Saturday, April 28, 2018
The process is simple, why wouldn’t more companies use it?
Facebook confesses: Buckle up, there's plenty more privacy lapses where that came from
Facebook has confirmed what many of us have known for years: Cambridge Analytica was far from the only organization engaging in the wholesale hoarding of netizens' personal data via the social network.
The Silicon Valley giant told America's financial watchdog, the SEC, on Thursday that it will probably reveal additional data-harvesting operations as it continues probing how outside developers accessed its website and what information they siphoned off in bulk.
… Now after years of letting companies chug from its firehose, Facebook is shocked – shocked – to discover that shady outfits were amassing folks' info via these APIs.
Soon, mandatory for all citizens (and visitors)?
How private is your DNA on ancestry websites? East Area Rapist case raises questions
… A partial DNA match with an unidentified relative of Joseph James DeAngelo on a genealogy website led to DeAngelo’s arrest as the suspect in the notorious East Area Rapist case, the Sacramento County District Attorney’s Office said Thursday.
Investigators recently found a “familial DNA match” to a sample collected years ago at a crime scene linked to the East Area Rapist. The family link then led the Sheriff’s Department to DeAngelo’s home on a quiet middle-class street in Citrus Heights, where they obtained a direct DNA sample from him after following him and picking up an unidentified object he discarded, according to Sheriff Scott Jones.
When that sample came back as a hit for a series of crimes, DeAngelo was arrested.
Sacramento County District Attorney Anne Marie Schubert declined to detail how her office obtained the relative’s DNA profile or accessed a genealogy database, raising questions about the privacy of personal genetic information on websites.
“I haven’t come across this before,” said John Roman, a senior fellow at research organization NORC at the University of Chicago. Roman is a forensics expert and studied the use of DNA in criminal investigation in 2005-09 in Orange County and L.A.
“If that’s how the match was obtained, then I would think there would be court battles to come.”
Colleen Fitzpatrick and Margaret Press, who run a nonprofit organization called the DNA Doe Project, said one of DeAngelo’s relatives may have shared DNA results with one of several public DNA matching websites, where people upload genetic data in search of biological parents or other long-lost relatives after obtaining results from a commercial site.
The Sheriff’s Department then could have gone to one of those sites, loaded DNA information from East Area Rapist crime scenes and found partial matches.
… California became the first state to authorize such familial line testing in 2008, but it has strict limits. Searches can be requested only when law enforcement has a suspect, and the DNA is only tested against databases containing samples from people arrested or convicted of felonies.
The FBI maintains that system, but each state manages its own DNA database. In California, it’s maintained by the California Bureau of Investigation.
Police Used Free Genealogy Database To Track Golden State Killer Suspect
… Paul Holes, a recently retired investigator with California’s Contra Costa County District Attorney’s Office, said he took crime-scene DNA — believed to be that of the culprit — and entered the profile into the online Florida-based GEDmatch database.
… Holes said that when he entered the crime-scene DNA profile, more than 100 users matched as a distant relative, possibly as close as a third cousin. To use GEDmatch, users agree to make their information public and attach at least an email address to their profile.
Cops hunting the Golden State Killer got the WRONG MAN by using a free genealogy site and ordered innocent sickly 73-year-old to give DNA to clear himself - then his daughter helped nail 'real killer'
Cops used a genetic profile based on DNA from crime scenes and compared it to 189,000 others uploaded by family tree enthusiasts on free site YSearch.org to track down the care home resident, who also shared a rare genetic marker with the killer.
Steve Mercer, chief attorney for the forensic division of the Maryland Office of the Public Defender, said privacy laws are not strong enough to keep police from accessing ancestry sites, which have fewer protections than databases which hold the DNA of convicts.
'It seems crazy to say a police officer investigating a very serious crime can't do something your cousin can do,' Murphy said. 'If an ordinary person can do this, why can't a cop? On the other hand, if an ordinary person had done this, we might think they shouldn't.'
Friday, April 27, 2018
You would expect to find CyberWar anywhere you find a shooting war.
Syria Is Now ‘The Most Aggressive Electronic Warfare Environment On The Planet,’ SOCOM Says
General Raymond Thomas, the commander of U.S. Special Operations Command (USSOCOM), revealed that Syria has become the frontline of electronic warfare and U.S. planes are being disabled.
… While Thomas did not say which country is responsible for the attacks, Russian jamming and electronic warfare capabilities in Syria have long been noticed. Earlier this month, reports surfaced that Russian jamming was affecting small U.S. surveillance drones.
Those efforts were, according to NBC News, not affecting larger armed drones like the MQ-1 Predator or the MQ-9 Reaper.
… It’s not clear what exactly Thomas meant by “disabling,” but Lori Moe Buckhout, a former Army colonel and expert on electronic warfare, told Breaking Defense that the attacks could possibly have targeted an EC-130’s Position, Navigation and Timing (PNT) or communications.
That would force the pilots to use traditional methods of navigation like maps and line of sight, which could make flying the aircraft more difficult.
… Syria has proven to become, as STRATFOR notes, “the ultimate testing ground” for the Russian military.
“Moscow’s forces employed new sea- and air-launched land-attack cruise missiles, deployed new types of air defense systems and battlefield drones, and extensively relied on next-generation electronic warfare systems,” a report from the geopolitical intelligence platform said.
I would like the SEC to mandate a comparison between costs of the breach and costs that could have prevented the breach. I doubt we’ll ever see that.
Larry Dignan reports:
Equifax’s first quarter earnings report highlighted expenses due to its September 2017 data breach and how the spending is shifting more toward IT and security.
In its first quarter earnings report, Equifax outlined that it spent $45.7 million for the three months ended March 31 on IT and data security. The company has been staffing up to bring on expertise to shore up its security.
Read more on ZDNet.
Get ready for November.
… Election hacking has a broad set of definitions, but you can boil it down to one central concept: manipulation of the voting process in favor of a candidate or political party.
… Despite the many examples of electoral interference around the globe, election hacking boils down to just three major, coverall categories. Why? Because together, these three categories form a cohesive strategy for election hacking.
1. Manipulate the Voters Before the Election
2. Manipulate the Votes and Machines
3. Manipulate the Infrastructure
More for Mom & Dad than the corporate environment, but I would recommend sharing this with employees.
Reports of tech support scams rocket, earning handsome returns for fraudsters
A typical technical support scam works like this:
1. A user receives a phone call, claiming to come from an operating system vendor or ISP claiming that a security problem has been found on the user’s computer.
One trick fraudsters may use to gain a less technically savvy user’s confidence is to trick them into looking for error messages in Windows Event Viewer’s logs.
In fact, such entries are completely harmless and should not be considered evidence of a malware infection.
Gosh Jeff, physical security was last week’s topic. Try to keep up!
Amazon is now selling home security services, including installations and no monthly fees
… Amazon has quietly launched a portal offering home security services — which include all the equipment you would need and in-person visits from Amazon consultants to advise and install the kit. The packages are being sold in five price tiers, at a flat fee — no monthly service contracts, a significant disruption of how many home security services are sold today.
This week is Cryptography…
A few thoughts on Ray Ozzie’s “Clear” Proposal
… In this post I’m going to sketch a few thoughts about Ozzie’s proposal, and about the debate in general. Since this is a cryptography blog, I’m mainly going to stick to the technical, and avoid the policy details (which are substantial).
As much for my Architecture class as my Computer Security class.
TSB Train Wreck: Massive Bank IT Failure Going into Fifth Day; Customers Locked Out of Accounts, Getting Into Other People’s Accounts, Getting Bogus Data
… The disaster at TSB should serve as a big wake up call. The very short version is that a UK bank, TSB, which had been merged into and then many years later was spun out of Lloyds Bank, was bought by the Spanish bank Banco Sabadell in 2015. Lloyds had continued to run the TSB systems and was to transfer them over to Sabadell over the weekend. It’s turned out to be an epic failure, and it’s not clear if and when this can be straightened out.
It is bad enough that the bank IT problem has been so severe and protracted that a major newspaper, The Guardian, created a live blog for it that has now been running for two days.
The more serious issue is that customers still can’t access online accounts and, even more disconcertingly, are sometimes being allowed into other people’s accounts, which says there are massive problems with data integrity.
… Even worse, the fact that this situation has persisted strongly suggests that Lloyds went ahead with the migration without allowing for a rollback. If true, this is a colossal failure, particularly in combination with the other probable planning failure, that of not remotely adequate debugging (while there was a pilot, it is inconceivable that it could have been deemed to be a success if the testing had been adequate).
Something to research: Does this track with the decline in PC sales?
Microsoft Tops Amazon In Q1 Cloud Revenue, $6.0 Billion To $5.44 Billion; IBM Third at $4.2 Billion
Despite posting excellent first-quarter cloud-revenue growth of 49% to $5.44 billion, Amazon actually lost ground in its efforts to overtake Microsoft as the world's leading enterprise-cloud provider as Satya Nadella's company reported its commercial-cloud revenue jumped 58% to $6.0 billion.
Thursday, April 26, 2018
Perhaps this is the birth of an interest in Computer Security?
Taryn Luna reports on a hack and phish that may leave you wondering whether this was a politically motivated attack or just a garden variety attack.
Luna reports that the victim is Sen. Richard Pan, D-Sacramento, whose re-election campaign account was robbed in a multi-step scheme that began with a hack of his email account in February.
The hackers appeared to study the campaign’s email pattern of approving payments, pretended to be him and sent a fake invoice to his treasurer requesting $46,000 to a vaccine-related nonprofit organization in mid-February, Pan said. He said the responsible parties were able to block communications with other people to hide their trail.
The vaccine connection is what raises the possibility of political motivation. Luna explains:
Pan is a doctor and has drawn the ire of a fervent community of activists who oppose his legislative work to toughen vaccination requirements for school children. Pan said there’s no evidence to suggest anyone associated with the anti-vaccination movement was actually involved in the theft, but he’s suspicious given violent threats he’s endured and prior interactions with his opponents. Among other related legislation, Pan successfully removed personal belief exemptions for vaccines in 2015.
The senator’s treasurer was appropriately cautious when she received the request to send the check, but she did not know she was going back and forth in email with the criminals and not with her boss.
As a result of this incident the campaign now uses two-factor authentication for any such requests.
Read more here on SacBee.
This week my students are designing a data center. Here’s something else to consider.
Loud Sound From Fire Alarm System Shuts Down Nasdaq's Scandinavian Data Center
A loud sound emitted by a fire suppression system has destroyed the hard drives of a Swedish data center, downing Nasdaq operations across Northern Europe.
The incident took place in the early hours of Wednesday, April 18, and was caused by a gas-based fire suppression system that is typically deployed in data centers because of their ability to put out fires without destroying non-burnt equipment.
These systems work by releasing inert gas at high speeds, a mechanism usually accompanied by a loud whistle-like sound. With non-calibrated systems, this sound can get very loud, a big no-no in data centers, where loud sounds are known to affect performance, shut down, or even destroy hard drives.
The latter scenario is what happened on Wednesday night, as the sound produced by the errant release of the inert gas destroyed hard drives for around a third of the Nasdaq servers located in the Digiplex data center.
… A Digiplex spokesperson told Bleeping Computer that Nasdaq only rents space in the data center, and uses its own equipment. Nasdaq said there weren't enough servers in the whole of Sweden to replace the destroyed ones, and had to import new machines.
Next week, we’ll be discussing encryption.
Democrats are demanding answers from the Trump administration on steps being taken to prevent the president from falling victim to foreign hackers, suggesting his personal cellphone use poses a national security threat.
… “While cybersecurity is a universal concern, the President of the United States stands alone as the single-most valuable intelligence target on the planet,” Reps. Ted Lieu (D-Calif.) and Ruben Gallego (D-Ariz.) wrote.
“Our national security should not depend on whether the President clicks on a malicious link on Twitter or his text application, or the fortuity of foreign agencies not knowing his personal cell number,” they wrote.
CNN reported earlier this week that Trump has begun to more frequently use his personal mobile device to contact those advising him outside the White House.
Something for all my students.
Is it a Trump thing?
In Trump's first year, FISA court denied record number of surveillance orders
In its first year, the Trump administration kept one little-known courtroom in the capital busy.
… Annual data published Wednesday by the US Courts shows that the Foreign Intelligence Surveillance (FISA) Court last year denied 26 applications in full, and 50 applications in part.
That's compared to 21 orders between when the court was first formed in 1978 and President Barack Obama's final year in office in 2016.
I didn’t know that.
… A Manhattan judge ruled Wednesday that there’s nothing “outrageous” about throwing the president’s supporters out of bars — because the law doesn’t protect against political discrimination.
Not the first time I’ve heard this argument.
The Politicization of Our Security Institutions
The politicization of the FBI has been swift and extreme. According to Reuters polling, just two years ago, 84 percent of Republicans viewed the FBI favorably. By February 2018, 73 percent agreed that “members of the FBI and Department of Justice are working to delegitimize Trump through politically motivated investigations,” according to a new Reuters poll. Thanks to a president eroding long-standing norms and America’s extreme political polarization, the FBI may not be alone. We are at risk of becoming more similar to struggling democracies, where most security and law enforcement institutions are simply assumed to be aligned with a political party.
It is not difficult to imagine a near-future in which the American public sees Immigration and Customs Enforcement (ICE) agents, sheriffs, many police forces, and the military as “Republican” institutions. In other words, the public would expect these institutions, as a matter of course, to tilt their analysis and actions towards helping their preferred party. Meanwhile, the public could come to see the FBI, more cerebral intelligence agencies such as that of the State Department and CIA, and big city police as “Democratic,” with the same politicized lean to their actions and public pronouncements.
Perspective. Any studies on the creation of new jobs in AI, VR, etc?
A study finds nearly half of jobs are vulnerable to automation
… A new working paper by the OECD, a club of mostly rich countries, employs a similar approach, looking at other developed economies. Its technique differs from Mr Frey and Mr Osborne’s study by assessing the automatability of each task within a given job, based on a survey of skills in 2015. Overall, the study finds that 14% of jobs across 32 countries are highly vulnerable, defined as having at least a 70% chance of automation. A further 32% were slightly less imperilled, with a probability between 50% and 70%. At current employment rates, that puts 210m jobs at risk across the 32 countries in the study.
A confusing meme. Was there a problem? We won’t know until late next year.
Finland set to scrap free money experiment after two-year trial
The Finnish Social Insurance Institute, often referred to as Kela, introduced a two-year trial of Universal Basic Income (UBI) in January 2017. The scheme saw its government pay a random sample of 2,000 unemployed citizens aged 25 to 58 a monthly payment of 560 euros ($684).
Kela's trial did not require the recipients of basic income to seek or accept employment, while those who took a job during this period would still continue to receive the same amount of cash.
However, Kela's request for extra funding to expand the two-year pilot to a group of employees this year was rejected by the government on Monday. Instead, the Finnish administration said it would prioritize other schemes in an effort to reform the Scandinavian country's social security system.
… The full results of the pilot are not scheduled to be released until late 2019, while Kela has vowed to stay in touch with the recipients of basic income to assess the long-term impact of the trial.
Perspective. Will others follow suit?
Ford dropping all but 2 cars from its North American dealerships
Ford said on Wednesday the only passenger car models it plans to keep on the market in North America will be the Mustang and the upcoming Ford Focus Active, a crossover-like hatchback that's slated to debut in 2019.
That means the Fiesta, Taurus, Fusion and the regular Focus will disappear in the United States and Canada.
Ford will, however, continue to offer its full gamut of trucks, SUVs and crossovers.
For the student toolkit. Works on Apple phones also.
How to scan without a scanner
… Microsoft Office Lens app uses your phone’s or tablet’s camera to take a picture of the document and then edit it to make it look scanned, and it does all of that in a few seconds with a few steps. Another cool thing about the app is that once you “scan” the document you can export it in a file type that suits you or to a service of your choice. Also, using the OCR algorithm you can scan business cards to convert them into contacts, as well as photos from which you need to have the text extracted.
An important tool.
Wednesday, April 25, 2018
Cheap at twice the price?
$35 Million Penalty for Not Telling Investors of Yahoo Hack
US securities regulators on Tuesday announced that Altaba will pay a $35 million penalty for not telling them hackers had stolen Yahoo's "crown jewels."
The 2014 breach blamed on Russian hackers affected hundreds of millions of Yahoo accounts, with stolen 'crown jewel' data including usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions, according to the Securities and Exchange Commission.
While Yahoo discovered the data breach quickly, it remained mum about it until more than two years later when it was being acquired by telecom giant Verizon Communications, the SEC case maintained.
… Although Yahoo is no longer an independent company -- its financial holdings are in a separate company now called Altaba -- Verizon has continued to operate the Yahoo brand, including its email service and a variety of news and entertainment websites.
… In addition to the 2014 breach, a hack the previous year affected all three billion Yahoo user accounts, according to findings disclosed by Verizon after the acquisition.
… Yahoo, which was once one of the leading internet firms, sold its main online operations to Verizon last year in a deal valued at $4.48 billion.
The purchase price was cut following revelations of the two major data breaches at Yahoo.
If it’s encrypted, it must be valuable?
Attacks on Encrypted Services
Encryption is one of the most basic necessities in the security arsenal. It’s what makes it possible for banks to offer online banking and funds transfers, or for consumers to make purchases online using their credit or debit cards. It’s what protects the public’s online interaction with government agencies or health care providers. It should surprise no one, however, that encrypted services are prime targets of DDoS attacks. Such services enable access to a wealth of personal, confidential and financial data. Identity thieves and cyber criminals can have a field day if they succeed in breaking web service encryption.
According to NETSCOUT Arbor’s 13th Annual Worldwide Infrastructure Security Report (WISR), attacks targeting encrypted web services have become increasingly common in recent years. Among enterprise, government and education (EGE) respondents, 53 percent of detected attacks targeted encrypted services at the application layer. And 42 percent of respondents experienced attacks targeting the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocol governing client-server authentication and secure communications. Among service providers, the percentage seeing attacks targeting secure web services (HTTPS) rose significantly over the previous year, from 52 percent to 61 percent.
(Related) This is a One Time Pad.
… “It’s just a random three-digit number that corresponds to a sign and then we have 10 different cards with random numbers,” Iannetta said. “As soon as they [the MASN broadcast] zoomed in… we heard about it and switched cards immediately. We switched to a different card with a whole new set of numbers. There’s no way to memorize it. There’s a random-number generator spitting out a corresponding number [for the cards], and the coaches have the same cards.”
In explaining the process, Iannetta said he’ll look toward the dugout, see a coach use his fingers to send in the three-digit code and then look on his card for the corresponding call. It could be a throw over to first or nothing, no action. Iannetta said three-digit codes are never repeated in-game for the same call.
“If I get ‘1-4-3,’ and it’s a throw over to first base, we’ll never use ‘1-4-3’ again to throw over,” Iannetta said. “There will never be repetition… It’s pretty impossible to steal signs if you use the system we are using.”
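As an added illustration of the single-use property the “One Time Pad” remark points to (this is example code, not from the article or the team): a simulation of a card whose codes are burned after one use, beside a conventional fixed-code card, with a sign stealer who can only predict a play once a code repeats. The call names, the round-robin card layout and the stealer model are constructed assumptions.

```python
import random

# Constructed sample of the kinds of calls the article mentions.
CALLS = ["throw over to first", "no action", "pitchout", "hold runner"]


class SingleUseCard:
    """Model of the card described in the article: every three-digit code is
    pre-assigned to one call and discarded after a single use, so the same
    code never signals the same call twice in a game (the one-time-pad idea)."""

    def __init__(self, rng):
        codes = list(range(1000))
        rng.shuffle(codes)
        self.pool = {call: [] for call in CALLS}
        for i, code in enumerate(codes):          # deal codes round-robin
            self.pool[CALLS[i % len(CALLS)]].append(code)

    def signal(self, call):
        return f"{self.pool[call].pop():03d}"     # burn the code on use


class StaticCard:
    """Counterexample: one fixed code per call, reused all game long (the
    conventional sign that an observer can learn by watching)."""

    def __init__(self, rng):
        codes = rng.sample(range(1000), len(CALLS))
        self.table = {call: f"{code:03d}" for call, code in zip(CALLS, codes)}

    def signal(self, call):
        return self.table[call]


class SignStealer:
    """Opponent who sees each finger signal and the play that follows and
    records the pairing; predicts the play only when a code repeats."""

    def __init__(self):
        self.seen = {}

    def predict(self, code):
        return self.seen.get(code)               # None until the code repeats

    def learn(self, code, call):
        self.seen[code] = call


def stolen_signs(n_plays, single_use, seed=0):
    """Return how many of n_plays the stealer predicts correctly."""
    rng = random.Random(seed)
    card = SingleUseCard(rng) if single_use else StaticCard(rng)
    stealer = SignStealer()
    correct = 0
    for _ in range(n_plays):
        call = rng.choice(CALLS)
        code = card.signal(call)
        if stealer.predict(code) == call:
            correct += 1
        stealer.learn(code, call)                # observe the play that follows
    return correct


if __name__ == "__main__":
    print("single-use card, plays stolen:", stolen_signs(200, single_use=True))
    print("static card, plays stolen:    ", stolen_signs(200, single_use=False))
```

With the static card the stealer misses only the first sighting of each call; with single-use codes every code is fresh, so observation alone yields nothing, which is the one-time-pad argument against key reuse.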
Very “James Bond.” Not research an amateur would undertake. Which intelligence service wanted this laptop enough to “show off” their hack?
Hotel Rooms Around the World Susceptible to Silent Breach
In 2003, researchers from F-Secure were attending a security conference in Berlin – specifically, the ph-neutral hacker conference – when a laptop was stolen from a locked hotel room.
More to the point, however, there was no sign of the door being forced, nor any indication from the electronic locking system's logs that anyone had entered the room in their absence.
… F-Secure researchers told SecurityWeek, "Our guy was working on some really interesting and specific stuff; and, yes, it would absolutely have been of interest to any 3, 4 or 5 letter agency in many different nation-states."
… With this background it is not surprising that the researchers started to investigate the locking system. Specifically, they were looking for a Vision by VingCard vulnerability that could be exploited without trace – and eventually they found one. It took thousands of hours of work over the last 15 years examining the system and looking for the tiniest errors of logic.
… In summary, with any existing, old or expired keycard to any room on the system, it is possible to generate a master key that can be used to gain entry to any of the hotel rooms without leaving a trace on the system. An attacker could book a room and then use that keycard as the source; or could even read the data remotely by standing close to someone who has a card in a pocket -- in a hotel elevator, for example.
Start ‘em young!
More than 1 million children in the United States were affected by identity theft last year, according to a new study highlighting what’s easily the most overlooked demographic impacted by breaches of personally identifiable information.
The study, released Tuesday by Javelin Strategy & Research, claims that in 2017, more than $2.6 billion in losses may be attributed to incidents of identity theft involving children. The out-of-pocket cost to families is estimated at over $540 million.
… The study, which was funded by theft-protection service Identity Guard, also found a “strong connection” between children who are bullied and those affected by fraud. Kids bullied online are nine times more likely to have their identities stolen, researchers found.
I’ve been telling (and telling and telling) my Computer Security students that management often does not know what is happening. How could anyone miss this?
Fajita heist: Texas man sentenced to 50 years for stealing $1.2 million worth of food
Gilberto Escamilla, 53, was employed at the Darrel B. Hester Juvenile Detention Center in San Benito, Texas, until August 2017 — when it was discovered that he had been placing orders for fajitas using county funds and then selling them for his own profit since December 2008, according to Cameron County Court filings.
… According to The Brownsville Herald, Escamilla's scheme unraveled last August after a delivery driver with Labatt Food Service phoned the detention center to give kitchen employees a heads up that an 800-pound delivery of fajitas had arrived.
Employees immediately thought the delivery to be suspicious, as minors at the detention center are not served fajitas; however, the delivery driver insisted that he had been delivering fajitas to the detention center's kitchen for the past nine years.
More on Facebook, et. al.
From the better-late-than-never dept.
For readers who are interested and may have missed what’s occurring with the Facebook breach, Cambridge Analytica, SCL, SCL Canada, and AggregateIQ (AIQ) in Canada, there have been some remarkable meetings and testimony occurring that are worth watching. The latest was testimony by Zackary Massingham, Chief Executive Officer, AIQ, and Jeff Silvester, Chief Operating Officer, AIQ.
As the AIQ CEOs were giving their testimony and stating they have replied to all of the questions the UK ICO asked of them, someone, apparently from the UK ICO, texted the committee in real time to state what they were stating isn’t true and stated why it wasn’t true. It was a ball dropper as the committee read the text out loud in real time to the CEOs.
You can watch the 2-hour video from the Standing Committee on Access to Information, Privacy and Ethics (ETHI) and their investigation into the “Breach of Personal Information Involving Cambridge Analytica and Facebook” here (meeting 101):
Click on the green icon labeled, “Watch on ParlVu”, for the video.
On the 26th of April, the investigation continues, starring Professors Colin J. Bennett, Thierry Giasson and Mozilla. You will be able to watch it from this link (meeting 102):
All previous meetings from this investigation, including the testimony from Chris Vickery, can be streamed by going to the following web page and by expanding the meeting dates (meetings 99 to 101 as of writing):
Just because it’s a lot of money.
Apple and Donohoe clear final hurdle for repayment of €13bn disputed tax bill
Apple will place the first tranche of its €13 billion Irish tax bill in an escrow account next month following the signing of a legal agreement between the Government and the US tech giant.
It is anticipated that Apple will make a series of unspecified payments into the account starting in May with the full amount expected to be recovered by the end of September.
… When interest is added the final figure could reach €15 billion but the Department of Finance said it was not possible to calculate the interest until all the money had been recovered.
… Both Apple and the Government are appealing the ruling on the grounds that Apple’s tax treatment was in line with Irish and European Union law.
A Privacy resource.
New on LLRX – Pete Recommends – weekly highlights on cyber security issues – April 23 2018
Via LLRX – Pete Recommends – weekly highlights on cyber security issues – April 23 2018 – Privacy and security issues impact every aspect of our lives – home, work, travel, education, health/medical, to name but a few. On a weekly basis Pete Weiss highlights articles and information that focus on the increasingly complex and wide ranging ways our privacy and security is diminished, often without our situational awareness.
How AI might be used.
New Product of the Year? Law Librarians Pick AI Research Tool from Bloomberg Law
A legal research tool that uses artificial intelligence to help legal researchers quickly find key language critical to a court’s reasoning has been selected by the American Association of Law Libraries as winner of its 2018 New Product Award.
AALL cited Points of Law, a tool developed by Bloomberg Law, for its ability to provide researchers with a court decision’s legal points and to identify legal precedents.
As I explained in my review of Points of Law last September, as a researcher scrolls through a court opinion, the tool highlights the essential language in the opinion, making it easier for the researcher to browse through the key discussion points and enabling the researcher to more quickly get the gist of the key holdings.
For each point of law within a case, a pop-up shows the top three cases cited in support of it.
MIT Explainer: What is a blockchain?
Blockchain – Where it came from, what it does, and how you make one by MIT Technology Review Editors. April 23, 2018.
“What is it? A public, permanent, append-only distributed ledger.
What’s that? A mathematical structure for storing data in a way that is nearly impossible to fake. It can be used for all kinds of valuable data.
Where did it come from? “I’ve been working on a new electronic cash system that’s fully peer-to-peer, with no trusted third party.” These are the words of Satoshi Nakamoto, the mysterious creator of Bitcoin, in a message sent to a cryptography-focused mailing list in October 2008. Included was a link to a nine-page white paper describing a technology that some are now convinced will disrupt the financial system…”
Know the players!
Senate confirms Trump's pick for NSA, Cyber Command
Lt. Gen. Paul Nakasone was unanimously confirmed by voice vote to serve as the "dual-hat" leader of both the National Security Agency and U.S. Cyber Command.
[The General’s bio: https://www.army.mil/article/199703/biography_lt_gen_paul_m_nakasone_commanding_general_us_army_cyber_command]
A tool for looking at Instagram’s data on you.
Instagram launches “Data Download” tool to let you leave
Instagram’s “Data Download” feature can be accessed here or through the app’s privacy settings. It lets users export their photos, videos, archived Stories, profile, info, comments, and non-ephemeral messages, though it can take a few hours to days for your download to be ready.
(Related) Hacking Instagram.
A guide for my students.
For coding tips when writing your own?
Dilbert’s fool-proof system for avoiding bad reviews?
Tuesday, April 24, 2018
Why are old, crash prone operating systems still in use?
Hackers Go After X-Ray, MRI Machines for Corporate Espionage
Fortunately, sabotage and patient data collection don't appear to be the motive behind the hacking. The attackers were probably focused on corporate espionage and studying how the medical software onboard the computers worked, the security firm Symantec said on Monday.
Over the past three years, the hacking group Orangeworm has been secretly delivering the Windows-based malware to about 100 different organizations, said Jon DiMaggio, a security researcher at Symantec. The biggest number of victims, at 17 percent, have been based in the US.
The hackers have been particularly interested in legacy Windows 95 systems, which can end up controlling the X-ray and MRI machines, he said. The malware used was capable of taking remote control over a computer, and spreading itself over a network.
I’m shocked, shocked I tell you! Where is Captain Obvious when the CIA needs him?
CIA agents in 'about 30 countries' being tracked by technology, top official says
CIA officers working overseas used to expect to be followed after hours by adversarial spies hoping to find their sources.
But now, foreign spies often don't need to bother because technology can do it for them, said Dawn Meyerriecks, deputy director of the CIA's science and technology division.
Digital surveillance, including closed-circuit television and wireless infrastructure, in about 30 countries is so good that physical tracking is no longer necessary, Meyerriecks told the audience at an intelligence conference in Tampa, Florida, on Sunday.
… But the CIA is spying back, she said. As of six months ago, the agency has been pursuing nearly 140 artificial intelligence projects.
In one, a small team "took a bunch of unclassified overhead and street view" and paired it with machine learning and artificial intelligence algorithms to create "a map of cameras in one of the big capitals that we don't have easy access to," Meyerriecks said.
That way, agents can try to figure out where they are being surveilled and how they might evade the camera eye.
Just in case someone does not take my Computer Security class.
Five myths about internet privacy where nothing is what it seems to be
You have precious little privacy on the web – whether you are browsing, using Facebook or Gmail, public WiFi, disk cleaning applications, or using the same “strong” passwords on multiple sites. USAToday reports – “Many of us think we’re taking the right precautions, when in fact we’re putting our info at risk. The following are five such misconceptions, the truth behind them, and what to do about it…”
Interesting arguments? Here or nowhere?
Alexander Berengaut writes:
Last summer, Marcus Hutchins, the security researcher who stopped the “WannaCry” malware attack, was arrested and charged for his role in allegedly creating and conspiring to sell a different piece of malware, known as Kronos. As we have previously discussed on this blog, however, the indictment was notable for its lack of allegations connecting Hutchins to the United States, which raises constitutional due process issues, and Hutchins subsequently moved to dismiss the indictment on this basis.
The government has now responded to Hutchins’ motion. It makes two main arguments. First, the government maintains—as a factual matter—that the allegations in the indictment do allege a sufficient nexus between Hutchins and the United States. Second, the government argues, as a legal matter, that if Hutchins’ indictment is defective because it fails to allege conduct specifically directed at the United States, then there is no country on Earth where Hutchins could be prosecuted. Both arguments appear to fall short.
Read more on Covington & Burling
Another legal conflict?
Clear Scope for Conflict Between Privacy Laws
The Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, was enacted into U.S. federal law on March 23, 2018. It had been attached, at page 2212 of 2232 pages, to the omnibus spending bill, and allows law enforcement to demand access to data of concern wherever in the world that data is stored.
The General Data Protection Regulation, or GDPR, becomes European Law on May 25, 2018. It restricts companies that operate in Europe or process EU citizen data from transferring that data to third parties.
On the surface, there is clear scope for conflict between these two laws; but as always, it is more complex than that. The two key elements are, for CLOUD, section 2713; and for GDPR, article 48.
Section 2713 reads, "A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information relating to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside the United States."
Article 48 of GDPR states, "Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter."
It gets complicated because CLOUD specifically allows for 'international agreements', but not mutual legal assistance treaties (MLATs), which it does not mention at all. Indeed, the U.S. government has always complained that MLATs are too complex and slow to be of any value to a fast-moving investigation.
Trying to keep up.
Lawmakers grill academic at heart of Facebook scandal
… Cambridge University researcher Aleksandr Kogan told "60 Minutes" he was "sincerely sorry" about the way he and "tens of thousands" of other app developers took advantage of what he said was Facebook's lax data policy enforcement, but he doesn't think he really did anything wrong.
On Tuesday, he told members of the British Parliament that Cambridge Analytica's suspended CEO, Alexander Nix, had blatantly lied to them during his testimony on the relationship between that company and his own.
Facebook reveals 25 pages of takedown rules for hate speech and more
Facebook has never before made public the guidelines its moderators use to decide whether to remove violence, spam, harassment, self-harm, terrorism, intellectual property theft, and hate speech from the social network, until now. The company hoped to avoid making it easy to game these rules, but that worry has been overridden by the public’s constant calls for clarity and protests about its decisions. Today Facebook published 25 pages of detailed criteria and examples for what is and isn’t allowed.
Compare & contrast.
YouTube Took Down Over 8 Million Videos In 3 Months, And Machines Did Most Of The Work
Google-owned YouTube took down 8.3 million videos in the last three months of 2017, with machines doing most of the work in cleaning up the video-sharing platform.
The announcement comes alongside the launch of the Reporting History dashboard, which will allow YouTube users to see the status of videos that they have flagged.
What happens if you don’t want Amazon opening your front door?
Introducing In-Car Delivery
As a Prime member, get your Amazon packages securely delivered right into your vehicle parked at home, at work or near other locations in your address book. Park your vehicle in a publicly accessible area to receive in-car deliveries, and track your packages with real-time notifications. FREE for Prime members in select cities and surrounding areas with supported vehicles. Check your eligibility, or download the Amazon Key App to get started.
Amazon Key In-Car Delivery supports most 2015 model year or newer Chevrolet, Buick, GMC, Cadillac, and Volvo vehicles with an active connected car service plan such as OnStar or Volvo On Call. Stay tuned for future partner announcements.
Strangely enough, I’m in agreement.
Surprise! Monkeys can't sue for copyright, not even for 'monkey selfies.' Here's why.
As bananas as it sounds, the Ninth U.S. Court of Appeals ruled on Monday that monkeys do not have the right to sue for copyright infringement as argued in the case of a monkey whose selfie went viral around the world.
… After the image went viral, the site Wikimedia Commons — which is the media repository for Wikipedia — uploaded the image as an image in the public domain. It argued that “because as the work of a non-human animal, it has no human author in whom copyright is vested.”
… PETA used a rule called “next friend” that allowed the organization to sue on behalf of an animal. For a while, it wasn’t even clear that PETA was representing the right monkey. PETA argued that animals are so intelligent that they are capable of holding legal ownership of intellectual property.
Still, the case continued and in 2016 a federal judge ruled that a monkey cannot own copyright. The next year, PETA settled the suit with Slater but the Ninth Circuit refused to let either side drop the case.
And on Monday, the Ninth Circuit delivered a conclusive blow to one of the most-talked about copyright cases in modern times, and one that generated a wide range of reactions given its implications about the work of non-humans, including artificially intelligent machines.
Why does this sound like Hillary Clinton? It’s going to be difficult to plead ignorance after comments he made during the campaign.
Trump ramps up personal cell phone use
President Donald Trump is increasingly relying on his personal cell phone to contact outside advisers, multiple sources inside and outside the White House told CNN, as Trump returns to the free-wheeling mode of operation that characterized the earliest days of his administration.
… Sources cited Trump's stepped-up cell phone use as an example of chief of staff John Kelly's waning influence over who gets access to the President.
… While Trump never entirely gave up his personal cell phone once Kelly came aboard, one source close to the White House speculated that the President is ramping up the use of his personal device recently in part because "he doesn't want Kelly to know who he's talking to."
A toolkit for my Android using students.
The best privacy and security apps for Android
For all that data I’ve been trying to explain.
Creating Data Visualizations Without Knowing How to Code
Center for Data Innovation: “A research collaboration between Adobe and Georgia Tech has published a free data visualization tool called Data Illustrator that allows users to create visualizations in a graphical interface without having to know how to code. Additionally, Dutch data visualization firm Vizualism has published a tutorial for Data Illustrator to walk users through how to create a visualization using data about life expectancy in Dutch cities.”
Storyline JS - Turn Your Spreadsheets Into Stories
In yesterday's Practical Ed Tech Tip of the Week I featured the storytelling tools produced by Knight Lab at Northwestern University. One of those tools is called Storyline JS. Storyline JS lets you create an interactive, annotated line chart. The purpose of Storyline JS is to enable you to add detailed annotations to the data points displayed on your line charts. Watch my video below to see how to create an annotated line chart with Storyline JS.
Storyline JS could be a great tool for students to use to demonstrate their understanding of what the data in a line chart actually means. Similarly, using Storyline JS could be a good way for students to explain the causes for changes in the data displayed in their line charts.
Monday, April 23, 2018
This could work with any nationality if scammers can tell visitors from citizens. I wonder if it works in other countries?
Don’t give money to the “Chinese Consulate,” FTC says in scam-busting report
Scammers are using a combination of phishing techniques and social engineering to trick people with Chinese last names into handing over their personal information and even make direct payments to the scammer.
The scheme isn’t new, with reports going back as early as 2015 when the Federal Communications Commission (FCC) told phone carriers to start using robocall-blocking services.
Now the Federal Trade Commission has had it too. A statement by the FTC said it has recently recorded a surge in complaints from customers claiming that scammers are purporting to call from the Chinese Consulate asking them for personal information and even cash.
Do many people still use Internet Explorer?
Internet Explorer zero-day alert: Attackers hitting unpatched bug in Microsoft browser
A well-resourced hacking group is using a previously unknown and unpatched bug in Internet Explorer (IE) to infect Windows PCs with malware.
… According to the firm, the vulnerability affects the latest versions of IE and other applications that use the browser.
National Health Systems are large targets.
Sue Dunleavy reports:
The sensitive health data of Australians is subject to a data breach every two days and the organisations and governments that fail to protect it are facing no financial penalties.
As outrage builds over Facebook’s failure to protect privacy, a News Corp investigation has uncovered health data that shows if Australians have a sexually transmitted disease, mental illness, HIV or an abortion, even whether they’ve used a prostitute, is not properly protected.
A new mandatory notification scheme that requires businesses to report to the Office of the Australian Information Commissioner when there is a data breach shows in the first 37 days of the new regime a data breach occurred every two days in the health sector.
Read more on
Cities with inadequate backups are also easy targets.
City of Atlanta Ransomware Attack Proves Disastrously Expensive
City of Atlanta Ransomware Attack Showcases Ethical Problem in Whether to Pay a Ransom or Not
Over the course of the last week, it has become apparent that the City of Atlanta, Georgia, has paid out nearly $3 million in contracts to help its recovery from a ransomware attack on March 22, 2018 – which (at the time of writing) is still without resolution.
Precise details on the Atlanta contracts are confused and confusing – but two consistent elements are that SecureWorks is being paid $650,000 for emergency incident response services, and Ernst & Young is being paid $600,000 for advisory services for cyber incident response. The total for all the contracts appears to total roughly $2.7 million. The eventual cost will likely be more, since it doesn't include lost staff productivity nor the billings of a law firm reportedly charging Atlanta $485 per hour for partners, and $300 per hour for associates. The ransom demand was for around $51,000.
… Also worth considering is the SamSam attack on Hancock Health reported in January this year. Hancock chose to pay a ransom of around $55,000, and recovered its systems within a few days. It later admitted that it would not have been able to recover from backups since the attackers – which sound like the Gold Lowell group – had previously compromised them.
Is it possible that this a rogue AI?
Some Gmail Users Are Getting Spam Apparently Sent By Themselves
It's bad enough that several Gmail accounts are reporting unexplained spam in their inbox, but what's worse is they're apparently sent by themselves, even though most of the accounts employ hard-to-crack two-factor authentication.
Google's spam filtering technology is typically excellent at separating legitimate emails from spam, which makes the incident an odd aberration from Gmail's otherwise sterling security protections. However, a spam variant was successful at bypassing those protections, possibly by making it seem as if the spam recipient is also the sender.
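The "sent by yourself" effect needs no account compromise: the From: header is free text chosen by the sender, and the only thing that ties it to the real origin is the SPF/DKIM/DMARC verdict the receiving server records in its Authentication-Results header (RFC 8601). The check below is an added example for this item, not Google's filter logic, which is undisclosed; it assumes the receiving mail server has already added an Authentication-Results header and a Return-Path (envelope sender), and both sample messages are constructed.

```python
"""Flag mail whose From: names the mailbox owner but did not authenticate
as the owner's domain (added illustration, not Gmail's actual filter).

Assumptions: the receiving MTA has stamped Authentication-Results
(RFC 8601) and Return-Path on the message. The two messages are constructed.
"""
import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed: spam with the recipient's own address forged into From:.
FORGED = b"""Return-Path: <bounce@cheap-pills.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=cheap-pills.example; dkim=none; dmarc=fail header.from=example.com
From: Alice <alice@example.com>
To: alice@example.com
Subject: Your account

Buy now
"""

# Constructed: a genuine note-to-self relayed through the owner's domain.
LEGIT = b"""Return-Path: <alice@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Alice <alice@example.com>
To: alice@example.com
Subject: note to self

Remember milk
"""


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Collect method=result pairs from every Authentication-Results header,
    e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}."""
    out = {}
    for ar in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(ar), re.I):
            out[m.group(1).lower()] = m.group(2).lower()
    return out


def classify(raw: bytes, mailbox: str) -> tuple[bool, str]:
    """Return (suspicious, reason). Suspicious means From: claims to be the
    mailbox owner while DMARC did not pass for that domain."""
    msg = message_from_bytes(raw)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    if from_addr != mailbox.lower():
        return False, "From is not the mailbox owner"
    results = auth_results(msg)
    if results.get("dmarc") == "pass":
        return False, "From matches owner and DMARC passed"
    # The envelope sender on an unrelated domain is the second tell.
    envelope = _domain(str(msg.get("Return-Path", "")))
    return True, (f"From claims {from_addr} but dmarc={results.get('dmarc', 'none')}, "
                  f"envelope sender domain={envelope or '?'}")


if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("legit", LEGIT)):
        print(name, classify(raw, "alice@example.com"))
```

The practical defence on the sending side is the same one the check relies on: publish SPF and DKIM for your domain and a DMARC policy of `reject`, so that receivers can refuse, rather than merely score, mail that carries your domain in From: without authenticating as you. Two-factor authentication on the account, as the article notes, does nothing here because the account was never logged into.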
More thoughts on Facebook.
Facebook in the Spotlight: Dataism vs. Privacy
JURIST Guest Columnist Chris Hoofnagle of Berkeley Law, discusses the policing of Facebook’s privacy policies and FTC enforcement: “Are our institutions up to the challenge of protecting users from information-age problems? This is the high-level question emerging from the Facebook-Cambridge Analytica debate. While on one hand Facebook and similarly-situated companies will pay some regulatory price, our public institutions are also in the crosshairs. In the U.S., the much-praised and admired Federal Trade Commission (“FTC”) approach is suffering a crisis of legitimacy. Facebook’s European regulator, the Irish data protection commissioner, is losing both control over its supervision of American companies and the respect of its regulatory colleagues. In a recent press release, the Article 29 Working Party announced that it was creating a working group focusing on social media, never mentioning the Irish in its statement. In this essay I explain the challenges the FTC faces in enforcing its 2012 consent agreement against Facebook and suggest ways it could nonetheless prevail. In the long run, everyone wins if our civil society institutions can police Facebook, including the company itself. While Facebook’s privacy problems have long been dismissed as harmless, advertising-related controversies, all now understand Facebook’s power over our broader information environment. After Brexit, the 2016 U.S. election, and violence in Myanmar, if consumer law fails, we risk turning to more heavy-handed regulatory tools, including cyber sovereignty approaches, with attendant consequences for civil society and internet freedom…”
Perhaps a wax (resin, whatever) mold of the finger/thumb prints should be mandatory?
Florida Detectives Tried Using Dead Man’s Finger to Unlock Cellphone
A pair of Florida detectives visited a funeral home last month in an attempt to unlock a cellphone belonging to a deceased man by using his fingerprint.
… They gained access to the corpse and held his fingerprint to the phone’s sensor but, according to the Tampa Bay Times, which first reported the case, the move was ultimately unsuccessful. Largo police lieutenant Randall Chaney said that the two detectives needed access in order to preserve data stored on the handset that was potentially tied to a separate drug inquiry involving the deceased suspect.
Chaney told the Tampa Bay Times there is typically a 48 to 72-hour period to open a cellphone that has been locked using a fingerprint. While Largo police officers got the device back within that period, Phillip’s body had already been transferred from state custody to the funeral home. Detectives believed a warrant was not needed because the suspect had little expectation of privacy, Chaney added.
Florida police failed to unlock phone using a dead man's finger — but corpses may still help in hacking handsets
… Though it's not clear what brand of phone Phillip owned, Engadget years ago concluded that a finger from a corpse would not unlock an iPhone.
The Touch ID system uses two methods to sense and identify a fingerprint, capacitive and radio frequency. "A capacitive sensor is activated by the slight electrical charge running through your skin," wrote Engadget in 2013. "We all have a small amount of electrical current running through our bodies, and capacitive technology utilizes that to sense touch."
And the radio frequency waves in an iPhone sensor would also not open unless living tissue was present.
Should we all have this App?
This app maker says his work saved thousands during Hurricane Harvey — and he’s not done yet
… His idea was to create an application where a family in distress could quickly submit a call for help containing their location and information, which would instantly appear on a map. A responder could pull the location in order to execute the rescue. Once the family was safe, the information would be taken down so rescuers could focus on those still in need.
… At least 25,000 people were rescued in Houston using the app, Marchetti says.
… The service — now known as CrowdSource Rescue (CSR) — was meant to fill the deficit of public services during a time of immense, dizzying catastrophe. CSR reduced the redundancy created by reposting and sharing across multiple platforms. It crowdsourced every part of the operation: posting, dispatching, rescuing, and updating. It allowed Houstonians and outside volunteer organizations such as the Cajun Navy to work hand in hand with public officials.
Perspective. Well, perhaps Texas has a different perspective.
Emma Platoff reports:
An appeals court has struck down Texas’ “revenge porn” law, ruling that the statute is overly broad and violates the First Amendment.
The 2015 state law targets what author state Sen. Sylvia Garcia, D-Houston, called “a very disturbing internet trend” of posting a previous partner’s nude or semi-nude photos to the web without the partner’s permission, often with identifying information attached. Inspired in part by the testimony of Hollie Toups, a Southeast woman whose intimate photos were posted online, the law made posting private, intimate photos a misdemeanor, carrying a charge of up to a year in jail as well as a $4,000 fine.
Read more on Texas Tribune.
The future of e-commerce in India increasingly looks like an all-American affair
India’s technology industry is bracing itself for the next era of e-commerce warfare, which looks set to be waged and bankrolled by two gigantic corporations located halfway across the world: Amazon and Walmart.
Amazon is already deeply committed to the country, where it has pledged to deploy over $5 billion to grow its business, and now U.S. rival Walmart is said to be inching closer to a deal to buy Flipkart.
Bloomberg reports that Walmart is poised to acquire 60-80 percent of the company for $12 billion.
(Related) Is that why Amazon didn’t complete their bid for Flipkart?
Amazon expects groceries to account for over half of India business in the next 5 years
… Amit Agarwal, the India head of Amazon, said in an interview on Friday that groceries and goods such as creams, soaps and cleaning products, were already the largest product category on Amazon in terms of number of units sold in India.
“I would not speculate on when we would launch AmazonFresh but, absolutely, if you ask me the next five years of vision – from your avocados to your potatoes, and your meat to your ice cream – we’ll deliver everything to you in two hours,” he said.
For my History nerds.
Papers of Benjamin Franklin Now Online
“The papers of American scientist, statesman and diplomat Benjamin Franklin have been digitized and are now available online for the first time from the Library of Congress. The Library announced the digitization in remembrance of the anniversary of Franklin’s death on April 17, 1790. The Franklin papers consist of approximately 8,000 items mostly dating from the 1770s and 1780s. These include the petition that the First Continental Congress sent to Franklin, then a colonial diplomat in London, to deliver to King George III; letterbooks Franklin kept as he negotiated the Treaty of Paris that ended the Revolutionary War; drafts of the treaty; notes documenting his scientific observations, and correspondence with fellow scientists. The collection is online at: loc.gov/collections/benjamin-franklin-papers/about-this-collection.”
Looks like it might be useful for topics you are not already familiar with.
Peekier – privacy-oriented search engine
“Peekier (pronounced /’pi·ki·er/) is a new way to search the web. Peek through search results fast and securely on a search engine that respects your privacy. Faster information discovery – Peekier shows you a website preview of the search results. Clicking on a result will maximize the preview and allow you to scroll through the website. You can then decide if the information displayed on the website interests you or not before clicking on the link. Here is what a normal search engine looks like on a widescreen monitor: 2/3rds of the screen real estate remain unused. Peekier utilizes 100% of your monitor, giving you all the information you need to know before you visit a website. This is the way searching will be done in the future.”
In all the ruckus about the ban on torrent sites, we forget that there are many more legal uses for torrents than illegal ones.
Still not convinced?
Go to BitTorrent Now to see how creatives used torrent files to distribute their work to you.
Amazon S3 supports the BitTorrent protocol so that developers can save costs when they want to transfer large amounts of data.