Saturday, June 23, 2018

...and yet the government still claims it is secure.
Aria Thaker reports:
In another exposure of Aadhaar’s cybersecurity weaknesses, over 70 subdomains under a Government of India website are providing access to demographic-authentication services without requiring identity verification from the requester. The websites allow users to access an application programming interface, or API, in which anyone can enter a person’s Aadhaar number, name, gender and date of birth, and be directed to a page that either reads “yes” or displays an error message, indicating whether or not the information corresponds to a valid entry in the Aadhaar database. Providing such unrestricted access to this API raises major concerns of privacy, and may be exploited by hackers seeking to uncover people’s Aadhaar numbers. It also violates the Aadhaar Act, the law governing India’s nationwide digital-identity programme.
Two security researchers—Srinivas Kodali and Karan Saini—independently found the vulnerability and reported it to relevant authorities.
Read more on Caravan Magazine.

And for the time being, the hackers pull ahead.
A hacker figured out how to brute force iPhone passcodes
A security researcher has figured out how to brute force a passcode on any up-to-date iPhone or iPad, bypassing the software's security mechanisms.
Since iOS 8 rolled out in 2014, all iPhones and iPads have come with device encryption. Often protected by a four- or six-digit passcode, a hardware and software combination has made it nearly impossible to break into an iPhone or iPad without cooperation from the device owner.
And if the wrong passcode is entered too many times, the device gets wiped.
But Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, found a way to bypass the 10-time limit and enter as many codes as he wants -- even on iOS 11.3.
"An attacker just needs a turned on, locked phone and a Lightning cable," Hickey told ZDNet.
… He explained that when an iPhone or iPad is plugged in and a would-be-hacker sends keyboard inputs, it triggers an interrupt request, which takes priority over anything else on the device.
"Instead of sending passcodes one at a time and waiting, send them all in one go," he said.
An attacker can send all the passcodes in one go by enumerating each code from 0000 to 9999 in one string with no spaces.

They could probably do this faster if the used computers.
Justin Hemmings of Alston & Bird writes:
The FBI recently published its 2017 Internet Crime Report highlighting trends and statistics compiled by the FBI’s Internet Crime Complaint Center (“IC3”) during 2017. The report compiles data from a total of 301,580 complaints which reported losses of over $1.4 billion. In addition to an explanation of the IC3’s history and operations, the report includes five “hot topics” from 2017: business email compromise (“BEC”), ransomware, tech support fraud, extortion, and the Justice Department’s Elder Justice Initiative.

A glimmer of hope?
Cellphone Tracking: A Win for Privacy Advocates!
Today, in Carpenter v. United States, the Supreme Court ruled, in a 5-4 decision, that police need the warrant to search your phone when digging for cellphone tracking information.
Chief Justice John Roberts noted that a phone is basically “a feature of human anatomy.” We’re finally seeing this come to fruition in the court system.
… For even more details check out:

(Related) On the other hand...
The latest Supreme Court decision is being hailed as a big victory for digital privacy. It’s not.
… Whatever it’s other flaws, the Roberts Court thus seems to understand electronic privacy’s importance.
But there are a couple of things to know before toasting the Court’s high regard for privacy in the digital age. The Roberts Court, building on what the preceding Rehnquist Court did, has created an infrastructure for Fourth Amendment law that makes it exceptionally easy for police to do a search, even when a warrant is required. The law also makes it exceptionally difficult for citizens to obtain close judicial oversight, even when the police have violated the Constitution. As a result of these background rules, even a decision as seemingly important as Carpenter is unlikely to have any dramatic effect on police practices.
It’s not just that our digital privacy is insufficiently protected, in other words. It’s that our Fourth Amendment rights and remedies in general have been eroded.

We’re on break now, so all my students should be reading!
Global Grey (Web): Free eBook Series and Collections
You probably know that classic books are available for free on sites like Project Gutenberg. But Aisha goes the extra mile. She collects some of the best book series in collections that you’ll find easy to download and read. Go to “Series” section on Global Grey and you’ll get an endless reading of free ebooks in collections.

(Related) How I organize my ebooks.
Calibre might not be the most polished app in the world, but it’s definitely the best software for managing your ebook collection.
It ticks all the right boxes: it’s free, there aren’t any ads, and it boasts a vast number of powerful features.
1. Merge and Split EPUB Ebooks
3. Turn Calibre Into a Sharing Server
If several members of your household have a Kindle, or if you own multiple Kindles, continually syncing your data manually quickly becomes tedious.
Instead, why not turn your Calibre app into a content server? By doing so, you can make your entire Calibre library available on all your devices. You can even upload new content to your Calibre library from those devices.
5. Remove DRM From Ebooks
Calibre lets your wrestle back control of your ebooks by offering a way to remove the DRM from titles you’ve bought from Amazon and other online stores.
We covered the process in detail when we explained how to remove the DRM on every ebook you own. So we recommend reading that article for the full scoop.
6. Automatically Download Ebook Metadata
7. Put Your Ebook Library in the Cloud

Friday, June 22, 2018

Speeds things up by recognizing that you boarded a train and charging your account. No ticket needed. Also, no access to the train if the government flags you as unworthy.
Xin Wen reports:
The Beijing subway system plans to introduce bio-recognition technology at stations this year to improve transport efficiency and reduce costs, a senior manager said last week.
Two bio-recognition technologiesfacial recognition and palm touchare being considered, said Zhang Huabing, head of enterprise development for Beijing Subway, the operator of most lines in the city, during the International Metro Transit Exhibition in Beijing on Thursday.
Read more on China Daily.

Thomas J. Prohaska reports a follow-up to a situation I had mentioned on this site previously:
The New York Civil Liberties Union has asked New York State education officials to revoke funding for a project to install facial recognition software in Lockport schools.
The organization contends the Lockport school district’s plan endangers the rights of students and teachers.
In a letter Monday, the NYCLU asked the state Education Department to cancel its approval of the $2.75 million project.
“It is alarming that Lockport’s proposal for use of facial recognition technology was not subject to further scrutiny due to its privacy implications and other civil liberties concerns,” wrote John A. Curr III, NYCLU western region director, and Stefanie D. Coyle, education counsel, to Education Commissioner MaryEllen Elia.
Read more on Buffalo News.
[From the article:
… some 300 new surveillance cameras are to be installed in 10 Lockport City School District buildings, along with software that the vendor, SN Technologies of Canada, says will match the faces seen by the cameras to lists of criminals, sex offenders and other barred people. District officials have mentioned noncustodial parents and suspended or expelled students as others whose facial images could be included in the software.
… Tony Olivo of Orchard Park, the district's security consultant, listed by SN Technologies' website as a business partner, told The Buffalo News in May that the software will detect the presence of a person whose photo is in the database of banned individuals 99.97 percent of the time, [Baloney! Bob] if there are enough digital surveillance cameras to get an accurate image.
Facial recognition software doesn't always work. Studies have shown it works best on faces of white males, and doesn't work well on women, people of color or children.

Is a collection worse than the uncollected details? What if the intent isn’t innocent?
Sarah Taylor reports:
Sam Lavigne, who is reportedly an adjunct professor at New York University as well as a digital designer and developer, released a list of more than 1,500 Immigration and Customs Enforcement employees’ personal information on Wednesday.

What are the details?

In a since-removed blog post on Medium, “Lavigne wrote, ‘I’ve downloaded and made available the profiles of (almost) everyone on LinkedIn who works for ICE, 1,595 people in total. While I don’t have a precise idea of what should be done with this data set, I leave it here with the hope that researchers, journalists, and activists will find it useful.’
Read more on The Blaze. Most of the copies were reportedly removed, but this site does not know if copies are still floating around somewhere.
So if this was publicly available info – apparently voluntarily shared by people on LinkedIn, is this stalking or doxxing or anything wrong? What if you suspect that the list was created with the knowledge that some might use it to harass individuals?
Where is the First Amendment line here? Justin Shafer was prosecuted for much less.

“What happens in Vegas, is now available on the Internet”
Joe Cadillic writes:
Hotels like the Wynn Las Vegas and the Marriott are installing Amazon listening devices in every room.
Two years ago, Geek Wire revealed that the Wynn Las Vegas hotel installed Amazon Echo devices in all their rooms:
You may soon be able to ask that question when traveling to the Wynn Las Vegas hotel, which announced today that it will place Amazon’s Echo device — powered by the voice assistant Alexa — in all 4,748 hotel rooms. Wynn Resorts called it an “industry first.”
According to Amazon, hotel customers love being spied on.
Read more on MassPrivateI.

And so the pendulum swings yet again.
Exigent Circumstances: iOS 12’s USB Restricted Mode and Warrantless iPhone Access
Apple recently confirmed the introduction of a new feature called “USB Restricted Mode” in the latest version of the iPhone’s mobile operating system, iOS 12. If enabled in the user’s settings, USB Restricted Mode will disable data transfer from the iPhone over the Lightning cable once the phone has been locked for an hour unless the phone’s password is entered.
… law enforcement agents may try to use USB Restricted Mode’s narrow one-hour time window as justification for warrantless searches of iPhones they seize. The Fourth Amendment generally requires a warrant in order for a police search of someone’s property to be considered reasonable. But that requirement is rife with exceptions. One exception is the “exigent circumstances” doctrine. “‘[E]xigent circumstances,’ including the need to prevent the destruction of evidence, permit police officers to conduct an otherwise permissible search without first obtaining a warrant.” Kentucky v. King, 131 S. Ct. 1849, 1853-54 (2011).

I don’t suppose that “politics/politician free” is an option?
Facebook’s Screening for Political Ads Nabs News Sites Instead of Politicians
“..Facebook’s new screening policies to deter manipulation of political ads are creating their own problems. The company’s human reviewers and software algorithms are catching paid posts from legitimate news organizations that mention issues or candidates, while overlooking straightforwardly political posts from candidates and advocacy groups. Participants in ProPublica’s Facebook Political Ad Collector project have submitted 40 ads that should have carried disclaimers under the social network’s policy, but didn’t. Facebook may have underestimated the difficulty of distinguishing between political messages and political news coverage — and the consternation that failing to do so would stir among news organizations…”

(Related) It makes me wonder if they had some “online abuse, harassment, spam, and security” they wanted to hide.
Twitter ‘smytes’ customers
Twitter today announced it was acquiring the “trust and safety as a service” startup Smyte to help it better address issues related to online abuse, harassment, spam, and security on its platform. But it also decided to immediately shut down access to Smyte’s API without warning, leaving Smyte’s existing customers no time to transition to a new service provider.
The change left Smyte’s current customer base stranded, with production issues related to the safety of their own platforms.
… Customers got a phone call, and then – boom – the service was gone. Clients had multi-year contracts in some cases.

I starting to see some interesting/thoughtful coverage of these “rent by the ride” vehicles. Start with this nice overview.
Make Way for Little Vehicles
The public reaction to the arrival of dockless bikes and electric scooters in U.S. cities can be tracked in stages. The first stage, for many, was annoyance. Who were these grown men and women on candy-colored bikes and teeny kick-scooters speeding down the streets and sidewalks, menacing walkers and leaving their rented toys all over the place? Especially in San Francisco, where this whimsical new mobility mode has taken off, scooters have come to represent yet another example of tech industry entitlement, another way for a startup to move fast and break stuff.
… The second stage is epiphany, when the reluctant first-time user—out of curiosity or journalistic responsibility—actually tries a dockless bike or e-scooter and realizes that they are not only a visual counterpoint to the bulk and terror of cars, but a delightful and crazily practical alternative to them.
That leads to stage three, if it comes: mass adoption.
Call them Little Vehicles—not just bikes and scooters, but e-bikes, velomobiles, motorized skateboards, unicycles, “hoverboards,” and other small, battery-powered low-speed not-a-cars. Nearly all of them look silly, but if cities take them seriously, they could be a really, really big deal. Little Vehicles could significantly erode private car and ride-hail use, and play a key role in helping cities achieve their as of now unattainable environmental and road safety goals.
Getting to mass adoption will require Little Vehicles for all seasons, for all sorts of trips, and for all types of people.

Electric scooter-sharing moves into the fast lane
How fast is the electric scooter-sharing craze growing?
Fast enough to be declared a nuisance and kicked off the streets of San Francisco and a handful of others cities to allow local officials to mull regulations. And fast enough to draw big investments to allow nimble startups to reach billion-dollar valuations.
In the United States capital Washington, the electric two-wheelers have become a fixture on city bike paths, zipping along at speeds up to 25km per hour, sometimes veering onto sidewalks despite warnings to the contrary.
… Most systems charge US$1 to unlock the scooter and 15 cents per minute, so a 10-minute trip would cost US$2.50.

A recent student project was to design an App to replace physical ATMs. The App probably wouldn’t have this vulnerability.
Rats break into Indian ATM and chew up cash worth £13,300
Rats have nibbled through more than 1m rupees of banknotes after entering a cash machine in north-east India, police said.
The costly invasion in Assam state was only detected by bank officials after complained that the machine was faulty and had stopped dispensing cash, police in Tinsukia district said.

Disrupting education?
Job Training in the Digital Age: Learning to Do, Not Think
… We started as an education company and thought of what we were doing as a disruptive force against graduate education. The idea was that if you could decrease the time [for education] and enhance the relevancy of the skills you were teaching, you could dramatically increase the return on investment and get individuals to invest in their futures, as opposed to hoping that the government would subsidize loans. It allowed us to exist outside of the accrediting bodies and that whole incumbent system that was a lot like a taxi limousine commission.

Some free online short stories.
Summer Reading in JSTOR

For my niece, the guitar goddess.
GarageBand lessons are now free for aspiring musicians
GarageBand has long been a useful tool to record music, podcasts and more. Even better, the app is free to download and use on your Mac or iOS devices, making it easy to try. Recent updates have brought enhancements like a portal for free sound packs and a better drum sequencer (on mobile), along with Touch Bar support and realistic-sounding drummers on the desktop. Now, Apple is upgrading its music creation suite yet again, offering it's previously $5 artist piano and guitar lessons for free, along with more additions to its drummers, loops and sound effects.

Thursday, June 21, 2018

The next big hacker target? “Drive the car of your dreams!”
Car Consortium That Includes Apple Announces Digital Car Key Specification for Smartphones
The Car Connectivity Consortium (CCC), an organization that includes Apple, today announced the publication of a new Digital Key Release 1.0 specification, which is a standardized solution designed to let drivers download a digital vehicle key onto their smartphones.
… The new Digital Key specification, which uses NFC, was developed to create a "robust ecosystem" around interoperable digital key use cases. It will let drivers lock, unlock, start the engine, and share access to their cars using smart devices like the iPhone with reliable user authentication methods.

My solution? Make the exam much harder.
Algeria Shut Down the Internet to Prevent Students from Cheating on Exams
Algeria shut the Internet down nationwide to prevent high-school students from cheating on their exams.
The solution in New South Wales, Australia was to ban smartphones.

Not sure I follow this…
The National Security Archive launches New CyberWar Map
“The National Security Archive’s Cyber Vault Project is announcing the launch of the CyberWar Map. This resource is both a visualization of state-sponsored cyberattacks and an index of Cyber Vault documents related to each topic (represented as nodes on the map). Clicking on each node will reveal hyperlinks and document descriptions. In some cases where key analysis was done under copyright, the link will direct readers to sources external to the National Security Archive. In a few other cases nodes do not yet have documents to display. The CyberWar Map is a living research aid: documents and nodes will be added on a regular basis. This is a particularly useful way of presenting information related to cyber actors, tools and incidents. The complexity of the field makes it increasingly challenging to conceptualize a “bird’s eye view” of the cyber-battlefield; therefore, the topic lends itself especially well to a dynamic graphic representation.”

A useful link for my Computer Security class.
Brief Overview of GDPR
Impact on E-Workplace and BYOD: GDPR’s strict adherence to EU citizens privacy protections impact US businesses directly and requires extremely strict policies, which is sure to impact BYOD policies. For instance, GDPR compliance may make certain employees have explicit permission to process, control and contain data within particular time frames. Not only this, but in order to adhere to GDPR, companies may need to be strict enough to include emergency erasing capabilities, GPS tracking, and thorough logging of all communication.

The Law gig?
Launching Soon: ‘Text A Lawyer’ Aims To Be The Uber Of Legal Help
Slated to launch next month is a service that allows consumers to get answers to their legal questions by text for a flat price of $20.
The service, called Text A Lawyer, is modeled after ride-sharing service Uber in that it uses two separate mobile apps, one for consumers to submit legal questions and another for lawyers who are in a waiting pool ready to give answers.
The goal, says founder Kevin Gillespie, is to make it simple for low- and moderate-income consumers to get answers to legal questions. Text-messaging is a medium many are comfortable with, he says, and it has the added advantage of providing both the consumer and lawyer with a transcript of the Q&A.
… Consumers will pay $20 to submit a legal question. After consumers open the app, it prompts them to select the state in which they reside and the kind of lawyer they are looking for (family, criminal, immigration, etc.). It then asks them to describe their question in a few sentences. A final screen is a conflicts check, asking the names of any alleged victims, adverse parties and witnesses, and the consumer’s relationship to any of these people.

Joint Chiefs of Staff – Permanent global cyberspace superiority is not possible
Steven Aftergood – Secrecy News Blog: “Military planners should not anticipate that the United States will ever dominate cyberspace, the Joint Chiefs of Staff said in a new doctrinal publication. The kind of supremacy that might be achievable in other domains is not a realistic option in cyber operations. “Permanent global cyberspace superiority is not possible due to the complexity of cyberspace,” the DoD publication said. In fact, “Even local superiority may be impractical due to the way IT [information technology] is implemented; the fact US and other national governments do not directly control large, privately owned portions of cyberspace; the broad array of state and non-state actors; the low cost of entry; and the rapid and unpredictable proliferation of technology.” Nevertheless, the military has to make do under all circumstances. “Commanders should be prepared to conduct operations under degraded conditions in cyberspace.” This sober assessment appeared in a new edition of Joint Publication 3-12, Cyberspace Operations, dated June 8, 2018. (The 100-page document updates and replaces a 70-page version from 2013.)…”

Perspective. Why I have my students working with Apps and IoT.
HPE: $4 Billion Says Intelligent Edge is the Future of Computing
Hewlett Packard Enterprise on Tuesday unveiled a new strategy it’s planning to spend $4 billion to pursue over the next four years.
The company will invest that much in technology and services to enable the intelligent edge, a catch-all phrase used to describe the myriad of things like smart sensors and cameras or devices that aggregate and process data they produce upstream in the network, such as routers, gateways, or servers. What makes them “edge” devices is their location at the source of the data rather than in a big data center somewhere far away. What makes them “intelligent” is the computing capacity and software to analyze the data in near-real-time, as it’s being generated, and make decisions based on insights gleaned from that analysis.

Perspective. A new industry and already arrogant.
Bird scooters refuses to suspend operations after city's request
Bird electric scooters will not suspend its operations in Indianapolis as requested by the city in a letter sent Tuesday evening.
"We look forward to continuing to serve our new Indy riders as we work with city leaders to create a regulatory framework that works best for the people of Indianapolis and helps them meet their goals," Bird spokesman Kenneth Baer said in a statement sent to the IndyStar.
… The city's letter requesting the suspension cited "a number of public safety, legal, and regulatory concerns."
It also referenced an ordinance currently pending approval of the City-County Council's Public Works Committee that would make unlawful "a dockless bicycle share or hire program on a street, roadway, or other city-owned property or rights-of-way."
… Bird scooters continued operations in Nashville after the city sent a cease and desist letter two days after the service launched. The company suspended operations after the city impounded more than 400 scooters.

Perspective. Does the government ever look at the cost?
Housing A Separated Migrant Child Costs The US More Than An Admiral’s BAH
To take a migrant child from her parents at a U.S. point of entry, place her in a just-erected government tent city, and keep her separated from family costs the federal government a whopping $775 per child per night, according to the Department of Health and Human Services — more than twice what it would cost to house the children in detention with their families, and nearly six times more than a brigadier general’s or rear admiral’s housing allowance for New York City.

Fake News? How does this get past management?
Burger King pulls Russia World Cup ad promoting sex with players
Burger King has apologized for an online ad offering burgers to Russian women who get impregnated by soccer players during the World Cup the country is hosting until July 15. The promotion on the global fast food chain's account on VK – a local rival of Facebook – suggested Russia could benefit from some good "football genes."
"As part of its social responsibility (campaign), Burger King is offering a reward to women who get impregnated by football stars," said Burger King.
"Every woman will get three million rubles (around $45,000) and a lifetime's supply of Whopper burgers. Women who manage to get the best football genes will ensure Russia's success in future generations."
… "We apologise for our statement. It turned out to be too offensive," Burger King said.
The ad appeared to be ineptly trying to poke fun at an infamatory statement by a lawmakers who urged women not to have sex with foreign fans.

Wednesday, June 20, 2018

Send in the Space Patrol! Perhaps we could insist that China pay for a (fire)Wall?
China-based campaign breached satellite, defense companies: Symantec
A sophisticated hacking campaign launched from computers in China burrowed deeply into satellite operators, defense contractors and telecommunications companies in the United States and southeast Asia, security researchers at Symantec Corp said on Tuesday.
Symantec said the effort appeared to be driven by national espionage goals, such as the interception of military and civilian communications.
Such interception capabilities are rare but not unheard of, and the researchers could not say what communications, if any, were taken. More disturbingly in this case, the hackers infected computers that controlled the satellites, so that they could have changed the positions of the orbiting devices and disrupted data traffic, Symantec said.

Could this happen to anyone? (Hint: Yes!)
When you think of consequences of employees clicking on phishing emails, did you ever think about how an entire state government might wind up having their email domain blacklisted? It happened to Oregon because was used to send out spam after an employee clicked on a phishing email. Hillary Borrud reports:
Oregon’s state technology workers are scrambling to fix a problem that is preventing thousands of government employees from corresponding with members of the public via email.
Several private email providers have blacklisted the state email domain after a state employee apparently clicked on a phishing email earlier this month that allowed a hacker to access the state’s computer system.
“The malicious link hijacked the state-owned PC and generated over eight million spam emails from an email address,” state officials wrote in an email explaining the situation to employees on Friday.
Now, private citizens with certain email providers can’t receive emails from state employees.
Read more on OregonLive.

Perspective. Why so much employee activism? Is this the new “Trump Reality?”
Microsoft CEO Satya Nadella downplayed his company’s work with U.S. Immigration and Customs Enforcement in a company-wide email sent this evening, saying that Microsoft’s contract with ICE deals only with email, calendar, and messaging—not with separating children from their parents.
Nadella’s email came after more than 100 employees sent him an open letter demanding that Microsoft cancel its $19.4 million contract with ICE. In a January blog post, Microsoft asserted that it was proud to work with ICE and that it was providing ICE with deep learning technology to aid with facial recognition.
But Microsoft executives are now claiming that its ICE contract does not include facial recognition technology.
… However, Nadella stopped short of vowing to cancel the ICE contract, as employees had requested in their letter—nor did he explain why the company’s January blog post claimed Microsoft offered facial recognition services to ICE.

Amazon Faces Backlash Over 'Rekognition' Software's Use By Law Enforcement

11 States Pull National Guard Off Border Missions To Protest Child Separations
Eleven US states have cancelled agreements to send members of the National Guard to the US-Mexico border as part of a growing backlash over the Trump administration’s policy of separating migrant families trying to enter the US.
Initially three states — New York, Massachusetts, and Colorado — pulled their forces from current or planned deployments at the border, but they were soon joined by many more.
… In an executive order on Monday, John Hickenlooper, Democratic governor for Colorado, barred state resources from being used to separate immigrant families.

How much variation is acceptable? Should we rely on AI to set bail?
You’ve Been Arrested. Will You Get Bail? Can You Pay It? It May All Depend On Your Judge.
… not all judges in New York City treat bail the same way. A FiveThirtyEight analysis of 105,581 cases handled by The Legal Aid Society, the largest public defender organization in New York, found that how much bail you owe — and whether you owe it at all — can depend on who hears your case the day you’re arraigned.
New York’s judges are assigned to arraignment shifts, hearing every case that comes into the court during that time. Because the assignments are random — judges hear cases solely based on when people are arrested and how busy the court is — we can identify whether defendants are being treated equally regardless of who hears their case. They are not.

Some Python tools…
OpenEDGAR: Open Source Software for SEC EDGAR Analysis
Computational Legal Studies: “Our next paper — OpenEDGAR – Open Source Software for SEC Edgar Analysis is now available. This paper explores a range of #OpenSource tools we have developed to explore the EDGAR system operated by the US Securities and Exchange Commission (SEC). While a range of more sophisticated extraction and clause classification protocols can be developed leveraging LexNLP and other open and closed source tools, we provide some very simple code examples as an illustrative starting point.
Click here for Paper: < SSRN > < arXiv >
Access Codebase Here: < Github >
Abstract: OpenEDGAR is an open source Python framework designed to rapidly construct research databases based on the Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system operated by the US Securities and Exchange Commission (SEC). OpenEDGAR is built on the Django application framework, supports distributed compute across one or more servers, and includes functionality to (i) retrieve and parse index and filing data from EDGAR, (ii) build tables for key metadata like form type and filer, (iii) retrieve, parse, and update CIK to ticker and industry mappings, (iv) extract content and metadata from filing documents, and (v) search filing document contents. OpenEDGAR is designed for use in both academic research and industrial applications, and is distributed under MIT License at

Tools for my techies.
GitHub’s free education bundle is now available to all schools
Software development isn’t just about writing code. It’s also about what you do with that code — testing, documenting, and proper source management. These skills are often left by the wayside in the classroom.
GitHub wants to change that, and has announced that it’s expanding GitHub Education, and will begin offering it to all schools.
Previously, GitHub Education was offered to a limited number of selected degree or certificate-granting educational instutitions.
GitHub Education is a bundle of company’s tools and training. It comes with free access to GitHub Enterprise or Business Hosted, as well as teacher training for the platform via GitHub Campus Advisors.
… Of course, GitHub isn’t the only source management company targeting the education market. Earlier this month, rival GitLab announced it was offering its Ultimate and Gold packages to classroom customers.

Tuesday, June 19, 2018

If it sounds too good to be true…
Adidas fans hit by phishing scam
Why users always fall for the lamest phishing scams is beyond comprehension, but hackers take advantage of this weakness and hide their scheming behind the usual fake prizes and too-good-to-be-true giveaways. This time, it was Adidas’ turn to feature in a major phishing scam that targeted users in specific regions.
A fake Adidas campaign promising free shoes instantly became popular through WhatsApp, and it’s not even the first time such a phishing scheme was used this year. To celebrate its 69th anniversary, the sports company was allegedly giving away 2,500 pairs of shoes to users who filled out a four-question survey.
All they had to do was click on a link to claim the prize and share it on WhatsApp with their contacts
… No matter how many times users tried to share the campaign, they had no way to confirm that the share actually went through. It was just part of the scam. The very detail that they couldn’t choose color or size should have been a hint that it wasn’t a legitimate campaign – either that or the misspelled company name in the spoofed link.
Users were promised free sneakers in exchange for $1 to claim them, but all they were left with was a recurring $50-per-month subscription fee. Through the scam, hackers got access to users’ payments and contact details. The subscription users are automatically signed up for the “organizejobs” service, which has been identified as a scam.

Not the best ‘Business Continuity’ example.
'We do not know when this is going to be fixed,' American says of CLT flight problems
American Airlines struggled to recover Monday from a recurring computer problem that left one of its key regional carriers unable to fly to or from Charlotte Douglas International Airport, stranding hundreds of passengers for the second time in a week.
The problem, airline spokeswoman Katie Cody said, traced back to the crew scheduling and tracking system at PSA Airlines, a wholly-owned subsidiary that operates flights under the American Eagle brand. The issue is with hardware at PSA's headquarters in Dayton, Ohio, and it's left the carrier unable to get flight crews and planes matched up. About 350 flights into and out of Charlotte have been canceled since Sunday, Cody said.
… PSA canceled about 70 flights on Sunday, a bit more than 10 percent of the total at Charlotte Douglas. A similar number were planned to be canceled Monday night, Cody said.
For PSA, it was the second time in a week trouble struck. A technical issue with the regional carrier caused more than 120 Charlotte flights to be canceled last week, on Thursday, and the issue continued into Friday morning.
The outage indicates there might not be a backup software system for crew scheduling at PSA, Harteveldt said. The problem also appears to be bigger than American first realized, he said.
“This is apparently a more complex problem than initially thought, and it could take several days, based on my understanding, potentially even a week, to really fix this,” he said.

What different? Only the excuses.
A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. This is the second summary judgment victory in OCR’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations.
MD Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. The ALJ agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of individuals breached.
MD Anderson claimed that it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable. The ALJ rejected each of these arguments and stated that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”
The Notice of Proposed Determination and the ALJ’s opinion may be found on the OCR website at
Previous coverage of the incidents referenced in this case can be found on here.

Will this rise to the level of a significant concern? Will surveillance technology find itself limited to small, closely held companies or even foreign companies?
Amazon shareholders call for halt of facial recognition sales to police
In a letter delivered to CEO Jeff Bezos late Friday, the shareholders, many of whom are advocates of socially responsible investing, say they're concerned about the privacy threat of government surveillance from the tool.
Amazon's technology, called Rekognition and introduced in 2016, detects objects and faces in images and videos. Customers, which include law enforcement in Orlando, Florida and Washington County, Oregon, can upload face databases to automatically identify individuals.
… The shareholders, which include the Social Equity Group and Northwest Coalition for Responsible Investment, are joining groups such as the ACLU in efforts to stop the company from selling the service — pointing out the risks of mass surveillance.
… "We are concerned the technology would be used to unfairly and disproportionately target and surveil people of color, immigrants, and civil society organizations," the shareholders write. "We are concerned sales may be expanded to foreign governments, including authoritarian regimes."
In a blog post earlier this month, Matt Wood, a general manager of artificial intelligence at Amazon Web Services, said Amazon's policy prohibits the use of its service for activities that are illegal, violate the rights of others, or may be harmful.

Plus ça change, plus c'est la même chose. What else could you expect when the “punishment” required a few days of pretending to be sorry and moving to a new office.
Cambridge Analytica staffers are on the job – working on 2020 campaign
Quartz: “Hang on to your data, dear Facebook friends. Cambridge Analytica—the political consultancy that collapsed into bankruptcy in May after a scandal about its nefarious information-collection methods—is apparently metamorphosing. The company that Marc Zuckerberg admitted targeted 87 million Facebook users’ data, and whose work could well have influenced elections in the US and UK, may be currently disgraced. But it also appears to be putting a new face on its same old data-gathering gig. The Associated Press (AP) on June 15 reported that top staffers from the fallen consultancy are back on the job at a newly-formed company with a name that’s eerily reminiscent of the last place they worked—Data Propria. As the name implies, the new company is similarly preoccupied with gathering information, specifically to target voters and consumers. Basically, it’s the same mission that Cambridge Analytica had. Matt Oczkowski—head of product at the predecessor firm—is leading Data Propria, which also employs Cambridge Analytica’s former chief data scientist, David Wilkinson, and others from the scandal-ridden company…”

(Related) What does political awareness have in common with digital savvyness?
Distinguishing Between Factual and Opinion Statements in the News
“The politically aware, digitally savvy and those more trusting of the news media fare better; Republicans and Democrats both influenced by political appeal of statements In today’s fast-paced and complex information environment, news consumers must make rapid-fire judgments about how to internalize news-related statements – statements that often come in snippets and through pathways that provide little context. A new Pew Research Center survey of 5,035 U.S. adults examines a basic step in that process: whether members of the public can recognize news as factual – something that’s capable of being proved or disproved by objective evidence – or as an opinion that reflects the beliefs and values of whoever expressed it. The findings from the survey, conducted between Feb. 22 and March 8, 2018, reveal that even this basic task presents a challenge. The main portion of the study, which measured the public’s ability to distinguish between five factual statements and five opinion statements, found that a majority of Americans correctly identified at least three of the five statements in each set. But this result is only a little better than random guesses. Far fewer Americans got all five correct, and roughly a quarter got most or all wrong. Even more revealing is that certain Americans do far better at parsing through this content than others. Those with high political awareness, those who are very digitally savvy and those who place high levels of trust in the news media are better able than others to accurately identify news-related statements as factual or opinion…”

(Related) Will anyone learn from these examples?
Cyber Attack Aims to Manipulate Mexican Election
On Wednesday June 13, in the run-up to Mexico's July 1 presidential election, a website operated by the rightist National Action Party (PAN) was taken off-line for several hours by a DDoS attack. The outage occurred at the time of a televised presidential debate, and just following a point at which the PAN candidate held up a placard with the website address claiming it held proof of potential corruption.
PAN secretary Damian Zepeda later suggested that front-running leftist candidate Andres Manuel Lopez Obrador (AMLO) was behind the attack
The source of the DDoS attack is unknown and possibly unknowable – but it is a reminder of the extent to which the internet can be used to influence or even control public opinion.
The accusations of Russian involvement in both the Trump election in the U.S. and the UK Brexit referendum are still fresh. Perhaps more directly relevant is the controversy over the DDoS attack on the FCC website just as it was gathering public comment on the (then) proposed elimination of the net neutrality rules.
The FCC claimed it had been taken off-line by a DDoS attack. Critics of the FCC plans have suggested it was purposely taken off-line to avoid registering mass public dissent over the FCC rules. If the Mexico event was a direct parallel to these claims, it could suggest that PAN couldn't prove the criticisms it was making, and took down the website itself.
This last possibility is not a serious proposal – but it illustrates the plausible deniability and difficulty of attribution that comes with cyber activity. The DDoS attack could have been delivered by Russia (because it has a history of interference); by AMLO (to prevent access to his competitor's website); by the U.S. (because it would almost certainly prefer a right-leaning to a left-leaning neighbor); or by PAN itself (as a false flag). Or, of course, none of the above -- a straightforward DDoS attack by cybercriminals.

I wonder what caused/allowed this?
KPMG's audit work unacceptable, says watchdog
The auditing work of one of the world's "Big Four" accounting firms has been sharply criticised by the industry's watchdog.
KPMG audits had shown an "unacceptable deterioration" and will be subject to closer supervision, the Financial Reporting Council said.
The FRC added all the Big Four - which also include PwC, EY and Deloitte - needed to reverse a decline.
KPMG said it was "disappointed" and was taking steps to improve audit quality.
… "There has been an unacceptable deterioration in quality at one firm, KPMG," the FRC said in a statement. "50% of KPMG's FTSE 350 audits required more than just limited improvements, compared to 35% in the previous year."
… "They must address urgently several factors that are vital to audit, including the level of challenge and scepticism by auditors, in particular in their bank audits. We also expect improvements in group audits and in the audit of pension balances."
… KPMG came in for criticism over its audit of collapsed construction firm Carillion earlier this year, and the FRC has opened an investigation into the group under the Audit Enforcement Procedure.
The auditor was also recently fined £3.2m by the watchdog over its audit of insurance firm Quindell. Last year, the FRC opened an investigation into KPMG's audit of the accounts of aero-engine maker Rolls-Royce.
… the accounting industry has faced a lot of criticism in the last few years over whether their verdicts on companies' accounts can be trusted.

Monday, June 18, 2018

A sneak attack on SWIFT.
Banco de Chile admits losing $10 million in disk-wiping malware attack
Banco de Chile, the second largest bank in the country, released a public statement confirming a major malware attack that breached its computer systems on May 24, shutting down bank operations. The hackers used a disk-wiping malware to cause the outage in order to distract attention from their original target – the SWIFT money transferring system.
According to the bank’s CEO Eduardo Ebensperger, $10 million were stolen and linked to accounts based in Hong Kong.
“We found some strange transactions on the Swift system, and that’s when we realized that the virus wasn’t all of it, but fraud was being attempted,” he confirmed in an interview last week (translation).

Why is this so common in Chicago? Has it been like this since the time of Mrs. O’Leary’s cow?
If there is a Keystone Cops equivalent of a k-12 data breach, a recent incident involving Chicago Public Schools may be a strong contender.
Last week, this site noted a breach that seemed puzzling in its description. Since that time, some informed parents have reached out to me to provide me with more details about the incident.
It all started when Chicago Public Schools (CPS) sent a letter to parents of students who were eligible to select other schools for the 2018-2019 school year. The letter was intended to instruct the parents how to review the schools that their child was eligible for and how to indicate their choice.
Based on what was provided to by Cassie Creswell, co-director of Raise Your Hand Action, a Chicago-based public education advocacy group, it appears that instead of the letter having an attachment, the letter (only) contained a link to a file on Blackboard. That file contained 3,700 students’ and parents’ information. So every recipient who clicked on the link in the email would have seen – and could have downloaded – a file with thousands of students and parents’ information.
Why that file should be up on Blackboard with absolutely no login required was not explained by CPS in their breach notification letter.
According to Cressell, the fields were in the following format:
First_Name Last_Name HomePhone WorkPhone MobilePhone SMSPhone EmailAddress ReferenceCode Building
The names are the student’s name, the phone numbers and email are for the parent, and the reference code is the child’s CPS student ID number, Creswell explained. The field labeled “Building” contained a list of one or more types of selective schools: AC, Regional Gifted Centers, Classical.
Frustratingly, it appeared that although CPS fairly quickly realized that they had had a data breach, they didn’t quite understand the nature of the breach. Initially, as their notification letter suggested, they seemed to believe that parents had actually received an attached file with 3,700 students’ information. Hence, they asked parents to basically “do the right thing” and delete the attachment without looking at it.
But there was no attachment, and it took CPS more than 4 hours to figure out that instead of asking parents to delete a nonexistent attachment, they needed to remove the unsecured file from Blackboard or otherwise lock it down.
So while CPS may have believed that they had responded appropriately to the breach by asking parents to delete an attached file, in actuality, the file remained where it had always been – up on Blackboard. And any parents who hadn’t already accessed that file when they first got an email from CPS might have become curious and taken a look at the file in the more than 5 hours it allegedly took CPS to actually secure the file.
To make matters even worse, there’s some indication that this was not the first time CPS had made this exact type of error. was provided with a text copy of an email sent by CPS on March 10, 2017 that contacted parents about selective enrollment, and that supposedly contained an attachment, but actually contained a link to a live file on Blackboard:
*File attachments:*
SEHS Confirmation Reminder.csv
This certainly appears to be the same scenario as the recent breach, and has reached out to CPS to ask them to confirm or deny whether this was the same kind of breach.
In a statement to, Creswell summarized parental frustration and fears:
We are deeply concerned about yet another improper sharing incident of student data in Chicago Public Schools. The district’s response to being notified of the breach was especially concerning because (1) it was clear that they initially didn’t understand how the data had been shared (on the web vs as an email attachment), and it took hours for them to disable the web site. And (2) this is at least the second time that they’ve made this exact mistake.
CPS has a $950K contract with Blackboard Connect, but it seems that they haven’t received either the training or the support needed to properly use this product, one which interfaces with their own Student Information System.
This is just an error that’s come to light publicly; what else is happening that the parents and the public don’t even see?
As noted above, reached out to CPS to ask them to confirm or deny that this was the second time that parents had been given a link to a file on Blackboard instead of being provided an attached form to complete. also posed two additional questions to Tony Howard, Executive Director, CPS Office of Access and Enrollment:
In terms of the current/most recent incident: Who determined that a file should be uploaded to Blackboard and made available without any login required? Was that an executive decision or did some hapless employee just screw up or….?
Is someone going to reconfigure connect.blackboard to require at least a password to access files on it? I’m concerned that someone could have uploaded a spreadsheet with hundreds of thousands of student names, IDs, and medical or SpEd information or other sensitive info.
No response was immediately received, but that is not surprising on a weekend and holiday. This post will be updated if a reply is received.

So, now that we are free to react, how will they react to our reaction?
Pentagon Puts Cyberwarriors on the Offensive, Increasing the Risk of Conflict
The Pentagon has quietly empowered the United States Cyber Command to take a far more aggressive approach to defending the nation against cyberattacks, a shift in strategy that could increase the risk of conflict with the foreign states that sponsor malicious hacking groups.
Until now, the Cyber Command has assumed a largely defensive posture, trying to counter attackers as they enter American networks. In the relatively few instances when it has gone on the offensive, particularly in trying to disrupt the online activities of the Islamic State and its recruiters in the past several years, the results have been mixed at best.
But in the spring, as the Pentagon elevated the command’s status, it opened the door to nearly daily raids on foreign networks, seeking to disable cyberweapons before they can be unleashed, according to strategy documents and military and intelligence officials.
… It is unclear how carefully the administration has weighed the various risks involved if the plan is acted on in classified operations. Adversaries like Russia, China and North Korea, all nuclear-armed states, have been behind major cyberattacks, and the United States has struggled with the question of how to avoid an unforeseen escalation as it wields its growing cyberarsenal.
Another complicating factor is that taking action against an adversary often requires surreptitiously operating in the networks of an ally, like Germany — a problem that often gave the Obama administration pause.

Sounds fluffy to this old auditor. Are we going to wait a year to find out if they have any impact?
Facebook quietly made a huge concession to shareholders as it aims to avoid another data disaster
… On Friday, Facebook quietly changed the name of its audit committee — which is chaired by former White House chief of staff Erskine Bowles — to the audit and risk oversight committee.
The committee's responsibilities have also been increased to encompass three major issues:
  1. It will review how Facebook "services can be used to facilitate harm or undermine public safety or the public interest." This could be read as a reference to fake news and election interference. [If that’s what they meant, that what they would have said. Bob]
  2. It will investigate Facebook's "privacy program" following the Cambridge Analytica, in which the accounts of 87 million users were compromised.
  3. Facebook's "cybersecurity risk exposures" will also be analysed by the committee.
Bowles' group of executives, which also include Marc Andreessen, Kenneth Chenault, and Jeffrey Zients, will conduct these reviews at least once a year.

Something my students might do.
Legal Analytics vs. Legal Research: What’s the Difference?
Law Technology Today: “Legal analytics involves mining data contained in case documents and docket entries, and then aggregating that data to provide previously unknowable insights into the behavior of the individuals (judges and lawyers), organizations (parties, courts, law firms), and the subjects of lawsuits (such as patents) that populate the litigation ecosystem. Litigators use legal analytics to reveal trends and patterns in past litigation that inform legal strategy and anticipate outcomes in current cases. While every litigator learns how to conduct legal research in law school, performs legal research on the job (or reviews research conducted by associates or staff), and applies the fruits of legal research to the facts of their cases, many may not yet have encountered legal analytics. Data-driven insights from legal analytics do not replace legal research or reasoning, or lawyers themselves. They are a supplement, both prior to and during litigation…”

If you don’t die on schedule, will they call for a “Terminator?”
Google Is Training Machines To Predict When A Patient Will Die
A woman with late-stage breast cancer came to a city hospital, fluids already flooding her lungs. She saw two doctors and got a radiology scan. The hospital's computers read her vital signs and estimated a 9.3 percent chance she would die during her stay.
Then came Google's turn. A new type of algorithm created by the company read up on the woman – 175,639 data points – and rendered its assessment of her death risk: 19.9 percent. She passed away in a matter of days. [So the correct number was 100%? Bob]
The harrowing account of the unidentified woman's death was published by Google in May in research highlighting the health-care potential of neural networks, a form of artificial intelligence software that's particularly good at using data to automatically learn and improve. Google had created a tool that could forecast a host of patient outcomes, including how long people may stay in hospitals, their odds of re-admission and chances they will soon die.
What impressed medical experts most was Google's ability to sift through data previously out of reach: notes buried in PDFs or scribbled on old charts. The neural net gobbled up all this unruly information then spat out predictions. And it did it far faster and more accurately than existing techniques. Google's system even showed which records led it to conclusions.

It turns out that the project in Software Architecture was rather timely after all. Perhaps Facebook will hire some of my students to point out the errors in their system?
A million Indians testing Whatsapp payments; what 's the feedback like?
Almost one million people in India are "testing" WhatsApp's payments service, and the company is working with the Indian government, NPCI and multiple banks to further expand the feature to more users, a company official said.
WhatsApp payment service, which rivals the likes of Paytm, has been in beta testing over the last few months.
… WhatsApp had received permission from NPCI to tie up with banks to facilitate financial transactions via Unified Payments Interface (UPI).
Paytm founder Vijay Shekhar Sharma had earlier this year alleged that WhatsApp's UPI payment platform has security risks for consumers and is not in compliance with the guidelines.
The Reserve Bank of India has mandated all payment system operators to ensure that data related to payments is stored only in India giving firms six months to comply with it.
… WhatsApp had stated that sensitive user data such as the last 6 digits of a debit card and UPI PIN is not stored at all.
While it admitted to using the infrastructure of Facebook for the service, it asserted that the parent firm does not use payment information for commercial purpose.

Another shot at Amazon?
Google places a $550 million bet on China's second-largest e-commerce player
… The two tech companies said they would work together to develop retail infrastructure that can better personalize the shopping experience and reduce friction in a number of markets, including Southeast Asia.
For its part, said it planned to make a selection of items available for sale in places like the U.S. and Europe through Google Shopping — a service that lets users search for products on e-commerce websites and compare prices between different sellers.
… At the same time, also teamed up with U.S. retail giant Walmart in the grocery business. Reports said Walmart opened a small high-tech supermarket in China where consumers can use smartphones to pay for items that are mostly available on its virtual store on online platform JD Daojia, an affiliate of

This link could be handy since we no longer teach our students how to use PowerPoint.

Does this mean I will have to look at my students?
Huge Flipgrid News! - All Features Now Free
Flipgrid has been acquired by Microsoft. That's good news for the founders of Flipgrid and great news for all of us who enjoy using Flipgrid. As of this morning all Flipgrid features are now free for all users! If you are a person who paid for a Flipgrid Pro account, you'll be getting a prorated refund of your subscription.
Some of the features of Flipgrid that are now available to all users include:
  • Unlimited grids!
  • More time limit options
    • Set a time limit between fifteen seconds and five minutes.
  • Scheduled launch and freeze dates.
According to their statement Flipgrid will continue to work and Chromebooks, iPads, iPhones, Android phones and tablets, and in the web browser on your Windows or Mac computer.
If you haven't tried Flipgrid, take a look at my video to see what it's all about.
… Flipgrid already supports Microsoft Teams.