Saturday, March 17, 2018

This sounds juvenile but I’m surprised North Korea isn’t trying to rig a lottery somewhere.
Sean Poulter reports:
The National Lottery is advising all 10.5million people with online accounts to change their passwords following a security breach ahead of tonight’s £14 million Euromillions draw.
The move follows an attempt by hackers to access accounts using a technique known as ‘credential stuffing’.
Read more on Daily Mail.

Is it time to start investigating the Board of Directors? Do they know what their responsibilities are?
Report: Wells Fargo investigation broadens to wealth division
… The Justice Department is now investigating whether Wells Fargo made inappropriate recommendations or referrals, or failed to inform customers about potential conflicts of interest, the Journal reported, citing unnamed people familiar with the matter.

No doubt it was just the AI having a joke.
Facebook apologises for search suggestions of child abuse videos
… The social network’s search suggestions, which are supposed to automatically offer the most popular search terms to users, apparently broke around 4am in the UK, and started to suggest unpleasant results for those who typed in “video of”.
Multiple users posted examples on Twitter, with the site proposing searches including “video of girl sucking dick under water”, “videos of sexuals” and “video of little girl giving oral”. Others reported similar results in other languages.
Even after the offensive search terms stopped being displayed, users still reported odd algorithmic suggestions, seemingly far from what Facebook would normally offer, such as “zodwa wabantu videos and pics” (a South African celebrity) and “cristiano ronaldo hala madrid king video call”.

Have they forgotten that monopoly thing they faced a few years ago?
Microsoft wants to force Windows 10 Mail users to use Edge for email links
Microsoft is testing a new change to its future version of Windows 10 which will probably annoy anyone using the operating system. The software giant revealed today that “we will begin testing a change where links clicked on within the Windows Mail app will open in Microsoft Edge.” The change means if you have Chrome or Firefox set as your default browser in Windows 10, Microsoft will simply ignore that and force you into Edge when you click a link within the Mail app.

Worth a listen?
Why Regulation Is a Tricky Business in the Sharing Economy
New research from Sarah Light, Wharton professor of legal studies and business ethics, examines what role the federal government should play in regulating these organizations. Her paper is titled, “The Role of the Federal Government in Regulating the Sharing Economy,” and it will appear in the forthcoming book, Cambridge Handbook on the Law of the Sharing Economy. Light recently joined Knowledge@Wharton to discuss what she’s uncovered.
An edited transcript of the conversation follows.

Friday, March 16, 2018

So is this the Cyberwar equivalent of moving troops to the border or something more sinister?
Cyberattacks Put Russian Fingers on the Switch at Power Plants, U.S. Says
The Trump administration accused Russia on Thursday of engineering a series of cyberattacks that targeted American and European nuclear power plants and water and electric systems, and could have sabotaged or shut power plants off at will.
United States officials and private security firms saw the attacks as a signal by Moscow that it could disrupt the West’s critical facilities in the event of a conflict.
… according to a Department of Homeland Security report issued on Thursday, Russian hackers made their way to machines with access to critical control systems at power plants that were not identified. The hackers never went so far as to sabotage or shut down the computer systems that guide the operations of the plants.
Still, new computer screenshots released by the Department of Homeland Security on Thursday made clear that Russian state hackers had the foothold they would have needed to manipulate or shut down power plants.

(Related) Why not name names? Because they don’t know who did it?
Hackers Tried to Cause Saudi Petrochemical Plant Blast: NYT
Cyber-attackers tried to trigger a deadly explosion at a petrochemical plant in Saudi Arabia in August and failed only because of a code glitch, The New York Times reported.
Investigators declined to identify the suspected attackers, but people interviewed by the newspaper unanimously said that it most likely aimed to cause a blast that would have guaranteed casualties. A bug in the attackers' code accidentally shut down the system instead, according to the report.
The cyber-attack -- which could signal plans for other attacks around the world – was likely the work of hackers supported by a government, according to multiple insiders interviewed by the newspaper.
All sources declined to name the company operating the plant as well as the countries suspected to have backed the hackers, The New York Times said.

Did everyone involved understand that this was a Beta test or was there an assumption that this was foolproof?
New Orleans ends its Palantir predictive policing program
Two weeks ago, The Verge reported the existence of a six-year predictive policing collaboration between the New Orleans Police Department and Palantir Technologies, a data mining giant co-founded by Peter Thiel. The nature of the partnership, which used Palantir’s network-analysis software to identify potential aggressors and victims of violence, was unknown to the public and key members of the city council prior to publication of The Verge’s findings.
Yesterday, outgoing New Orleans Mayor Mitch Landrieu’s press office told the Times-Picayune that his office would not renew its pro bono contract with Palantir, which has been extended three times since 2012. The remarks were the first from Landrieu’s office concerning Palantir’s work with the NOPD. The mayor did not respond to repeated requests for comment from The Verge for the February 28th article, done in partnership with Investigative Fund, or from local media since news of the partnership broke.
There is also potential legal fallout from the revelation of New Orleans’ partnership with Palantir. Several defense attorneys interviewed by The Verge, including lawyers who represented people accused of membership in gangs that, according to documents and interviews, were identified at least in part through the use of Palantir software, said they had never heard of the partnership nor seen any discovery evidence referencing Palantir’s use by the NOPD.

(Related) If it was good policing, they would be bragging about it.
C.J. Ciaramella reports:
In 2004, Ascension Alverez-Tejeda and his girlfriend were stopped at a traffic light in Oregon when their car was rear-ended by a drunk driver. The police arrived and arrested the drunk, but while Alverez-Tejeda was outside dealing with the situation, a thief jumped in his car and tore off down the road.
Police recovered the car and, after obtaining a search warrant from a judge, found in it cocaine and methamphetamine that Alverez-Tejeda was trafficking from California to Washington.
It looked like a case of very bad luck for Alverez-Tejeda. The truth didn’t come out until the trial: The whole thing had been staged. The only ones who weren’t in on the plot were Alverez-Tejeda, his girlfriend, and the judge who signed the warrant.
Read more on Reason.
From the article:
The cops then constructed an elaborate ruse to gain probable cause to search his car.

Is a ‘feature,’ but not without risk.
You can store the following information in your Medical ID, which is viewable by anyone who knows how to access it:
  • Your name, Apple ID picture, and date of birth.
  • Known medical conditions (for example, asthma).
  • Relevant medical notes relating to conditions (for example, any metal pins from past surgery).
  • Known allergies and reactions.
  • Any medication you are currently taking.
  • Your blood type and organ donor status.
  • Your weight and height.
  • An emergency contact of your choosing.
Keep in mind that there’s no way of limiting this information to strictly emergency personnel. Anyone with physical access to your iPhone can find your Medical ID if they’re looking for it. This does raise some potential privacy concerns, but it’s a trade you’ll have to make if you want to use the feature.

For my Ethical hacking students’ toolkit.

Why the answers are obvious! Wrong, but obvious!
Orin Kerr writes:
I recently posted a draft of a new article, Cross-Enforcement of the Fourth Amendment, forthcoming in the Harvard Law Review. Here’s the opening:
Imagine you are a state police officer in a state that has decriminalized marijuana possession. You pull over a car for speeding, and you smell marijuana coming from inside the car. Marijuana possession is legal under state law but remains a federal offense. Can you search the car for evidence of the federal crime even though you are a state officer?
Next imagine you are a federal immigration agent driving on a state highway. You spot a van that you have a hunch contains undocumented immigrants. You lack sufficient cause to stop the van to investigate an immigration offense, but you notice that the van is speeding in violation of state traffic law. Can you pull over the van for speeding even though you are a federal agent?
Read more on The Volokh Conspiracy.

An end to confusion? If your accountants understand it, the Board of Directors can relax, maybe.
PricewaterhouseCoopers LLP plans to unveil a new offering to audit companies’ use of the blockchain—making sure companies are implementing and using it properly, and allowing people within a company to continuously monitor its blockchain transactions.

Perspective. This is why we are so easily slotted into categories.
Americans Are Partisan About Everything — Even Sex Scandals
Poll of the week
Views about President Trump’s relationship (or lack thereof) with adult film actress Stormy Daniels are split along partisan lines, according to a Huffington Post/YouGov survey released this week. Seventy percent of Democrats found credible Daniels’ account of an extramarital affair with Trump in 2006, while just 11 percent of Republicans said the same. And if Trump did have an affair with Daniels, 82 percent of Democrats said it would have been immoral, compared with 54 percent of Republicans.
Perhaps because Daniels is in the news, along with other alleged affairs by Trump, just 26 percent of Democrats (vs. 67 percent of Republicans) agreed that “an elected official who has committed an immoral act in their personal life can still behave ethically and fulfill their duties in their public and professional life.”

In a landmark 2016 study Johns Hopkins researchers estimated that more than 250,000 Americans die each year from treatment-related mistakes, making medical error the third-leading cause of death in the United States.
… Due to the progressive digitization of the cockpit and pilot decision support, flying by and trusting instruments is now essential for avoiding accidents. The U.S. Department of Defense’s new F-35 aircraft is so advanced that the pilot interacts continuously through a “heads-up” digital display projected on the helmet, providing total situational awareness. Pilots who aren’t adept at working with computer interfaces and don’t trust algorithms to help fly the aircraft will not just perform poorly, they’ll crash on takeoff.
… to realize the full potential of AI and other digital technologies we will need to overhaul medical education for future physicians and nurses and rethink professional development for current caregivers.

Handy notes for website builders.

Thursday, March 15, 2018

My students easily identified this as insider trading, why did the CIO think no one would notice?
Equifax CIO Put ‘2 and 2 Together’ Then Sold Stock, SEC Says
The text from the Equifax Inc. executive sounded ominous: “We may be the one breached.”
Yet before the wider world learned of the credit bureau’s massive hack – in which sensitive information for more than 140 million U.S. consumers had been compromised – the executive, Jun Ying, was selling Equifax stock, federal authorities now say.
Six months after the cyberattack shook Equifax and raised questions about suspicious trading by several executives there, the Department of Justice on Wednesday charged Ying with insider trading. Prosecutors say he searched on the internet for what might happen to Equifax stock when the news of the attack broke, then exercised all of his stock options. The move netted him more than $480,000. Ying’s lawyers, Douglas I. Koff and Craig S. Warkol of Schulte Roth & Zabel, declined to comment on Ying’s behalf.
… Ying, who was next in line to become the company’s global CIO, avoided more than $117,000 of losses by selling his shares, the SEC said.

My students are aware that new technologies are often introduced before security is considered. Not everyone has got the “design for security” word yet.
Why do the Vast Majority of Applications Still Not Undergo Security Testing?
Did you know that 84% of all cyber attacks target applications, not networks? What’s even more curious is that 80% of Internet of Things (IoT) applications aren’t even tested for security vulnerabilities.
It is 2018, and despite all the evidence around us, we haven’t fully accepted the problem at hand when it comes to software security. Because we haven’t accepted the problem, we are not making progress in addressing the associated vulnerabilities. Which is why after an active 2017, we are already seeing numerous new attacks before we leave the first quarter of the year.

Always interesting.
Microsoft Publishes Bi-annual Security Intelligence Report (SIR)
Microsoft's 23rd bi-annual Security Intelligence Report (SIR) focuses on three topics: the disruption of the Gamarue (aka Andromeda) botnet, evolving hacker methodologies, and ransomware. It draws on the data analysis of Microsoft's global estate since February 2017, including 400 billion email messages scanned, 450 billion authentications, and 18+ billion Bing webpage scans every month; together with the telemetry collected from the 1.2 billion Windows devices that opt in to sharing threat data with Microsoft.
The report has five primary recommendations to counter the threat of ransomware: backup data; employ multi-layered security defenses; upgrade to the latest software and enforce judicious patching; isolate or retire computers that cannot be patched; and manage and control privileged credentials. A new survey from Thycotic demonstrates just how poor many organizations are at managing privileged accounts.
There is no mention of a sixth potential recommendation -- if infected with ransomware, immediately visit the NoMoreRansom project website. This project aggregates known ransomware decryptors, and it is possible that victims might be able to recover encrypted files without recourse to the risky option of paying the ransom. For now, Microsoft does not appear to be a partner in this project.

Cool! I could ping your phone to get the same information. If I was a stalker, I’d be giggling! On the other hand, I don’t own a smartphone. Will I still be able to drive?
Joe Cadillic sent me an email with a subject line comment all in capital letters. That’s usually a clue that I’m about to read a very disturbing news development.
Jerry Smith reports:
Delaware could be among the first states to use mobile driver’s licenses.
Features of the mDL that will be tested include:
• Enhanced privacy for age verification: No need to show a person’s address, license number and birthdate. The mobile driver’s license will verify if the person is over 18 or 21 and display a photo.
• Law enforcement use during a traffic stop: The mobile driver’s license will allow law enforcement officers to ping a driver’s smartphone to request their driver’s license information before walking to the vehicle.
Read more on Delaware Online. I’m guessing it was that second bullet that really made Joe apoplectic.

Guidelines for anyone wishing to influence an election? Grab them fast, because they will likely get wiped too.
Facebook Quietly Hid Webpages Bragging of Ability to Influence Elections
The Intercept: “When Mark Zuckerberg was asked if Facebook had influenced the outcome of the 2016 presidential election, the founder and CEO dismissed the notion that the site even had such power as “crazy.” It was a disingenuous remark. Facebook’s website had an entire section devoted to touting the “success stories” of political campaigns that used the social network to influence electoral outcomes. That page, however, is now gone, even as the 2018 congressional primaries get underway… The case studies that Facebook used to list from political campaigns, however, included more interesting claims. Facebook’s work with Florida’s Republican Gov. Rick Scott “used link ads and video ads to boost Hispanic voter turnout in their candidate’s successful bid for a second term, resulting in a 22% increase in Hispanic support and the majority of the Cuban vote.” Facebook’s work with the Scottish National Party, a political party in the U.K., was described as “triggering a landslide.” The “success stories” drop-down menu that once included an entire section for “Government and Politics” is now gone. Pages for the individual case studies, like the Scott campaign and SNP, are still accessible through their URLs, but otherwise seem to have been delisted…”

(Related) It’s a start, but they better not screw it up!
YouTube announces plan to provide users with info cues to combat conspiracy theory videos
Wired: “After the mass shooting in Parkland, Florida, in February, the top trending video on YouTube wasn’t a news clip about the tragedy, but a conspiracy theory video suggesting survivor David Hogg was an actor. The video garnered 200,000 views before YouTube removed it from its platform. Until now, the company hasn’t said much about how it plans to handle the spread of that sort of misinformation moving forward. On Tuesday, however, YouTube CEO Susan Wojcicki detailed a potential solution. YouTube will now begin displaying links to fact-based content alongside conspiracy theory videos. Wojcicki announced the new feature, which she called “information cues,” during a talk with WIRED editor-in-chief Nicholas Thompson at the South by Southwest conference in Austin, Texas. Here’s how it will work: If you search and click on a conspiracy theory video about, say, chemtrails, YouTube will now link to a Wikipedia page that debunks the hoax alongside the video. A video calling into question whether humans have ever landed on the moon might be accompanied by the official Wikipedia page about the Apollo Moon landing in 1969. Wojcicki says the feature will only include conspiracy theories right now that have “significant debate” on the platform…”

(Related) I wonder if they checked to see if a high volume of referrals could harm Wikipedia?
YouTube didn’t tell Wikipedia about its plans for Wikipedia
YouTube doesn’t need to officially partner with Wikimedia to use information from Wikipedia, but it’s still a bemusing tactic to make such an announcement without any official word passed between the two.

This will never be anonymous. (Anonymous entity #4567 arrested for 17 counts of murder in Parkland, Florida)
Florida Could Start a Criminal-Justice Data Revolution
There’s no such thing as the US criminal justice system. There are, instead, thousands of counties across the country, each with their own systems, made up of a diffuse network of sheriffs, court clerks, prosecutors, public defenders, and jail officials who all enforce the rules around who does and doesn’t end up behind bars. It’s hard enough to ensure that key details about a case pass from one node of this convoluted web to the other within a single county; forget about at the state or national level.
That's what makes a new criminal justice reform bill now making its way to Florida governor Rick Scott’s desk especially noteworthy. On Friday, the Florida Legislature approved a bill, introduced by Republican state representative Chris Sprowls, that requires every entity within the state’s criminal justice system to collect an unprecedented amount of data and publish it in one publicly accessible database. That database will store anonymized data about individual defendants—including, among other things, previously unrecorded details about their ethnicities and the precise terms of their plea deals. It will also include county-level data about the daily number of people being held in a given jail pre-trial, for instance, or a court’s annual misdemeanor caseload. All in, the bill requires counties to turn over about 25 percent more data than they currently do.

The law, she keeps a-changing!
German Court's Privacy Ruling Against Facebook Will Have Far-Reaching Effects
Facebook has millions of users in the European Union, and a German court recently ruled against the company in a case involving its Privacy Policy. Few ever read privacy policies except judges, who must examine them when challenges arise.
The new EU General Data Protection Regulations, which go into effect on May 25, will make things even more complicated.
If you have any customers who are EU residents, the new GDPR will impact you.
… A German court earlier this year ruled that Facebook's terms of use did not comply with informed consent.
Informed consent is specific under EU rules. Article 4(11) of the GDPR defines consent as
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
Five criteria must be met to constitute consent:
  • freely given
  • specific
  • informed
  • unambiguous
  • affirmative

… Facebook and many U.S. websites use default privacy settings. The German court found several of those settings were difficult for the user to find and change. By implementing default settings, Facebook had failed to get informed consent.

At what point do you need to talk to a real lawyer? Perhaps an AI app could help answer that.
Legal tech is opening the system to those who need legal representation the most
TechCrunch: “…Emerging startups like and legal tech products like LegalZoom and DocuSign have lowered the barrier to entry for legal protection that was previously confined to law offices. Now anyone can write their will or incorporate a company without having to seek legal counsel. The dissolution of the traditional legal business model is good news for public interest law. Access to justice is a fundamental human right, but most can’t afford to hire legal representation when the need arises. Public defenders, pro bono lawyers, and immigration attorneys provide a great service to citizens, yet the demand for legal support far outweighs the supply of legal aid services. There simply aren’t enough public interest lawyers to go around. Financial hardship shouldn’t be a barrier to justice. Fortunately, simple applications of technology can streamline legal representation, and with wider adoption, may reduce a key contributor to the economic inequality equation. While law firms have been slow to embrace new disruptive technologies, public interest law is different. Tech allows them to serve more clients. It’s a disruption for good, and nonprofit tech companies are spearheading this movement….”

Making my students more productive?
If you’re a programmer who doesn’t use Chrome, you’re in the minority.

Might be useful for students describing their projects to potential employers.
A Great List of Tools for Making Cool Infographics
Cool Infographics is a book and a blog written by Randy Krum. I read his book a few years ago and came away with some great design ideas that I now use in my slides and in some social media posts. On his blog Randy critiques the design quality and information accuracy of infographics found around the Internet. His blog also contains a section in which he lists dozens of tools for creating all kinds of data visualizations.
The Cool Infographics tools page lists dozens of tools for building all kinds of data visualizations from simple word clouds to complex interactive designs. The Cool Infographics tools page also lists resources for free images, resources on picking the right design for your project, and places to find data to use in your projects.
Some of the tools on the Cool Infographics tools page will be familiar to readers of this blog. Canva and Timeline JS, for example, have been featured many times on this blog. Some tools, like Zanifesto, were completely new to me.

This could be useful for many of my students.

(Related) This one, not so much. Apparently, they think there is a market.
Duolingo targets Trekkies with new Klingon language course

Wednesday, March 14, 2018

Are we secretly at war? How do we tell random criminal breaches from organized state sponsored attacks? (Have we drawn a line in the sand?)
This sounds serious. Zack Hale reports:
The Port of Longview was recently victimized by a cyber attack that may have affected hundreds of past and current employees and dozens of vendors.
The FBI notified the port of the attack on Feb. 1, according to an internal memo obtained Monday by The Daily News.
However, the FBI told the port additional details about the attack are “classified,” according to the memo.
Investigators traced the attack to internet service provider addresses in Russia, Liberia and Kazakhstan, according to the memo.
Read more on TDN.
As a matter of opinion, I am tired of seeing entities engage law firms so that they can decline to reveal details and shield them as “privileged.” There needs to be an exception for matters of significant public concern, and a foreign attack on a port should qualify for needing public disclosure. Or at least a Congressional investigation and inquiry – if we had a Congress that could actually investigate anything without turning things into a partisan circus.

Not the kind of “First” you want to be remembered for…
J. Robert MacAneney of Carlton Fields writes:
On March 5, Yahoo, Inc. (“Yahoo”) announced a proposed settlement in In re Yahoo Inc. Securities Litigation, which was filed in U.S. District Court in San Francisco. The $80 million proposed settlement relates to a securities class litigation stemming from Yahoo’s 2013 and 2014 data breaches. While many elements of the Yahoo securities class action may be factually unique, the settlement is a milestone because it is the first significant securities fraud settlement from a cybersecurity breach.
Read more on JDSupra.

A problem with archives.
The Quest for a Universal Translator for Old, Obsolete Computer Files
“…The digital world continues to expand and mutate in all sorts of ways that will orphan and otherwise impair file formats and programs—from ones long forgotten to ones that work just fine today but carry no guarantees against obsolescence. Instead of a patchwork of one-off solutions, perhaps there’s a better way to keep old software running smoothly—a simpler process for summoning the past on demand. A team at the Yale University Library is trying to build one. Digital archivists deal with at least two broad categories of artifacts. There are analog objects or documents scanned into a second, digital life—digitized maps, for instance, or scanned photos. The other objects are natives of the digital world. These files can include everything from a simple compressed image to a game on a CD-ROM to a CAD design for a skyscraper. The relentless march of new versions and new platforms makes obsolescence a constant presence, from as soon as digital objects are conceived…”

This may help me explain ‘harm’ to my students.
In lawsuits about data breaches, the issue of harm has confounded courts. Harm is central to whether plaintiffs have standing to sue in federal court and whether their legal claims are viable. Plaintiffs have argued that data breaches create a risk of future injury, such as identity theft, fraud, or damaged reputations, and that breaches cause them to experience anxiety about this risk. Courts have been reaching wildly inconsistent conclusions on the issue of harm, with most courts dismissing data-breach lawsuits for failure to allege harm. A sound and principled approach to harm has yet to emerge.
In the past five years, the U.S. Supreme Court has contributed to the confusion. In 2013, the Court, in Clapper v. Amnesty International, concluded that fear and anxiety about surveillance—and the cost of taking measures to protect against it—were too speculative to satisfy the “injury in fact” requirement to warrant standing. This past term, the U.S. Supreme Court stated in Spokeo v. Robins that “intangible” injury, including the “risk” of injury, could be sufficient to establish harm. When does an increased risk of future injury and anxiety constitute harm? The answer remains unclear. Little progress has been made to harmonize this troubled body of law, and there is no coherent theory or approach.
In this Article, we examine why courts have struggled to conceptualize harms caused by data breaches. The difficulty largely stems from the fact that data-breach harms are intangible, risk-oriented, and diffuse. Harms with these characteristics need not confound courts; the judicial system has been recognizing intangible, risk-oriented, and diffuse injuries in other areas of law. We argue that courts are far too dismissive of certain forms of data-breach harm and can and should find cognizable harms. We demonstrate how courts can assess risk and anxiety in a concrete and coherent way, drawing upon existing legal precedent.
Solove, D.J. and Citron, D.K. Risk and Anxiety: A Theory of Data-Breach Harms. Texas Law Review. March, 2018, 96:737. Download here.

I kinda thought they were already doing this. Do you think they actually expected customers to walk into their stores?
Why Luxury Brands Are Racing to Embrace E-commerce
Farfetch is on the cusp of accomplishing something rare in the world of luxury retail: It potentially could become one of the few luxury tech “unicorns” with an upcoming $5 billion IPO. The lofty valuation marks a remarkable turn for an industry that had long been resistant to selling online, fearful that the internet’s mass access would damage luxury brands’ exclusivity. But now luxury fashion houses from Louis Vuitton to Chanel and Gucci have been racing to embrace digital, whether it is partnering with multi-brand sites like Farfetch, developing their own platforms or both.
The pivot to digital makes sense: Online sales are expected to drive future growth in the luxury goods market, making up 25% of the market by 2025 up from an estimated 9% last year, according to a 2017 report from Bain & Co. That means sales from offline stores will shrink to 75% of the total from 91%. Such projections serve as a wake-up call to luxury brands that have long relied on partners such as department stores — and their own boutiques — to sell products. But traditional retailers are struggling and more customers are becoming comfortable buying luxury goods online.

Apparently this is how you ‘campaign’ in Russia. “Vote for me or else?”
Putin enemy found dead in London eight days after Skripal poisoning, as counter-terror police launch investigation
Counter-terrorism police have opened an investigation into the “unexplained” death on British soil of an arch enemy of Vladimir Putin, just eight days after the nerve gas assassination attempt on a Russian double agent.
Nikolai Glushkov, 68, the right-hand man of the deceased oligarch Boris Berezovsky, Mr Putin’s one-time fiercest rival, was found dead at his London home on Monday.
A Russian media source said Glushkov, the former boss of the state airline Aeroflot, who said he feared he was on a Kremlin hit-list, was found with “strangulation marks” on his neck.

Resources for my undergrads…
Look for scholarships with Free Graduate School Scholarship Search
Sallie Mae- “Learn why scholarships—free money that you don’t have to pay back—are important and how to search for them to help you pay for graduate school…. Getting started is easy; students register free of charge, fill out a profile that can be updated at any time, and start searching. The tool responds with matches that identify relevant scholarships and their award amounts, application requirements, and deadlines. In addition, Graduate School Scholarship Search automatically will send updates when it identifies new matches.”

For our Python students.

None of the social media giants have offered guidance, as far as I know.

Tuesday, March 13, 2018

A local heads-up!
Sammantha Tillotson and Casie Collignon of BakerHostetler write:
In January 2018, Colorado legislators sponsored a bill that, if passed, will change the state’s existing data breach reporting laws in important ways. A House Committee Report detailing the current version of the bill can be found here. The bill would create a new statute, C.R.S. § 6-1-713.5, titled Protection of Personal Identifying Information, which amends the existing statutes C.R.S. § 6-1-713, governing the disposal of personal identifying information, and C.R.S. § 6-1-716, Notification of Security Breach.
Read more on Data Privacy Monitor.

I’ll ask my Data Management class why they would do this. Care to speculate?
Thomas Fox-Brewster reports:
All it might take is a USB stick and 10 seconds for a Mazda to be turned into a kind of spy mobile.
Two researchers who’ve been probing one of the car maker’s models in recent months found the vehicle was collecting an awful lot of information from drivers’ smartphones, including text messages, call records, app activity, photos, contacts, GPS history and emails. And it was storing all that information unencrypted, they claim. They later discovered a way to install malware on the car, forcing it not only to hand over all that information, but track the location of the vehicle in almost real-time.
Read more on Forbes.

Someone needs to figure out what will work… Just saying.
Dena Castricone of Murtha Cullina writes:
Two courts. Two days. Two different results. On March 7, on remand from the U.S. Court of Appeals for the Eighth Circuit, a federal district court judge in Minnesota granted a motion to dismiss a consumer class action suit involving a 2014 data breach affecting over 1,000 grocery stores. The court found that the allegations of possible future identity theft or fraud because of the breach were not sufficient to establish a substantial risk of future harm.
The next day, the U.S. Court of Appeals for the Ninth Circuit reached an opposite result, further highlighting the split among courts on the issue of standing in data breach litigation.
Read more on JDSupra.

It will be amusing to see if TSA’s search for “really stupid terrorists” is more sophisticated than Best Buy’s Geek Squad. Unlikely TSA will reveal their strategy, because they don’t seem to have one. They operate like any bureaucracy attempting to expand its power.
ACLU sues the TSA for domestic electronics screening details
When the TSA launched stricter screening procedures for domestic passengers' electronic devices last year, it didn't reveal the whys and hows. That didn't sit well with the American Civil Liberties Union Foundation, which has now filed a Freedom of Information Act (FOIA) lawsuit against the organization in an effort to extract more info about its procedures and motivations.
… The rights and liberties watchdog wants to see the TSA's records detailing its policies, procedures or protocols when it comes to searching domestic passengers' devices. It also wants to see the equipment the TSA uses to probe deep into people's phones and laptops when they don't think manual searches are enough. Finally, it wants to know what kind of training the officers who conduct electronic searches get.

The cy pres that funded the Privacy Foundation at DU’s Sturm College of Law provided years of Privacy education. With that as an example, maybe this is not such a bad idea.
Marcia Coyle writes:
Google Inc. has told the U.S. Supreme Court there was nothing unfair or unreasonable about the tech company’s $8.5 million settlement of a class action in which $5.3 million of the funds go to third parties and none to members of the class.
In urging the justices to deny review in Frank v. Gaos, Mayer Brown partner Donald Falk, representing Google, argued the cy pres-only settlement “will benefit the class as a whole by funding closely targeted projects that are directly connected to the internet privacy issues raised by plaintiffs’ claims.”
Read more on the National Law Journal.

If it’s good enough for Spider-Man...
With Great Platforms Comes Great Responsibility
The openness provided by Facebook, Twitter, Google, and other leading digital platforms is working against them and their users. Everyone – including the companies that created these platforms – needs to find ways to fight against their malicious use.

Commentary – how do we fix life online without limiting free speech
“Which Web sites get the most traffic? According to the ranking service Alexa, the top three sites in the United States, as of this writing, are Google, YouTube, and Facebook. (Porn, somewhat hearteningly, doesn’t crack the top ten.) The rankings don’t reflect everything—the dark Web, the nouveau-riche recluses harvesting bitcoin—but, for the most part, people online go where you’d expect them to go. The only truly surprising entry, in fourth place, is Reddit, whose astronomical popularity seems at odds with the fact that many Americans have only vaguely heard of the site and have no real understanding of what it is.

U.N. investigators cite Facebook role in Myanmar crisis
U.N. human rights experts investigating a possible genocide in Myanmar said on Monday that Facebook had played a role in spreading hate speech there.
… U.N. Myanmar investigator Yanghee Lee said Facebook was a huge part of public, civil and private life, and the government used it to disseminate information to the public.
“Everything is done through Facebook in Myanmar,” she told reporters, adding that Facebook had helped the impoverished country but had also been used to spread hate speech.

Do people still read? Perhaps Apple will read stories to them?
Apple is acquiring the Netflix of magazines
Apple announced today that it signed an agreement to acquire the digital magazine service Texture, which serves articles from more than 200 magazines digitally on iOS, Windows, Amazon, and Android devices for a flat monthly fee.
Apple has acquired the entire company, including staff, and has assured users that the Android version of the app will still be supported. The price of the acquisition was not disclosed.

Monday, March 12, 2018

For my Ethical Hackers. Hiding for six years is good, but probably not a record.
Newly discovered Slingshot malware was hidden in routers for 6 years
Securelist, a division of Kaspersky Lab, has identified a highly-advanced malware family called "Slingshot," which appears to have been first deployed in 2012, and was active in February when the researchers finished their investigation. Researchers at Kaspersky Lab have identified nearly 100 targets of the Slingshot APT (advanced persistent threat) including individuals, government agencies, and organizations located primarily in Kenya, Yemen, Libya, and Afghanistan.

Educating us educators.
Blockchain May Offer a Résumé You Can Trust
Employers have struggled for years with the question: How do I know these job candidates are telling the truth about their background?
New assurance may come from a surprising place: blockchain technology.
A handful of educational institutions and technology companies are working on developing trustworthy, quickly verifiable digital diplomas...

I think Sir Tim has it backward. Should we wrap regulations around technologies that became a place for innovation because they were open (i.e., unregulated)?
Tim Berners-Lee: We need a ‘legal or regulatory framework’ to save the Web from dominant tech platforms
World Wide Web inventor Sir Tim Berners-Lee believes we need to regulate technology companies to help preserve the Web as we know it.
The British computer scientist issued an open letter today, 29 years to the day after he first proposed his idea for the online information management system that would later become known as the Web. In the letter, he outlined what he thinks we need to do to save the Web from the concentration of power of a “few dominant platforms” that has “made it possible to weaponize the Web at scale.”

Too simple?
My Simpleshow
My Simpleshow is a tool for building short “explainer” videos. It includes a number of template storylines that users can select as a starting point. For example, their educational templates include “explain a mathematical formula,” “interpret literature,” “introduce a biological process,” and others. There are also professional storylines (like “introduce your startup”) and personal storylines (like “invite someone to an event”). After selecting a storyline, users flesh out the template script with their specific details, select illustrations, and graphics, and select a soundtrack. A number of sample explainer videos can be found under “examples” in the menu at the top right of the site. My Simpleshow is free for personal or classroom use. A variety of paid plans are also available for business use. My Simpleshow works in any modern browser.

Sunday, March 11, 2018

It’s good to be the king.
Chinese Intelligence Agencies Are Doctoring the Country's Vulnerability Database
Chinese intelligence agencies are doctoring the Chinese National Vulnerabilities Database (CNNVD) to hide security flaws that government hackers might have an interest in, according to a report released on Friday by US threat intelligence firm Recorded Future.
… "CNNVD’s manipulation of its vulnerability publication data ultimately reveals more than it conceals," the Recorded Future team says.
"First, the selective backdating of vulnerability publication for the outliers is essentially a tacit confirmation from CNNVD of their vulnerability evaluation program and the operational use of some delayed vulnerabilities.
"Second, while many think of the MSS (Ministry of State Security) as primarily a foreign intelligence service, it also has a large, and arguably more important, domestic intelligence mandate."

Are similar phones available to non-criminals on the open market? I’d venture a ‘yes’ on that.
Feds Bust CEO Allegedly Selling Custom BlackBerry Phones to Sinaloa Drug Cartel
For years, a slew of shadowy companies have sold so-called encrypted phones, custom BlackBerry or Android devices that sometimes have the camera and microphone removed and only send secure messages through private networks. Several of those firms allegedly cater primarily for criminal organizations.
Now, the FBI has arrested the owner of one of the most established companies, Phantom Secure, as part of a complex law enforcement operation, according to court records and sources familiar with the matter.
… A complaint filed in the Southern District of California on Thursday charges Vincent Ramos, the founder and CEO of Canada-based Phantom, with racketeering conspiracy to conduct enterprise affairs, as well as conspiracy to distribute narcotics, and aiding and abetting. Authorities arrested Ramos on Thursday, according to the court docket. Crucially, the complaint alleges that Ramos and Phantom were not simply incidental to a crime, like Apple might be when a criminal uses an iPhone, but that the company was specifically created to facilitate criminal activity.
… In addition to removing the microphone and camera from BlackBerry devices, Phantom also takes out GPS navigation, internet browsing, and normal messenger services, the complaint reads. Phantom then installs Pretty Good Privacy (PGP) software to send encrypted messages, and routes these messages through overseas servers, the complaint alleges. The complaint points to Hong Kong and Panama as countries “believed by PHANTOM SECURE to be uncooperative with law enforcement.” Phantom can also remotely wipe devices in the event they are seized by authorities.
… Law enforcement agencies have cracked down on other encrypted phone companies allegedly catering to organised crime over the past few years. In 2016, Dutch investigators arrested the owner of Ennetcom, whose customers allegedly include hitmen, drug traffickers, and other serious criminals. And then in 2017, Dutch authorities also busted PGP Sure, which also allegedly catered to organized crime.

Perspective. If the government says “NO!” ignore them?
Stealth startup launches four unauthorized rogue satellites into orbit
The Indian-built PSLV-C40, which launched in January, had 31 satellites onboard. It carried a lot of cool stuff into orbit, including the Arkyd-6 satellite which could lead to asteroid mining, as well as the first commercial satellite for Finland.
It also carried an unauthorized payload: four tiny satellites from a stealth startup called Swarm Technologies, which didn’t have permission from the Federal Communications Commission (FCC). The nearly undetectable satellites could pose a hazard to the thousands of other orbiting spacecraft, the agency said.
… Realizing that their tiny satellites would raise red flags at the agency, the company installed GPS responders and covered the satellites in radar-reflecting material to make them easier to track.
The FCC disagreed, however, and rejected Swarm’s application for its satellite launch in December, citing safety concerns.

Perspective. For my Data Management Students.
The History of Digital Content (Infographic)
2.5 quintillion bytes of digital data are created every day -- that’s equivalent to the storage capacity of 36 million iPads.