Saturday, February 03, 2018

One more Thing on the Internet of Things. Did you take your court ordered medication? Is there an App to tell me what medication you are taking? (Could my students create one?)
David M. Perry writes:
There’s a new psychiatric medication on the market called Abilify MyCite. On its own, the drug Abilify is a partial dopamine agonist that has been approved by the Food and Drug Administration since 2013 as an anti-psychotic medication. It’s generally prescribed to people with conditions such as schizophrenia and bipolar disorder, though questions remain about its effectiveness and the severity of its side effects. The “MyCite” pill, approved just last year, does something new. It contains a digital sensor that tracks whether a patient has ingested the drug, then shares that information with doctors, family, or whoever is programmed to receive it.
The use of Web technology to track medication has been emerging over the past decade or so. The technology has arrived with the usual benefits and risks of the Internet of Things: timely reminders, cool gadgets, vulnerability to hacking, loss of control over one’s data, state surveillance. When it comes to a pill like MyCite, America’s history of coercive psychiatric medication intensifies the risks. If the medical technology is simply used to help people remember to voluntarily take their pills, so much the better. Alas, that’s unlikely to be the case.
Read more on Pacific Standard.

Will I be allowed to encrypt my car’s data? Do I have any leverage in that contract negotiation?
Cyrus Farivar reports that autonomous vehicles (AVs) have changed our threat model.
In order for AVs to work, they have to snag all kinds of data about the world around them: where precisely other objects are at any given moment and how fast they are moving. That data can seemingly be kept forever.
Under current law, all of that data can be obtained relatively easily by federal law enforcement. In other words, if you’re a privacy-minded citizen, your threat model just changed.
“Because of all of the sensors and data that is being captured—[AVs] are giant recording things,” Jaeger said. “Even if they’re not involved in an incident directly, they captured some of it. Maybe infrared data or something.”
This is profoundly different from older cars that lack such sensors and do not gather up such vast quantities of stored data. As such, Tesla’s terms and conditions—like those of other non-automotive tech companies, including Apple, Google, and more—say that the company will hand over data to law enforcement when legally compelled to do so. Waymo did not respond to Ars’ multiple queries for clarification of its position, so how far that assistance will go is anyone’s guess.
Read more on Ars Technica about an important case that may significantly impact law enforcement’s too-ready access to your data.

A new record is not a good thing.
This Week In Credit Card News: A Record Number Of Data Breaches; Starbucks Enters Credit Card Market
The Identity Theft Resource Center reports the number of U.S. data breaches reached an all-time high in 2017. Data breaches totaled 1,579, up 45% from 2016. 55% hit the business sector; 24% hit the medical/healthcare industry. Of the 179 million records exposed last year, nearly 158 million were Social Security numbers, accounting for 88% of all exposed records. Nearly 20% of breaches resulted in information on debit and credit cards being exposed.

Are you the kind of crazy we insure? Are you too crazy to insure? Is this just a way to reduce insurance costs?
Andy Marso reports:
Susan Eyman, a psychologist in Lawrence, Kansas, told a patient last year that the patient’s insurance company had requested her notes from their therapy sessions as part of an audit of her billings.
Eyman said the patient was shocked. The notes included intensely personal things about trauma he had told her in strict confidence. He asked if she could assure the confidentiality of the notes once Blue Cross Blue Shield of Kansas had them.
“And I said, ‘No, of course not,’ ” Eyman said. “Of course I can’t. If you send this information out there, it’s out there.”
Eyman said she refused to turn over the notes and was forced to pay back thousands in BCBS Kansas reimbursements.
Read more on The Seattle Times.
I recently experienced this same issue myself, but with a different insurer. A long-term care patient’s insurer suddenly started asking me for therapy notes. I was appalled, because psychotherapy notes are among the most sensitive notes anywhere. I think asking for therapy goals and some measure of progress is appropriate and acceptable, but actual therapy notes? I’ll see what, if anything, we can negotiate, I guess, and then decide what to do.

...but is it criminal?
A ‘Dirty and Open Secret’: Can Social Media Curb Fake Followers?
Social media users, advertisers and regulators were aghast this past week over revelations in a report by The New York Times of a thriving cottage industry that creates fake followers on Twitter, Facebook or other channels for anybody willing to pay for them. Called “bots,” these fake accounts are available in the thousands to those that want to boost their popularity with tweets or retweets on Twitter, or Facebook likes or shares.
Although Twitter and Facebook officially frown on users buying followers and regularly take down fake accounts, they have a vested interest in the popularity scores of their users because advertisers use those metrics. The political will also may not be readily available to legislate against buying followers, experts say, pointing out that some of President Trump’s appointees also bought followers, in addition to others such as computer billionaire Michael Dell and Treasury Secretary Steve Mnuchin’s actress wife Louise Linton.
“This is a dirty and open secret of social media,” said Kartik Hosanagar, Wharton professor of operations, information and decisions. “This has been going on for a while, and The New York Times article finally puts the spotlight on this shadow economy. Overall, social media is a complete mess right now in terms of the sanctity of information circulating on it.”

Tools for my “Flipped Classroom” world.
7 Ways to Create Screencasts on Chromebooks - Updated for 2018

Friday, February 02, 2018

There’s an App for that! What could Equifax do to stop these claims?
Ethan Wolff-Mann reports:
In September, entrepreneur Joshua Browder’s Do Not Pay chatbot website added a new skill: allowing people to sue Equifax for its monumental data breach that exposed the personal information of 145.5 million people, which included Social Security numbers.
A few months later, the results are coming in and people are winning judgements approaching $10,000.
Yahoo Finance spoke to a few consumers who have taken on Equifax in small claims courts, a process that they found surprisingly smooth, with no need for lawyers.
“It was the easiest nine grand I ever made,” said Darrow B. of San Francisco, who just won a judgment of $9,100.
Read more on Yahoo!
[From the article:
Darrow points to her ruling as a good blueprint to go from when arguing before the court. In it, the judge noted that Equifax had a duty to safeguard information, failed to heed warnings from the Department of Homeland Security, and “willfully” violated the Fair Credit Reporting Act and state regulations.
To some judges at least, demonstrating Equifax was negligent in its duty is enough for a positive judgment. The credit monitoring company was slow to disclose the breach (not everyone affected even got an email notifying them of what happened); it also pointed consumers to a useless website to see if they were affected, and then pushed them to sign up for a monitoring product that both could strip consumers of the right to sue the company and provide it with potential future revenue.

Sure! All I need is a few billion dollars of seed money...
Just the announcement that Jeff Bezos, Warren Buffett, and Jamie Dimon will be entering the health care space has sent shock waves for industry incumbents such as CVS, Cigna, and UnitedHealth. It also puts a fundamental question back on the agendas of CEOs in other industries: Will software eat the world, as Marc Andreessen famously quipped? Is this a warning shot that signals that other legacy industrial companies, such as Ford, Deere, and Rolls Royce are also at increased risk of being disrupted?
To start to answer that question, let’s tally up the score. There are three types of products today. Digital natives (Amazon, Google, Facebook, Microsoft, IBM) have gained competitive advantage in the first two, and the jury is still out on the third:
  • Type 1: These are “pure” information goods, where digital natives rule. An example would be Google in search, or Facebook in social networking. Their business models benefit from internet connectivity and they enjoy tremendous network effects.
  • Type 2: These are once-analog products that have now been converted into digital products, such as photography, books, and music. Here too, digital natives dominate. These products are typically sold as a service via digital distribution platforms ( for books, Spotify for music, Netflix for movies).
  • Type 3: Then there are products where input-output efficiency and reliability of the physical components are still critical but digital is becoming an integral part of the product itself (in effect, computers are being put inside products). This is the world of the Internet of Things (IOT) and the Industrial Internet.

Perspective. Once Operating Systems reach “good enough” the scramble for “new and improved” versions is reduced.
StatCounter: Windows 10 overtakes Windows 7 in usage share
Windows 10 has overtaken Windows 7 in usage share. The milestone was reached some 29 months after the latest and greatest operating system from Microsoft first debuted, according to StatCounter.

“Sincerity – if you can fake that, you've got it made.” George Burns
The Rising Importance of Soft Skills
Conversable Economist: “What skills are most important for an employee to succeed at Google? Back in 2013, the company undertook Project Oxygen to answer that question. Cathy N. Davidson described the result in the Washington Post last month (“The surprising thing Google learned about its employees — and what it means for today’s students,” December 20, 2017). She writes:
“Sergey Brin and Larry Page, both brilliant computer scientists, founded their company on the conviction that only technologists can understand technology. Google originally set its hiring algorithms to sort for computer science students with top grades from elite science universities. In 2013, Google decided to test its hiring hypothesis by crunching every bit and byte of hiring, firing, and promotion data accumulated since the company’s incorporation in 1998. Project Oxygen shocked everyone by concluding that, among the eight most important qualities of Google’s top employees, STEM expertise comes in dead last. The seven top characteristics of success at Google are all soft skills: being a good coach; communicating and listening well; possessing insights into others (including others’ different values and points of view); having empathy toward and being supportive of one’s colleagues; being a good critical thinker and problem solver; and being able to make connections across complex ideas.”
Well, Google is a big company. Perhaps the soft skills matter for a lot of its employees. But for the A-level invention teams, surely the technical skills count for more? Last spring, Google tested that hypothesis with Project Aristotle. Davidson reports the results…”

For all my students.

For flipping the classroom?

Thursday, February 01, 2018

Another unsecured “Thing” on the Internet of Things.
As a data leak, this belongs on I will cross-post it there, but I do want readers of this site to remain cognizant that there is just so much risk to privacy and data these days. Thomas Fox-Brewster reports:
Valentine’s Day is just around the corner. Some might be considering the purchase of a special kind of pleasure-giving device for their partner as a gift. But they might want to rethink those plans: the quality of cybersecurity in newfangled, connected sex toys has been unsurprisingly shocking in recent years. And it doesn’t look to be getting much better, if research released by Austrian company SEC Consult on Thursday is anything to go by.
Probing Vibratissimo’s ‘Panty Buster’ sex toy for women, the researchers found the device and associated websites had multiple vulnerabilities. By far the most severe issue (and one that was thankfully immediately addressed by Vibratissimo’s owner, Amor Gummiwaren) allowed anyone to obtain a database of all customer information by simply grabbing a username and password from an open file on the website. And it was possible to grab passwords for the sex toy owner accounts, as they were left open in plain text. From there, a hacker could look at sensitive data, including explicit images, sexual orientation and home addresses, according to an SEC blog post.
Read more on Forbes.

Facilitating terrorists?
Court: No evidence that Twitter can be blamed for deaths in Islamic State attack
Islamic State may have used its access to Twitter to spread its message of terrorism and recruit new members, but that doesn’t make the social media company legally responsible for the deaths of two Americans in an ISIS-linked attack in Jordan, a federal appeals court in San Francisco ruled Wednesday.
Lawyers for the widows of the two men argued in their lawsuit that Twitter had been essential to the emergence of the terror group and bore some responsibility for the deadly consequences.

Isn’t this argument similar to the one being made against Facebook and Google?
The Government's Unraveling Antitrust Case Against AT&T-Time Warner
Antitrust scholars, media industry experts and economists across the political spectrum have been scratching their collective heads since November, when the Department of Justice filed suit to block AT&T’s planned $85 billion merger with Time Warner.
As the case now heads for an early trial in March, that confusion has only grown.
The government’s untested new theory is that the merged entity will have both the incentive and the ability to withhold or overcharge for Time-Warner content if the deal goes through.
But that view stands in stark contrast to what is happening across the media landscape. Incumbents, including AT&T, have continued to lose ground to new entrants and new forms of content, pushing traditional producers and distributors into more deal-making.

Perspective. I doubt Facebook is doomed.
Facebook lost daily users for the first time ever in the U.S. and Canada
Here’s a troubling data point if you’re a Facebook investor: The company may have finally tapped out its most valuable market, the U.S. and Canada.
Facebook’s daily active user base in the U.S. and Canada fell for the first time ever in the fourth quarter, dropping to 184 million from 185 million in the previous quarter.
Each user accounted for $26.76 worth of revenue for the company last quarter, and it went up by 35 percent over the same quarter last year.

Perspective. Have we reached several “tipping points?”
Study – All fossil-fuel vehicles will vanish in 8 years in twin ‘death spiral’ for big oil and big autos
All fossil-fuel vehicles will vanish in 8 years in twin ‘death spiral’ for big oil and big autos, says study that’s shocking the industries. This speedy revolution, a Stanford economist says, will be driven by technology, not climate policies — and while his timing may be off a few years, there is little doubt about the direction. No more petrol or diesel cars, buses, or trucks will be sold anywhere in the world within eight years. The entire market for land transport will switch to electrification, leading to a collapse of oil prices and the demise of the petroleum industry as we have known it for a century. This is the futuristic forecast by Stanford University economist Tony Seba. His report, with the deceptively bland title Rethinking Transportation 2020-2030, has gone viral in green circles and is causing spasms of anxiety in the established industries.

(Related). Tipping point two?
Is a Transition to Renewable Energy on the Verge of Being Unstoppable?

Strange business model. Would this work to give school children free tablets?
All inmates in New York State prisons will get free tablets
Each inmate incarcerated in a New York State prison will soon have a free tablet.
The tablets will give inmates access to educational content, eBooks and music, officials said. They’ll also help inmates file grievances and allow them to communicate with family and friends through a secure email system. There will be no internet access.
New York’s Department of Corrections and Community Supervision will receive the tablets for inmates as part of a deal with JPay, a company that specializes in corrections-related services, a DOC spokesperson said. The company will provide the tablets as part of a contractual agreement the state DOC entered with the company. No state funds will go toward the tablets.
JPay will make money if an inmate chooses to purchase approved additional books or items with the tablet.
… There are about 52,000 inmates in NYS DOC facilities as of March of 2016.

This seems backwards. If women get paid less, shouldn’t that bring the average down? The “why” is interesting.
… For Every 10% Increase in Women Working, We See a 5% Increase in Wages

This is what has replaced bird watching?
Watch this short Pokémon Go nature documentary narrated by Stephen Fry

An article for my geeks.

What happened to praise for the ethical employee?

Wednesday, January 31, 2018

More to enliven the debate in my Computer Security class.
A couple more versions of the story. Lots of butt covering going on?
Hawaii false alarm: Officials quit over missile alert
… Administrator Vern Miyagi and executive officer Toby Clairmont stepped down on Tuesday after reports detailing the agency's failures were released.
The individual who sent the alert has also been fired, officials confirmed.
… The report said the mix-up happened after a midnight supervisor at the Hawaii Emergency Management Agency decided to conduct a spontaneous drill during a shift transition. The incoming day supervisor was then said to be unaware the 08:05 drill would involve any incoming day officers, who were then not told about the exercise.
The drill message, which was called in pretending to be from US Pacific Command, began and ended with the words: "Exercise! Exercise! Exercise!". But the warning also said "This is not a drill", in a script that the FCC say was different from established procedure.
According to the federal report, the employee was one of three who received the call but did not hear the exercise warning. Believing it was real, they said they sent the genuine alert out using the agency's software.
… A state report also released on Tuesday said the employee had a record of "poor performance" on the job.
Reports say he had been a source of concern for colleagues for 10 years, having confused emergency drills with real life incidents on at least two occasions.


An article for my Data Management students.
Chief data officer’s guide to an AI strategy
CIO – Develop a data-driven culture but be mindful of regulatory and ethical considerations: “Artificial intelligence (AI) is set to be a priority for more than 30 percent of CIOs by 2020, according to Gartner. While AI promises game changing capabilities, this is only going to happen if your organisation applies it effectively. If you’re a chief data officer (CDO) trying to realise the full potential of AI, now’s the time to broaden your strategy, assess the impact on both business models and customer experiences, and prepare for other strategic challenges. Much of the current wave of attention is the result of gains in advanced analytics and machine learning. This current shift is partially attributable to the emergence of inexpensive, massive and readily available computing power, as well as the mountains of data available to train machines, form patterns and produce insights. Although top of mind, many organisations are just beginning their AI journey — gathering knowledge and developing strategies for applying it. If you’re like many data and analytics leaders, the need to define an AI strategy and identify uses is a real challenge…”

Data Management procedures must cover disposal! (No doubt someone would have looked in the cabinet, but it was locked.)
What’s possibly worse than leaving files with personally identifiable information in filing cabinets that you’re selling as surplus?
How about leaving top secret and classified documents on the workings of five governments?

How not to be anti-social media?
Michael Posner on the ethical challenges facing social networks and businesses
Ethics professor Michael Posner says there is an obligation for social networking sites like Facebook to do more to prevent the dissemination of political disinformation.
Posner says that when companies actively address ethical issues it not only benefits their brand image, but also makes them more efficient, more productive, and makes more people want to work for their company. [??? Bob]

Interesting, but not ‘real world?’ Amazon is offering a ‘prisoner’s dilemma.’ If only one city offers them a huge tax break (other incentives being nearly equal) guess who wins? Seems short sighted to me.
Amazon HQ2 finalists should refuse tax breaks, say nearly 100 economists, professors
… The petition states that while the signees support Amazon’s decision to build a second headquarters, “incentives do not alter business location decisions as much as is often claimed and are less important than more fundamental location factors. Worse, they divert funds that could be put to better use underwriting public services such as schools, housing programs, job training, and transportation, which are more effective ways to spur economic development.”
… In its original RFP for HQ2, Amazon said that “incentives offered by the state/province and local communities to offset initial capital outlay and ongoing operational costs will be significant factors in the decision-making process” — so it’s unlikely that cities will collectively agree to take incentives off the table.

For my student vets…
After A False Start, The VA’s Vet ID System Finally Works
As of Jan. 29, Veterans can once again submit online applications online, and this time — the applications actually go through.
All veterans with an honorable or general discharge can request the new ID cards. Keep in mind, they don’t replace VA medical cards or defense retiree cards, nor are they official government-issued forms of identification — so you can’t use it to board a plane, or buy booze. But, they are handy for when you’re in a checkout line and spot a “10% off for veterans” discount sign.

Tuesday, January 30, 2018

Seems strange that it could go so long in a heavily regulated industry. This might have gone undetected if they had a reliable, encrypted back-channel. Talk only “legitimate” trade talk on the recorded channels, keep the spoofing to the back-channel. (Now watch the FBI pick up that argument.) Of course, the offers to buy and the canceled orders are all recorded too.
Key to catching the traders charged with manipulating metals futures: electronic chatter
A new sweep of three big banks and six traders for allegedly manipulating metals futures relied heavily on electronic chatter to build a case.
The Commodity Futures Trading Commission announced criminal and civil enforcement actions on Monday against Deutsche Bank AG and Deutsche Bank Securities Inc, UBS AG and HSBC Securities (USA) Inc. and six individuals involved in spoofing and stop loss collusion schemes.
Deutsche Bank AG and Deutsche Bank Securities Inc. were hit the hardest, agreeing to pay a $30 million penalty while neither admitting nor denying they failed to supervise precious metals traders who allegedly schemed to manipulate the price of precious metals futures contracts and allegedly colluding to trigger customer stop-loss orders. The fraud allegedly ran from Feb. 2008 to at least Sept. 2014.
… As in past enforcement orders regarding traders schemes, the CFTC along with the U.S. Attorney’s office and the FBI relied on the mandatory recordings of trader chatter to prove the brazen nature of the schemes.
One trader was recorded responding to another trader’s discussion of a bid with, “For anyone. Or a spoof?” to which the other trader admits, “spoof.”
In another conversation, one trader admitted to another in a chat that he used spoofing to manipulate the market: “so glad I could that up 2 bucks...that does show u how easy it is to manipulate it so[me]times.” Trader A commented further: “that was alot of clicking...i know how to ‘game’ this stuff.”

OMG. Are we going to start seeing WWBD T-shirts? (What Would Bezos Do) On the other hand, Amazon might like a really pliable state legislature.
To Get Anything Done, Georgia Politicians Say, ‘Do It for Amazon’
From a religious-freedom bill to a proposed English-only constitutional amendment, Georgia politicians and advocates are invoking Amazon’s name.
The prospect of luring the retailer here is being used as political ammunition, notwithstanding that Inc. is months away from picking among Atlanta and 19 other finalists for the location of its second headquarters.

How easily the health care industry panics.
Amazon, Berkshire, JPMorgan Move to Target Health-Care Costs
Inc., Buffett’s Berkshire Hathaway Inc. and JPMorgan Chase & Co. said they plan to collaborate on a way to offer health-care services to their U.S. employees more transparently and at a lower cost. The three companies plan to set up a new independent company “that is free from profit-making incentives and constraints,” according to a short statement on Tuesday.
The move sent shares of health-care stocks falling in early trading. Express Scripts Holding Co. and CVS Health Corp., which manage pharmacy benefits, slumped 6.7 percent and 5.5 percent, respectively. Health insurers Cigna Corp. and Anthem Inc. also dropped.

We’re creating more videos for our students, so this might be useful.
A Free Teleprompter
Thanks to Beth Holland this weekend I learned about a free teleprompter service called CuePrompter. CuePrompter displays your written script in a clear, large, scrolling format in your web browser. It's perfect for use when recording yourself or someone else on camera.
To use CuePrompter just go to the site then start entering your script into the "quick start" text box. After you have entered your script you can select the size of the prompter display, the size of the text, and the display color scheme. Click "start prompter" when you're ready to start using your script in the CuePrompter display. You can adjust the speed at which your script scrolls down the screen. If you need to stop and rewind, you can do that in the script display too.

Monday, January 29, 2018

Something for my deep thinking students.
Estimating the Cost of Internet Insecurity
It's really hard to estimate the cost of an insecure Internet. Studies are all over the map. A methodical study by RAND is the best work I've seen at trying to put a number on this. The results are, well, all over the map:
"Estimating the Global Cost of Cyber Risk: Methodology and Examples":
Here's Rand's risk calculator, if you want to play with the parameters yourself.
Note: I was an advisor to the project.
Separately, Symantec has published a new cybercrime report with their own statistics.

Something for my students to reverse so they can de-anonymize.
On January 25, the Personal Data Protection Commission of Singapore issued a guide to basic anonymization techniques. You can access the guide here (pdf).

(Related) Why anonymization is important.
David Gershgorn reports:
Some of Google’s top AI researchers are trying to predict your medical outcome as soon as you’re admitted to the hospital.
A new research paper, published Jan. 24 with 34 co-authors and not peer-reviewed, claims better accuracy than existing software at predicting outcomes like whether a patient will die in the hospital, be discharged and readmitted, and their final diagnosis. To conduct the study, Google obtained de-identified data of 216,221 adults, with more than 46 billion data points between them. The data span 11 combined years at two hospitals, University of California San Francisco Medical Center (from 2012-2016) and University of Chicago Medicine (2009-2016).
Read more on Quartz.
OK, now if this is accurate, it sounds really promising, right? But I wondered how they got so much de-identified medical data on so many people. So I took a look at the paper’s methods section and here’s what it says:
We included EHR data from the University of California, San Francisco (UCSF) from 2012-2016, and the University of Chicago Medicine (UCM) from 2009-2016. We refer to each health system as Hospital A and Hospital B. All electronic health records were de-identified, except that dates of service were maintained in the UCM dataset. Both datasets contained patient demographics, provider orders, diagnoses, procedures, medications, laboratory values, vital signs, and flowsheet data, which represents all other structured data elements (e.g. nursing flowsheets), from all inpatient and outpatient encounters. The UCM dataset (but not UCSF) additionally contained de-identified, free-text medical notes. Each dataset was kept in an encrypted, access-controlled, and audited sandbox.
Ethics review and institutional review boards approved the study with waiver of informed consent or exemption at each institution.
So if you went to either of these hospitals, the hospital might have subsequently waived your informed consent and just turned over data on you that everyone believes is de-identified. Now it’s great that it was kept encrypted, access-controlled, and in an audited sandbox, but here’s the thing: are you okay with a hospital waiving your informed consent? How difficult might it be to re-identify the data?
I know a lot of people feel that it’s okay for entities to do this (waive consent) because it’s in the best interests of public health and progress, but of course, I focus on the individual’s rights. So think about it… is this okay and if it’s not, how does that affect your use of a particular hospital? Would you say or do anything different?

They have never done this before. Perhaps they are concerned about GDPR?
Facebook marks Data Privacy Day by sharing its 7 privacy principles
With the European Union’s new data protection laws coming into force this year, Facebook has begun preparing for the General Data Protection Regulation (GDPR) by publishing its privacy principles for the first time.
The company also announced that it will push videos into users’ news feeds detailing how they can manage their privacy on the social network, and it recently revealed plans to roll out a new privacy center later this year that pulls together key settings into a single hub.
The announcement was timed to coincide with Data Privacy Day, an occasion marked every January 28 to promote best practices around online data privacy and security.

When Privacy equals Targeting.
Strava fitness tracking app reveals movements on remote military bases
A fitness tracking app that maps people's exercise habits could pose security risks for security forces around the world.
Strava, which bills itself as "the social network for athletes" and allows its users to share their running routes, released a newly updated global heatmap last November. But experts and keen observers have recently realized its potential to reveal location patterns of security forces working out at military bases in remote locations.
Nathan Ruser, a 20-year-old Australian student and analyst for the Institute for United Conflict Analysts, noted on Twitter on Saturday that the map made US bases "clearly identifiable and mappable."
… In a post about the update in November, Strava said the update would include "six times more data than before – in total one billion activities from all Strava data through September 2017." Strava boasts "tens of millions" of users, and according to the company, marked three trillion latitude/longitude points on the updated map. It tracks location data using GPS from FitBits, cellphones, and other fitness tracking devices.
… Scott LaFoy, an open-source imagery analyst, told CNN it's too early to truly assess how useful the data is.
"In terms of strategic stuff, we know all the bases there, we know a lot of the positions, this will just be some nice ancillary data," said LaFoy.
… "If the data is not actually anonymous, then you can start figuring out timetables and like some very tactical information, and then you start getting into some pretty serious issues," LaFoy said.

Do most companies measure downtime? I doubt it.
IT Downtime Costs Businesses $1.55 Million Per Year, Report Says (INFOGRAPHIC)

Ready or not, here it comes.
NIST Report on Blockchain Technology Aims to Go Beyond the Hype
“Beguiling, baffling or both—that’s blockchain. Aiming to clarify the subject for the benefit of companies and other organizations, the National Institute of Standards and Technology (NIST) has released a straightforward introduction to blockchain, which underpins Bitcoin and other digital currencies. Virtual barrels of digital ink are flowing in the media nowadays about these cryptocurrencies and the underlying blockchain technology that enables them. Much of the attention stems either from the giddy heights of value attained lately by the most well-known of these currencies, Bitcoin, or from the novelty of blockchain itself, which has been described as the most disruptive technology since the internet. Blockchain’s proponents believe it lets individuals perform transactions safely without the costs or security risks that accompany the intermediaries that are required in conventional transactions. The NIST report’s authors hope it will be useful to businesses that want to make clear-eyed decisions about whether blockchain would be an asset to their products.”

Something to cheer up my students? Power to the programmers!

Sunday, January 28, 2018

This warning is a bit late, but since this is an annual event everyone should already be on guard.
As this site has done in 2016 and 2017, will maintain a list of entities that disclose that they have become victims of a W-2 phishing or business email compromise (BEC) attack. For 2016, we compiled 175 incidents (although some of them didn’t become public knowledge until 2017), and for 2017, we had 204 incidents – a number that very closely matches what the government subsequently reported from their records.
How many incidents will we find in 2018, and how many individuals will potentially be at risk of tax refund fraud from this type of scam?
As in past years, the list will be alphabetized, which loses the chronology but makes it a bit easier for me to search for specific entities as I’m updating the list. Links are to media coverage or reports of the breach, and the number affected, if revealed, is in parentheses for the entry.
Throughout the season, look for Steve Ragan of Salted Hash to provide some summary updates on how many are being affected.
If you become aware of any W-2 incidents that I don’t have on this list, please let me know via the Comments section for this post, Twitter (@pogowasright) or email me at breaches[at]protonmail[dot]ch.
So here we go…… THE 2018 LIST:

Probably not a technique any teenager could employ. I wonder if we could borrow an ATM for my Ethical Hacking class?
ATM makers warn of 'jackpotting' hacks on U.S. machines
Diebold Nixdorf Inc and NCR Corp, two of the world’s largest ATM makers, have warned that cyber criminals are targeting U.S. cash machines with tools that force them to spit out cash in hacking schemes known as “jackpotting.”
The two ATM makers did not identify any victims or say how much money had been lost. Jackpotting has been rising worldwide in recent years, though it is unclear how much cash has been stolen because victims and police often do not disclose details.
… Diebold Nixdorf’s alert described steps that criminals had used to compromise ATMs. They include gaining physical access, replacing the hard drive and using an industrial endoscope to depress an internal button required to reset the device.

We will likely continue to ratchet up these laws a bit at a time because we don’t seem able to agree on where we should be.
Erin Jordan reports:
Data security breaches at big corporations, including Equifax and Target, spurred the Iowa Attorney General’s Office to seek changes to Iowa law to further protect consumers.
House Study Bill 526, discussed in a Judiciary subcommittee Tuesday, would update Iowa’s data breach notification act, which requires businesses, nonprofits and other entities hit by hackers to alert consumers and the state.
The update adds new categories of data, such as medical records. And although the law already requires reporting of information breaches “without reasonable delay,” the bill would add a 45-day maximum on reporting.
Read more on The Gazette.
One of the things the bill would change, although not mentioned in this article, is that it would apply to personal information in any form, and not just computerized data. And it significantly expands the definition of personal information. Do take a look at it. I hope we have more state attorneys general proposing such bills in the wake of Equifax, when state legislatures may be more inclined to actually pass stronger legislation.

It seems to have taken well over a year for social media to realize what was happening and locate some of the evidence. I wonder if anyone has asked the social media firms if they are ready for the next election?
Twitter Says Russian Bots Retweeted Trump 470,000 Times
Russian-linked Twitter bots shared Donald Trump’s tweets almost half a million times during the final months of the 2016 election, Twitter Inc. said in a submission to Congress.
The automated accounts retweeted the Republican candidate’s @realDonaldTrump posts almost 470,000 times, accounting for just more than 4 percent of the re-tweets he received from Sept. 1 to Nov. 15, 2016. Hillary Clinton’s account got less than 50,000 retweets by the Russian-linked automated accounts during the same period of time, the company said in documents posted Friday by the Senate Judiciary Committee.

Not much in the video (more like a Ford commercial) but something for my students to consider. Should it be armed?
Ford’s Autonomous Police Car Could Ticket You Without a Human
So far it's just a patent.

Anyone want to write “The Ethical Algorithm?”
Two new books focus on the injustice of algorithms
The difficulty with talking about the technology industry is that it’s increasingly hard to define. “A tech company can be a giant data-mining operation turned advertising platform, like Facebook or Google. But it can also be a design-heavy producer of phones, computers and software. Or perhaps it’s a transportation company pretending it’s just a marketplace, nothing to see here. Maybe it’s Amazon?.. A pair of recent books survey these issues, as they play out on social networks and in the wider world, in systems many Americans are not even aware of…”

Dilbert neatly summarizes all sides of the wage & salary debate.