Saturday, April 21, 2018

Reinforcing the points made in yesterday's Privacy Foundation seminar. Authorized employees are a substantial risk! “Became Aware” is not the same as “Discovered.” Likely someone told them what was happening. Interesting again that they offer Identity Protection to all of their clients.
From their press release:
SunTrust Banks, Inc. (NYSE: STI) is now offering Identity Protection for all current and new consumer clients at no cost on an ongoing basis. Experian IDnotify™ will be provided to those who sign up for the service.
SunTrust cares deeply about the privacy and security of client information. The company became aware of potential theft by a former employee of information from some of its contact lists. Although the investigation is ongoing, SunTrust is proactively notifying approximately 1.5 million clients that certain information, such as name, address, phone number and certain account balances may have been exposed. The contact lists did not include personally identifying information, such as social security number, account number, PIN, User ID, password, or driver’s license information. SunTrust is also working with outside experts and coordinating with law enforcement.
Read the full press release here.

More resources for my Computer Security students.

...and a tool for Privacy.

Interesting arguments?
Government hacking tactics questioned at OURSA
Jennifer Granick, surveillance and cybersecurity counsel at the American Civil Liberties Union, took the stage at OURSA on Tuesday to discuss the state of modern surveillance and hacking performed by the U.S. government, arguing that both cross the line of traditional legal searches.
"Increasingly, modern surveillance is mass surveillance," Granick said. "We used to target people for surveillance because of their political opinions or their religion or their race. Now the mainstream is being surveilled."
… The U.S. doesn't currently have specific hacking laws, though the U.S. government uses hacking for law enforcement and intelligence operations. Instead, noted Granick, the U.S. relies on the same legal process for hacking that it does for regular searches – the warrant. While warrants are crucial, they don't cover enough ground.
"Government hacking is different from regular searches in five particular ways that the warrant requirement can't really address," Granick said.
Those ways include the amount of data being collected; the invasiveness of the techniques the government uses to hack and surveil, such as turning on the cameras and microphones on personal laptops and smart devices; and, the falsification of data.
… "If this information is being collected for criminal prosecution purposes, how can we know that the very act of accessing the computer hasn't changed the information that's there in ways that impinge upon the defendants' rights?" Granick posed. "How can the defense test that theory and see that the evidence is not altered in any way if the government insists on keeping the exploit and the vulnerability secret? It interferes with the due process rights of the defendant in the criminal justice system."
The fourth way in which government hacking is out-of-scope with regular search warrants is the potential cybersecurity harms.

Fodder for my IT Management class.
Wells Fargo Fined $1B for Mortgage, Auto Lending Abuses
Wells Fargo will pay $1 billion to federal regulators to settle charges tied to misconduct at its mortgage and auto lending business, the latest punishment levied against the banking giant for widespread customer abuses.
… Starting in September 2016, Wells has admitted to a number of abusive practices across multiple parts of its business that duped consumers out of millions of dollars. Regulators, in turn, have fined Wells several times and put unprecedented restrictions on its ability to do business, including forcing the bank to replace directors on its board.
… In Friday's announcement, the CFPB and the OCC penalized Wells for improperly charging fees to borrowers who wanted to lock in an interest rate on a pending mortgage loan and for sticking auto loan customers with insurance policies they didn't want or need. The bank admitted that tens of thousands of customers who could not afford the combined auto loan and extra insurance payment fell behind on their payments and had their cars repossessed.
These abuses are separate from Wells Fargo's well-known sales practices scandal, where employees opened as many as 3.5 million bank and credit card accounts without getting customers' authorization. The account scandal torpedoed Wells Fargo's reputation as the nation's best-run bank.

Helping my students select a major.
A.I. Researchers Are Making More Than $1 Million, Even at a Nonprofit
One of the poorest-kept secrets in Silicon Valley has been the huge salaries and bonuses that experts in artificial intelligence can command. Now, a little-noticed tax filing by a research lab called OpenAI has made some of those eye-popping figures public.
OpenAI paid its top researcher, Ilya Sutskever, more than $1.9 million in 2016. It paid another leading researcher, Ian Goodfellow, more than $800,000 — even though he was not hired until March of that year. Both were recruited from Google.
A third big name in the field, the roboticist Pieter Abbeel, made $425,000, though he did not join until June 2016, after taking a leave from his job as a professor at the University of California, Berkeley. Those figures all include signing bonuses.

Friday, April 20, 2018

When is taking advantage of a Security Failure not a crime? An old and well (or at least frequently) documented problem.
Is Enumerating Resources on a Website "Hacking"?
I saw a story pop up this week which made a bunch of headlines and upon sharing it, also sparked some vigorous debate. It all had to do with a 19-year-old bloke in Canada downloading some publicly accessible documents which, as it later turned out, shouldn't have been publicly accessible. Let's start with this video as it pretty succinctly explains the issue in consumer-friendly terms:
… This was public data. Whether it was intended to be public or not does not change the fact that it was published to a location which exposed it to the world without any requirement for authorisation whatsoever. His "crime" was simply to use the technology as it was designed to work. There was a lot of support for this position.

For my Ethical Hacking students. Be sure to wear the electronic equivalent of a bio-hazard suit.

I’m sure my lawyer friends will be able to explain this one. Sure.
Matt Burgess reports:
“Do not pretend that I do not exist, do not ignore me or break the deadlines,” was the message from one unknown hacker to a British company targeted in February 2018. The person stole a “very large quantity of data”.
Both the hacker and the hacked company are the subject of a High Court injunction. The legal ruling from judge Matthew Nicklin, has been taken out to stop the company being named and prohibits hacked data from being stolen.
The case gives an insight into one hacker’s demands to a company and how it responded. It is the latest in a number of injunctions being taken out by companies that are looking to protect information that has been stolen from their servers.
Read more on Wired (UK).
OK, I don’t see how this is going to stop the hackers from dumping data if they don’t get paid. Maybe some web hosts will honor/comply with an injunction and remove data, but there are just too many ways/places to dump data for this to really make a serious dent in the problem. And what would stop a U.S. journalist from reporting on the breach, naming the company, and discussing any stolen data???

Good news for the White House? (Where would the President be without “Fake News” to blame?)
Americans Favor Protecting Information Freedoms Over Government Steps to Restrict False News Online
… Nearly six-in-ten Americans (58%) say they prefer to protect the public’s freedom to access and publish information online, including on social media, even if it means false information can also be published. Roughly four-in-ten (39%) fall the other way, preferring that the U.S. government take steps to restrict false information even if it limits those freedoms, according to a survey

I’ll believe it when my students start reading ToS.
The ‘Terms and Conditions’ Reckoning Is Coming
Eleanor Margolis had used PayPal for more than a decade when the online payment provider blocked her account in January. The reason: She was 16 years old when she signed up, and PayPal Holdings Inc. insists she should have known the minimum age is 18, because the rule is clearly stated in terms and conditions she agreed to. Clearly stated, that is, in a document longer than The Great Gatsby—almost 50,000 words spread across 21 separate web pages. “They didn’t have any checks in place to make sure I was over 18,” says Margolis, now 28. “Instead, they contact me 12 years later. It’s completely absurd.”
… GDPR, which comes into force in Europe in May and calls for fines as high as 4 percent of a company’s global revenue for violations, will make it tougher to get away with book-length user agreements, says Eduardo Ustaran, co-director of the cybersecurity practice at law firm Hogan Lovells. He suggests that companies streamline their rules and make sure they’re written in plain English. If a typical user wouldn’t understand the documents, the consent that companies rely on for their business activities would be legally invalid. “Your whole basis for using people’s personal data would disappear,” Ustaran says.

No other comment.
The FBI Restored Its Missing Crime Data
On Tuesday, the FBI restored 70 data tables that were missing from the 2016 Crime in the United States report, providing data that researchers consider crucial to their understanding of crime trends in the U.S. over time. The yearly report is considered the gold standard for tracking crime statistics in the United States, gathered from over 18,000 law-enforcement agencies in cities around the country. But the 2016 report, the first compiled under the Trump administration, was missing dozens of data tables that researchers rely on.

Thursday, April 19, 2018

If you have data, someone will collect and aggregate it.
Data firm leaks 48 million user profiles it scraped from Facebook, LinkedIn, others
A little-known data firm was able to build 48 million personal profiles, combining data from sites and social networks like Facebook, LinkedIn, Twitter, and Zillow, among others -- without the users' knowledge or consent.
Localblox, a Bellevue, Wash.-based firm, says it "automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks." Since its founding in 2010, the company has focused its collection on publicly accessible data sources, like social networks Facebook, Twitter, and LinkedIn, and real estate site Zillow to name a few, to produce profiles.
But earlier this year, the company left a massive store of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents.
The bucket, labeled "lbdumps," contained a file that unpacked to a single file over 1.2 terabytes in size. The file listed 48 million individual records, scraped from public profiles, consolidated, then stitched together.
The data was subsequently found by Chris Vickery, director of cyber risk research at security firm UpGuard. Vickery, a well-known ethical data breach hunter, disclosed the leak to Localblox's chief technology officer Ashfaq Rahman in late February. The bucket was secured hours later.

(Related) A long look at a company operating on the fringe? Making a business of Big Brotherly surveillance. If nothing else, the background image is worth viewing.
Palantir Knows Everything About You

Useful! I will share this with my Computer Security students. (PDF)
Chart on Admissibility of Electronic Evidence
Craig Ball posted a well documented chart, Admissibility of Electronic Evidence, authored by U.S. District Judge Paul Grimm and attorney Kevin Brady.

The other side of the “All AI Algorithms are Biased” argument.
Upping Your Diversity Game: Tech That Enables a More Diverse Talent Pool
Diversity is a common topic of discussion for HR teams and internal recruiters, and with good reason. Few people question that a diverse team makes a company stronger. But finding the right pool of candidates can be a challenge.
It's surprising where some of those challenges come from. Many people think subconscious bias during resume review could be the cause, and that's one of the issues. But even the way you write your job descriptions can impact the kinds of candidates that apply.
… Corporations have tried to combat unconscious bias through training, but critics and even some studies say that traditional diversity training is the least effective means of removing bias from hiring.
… Several applications exist that allow companies to find candidates solely based on skills. Software like Hundred5 allows applicants to take a skills-based test, and those that score the lowest are weeded out of the pack of potential hires before anyone can make assumptions about gender or race.
… Similarly, platforms Pymetrics and Gapjumpers use online surveys and quizzes without demographic information attached. Applicants answer questions on Gapjumpers, what they call "blind auditions", and employers review the answers to decide if the applicant is worth pursuing. According to their website, Gapjumpers sees women making up 60 percent of the top performers in blind auditions.
Pymetrics combines neuroscience games and AI to match people with jobs. After roughly 20 minutes playing behavior-based games, the AI matches the results with the profile of a position. If there is a match, the applicant moves on to the next round.

Jeff Bezos reveals Amazon has 100 million Prime members in letter to shareholders

A supplement for my students.
Linkedin – The Skills Companies Need Most in 2018 – And The Courses to Get Them
Linkedin Learning Blog: “Whenever there is change, there is opportunity. With report after report showing the world of work changing faster than ever today, it’s fair to assume there’s more opportunity than ever. The challenge? It isn’t easy to know where that opportunity exists. If only some organization with the resources necessary to answer that question could release a roadmap… Well, consider this your roadmap. Using a combination of LinkedIn data and survey results, we determined both the soft and the hard skills companies need most. And then we provided LinkedIn Learning courses that teach those skills, which we’ve made free for all of January 2018…”
[As I read their course descriptions, it looks like they actually offer First Month Free. Bob]
For all my students.
You can think of Grasshopper as an app that teaches you how to code in Javascript similar to how apps like Duolingo teach you how to learn a foreign language. After signing in with your Google account, you will be walked through the basics of programming and given several quizzes. As you continue on, you will be given more subject matter to learn and exercises to help you retain the knowledge.
… My one real hope is that as Grasshopper grows, the Google developers working on the app will add new programming languages for users to learn.
If you’re interested in checking out Grasshopper for yourself, you can download it for free from the Play Store. Additionally, if you’re running iOS, you can download it from Apple’s App Store.

Wednesday, April 18, 2018

Good news for my Computer Security majors.
Closing the Enterprise Security Skills Gap
… The term "skills gap," in a nutshell, refers to specific challenges organizations have confronted over the past few years in finding and retaining competent, trained resources for security efforts. It is a measurable trend across the industry as a whole.
For example, it takes most organizations (54 percent) more than three months to fill open security positions, the recently released 2018 ISACA Global State of Cybersecurity Survey found. That figure is consistent with its prior year's findings.

(Related) Go where management is worried.
Security Pros at Energy Firms Concerned About 'Catastrophic' Attacks
Many cybersecurity professionals working in the energy sector are concerned that an attack on their organization’s industrial control systems (ICS) could have “catastrophic” consequences, according to a study conducted recently by Dimensional Research on behalf of security and compliance solutions provider Tripwire.
Of the more than 150 respondents, including IT and OT security professionals in energy and oil and gas companies, 91% say they are worried about the risk of attacks on ICS. Nearly all respondents are very concerned or somewhat concerned about an attack leading to operational shutdowns or downtime that impacts customers.
Other areas of major concern include physical damage to infrastructure, employee safety, impact on the organization’s reputation, and data theft.
High-profile pieces of malware such as Trisis and Industroyer have had a significant impact on security investments, but incidents involving ransomware have had the same degree of impact, the study shows.

Stay current (better yet, stay ahead) with your security updates. Constantly remind your employees of the risks.
NSA: Hackers Weaponize Known Vulnerabilities Within 24 Hours
How do you break into the US military's defense networks? Apparently, hackers are trying to do so by leveraging every publicly-known vulnerability they can find.
The turnaround can be quick, said Dave Hogue, a technical director with the US National Security Agency. Once a security flaw goes public, it can be added into the arsenal of state-sponsored attackers in less than a day.
"Within 24 hours I would say now, whenever an exploit or a vulnerability is released, it's weaponized and used against us," Hogue said in a talk at the RSA security conference on Tuesday.
… Hogue said the top attack method the agency is running into is phishing messages.
"We see 36 million emails per day, and we reject about 85 percent of those," he said.
It's also rare for the agency to encounter a "zero-day" exploit, or a cyber attack that leverages a previously unknown vulnerability. In fact, the NSA has not responded to an intrusion that uses a zero-day vulnerability in over 24 months, Hogue said.

My guess is that this was not a Russian hack.
IRS website unavailable for efiling most of tax day!
IRS electronic filing systems working again after agency’s Tax Day technology meltdown: “The Internal Revenue Service’s system for accepting online tax returns is working again after being inoperational for much of the day Tuesday [April 17, 2018]. IRS officials promised that people hampered by the technology failures would not be penalized for late returns, but they have not yet announced any specific exemptions to the deadline. This story will be updated.” [ IRS gives taxpayers one more day to file after payment site crashes. ]

So much for the good fight? Not sure ‘resolved’ is the right word.
U.S. top court rules that Microsoft email privacy dispute is moot
The U.S. Supreme Court on Tuesday dropped Microsoft Corp’s privacy fight with the Justice Department over whether prosecutors can force technology companies to hand over data stored overseas after Congress passed legislation that resolved the dispute.
… President Donald Trump on March 22 signed legislation into law that makes clear that U.S. judges can issue warrants for such data while giving companies an avenue to object if the request conflicts with foreign law.

“Solutions” my software architecture students should consider. Is India the testing sandbox for new innovations?
Amazon made a lightweight browser for India, and it's fantastic
Amazon introduced the Kindle Lite app late last month, offering a similar experience as the full-fledged Kindle client for a fraction of the size. Now, the retailer has rolled out a lightweight web browser dubbed Internet, which comes in at just 2MB and takes up just 26MB of storage space on your phone.
One of the key highlights with Amazon's browser is a private mode, which is essentially the same thing as Chrome's incognito mode.

(Related) Perhaps my software architecture students could generalize this to address our ongoing self-driving car debate?
Algorithmic Impact Assessments: A Practical Framework for Public Agency Accountability
GCN: Algorithmic Impact Assessments: A Practical Framework for Public Agency Accountability, a report by the AI Now Institute, a partnership between New York University, the American Civil Liberties Union and the Partnership on AI. [h/t Pete Weiss]
Why: As public agencies increasingly turn to automated processes and algorithms to make decisions, they need frameworks for accountability that can address inevitable questions – from software bias to the system’s impact on the community. The AI Now Institute’s Algorithmic Impact Assessment gives public agencies a practical way to assess automated decision systems and to ensure public accountability.
Proposal: Just as an environmental impact statement can increase agencies’ sensitivity to environmental values and effectively inform the public of coming changes, an AIA aims to do the same for algorithms before governments put them to use. The process starts with a pre-acquisition review in which an agency, other public officials and the public at large are given a chance to review the proposed technology before the agency enters into any formal agreements. Part of this process would include defining what the agency considers an “automated decision system,” disclosing details about the technology and its use, evaluating the potential for bias and inaccuracy as well as planning for third-party researchers to study the system after it becomes operational…”

Talk about stroking an ego! Or are we looking to understand the often inexplicable?
Every top New York Times best-seller this year has been about Trump

Tuesday, April 17, 2018

Is it election season already?
U.S. and U.K. Are Blaming Russia for a Global Hacking Campaign and Giving Advice on How to Thwart It
… This is the second time this year that the U.S. and U.K. have attributed cyberattacks to Russia, following their unprecedented attribution in February of last year’s extremely expensive NotPetya attack. It is also the first time that British and American agencies have combined such an announcement with technical advice on countering the threat, aimed at organizations who might be affected.
The new announcement, which comes in the context of tensions over Syria, relates to attacks on government and private-sector organizations, as well as critical infrastructure providers. The Internet service providers serving these organizations were also targeted, according to a joint statement by the U.S.’s Federal Bureau of Investigation (FBI) and Department of Homeland Security, and the National Cyber Security Centre division of the U.K.’s GCHQ intelligence agency.

The difference between competent security researchers and Facebook? Two hours vs. nine years!!!
Deleted Facebook Cybercrime Groups Had 300,000 Members
Hours after being alerted by KrebsOnSecurity, Facebook last week deleted almost 120 private discussion groups totaling more than 300,000 members who flagrantly promoted a host of illicit activities on the social media network’s platform. The scam groups facilitated a broad spectrum of shady activities, including spamming, wire fraud, account takeovers, phony tax refunds, 419 scams, denial-of-service attack-for-hire services and botnet creation tools. The average age of these groups on Facebook’s platform was two years.
On Thursday, April 12, KrebsOnSecurity spent roughly two hours combing Facebook for groups whose sole purpose appeared to be flouting the company’s terms of service agreement about what types of content it will or will not tolerate on its platform.
… Each of these closed groups solicited new members to engage in a variety of shady activities. Some had existed on Facebook for up to nine years; approximately ten percent of them had plied their trade on the social network for more than four years.

Of course, Google, Facebook, et al. have our (user) agreement for email scanning…
Protecting Email Privacy—A Battle We Need to Keep Fighting
EFF: “We filed an amicus brief in a federal appellate case called United States v. Ackerman Friday, arguing something most of us already thought was a given—that the Fourth Amendment protects the contents of your emails from warrantless government searches. Email and other electronic communications can contain highly personal, intimate details of our lives. As one court noted, through emails, “[l]overs exchange sweet nothings, and businessmen swap ambitious plans, all with the click of a mouse button.” In an age where almost all of us now communicate via email, text, or some other messaging service, electronic communications are, in effect, no different from letters, which the Supreme Court held were protected by the Fourth Amendment way back in 1878. Most of us thought this was pretty uncontroversial, especially since another federal appellate court held as much in a 2010 case called United States v. Warshak. However, in Ackerman, the district court added a new wrinkle. It held the Fourth Amendment no longer applies once an email user violates a provider’s terms of service and the provider shuts down the user’s account…

Something my Computer Security students will do in Week Six.
France builds WhatsApp rival due to surveillance risk
The French government is building its own encrypted messenger service to ease fears that foreign entities could spy on private conversations between top officials, the digital ministry said on Monday.
None of the world’s major encrypted messaging apps, including Facebook’s WhatsApp and Telegram – a favorite of President Emmanuel Macron – are based in France, raising the risk of data breaches at servers outside the country.

Continuing our exploration of Facebook.
Hard Questions: What Data Does Facebook Collect When I’m Not Using Facebook, and Why?
When does Facebook get data about people from other websites and apps?
Many websites and apps use Facebook services to make their content and ads more engaging and relevant. These services include:
  • Social plugins, such as our Like and Share buttons, which make other sites more social and help you share content on Facebook;
  • Facebook Login, which lets you use your Facebook account to log into another website or app;
  • Facebook Analytics, which helps websites and apps better understand how people use their services; and
  • Facebook ads and measurement tools, which enable websites and apps to show ads from Facebook advertisers, to run their own ads on Facebook or elsewhere, and to understand the effectiveness of their ads.

These Ex-Spies Are Harvesting Facebook Photos For A Massive Facial Recognition Database
… over the last five years a secretive surveillance company founded by a former Israeli intelligence officer has been quietly building a massive facial recognition database consisting of faces acquired from the giant social network, YouTube and countless other websites.
… That database forms the core of a facial recognition service called Face-Int, now owned by Israeli vendor Verint after it snapped up the product's creator, little-known surveillance company Terrogence, in 2017. Both Verint and Terrogence have long been vendors for the U.S. government, providing bleeding-edge spy tech to the NSA, the U.S. Navy and countless other intelligence and security agencies.

How they hack the iPhone?
Stop Using 6-Digit iPhone Passcodes
… In September 2014, Apple made disk encryption the default on iPhone. In theory, that means that if your phone is locked and protected with a passcode, someone who gets their hands on it can’t read or extract the data from it unless they know or can guess the passcode.
… To protect against these kinds of attacks, Apple has made a few changes in recent years. First of all, iPhones now require 6-digit passcodes by default (but people who have restored backups when upgrading to newer iPhones may still have 4-digit PINs). Second, after a certain amount of wrong guesses to unlock the device, iPhones are programmed to delay new guesses. Finally, there’s even a setting that you can turn on to wipe all data from the phone after 10 failed passcode attempts, as Apple’s iOS security guide explains.
If GrayKey works as advertised, it means Grayshift has found a way to avoid these delays and just keep guessing passcodes.
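As an added illustration (not code from the article, from Apple, or from Grayshift), here is a small model of what the three protections described above are each worth: passcode length, escalating guess delays, and the wipe-after-10 setting. The delay schedule and the per-guess cost are labelled assumptions; the point for a defender is how much of the protection rests on the throttling that a bypass would remove.

```python
"""Model of exhaustive passcode guessing under the policies the article
describes: passcode length, escalating lockout delays, wipe after N failures.
Added illustration only; the delay schedule and per-guess cost are assumptions."""

from dataclasses import dataclass
from typing import Optional

# Assumed escalating lockout schedule: seconds to wait after the Nth consecutive
# wrong guess. Constructed for illustration, not a published specification.
ASSUMED_DELAY_AFTER_FAILURE = {5: 60, 6: 300, 7: 900, 8: 900}
ASSUMED_DELAY_CEILING = 3600  # assumed wait applied from the 9th failure onward

# Assumed cost of submitting one guess to the device (seconds), no lockouts.
ASSUMED_SECONDS_PER_GUESS = 0.08


def keyspace(length: int, alphabet_size: int = 10) -> int:
    """Number of distinct passcodes of the given length (digits by default)."""
    return alphabet_size ** length


def delay_after_failure(n: int, throttled: bool = True) -> int:
    """Lockout imposed after the n-th consecutive failure; 0 when unthrottled
    or before the assumed schedule kicks in."""
    if not throttled or n < 5:
        return 0
    return ASSUMED_DELAY_AFTER_FAILURE.get(n, ASSUMED_DELAY_CEILING)


def worst_case_seconds(length: int, throttled: bool = True,
                       seconds_per_guess: float = ASSUMED_SECONDS_PER_GUESS) -> float:
    """Time to try every passcode of this length, including the lockouts that
    accumulate between guesses (the final guess incurs no further wait)."""
    guesses = keyspace(length)
    waits = sum(delay_after_failure(f, throttled) for f in range(1, guesses))
    return guesses * seconds_per_guess + waits


def success_probability(length: int, wipe_after: Optional[int]) -> float:
    """Chance that a uniformly chosen passcode is hit before the device wipes
    itself. Without a wipe limit every code is eventually tried."""
    if wipe_after is None:
        return 1.0
    return min(wipe_after, keyspace(length)) / keyspace(length)


@dataclass
class Outlook:
    length: int
    throttled: bool
    wipe_after: Optional[int]
    keyspace: int
    worst_case_days: float
    success_probability: float


def outlook(length: int, throttled: bool, wipe_after: Optional[int]) -> Outlook:
    """Summarise one combination of passcode length and device policy."""
    return Outlook(
        length=length,
        throttled=throttled,
        wipe_after=wipe_after,
        keyspace=keyspace(length),
        worst_case_days=worst_case_seconds(length, throttled) / 86400,
        success_probability=success_probability(length, wipe_after),
    )


if __name__ == "__main__":
    # Compare the 4-digit PINs some upgraded phones still carry with the
    # 6-digit default, with and without throttling, with and without wipe.
    for length in (4, 6):
        for throttled in (False, True):
            for wipe in (None, 10):
                o = outlook(length, throttled, wipe)
                print(f"{o.length}-digit throttled={str(o.throttled):5} wipe={o.wipe_after}: "
                      f"{o.keyspace:>9,} codes, worst case {o.worst_case_days:,.2f} days, "
                      f"P(success)={o.success_probability:.6f}")
```

Under these assumptions an unthrottled run through every 6-digit code takes under a day, while the assumed lockouts push the same run past a century and the wipe setting caps the attacker's odds at one in a hundred thousand.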

Too good to be true?
Clients hang up in disbelief when lawyer calls to tell them of $61M verdict over unwanted calls
… Lawyer John Barrett and his colleagues are having a hard time getting their message across when they call to deliver the news, the Wall Street Journal reports. The clients are hanging up before the lawyers or a paralegal can explain, or they are hanging up in disbelief after hearing the figures.
Barrett and co-counsel Brian Glaser won a $20.4 million verdict against Dish last year, an amount that was tripled by the judge. As a result, more than 18,000 people who received the calls are each eligible to receive $2,400 to $30,000, before payment of attorney fees and expenses.
The firm began making the calls after fewer than 8 percent of clients who received a letter about the verdict failed to return the required forms.

Something for my Software Architecture student project. (Building an ATM APP to replace physical ATMs)
Asian consumers love digital banking — here’s why Americans are less excited about it

NBER – The Impact of Artificial Intelligence on Innovation
The Impact of Artificial Intelligence on Innovation, Iain M. Cockburn, Rebecca Henderson, Scott Stern, NBER Working Paper No. 24449. Issued in March 2018.
“Artificial intelligence may greatly increase the efficiency of the existing economy. But it may have an even larger impact by serving as a new general-purpose “method of invention” that can reshape the nature of the innovation process and the organization of R&D.

Netflix hits 125 Million streaming subscribers
… Since it was financial data from the company, they also disclosed the revenue and profit earned through the first quarter of this year. As per their official financial report, Netflix generated $3.7 billion in revenue for Q1 with a net profit of $290 million.

Preparing my geeks.
Google’s new DIY AI kits could help shape the future
… Google just announced two new “AIY” (it’s like DIY, but for artificial intelligence) kits that build upon the ideas the company set forth with its first-generation kits. This time around, however, the new kits ship with everything a student might need to build AI solutions, including a Raspberry Pi Zero WH board.
“We’re taking the first of many steps to help educators integrate AIY into STEM lesson plans and help prepare students for the challenges of the future by launching a new version of our AIY kits,” Billy Rutledge, Director of AIY Projects at Google, wrote in a blog post. “The Voice Kit lets you build a voice controlled speaker, while the Vision Kit lets you build a camera that learns to recognize people and objects. The new kits make getting started a little easier with clearer instructions, a new app and all the parts in one box.”
He continued, “To make setup easier, both kits have been redesigned to work with the new Raspberry Pi Zero WH, which comes included in the box, along with the USB connector cable and pre-provisioned SD card. Now users no longer need to download the software image and can get running faster. The updated AIY Vision Kit v1.1 also includes the Raspberry Pi Camera v2.”
This is a very cool example of a tech company taking some initiative to help encourage communities to enhance their STEM programs in schools. Google’s new AIY Voice Kit and Vision Kit are already available online at and in Target stores across the country, and Google hopes to offer them in other regions in the coming months. The Voice Kit is available for $49.99, while the more complex Vision Kit costs $89.99.

Monday, April 16, 2018

Great news for my Computer Security students, 26% of companies will want to hire them!
McAfee: 26% of companies have suffered cloud data theft
Enterprises are moving their data to the cloud, but not everybody is certain that the cloud is as secure as it could be, according to the third annual report on cloud security from cybersecurity firm McAfee. This is due in part to the fact that one in four companies has been hit with cloud data theft.

Security? Privacy? Another innovation the FBI can rail against? Certainly problems for industries that require record keeping of any communication with clients.
Gmail Reportedly Testing Self-Destructing Emails: Here's How 'Confidential Mode' Would Work
… According to a new report from TechCrunch, a tipster also revealed to the publication that Google is testing a "confidential mode" that would make it easier for users to ensure their emails are only read by the intended person. Moreover, the emails will also have a self-destructing option, which would allow users to set when their email will expire and become unreadable.
… TechCrunch received several screenshots from its tipster, illustrating how Gmail's self-destructing emails would work. Upon selecting to compose a new email, users would get the option to compose it in "confidential mode."
Enabling this option would automatically set several restrictions to the email in question, limiting what the recipient can do with the information. For instance, the recipient would not be able to download the content, forward the email, print it, or copy-paste it.
Users would also be able to set when they want their email to self-destruct, such as one week, one month, several years, or other such options. For an extra layer of security, senders could also require the email recipient to enter a passcode sent in a text message, to confirm their identity before being able to access the contents of the email.
This should significantly boost the security of Gmail and encourage wider use even at enterprise level with high confidentiality requirements. It seems that the new feature is just in testing for now, however, as the "Learn more" option doesn't actually lead to a page with more details on this option.

Interesting forensic work.
The dealer sent a stream of WhatsApp messages offering drugs for sale, one of which showed a number of ecstasy pills in the palm of his hand, reports the BBC. An officer who recovered a phone noticed that the middle and bottom of a finger was shown, potentially allowing a fingerprint to be identified.
In the event, it turned out to be the wrong part of the finger.
There were just parts of the middle and bottom of a finger visible – records only keep the top part. This meant the image did not find a match on national databases.
Other clues led police to the suspect, however, and the photo was then subsequently used to prove he was the dealer.
While the scale and quality of the photograph proved a challenge, the small bits were enough to prove he was the dealer.
It has now opened the floodgates and when there is part of a hand on a photograph, officers are sending them in.

Perspective. Is China killing the goose that lays the golden eggs?
China Is Nationalizing Its Tech Sector
… Communist Party committees have been installed at many tech firms, reviewing everything from operations to compliance with national goals. Regulators have been discussing taking a 1 percent stake in some giants, including Alibaba and Tencent, along with a board seat. Tech companies have been widely encouraged to invest in state-owned firms, in the hopes of making them more productive. The common denominator of all these efforts is that the government wants more control.

In a global (Internet enabled) market, even a small niche can be profitable.
‘High-definition vinyl’ could be spinning on your turntable by next year
Vinyl records are in the midst of a surprising renaissance, fueled not only by millennial nostalgia but by high-tech turntables. As CD and digital music sales continue to decline due to online streaming services like Spotify, CNBC reports that vinyl LP sales increased to 13 million in 2016 — their highest level since 1991.
Now, an Austrian start-up named Rebeat Innovations is hoping to give the venerable medium itself a high-tech boost with an innovation it’s calling “high-definition vinyl.”
Pitchfork has a rundown on the new process, which involves digital audio conversion and the use of lasers to engrave the ceramic “stamper,” the master component that creates the grooves on the record during the manufacturing process.
The company filed a patent in 2016 for “3D-based topographical mapping combined with laser inscription technology,” which it says will reduce the manufacturing time by 60 percent.
… What’s more, backward compatibility is built in — HD Vinyl albums can be played on any current turntable.

This could be amusing. Also, Baen publishing has interviews with its authors at
2000+ Recordings of Poets and Fiction Writers Reading and Discussing Their Work
A few years ago the Library of Congress published an online collection of audio recordings of poets and fiction writers reading and discussing their works. At the time of its launch the collection contained 124 recordings. Since then the collection has grown to include more than 2,000 recordings.
The Archive of Recorded Poetry and Literature contains recordings of writers reading some of their poems and other works. Many of the recordings are long interviews with the writers during which they read some of their works. The audio can be heard on the LOC website and or embedded into blog posts as I've done here. Below you will find the recordings of Ray Bradbury and Robert Frost.

Sort of an anti-University?

Sunday, April 15, 2018

Just a reminder:
The Privacy Foundation at the University of Denver Sturm College of Law
Privacy Foundation Event: Workplace Privacy and Bring Your Own Device (BYOD)
Friday, April 20, 2018 10:00 am to 1:00 pm
or contact Privacy Foundation Event Coordinator at
Click here for the flyer (PDF)

“Warrants, there’s an App for that!” A response to savvy repeat offenders, but could this make obtaining warrants for other searches easier?
Robert McCoppin reports:
Police in McHenry County will be out for blood with drivers who refuse to take breath tests for suspicion of driving under the influence of alcohol or drugs.
And the practice of officers immediately seeking blood draws from those who won’t submit to a breath screen appears to be spreading, with Lake County also planning to adopt a similar policy.
The strategy in many departments takes advantage of technology that allows police to generate an “e-warrant” that can be sent electronically to a judge for review right from a curbside traffic stop.
Read more on Chicago Tribune.
via Joe Cadillic
So… does this e-warrant approach also apply to applications to search a driver’s or passenger’s cell phone or devices? What would the police have to provide to a judge to get a judge to sign the warrant? And should searching the device be treated any differently than requiring a blood draw?
As you may have guessed, I’m still working on my first cup of coffee this morning and finding the news puzzling….

This is an old hack, but I have a new batch of Computer Security students who must start thinking of the threat from Things on the Internet of Things.
Hackers stole a casino's high-roller database through a thermometer in the lobby fish tank

Is the world headed this way? How long can the US resist?
Michael Bahar, Mary Jane Wilson-Bilik, Alexander F.L. Sand, and Trevor J. Satnick of Eversheds Sutherland write:
With enactment of the Personal Information Protection Act (PIPA), Bermuda can now count itself among the ever-expanding list of jurisdictions with enhanced privacy protections. PIPA, passed on July 27, 2016, and entered into force in December 2017, shares many of the more stringent requirements and protections with Europe’s impending General Data Protection Regulation (GDPR), which indicates a growing, global trend towards stepped-up privacy regimes. That said, as much as there are similarities between the regulations, there are important differences, especially for those companies which also must comply with US privacy laws.
Read more on Eversheds Sutherland.
[From the article:
Like the GDPR, PIPA defines personal information (PI) more broadly than the US typically does. For Bermuda, PI is “any information about an identified or identifiable individual.” Under GDPR, personal data is “any information relating to an identified or identifiable natural person.”]

This is useful for all my students.
NIST – Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems
“This publication is intended to be used in conjunction with NIST Special Publication 800-160 Volume 1, Systems Security Engineering – Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. It can be viewed as a handbook for achieving the identified cyber resiliency outcomes based on a systems engineering perspective on system life cycle processes, allowing the experience and expertise of the organization to determine what is correct for its purpose. Organizations can select, adapt, and use some or all of the cyber resiliency constructs (i.e., goals, objectives, techniques, approaches, and design principles) described in this publication and apply them to the technical, operational, and threat environments for which systems need to be engineered.

I have to agree with the author: this raises a number of questions. Is the Pentagon learning to speak Trump Talk? Do they have a much faster method of identifying trolls than Facebook claims?
… So far, Russia hasn’t given any signs it intends to truly escalate the situation, possibly in part because the White House has actually not yet settled on a comprehensive strategy. But Pentagon spokesperson Dana White did trot out a bizarre statistic on “Russian trolls” on Saturday, telling reporters, “The Russian disinformation campaign has already begun. There has been a 2,000 percent increase in Russian trolls in the last 24 hours.”
… It’s entirely plausible that Russia’s “Troll Army” did mobilize and pull some weekend shifts in response to the events in Syria. It’s much less clear where White pulled the 2,000 percent statistic from, or whether that number is particularly significant—while trolls have gathered to talk shit or simply try to hijack the discussion around the events in Syria, the same could be said of most noteworthy events.

Perspective. Remember that scene in “2001: A Space Odyssey” where the astronauts lock themselves in a shuttle and HAL reads their lips?
Google works out a fascinating, slightly scary way for AI to isolate voices in a crowd
The company says this tech works on videos with a single audio track and can isolate voices in a video algorithmically, depending on who's talking, or by having a user manually select the face of the person whose voice they want to hear.
Google says the visual component here is key, as the tech watches for when a person's mouth is moving to better identify which voices to focus on at a given point and to create more accurate individual speech tracks for the length of a video.

Perspective. I also see this as a method of ensuring that money/food reaches the intended recipients.
Inside the Jordan refugee camp that runs on blockchain
… And if the man behind the project, WFP executive Houman Haddad, has his way, the blockchain-based program will do far more than save money. It will tackle a central problem in any humanitarian crisis: how do you get people without government identity documents or a bank account into a financial and legal system where those things are prerequisites to getting a job and living a secure life?

Perspective. Does this result from targeting the symptom rather than the cause?
Amid FOSTA crackdown, sex workers find refuge on Mastodon
… With the news that President Trump has signed the Allow States and Victims to Fight Online Sex Trafficking Act (FOSTA), their options will continue to dwindle — and with it, the ability for many sex workers to pay their bills, let alone do so safely.
Over the past few weeks, sex workers have been turning to an unexpected platform to remain online: the social network Mastodon, under a new instance called “Switter.” Melbourne-based company Assembly Four created Switter after its founders learned that social media platforms were either removing sex workers’ content or banning their accounts. Without the time or resources to build a whole new network from scratch, the group turned to Mastodon.
… Switter, which uses a domain hosted in Austria, offers a workaround to this US legislation. As an open-source platform, Mastodon mimics the look and function of Twitter. Rather than rely on a single flagship site, however, it functions through a series of networks called instances. These instances can be connected to others, or they can exist as standalone networks. Since its launch last month, Switter has grown to become the sixth largest instance, according to Mastodon Network Monitoring. “The ability to communicate and share information with your peers is absolutely critical in the modern age,” says J, an Assembly Four employee who goes by a single-letter handle. “With FOSTA already having wide-reaching effects, we realised that we needed to come up with a safe place for sex workers to communicate, and fast.”

The ultimate suggestion box?