Saturday, January 13, 2018

Never leave your computer unattended.
Simple Attack Allows Full Remote Access to Most Corporate Laptops
Researchers have discovered a flaw in Intel's Advanced Management Technology (AMT) implementation that can be abused with less than a minute of physical access to the device.
An Evil Maid attack could ultimately give an adversary full remote access to a corporate network without having to write a single line of code.
The flaw was discovered by F-Secure senior security consultant Harry Sintonen, and disclosed today.
"In practice, it can give an attacker complete control over an individual's work laptop, despite even the most extensive security measures."
The problem is that setting a BIOS password (standard procedure) does not usually prevent access to the AMT BIOS extension – the Intel Management Engine BIOS Extension (MEBx). Unless this separate password is changed, and usually it is not, the default 'admin' password will give the attacker access to AMT.

Have politicians learned anything about security?
Shane Harris reports:
The Russian hackers who stole emails from the Democratic National Committee as part of a campaign to interfere in the 2016 election have been trying to steal information from the U.S. Senate, according to a report published Friday by a computer security firm.
Beginning last June, the Russian hackers set up websites that were meant to look like an email system available only to people using the Senate’s internal computer network, said the report by Trend Micro Inc. The sites were designed to trick people into divulging their personal credentials, such as usernames and passwords.
The Associated Press was first to write about the report.
Read more on Washington Post.

I wonder what the FBI uses?
Microsoft Brings End-to-End Encryption to Skype
Microsoft this week announced that end-to-end encrypted communications are now available for preview to Skype insiders.
Called Private Conversations, the newly introduced feature secures both text chat messages and audio calls, Microsoft Program Manager Ellen Kilbourne revealed.
Furthermore, end-to-end encryption is also applied to any files users send to their conversational partners, including images, audio files, and videos. Not only will the contents of these conversations be hidden in the chat list, but they won’t appear in notifications either, to keep user’s information private.
Private Conversations, Kilbourne explains in a post, is using the industry standard Signal Protocol by Open Whisper Systems. The protocol is already providing end-to-end encryption to users of popular messaging applications such as Signal, WhatsApp, and Facebook Messenger.

Getting you ducks in order.
The road to AI leads through information architecture
… The evolution of the auto industry is similar in form to the currently nascent world of artificial intelligence . And like the auto industry, in order for AI to flourish, organizations must adopt and embrace a prerequisite set of conditions, or building blocks. For example, AI requires machine learning, machine learning requires analytics, and analytics requires the right data and information architecture (IA). In other words, there is no AI without IA. These capabilities form the solid rungs of what we call the “AI Ladder” — the increasing levels of analytic sophistication that lead to, and buttress, a thriving AI environment.

I want to talk this through with my Data Management class. Think of what is required to implement it?
U.S. Supreme Court to Review Bid to Collect Internet Sales Tax
The U.S. Supreme Court will consider freeing state and local governments to collect billions of dollars in sales taxes from online retailers, agreeing to revisit a 26-year-old ruling that has made much of the internet a tax-free zone.
Heeding calls from traditional retailers and dozens of states, the justices said they’ll hear South Dakota’s contention that the 1992 ruling is obsolete in the e-commerce era and should be overturned.

Because I’m hoping they let me teach Math again…
10 Good Resources for Math Teachers and Students

I’m sure the President would (like to) agree with Dilbert.

Friday, January 12, 2018

Step by step to illustrate a failure. Where else might this work?
Bogus Passwords Can Unlock AppStore Preferences in macOS
A security vulnerability impacting macOS High Sierra allows admins to unlock the AppStore Preferences in System Preferences by providing any password.
The issue was found to affect macOS 10.13.2, the latest iteration of the platform, and can be reproduced only if the user is logged in as administrator. For non-admin accounts, the correct credentials are necessary to unlock the preferences pane.
macOS High Sierra 10.13.2 users interested in reproducing the bug should log into their machines as administrators, then navigate to the App Store preferences in System Preferences.
Next, users should click on the padlock icon to lock it if necessary, then click it again. When prompted to enter the login credentials, they can use any password and still unlock the Prefpane.

Interesting. Prepare a dossier by stealing data online (or maybe just the Equifax data?) and use it to construct a plausible case for infidelity. Would it seem more real if it came by mail?
Bitcoin Blackmail by Snail Mail Preys on Those with Guilty Conscience
KrebsOnSecurity heard from a reader whose friend recently received a remarkably customized extortion letter via snail mail that threatened to tell the recipient’s wife about his supposed extramarital affairs unless he paid $3,600 in bitcoin. The friend said he had nothing to hide and suspects this is part of a random but well-crafted campaign to prey on men who may have a guilty conscience.
The letter addressed the recipient by his first name and hometown throughout, and claimed to have evidence of the supposed dalliances.
… Of course, sending extortion letters via postal mail is mail fraud, a crime which carries severe penalties (fines of up to $1 million and up to 30 years in jail). However, as the extortionist rightly notes in his letter, the likelihood that authorities would ever be able to catch him is probably low.
The last time I heard of or saw this type of targeted extortion by mail was in the wake of the 2015 breach at online cheating site But those attempts made more sense to me since obviously many AshleyMadison users quite clearly did have an affair to hide.
… I opted not to publish a scan of the letter here because it was double-sided and redacting names, etc. gets dicey thanks to photo and image manipulation tools. Here’s a transcription of it instead (PDF).

How (not) to handle a breach?
Federal Appeals Court Slams Data Breach Privilege Claim
In the most recent object lesson in a data breach privilege case, a federal appeals court has ordered a Michigan-based mortgage lender to turn over privileged forensic investigatory documents after the investigator’s conclusions were revealed in discovery.
… In an interrogatory response, United Shore said that it retained a forensic firm – through counsel – to investigate the breach that had concluded XMS’s action caused the intrusions. The interrogatory stated that its forensic investigator determined that “certain files stored in XMS’s … system had been accessed without authorization … in plain violation of established security protocols.” United Shore disclosed more than 150 non-privileged documents concerning the investigation, but it withheld additional documents based on the attorney client privilege.
District Court Ruling. XMS moved to compel United Shore to produce the privileged documents, arguing that it implicitly waived the attorney-client privilege by referencing its investigator’s conclusions in its discovery response.
The district court agreed. It concluded that United Shore not only disclosed that its investigator "conducted an investigation ... [but] also provided...conclusions from that investigation.”

Would we pass a law like this if we were starting from zero today? Probably not.
House Extends Surveillance Law, Rejecting New Privacy Safeguards
The House of Representatives voted on Thursday to extend the National Security Agency’s warrantless surveillance program for six years with minimal changes, rejecting a push by a bipartisan group of lawmakers to impose significant privacy limits when it sweeps up Americans’ emails and other personal communications.
The vote, 256 to 164, centered on an expiring law that permits the government, without a warrant, to collect communications from United States companies like Google and AT&T of foreigners abroad — even when those targets are talking to Americans.

Law is complex. Is there any place to ask about a topic and get answers that point out differences in all 50 states?
This may come as a shock. AP reports:
Connecticut’s highest court ruled Thursday on an issue that most people may think is already settled, saying doctors have a duty to keep patients’ medical records confidential and can be sued if they don’t.
The Supreme Court’s 6-0 decision overturned the ruling of a lower court judge who said Connecticut had yet to recognize doctor-patient confidentiality.
The high court’s ruling reinstated a lawsuit by former New Canaan resident Emily Byrne against the Avery Center for Obstetrics & Gynecology in Westport.
Read more on Boston Herald, while I scratch my head over this one. Connecticut health law never required confidentiality? Seriously? From reading the rest of the article, it sounds like the center had a pretty clear privacy policy that made it clear that they might disclose in response to subpoenas, but even so…..
So for all this time, mental health patients in Connecticut had no enforceable right to confidentiality? Or was there an exception for mental health?
How could this be????

Governments do not do IT well. (I may have said that a few hundred times.)
GAO – Agencies Need to Involve Chief Information Officers in Reviewing Billions of Dollars in Acquisitions
Information Technology: Agencies Need to Involve Chief Information Officers in Reviewing Billions of Dollars in Acquisitions GAO-18-42: Published: Jan 10, 2018. Publicly Released: Jan 10, 2018.
“Most of the 22 selected agencies did not identify all of their information technology (IT) contracts. The selected agencies identified 78,249 IT-related contracts, to which they obligated $14.7 billion in fiscal year 2016. However, GAO identified 31,493 additional contracts with $4.5 billion obligated, raising the total amount obligated to IT contracts in fiscal year 2016 to at least $19.2 billion (see figure). The percentage of additional IT contract obligations GAO identified varied among the selected agencies. For example, the Department of State did not identify 1 percent of its IT contract obligations. Conversely, 8 agencies did not identify over 40 percent of their IT-related contract obligations. Many of the selected agencies that did not identify these IT acquisitions did not follow Office of Management and Budget’s (OMB) guidance.
... agencies will likely miss an opportunity to strengthen CIOs’ authority and the oversight of IT acquisitions. As a result, agencies may award IT contracts that are duplicative, wasteful, or poorly conceived.”

Apparently, Ram trucks won’t be able to get over the wall either.
Fiat Chrysler Is Moving a Plant From Mexico to Michigan
Fiat Chrysler Automobiles said on Thursday it will shift production of Ram heavy-duty pickup trucks from Mexico to Michigan in 2020, a move that lowers the risk to the automaker’s profit should President Donald Trump pull the United States out of the North American Free Trade Agreement.

For my International students. Quite a list of languages supported!
Voice Dictation – Type with your Voice
Introducing the all-new Voice Dictation v2.0, a speech recognition app that lets you type with your voice. There’s no software to install, there’s no training required and all you need is Google Chrome on your Windows PC, Mac OS or Linux.
Dictation can recognize spoken words in English, Hindi, Español, Italiano, Deutsch, Français, and all the other popular languages. Another unique feature of Dictation is support for voice commands that let you do more with your voice. For instance, you can say a command like new line or nueva línea for inserting lines. You can add punctuations, special symbols and even smileys using simple commands in most languages.
This YouTube video will walk you through the Dictation app.
Dictation stores everything in your browser locally and not a byte of your data is uploaded anywhere.

Thursday, January 11, 2018

Don’t mess with Putin.
Hackers Leak Olympic Committee Emails in Response to Russia Ban
A group of hackers linked to Russia has leaked several emails apparently exchanged between officials of the International Olympic Committee (IOC) and other individuals involved with the Olympics. The leak comes in response to Russia being banned from the upcoming Pyeongchang 2018 Winter Games in South Korea.
The group, calling itself Fancy Bears and claiming to be a team of hacktivists that “stand for fair play and clean sport,” previously released confidential athlete medical records stolen from the systems of the World Anti-Doping Agency (WADA), and also targeted the International Association of Athletics Federations (IAAF). One of their most recent leaks included emails and medical records related to football (soccer) players who used illegal substances.
The first leaks from Fancy Bears came shortly after Russian athletes were banned from the 2016 Rio Olympics following reports that Russia had been operating a state-sponsored doping program.
While Fancy Bears claim to be hacktivists, researchers have found ties between the group and Fancy Bear, a sophisticated Russian cyber espionage team also known as APT28, Pawn Storm, Sednit, Sofacy, Tsar Team and Strontium.
The latest leak includes emails apparently exchanged between IOC officials and other individuals involved with the Olympics. Some of the messages discuss the recent decision to ban Russia from the upcoming Winter Games based on the findings of the IOC Disciplinary Commission.
While the hackers claim the emails they leaked prove the accusations, a majority of the messages don’t appear to contain anything critical. Furthermore, Olympics-related organizations whose systems were previously breached by the hackers claimed at the time that some of the leaked files had been doctored.

Evaluating the potential for hacking without actually hacking.
Is India's Aadhaar System Really "Hack-Proof"? Assessing a Publicly Observable Security Posture

Gosh, what a clever idea!
Uber’s Secret Tool for Keeping the Cops in the Dark
In May 2015 about 10 investigators for the Quebec tax authority burst into Uber Technologies Inc.’s office in Montreal. The authorities believed Uber had violated tax laws and had a warrant to collect evidence. Managers on-site knew what to do, say people with knowledge of the event.
Like managers at Uber’s hundreds of offices abroad, they’d been trained to page a number that alerted specially trained staff at company headquarters in San Francisco. When the call came in, staffers quickly remotely logged off every computer in the Montreal office, making it practically impossible for the authorities to retrieve the company records they’d obtained a warrant to collect. The investigators left without any evidence.

There ought to be a law…
This is still happening? It shouldn’t be. At what point should they be required to abandon using fax?
Alicia Bridges of CBC reports:
The Saskatchewan Health Authority has again faxed private medical information about a patient to a North Battleford computer shop, according to the frustrated owner of the business.
Darryl Arnold says his company fax machine received a 21-page medical report from the Shellbrook Hospital that was intended for a North Battleford-area doctor.
Read more on CBC. What’s also disturbing is that they seem to be trying to put the problem-solving on the involuntary recipient of their misdirected faxes:
Arnold said his company’s fax number is nearly identical to the one belonging to a North Battleford-area doctor’s office — it’s just one digit different.
He said he has been in contact with a health authority worker, who suggested he address the problem by changing his business fax number.
Arnold said he is willing to do that as long as the health authority compensates him for reprinting company business cards and letterhead.
But he said the health authority did not respond after he sent them the amount he wants them to pay for the number.
Arnold said the authority also suggested he try to set up his fax machine to block faxes from health authority numbers, but the company that sold him the machine has told him that’s not possible.
SHA is the source of the breach. THEY have to solve/prevent this – not the computer shop. Jeez….

For my Computer Security students.

I like the “annual inspection” idea. BUT Let’s do the math: $100 times 143,000,000 = More than the PowerBall and MegaMillions combined! It will never pass.
Bill Would Establish Cybersecurity Inspections, Impose Mandatory Penalties, and Compensate Consumers for Stolen Data
“United States Senators Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) today introduced the Data Breach Prevention and Compensation Act to hold large credit reporting agencies (CRAs) – including Equifax – accountable for data breaches involving consumer data. The bill would give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs, impose mandatory penalties on CRAs to incentivize adequate protection of consumer data, and provide robust compensation to consumers for stolen data. In September 2017, Equifax announced that hackers had stolen sensitive personal information – including Social Security Numbers, birth dates, credit card numbers, driver’s license numbers, and passport numbers – of over 145 million Americans. The attack highlighted that CRAs hold vast amounts of data on millions of Americans but lack adequate safeguards against hackers. Since 2013, Equifax has disclosed at least four separate hacks in which sensitive personal data were compromised. The Data Breach Prevention and Compensation Act would establish an Office of Cybersecurity at the FTC tasked with annual inspections and supervision of cybersecurity at CRAs. It would impose mandatory, strict liability penalties for breaches of consumer data beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information (PII) compromised and another $50 for each additional PII compromised per consumer. Under this legislation, Equifax would have had to pay at least a $1.5 billion penalty for their failure to protect Americans’ personal information. To ensure robust recovery for affected consumers, the bill would also require the FTC to use 50% of its penalty to compensate consumers and would increase penalties in cases of woefully inadequate cybersecurity or if a CRA fails to timely notify the FTC of a breach.”

For our Disaster Recovery discussion.
The Most Awful Transit Center in America Could Get Unimaginably Worse
… One day this autumn, an Acela pulls into Newark, N.J., and a railway spokesman escorts me onto the rear engine car, where we stand and take in the view facing backward. As we descend into one of the Hudson tunnels—there are two, both 107 years old, finished in the same year the Wright brothers built their first airplane factory—a supervisor flips on the rear headlights, illuminating the ghastly tubes.

What I have been saying for years.
Community-Owned Fiber Networks: Value Leaders in America
“By one recent estimate about 8.9 percent of Americans, or about 29 million people, lack access to wired home “broadband” service, which the U.S. Federal Communications Commission defines as an internet access connection providing speeds of at least 25 Mbps download and 3 Mbps upload. Even where home broadband is available, high prices inhibit adoption; in one national survey, 33 percent of non-subscribers cited cost of service as the primary barrier. Municipally and other community-owned networks have been proposed as a driver of competition and resulting better service and prices. We examined prices advertised by a subset of community-owned networks that use fiber-to-the-home (FTTH) technology. In late 2015 and 2016 we collected advertised prices for residential data plans offered by 40 community-owned (typically municipally-owned) FTTH networks. We then identified the least-expensive service that meets the federal definition of broadband (regardless of the exact speeds provided) and compared advertised prices to those of private competitors in the same markets. We were able to make comparisons in 27 communities and found that in 23 cases, the community-owned FTTH providers’ pricing was lower when the service costs and fees were averaged over four years. (Using a three year-average changed this fraction to 22 out of 27.) In the other 13 communities, comparisons were not possible, either because the private providers’ website terms of service deterred or prohibited data collection or because no competitor offered service that qualified as broadband. We also found that almost all community-owned FTTH networks offered prices that were clear and unchanging, whereas private ISPs typically charged initial low promotional or “teaser” rates that later sharply rose, usually after 12 months. We made the incidental finding that Comcast advertised different prices and terms for the same service in different regions. We do not have enough information to draw conclusions about the impacts of these practices. In general, our ability to study broadband pricing was constrained by the lack of standardization in internet service offerings and a shortage of available data. The FCC doesn’t collect data from ISPs on advertised prices, prices actually charged, service availability by address, consumer adoption by address, or the length of time consumers retain service.”

Health Care Just Became the U.S.’s Largest Employer
The Atlantic – “This moment was inevitable. It just wasn’t supposed to happen so soon. Due to the inexorable aging of the country—and equally unstoppable growth in medical spending—it was long obvious that health-care jobs would slowly take up more and more of the economy. But in the last quarter, for the first time in history, health care has surpassed manufacturing and retail, the most significant job engines of the 20th century, to become the largest source of jobs in the U.S. In 2000, there were 7 million more workers in manufacturing than in health care. At the beginning of the Great Recession, there were 2.4 million more workers in retail than health care. In 2017, health care surpassed both. There are several drivers of the health-care jobs boom. The first is something so obvious that it might actually be underrated, since it is rarely a proper news story in its own right: Americans, as a group, are getting older…”

Definitely an article to hand out in my next Statistics course!
Visualizing the Uncertainty in Data

Wednesday, January 10, 2018

My Computer Security students will debate this, because it clearly isn’t going away. On the other hand, I will be demonstrating how easily they can create Pubic/Private key encryption.
Zack Whittaker reports:
The FBI said the number of encrypted devices that the FBI has been unable to access last year has risen.
FBI director Christopher Wray said in a conference Tuesday at Fordham University in New York that the agency couldn’t access 7,775 devices in 2017 because the contents were scrambled.
That’s up from over 6,900 in October.
Read more on ZDNet.

Trust is what they sell.
How Antivirus Software Can be the Perfect Spying Tool
Your antivirus product could be spying on you without you having a clue. It might be intentional but legitimate behavior, yet (malicious) intent is the one step separating antivirus software from a cyber-espionage tool. A perfect one, experts argue.
Because we trust the antivirus to keep us safe from malware, we let it look at all of our files, no questions asked. Regardless of whether personal files or work documents, the antivirus has access to them all, which allows it to work as needed.
To prove this and using the "Antivirus Hacker's Handbook" (Joxean Koret) as base for an experiment, he tampered with the virus signatures for Kaspersky Lab’s Internet Security for macOS and modified one of the signatures to automatically detect classified documents and mark them for collection. By modifying signatures instead of the antivirus engine, he didn’t alter the security application’s main purpose.

This is not funny in a world where technology should have stop this.
A Foreign Navy Screwed Up Its New $3 Billion Nuclear Missile Sub By Leaving Its Hatch Open
The modern submarine is not a simple machine. A loss of propulsion, unexpected flooding, or trouble with reactors or weapons can doom a sub crew to a watery grave.
Also, it’s a good idea to, like, close the hatches before you dive.
Call it a lesson learned for the Indian navy, which managed to put the country’s first nuclear-missile submarine, the $2.9 billion INS Arihant, out of commission in the most boneheaded way possible.
The Hindu reported yesterday that the Arihant has been out of commission since suffering “major damage” some 10 months ago, due to what a navy source characterized as a “human error” — to wit: allowing water to flood to sub’s propulsion compartment after failing to secure one of the vessel’s external hatches.

As citizens get better as circumventing government “shutdowns,” governments get better at closing the loopholes. A case study for my Ethical Hacking students.
Iran tried to block the internet to disrupt protests. It wound up disrupting daily life
… Like other Iranians dependent on the web, Nouri was at first set back when the Supreme National Security Council restricted access to social media applications and servers commonly used to bypass Iran's cloistered internet.
"We weren't able to communicate to our users and we lost payments," Nouri said.
It took the 32-year-old three days to find a different server to host his mobile app design company, which employs 15 people, allowing him to again evade government censors and get his business back up and running.
As authorities have tried to govern the internet, Iranians have over the years become adept at circumventing online censorship. But as more Iranians use the internet — and the internet plays a bigger role in an increasingly web-connected society — crackdowns have broader effects. For many, internet restrictions in recent weeks disrupted daily life more than the protests did.
… As the latest protests spread, authorities banned use of Telegram and Instagram, which had been used to mobilize demonstrations. At one point, authorities completely cut off internet access for 30 minutes, according to security experts.

Well, I find it interesting.
Introduction: Artificial Intelligence, Technology, and the Law
Stern, Simon, Introduction: Artificial Intelligence, Technology, and the Law (December 24, 2017). 68 University of Toronto Law Journal (2018). Available at SSRN:
“This article introduces the essays on “Artificial Intelligence, Technology, and the Law” in the issue of the University of Toronto Law Journal based on a conference held in February 2017. The article discusses the themes of each paper, examining the challenges they raise and reflecting on their further implications.”

(Related). All of these should be obvious!
6 Ways Artificial Intelligence Can Help Lawyers (Infographic)
Rocket Matter: “There’s no doubt about it: Artificial intelligence (AI) is on the rise and is very much a part of our reality. Though lawyers may be weary of AI taking their jobs, there is much to be said for artificial intelligence as a major asset to law firms. Still not convinced? This infographic breaks down six ways that artificial intelligence can help lawyers…”

Probably not the end of this story.
Colleagues rally around handcuffed teacher as Louisiana superintendent defends raise
A Louisiana school board is under fire after a teacher was forcibly removed from a board meeting after questioning the superintendent's pay. Deyshia Hargrave was handcuffed and arrested by a city marshal Monday night in Abbeville. The middle school English teacher was booked on one count of resisting an officer and one count of remaining on premises after being forbidden. She later posted bond.
Superintendent Jerome Puyau is not commenting on Hargrave's arrest, but is defending his raise, reports CBS News' Vladimir Duthiers.
"It was time that we brought to the board a salary that's commensurate with what superintendents are making," Puyau said.
Since 2012, Puyau has been making about $110,000 per year, according to two board members. With the new contract that was approved Monday, he could earn $38,000 more. In 2016, the average Louisiana teacher's salary was around $49,000.
The Vermilion Parish School board and the city prosecutor say they are not moving forward with charges against Hargrave, but many in the district still want to know why their colleague, a former teacher of the year, was arrested in the first place.

This definitely falls in the “we can, therefore we must” category. All I can say is, “must we, really?”
Ikea Wants You to Pee on This Ad. If You’re Pregnant, It Will Give You a Discount on a Crib
Swedish agency Åkestam Holst, Adweek’s International Agency of the Year for 2017, has been killing it with the Ikea work in recent years. And it starts out 2018 with a splash (sorry) by creating a magazine ad that women are encouraged to pee on.
Sounds a bit gross, and maybe it is—but there’s a fun twist. If you’re pregnant, peeing on the ad reveals a special discounted price on cribs, thanks to technology similar to that in pregnancy-test kits.
… This is definitely the coolest pee-based advertising since Animal Planet put urine-scented ads at the bottom of lampposts to attract dogs (whose owners then saw a larger ad at their own eye level promoting a dog award show).

Tuesday, January 09, 2018

Not my Centennial. Also, be careful what you say, the data accessed looks important to me!
Travis Loose reports:
The Centennial School District on Friday announced a security breach within its student information systems. District officials do not currently believe any important student information was taken, however the investigation is ongoing.
Two Centennial High School students — a junior and senior, both under 18 — are responsible for data breach, school district spokeswoman Carol Fenstermacher told Patch in an email Friday. One of the students reportedly told authorities they did it to “show that the system could be hacked,” Fenstermacher said, but police are working to determine any specific or nefarious intent.
The district’s IT staff reportedly found the access points that were hacked by the students and has secured them, Fenstermacher said. Law enforcement is determining the full extent of the breach and figuring what, if anything, was taken.
Read more on Patch.
[From the article:
Fenstermacher said the hackers were able to access the names, birthdates, addresses, schools and grade levels, phone numbers, student IDs, and demographic information of all current and former Centennial School District students.

What were they (not) thinking?
I tweeted about this breach disclosure earlier today after Zack Whittaker called everyone’s attention to it, and I am glad to see that Catalin has written the matter up:
In a data breach notification letter submitted to the Office of the Attorney General for the state of California, a makeup product vendor said it could not fully assess the impact of a recent card security breach due to a lack of backups.
[…] Beautyblender started investigating the incident after two customers complained about fraudulent transactions on credit cards used on the site.
[…] “Unfortunately, due to the lack of backups of the website that were available from the website hosting company, beautyblender has been unable to confirm the date that the malware was placed on the website.”
Their last backup was in April, 2015. Ugh.
Read more on BleepingComputer.

North Korea needs hard currency.
Monero Miner Sends Cryptocurrency to North Korean University
An application compiled just weeks ago was found to be an installer for a Monero miner designed to send the mined currency to a North Korean university, AlienVault reports.
The application’s developers, however, might not be of North Korean origins themselves, the security researchers say. They also suggest that the tool could either be only an experimental application or could attempt to trick researchers by connecting to Kim Il Sung University in Pyongyang, North Korea.

Still trust this vendor?
Hardcoded Backdoor Found on Western Digital Storage Devices
Discovered by GulfTech security researcher James Bercegay, the security flaws could be exploited to achieve remote root code execution on the affected WD My Cloud personal cloud storage units (the device is currently the best-selling NAS (network attached storage) device on Amazon).
One of the most important security issues the researcher found was an unrestricted file upload vulnerability created by the “misuse and misunderstanding of the PHP gethostbyaddr() function,” the researcher says.

Definitely an article for my Computer Security student toolkit!
Perhaps you’re an office manager tasked with setting up a new email system for your nonprofit, or maybe you’re a legal secretary for a small firm and you’ve been asked to choose an app for scanning sensitive documents: you might be wondering how you can even begin to assess a tool as “safe enough to use.” This post will help you think about how to approach the problem and select the right vendor.

Something for my researching students?
New guide helps journalists, researchers investigate misinformation, memes and trolling
“Recent scandals about the role of social media in key political events in the US, UK and other European countries over the past couple of years have underscored the need to understand the interactions between digital platforms, misleading information and propaganda, and their influence on collective life in democracies. In response to this, the Public Data Lab and First Draft collaborated last year to develop a free, open-access guide to help students, journalists and researchers investigate misleading and viral content, memes and trolling practices online. Released today, the five chapters of the guide describe a series of research protocols or “recipes” that can be used to trace trolling practices, the ways false viral news and memes circulate online, and the commercial underpinnings of problematic content. Each recipe provides an accessible overview of the key steps, methods, techniques and datasets used. The guide will be most useful to digitally savvy and social media literate students, journalists and researchers. However, the recipes range from easy formulae that can be executed without much technical knowledge other than a working understanding of tools such as BuzzSumo and the CrowdTangle browser extension, to ones that draw on more advanced computational techniques. Where possible, we try to offer the recipes in both variants…”

Tech’s Enormous Scale: Samsung Now Outspends Exxon and Shell Combined
Samsung Electronics Co. spent more money on capital expenditures last year than any other publicly traded company, offering a dramatic example of how technology and telecom firms have driven an uptick in global manufacturing investment.
The South Korean tech giant invested $44 billion to build or expand new facilities making semiconductors, displays and other products, according to S&P Global Market Intelligence estimates.

Always an amusing argument.
… Both conservatives and progressives invoke “consumer welfare” as antitrust’s core concern, but they offer divergent interpretations of this concept. Guided by the late Robert Bork’s seminal work, The Antitrust Paradox, conservatives invoke a total welfare standard that regards efficiency-enhancing mergers as presumptively legitimate, no matter how those gains are allocated between consumers and producers. For their part, progressives also focus on the consequences for consumers, but employ a broader understanding of consumer welfare that encompasses quality, innovation, and choice as well as price.
Recently, a third stance has entered the fray. Populists regard the consumer welfare standard as inadequate, because it pays no attention to the political dimension of antitrust — in particular, to the connection between economic concentration and corporate political power. Reflecting a tradition extending back a century to the thought of Louis D. Brandeis, populists believe that a multiplicity of businesses is preferable to a small number of large firms — for the health of local communities as well as economic sectors — even if consumers pay higher prices.

NYU professor Scott Galloway talks about the pervasive influence of Big Tech – both good and bad – in his new book.

For my geeks who Pi.

Monday, January 08, 2018

Surveillance as a commercial opportunity?
EFF – “Across the country, private companies are deploying vehicles mounted with automated license plate readers (ALPRs) to drive up and down streets to document the travel patterns of everyday drivers. These systems take photos of every license plate they see, tag them with time and location, and upload them to a central database. These companies—who are essentially data brokers that scrape information from our vehicles—sell this information to lenders, insurance companies, and debt collectors. They also sell this information to law enforcement, including U.S. Department of Homeland security, which recently released its updated policy for leveraging commercial ALPR data for immigration enforcement. The Atlantic has called this collection of our license plates “an unprecedented threat to privacy.” This data, collected in aggregate, can reveal intimate details about our lives, including what doctors we visit, where we worship, where we take our kids to school, and where we sleep at night. Companies marketing this data claim that the technology can predict our movements and link us to our associates based on which vehicles are often parked next to each other…”
See also the Washington Post – “Beijing bets on facial recognition in a big drive for total surveillance… It will use facial recognition and artificial intelligence to analyze and understand the mountain of incoming video evidence; to track suspects, spot suspicious behaviors and even predict crime; to coordinate the work of emergency services; and to monitor the comings and goings of the country’s 1.4 billion people, official documents and security industry reports show.”

Governments don’t do technology very well. Perhaps my students could create an Emergency App?
Uber can find you easily, but emergency services struggle to locate those in need
We live in a day and age where calling 911 anytime, anywhere, is easier than ever. But getting 911 dispatchers to track your location is harder than ever.
Your smart phone allows Uber drivers, video games apps and social media accounts, like Instagram, to pinpoint your exact location — yet 911 dispatchers are left scrambling to find you.
With 70 percent of all 911 calls made nationally on cell phones, 2News wanted to know how well your location can be tracked in a life-or-death situations.
… Apps like Pokemon-Go and Uber can track your every move, because you have accepted the terms and conditions of their operating system. Your acceptance gives your permission to be tracked to your exact GPS location. Emergency dispatchers don't have that luxury, and instead rely on cell towers from the major carriers and what is called triangulation. If the triangulation system works, the longer you are on the phone, the closer and closer the cell towers can pinpoint your location as they relay information between towers nearest to where your call was made.

It’s not the current level of sharing, it’s the direction this is going. I’ve highlighted the hackable bits.
What if you could view your neighbors’ smart security cameras?
More and more companies are trying to sell you cameras to put outside the house. Now one of them is wondering: why not share their footage with neighbors, so more people can monitor what’s going on?
That’s the idea behind Streety, a new app from the security provider Vivint. People with Vivint security systems will be able to share footage from their outdoor cameras with neighbors, who will be able to tune into them live and post messages for others. They can also place requests to view recorded footage in case, say, they’re trying to figure out who dinged their car a couple hours ago.
Vivint is only activating the feature for outdoor cameras — not indoor ones — and the sharing has a range limit: 300 yards, or about one-sixth of a mile. That isn’t very far, which could really restrict the feature’s usefulness. In a denser neighborhood, that might cover a lot of ground; but in a more spacious suburb, it might only cover a few houses in any direction. That wouldn’t help if you’re hoping to tap into a camera down the street to see what your kid is up to.

Gosh! What the coincidence. (As a Director, I would like to know what is going on here.)
Intel CEO's big stock sale raises questions
Intel CEO Brian Krzanich sold more than $39 million worth of company stock after Intel learned of a fundamental design flaw in its products, but before the general public was made aware.
Why it matters: The SEC may take a hard look at Krzanich's windfall, particularly the part where he changed the rules governing his stock sale schedule.
… An Intel spokeswoman says that Krzanich's October 2017 trading plan change and subsequent stock sale were "unrelated" to the chip design flaw, but declined to provide any alternate explanation.
Intel also says that it does not expect material financial impacts from the design flaw, although it remains too early to know for sure.

Colorado is already in compliance. What will we use when all cars are self-driving and no one has a drivers license?
Flying Domestic May Get Harder Thanks to Driver’s License Law
Four years after hijackers showed driver’s licenses to board planes used in the 2001 terrorist attacks, Congress passed the “Real ID” Act to force states to exert greater oversight of the primary identification Americans use when they fly domestically.
Now, after 13 years of delays and extensions, the Trump administration has fixed a hard deadline of October for states to comply. Under the law, all airline travelers must display a new, technologically advanced license if they wish to board a plane. But privacy advocates warn that the program, with its requirement of data and photo sharing between states and the federal government, carries with it some Orwellian implications.
The Department of Homeland Security has given the 23 states still operating under extensions until Oct. 10.

Know the players…
Membership of the 115th Congress: A Profile
CRS report via FAS – Membership of the 115th Congress: A Profile. Jennifer E. Manning, Senior Research Librarian, January 3, 2018: “This report presents a profile of the membership of the 115th Congress (2017-2018) as of January 3, 2018. Statistical information is included on selected characteristics of Members, including data on party affiliation, average age, occupation, education, length of congressional service, religious affiliation, gender, ethnicity, foreign births, and military service. In the House of Representatives, there are 241 Republicans (including 1 Delegate and the Resident Commissioner of Puerto Rico), 197 Democrats (including 4 Delegates), and 3 vacant seats. The Senate has 51 Republicans, 47 Democrats, and 2 Independents, who both caucus with the Democrats.”

It’s a Vet thing.
Military Service Records, Awards, and Unit Histories: A Guide to Locating Source
CRS report via FAS – Military Service Records, Awards, and Unit Histories: A Guide to Locating Sources. Nese F. DeBruyne, Senior Research Librarian; Barbara Salazar Torreon, Senior Research Librarian. January 2, 2018. “This guide provides information on locating military unit histories and individual service records of discharged, retired, and deceased military personnel. It also provides information on locating and replacing military awards and medals. Included is contact information for military history, websites for additional sources of research, and a bibliography of other publications, including related CRS reports.”

I might have a use for this. offers free video conferencing for up t0 5 participants is a one-click video conference solution. After signing up for an account, users can create a video conference. The system provides a url to join the conference that can be sent to up to six participants. Recipients of this link need only click it to join the video conference – they will not need to create an account, nor will they need to download or install any additional software. also supports screen sharing for presentations, software demos, remote technical support, and so on. It provides a ‘website widget’ that site owners can use to enable one-click video calls from their home page.’s free tier allows five team members, each of whom can receive ten ‘website widget’ calls per month and can create an unlimited number of video conferences. currently supports Google Chrome, Mozilla Firefox, and Opera, with work ongoing to add support for other browsers. Companion mobile phone apps for iOS and Android are currently in beta.”

Sunday, January 07, 2018

Do I really want Big Brother talking to me via an ‘always on’ device?
Alison DeNisco Rayome reports:
Lancashire police officers are researching an integration with the digital assistant that would allow the force to send out crime bulletins to residents, such as missing persons reports, wanted suspects in the area, and the number of officers currently on duty, according to a TechSpot report. The integration could also be used for internal communications, such as to update officers on daily crime logs or breaking incidents.
However, the most interesting potential usage would directly involve residents, allowing victims and witnesses to report crimes directly to the police via their Amazon Echo—another example of how artificial intelligence (AI) tools can potentially free up human workers like police to do more complex work.
Read more on TechRepublic.

So, it’s like fingerprints? But it can be used in ways fingerprints can not. (e.g. You are related to someone who left DNA at a crime scene.)
Did you know that police can compel you to provide a DNA sample if they are booking you for (just) a misdemeanor?
I didn’t know, and was not happy to read about it on John Wesley Hall posts part of the opinion in U.S. v. Buller:
This court tends to agree with Justice Scalia that the primary purpose of the DNA collection statute is criminal investigation. As such, this court also agrees that the Fourth Amendment should require a warrant or some level of suspicion before the search of one’s DNA is allowed. However, until the King decision is modified or repudiated, it remains the law of the land and this court is bound to apply it. Because the analysis under King and the rationale for the conclusion in King cannot be meaningfully distinguished in the case of a misdemeanor arrestee, and because there is no federal law decided in the five years since the King decision was issued making such a distinction, the court concludes that the collection of DNA from Mr. Buller is constitutional under the Fourth Amendment.
Add that to the list of things that need to be fixed.

Are they now saying “Free is Bad?”
How to Curb Silicon Valley Power—Even With Weak Antitrust Laws
Technology companies with unprecedented power to sway consumers and move markets have done the unthinkable: They’ve made trust-busting sound like a good idea again. [Yoicks! Bob]
The concentration of wealth and influence among tech giants has been building for years—90 percent of new online-ad dollars went to either Google or Facebook in 2016; Amazon is by far the largest online retailer, the third-largest streaming media company, and largest cloud-computing provider. Silicon Valley titans coasted to the top of the economy with little government oversight on the backs of incredibly convenient products, a killer backstory, shrewd lobbying, and our personal data. They were allowed to grow unfettered in part because of a nearly-40-year-old interpretation of US antitrust law that views anticompetitive behavior primarily through the prism of the effect on consumers. In that light, the tech industry’s cheap products and free services fell somewhere between benign and benevolent.

Perspective. How would you find that terrorist-related needle in this haystack?
WhatsApp sets new messaging record: 75 billion on New Year’s Eve
WhatsApp, one of the world’s most-used messaging services, hit a new milestone on New Year’s Eve: more than 75 billion messages sent by its users. The new record represents the most messages sent in a single day in the chat app’s history, a spokesperson told VentureBeat in an email. The previous record was set in 2016, also on New Year’s Eve: 63 billion messages sent.
The 75 billion number included 13 billion images and 5 billion videos, the Facebook-owned WhatsApp revealed.