Saturday, May 19, 2018

Let this be a lesson to my Computer Security students.
Mark Satter reports:
The nation relies on teachers to educate our children and help them when they make mistakes. But when it comes to protecting students’ data, it is often the teachers and school staff who mistakenly let bad actors in to school computer systems, officials say.
In a hearing Thursday before the House Committee on Education and the Workforce, a panel of educators, privacy experts and U.S. Department of Education officials pointed to accidental online errors by school staff as the main threat to protecting school data.
In the state of Kentucky, which experienced more than 4 billion attempted attacks on the computer systems of K-12 services last year, the greatest number of data breaches were the result of staff who fell for email phishing scams, according to David Couch, CIO for the Kentucky Education Technology System (KETS) at the Kentucky Department of Education.
“By far the greatest vulnerability to our systems is internal staff who fall victim to phishing attempts,” Couch said during the hearing.
Read more on EdScoop.

(Related) Perhaps a class or two on Ethics?
Violet Ikonomova reports:
Leave it to kids in one of Michigan’s best school districts to have figured out how to hack the district’s grading system and (presumably) give themselves A’s.
A message posted to the Bloomfield Hills Schools website alerts parents that “a couple” students made “some poor choices lately,” hacking into the district’s student information system and manipulating their personal grades, attendance, and lunch balance information. The database houses all of the district’s student and family data, the notice says.
The students are in high school and modified the information of their own accounts and other high schoolers’, Bloomfield Hills Schools Superintendent Robert Glass says in a video message elsewhere on the website. A total of 20 students saw changes made in the form of improved grades, improved attendance, and reduced lunch balances.
Read more on Detroit Metro Times.

Aggregating data for resale.
200 Million Sets of Japanese PII Emerge on Underground Forums
A dataset allegedly containing 200 million unique sets of personally identifiable information (PII) exfiltrated from several popular Japanese website databases emerged on underground forums, FireEye reports.
Advertised by a Chinese threat actor at around $150, the dataset contained names, credentials, email addresses, dates of birth, phone numbers, and home addresses, and was initially spotted in December 2017.
The data appears sourced from a variety of Japanese websites, including those in the retail, food and beverage, financial, entertainment, and transportation sectors, and FireEye believes that the cybercriminals obtained it via opportunistic compromises.

It’s cheaper (for the state) if you have no rights!
Gavin Reinke of Alston & Bird writes:
The Georgia Court of Appeals recently reaffirmed its prior conclusion that there is no duty to safeguard personal information under Georgia law. In McConnell v. Ga. Dep’t of Labor, — S.E.2d —-, 2018 WL 2173252 (Ga. App. May 11, 2018), the Court of Appeals addressed whether a plaintiff whose social security number and other personal identifying information (“PII”) had allegedly been negligently disclosed by an employee of the Georgia Department of Labor stated a negligence claim in connection with the unauthorized disclosure.
In urging that the Court of Appeals should recognize such a duty, the plaintiff in McConnell relied on the Georgia Personal Identity Protection Act (the “GPIPA”). The plaintiff argued that the GPIPA supported recognizing a duty to safeguard PII because the statute reflects the General Assembly’s “intent to protect citizens from the adverse effects of disclosure of personal information and created a general duty to preserve and protect personal information.” McConnell, 2018 WL 2173252.

You have no ‘right to be forgotten.’
All of’s alleged co-owners arrested on extortion charges
Two alleged owners of—Sahar Sarid and Thomas Keesee—have been arrested in south Florida on a recently issued California warrant. The notorious website publishes mugshots and then demands payment for their removal.
… "This pay-for-removal scheme attempts to profit off of someone else's humiliation," said Attorney General Becerra in a statement. "Those who can't afford to pay into this scheme to have their information removed pay the price when they look for a job, housing, or try to build relationships with others. This is exploitation, plain and simple."
… The 29-page affidavit provides a lengthy explanation of what prosecutors call a "business permeated with fraud."

(Related) For all my students!
I sometimes think people don’t realize the amount of time and passion Joe Cadillic dedicates to informing you all of surveillance issues and online threats to our privacy. We’ll get back to that later in this post, but for now:
This week, one of the links he sent me to share with you all is a treasure.
Michael Bazzell writes:
Posted on May 15th, 2018
I received an email today from a reader of the latest edition of my privacy book Hiding from the Internet. In the book, I include an entire chapter of opt-out links for removing personal information from people-search, data-mining, marketing, and data broker websites. The reader asked if I maintained a digital version of the workbook with active hyperlinks for easy navigation. While I try to maintain a page for hyperlinks from the book, it did not quite replicate the workbook model that is in the official publication. Today, I am releasing the entire workbook in PDF format for free. I hope it helps the process of cleaning up unwanted online details. The direct link is below.

Computers and the Constitution.
From EPIC:
EPIC has filed a “friend of the court” brief, joined by forty-four technical experts and legal scholars (members of the EPIC Advisory Board), in the OPM Data Breach case. The case concerns the data breach at the US Office of Personnel and Management in 2015 that affected 22 million federal employees, their friends, and family members. In the brief to the federal appeals court, EPIC said that “when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained.” In a 2011 case, NASA v. Nelson, EPIC urged the Supreme Court to limit data collection by federal agencies, citing the growing risk of data breach in the federal government.

Adding ‘touch’ to Tech. Hand holding for people not comfortable with e-commerce?
Walmart has quietly launched Jetblack, a ‘members-only’ personal shopping service for affluent city moms
Code Eight, a stealthy personal-shopping startup incubated inside of Walmart, has rebranded itself as Jetblack, Recode has learned.
In job listings, the service is described as a “members-only personal shopping and concierge service that combines the convenience of e-commerce with the customized attention of a personal assistant.”
Visitors to are greeted by a landing page that says, “Nice work, you found us!”
“Jetblack is currently in beta in Manhattan,” the site says. It gives visitors an option to request early access.
A new Walmart subsidiary, called Code Eight, has recently started testing a personal shopping service for “busy NYC moms,” according to multiple sources, with the goal of letting them get product recommendations and make purchases simply through text messaging.
The target customer of Code Eight is described in an online job listing as a “high net worth urban consumer” — translation: A rich city dweller — certainly not the historical sweet spot for Walmart’s main business.
Household items are delivered for free within 24 hours; other purchases are delivered within two business days. Returns are picked up for free at a customer’s apartment building or house.

Friday, May 18, 2018

Here is how the pros do it. I wonder if anyone has recommended an App to President Trump?
North Korea-tied hackers used Google Play and Facebook to infect defectors
Researchers said a team of hackers tied to North Korea recently managed to get the Google Play market to host at least three Android apps designed to surreptitiously steal personal information from defectors of the isolated nation.
The three apps first appeared in the official Android marketplace in January and weren’t removed until March when Google was privately notified. That’s according to a blog post published Thursday by researchers from security company McAfee. Two apps masqueraded as security apps, and a third purported to provide information about food ingredients. Hidden functions caused them to steal device information and allow them to receive additional executable code that stole personal photos, contact lists, and text messages.
The apps were spread to selected individuals, in many cases by contacting them over Facebook. The apps had about 100 downloads when Google removed them. Nation-operated espionage campaigns frequently infect a small number of carefully selected targets and keep the number small in an attempt to remain undetected. Thursday’s report is the latest to document malicious apps that bypassed Google filters designed to keep bad wares out of the Play market.
… In January, McAfee reported finding malicious apps targeting North Korean journalists and defectors. Some of the Korean words found in the control servers weren’t used in South Korea but were used in North Korea. The researchers also found a North Korean IP address in a test log file of some Android devices that were connected to accounts used to spread the malware. McAfee said the developers didn’t appear to be connected to any previously known hacking groups. The researchers named the group Sun Team after finding a deleted folder called “sun Team Folder.”

Just one of millions of the tiny errors that hackers exploit.
Cell phone tracking firm exposed millions of Americans' real-time locations
… The company, LocationSmart, is a data aggregator and claims to have "direct connections" to cell carriers to obtain locations from nearby cell towers. The site had its own "try-before-you-buy" page that lets you test the accuracy of its data. The page required explicit consent from the user before their location data can be used by sending a one-time text message to the user. When we tried with a colleague, we tracked his phone to a city block of his actual location.
But that website had a bug that allowed anyone to track someone's location silently without their permission.
"Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call.
"The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here."

It’s a start...
DHS Publishes New Cybersecurity Strategy
The U.S. Department of Homeland Security (DHS) this week published its long-delayed Cybersecurity Strategy. It had been mandated by Congress to deliver a strategy by March 2017, and did so on May 15, 2018.
The strategy is defined in a high-level document (PDF) of 35 pages. Its scope is to provide "the Department with a framework to execute our cybersecurity responsibilities during the next five years to keep pace with the evolving cyber risk landscape by reducing vulnerabilities and building resilience; countering malicious actors in cyberspace; responding to incidents; and making the cyber ecosystem more secure and resilient."
Of necessity, however, the five pillars and seven goals are defined in very basic terms. They define objectives, sub-objectives and outcomes – but with little on methods. For example, goal #1 (the risk identification pillar) is to assess evolving cybersecurity risks. This will be achieved by working with "stakeholders, including sector-specific agencies, nonfederal cybersecurity firms, and other federal and nonfederal entities, to gain an adequate understanding of the national cybersecurity risk posture, analyze evolving interdependencies and systemic risk, and assess changing techniques of malicious actors."
However, nobody was able to predict, detect or prevent Russian meddling in the 2016 presidential election, nor the WannaCry and NotPetya outbreaks. The implication is that something new and beyond just increased interagency cooperation needs to be done to achieve genuine risk identification.

Another failed IT project?

Sort of a multi-generational Big Brother to guide the entire human race. You can’t say they don’t think big.
Google's Hypothetical 'Selfish Ledger' Imagines Collecting All Your Data to Push You to Change Society
A couple of years ago, Alphabet’s X “moonshot factory” conjured up a concept that describes how total and absolute data collection could be used to shape the decisions you make. And now a video about that concept has leaked online.
The video was obtained and published on Thursday by The Verge. It describes a so-called “Selfish Ledger” that would collect all of your data, including actions you make on your phone, preference settings, and decisions you make, and not just keep it there for future evaluation. Instead, the ledger, which would be designed and managed by Google, would interpret that information and guide you down a path towards reaching a goal, or on a broader scale, doing your part to help solve poverty or other societal problems.

20 years of the Laws of Cyberspace
What if an architecture emerges that permits constant monitoring; an architecture that facilitates the constant tracking of behavior and movement. What if an architecture emerged that would costlessly collect data about individuals, about their behavior, about who they wanted to become. And what if the architecture could do that invisibly, without interfering with an individual’s daily life at all? … This architecture is the world that the net is becoming. This is the picture of control it is growing into. As in real space, we will have passports in cyberspace. As in real space, these passports can be used to track our behavior. But in cyberspace, unlike real space, this monitoring, this tracking, this control of behavior, will all be much less expensive. This control will occur in the background, effectively and invisibly. -Lawrence Lessig, “The Laws of Cyberspace,” 1998

My cousin, the crook?
DNA Data From 100 Crime Scenes Has Been Uploaded To A Genealogy Website — Just Like The Golden State Killer
The remarkable sleuthing method that tracked down the Golden State Killer was not a one-off. A company in Virginia is now working with several law enforcement agencies to solve cases using the same “genetic genealogy” approach that led investigators in California to arrest Joseph James DeAngelo.
The company, Parabon NanoLabs, has already loaded DNA data from about 100 crime scenes into a public genealogy database called GEDmatch. And in about 20 of these cases, the company says, it has found matches with people estimated to be the suspect’s third cousins or even closer relatives.
“We were actually pretty surprised,” Ellen Greytak, Parabon’s director of bioinformatics, told BuzzFeed News. With those known genetic connections, she said, investigators have a good chance of using genealogical research to draw family trees and identify possible suspects. Some arrests could come quickly, she suggested. “I think there is going to be press around this very soon.”

About time!
Tech Firms Move to Put Ethical Guard Rails Around AI
… At Microsoft, Horvitz helped establish an internal ethics board in 2016 to help the company navigate potentially tricky spots with its own AI technology. The group is cosponsored by Microsoft’s president and most senior lawyer, Brad Smith. It has prompted the company to refuse business from corporate customers, and to attach conditions to some deals limiting the use of its technology.
Horvitz declined to provide details of those incidents, saying only that they typically involved companies asking Microsoft to build custom AI projects. The group has also trained Microsoft sales teams on applications of AI the company is wary of.
Google … promised that it would require a new, hyperrealistic form of its voice assistant to identify itself as a bot when speaking with humans on the phone. The pledge came two days after CEO Sundar Pichai played impressive—and to some troubling—audio clips in which the experimental software made restaurant reservations with unsuspecting staff.

What Google isn't telling us about its AI demo
… Axios asked Google for the name of the hair salon or restaurant, in order to verify both that the businesses exist and that the calls were not pre-planned. We also said that we'd guarantee, in writing, not to publicly identify either establishment (so as to prevent them from receiving unwanted attention).
A longtime Google spokeswoman declined to provide either name.
We also asked if either call was edited, even perhaps just cutting the second or two when the business identifies itself. And, if so, were there other edits? The spokeswoman declined comment, but said she'd check and get back to us. She didn't.

Perspective. But all the political journalists do.
Very Few Voters Actually Read Trump’s Tweets
… since politicians are known for boring, repetitive, long-winded speeches, what could be a better political platform than one that literally forbids using more than 280 characters at a time? Twitter seems good for Trump, too: As his allies often say, it gives the president a way to speak directly to the American electorate, getting around the media’s filter. Trump’s Twitter account is followed by 52 million people, not that far off from the nearly 63 million who voted for him in 2016.
But some data released this week should give Trump and his supporters pause about the power of his Twitter account in directly reaching American voters — and push the media to think carefully about its coverage of Trump’s tweets. Only 8 percent of U.S. adults say they follow Trump’s Twitter account (@realDonaldTrump), and only 4 percent say they follow his account and regularly read the president’s tweets, according to a new Gallup poll.

Zillman makes large and useful collections. Always worth a careful read!
New on LLRX – 2018 New Economy Resources and Tools
Via LLRX.com – 2018 New Economy Resources and Tools – This guide by Marcus Zillman provides researchers in multiple disciplines – law, economists, academia, government, corporate, and journalism – the latest, most reliable web resources for discovering sources to meet the multifaceted needs of time sensitive, specific, actionable work product. The global economic landscape is rapidly changing as transparency, big data and the ability to access data from new and now accessible databases are increasingly available through portals and sites around the world. Understanding how to locate and leverage new economy analytics, resources and alerts will provide you with key tools and techniques to expand access to requisite knowledge that you can apply daily in your work place.

Could be handy for my researchers…

Thursday, May 17, 2018

If a hacker hacks another hacker, is that like “the enemy of my enemy is my friend?”
Joseph Cox reports:
Last week, Motherboard reported that a vigilante hacker had stolen data from a hacking group that researchers say is a government-linked cyberespionage unit. The data included GPS locations, text messages, and phone calls that the group had taken from their own victims. Now, that hacker has seemingly published the stolen data online for anyone to download.
Read more on Motherboard.

Could make for an interesting discussion in my Software Architecture class.

A global interpretation of US v Microsoft? “If you want access to our data, we want access to your data.” Whose laws must I obey?
Digital Free for All Part Deux: European Commission Proposal on E-Evidence
The European Commission has released a proposal to enable EU-member states’ law enforcement authorities to access digital information regardless of where that data is stored. It shares several of the practical and human rights problems of the similar piece of U.S. legislation known as the CLOUD Act, as well as raising fresh concerns of its own.
The proposal, labelled “E-evidence – cross-border access to electronic evidence” is now heading to the European Parliament and Council for debate. The EU institutions should review this measure closely before amplifying the errors of the CLOUD Act and raising new problems for cross-border access to electronic evidence. Left unchanged, the Commission proposal will make a difficult situation worse.
What Does the Proposal Mean for Digital Rights?
There will be a lot to debate in the Commission’s proposal as it winds through the EU legislative process. However, two initial areas of concern should be addressed swiftly by EU institutions. First is the fact that this proposal could usher in a paradigm shift in the system of cross-border access to data in criminal investigations, risking a digital free for all and eliminating critical junctures for judicial review of law enforcement requests for data. The second concern centers around the proposal’s failure to adequately safeguard human rights. We at EPIC pointed to precisely these risks in our amicus brief in the now mooted United States v. Microsoft case concerning U.S. law enforcement access to data stored in Ireland.

Not quite tossing the baby with the bathwater, but then this is only one example.
Deleted WHOIS Data: An Unintended Consequence of GDPR
As security professionals, next week we can expect to see another example of an unintended consequence when the General Data Protection Regulation (GDPR) goes into effect. There are actually a few unintended consequences from these new regulations, but one of the most concerning is the upcoming response that domain registrars are discussing through the global body the Internet Corporation for Assigned Names and Numbers (ICANN). As the name suggests, ICANN is responsible for maintaining the rules for WHOIS data – essentially, a telephone directory-like structure that contains detailed information on who signed up for a specific Internet domain, including their name, address, email address and telephone number. Such data is subject to the GDPR’s privacy requirements for protection. As a result, under current proposals, many of the businesses that register domains will remove key elements of information from the system. In effect, on May 25 the system will “go dark” until alternative preparations are made, which ICANN representatives expect won’t start being implemented until December 2018.
Without access to this critical resource, combatting criminal behavior on the Internet becomes much more difficult. To make matters worse, during the intervening months before an alternative solution for GDPR-compliant access is available, attackers will be able to exploit this new-found anonymity to their advantage. We may see an uptick in spam and, more generally, in criminal activity. As we alter our methods for data handling, we could be exposing the very individuals we are striving to protect to additional risk.

I wonder what information Google gathers from this?
Google Offers Free DDoS Protection for U.S. Political Organizations
Jigsaw, an incubator run by Google parent Alphabet, this week announced the availability of Project Shield – which offers free distributed denial of service (DDoS) protections – for the U.S. political community.
Opened in February 2016 to independent, under-resourced news sites, Project Shield helps protect free speech by fending off crippling DDoS assaults.
In March last year, Google and Jigsaw announced a partnership to offer Protect Your Election, tools that would help news organizations, human rights groups, and election monitoring sites fend off not only DDoS assaults, but also phishing and account takeover attempts.
This week, Jigsaw revealed that Project Shield is now available for free to “U.S. political organizations registered with the appropriate electoral authorities, including candidates, campaigns, section 527 organizations, and political action committees.”

Is the system smart enough to recognize that the plate does not match the car?
Law enforcement can identify your vehicle by make, model, year, color, features via new software
News release: “Leonardo’s ELSAG ALPR solutions are used by nearly 4,000 customers in over 25 countries by local, state, and federal law enforcement agencies. Leonardo will introduce two new Automatic License Plate Recognition (ALPR) solutions at the 2018 IACP Technology Conference on May 21-23 in Providence, Rhode Island. The ELSAG MTC and ECSS will be on display during the conference… After years of research and development, Leonardo is proud to introduce Make, Type and Color Recognition feature called ELSAG MTC to their ELSAG Enterprise Operation Center (EOC). Using advanced computer vision software, ELSAG ALPR data can now be processed to include the vehicle’s make, type – sedan, SUV, hatchback, pickup, minivan, van, box truck – and general colour – red, blue, green, white and yellow. The solution actively recognizes the 34 most common vehicle brands on U.S. roads.” [emphasis added]

Virtual digital assistants to overtake world population by 2021
Ovum: “Globally, the native digital assistant installed base is set to exceed 7.5 billion active devices by 2021, which is more than the world population according to the US Census Bureau on May 1, 2017. But fear not – Skynet, from the popular Terminator movies, does not feature among the leading digital assistants. Instead, Google Assistant will dominate the voice AI–capable device market with 23.3% market share, followed by Samsung’s Bixby (14.5%), Apple’s Siri (13.1%), Amazon’s Alexa (3.9%), and Microsoft’s Cortana (2.3%). Ovum’s Digital Assistant and Voice AI–Capable Device Forecast: 2016–21 found that smartphones and tablets clearly lead the voice AI–capable device market, with 3.5 billion active devices in 2016, most of which use Google Now and Apple Siri. However, the use of AI in conjunction with other devices greatly increases consumer engagement and is set to unlock new opportunities, particularly in the home. Ovum expects an exponential uptake of voice AI capabilities among new devices, including wearable, smart home, and TV devices, with a combined installed base of 1.63 billion active devices in 2021, a tenfold increase on 2016. Despite all the hype that surrounds AI-capable connected speakers, TV devices (i.e. smart TVs, set-top boxes, and media streamers) offer a larger opportunity, accounting for 57% of that installed base in 2021…”

(Related) If Alexa starts talking to itself in eight voices, can it order itself to ‘kill the humans?’
Alexa developers get 8 free voices to use in skills, courtesy of Amazon Polly
Now Alexa’s voice apps don’t have to sound like Alexa. Amazon today is offering a way for developers to give their voice apps a unique character with the launch of eight free voices to use in skills, courtesy of the Amazon Polly service. The voices are only available in U.S. English, and include a mix of both male and female, according to Amazon Polly’s website.
… To use an Amazon Polly voice instead, developers would use Structured Speech Markup Language (SSML) and then specify which voice they want with the “voice name” tag. This makes it easier to adjust what is said, as developers could just change the text instead of having to re-record an mp3.

Different cultures. Contrast with the NY subway system.
Japanese train firm apologises for leaving 25 seconds early
A Japanese rail company has apologised for one of its trains leaving a station 25 seconds early, terming the incident a great inconvenience placed upon customers which was truly inexcusable. What is more concerning to the Japanese is that, in the past months, this is not the first time this has happened with West Japan Railways, also known as JR West. In November, a train left 20 seconds early. The train pulled away from the Notogawa Station platform at the 35th second of 7:11 a.m. instead of the scheduled 7:12 a.m. after the conductor allegedly saw nobody on the platform and figured that nobody would be affected by the 25 second difference. However, one of the stranded passengers escalated their complaint to the headquarters.

My students seem eager to get rid of their textbooks…
BookScouter helps you sell textbooks and used books for the most money by comparing offers from over 35 book buyback vendors with a single search.

Wednesday, May 16, 2018

If you don’t understand security, you can’t understand why we need this post. It’s not real estate, Mr. President.
Trump eliminates job of national cybersecurity coordinator
… Trump signed an executive order rearranging the federal information technology infrastructure that includes no mention of the White House cybersecurity coordinator or of a replacement for Rob Joyce, who said last month that he is leaving the position to return to the National Security Agency, where he previously directed cyber-defense programs.
Politico first reported the elimination of the job on Tuesday. The White House and the National Security Council didn't reply to requests for comment about the decision, which came on the same day a major computer security report again found government systems to be the least secure among all industries.

(Related) Does the President think this is an adequate replacement? Remove high level strategy, let every CIO do his own thing?
Trump issues order to strengthen CIO role at U.S. federal agencies
… In December, the White House said the government required a major overhaul of its information technology systems as well as needing to protect data better and accelerate moves toward using cloud-based technology.
The order on Tuesday seeks to address some of those issues by giving agency CIOs authority similar to that of their counterparts in the private sector, making it easier to attract high-level talent for government technology jobs, one official said.

Do you see this as an unbiased approach?
Facebook’s fake news algorithm seems to be working
The Outline: “Facebook’s January 12 announcement that it would begin to deprioritize news in users’ News Feed left publishers shaking in their boots. “[B]y making these changes, I expect the time people spend on Facebook and some measures of engagement will go down,” admitted Mark Zuckerberg, much to the horror of every major media outlet, most of which relied heavily on the traffic generated from the site. And for a while, it truly did look like the apocalypse was nigh: The Outline’s investigation from early March showed that traffic for most conservative publishers and nearly all publishers of viral and needlessly polarizing content experienced a significant drop in the month following the News Feed change. In the wake of Newswhip’s recent analysis of top publishers’ Facebook engagement data over March and April, many have come to similar conclusions of partisan bias (though the winners and losers often switch, depending on who’s talking). However, new information that takes into account the last four months as a whole — rather than merely looking at month-to-month trends — tells a much different story. According to data The Outline obtained from research tool CrowdTangle, a subsidiary of Facebook, Facebook’s January news feed algorithm change has had little to no effect on mainstream conservative and liberal publishers in the long run, with most actually experiencing increased interaction rates following February. However, publishers of clickbait, purposefully polarizing content, and/or blatantly fake news have experienced a significant sustained drop in interaction in the months following Facebook’s January News Feed deprioritization announcement. The Outline came to these conclusions after analyzing the Facebook interaction rates of 20 publishers from November 1, 2017 to April 20, 2018. CrowdTangle calculates a particular Facebook page’s interaction rate by dividing the average number of interactions (i.e. likes, comments, shares, etc.) in a given time period by the size of the account…”

Twitter will hide more bad tweets in conversations and searches
Twitter: “In March, we introduced our new approach to improve the health of the public conversation on Twitter. One important issue we’ve been working to address is what some might refer to as “trolls.” Some troll-like behavior is fun, good and humorous. What we’re talking about today are troll-like behaviors that distort and detract from the public conversation on Twitter, particularly in communal areas like conversations and search. Some of these accounts and Tweets violate our policies, and, in those cases, we take action on them. Others don’t but are behaving in ways that distort the conversation. To put this in context, less than 1% of accounts make up the majority of accounts reported for abuse, but a lot of what’s reported does not violate our rules. While still a small overall number, these accounts have a disproportionately large – and negative – impact on people’s experience on Twitter. The challenge for us has been: how can we proactively address these disruptive behaviors that do not violate our policies but negatively impact the health of the conversation? A New Approach – Today, we use policies, human review processes, and machine learning to help us determine how Tweets are organized and presented in communal places like conversations and search. Now, we’re tackling issues of behaviors that distort and detract from the public conversation in those areas by integrating new behavioral signals into how Tweets are presented. By using new tools to address this conduct from a behavioral perspective, we’re able to improve the health of the conversation, and everyone’s experience on Twitter, without waiting for people who use Twitter to report potential issues to us…”

Incentive? Is it enough?
Amazon just gave you a Whole Foods reason to get Prime
If you’re not an Amazon Prime subscriber but love Whole Foods, which is also an Amazon property, you should check out the retailer’s brand new promotion that’s targeting Whole Foods shoppers.
Amazon is ready to give you 10% off Whole Foods purchases at already discounted prices, and cut prices on other Whole Foods products each week.
Vice president of Amazon Prime Cem Sibay told The Wall Street Journal that this week’s deals will be available immediately in Florida stores and roll out to more than 460 stores nationwide this summer.

Perspective. A quick overview of the market.
Cloud Computing Companies
Cloud computing companies are enjoying marked growth, and it's no surprise: the cloud computing market shows no signs of slowing down its own considerable growth. Forrester Research estimates the total global public cloud market will be $178 billion in 2018, up from $146 billion in 2017, and will continue to grow at a compound annual growth rate (CAGR) of 22%.
… So in our list of the 50 leading cloud computing companies, you will see big names that have been around for decades right alongside new entries.

Is this not a stupid rule?
WTF: Guardsmen Can Patrol The US Border But Can’t Look Across It?!
The National Guard troops standing watch along the United States’ southwest border may find themselves curious to know what great mysteries lay beyond the muddy waters of the Rio Grande… but alas, federal law forbids them from using their state-of-the-art surveillance equipment to find out.
While the roughly 800 guardsmen holding the line in Texas, New Mexico, and Arizona are permitted to use their naked eyes to peer across the divide, the legal basis for President Donald Trump’s National Guard deployment prohibits the troops from peeping southward through a pair of binoculars — or any other piece of technology that makes things appear closer than they actually are.
Title 32 provides that the National Guard can operate “up to” the United States-Mexico border, but that’s it. No peeking across!
In addition to the surveillance restrictions, the troops are also prohibited from apprehending people or having any physical contact with migrants. Those duties are left to the Border Patrol, which is not shackled by the Posse Comitatus Act of 1878, the post-Civil War statute that limits military involvement in civilian law enforcement.

I have a few people I want to try this on…

Tuesday, May 15, 2018

How do you get transactions into a sealed system?
Hackers Divert Funds From Mexico Banks, Amount Unclear: Official
Hackers have stolen an unknown amount of money from banks in Mexico in a series of cyber attacks on the country's interbank payments system, an official said Monday.
At least five attacks on the Mexican central bank's Interbank Electronic Payments System (SPEI) were carried out in April and May, said Lorenza Martinez, director general of the corporate payments and services system at the central bank.
"Some transactions were introduced that were not recognized by the issuing bank," she told Radio Centro.
"In some cases these transfers made it through to the destination bank and were withdrawn in cash."
Some Mexican media outlets have put the amount stolen at 400 million pesos ($20.4 million), but Martinez denied those reports.
"The amount is currently being analyzed. Some of the transfers were stopped, and the funds are currently being returned," she said.
She said the money stolen belonged to the banks themselves and that clients' funds were never affected.
The interbank payments system allows banks to make real-time transfers to each other.
They connect via their own computer systems or an external provider – the point where the attacks appear to have taken place, Martinez said.
After the attacks were detected, banks switched to a slower but more secure method.

A follow-up to yesterday with a bit more detail. Still looks like the actual algorithms are sound, but the process that integrates it into email is flawed.
What You Need to Know About E-Fail and the PGP Flaw
EFF: “…you should stop using PGP for encrypted email and switch to a different secure communications method for now. A group of researchers released a paper today that describes a new class of serious vulnerabilities in PGP (including GPG), the most popular email encryption standard. The new paper includes a proof-of-concept exploit that can allow an attacker to use the victim’s own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim. The proof of concept is only one implementation of this new type of attack, and variants may follow in the coming days. Because of the straightforward nature of the proof of concept, the severity of these security vulnerabilities, the range of email clients and plugins affected, and the high level of protection that PGP users need and expect, EFF is advising PGP users to pause in their use of the tool and seek other modes of secure end-to-end communication for now. Because we are awaiting the response from the security community of the flaws highlighted in the paper, we recommend that for now you uninstall or disable your PGP email plug-in. These steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community. There may be simpler mitigations available soon, as vendors and commentators develop narrower solutions, but this is the safest stance to take for now. Because sending PGP-encrypted emails to an unpatched client will create adverse ecosystem incentives to open incoming emails, any of which could be maliciously crafted to expose ciphertext to attackers…”

Should home owners be allowed to share video with police? If not, why not?
Joe Cadillic writes:
When I first heard about ‘Ring,’ a smart doorbell with a video camera, I didn’t think much of it.
I mean how could the police state turn what appeared to be an innocuous smart device into another surveillance tool?
Enter Amazon, who recently purchased Ring for $1 billion dollars.
Fast forward a few months and Amazon announces that Ring is on a mission to work with law enforcement across the country.
Read more on MassPrivateI.

Election meddling is a global (and a local) problem.
In India, Facebook’s WhatsApp Plays Central Role in Elections
… Mr. Bhat, a B.J.P. youth leader, said he used WhatsApp to stay in constant touch with the 60 voters he was assigned to track for the party. He sent them critiques of the state government, dark warnings about Hindus being murdered by Muslims — including a debunked B.J.P. claim that 23 activists were killed by jihadists — and jokes ridiculing Congress leaders. His own WhatsApp stream was full of election updates, pro-B.J.P. videos, and false news stories, including a fake poll purportedly commissioned by the BBC that predicted a sweeping B.J.P. win.
… Facebook’s WhatsApp is taking an increasingly central role in elections, especially in developing countries. More than any other social media or messaging app, WhatsApp was used in recent months by India’s political parties, religious activists and others to send messages and distribute news to Karnataka’s 49 million voters. While many messages were ordinary campaign missives, some were intended to inflame sectarian tensions and others were downright false, with no way to trace where they originated.

Facebook closed 583m fake accounts in first three months of 2018
Facebook took moderation action against almost 1.5bn accounts and posts which violated its community standards in the first three months of 2018, the company has revealed.
In its first quarterly Community Standards Enforcement Report, Facebook said the overwhelming majority of moderation action was against spam posts and fake accounts: it took action on 837m pieces of spam, and shut down a further 583m fake accounts on the site in the three months. But Facebook also moderated 2.5m pieces of hate speech, 1.9m pieces of terrorist propaganda, 3.4m pieces of graphic violence and 21m pieces of content featuring adult nudity and sexual activity.

Geography does not guarantee trust, but apparently it can generate distrust. Probably huge profits waiting for any firm that can prove software does only what the vendor claims it does.
Kaspersky Lab to open Swiss data center to combat spying allegations
Moscow-based Kaspersky Lab plans to open a data center in Switzerland by the end of next year to help address Western government concerns that Russia exploits its anti-virus software to spy on customers.
… Kaspersky Lab said part of the new facility would be based in Zurich, and the company had chosen Switzerland for its “policy of neutrality” and strong data protection laws.

Wishing won’t make it so.
AI-4-Good in War
The United Nations campaign entitled #AI4good highlights positive ways artificial intelligence (AI) can be used for the good of humanity. The #AI4Good Summit in Geneva this week highlights many ways AI can have positive uses – both now and in the future. From the agenda, some areas of positive applications of AI include medicine, education, economic, and law enforcement applications.

...and doesn’t electrocute the chicken trying to cross.
Sweden tests roads that charge electric vehicles as they drive
An electrified road in Sweden that is the first in the world to charge vehicles as they drive along is showing promise and could potentially help cut the high cost of electric cars, project backers Vattenfall and Elways told Reuters.
The state-funded project, named eRoadArlanda and costing about 50 million crowns ($5.82 million), uses a modified electric truck that moves cargo from Stockholm’s Arlanda airport to Postnord’s nearby logistics hub to test the technology.
An electrified rail embedded in the tarmac of the 2-km-long (1.24 miles) road charges the truck automatically as it travels above it. A movable arm attached to the truck detects the rail’s location in the road, and charging stops when the vehicle is overtaking or coming to a halt.
The system also calculates the vehicle’s energy consumption, which enables electricity costs to be debited per vehicle and user.
Elways’ chief executive Gunnar Asplund said the charging while driving would mean electric cars no longer need big batteries — which can be half the cost of an electric car — to ensure they have enough power to travel a useful distance.

Perspective. Facebook is unlikely to collapse, but I expect it to try new methods of revenue generation. Perhaps ad-free subscriptions? (What is the average Facebook user worth as an ad recipient?)

Perspective. Are you ready for an i-car?
Apple Now Boasts Second Largest Self-Driving Vehicle Fleet In California
… Apple currently has 55 vehicles cruising the roads (along with 83 trained drivers); GM Cruise has the largest fleet at 104 vehicles, and the third largest fleet is Waymo with 51 vehicles.

Didi Chuxing receives permit to test self-driving cars in California
… Didi is getting its permit just weeks after California introduced new rules around self-driving permits, the brunt of which focused on completely driverless vehicles. A total of 53 companies were part of this new permit batch, though many of them are no strangers to the technology.

Well, I find it interesting.
Where’s the Value? An Inside Look at Walmart’s Flipkart Deal
… In the medium term, Walmart may be able to do some smart moves with Flipkart. I am sure it has built these factors into its valuation — and if it has not, it should have. Walmart and Flipkart will have better bargaining power with suppliers (imagine the global might of both U.S. and India volumes while negotiating rates with Chinese suppliers). Walmart could also apply its e-commerce lessons from Flipkart and implement them in the U.S and other global plays (, etc). I imagine this would have a much greater bearing on Walmart’s thinking than a pure India play. After all, few companies globally have been able to withstand Amazon’s onslaught, as Walmart knows from previous experience. Walmart’s sourcing might, combined with Flipkart’s e-commerce prowess, can and should be a global play, not just an India play.

A (literally) dying market?
An iPad for 80-year-olds: Senior-citizen carrier Consumer Cellular bets on tablets
Consumer Cellular has spent years carving out a lucrative niche in the wireless industry: selling mobile phones to senior citizens.
Now the closely held Portland company looks to apply that formula to tablets and smart-home equipment. The idea is to offer technology that’s simpler to use, both for non-savvy consumers and those who are physically challenged.
The company’s expansion begins this month with the addition of the GrandPad to its lineup. The touch-screen tablet was designed for older customers — people who may be intimidated by an iPad. The interface lets users hold video chats with family members, view photos or check up on news.

Monday, May 14, 2018

Oh wow, this could be bad! And I just recommended PGP to my students. I wonder if it’s the plug-in and not the actual encryption packages? Either way, I’m glad I taught my students to build their own encryption system.
Stop Using Common Email Encryption Tools Immediately, Researchers Warn
Throughout the many arguments over encrypted communications, there has been at least one constant: the venerable tools for strong email encryption are trustworthy. That may no longer be true.
On Tuesday, well-credentialed cybersecurity researchers will detail what they call critical vulnerabilities in widely-used tools for applying PGP/GPG and S/MIME encryption. According to Sebastian Schinzel, a professor at the Münster University of Applied Sciences in Germany, the flaws could reveal the “plaintext” that email encryption is supposed to cover up—in both current and old emails.
The researchers are advising everyone to temporarily stop using plugins for mail clients like Microsoft Outlook and Apple Mail that automatically encrypt and decrypt emails—at least until someone figures out how to remedy the situation. Instead, experts say, people should switch to tools like Signal, the encrypted messaging app that’s bankrolled by WhatsApp co-founder Brian Acton.
When contacted by Fortune, Schinzel declined to divulge further details ahead of Tuesday’s announcement, but he pointed to a blog post from the world’s biggest digital rights group, the Electronic Frontier Foundation (EFF), for further advice.
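The point both EFAIL items on this page make (this one and the EFF follow-up above) is that the cryptography is not what failed; the way mail clients handle what comes out of the decryptor is. The following is an added illustration of that design point in Python, not code from EFF, the researchers, GnuPG or any mail plug-in. It assumes a client that receives a decrypted MIME part and must decide whether to render it; the DecryptedPart structure, its integrity_verified flag, and the sample message are all constructed for this example. Two defensive rules are modelled: refuse to render plaintext whose ciphertext the decryption layer could not integrity-check, and strip every reference a renderer would fetch on its own (images, stylesheets, CSS url() loads) so that displaying the message cannot open a network connection.

```python
"""Post-decryption handling for an e-mail client (added example; constructed
data structures, not a real plug-in's API)."""

from dataclasses import dataclass
from html.parser import HTMLParser

# Attributes a renderer fetches on its own when the part is displayed.
AUTO_FETCH_ATTRS = {"src", "background", "poster"}
REMOTE_PREFIXES = ("http://", "https://", "//", "ftp://")


def _is_remote(value):
    return (value or "").strip().lower().startswith(REMOTE_PREFIXES)


class RemoteRefStripper(HTMLParser):
    """Re-emit HTML with every automatically fetched remote reference removed.

    Rendering the result cannot make the client open a connection, so the
    decrypted text cannot leave the machine via an image, stylesheet or
    CSS url() load. Ordinary <a href> links are kept: they are not fetched
    until the user clicks them.
    """

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.removed = 0

    def _rebuild(self, tag, attrs, self_closing):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            fetches = (lname in AUTO_FETCH_ATTRS
                       or (tag == "link" and lname == "href")
                       or (lname == "style" and "url(" in (value or "").lower()))
            if fetches and (lname == "style" or _is_remote(value)):
                self.removed += 1      # drop the attribute, keep the element
                continue
            kept.append(f' {name}="{value}"' if value is not None else f" {name}")
        return f"<{tag}{''.join(kept)}{' /' if self_closing else ''}>"

    def handle_starttag(self, tag, attrs):
        self.out.append(self._rebuild(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._rebuild(tag, attrs, True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments render nothing; drop them


@dataclass
class DecryptedPart:
    plaintext: str
    content_type: str          # "text/plain" or "text/html"
    integrity_verified: bool   # True only if the decryption layer verified an integrity tag


def prepare_for_display(part):
    """Return (text safe to hand to the renderer, number of remote references removed).

    Raises ValueError when integrity was not verified: unauthenticated
    ciphertext may have been altered before it reached this client.
    """
    if not part.integrity_verified:
        raise ValueError("decrypted content has no integrity protection; not rendering")
    if part.content_type != "text/html":
        return part.plaintext, 0
    stripper = RemoteRefStripper()
    stripper.feed(part.plaintext)
    stripper.close()
    return "".join(stripper.out), stripper.removed


# Constructed sample: a legitimate paragraph plus a 1x1 remote image and an
# inline style, both of which would trigger a fetch when displayed.
SAMPLE_HTML = ('<p>Meeting moved to 10:00.</p>'
               '<img src="https://remote.invalid/pixel.png" width="1" />'
               '<div style="background:url(https://remote.invalid/bg.png)">note</div>')


if __name__ == "__main__":
    text, n = prepare_for_display(DecryptedPart(SAMPLE_HTML, "text/html", True))
    print(n, "remote references removed")
    print(text)
```

Run as a script it reports two removed references and prints the message with the image source and the background style gone. The integrity check is the part a client most often skips: rendering HTML from ciphertext that carried no verified integrity tag is exactly the combination the author's note above calls a flawed integration, not a flawed algorithm.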

The downside of trusting crooks to be honest.
Catalin Cimpanu reports:
Ransomware has infected the servers of the Riverside Fire and Police department for the second time in a month.
The first ransomware infection took place on April 23, last month, and encrypted ten months' worth of work data related to active investigations.
Officials said they didn’t pay the ransom and were able to recover some of the data from previous backups. Other data they recovered from public court records, but to this day, the Riverside Fire and Police department have not fully recovered from the first attack.
Read more on Bleeping Computer
[From the article:
The second infection took place last week, May 4, but only came to light today when US Secret Service agents arrived in the Ohio town to help with the investigation.
This time around officials appear to have learned their lesson and were actively making backups on a daily basis. Officials said the second ransomware infection only locked up data for the last eight hours of work, and the department fully recovered after the second attack.
"Everything was backed up, but we lost about eight hours' worth of information we have to re-enter," City Manager Mark Carpenter told local media. "It was our police and fire records, so we just re-enter the reports."
This is not the first ransomware infection that hit a police department and has wiped data on investigations. Police in Cockrell Hill, Texas suffered a similar incident in January 2017 when they lost nearly eight years' worth of evidence.
Police and fire departments are regularly hit with ransomware, but usually, they manage to recover either by restoring backups or by paying the ransom. Past victims include the police departments in the Mad River Township, Ohio; Roxana, Illinois; Tewksbury, Massachusetts; Rockport, Oregon; Mount Pleasant, South Carolina; just to name a few.

A new(ish) term that defines a category of Identity Theft.
Sizing Up the Impact of Synthetic Identity Fraud
With recent data breaches and the associated flood of PII onto the dark web, synthetic identity fraud is easier to commit than ever. Credit card losses due to this fraud exceeded $800 million in the U.S. last year, says Julie Conroy, a research director at Aite Group. Perhaps more shocking is just how much of the fraud is going undetected, flying under the radar as credit write-offs.
"One of the challenging aspects of this is often it doesn't get recognized as fraud and gets written off as a credit loss; so understanding the scope of the problem has been a challenge," Conroy says in an interview with Information Security Media Group about Aite's latest research. "A number of institutions are starting to see fundamental shifts to things like their credit delinquency curves that are only explainable by synthetic identity fraud."

Synthetic Identity Theft
A type of fraud in which a criminal combines real (usually stolen) and fake information to create a new identity, which is used to open fraudulent accounts and make fraudulent purchases. Synthetic identity theft allows the criminal to steal money from any credit card companies or lenders who extend credit based on the fake identity.

Cambridge again? Don’t they have Computer Security managers there?
Phee Waterfield and Timothy Revell report:
Data from millions of Facebook users who used a popular personality app, including their answers to intimate questionnaires, was left exposed online for anyone to access, a New Scientist investigation has found.
Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions, which led to it being left vulnerable to access for four years. Gaining access illicitly was relatively easy.
The data was highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests. It was meant to be stored and shared anonymously; however, such poor precautions were taken that deanonymising would not be hard.
Read more on New Scientist

The flip side of blocking Russian Facebook ads?
When governments censor websites and block messaging apps like Telegram, here's where to turn for proof
In Iran, use of the messaging app Telegram has officially been banned.
For some 40 million Iranians, Telegram has been an integral part of daily life, a place to talk with friends and family beyond the reach of government censors. Which is why, after anti-government protests broke out in the final days of 2017, the government instructed the country's internet service providers to implement temporary controls that would make Telegram harder to use — before outright banning its use this month.
Anecdotal reports are one thing. But to understand how, exactly, Telegram was being blocked — and to what extent in different parts of the country — researcher Mahsa Alimardani turned to technical data gathered by a watchdog group called the Open Observatory of Network Interference, or OONI.
… All of the data collected by OONI's measurement software — called probes — is stored in a publicly accessible database, where anyone can go to understand what's being blocked, filtered, or throttled in a particular country, and how. That data can be used to track the evolution of information controls over time or link censorship with political events like elections and protests.

For my Computer Security and Software Architecture students.
Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
“This update to NIST Special Publication 800-37 (Revision 2) responds to the call by the Defense Science Board, Executive Order 13800, and OMB Memorandum M-17-25 to develop the next-generation Risk Management Framework (RMF) for information systems, organizations, and individuals. There are seven major objectives for this update:
  • Provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
  • Institutionalize critical organization-wide risk management preparatory activities to facilitate a more effective, efficient, and cost-effective execution of the RMF;
  • Demonstrate how the Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes;
  • Integrate privacy risk management concepts and principles into the RMF and support the use of the consolidated security and privacy control catalog in NIST Special Publication 800-53 Revision 5;
  • Promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST Special Publication 800-160 with the steps in the RMF;
  • Integrate supply chain risk management (SCRM) concepts into the RMF to protect against untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
  • Provide an alternative organization-generated control selection approach to complement the traditional baseline control selection approach…”

You need the latest tools to match competition.
Platform business models are booming—becoming bigger and more powerful than ever. Just consider that a few tweets from the president caused Amazon’s market capitalization to fall by about $40 billion, or that Russian influencers were able to reach 126 million people through Facebook. At OpenMatters, we spend a lot of time studying network orchestration—business models where companies facilitate relationships and interactions, rather than serving up all the products, services, and pieces of content themselves. Think Facebook, Uber, Pinterest, Alibaba, Airbnb, and the myriad “unicorns” that are being showered in investor dollars. These companies are groundbreaking, leveraging network effects and near-zero scaling cost to trounce competition or define new markets. However, not all platform plays work—the business model alone isn’t sufficient for success. There are lots of things that can make a platform succeed or fail, of course, but an increasingly central aspect of a successful platform strategy is machine learning.
… What happened is pretty clear: people got tired of sorting through hundreds of unqualified applicants for every job opening. The pile of resumes was too large, and the simple algorithms attempting to serve up relevant content were insufficient for the size and varied needs of the user base. Then, better solutions emerged. Companies like LinkedIn and Glassdoor began filling the gap—standing out by better curating professional networks. Craigslist is another great example of an early platform company that failed to innovate and curate, and is quickly losing market share to added-value platforms like OfferUp or even Facebook Marketplace.
… In addition to using machine learning to parse and understand data generated by a network, platform companies are now seeing the importance of AI for detecting and preventing misuse. Fraudulent, criminal, and abusive behaviors are a problem for many networks and companies are realizing that they can no longer wash their hands of the actions of their users. Twitter has had to take steps to curb abuse, Yelp and LinkedIn are working on filtering out fake content, and Facebook is likely at the beginning of a long journey to prevent misuse following the Russian influencing scandal. These platforms are simply too big and too complicated for manual or human-led solutions to uncover and thwart misuse. Machine learning and artificial intelligence are the only way to manage the content at scale and as it evolves.

More than a Roomba, less than a Terminator?
Russia Just Showed Off Its New Robot Tank — And Confirmed It Was On The Ground In Syria
Russia has been on the forefront of building unmanned ground vehicles and last week the Russian Defense Ministry confirmed that their armed drone tank Uran-9 was tested in Syria.
The Uran-9 is powerfully armed with anti-tank missiles, an automatic cannon, and a machine gun. It can also be reconfigured to carry different weapons like surface-to-air missiles. Additionally, the unmanned vehicle is equipped with advanced optics and targeting systems including a laser warning system and thermal imaging.
… Since its Syrian intervention in 2015, the resurgent Russian military has battle tested an arsenal of new weapons including the Su-57 stealth fighter jet, the T-90 battle tank, ship-launched cruise missiles and air defense systems.
… In the case of the Uran-9, it is remotely controlled by an individual from a mobile vehicle that must remain within 1.8 miles. The automatic turret is able to detect and acquire targets, but the ultimate decision to fire rests with the controller.