Saturday, November 04, 2017

Strange that they could expend so much effort to “clear” their executives and so little effort to manage their security.
At the time, Equifax claimed that its executives had no idea about the massive data breach when they sold their stock. Today, the credit reporting company released further details about its internal investigation that cleared all four executives of any wrongdoing.
The report, prepared by a board-appointed special committee, concludes that “none of the four executives had knowledge of the incident when their trades were made, that preclearance for the four trades was appropriately obtained, that each of the four trades at issue comported with Company policy, and that none of the four executives engaged in insider trading.” The committee says it reviewed 55,000 documents to reach its conclusions, including emails and text messages, and conducted 62 in-person interviews.
Equifax’s internal investigation into the hack itself is still underway. “The Special Committee continues to review the cybersecurity incident, the Company’s response to it, and all relevant policies and practices,” [I wonder if that will include notifying senior management in a timely manner? Bob] the committee said in a statement.

Don’t worry, it couldn’t possibly happen here. Could it Mr President? (Why no, Bob. But it might happen in Guantanamo.)
US woman charged over tweet allegedly insulting Robert Mugabe
Zimbabwean police have charged an American citizen with a new offence of plotting to overthrow a constitutionally elected government, her lawyer has said.
Martha O’Donovan had earlier been charged over a tweet that appeared to insult Robert Mugabe, weeks after the president appointed a cybersecurity minister to police social media.
O’Donovan was detained on Friday morning, a US embassy spokesman told the Associated Press. Her lawyer, Obey Shava, said she faced two charges – undermining the authority of or insulting the president and plotting to overthrow the government – of tweets that police claimed were “emanating from her IT address”.
The exact words of the insult are unclear. Shava said his client had been accused of tweeting “We are being led by a selfish and sick man” from the Twitter handle @matigary.

(Related) If insults are encrypted, we can arrest or otherwise intimidate the author!
Afghanistan Orders WhatsApp Blocked
Afghan authorities have ordered internet service providers to block Facebook Inc.’s WhatsApp, triggering condemnation from civil-liberties groups and protests from users on social media.
In a letter sent to service providers on Thursday, Afghanistan’s Telecommunication Regulatory Authority didn’t say why it was ordering the providers to shut WhatsApp, as well as Telegram, another encrypted messaging app, for 20 days “without delay.”

Not all free advice is bad advice. (I love the last line of this article.)
Attorney to ex-Twitter worker who deactivated Trump account: 'Get a lawyer'
A prominent attorney for cybersecurity issues has this advice to the unnamed Twitter worker said to have pulled the plug on President Trump's Twitter account: "Don't say anything and get a lawyer."
Tor Ekeland told The Hill that while the facts of the case are still unclear and the primary law used to prosecute hackers is murky and unevenly applied, there is a reasonable chance the Twitter worker violated the Computer Fraud and Abuse Act.
"You will probably see this as a law school exam question this year," said Ekeland.

Yet more and more countries (e.g. the GDPR) try to force the world to follow their laws.
U.S. court rejects Canadian court order requiring Google to remove search results globally
After years of litigation in two countries, a federal court in the US has weighed in on a thorny question: Does Google US have to obey a Canadian court order requiring Google to take down information around the world, ignoring contrary rules in other jurisdictions? According to the Northern District of California, the answer is no.

A simple guide to propaganda?

For my Spreadsheet students.

Friday, November 03, 2017

What’s bad for Equifax is bad for everyone?
Not surprisingly, states are responding to the Equifax breach, but they are taking different approaches. Here is how two states are responding: reports that in New York:
Attorney General Eric Schneiderman is proposing comprehensive legislation to tighten data security laws and expand protections.
The Stop Hacks and Improve Electronic Data Security Act, introduced this week in the Legislature, would require companies that handle New Yorkers’ sensitive data to adopt “reasonable administrative, technical and physical protections for data” regardless of where the company is headquartered, Schneiderman’s office said in a news release Thursday. It would cover credit reporting agencies such as Equifax as well as many other types of companies that collect personally identifiable information on individuals.
And Vermont Public Radio reports:
Chittenden County Sen. Michael Sirotkin says he heard from more constituents about the Equifax breach than almost any other issue he’s dealt with as a lawmaker. Sirotkin says he’s now putting the finishing touches on legislation that would give Vermonters new legal options for similar breaches in the future.
“So what that means is that consumers will have a private right of action, if this bill passes, where they will be able to get their damages for their time and expense and their attorneys’ fees and the cost of repairing the problem,” Sirotkin said Thursday at a press conference announcing the legislation.

Another example of Equifax security?
Equifax Reopens Salary Lookup Service
Equifax has re-opened a Web site that lets anyone look up the salary history of a large portion of the American workforce using little more than a person’s Social Security number and their date of birth. The big-three credit bureau took the site down just hours after I wrote about it on Oct. 8, and began restoring the site eight days later saying it had added unspecified “security enhancements.”

When we’ll help and when we’ll hack.
At a series of events earlier in October, White House Cybersecurity Coordinator Rob Joyce announced that he is preparing to release more information about the Vulnerabilities Equities Process (VEP). 
As we’ve discussed before, the VEP is a complicated yet important process that determines whether the government will notify a digital-technology company about a cybersecurity flaw in its product or service, or choose not to disclose the flaw and use it for later hacking or intelligence-gathering purposes.

A “new tech” security issue.
Shadow IT Growth Introducing Huge Compliance Risks: Report
Shadow IT continues to grow, while senior management remains in denial. The average enterprise now uses 1,232 cloud apps (up 33% from the second half of last year), while CIOs still believe their organizations use between just 30 and 40 cloud apps and services. Within this cloud, 20% of all stored data is at risk of being 'broadly shared'.
The figures come from 1H 2017 Shadow Data Report (PDF), based on aggregated and anonymized data from 22,000 cloud apps and services, 465 million documents, and 2.3 billion emails used by Symantec's CloudSOC (CASB) customers.

For my Ethical Hackers and my Computer Security students.
Analysis of 3,200 Phishing Kits Sheds Light on Attacker Tools and Techniques
Phishing kits are used extensively by cybercriminals to increase the efficiency of stealing user credentials. The basic kit comprises an accurate clone of the target medium's login page (Gmail, Facebook, Office 365, targeted banks, etc.), and a pre-written PHP script to steal the credentials -- both bundled and distributed as a zip file. Successfully phished credentials are mailed by the script to the phisher, or gathered in a text file for later collection. This is commodity phishing; not spear-phishing.
Duo Security R&D engineer Jordan Wright found and analyzed a single phishing kit; and decided to investigate the extent of their use. The results were published this week in a new report (PDF).

For my Computer Security student Midterm: How would you prevent this?
Rogue Twitter employee on last day of job deactivated Trump’s personal account, company says
President Trump boasted Friday of his social media influence after his personal Twitter account was briefly deactivated by a departing company employee, raising serious questions about the security of tweets the president wields to set major policy agendas, connect with his voter base and lash out at his adversaries.
The deactivation Thursday sparked deep and troubling questions about who has access to the president's personal account, @realDonaldTrump, and the power that access holds. The deactivation also came at a time when the social network is under scrutiny for the role it played in spreading Russian propaganda during the 2016 presidential election.
At 8:05 p.m., at the same time Trump was tweeting about tax revisions, the company posted a statement saying the president's “account was inadvertently deactivated due to human error by a Twitter employee.”
“The account was down for 11 minutes, and has since been restored,” the statement read. “We are continuing to investigate and are taking steps to prevent this from happening again.”
But two hours later, the company admitted that the deactivation wasn't an accident at all: A preliminary investigation revealed that the account was taken offline “by a Twitter customer support employee who did this on the employee's last day.”

(Related). Another potential question?
Security Sense: How Do You Do Knowledge Based Authentication When All Knowledge is Public?
Have a think about the ways you identify yourself to institutions, both commercial and government. Think about the process you go through in order to establish that you are indeed yourself and it’s not someone else pretending to be you. In particular, consider the sorts of questions you’re asked in order to establish enough confidence on behalf of that institution that they should now proceed with granting you whatever it was you contacted them for in the first place. Very often, you’re asked to partake in what’s referred to as Knowledge Based Authentication or KBA and that’s something we’ve now got a real problem with.
Consider the sorts of questions you’re usually asked, a classic one being your date of birth. This has always been a ludicrous KBA question because it’s a personal attribute we willingly share with others, simply because most of us like cake and presents. Yet we have cases like Betfair using only that and an email address to reset your password. No, you don’t have to actually receive an email, you just simply say “here’s an email and a birthdate and here’s the password I’d like that account to have”. Now that’s an extreme example and I believe they’ve since seen the futility of that approach and made some changes, but date of birth is still frequently a part of the KBA process.

Will this still be a good investment in the age of self-driving cars and Uber-like services?
Parking Spaces That Could Make You Rich
Marc Wisotsky and his partner, Jackie Lew, bought two spaces in 2005 in a parking garage near their home in Park Slope, Brooklyn, for around $45,000 each. They used one and rented out the other for $600 a month, pocketing $310 after taxes and the garage fee.
It was a tidy, reliable income, Mr. Wisotsky said, but the real payoff came when he and Ms. Lew sold their extra space last year for $285,000. “We could have gotten more — the prices just keep going up and up,” he said. “There are never as many parking spaces as residential units being built.”

If you are a JFK conspiracy nut, go away and read this. Great idea for a free demo!
E-discovery firm opens access to fully searchable database of JFK assassination records collection
by Sabrina I. Pacifici on Nov 2, 2017
ABA Journal: “The legal review software company iCONECT has digitized some JFK assassination records and is offering free access for 60 days. Launched Oct. 30, the company imported 6,701 public documents from the John F. Kennedy Assassination Records Collection to its Xera platform, including audio files. A user can now search various fields to find relevant information. This is an improvement over the National Archives’ repository of these documents, which are in PDF format and non-searchable, according to a press release. iCONECT also “built a search index, charts, graphs, quick-search folders and word-highlight reports for all the records,” according to the release. A user can even auto-mark CIA cryptonyms found throughout the document set.”

For the student toolkit.

New is not necessarily mainstream.
Blockchain development is now the second-hottest skill in the job market today, growing more than 200% since this time last year.
Blockchain developers now rank second among the top 20 fastest-growing job skills, and job postings for workers with those skills have more than doubled this year.

One Bitcoin Transaction Now Uses as Much Energy as Your House in a Week

Thursday, November 02, 2017

The joy of globalization?
Website Blindspots Show GDPR is a Global Game Changer
One of the less publicized features of the European General Data Protection Regulation (GDPR) is that US companies can be held liable even if they do not actively trade with Europe. This is because the regulation is about the collection and storage of European personal information, not about business.
Any U.S. company that operates a website that collects user information (a log-in form, or perhaps a subscription application) could unwittingly collect protected European PII. That makes the company liable -- there are GDPR requirements over how it is collected (including explicit user consent, secure collection, and limitations on what is collected). Whether European regulators could do anything about that liability if the US company has no physical presence in Europe is a different matter.

Security tool.
Standalone Signal Desktop Messaging App Released
Developed by Open Whisper Systems, Signal provides users with end-to-end encrypted messaging functionality and is already used by millions of privacy-focused Android and iOS users. The server doesn’t have access to users’ communication and no data is stored on it, thus better keeping all conversations safe from eavesdropping.
Now, the company has decided to make Signal Desktop available as a standalone application and to retire the Chrome app.
The standalone Signal Desktop application can be downloaded directly from the official website.

A follow-up to yesterday’s list.
Senate Intel Cmte Hearing – Social Media Influence in the 2016 U.S. Elections
by Sabrina I. Pacifici on Nov 1, 2017
Witnesses – Senate Judiciary Cmte Hearing – Social Media Influence in the 2016 U.S. Elections
The complete hearing before the Senate Intelligence Committee is available and KEYWORD searchable via the C-SPAN Video Library.
Vice President and General Counsel Colin Stretch – Facebook
General Counsel Sean Edgett – Twitter
Senior Vice President and General Counsel Kent Walker – Google

(Related). Did Russia cause this?
Americans Are Officially Freaking Out
Almost two-thirds of Americans, or 63 percent, report being stressed about the future of the nation, according to the American Psychological Association’s Eleventh Stress in America survey, conducted in August and released on Wednesday. This worry about the fate of the union tops longstanding stressors such as money (62 percent) and work (61 percent) and also cuts across political proclivities. However, a significantly larger proportion of Democrats (73 percent) reported feeling stress than independents (59 percent) and Republicans (56 percent).

Perspective. Self-contradictory answers? Bad questions or confused surveyee?
The State of Free Speech and Tolerance in America

Data – Google and Facebook now have direct influence over 70% of internet traffic
by Sabrina I. Pacifici on Nov 1, 2017
Do you use Google all the time – at work, on your personal and work mobile devices, tablets, and home/work laptops? This article by André Staltz, The Web began dying in 2014, here’s how, was published on October 30, 2017 and the data he references may surprise you, or not.
“Before the year 2014, there were many people using Google, Facebook, and Amazon. Today, there are still many people using services from those three tech giants (respectively, GOOG, FB, AMZN). Not much has changed, and quite literally the user interface and features on those sites has remained mostly untouched. However, the underlying dynamics of power on the Web have drastically changed, and those three companies are at the center of a fundamental transformation of the Web… What has changed over the last 4 years is market share of traffic on the Web. It looks like nothing has changed, but GOOG and FB now have direct influence over 70%+ of internet traffic. Mobile internet traffic is now the majority of traffic worldwide and in Latin America alone, GOOG and FB services have had 60% of mobile traffic in 2015, growing to 70% by the end of 2016. The remaining 30% of traffic is shared among all other mobile apps and websites. Mobile devices are primarily used for accessing GOOG and FB networks…” [I use non-Google browsers and search engines for as much of my online time as possible.]
And see also via Fortune: “The Pew Research Center finds that 67% of all Americans get their news from social media at least some of the time. Social and search platforms have won our trust, as well. People actually trust Google more than online media sites, according to a 2016 survey by Edelman. And fake news outperforms real news, according to an analysis by BuzzFeed.”

For the student toolkit.

A PowerPoint replacement or enhancement tool? Basic plan is free. Design guide is free.
Presentation Design Guide from Visme
Visme is a design tool that allows everyone to create beautiful graphics that help tell a story and engage an audience. You can use Visme to create presentations, infographics, graphics, charts, and reports. The folks at Visme have compiled over two years of research into a free 125-page digital design guide that you can download for free. The guide is especially useful for non-designers! Check out the video below to learn more about how you can use Visme to create some awesome projects.

For my website students.

Wednesday, November 01, 2017

I can’t recall a breach of credit card information where the victim was certified as being in compliance with PCI-DSS.
From the NYS Attorney General’s Office, yesterday:
Attorney General Eric T. Schneiderman today announced a $700,000 settlement with Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc. (“Hilton”), after data security incidents exposed over 350,000 credit card numbers in two separate breaches in 2015. Attorney General Schneiderman’s investigation, conducted in collaboration with the Vermont Attorney General’s office, revealed that Hilton did not provide consumers with timely notice and did not maintain reasonable data security.
… On February 10, 2015, Hilton learned from a computer services provider that a system Hilton utilized in the United Kingdom was communicating with a suspicious computer outside Hilton’s computer network. A forensic investigation revealed credit-card targeting malware that potentially exposed cardholder data between November 18 and December 5, 2014.
On July 10, 2015, Hilton learned of a second breach through an intrusion detection system. A forensic investigation found further malware designed to steal credit card information. It found that payment card data was potentially exposed from April 21, 2015 through July 27, 2015, as well as evidence of 363,952 credit card numbers aggregated for removal by the attackers.

Keep up!
Facebook, Google and Twitter Executives Testified on Russian Disinformation
by Sabrina I. Pacifici on Oct 31, 2017
The Senate Committee on the Judiciary, Subcommittee on Crime and Terrorism hearing entitled: “Extremist Content and Russian Disinformation Online: Working with Tech to Find Solutions” October 31, 2017. This link includes video of the testimony as well as transcripts of prepared testimony by Facebook, Twitter, Google as well as two subject matter experts.
  • The Washington Post: “Tuesday’s hearing by a Senate judiciary subcommittee comes a day after the prepared testimonies of Facebook and Twitter revealed that the reach of the Russian-connected disinformation campaign on their platforms was much larger than initially reported. As many as 126 million Facebook users may have seen content produced and circulated by Russian operatives. Twitter said it had discovered that 2,752 accounts controlled by Russians, and more than 36,000 Russian bots tweeted 1.4 million times during the election. And Google disclosed for the first time that it had found 1,108 videos with 43 hours of content related to the Russian effort on YouTube. It also found $4,700 worth of Russian search and display ads…”
  • Google Blog Post – Security and disinformation in the U.S. 2016 election: “We have been conducting a thorough investigation related to the U.S. election across our products drawing on the work of our information security team, research into misinformation campaigns from our teams, and leads provided by other companies. Today, we are sharing results from that investigation. While we have found only limited activity on our services, we will continue to work to prevent all of it, because there is no amount of interference that is acceptable…”

Interesting. I wonder what other questions trigger monthly charges?
Amazon’s Alexa now knows your credit score
Consumers can now ask Amazon’s Alexa device for their credit score. But it will cost them $25 a month.
The company said it hopes the skill will especially appeal to millennials. To access a report through Alexa, the user must give their username and password by voice command, as well as a four-digit personal key, which only lasts five minutes. If a user starts a new session after five minutes, they will be prompted for the personal key again.
The cost of a device that supports Alexa ranges from $50 for the Amazon Echo to $150 for an Echo Plus. And enabling many features of the Experian service on Alexa comes with a monthly fee.
The Alexa/Experian service is only available once consumers sign up for CreditWorks, a subscription service for credit monitoring that Experian sells. It comes in a “standard” version that is free, and a “premium” version that costs a steep $24.99 a month, after an introductory month for $4.99.
Those who use the standard, free version can only use two features: Hearing a summary of their credit and debt, and credit alerts.

We love you and we hate you? We hate you but we want you?
Survey Says Tech is Embraced and Mistrusted at the Same Time
by Sabrina I. Pacifici on Oct 31, 2017
Axios: “More than 70% of Americans believe technology has had a positive or somewhat positive effect on society, according to an Axios/ SurveyMonkey poll, and most Americans are optimistic about the impact of technology on the future. But that doesn’t mean they trust tech companies — 78% thought it was a “bad thing” that tech companies are able to collect so much information about their users.”

A simple question?

Da computer biz.
Microsoft's Office 365 subscription push pays off; what it means for biz
The company now has about 120 million active monthly users, and those subscriptions appear to be generating more revenue for Microsoft than it used to get from one-time licenses. That could entice the company to push subscriptions even harder.
If just 10% of the Office audience now accounts for more than 50% of the revenue, it would seem that Microsoft has an opportunity to generate enormous amounts of revenue, assuming it eventually offers only subscriptions and can turn every user into a subscriber. Analysts believe the first is inevitable. The second? Not so much.

Could this replace PowerPoint?
Sutori Updates Allow for Additional Embedding
Sutori is a great tool that allows you to create multimedia timelines. The product was just updated to include some features that make it better than ever.
Users are now able to embed nearly anything into a Sutori including Flipgrids, Padlets, Quizlets, Thinglinks, Instagrams, Buncees, History Channel videos, Prezi, and Tweets, as well as Google Docs, Forms, Slides, Presentations, and Maps. More option will be added in the near future.
The other update is single sign-on for teachers and students using Microsoft Office 365.
Check out this video to learn more about Sutori.

Tuesday, October 31, 2017

For my Computer Security and Ethical Hacking students.
FireEye Releases Managed Password Cracking Tool
FireEye on Monday released a tool designed to help red teams manage password cracking tasks across multiple GPU servers. Called GoCrack, the open source tool provides an easy-to-use, web-based real-time UI to create, view, and manage password cracking tasks.
The server component can run on any Linux server running Docker, while users with NVIDIA GPUs can use NVIDIA Docker to run the worker in a container with full access to the GPUs.
“Password cracking tools are an effective way for security professionals to test password effectiveness, develop improved methods to securely store passwords, and audit current password requirements,” FireEye’s Christopher Schmitt explained in a blog post. “Some use cases for a password cracking tool can include cracking passwords on exfil archives, auditing password requirements in internal tools, and offensive/defensive operations."
GoCrack is available for download from GitHub, along with its source code.

A Security philosophy?
Life Between Absolutes - The Challenge of a Security Professional
Security has never been about being ‘secure’ or ‘insecure’; I think we as an industry of professionals can broadly agree on this. What we don’t seem to agree on, pretty much ever, is how to strike the balance of good enough security.
In what feels like a never-ending struggle, I bear witness to the results of this on a daily basis working on the provider side of the problem. Over-engineering solutions leads to resentment and distrust from the business side. Under-engineering leads to situations of blame and catastrophe. I don’t think either end is a good result.
So, where’s the middle?
Strive for a defensible result. In other words, when things go wrong, and you’re faced with a bad day, make sure you can defend your strategy and approach in front of a court of law and public opinion. Do not only what the bare minimum calls for but what is necessary and proper. It’s that last word that will get you into trouble, I think.
Lawyers will tell you that “necessary and proper” is a legal term. It’s a way to protect yourself, your customers, your shareholders and executives. It’s doing things “just right.” It’s acknowledging that there will be mistakes and accounting for them. When you have a communications breakdown and someone misses a patch or makes an unauthorized change, it’s critical to know how fast you can catch it and what you do about it.

Monday, October 30, 2017

A minor kerfuffle in a minor state. No wonder this isn’t making much mainstream news.
Who Ordered Destruction of Data That Could Have Proved Georgia Election Rigging?

KSU Says Elections Server Was Wiped After FBI Gave Clearance
Kennesaw State University says a computer server holding state election data was wiped clean after copies of it were made by the FBI and the agency told KSU its investigation into a possible hack was complete.
A group suing the state, charging Georgia’s voting system is outdated and not secure, says KSU erased the server in July after its lawsuit was filed. The group says data on the server may have revealed whether state elections were hacked.
“This was not accidental. This was something that was conducted with purpose to make sure that the information could never be recovered again,” said Richard DeMillo, a computing professor at Georgia Tech who has been closely watching the case.
… “Following the notification from the FBI that no data was compromised and the investigation was closed, the server was returned to the University’s Information Technology Services group and securely stored,” the statement said.

(Related). This is my favorite headline.
In Total Coincidence, Georgia Destroys Election Data Days After Vote Hacking Lawsuit
On July 4th, presumably while honoring freedom, Georgia Secretary of State Brian Kemp learned that his office was being sued for ignoring clear evidence that his state’s voting machines were compromised and extremely vulnerable to vote manipulation for over a year.
On July 7th, all vote count data for the summer’s special election between Karen Handel and John Ossoff, which the suit sought to have overturned, was wiped from the state’s servers.
… Kemp knows election integrity is serious and important, especially because his state’s voting machines “run on a modified version of Windows last updated by Microsoft 14 years ago,” and “had been compromised and left unprotected from intruders since at least last summer,” and “despite claims to the contrary from Georgia officials […] the state’s election machines are connected to the Internet every time they come in contact with an electronic device that’s been inserted into a computer that’s connected online.”
… Nobody has yet said who ordered the thorough destruction of the data on July 7th, nor the later destruction of all backup data, nor why it was done. It was “standard operating procedure,” according to the media office at Kennesaw State University, where Georgia’s election data is kept.
For who among us doubts that it’s the very definition of “standard” for Georgia to obliterate any possible evidence of election tampering?
The AP reports that the FBI copied at least some of the relevant data in March, during its own investigation into security issues, so everything is even better than fine.

The Equifax story is far from over.
States Push Equifax to Explain Why It Took 6 Weeks to Disclose Hack
Attorneys general in at least five states are looking into why credit-reporting firm Equifax Inc. didn’t tell the public for nearly six weeks about the massive data breach that potentially compromised the personal information of 145.5 million Americans.

An update.
NotPetya Attack Had Significant Impact on Merck Revenue
American pharmaceutical giant Merck reported last week that the recent NotPetya malware attack caused losses of hundreds of millions of dollars in revenue.
The company’s financial results for the third quarter show that worldwide sales decreased by 2 percent to $10.3 billion compared to the same quarter of 2016. This was partly blamed on sales reduced by roughly $240 million due to insufficient stock of Gardasil 9, a vaccine designed to prevent certain cancers and other diseases caused by human papillomavirus (HPV).
Merck said it had to borrow the product from the U.S. Centers for Disease Control and Prevention’s Pediatric Vaccine Stockpile due to a higher demand than originally planned and the temporary disruption to production caused by the NotPetya attack.
“Additionally, as expected, revenue was unfavorably impacted by approximately $135 million from lost sales in certain markets related to the cyber-attack,” the company said in its latest SEC filing.

Each new technology revisits the learning curve of each prior technology.
We’ve Not Thought Through the Legal and Ethical Disruption of Augmented Reality
Let’s not repeat the mistakes we made with social media

Something for my Computer Security students as we discuss Disaster Recovery. Anyone can get it wrong.
Hewlett-Packard history lost to Santa Rosa fires
One of Silicon Valley's most important historic archives, that of the Hewlett-Packard company, has been destroyed in the Santa Rosa wildfires.
The Santa Rosa Press Democrat blames the loss of the archives on a decision to remove them from vaults that used to house them.
… The fires, which killed at least 23 Santa Rosa residents and destroyed 6,800 homes, left most of Keysight's campus with minor damage, but the modular buildings that housed the archives were completely destroyed.

Anything we should learn?
How Europe fights fake news
Unlike the US, where we rely on corporate efforts to tackle the problems of fake news and disinformation online, the European Commission and some national governments are wading into the murky waters of free speech, working to come up with viable ways to stop election-meddling and the violence that has resulted from false news reports.

For all my geeks.
200 universities just launched 560 free online courses
by Sabrina I. Pacifici on Oct 29, 2017
Medium – Dhawal Shah: “If you haven’t heard, universities around the world are offering their courses online for free (or at least partially free). These courses are collectively called MOOCs, or Massive Open Online Courses. In the past six years or so, close to 800 universities have created more than 8,000 of these MOOCs. And I’ve been keeping track of these MOOCs the entire time over at Class Central, ever since they rose to prominence… Here’s the full list of new free online courses…”

Tools for our App developers.
These days there are many types of desktop devices, and many different operating systems run on them, so getting a program to work on all of them can be a challenge. That is where the open-source Electron framework comes in.
Electron is a software framework for cross-platform desktop application development, covering most desktop operating systems: Windows, Mac, and Linux.

(Related) Possible applications?
Library of Congress Congressional Data Challenge
The National Data Challenge from the Library of Congress is a competition that is asking "citizen coders" to develop creative ways to use technology to analyze, visualize, and interpret data sets from as well as other platforms. The idea is to create a product that helps others discover, use, and explore the massive collection of legislative information that is available from the Library.
Some examples of what the staff at the Library of Congress envision include:
  • A visualization of how the legislative process works.
  • Tools that could be embedded on Congressional websites.
  • A tool that will allow members of congress to be matched with other members who have similar legislative interests.
The Library of Congress will award $5000 to the first prize winner and $1000 for the best high school project. Submissions must be received by April 2, 2018 and include a 2-minute video.

Sunday, October 29, 2017

Yes, this is a big deal. No, I doubt the terrorists would lose this USB device.
From the holy-shit-this-is-bad dept.
Dan Warburton reports that a man found a USB stick in the street and plugged it into a library computer (well, ok, we can discuss that later), but what he found was breath-taking, and not in a good way: 174 documents with 2.5 GB of data that included:
  • The exact route the Queen takes when using the airport and security measures used to protect her.
  • Files disclosing every type of ID needed – even those used by covert cops – to access restricted areas.
  • A timetable of patrols that was used to guard the site against suicide bombers and terror attacks.
  • Maps pinpointing CCTV cameras and a network of tunnels and escape shafts linked to the Heathrow Express.
  • Routes and safeguards for Cabinet ministers and foreign dignitaries.
  • Details of the ultrasound radar system used to scan runways and the perimeter fence.
Read more on The Mirror.
So… who done it? Why? Is this the only copy of these files in the wild?
This is a very worrying situation for the U.K.
So far, I’m not finding any statement in media coverage as to metadata – when were these files copied on to the USB stick – and would all these files have been on the same system? There are lots of questions needing answers. [Amen! Bob]

For my Computer Security students. Identical to keeping the default password.
DUHK attack puts random number generators at risk
… The vulnerability has been dubbed DUHK, which stands for Don't Use Hard-coded Keys, and affects devices that use the ANSI X9.31 Random Number Generator (RNG) and a hardcoded seed key. Researchers Nadia Heninger and Shaanan Cohney from the University of Pennsylvania, along with cryptographer Matthew Green at Johns Hopkins University, studied the Federal Information Processing Standards (FIPS) certified products that use the ANSI X9.31 RNG algorithm and found 12 that are vulnerable to DUHK.

Privacy is already being redefined under GDPR.
Kevin Murphy writes:
Two Dutch geo-gTLDs are refusing to provide public access to Whois records in what could be a sign of things to come for the whole industry under new European privacy law.
Both .amsterdam and .frl appear to be automatically applying privacy to registrant data and say they will only provide full Whois access to vetted individuals such as law enforcement officials.
ICANN has evidently slapped a breach notice on both registries, which are now complaining that the Whois provisions in their Registry Agreements are “null and void” under Dutch and European Union law.
Read more on DomainIncite.

A more cynical blogger might call this the “auto-stalking feature.”
Google auto-detects your whereabouts to get local search results
… The tech titan has moved away from relying on country-specific domains to serve up localized results on mobile web, the Google app for iOS, as well as Search and Maps for desktop. Now, your location dictates the kind of results you'll get -- you could go to, for instance, but if you're in New Zealand, you'll still get search results tailored for your current whereabouts. You'll know the location Google recognizes by looking at the lower left-hand corner of the page

This will never be easy.
Facebook struggles to contain Russia narrative
… Some lawmakers are already pressing for more details about so-called organic content, including unpaid posts from thousands of fake, automated and hijacked user accounts. Those questions could require Facebook to divulge more details about the priceless proprietary algorithms it uses to decide what messages its users see.
Top Senate Judiciary Committee Democrat Dianne Feinstein asked Facebook CEO Mark Zuckerberg on Friday for a wealth of additional data about Russian activity on its networks, including all organic content and ads "targeted to any part of the United States" by any users who "may be connected in some way to Russia." The California senator also sent an extensive data request to Twitter CEO Jack Dorsey.

Perspective. Remember when a billion dollars was a lot of money?
The big five tech giants added $181 billion in market value on Friday
… Those five companies have gained almost $900 billion in market capitalization over the past year.

Probable that lawyers believe all clients act like this…