Saturday, May 26, 2018

Something for my Computer Security students.
Security and Human Behavior (SHB 2018)
I'm at Carnegie Mellon University, at the eleventh Workshop on Security and Human Behavior.
SHB is a small invitational gathering of people studying various aspects of the human side of security, organized each year by Alessandro Acquisti, Ross Anderson, and myself. The 50 or so people in the room include psychologists, economists, computer security researchers, sociologists, political scientists, neuroscientists, designers, lawyers, philosophers, anthropologists, business school professors, and a smattering of others. It's not just an interdisciplinary event; most of the people here are individually interdisciplinary.
The goal is to maximize discussion and interaction. We do that by putting everyone on panels, and limiting talks to 7-10 minutes. The rest of the time is left to open discussion. Four hour-and-a-half panels per day over two days equals eight panels; six people per panel means that 48 people get to speak. We also have lunches, dinners, and receptions – all designed so people from different disciplines talk to each other.
I invariably find this to be the most intellectually stimulating conference of my year. It influences my thinking in many different, and sometimes surprising, ways.
This year's program is here. This page lists the participants and includes links to some of their work. As he does every year, Ross Anderson is liveblogging the talks. (Ross also maintains a good webpage of psychology and security resources.)
Here are my posts on the first, second, third, fourth, fifth, sixth, seventh, eighth, ninth, and tenth SHB workshops. Follow those links to find summaries, papers, and occasionally audio recordings of the various workshops.
Next year, I'll be hosting the event at Harvard.

Is this a Facebook issue or a Darwinian elimination of candidates who can’t read and follow simple instructions?
Facebook’s new political ad rules could upend June 5th primaries
Facebook introduced new disclosure rules for political advertisements this week designed to block bad actors from meddling in elections. But in the meantime, the rules are blocking legitimate candidates from buying Facebook ads — and at least one congressional candidate in Mississippi says it could tip the election toward his opponent.
The rules that Facebook implemented in the United States this week require anyone wishing to buy a political ad to verify their identity. To do so, Facebook mails a card to their physical location containing an authorization code. Only after the candidate or advocacy group enters that authorization code on Facebook can they purchase political ads.
Facebook began allowing political advertisers to start the verification process on April 23rd. The company promoted the new process with a blog post and messages inside Facebook directed at administrators of political pages. In May, it also sent emails to page administrators advising them of the changes.
But not everyone got the message — and now some are scrambling to come up with a Plan B ahead of June 5th primary elections.
… Yesterday, Rose’s campaign planned to buy 500 different Facebook ads. The first batch were approved shortly before the new rules took effect. But when Rose went to buy the remainder, he received a message from Facebook saying his ads had not been authorized. Rose filled out the required online forms attesting to his identity. At the end, Facebook said it would send Rose an authorization code in the mail. He was told it would arrive in 12 to 15 days — by which point the election would be over.
… Richard Boyanton, who is mounting a primary challenge to Republican Sen. Roger Wicker (R-MS), also found himself stymied by the new rules. … Then yesterday, Facebook informed him he would need to verify his identity before he could buy more ads. He had received a message from the company two or three weeks ago, he said, but he did not realize that he would be prevented from running ads if he did not follow the steps laid out in the message.

Deciding what to block is hard. Maybe.
Leaked Documents Show Facebook’s Post-Charlottesville Reckoning with American Nazis
… In January, 5 months after Charlottesville, Facebook added slides discussing the company’s position on white nationalism, supremacy, and separatism. While it says Facebook does not allow praise, support, or representation of white supremacy, it does allow the same sort of positions for white nationalism and separatism, according to one of the slides obtained by Motherboard.
Explaining its motivation, another section of the document reads that nationalism is an “extreme right movement and ideology, but it doesn't seem to be always associated with racism (at least not explicitly).” Facebook then acknowledges that “In fact, some white nationalists carefully avoid the term supremacy because it has negative connotations.”
… Facebook classifies hate groups, individuals, and high profile figures based on “strong, medium, and weak signals,” according to one of the documents focused on hate speech in America. A strong signal would be if the individual is a founder or prominent member of a hate organization (or, “h8 org”, in Facebook parlance); medium would include the name or symbol of a banned hate group, or using dehumanizing language against certain groups of people. Partnership or some form of alliance with a banned hate organization—including participating in rallies together, of particular relevance to events like Charlottesville—Facebook sees as a weak signal, as well as an individual receiving a guilty verdict for distributing forbidden propaganda material.

Crush Them’: An Oral History of the Lawsuit That Upended Silicon Valley
Twenty years ago, Microsoft tried to eliminate its competition in the race for the future of the internet. The government had other ideas.

Could be amusing in my Statistics class.
Turn CSV Files Into Heat Maps
Heat Map Tool is a tool for easily creating heat maps or incident maps from a CSV file. To create a heat map all you need to do is upload a CSV file then specify your desired display attributes like scale, colors, and opacity. You can edit the display attributes of your map whenever you like. If you're wondering how to create a CSV file you can do so by exporting from a spreadsheet in Google Documents or exporting from an Excel file. Click here for directions on exporting from Excel. The free version of Heat Map Tool allows you to have up to 100 data points on your map and up to 500 hits per day on your map.

Friday, May 25, 2018

A notice from Google this morning (emphasis is mine) as I write my Blog.
European Union laws require you to give European Union visitors information about cookies used and data collected on your blog. In many cases, these laws also require you to obtain consent.
As a courtesy, we have added a notice on your blog to explain Google's use of certain Blogger and Google cookies, including use of Google Analytics and AdSense cookies, and other data collected by Google.
You are responsible for confirming this notice actually works for your blog, and that it displays. If you employ other cookies, for example by adding third party features, this notice may not work for you. If you include functionality from other providers there may be extra information collected from your users.
Learn more about this notice and your responsibilities.

New regulation, new basis for lawsuits. How many additional lawyers/firms were added just for this?
Activists Are Already Targeting Google and Facebook Over Europe's New Data Privacy Law That Went Live Today
Europe’s sweeping new data privacy regime came into effect this morning, and privacy activists are not wasting time in flexing their muscles. One organization has already made official data protection complaints about Google, Facebook, WhatsApp and Instagram, while another is going after the shadowy data brokers that trade people’s information behind the scenes.
The complaints about Google, Facebook and Facebook’s subsidiaries come from a group called None Of Your Business (NOYB)—a non-profit founded by the very successful serial Facebook litigant Max Schrems. Schrems, the Austrian lawyer who annihilated the U.S.-EU Safe Harbor data-sharing agreement a few years ago, formed the crowdfunded NOYB in order to take on big tech firms that break the EU’s new General Data Protection Regulation (GDPR.)

What starts as digital may not remain digital.
UK Warns That Aggressive Cyberattack Could Trigger Kinetic Response
UK Says it Doesn't Need to Demonstrate Attribution Before Engaging Cyber Retaliation
The scene was set last week when Air Marshall Phil Collins (Chief of Defence Intelligence, UK Ministry of Defence) spoke at the Royal United Services Institute (RUSI). In his speech Collins talked about the growing use of non-kinetic (primarily cyber) warfare.
"We can see numerous examples of this today," he said: "unprecedented industrial espionage activity against the UK and Allies; private security contractors being used in high-end expeditionary warfare in Syria; cyber-attacks against national infrastructure and reputation across Europe; information operations that attempt to pervert political process and frustrate the rule of law; and attempted assassinations."
He warned that the nature of modern warfare is becoming broader, more strategic, and features "continuous full spectrum competition and confrontation."
The implication is that the UK requires the ability (and he makes it clear that he believes the UK has that ability) to both respond to cyber-attacks and if necessary launch preemptive cyber-attacks effectively in self-defense.

This will be interesting. (In a kind of “Did too!” “Did not!” way.)
Facebook releases its U.S. political ad archive
Facebook’s new archive for U.S. political ads — created to give users more information about who is advertising on Facebook and who they are trying to target — went live today. The archive was first announced in October.
The archive is available to view at The archive contains both ads promoting candidates for political office as well as those that Facebook has deemed to be “issue ads” — ads that touch on a list of 20 hot-button topics that Facebook released earlier this month. These ads will also be labeled in users’ news feeds starting today, with a “paid for by” tag. Political and issue ads on Instagram will also be labeled.

For my Software Architecture class to design a fix and my Computer Security class to fix this design.
Amazon might have a serious Alexa problem on its hands
News broke out earlier this week that Amazon’s Alexa assistant recorded a private conversation between two people and then sent that recording to a third party. Alexa, of course, is supposed to listen to everything you say but only act when you utter the designated hotwords that invoke the assistant.
… Amazon explained to Recode what caused this privacy infringing incident. Here’s what happened — we’ve broken down Amazon’s statement into all the steps Alexa went through to dispatch the message:
Echo woke up due to a word in background conversation sounding like “Alexa.”
Then, the subsequent conversation was heard as a “send message” request.
At which point, Alexa said out loud “To whom?” At which point, the background conversation was interpreted as a name in the customer’s contact list.
Alexa then asked out loud, “[contact name], right?” Alexa then interpreted background conversation as “right.”
As unlikely as this string of events is, we are evaluating options to make this case even less likely.”
All this sounds extremely unlikely but it also kind of explains what happened perfectly. To recap, the woman was talking to her husband and a partial recording of their chat was then sent to one of his employees who lives in a different state.
It’s always possible that one of the two people in the chat said a word that sounded like Alexa, triggering a sequence of events as described above. They may have also mentioned a name that sounded just like the name of the man’s employee and used words that may have been interpreted as confirmation to send a message.
But, no matter how you look at it, this is a serious issue. Apparently, Alexa can misinterpret its own hotword, which is definitely not something you want from the assistant.

(Related) Using this system to confirm the validity of stolen information?
Here’s something we don’t see everyday, and it involves Kentucky-based health insurer Humana. Humana’s technology team became suspicious after there were a number of calls to an 800 number of Humana’s that involved their Interactive Voice Response system where the caller was able to authenticate as a member by providing date of birth, zip code, and Humana ID number or Social Security Number, but then never went further with the system to request anything. So were the calls simply to verify the accuracy of member information in preparation for some other attack or misuse? It wasn’t clear, but Humana wisely took action.
Humana blocked the phone numbers associated with the suspicious calls, notified members, and offered them protective services through Equifax’s Credit Watch Gold service. And of course, they continue to monitor for any other suspicious behavior.

Designing in Security checks is good. Ignoring Security checks is all too common.
Another Deutsche Bank Error Revealed: $30 Billion 2014 Gaffe
A 28 billion-euro ($35 billion) payments error at Deutsche Bank AG in March wasn’t the first such blunder to befall the lender.
In March 2014, the German bank mistakenly sent 21 billion euros to Macquarie Group Ltd. as collateral for an over-the-counter derivatives trade, according to a person familiar with the matter who declined to be identified. That incident led directly to the introduction of fail-safes, though these didn’t catch the latest gaffe, the person said.
… While the New York Fed warned the firm in late 2013 about persistent deficiencies in its processes, lapses have continued, demonstrating the challenge facing new Chief Executive Officer Christian Sewing as he seeks to return the bank to growth and placate U.S. regulators.
… The 2018 error was caused by the input of euros instead of yen, Sewing told shareholders in Frankfurt on Thursday…
… The 2014 over-payment was a result of human error while using a collateral management system, the person familiar said. A control system that requires at least two pairs of eyes to look at transactions of a certain size also failed, they said.
Following the error, Deutsche Bank designed an enhanced “bear trap” system, whereby all payments over a certain size were subjected to increased scrutiny, according to the person. Yet that failed to prevent the more recent gaffe in March of this year.
… The German bank also ran into payment difficulty in June 2015 when a junior member of its Frankfurt-based foreign-exchange sales team mistakenly sent $6 billion to a U.S. hedge fund client.

I hope my game creating students remember their poor old professor when they become rich.
Fortnite made nearly $300 million in the month of April
Epic Games’ Fortnite generated $296 million in the month of April across mobile, console, and PC platforms, according to digital game sales tracker SuperData Research. That amount is more than double what the game generated in the month of February, when it earned $126 million and surpassed Playerunknown’s Battlegrounds in monthly sales for the first time.
The big difference between the games, and what really makes Fortnite shine, is Epic’s free-to-play model, which gets the title into as many players’ hands as possible and recoups the money, and then some, by way of in-game purchases. Epic sells players cosmetic items that do not affect gameplay, including goofy and topical character costumes and in-game dance moves purely for vanity purposes. It also sells a season subscription called the Battle Pass for around $10. Still, the company sells these items at such an alarming quantity that Fortnite made more money in April than Avengers: Infinity War did on its opening weekend later that same month.

Ignore the source, try it for the benefits.
Pornhub launches its own VPN
Pornhub is launching its own VPN service today with free and unlimited bandwidth. The VPN is supposed to help users avoid ISP throttling and geographic limitations. It’s also designed to let users transmit data anonymously without saving or collecting any of that data.
… The VPN service is available on Mac, Windows, Android, and iOS

Thursday, May 24, 2018

Better encryption, but will anyone implement it?
Fitting Forward Secrecy into Today's Security Architecture
Forward Secrecy’s day has come – for most. The cryptographic technique (sometimes called Perfect Forward Secrecy or PFS), adds an additional layer of confidentiality to an encrypted session, ensuring that only the two endpoints can decrypt the traffic. With forward secrecy, even if a third party were to record an encrypted session, and later gain access to the server private key, they could not use that key to decrypt a session protected by forward secrecy. Neat, huh?
Forward secrecy thwarts large-scale passive surveillance (such as might be conducted by a snooping nation state or other well-resourced threat actor) so it is seen a tool that helps preserve freedom of speech, privacy, and other rights-of-the-citizenry.
It is supported and preferred by every major browser, most mobile browsers and applications, and nearly 90% of TLS hosts on the Internet, according to a recent TLS Telemetry report (PDF). The crypto community applauds forward secrecy’s broad acceptance today.
Of course there’s a snag, for some.

Something for my students to debate.
Facebook and Free Speech
In the weeks since Mark Zuckerberg’s testimony to Congress, Facebook has made two important policy announcements. The company released a document explaining what posts and accounts it removes on the basis of its internal rules, known as “community standards,” and it engaged outside consultants to review the social media platform’s impact on various communities. The company also released its first transparency report on the enforcement of its community standards.
These are all welcome developments, but they lay bare a fundamental question raised by Zuckerberg himself: What obligations does the public want companies to fulfill when deciding which speech deserves a place on the Internet and social media? The Supreme Court recently called the internet and social media platforms “the most important places…for the exchange of views,” so the question is not simply an academic exercise.

Is Facebook the only one doing this?
Facebook users worldwide are being asked to review their privacy settings as GDPR looms
Facebook users will soon see a notice on their accounts asking them to review their privacy settings, as the company prepares for the rollout of new data protection rules in Europe.
The alert, which starts appearing this week, asks users across the globe to reassess their preferences for the types of personal data Facebook can use for ad targeting and whether they'll submit to facial recognition. They'll be given the chance to review the information they share on their profiles, including political and religious affiliations and relationship status.
Consumers will see how Facebook uses their activity to send targeted ads and what the company does with its facial recognition tools. Facebook will show them which features they currently have turned on, allowing them to opt out if they choose.
Though Facebook is facing a barrage of criticism in the U.S. over data protection, following the Cambridge Analytica scandal in March, this week's notice is in response to the General Data Protection Regulation in Europe. The alert has already appeared for European users, but this time it is getting a worldwide rollout.

Lots of Facebook action today.
Exclusive: Facebook Opens Up About False News
… Facebook is today making three important announcements on false news, to which WIRED got an early and exclusive look.
… The first new announcement is a request for proposals from academics eager to study false news on the platform. Researchers who are accepted will get data and money; the public will get, ideally, elusive answers to how much false news actually exists and how much it matters. The second announcement is the launch of a public education campaign that will utilize the top of Facebook’s homepage, perhaps the most valuable real estate on the internet. Users will be taught what false news is and how they can stop its spread. Facebook knows it is at war, and it wants to teach the populace how to join its side of the fight. The third announcement—and the one the company seems most excited about—is the release of a nearly 12-minute video called “Facing Facts,” a title that suggests both the topic and the repentant tone.

Sufficient to deter Russian interference in elections?
United Kingdom Att’y General’s Speech on International Law and Cyber: Key Highlights
On Wednesday, the United Kingdom’s Attorney General, Jeremy Wright, QC MP, gave a speech at Chatham House on the role of international law in cyberspace. It is the first official statement of the UK’s overarching view on the topic, including on some specific issues that are at the center of international policy and debate (the speech can be found here.) Here are eight key points:
First, it is important for states to publicly articulate their understanding of international law, especially in cyberspace. Wright acknowledged that rapidly changing technology and developing norms made clear rules difficult, but he warned against allowing cyberspace to become a “grey area.”

Helping US voters find the Not-Fake News.
Twitter adds candidate labels ahead of midterm elections
Twitter will start adding labels to the profiles of candidates running in the 2018 midterm elections after May 30th.
The label, which will apply to all candidates running for state governor, U.S. Senate or U.S. House of Representatives, will contain the office the candidate is running for, the state the office is located in, their district number (when applicable), and other identifying information.
  • The label will be marked with a small icon of a government building, and will appear on the Twitter page of the candidate as well as alongside all tweets sent or retweeted by the account.

We keep getting smaller. Is subcutaneous next?
I’m not into watches or wristbands, but for the last few weeks I’ve been wearing a fitness tracker on my finger. It knows how long I sleep and detects when I walk or run, and all I’ve gotta do is wear it like jewelry and forget about it.
The device is the Motiv Ring. Its features and its iOS app are minimalist compared to what a Fitbit or an Apple Watch can do, which is part of why I like it.
… The ring doesn’t have a screen, just a tiny light that changes color when it charges or when it’s syncing with your phone. (You can force it to sync by spinning the ring around your finger, or ask it to ring your phone by spinning one way and then the other.) The ring doesn’t need to sync constantly, so you don’t need to worry if your phone dies or if you’d rather go to the gym without your phone. It can hang onto a few days’ data if needed.

Tracks with my student opinions.
AAA: American Trust in Autonomous Vehicles Slips
Following high-profile incidents involving autonomous vehicle technologies, a new report from AAA’s multi-year tracking study indicates that consumer trust in these vehicles has quickly eroded. Today, three-quarters (73 percent) of American drivers report they would be too afraid to ride in a fully self-driving vehicle, up significantly from 63 percent in late 2017. Additionally, two-thirds (63 percent) of U.S. adults report they would actually feel less safe sharing the road with a self-driving vehicle while walking or riding a bicycle.

Perspective. Maybe the next Indian billionaire is in my classroom.
Why Walmart’s Flipkart Deal Will Spur Entrepreneurship in India
Walmart’s agreement on June 9 to purchase 77% of Flipkart for $16 billion mints two engineer billionaires in India. Binny Bansal and Sachin Bansal, who co-founded Flipkart and who are not related, each reportedly own about 5% of the Indian online retailer. They will have a net worth about $1 billion when the transaction with Walmart is completed later this year. It will mark a major business success for professionals in India, outside the information technology businesses. The example of the founders, including their initial failures, will inspire more professionals in India to risk starting an enterprise.
Flipkart is India’s largest online retailer with an estimated 40% market share. Amazon, its main and tough competitor, has about a third of the market.

Perspective. Too trusting or setting the President up for further legal action?
Judge rules Trump can't block users on Twitter
A federal district court judge on Wednesday ruled that President Trump can't block people from viewing his Twitter feed over their political views.
Judge Naomi Reice Buchwald, of the U.S. District Court for the Southern District of New York, said President Trump’s Twitter account is a public forum and blocking people who reply to his tweets with differing opinions constitutes viewpoint discrimination, which violates the First Amendment.
… Buchwald, who was appointed by former President Clinton, rejected Trump’s argument that the First Amendment does not apply in this case and that the president’s personal First Amendment interests supersede those of the plaintiffs.
She suggested in her 75-page opinion that Trump could have ignored his opponents’ reply tweets.
… But Buchwald did not order Trump or Scavino to unblock the individual plaintiffs in the case or prohibit them from blocking others from the account based on their views as the plaintiffs’ had asked.
She said a declaratory judgment should be sufficient.
“Because no government official is above the law and because all government officials are presumed to follow the law once the judiciary has said what the law is, we must assume that the President and Scavino will remedy the blocking we have held to be unconstitutional,” Buchwald wrote.

Perhaps this is part of the cost to acquire a new CEO?
Chipotle Mexican Grill to close Denver headquarters, relocate staff to California and Ohio
The company said in a news release the headquarters will move to Newport Beach, Calif. and other functions within the Denver office will move to the company’s existing office in Columbus, Ohio.
… The news comes as a surprise to some in Denver, as the company announced in December it was moving its headquarters to a new office tower downtown that was still under construction.
"We wish @ChipotleTweets all the best. We want their existing employees to know we have services that can help them find new jobs," Gov. John Hickenlooper tweeted Wednesday afternoon. His wife, Robin, has sat on Chipotle's board of directors since December 2016.
It signed a 15-year lease for five floors of a 40-story skyscraper located on 15th Street between Arapahoe and Lawrence streets. The status of the lease is currently unclear, though the building held its grand opening in recent months.
The CEO at the time, Steve Ells, said: “Our roots are here, and this contemporary, collaborative and modern space will position us to look ahead to the next 25 years.”
… Paul Seaborn, an assistant professor of management at the University of Denver, has watched Chipotle's performance closely and co-wrote a case study last year for an international competition that focused on the key challenges facing the company. He said Chipotle's new CEO is cooking up a culture shock with this latest move.
… Seaborn also said he believes there are no real benefits to moving the headquarters to Newport Beach other than the new CEO's own connections to California. As the former CEO of Taco Bell its headquarters are in nearby Irvine, California.
"This seems much more of a personal management decision," said Seaborn. "This particular move is going to create a big question around retention and who are the key employees that they feel are really pushing the company forward and can they get them to move to California."

Stupid is as stupid does. F. Gump
Cake shop hilariously censors Latin phrase on US graduate's cake
Cara Koscinski ordered a graduation cake for her 18-year-old son Jacob, who graduated with an impressive 4.89 grade point average, The Washington Post reports.
Ms Koscinski had ordered the cake online from cake shop Publix.
She wanted it to say: "Congrats Jacob! Summa Cum Laude, Class of 2018." The Latin phrase translates in English to "with the highest distinction".
However Publix's online system auto-corrected the middle Latin word, picking it up as bad language.

I might want to try this.
How to Embed Your Slideshows Into Your Blog

Wednesday, May 23, 2018

“Go ahead and lie. Who will they believe, us or a bunch of techies?”
FBI inflated encrypted device figures, misleading public
Contrary to what the FBI told the public, we now know that instead of 7,775 encrypted smartphones proving stumbling blocks to FBI criminal investigations, there are no more than 2,000.
… Wray called this a "major public safety issue", and used it to push a "responsible encryption" mantra – in other words, encryption backdoors.
The FBI denied ZDNet's request for information on these phones. The bureau said the information was exempt from disclosure, as the records "could reasonably be expected to interfere with enforcement proceedings."
Internally though the FBI knew they miscounted the devices as of a month ago. The bureau still doesn't have an accurate count of how many encrypted phones it has from last year.

I guess we don’t want to “fall behind” China.
Amazon is selling police departments a real-time facial recognition system
The Verge: “Documents obtained by the ACLU of Northern California have shed new light on Rekognition, Amazon’s little-known facial recognition project. Rekognition is currently used by police in Orlando and Oregon’s Washington County, often using nondisclosure agreements to avoid public disclosure. The result is a powerful real-time facial recognition system that can tap into police body cameras and municipal surveillance systems. According to further reporting by The Washington Post, the Washington County Sheriff pays between $6 and $12 a month for access to Rekognition, which allows the department to scan mug shot photos against real-time footage. The most significant concerns are raised by the Orlando project, which is capable of running real-time facial recognition on a network of cameras throughout the city. The project was described by Rekognition project director Ranju Das at a recent AWS conference in Seoul…”

There are probably many, many “special circumstances.” No doubt some future AI will deal with them.
Google Under Fire For Revealing Rape Victims' Names
The company's been accused of displaying the names of rape victims through its Autocomplete and Related Search functions – even when the victims have been granted anonymity by the courts.
The problem is that both features use data gathered from previous searches to predict what information the user is looking for and make suggestions. If enough people know a victim's name and use it as one of their search terms, Google's algorithm will provide a helpful prompt to those that don't.
In the US, there's no legal prohibition on publishing the names of rape victims, although the media tend to avoid doing so. In many countries, however, it's against the law. And the UK's Times newspaper has uncovered several cases in which Autocomplete and Related Search have revealed the names of rape victims and others who have official anonymity.

(Related) Somehow, “send us your private porn so we can block your private porn” does not seems to be entirely satisfactory. Imagine the lawsuits if this database leaks!
Facebook Safety
People shouldn’t be able to share intimate images to hurt others
By Antigone Davis, Global Head of Safety
It’s demeaning and devastating when someone’s intimate images are shared without their permission, and we want to do everything we can to help victims of this abuse. We’re now partnering with safety organizations on a way for people to securely submit photos they fear will be shared without their consent, so we can block them from being uploaded to Facebook, Instagram and Messenger. This pilot program, starting in Australia, Canada, the UK and US, expands on existing tools for people to report this content to us if it’s already been shared.

Tuesday, May 22, 2018

No real chance that customers would win a lawsuit, so why spend money ensuring security?
Comcast website bug leaks Xfinity customer data
… The website, used by customers to set up their home internet and cable service, can be tricked into displaying the home address where the router is located, as well as the Wi-Fi name and password.
… The site returned the Wi-Fi name and password – in plaintext -- used to connect to the network for one of the customers who uses an Xfinity router. The other customer was using his own router – and the site didn't return the Wi-Fi network name or password.

Retaliation is a step to all-out cyberwar.
Inside 'Project Indigo,' the quiet info-sharing program between banks and U.S. Cyber Command
A confidential information-sharing agreement between the Financial Services Information Sharing and Analysis Center (FS-ISAC) and U.S. Cyber Command reveals the blurring line between the country’s public and private sectors as the U.S. government becomes increasingly receptive to launching offensive hacking operations.
… The broad purpose of Project Indigo is to help inform U.S. Cyber Command about nation-state hacking aimed at banks. In practice, this intelligence is independently evaluated and, if appropriate, Cyber Command responds under its own unique authorities.
It’s possible that a bank could tip off the military about a cyberattack against the financial industry, prompting Cyber Command to react and take action. That could include providing unique insight back to FSARC or even taking offensive measures to disrupt the attacker — such as retaliatory hacking — if it’s appropriate and the Pentagon approves it, according to current and former U.S. officials.

Isn’t this what Hillary Clinton said about email servers? Good thing the President doesn’t email…
Too inconvenient’: Trump goes rogue on phone security
President Donald Trump uses a White House cellphone that isn’t equipped with sophisticated security features designed to shield his communications, according to two senior administration officials — a departure from the practice of his predecessors that potentially exposes him to hacking or surveillance.
The president, who relies on cellphones to reach his friends and millions of Twitter followers, has rebuffed staff efforts to strengthen security around his phone use, according to the administration officials.
… While aides have urged the president to swap out the Twitter phone on a monthly basis, Trump has resisted their entreaties, telling them it was “too inconvenient,” the same administration official said.
The president has gone as long as five months without having the phone checked by security experts. It is unclear how often Trump’s call-capable phones, which are essentially used as burner phones, are swapped out.

Told ya so!
Explaining Efail and Why It Isn’t the End of Email Privacy
Last week the PGPocalipse was all over the news… Except that, well, it wasn’t an apocalypse.
A team of researchers published a paper(PDF) where they describe how to decrypt a PGP encrypted email via a targeted attack. The research itself is pretty well documented and, from a security researcher perspective, it’s a good paper to read, especially the cryptography parts.
But we here at Hackaday were skeptical about media claims that Efail had broken PGP. Some media reports went as far as recommending everyone turn off PGP encryption on all email clients, but they weren’t able to back this recommendation up with firm reasoning. In fact, Efail isn’t an immediate threat for the vast majority of people simply because an attacker must already have access to an encrypted email to use the exploit. Advising everyone to disable encryption all together just makes no sense.
Aside from the massive false alarm, Efail is a very interesting exploit to wrap your head around. Join me after the break as I walk through how it works, and what you can do to avoid it.

More that TSA on steroids, this is Big Brothering at its best. Any country could do this, including the US.
China's social credit system has blocked people from taking 11 million flights and 4 million train trips
China's social credit system has blocked people from taking 11.14 million flights and 4.25 million high-speed train trips.
The numbers, from the end of April, were included in a report by China's state-run news outlet Global Times, but it is unclear what offenses those targeted in the travel ban have committed.
The social credit system is actually a collection of blacklists, of which there are more than a dozen at the national level. Each list is based on similar offenses — such as misbehavior on planes and trains, or failing to abide by a court judgment — and determines the punishments people face, from throttling internet speeds to blocking loans.

Keeping up with the players in the intelligence game.
… the Directorate for Signals Intelligence, Japan’s version of the National Security Agency.
The directorate has a history that dates back to the 1950s; its role is to eavesdrop on communications. But its operations remain so highly classified that the Japanese government has disclosed little about its work – even the location of its headquarters. Most Japanese officials, except for a select few of the prime minister’s inner circle, are kept in the dark about the directorate’s activities, which are regulated by a limited legal framework and not subject to any independent oversight.
Now, a new investigation by the Japanese broadcaster NHK — produced in collaboration with The Intercept — reveals, for the first time, details about the inner workings of Japan’s opaque spy community. Based on classified documents and interviews with current and former officials familiar with the agency’s intelligence work, the investigation shines light on a previously undisclosed internet surveillance program and a spy hub in the south of Japan that is used to monitor phone calls and emails passing across communications satellites.

… while digital marketers are aware of the strict new regulatory regime, seemingly few have taken active steps to address how it will impact their day-to-day operations.
GDPR will force marketers to relinquish much of their dependence on behavioral data collection. Most critically, it will directly implicate several business practices that are core to current digital ad targeting. The stipulation that will perhaps cause most angst is the new formulation for collecting an individual’s consent to data gathering and processing; GDPR requires that consent be active (as opposed to passive) and represent a genuine and meaningful choice. Digital marketers know that users of internet-based services like Snapchat, Facebook, and Google technically provide consent by agreeing to these companies’ terms of service when they sign up. But does this constitute an active and genuine choice? Does it indicate that the user is willing to have her personal data harvested across the digital and physical worlds, on- and off-platform, and have that data used to create a behavioral profile for digital marketing purposes? Almost certifiably not.

Most GDPR emails unnecessary and some illegal, say experts
… Many companies, acting based on poor legal advice, a fear of fines of up to €20m (£17.5m) and a lack of good examples to follow, have taken what they see as the safest option for hewing to the General Data Protection Regulation (GDPR): asking customers to renew their consent for marketing communications and data processing.
… “Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR,” Vitale said. “The first question to ask is: which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground. The others are contract, legal obligation, vital interests, public interest and legitimate interests.

How Human-Computer ‘Superminds’ Are Redefining the Future of Work
The ongoing, and sometimes loud, debate about how many and what kinds of jobs smart machines will leave for humans to do in the future is missing a salient point: Just as the automation of human work in the past allowed people and machines to do many things that couldn’t be done before, groups of people and computers working together will be able to do many things in the future that neither can do alone now.

No doubt this is their strategy to entice kids to write rather than Tweet.
U.S. Postal Service announces first-ever scratch and sniff stamp with popsicle scent
… The U.S. Postal Service said Monday that it will issue its first-ever scratch-and-sniff stamps that will aim to evoke the sweet scent of summer. The 10 different stamp designs each feature a watercolor illustration of two different ice pops on a stick.
There will be one scent for all of the stamps and the secret smell will be unveiled when the Postal Service issues the stamps on June 20, according to U.S. Postal Service public relations representative Mark Saunders.

Monday, May 21, 2018

Are there devices that are not being used by the police?
Potential Spy Devices Which Track Cellphones, Intercept Calls Found All Over DC MD VA
NBC News4 I-Team – Washington, DC – “The technology can be as small as a suitcase, placed anywhere at any time, and it’s used to track cell phones and intercept calls. The News4 I-Team found dozens of potential spy devices while driving around Washington, D.C., Maryland and Northern Virginia. “While you might not be a target yourself, you may live next to someone who is. You could still get caught up,” said Aaron Turner, a leading mobile security expert. The device, sometimes referred to by the brand name StingRay, is designed to mimic a cell tower and can trick your phone into connecting to it instead. The News4 I-Team asked Turner to ride around the capital region with special software loaded onto three cell phones, with three different carriers, to detect the devices operating in various locations. “So when you see these red bars, those are very high-suspicion events,” said Turner. If you live in or near the District, your phone has probably been tracked at some point, he said. A recent report by the Department of Homeland Security called the spy devices a real and growing risk. And the I-Team found them in high-profile areas like outside the Trump International Hotel on Pennsylvania Avenue and while driving across the 14th Street bridge into Crystal City. The I-Team got picked up twice while driving along K Street — the corridor popular with lobbyists. “It looks like they don’t consider us to be interesting, so they’ve dropped us,” Turner remarked looking down at one of his phones. Every cellphone has a unique identifying number. The phone catcher technology can harness thousands of them at a time. DHS has warned rogue devices could prevent connected phones from making 911 calls, saying, “If this type of attack occurs during an emergency, it could prevent victims from receiving assistance.” “Absolutely. That’s a worry,” said D.C. Councilwoman Mary Cheh, adding that the spy technology should be a concern for all who live and work in the District. The I-Team’s test phones detected 40 potential locations where the spy devices could be operating, while driving around for just a few hours…”

I had not considered the benefits to this ‘industry.’
WaPo – Technology has made the repo man ruthlessly efficient
Washington Post – “Technology has made the repo man ruthlessly efficient, allowing this familiar angel of financial calamity to capitalize on a dark corner of the United States’ strong economy: the soaring number of people falling behind on their car payments.”
“…Derek Lewis works for Relentless Recovery, the largest repo company in Ohio and its busiest collector of license plate scans. Last year, the company repossessed more than 25,500 vehicles — including tractor trailers and riding lawn mowers. Business has more than doubled since 2014, the company said. Even with the rising deployment of remote engine cutoffs and GPS locators in cars, repo agencies remain dominant. Relentless scanned 28 million license plates last year, a demonstration of its recent, heavy push into technology. It now has more than 40 camera-equipped vehicles, mostly spotter cars. Agents are finding repos they never would have a few years ago. The company’s goal is to capture every plate in Ohio and use that information to reveal patterns… “It’s kind of scary, but it’s amazing,” said Alana Ferrante, chief executive of Relentless… Repo agents are responsible for the majority of the billions of license plate scans produced nationwide. But they don’t control the information. Most of that data is owned by Digital Recognition Network (DRN), a Fort Worth company that is the largest provider of license-plate-recognition systems. And DRN sells the information to insurance companies, private investigators — even other repo agents. DRN is a sister company to Vigilant Solutions, which provides the plate scans to law enforcement, including police and U.S. Immigration and Customs Enforcement. Both companies declined to respond to questions about their operations… For repo companies, one worry is whether they are producing information that others are monetizing…”

I wonder if I could integrate Fakey into my Computer Security class. (Probably, yes.)
3 new tools to study and counter online disinformation
Indiana University Bloomington: “Researchers at CNetS, IUNI, and the Indiana University Observatory on Social Media have launched upgrades to two tools playing a major role in countering the spread of misinformation online: Hoaxy and Botometer. A third tool Fakey — an educational game designed to make people smarter news consumers — also launches with the upgrades. Hoaxy is a search engine that shows users how stories from low-credibility sources spread on Twitter. Botometer is an app that assigns a score to Twitter users based on the likelihood that the account is automated. The two tools are not integrated so that one can now easily detect when information is spreading virally, and who is responsible for its spread. Hoaxy and Botometer currently process hundreds of thousands of daily online queries. The technology has enabled researchers, including a team at IU, to study how information flows online in the presence of bots. Examples are a study on the cover of the March issue of Science that analyzed the spread of false news on Twitter and an analysis from the Pew Research Center in April that found that nearly two-thirds of the links to popular websites on Twitter are shared by automated accounts. Fakey is a web and mobile news literacy game that mixes news stories with false reports, clickbait headlines, conspiracy theories and “junk science.” Players earn points by “fact-checking” false information and liking or sharing accurate stories. The project, led by IU graduate student Mihai Avram, was created to help people develop responsible social media consumption habits. An Android app is available, and an iOS versions will launch shortly…”

Soon, all chatbot speech will be indistinguishable from human speech.
Microsoft acquires conversational AI startup Semantic Machines to help bots sound more lifelike
Microsoft announced today that it has acquired Semantic Machines, a Berkeley-based startup that wants to solve one of the biggest challenges in conversational AI: making chatbots sound more human and less like, well, bots.

Perspective. What is a good number? How much do we spend to predict/prevent school shootings?
The Unknown Cost of America’s Counterterrorism Efforts
A Stimson Center working group released a study last week on the costs of America’s counterterrorism efforts, and it found about what you’d expect: nearly 17 years after 9/11, we still don’t know exactly how much we have spent, but it’s a ton. Over $2.8 trillion, at least. The staggering numbers grabbed headlines on Wednesday, as they should. With this struggle closing in on the two-decade mark, we need to have a frank accounting of the threats we face and how much spending is enough to keep Americans safe. But beyond the matter of raw dollars spent, the report raises deeper questions about what counts as counterterrorism and whether our funding matches our strategy.
… What at first glance might appear to be a bean counting exercise is anything but. At a deeper level, this is about our strategy and priorities in what we once aptly called the long war. For example, my working group colleague John Mueller sees the terrorist threat as dramatically less severe than I do, but he nonetheless makes strong points, grounded in economic analysis, to argue that we are overspending compared to the threat. In Mueller’s estimation, our counterterrorism efforts would need to have saved at least 250,000 lives to justify the expenditures we have made. These are direct costs only. Mueller goes further in arguing that the indirect economic costs of, for example, longer lines at airports and border crossings and increased security at high profile venues have cost us many billions more dollars.

Perspective. The latest infographic.
How Much Data Do We Create Every Day? The Mind-Blowing Stats Everyone Should Read
The amount of data we produce every day is truly mind boggling. There are 2.5 quintillion bytes of data created each day at our current pace, but that pace is only accelerating with the growth of the Internet of Things (IoT). Over the last two years alone 90 percent of the data in the world was generated.

(Related) and this is just the UK.
Public can now search UK government’s entire digital archive
BusinessCloud: “The British government’s entire online presence comprising billions of web pages has been indexed and digitally archived to the cloud for the first time. Manchester tech firm MirrorWeb has devised an all-new indexing to create an accessible, searchable and user-friendly resource for the public. The National Archives’ gigantic 120TB web archive encompasses billions of web pages – from every government department website and social media account – from 1996 to the present. It took MirrorWeb – named among our 101 Rising Stars of the UK Start-up Scene last year – just two weeks to transfer the data from 72 hard drives at The National Archives to internal hard drives before transferring and digitally archiving more than two decades of government internet history to the cloud. As part of a four-year contract, MirrorWeb was tasked with both moving the data to the cloud using Amazon Web Services as well as indexing it. Indexing the data meant that MirrorWeb had to write a complete replacement for the UK Government Web Archives’ previous search functionality. As a result, 1.4bn documents were indexed and are now accessible and searchable to researchers, students and the members of the public who need to use them, enabling them to view websites and social media content in their original form as well as search for content on specific topics. John Sheridan, digital director of The National Archives, said: “We are preserving 1,000 years of British history and a big part of that is preserving the digital record of government today…”

One must choose nicknames carefully…

Sunday, May 20, 2018

Hackers will read this looking for tips & tricks.
How North Korean hackers became the world’s greatest bank robbers
The Reconnaissance General Bureau, North Korea’s equivalent to the CIA, has trained up the world’s greatest bank-robbing crews. In just the past few years, RGB hackers have struck more than 100 banks and cryptocurrency exchanges around the world, pilfering more than $650 million. That we know of.
… These thieves also have one distinct advantage over other syndicates: They are absolutely confident that they’ll never be charged. So it goes when your own country sponsors your criminal mischief.

Interesting but inconclusive.
Germany Acts to Tame Facebook, Learning From Its Own History of Hate
… Spread over five floors, hundreds of men and women sit in rows of six scanning their computer screens. All have signed nondisclosure agreements. Four trauma specialists are at their disposal seven days a week.
They are the agents of Facebook. And they have the power to decide what is free speech and what is hate speech.
This is a deletion center, one of Facebook’s largest, with more than 1,200 content moderators. They are cleaning up content — from terrorist propaganda to Nazi symbols to child abuse — that violates the law or the company’s community standards.

This could be useful.
My Data Request’ lists guides to get data about you
GDPR is right around the corner, so it’s time to prepare your personal data requests. If you live in the European Union, tech companies have to comply with personal data requests after May 25th. And there’s a handy website that helps you do just that.
My Data Request lists dozens of tech companies and tells you how you can contact them. The website also links to the privacy policy of each service and tells you what to do even if you don’t live in the EU.
Some companies, such as Facebook, LinkedIn, Twitter, Google, Tinder and Snapchat have made that easy as they have created a page on their website to download a zip archive with all your personal data.
… For most companies (including Amazon), you’ll have to email them yourself. My Data Request has created handy email templates. You just have to copy the message, put your name and contact information and send the email. The email addresses are listed on My Data Request’s site too.

Perspective. Will Chatbots need to be customized for each industry/company? Possibly. Will I have to remember dozens of different names to get anything done? (Or will there be an App for that?)
Bank of America debuts its AI-powered assistant, Erica
Bank of America on Friday officially introduced Erica, an AI-powered virtual assistant for its 25 million mobile customers.
Erica, which Bank of America began rolling out to customers in March, can help people conduct banking via voice commands, text or with gestures from within the Bank of America app. She can currently help customers with a variety of tasks:
  • Searching for past transactions, such as checks written or shopping activity
  • Accessing key information, such as routing numbers or the closest ATM
  • Scheduling face-to-face meetings at a Bank of America financial center
  • Viewing bills and scheduling payments
  • Locking and unlocking debit cards
  • Transferring money between accounts or sending money to friends with Zelle