Tuesday, October 30, 2018

My tax dollars at waste. No indication they fired this guy. No indication his manager was disciplined. No indication of management at all, come to think of it.
https://techcrunch.com/2018/10/29/porn-sites-blamed-after-government-network-infected-malware/
Civil servant who watched porn at work blamed for infecting a US government network with malware
A U.S. government network was infected with malware thanks to one employee’s “extensive history” of watching porn on his work computer, investigators have found.
The audit, carried out by the U.S. Department of the Interior’s inspector general, found that a U.S. Geological Survey (USGS) network at the EROS Center, a satellite imaging facility in South Dakota, was infected after an unnamed employee visited thousands of porn pages that contained malware, which downloaded to his laptop and “exploited the USGS’ network.” Investigators found that many of the porn images were “subsequently saved to an unauthorized USB device and personal Android cell phone,” which was connected to the employee’s government-issued computer.
Investigators found that his Android cell phone “was also infected with malware.”
The findings were made public in a report earlier this month but buried on the U.S. government’s oversight website and went largely unreported.
… Investigators recommended that USGS enforce a “strong blacklist policy” of known unauthorized websites and “regularly monitor employee web usage history.”
The report also said the agency should lock down its USB drive policy, restricting employees from using removable media on government devices, but it’s not known if the recommendations have yet gone into place. USGS did not return a request for comment.
I’m going to read this carefully.
https://www.securityweek.com/92-external-web-apps-have-exploitable-security-flaws-or-weaknesses-report
92% of External Web Apps Have Exploitable Security Flaws or Weaknesses: Report
Most large companies readily admit that they have shadow IT and legacy applications they do not know, and that this at least theoretically makes them vulnerable. It is generally considered to be an acceptable risk.
The purpose of this research from High-Tech Bridge (HTB) is designed to show that the problem is far bigger and less acceptable than most companies imagine. It was prompted, at least in part, by HTB's experience with one particular U.S. government agency client.
"They told us," HTB founder and CEO Ilia Kolochenko told SecurityWeek, "'We know we have shadow IT – about 250 applications.'" HTB used its non-intrusive scanning tools and replied, "No, you have 8000 shadow IT applications." The implication is that this government agency has around 7,750 shadow IT applications that it doesn't know and isn't monitoring – leaving it potentially vulnerable to an unquantifiable risk.
Just saying…
https://www.securityweek.com/us-election-integrity-depends-security-challenged-firms
US Election Integrity Depends on Security-Challenged Firms
A trio of companies — ES&S of Omaha, Nebraska; Dominion Voting Systems of Denver and Hart InterCivic of Austin, Texas — sell and service more than 90 percent of the machinery on which votes are cast and results tabulated. Experts say they have long skimped on security in favor of convenience, making it more difficult to detect intrusions such as occurred in Russia's 2016 election meddling.
The businesses also face no significant federal oversight and operate under a shroud of financial and operational secrecy despite their pivotal role underpinning American democracy.
In much of the nation, especially where tech expertise and budgets are thin, the companies effectively run elections either directly or through subcontractors.
Something my students need to understand. Metadata is often sufficient to identify communication between possible targets. This will make it only slightly more difficult.
https://arstechnica.com/information-technology/2018/10/new-signal-privacy-feature-removes-sender-id-from-metadata/
New Signal privacy feature removes sender ID from metadata
Plenty of messaging apps use strong encryption to make it next to impossible for law enforcement officers or other potential adversaries to read communications sent between parties. Often, however, unencrypted metadata—such as the sender, receiver, and time a message is sent—is all the sensitive data an adversary needs. Now, the Signal app is testing a new technique called "sealed sender" that's designed to minimize the metadata that's accessible to its servers.
A beta release announced Monday will send messages that remove most of the plain-text sender information from message headers.
… Signal's beta comes 12 days after federal prosecutors revealed they were able to build a strong case against a US Treasury official by monitoring, in real-time, the messages she sent and received using an unnamed encrypted messaging app. On August 15, according to a criminal complaint, investigators used a court-issued pen register and trap and trace order to determine the official exchanged 10 messages with a BuzzFeed reporter using the encrypted app. Over the next two months, the same order showed the official and reporter traded 301 messages using the same app.
The account provided in the complaint was a reminder that encryption doesn't always provide users with anonymity unless they take extra precautions.
This seems quite confusing. Will this system prevent unauthorized people from entering the school? The article seems to suggest not.
https://motherboard.vice.com/en_us/article/j53ba3/facial-recognition-school-surveillance-v25n3
Facing Tomorrow's High-Tech School Surveillance
… Earlier this year, the school district announced it would be using tech developed by SN Technologies Corp., the Canadian company behind Aegis, a surveillance platform that comes with both facial recognition software and a tool designed to flag guns that might appear on the camera footage (provided the firearm is in someone’s hand, not in a bag). In the wake of high-profile mass school shootings across the US, Lockport, a small, conservative town of around 20,000 people, has invested in Aegis out of a belief the facial recognition system will help safeguard students, even though there’s no evidence that such a system would be an effective security measure in an active shooter scenario.
… The idea is that the school could get an extra few seconds of warning when an unwanted person arrives on campus, whether that’s an expelled student or an escaped felon. But critics of the system point out that the vast majority of school shooters are enrolled students—individuals who probably wouldn't be in the facial database.
Hundreds of documents related to Lockport’s new surveillance program, obtained by the NYCLU in late August through a Freedom of Information Law request, suggest that Lockport did not engage with the community before deciding to move ahead with installing the surveillance network, and that a security consultant who taught Lockport’s board about the tech and was later hired by the district holds licensing for Aegis through a separate company, CSI. The NYCLU found nothing in the documents outlining policies for accessing data collected by the cameras, or what faces would be fed to the system in the first place. And based on emails acquired through the same FOIL request, the NYCLU noted, Lockport administrators appeared to have a poor grasp on how to manage access to internal servers, student files, and passwords for programs and email accounts.
“The serious lack of familiarity with cybersecurity displayed in the email correspondence we received and complete absence of common sense redactions of sensitive private information speaks volumes about the district’s lack of preparation to safely store and collect biometric data on the students, parents and teachers who pass through its schools every day,” an editor’s note to the NYCLU’s statement on the Lockport documents reads.
Perspective.
http://fortune.com/longform/a-fork-in-the-road-for-avis/
A Fork in the Road for Avis
Self-driving cars and ride-hailing services could make the car-rental industry obsolete—or create a huge opportunity. Here’s how Avis Budget is adapting.
Research tool? The CAP data is free for the public to use and access.
https://www.bespacific.com/the-caselaw-access-project-expands-public-access-to-us-law/
The Caselaw Access Project expands public access to US law
Three Hundred and Sixty Years of Caselaw: “The Caselaw Access Project (“CAP”) expands public access to U.S. law. Our goal is to make all published U.S. court decisions freely available to the public online, in a consistent format, digitized from the collection of the Harvard Law Library.
What data do we have? CAP includes all official, book-published United States case law — every volume designated as an official report of decisions by a court within the United States. Our scope includes all state courts, federal courts, and territorial courts for American Samoa, Dakota Territory, Guam, Native American Courts, Navajo Nation, and the Northern Mariana Islands. Our earliest case is from 1658, and our most recent cases are from 2018. Each volume has been converted into structured, case-level data broken out by majority and dissenting opinion, with human-checked metadata for party names, docket number, citation, and date. We also plan to share (but have not yet published) page images and page-level OCR data for all volumes…”
This might be fun in my next statistics class.
https://www.bespacific.com/the-highway-drone-dataset/
The Highway Drone Dataset
Naturalistic Trajectories of 110 000 Vehicles Recorded at German Highways
Request access to the dataset! [The HighD dataset is free for non-commercial use only. If you are interested in commercial use]
“About the Dataset – The highD dataset is a new dataset of naturalistic vehicle trajectories recorded on German highways. Using a drone, typical limitations of established traffic data collection methods such as occlusions are overcome by the aerial perspective. Traffic was recorded at six different locations and includes more than 110 000 vehicles. Each vehicle’s trajectory, including vehicle type, size and manoeuvres, is automatically extracted. Using state-of-the-art computer vision algorithms, the positioning error is typically less than ten centimeters. Although the dataset was created for the safety validation of highly automated vehicles, it is also suitable for many other tasks such as the analysis of traffic patterns or the parameterization of driver models. Click here for details.”
Unfortunately, this has applications in many areas.
http://dilbert.com/strip/2018-10-30