured to ensure Apple never takes possession of the data — and couldn’t therefore hand over something it does not hold.
The fact Apple’s letter does not literally spell that out is likely down to the issue of law enforcement and data access being rather politically charged.

How about the Fourth? If I had to keep a finger on the phone for it to operate, would that change the court’s thinking? Somewhere along the line, we need to get lawyers involved in the design process. makes us aware of this opinion:
An order compelling persons to provide fingerprints to unlock Apple devices doesn’t violate the self-incrimination clause of the Fifth Amendment. In re Search Warrant Application for [Name Redacted by the Court], 2017 U.S. Dist. LEXIS 169384 (N.D. Ill. Sept. 18, 2017):
The United States seeks review of the magistrate judge’s denial of one aspect of the government’s search-warrant application in this investigation: authorization to require the four residents of a home to apply their fingers and thumbs (as chosen by government agents) to the fingerprint sensor on any Apple-made devices found at the home during the search. Ordinarily, review of the magistrate judge’s decision on a warrant application would be ex parte. But because the magistrate judge’s thoughtful opinion addressed a novel question on the scope of the Fifth Amendment’s privilege against self-incrimination, the Court invited the Federal Defender Program in this District to file an amicus brief to defend the decision (the government did not object to the amicus participation). The Court is grateful for the Federal Defender Program’s excellent service in fulfilling this request. After reviewing the competing filings and the governing case law, the Court holds that requiring the application of the fingerprints to the sensor does not run afoul of the self-incrimination privilege because that act does not qualify as a testimonial communication.

It’s important, so try to get around to it before the next Ice Age.
DHS Orders Federal Agencies to Use DMARC, HTTPS
The U.S. Department of Homeland Security (DHS) has issued a binding operational directive requiring all federal agencies to start using web and email security technologies such as HTTPS, DMARC and STARTTLS within the next few months.
Within the next 30 days, agencies will have to develop a plan of action for implementing the requirements of Binding Operational Directive (BOD) 18-01.
Agencies have been given 90 days to configure all Internet-facing email servers to use STARTTLS, a protocol command that allows clients to indicate that they want unprotected connections upgraded to a secure connection using SSL or TLS.
The DHS also wants them to gradually roll out DMARC (Domain-based Message Authentication, Reporting and Conformance), an email authentication, policy, and reporting protocol designed to detect and prevent email spoofing.
The decision to order the use of these security technologies comes just months after Senator Ron Wyden urged the DHS to get federal agencies to deploy DMARC for .gov domains.
A study conducted recently by email security firm Agari showed that many Fortune 500, FTSE 100 and ASX 100 companies still haven’t properly implemented DMARC.
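The Agari finding above is about records that exist but do not actually enforce anything. The following is an added example, not code from the article, the DHS directive or Agari: a small offline checker that parses a DMARC TXT record (the `tag=value; tag=value` syntax of RFC 7489) and flags the settings that leave a domain spoofable even though a record is published. The sample records and the `example.invalid` addresses are constructed for the demonstration; to check a real domain you would feed it the `_dmarc.<domain>` TXT record from DNS.

```python
"""Parse and assess a DMARC TXT record (added example; sample records are constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcAssessment:
    tags: Dict[str, str]
    problems: List[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        # Only quarantine/reject applied to the whole mail stream (pct=100,
        # the default) actually stops spoofed mail from being delivered.
        return (self.tags.get("p") in ("quarantine", "reject")
                and self.tags.get("pct", "100") == "100")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Return the parsed tags plus a list of reasons the record is weak or invalid."""
    tags = parse_dmarc(record)
    a = DmarcAssessment(tags)

    # RFC 7489 requires v=DMARC1 to be the first tag, exactly in that form.
    if record.split(";", 1)[0].strip() != "v=DMARC1":
        a.problems.append("v=DMARC1 must be the first tag")

    p = tags.get("p")
    if p is None:
        a.problems.append("missing p= policy tag (record is invalid)")
    elif p not in VALID_POLICIES:
        a.problems.append(f"invalid policy {p!r}")
    elif p == "none":
        a.problems.append("p=none only monitors; spoofed mail is still delivered")

    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        a.problems.append(f"invalid pct={pct!r}")
    elif int(pct) < 100 and p in ("quarantine", "reject"):
        a.problems.append(f"pct={pct}: policy applies to only part of the mail stream")

    if "rua" not in tags:
        a.problems.append("no rua= address: no aggregate reports, so failures go unseen")

    # A strict organisational policy can be undercut by a lax subdomain policy.
    if tags.get("sp") == "none" and p in ("quarantine", "reject"):
        a.problems.append("sp=none leaves subdomains unprotected")
    return a


# Constructed sample records (not real domains).
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "partial": "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@example.invalid",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; "
                 "ruf=mailto:forensic@example.invalid",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        status = "enforcing" if result.enforcing else "NOT enforcing"
        print(f"{name:13s} {status:14s} {result.problems}")
```

The `enforcing` property is deliberately strict: a domain with `p=none`, or with `p=reject` but `pct=20`, has "implemented DMARC" in the sense of publishing a record, yet most spoofed mail still reaches inboxes, which is the gap the Agari study is describing.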

My Computer Security students might find this interesting.
New Pluralsight Course: Emerging Threats in IoT
Play by Play: Emerging Threats in IoT is now live on Pluralsight!

So, nothing Russia or North Korea can do (cyber wise) would be considered an act of war?
Cybersecurity, Encryption and United States National Security Matters
by Sabrina I. Pacifici on Oct 16, 2017
Cybersecurity, Encryption and United States National Security Matters, Senate Armed Services Committee, September 13, 2016 (published September 2017), via FAS.
Steven Aftergood, Secrecy News: “What constitutes an act of war in the cyber domain? It’s a question that officials have wrestled with for some time without being able to provide a clear-cut answer. But in newly-published responses to questions from the Senate Armed Services Committee, the Pentagon ventured last year that “The determination of what constitutes an ‘act of war’ in or out of cyberspace, would be made on a case-by-case and fact-specific basis by the President.” “Specifically,” wrote then-Undersecretary of Defense (Intelligence) Marcel Lettre, “cyber attacks that proximately result in a significant loss of life, injury, destruction of critical infrastructure, or serious economic impact should be closely assessed as to whether or not they would be considered an unlawful attack or an ‘act of war.'” Notably absent from this description is election-tampering or information operations designed to disrupt the electoral process or manipulate public discourse. Accordingly, Mr. Lettre declared last year that “As of this point, we have not assessed that any particular cyber activity [against] us has constituted an act of war.”

Have I been missing something here? Why would a security clearance be required to say “This account is Russian?” Is the threat of government investigators looking at Facebook’s code that likely?
Facebook Is Looking for Employees With National Security Clearances
Facebook Inc. is looking to hire people who have national security clearances, a move the company thinks is necessary to prevent foreign powers from manipulating future elections through its social network, according to a person familiar with the matter.
Workers with such clearance can access information classified by the U.S. government. Facebook plans to use these people -- and their ability to receive government information about potential threats – to search more proactively for questionable social media campaigns ahead of elections, according to the person, who asked not to be identified because the information is sensitive. A Facebook spokesman declined to comment.
… Without employees who can handle classified material, Facebook would need to give government investigators access to its system to investigate threats, according to Scott Amey, general counsel of the Project on Government Oversight, a Washington-based group that studies national security issues. So the move to hire people with clearances may be aimed at controlling access to the inner workings of its platform, like code and user data, he said.

Yet another App I have never heard of… (Maybe because it’s not available in Colorado?)
Facebook acquires anonymous teen compliment app tbh, will let it run
Today, Facebook announced it’s acquiring positivity-focused polling startup tbh and will allow it to operate somewhat independently with its own brand.
tbh had scored 5 million downloads and 2.5 million daily active users in the past nine weeks with its app that lets people anonymously answer kind-hearted multiple-choice questions about friends who then receive the poll results as compliments. You see questions like “Best to bring to a party?,” “Their perseverance is admirable?” and “Could see becoming a poet?” with your uploaded contacts on the app as answer choices.
tbh has racked up more than 1 billion poll answers since officially launching in limited states in August, mostly from teens and high school students, and spent weeks topping the free app charts. When we profiled tbh last month in the company’s first big interview, co-creator Nikita Bier told us, “If we’re improving the mental health of millions of teens, that’s a success to us.”

Is this paper detailed enough to allow us to create an App to write contracts?
FCL: A Formal Language for Writing Contracts
by Sabrina I. Pacifici on Oct 16, 2017
Farmer W.M., Hu Q. (2018) FCL: A Formal Language for Writing Contracts. In: Rubin S., Bouabana-Tebibel T. (eds) Quality Software Through Reuse and Integration. FMI 2016, IRI 2016 2016. Advances in Intelligent Systems and Computing, vol 561. Springer, Cham
“A contract is an artifact that records an agreement made by the parties of the contract. Although contracts are considered to be legally binding and can be very complex, they are usually expressed in an informal language that does not have a precise semantics. As a result, it is often not clear what a contract is intended to say. This is particularly true for contracts, like financial derivatives, that express agreements that depend on certain things that can be observed over time such as actions taken of the parties, events that happen, and values (like a stock price) that fluctuate with respect to time. As the complexity of the world and human interaction grows, contracts are naturally becoming more complex. Continuing to write complex contracts in natural language is not sustainable if we want the contracts to be understandable and analyzable. A better approach is to write contracts in a formal language with a precise semantics. Contracts expressed in such a language have a mathematically precise meaning and can be manipulated by software. The formal language thus provides a basis for integrating formal methods into contracts. This paper outlines fcl, a formal language with a precise semantics for expressing general contracts that may depend on temporally based conditions. We present the syntax and semantics of fcl and give two detailed examples of contracts expressed in fcl. We also sketch a reasoning system for fcl. We argue that the language is more effective for writing and analyzing contracts than previously proposed formal contract languages.”

When we’re done with the computer labs?
Feel like helping people but don’t have the time, money, or energy? Well, there’s an app for that. Or rather, there are several. From something as simple as opening a tab to playing some games, here’s how to help.
For several of these, all you need to do is install an app or open a tab. The app or tab will then access the unused processing power of your computer and use it to run calculations. It then shares these with millions of other such computers via the internet. The result is a virtual supercomputer for scientists to run complex calculations.

Monday, October 16, 2017

Another one bites the dust...
One of the 'Biggest Online Security Threats Ever'? Wi-Fi Security May Have Been Cracked
WPA2, the security protocol used to protect most Wi-Fi connections, has reportedly been cracked. This means that wireless internet traffic could be vulnerable to eavesdroppers and attacks.
At 8 a.m. EDT October 16, researchers plan to share the findings of their proof-of-concept exploit called KRACK, which is short for Key Reinstallation Attacks.
US-CERT, the Computer Emergency Readiness Team, issued the following warning, first published by Ars Technica:
“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.”
The details and severity of the threat will become clearer once the findings have been released. However, if the vulnerability of WPA2 is similar to that of earlier security standards like WEP, this could be one of the “biggest online security threats ever.” Mashable reports that regardless of the strength of your password, Wi-Fi connections could be open to hackers, and users concerned about the security of their connection should avoid using Wi-Fi entirely until a solution is in place.

Learn to hack properly: Take our Ethical Hacking class.
Easy-to-get hacking device puts KU professors’ information in student’s hands
… The KU hacker was an engineering student who used a keystroke logger to pry into professors’ computers and change all his failing grades to A’s.
“He may never even have gotten caught, but he got greedy,” said Ron Barrett-Gonzalez, an engineering professor at KU. “It does look a little suspicious when you are on academic probation and the dean’s honor roll at the same time.”

If you should decide to hack back, remember the immortal words of Elmer Fudd, “Be vewy, vewy careful!”
Active Cyber Defense Certainty Act
by Sabrina I. Pacifici on Oct 15, 2017
The Register: “Two members of the US House of Representatives today introduced a law bill that would allow hacking victims to seek revenge and hack the hackers who hacked them. The Active Cyber Defense Certainty Act (ACDC) [PDF] amends the Computer Fraud and Abuse Act to make limited retaliatory strikes against cyber-miscreants legal in America for the first time. The bill would allow hacked organizations to venture outside their networks to identify an intruder and infiltrate their systems, destroy any data that had been stolen, and deploy “beaconing technology” to trace the physical location of the attacker. “While it doesn’t solve every problem, ACDC brings some light into the dark places where cybercriminals operate,” said co-sponsor Representative Tom Graves (R-GA). “The certainty the bill provides will empower individuals and companies to use new defenses against cybercriminals. I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders. We must continue working toward the day when it’s the norm – not the exception – for criminal hackers to be identified and prosecuted.”
  • “I never thought of it this way. It’s basically the cyber version of being allowed to murder someone for entering your property.” — MalwareTech (@MalwareTechBlog) October 13, 2017

Big company, small country? Does Microsoft need the Netherlands?
Peter Bright reports:
The lack of clear information about what Microsoft does with the data that Windows 10 collects prevents consumers from giving their informed consent, says the Dutch Data Protection Authority (DPA). As such, the regulator says that the operating system is breaking the law.
To comply with the law, the DPA says that Microsoft needs to get valid user consent: this means the company must be clearer about what data is collected and how that data is processed. The regulator also complains that the Windows 10 Creators Update doesn’t always respect previously chosen settings about data collection. In the Creators Update, Microsoft introduced new, clearer wording about the data collection—though this language still wasn’t explicit about what was collected and why—and it forced everyone to re-assert their privacy choices through a new settings page. In some situations, though, that page defaulted to the standard Windows options rather than defaulting to the settings previously chosen.
Read more on Ars Technica.

Small company, big country? This could never happen here, could it?
Russia Fines Telegram For Not Giving Backdoor Access
A Russian court on Monday fined the popular Telegram messenger app for failing to provide the country's security services with encryption keys to read users' messaging data.
According to a scan of the complaint posted online by Durov, the FSB had sent a letter to Telegram in July demanding "information necessary to decode users' sent, received, delivered and processed electronic messages".

(Related). Perhaps it could happen here!
Inside Privacy writes:
In a speech delivered at the United States Naval Academy on October 10, Deputy Attorney General Rod Rosenstein waded into the public debate between data privacy and law enforcement interests. As part of a discussion moderated by former Covington cybersecurity attorney Jeff Kosseff, Rosenstein’s remarks discussed cyber issues facing law enforcement with a particular focus on the advent of “warrant-proof” encryption. In his view, warrant-proof encrypted data and devices are unable to be intercepted or unlocked by law enforcement, even with a court order.
Noting that “[p]rivate sector entities are crucial partners” in the fight against cyber threats, Rosenstein expressed concerns about the role played by tech companies in advancing warrant-proof encryption. While recognizing the need to balance important privacy interests against law enforcement priorities, Rosenstein argued that “[w]arrant-proof encryption defeats the constitutional balance by elevating privacy above public safety.”
Read more on Covington & Burling Inside Privacy.

The new rules of the road?
Alphabet is training law enforcement on how to handle self-driving car crashes
Alphabet’s self driving car division Waymo has been testing its fleet of robot cars in four states across the country — Washington, California, Arizona, and Texas — and it has started to work with local law enforcement agencies and first responders to figure out what to do after a collision and create new protocols.
That includes what a fully driverless car should do when it hears a siren coming toward it — yes, Waymo driverless cars can hear — as well as how police officers, or first responders can access the cars in emergency situations.
In a new 43-page report (pdf) that Waymo published Thursday, the company detailed some of its efforts to respond to (and avoid) collisions. Those efforts can be broken up into three parts: How the cars stop in unsafe working conditions; how the cars respond to sirens/emergency vehicles; and what happens after an accident.

Perspective. Poor Mark Zuckerberg is going to be broke. Maybe that’s why he wants to run for President?
Nearly half of U.S. teens prefer Snapchat over other social media
Snapchat is more popular among U.S. teens than ever, according to new research from investment firm Piper Jaffray. The company surveys teens in the U.S. about their media habits every spring and fall.

Hey, it’s a start!
Pen America Report – Faking News: Fraudulent News and the Fight for Truth
by Sabrina I. Pacifici on Oct 15, 2017
“Warning that the spread of “fake news” is reaching a crisis point, Faking News: Fraudulent News and the Fight for Truth evaluates the array of strategies that Facebook, Google, Twitter, newsrooms, and civil society are undertaking to address the problem, stressing solutions that empower news consumers while vigilantly avoiding new infringements on free speech. Faking News rates the range of fact-checking, algorithmic, educational, and standards-based approaches being taken to counter the proliferation of fake news and sounds a warning bell for tactics that risk suppressing controversial speech, such as giving government new powers to regulate or calling on social media companies to block specific content entirely. Arguing that Facebook, Google, and Twitter—which are many Americans’ primary channels for news consumption—must play a critical and transparent role in curbing the spread of false news, the report spells out a series of specific strategies that center on empowering news consumers with access to fact-checking initiatives and news literacy programs. The “News Consumers Bill of Rights and Responsibilities” outlines what consumers should expect from the outlets and social media platforms that convey news and how they can protect themselves and others. The report also includes an executive summary that outlines the report’s key findings.”

I love lists like this. I wonder how many Top Ten Techs have completely fizzled?
Gartner Top 10 Strategic Technology Trends for 2018
by Sabrina I. Pacifici on Oct 15, 2017
Gartner: “Artificial intelligence, immersive experiences, digital twins, event-thinking and continuous adaptive security create a foundation for the next generation of digital business models and ecosystems…”