Saturday, July 14, 2018

Here’s what they did last time. Are we ready this time?
Six Big Takeaways from Mueller’s Indictment of Russian Intel Officers
Special Counsel Robert Mueller released an indictment today of 12 Russian intelligence officers, accusing them of hacking the Democratic National Committee (DNC), the Hillary Clinton campaign and the Democratic Congressional Campaign Committee (DCCC).
The document contained an extraordinary amount of detail about how Russian intelligence carried out its operation.

Inside Facebook, Twitter and Google's AI battle over your social lives
When you sign up for Facebook on your phone, the app isn't just giving you the latest updates and photos from your friends and family. In the background, it's utilizing the phone's gyroscope to detect subtle movements that come from breathing. It's measuring how quickly you tap on the screen, and even looking at what angle the phone is being held.
Sound creepy? These are just some of the ways that Facebook is verifying that you're actually human and not one of the tens of millions of bots attempting to invade the social network each day.
That Facebook would go to such lengths underscores the escalation of the war between tech companies and bots that can cause chaos in politics and damage public trust. Facebook isn't alone. Twitter on Wednesday began removing millions of blocked accounts, and Google is looking to stamp out malicious trolls on YouTube.

A podcast for my Disaster Recovery lecture.
‘It Won’t Happen to Me’: Why People Don’t Prepare for Disasters
Knowledge@Wharton: How often do people forget the fact that they went through a storm previously, yet they don’t prepare for the next one?
Robert Meyer: This is a question we study an awful lot. People actually have a really good memory of past storms that they’ve been through, but what people tend to forget, which often causes laxness in protection or preparation, is what it really felt like to go through these storms. Everyone will remember the storm. You look in the news, and [reports] remind you of it. But what tends to fade quickly is what it really felt like to go through these things. I think it’s part of human evolution that we tend to have a really short memory for pain. As a consequence, it seems really bad at the time, and you have people thinking, “Next time, I’m going to really fully prepare; I never want to go through this again.” Then three or four months later, you remember the event but forget what it felt like.

Microsoft Executive: Facial Recognition Tech Should Be Regulated
Microsoft President Brad Smith ... said in a blog post on Friday that Microsoft believes there should be “thoughtful government regulation” of the controversial technology that can automatically recognize a person’s face. He also said that there should be standards created—via both the public and private sectors—“for the development of norms around acceptable uses.”
… Smith acknowledges that the use of facial recognition technology can be “both positive and potentially even profound” and cites hypothetical scenarios in which computers could more easily find missing children or help law enforcement identify terrorists.
… It’s in other more controversial uses of the technology that Smith calls “more sobering,” and he believes the government should step in with regulation. He cites scenarios like people being monitored in political rallies or shopping mall vendors scanning people’s faces and sharing that data with others without permission.
“This has long been the stuff of science fiction and popular movies – like Minority Report, Enemy of the State and even 1984—but now it’s on the verge of becoming possible,” Smith said. “Perhaps as much as any advance, facial recognition raises a critical question: what role do we want this type of technology to play in everyday society?”
… Some of the questions Smith wants the government to discuss are:
Should law enforcement use of facial recognition be subject to human oversight and controls, including restrictions on the use of unaided facial recognition technology as evidence of an individual’s guilt or innocence of a crime?
Similarly, should we ensure there is civilian oversight and accountability for the use of facial recognition as part of governmental national security technology practices?
What types of legal measures can prevent use of facial recognition for racial profiling and other violations of rights while still permitting the beneficial uses of the technology?

Looks like they could have been doing this all along, but chose not to. I wonder how many organizations monitor continuously.
Uber begins monitoring U.S. driver background checks continuously
As part of a plan to improve safety for its riders, Uber is rolling out ongoing background checks for its drivers, the company tells Axios. Uber has partnered with its background check provider, Checkr, and Appriss, which provides safety data.
Why it matters: Over the years, Uber has been plagued with incidents of driver violence or unsafe behavior. Once a driver had a clean initial background check, the company couldn't always track later violations or problems.
How it works: Through Appriss’s real-time collection of data, Uber will be notified if a driver is newly charged with a criminal offense. From there, Uber can decide if it wants to suspend a driver from its service to prevent unsafe behavior.

Perhaps Facebook is not doing “everything” it can.
Facebook Groups widely used for sharing pirated Hollywood movies
Facebook Groups has a piracy problem — and the company says there's nothing it can do about it.
The social network is awash with groups devoted to freely sharing pirated Hollywood movies with hundreds of thousands of users, Business Insider has found.
With names like "Full HD English Movie" and "Free full movies 2018," these Facebook groups make no attempt to hide their purpose or to conceal catalogs brimming with the latest blockbusters like "Ant Man and the Wasp" and "A Quiet Place." Business Insider found them by simply searching for "free movies" on Facebook.
These groups, some of which are years old, exist despite Facebook's army of human content moderators and automated software meant to detect copyright-infringing content, raising questions about the effectiveness of Facebook's content-policing systems.
Reached for comment, a Facebook representative said it wasn't the company's responsibility to take down such content unless asked to by the content's rights holders, even if the videos seem clearly stolen, because otherwise Facebook can't be sure it is being illegally shared.

Amazon’s share of the US e-commerce market is now 49%, or 5% of all retail spend
Amazon has already been in the crosshairs of the White House when it comes to threats of antitrust investigations, and while some say this is simply Trumpian bluster that has a slim chance of going anywhere, some new numbers out from the researchers at eMarketer could fan the flames.
Amazon is set to clear $258.22 billion in US retail sales in 2018, according to eMarketer’s figures, which will work out to 49.1 percent of all online retail spend in the country, and 5 percent of all retail sales.
… Now, it is fast approaching a tipping point where more people will be spending money online with Amazon, than with all other retailers — combined. Amazon’s next-closest competitor, eBay, is a very, very distant second at 6.6 percent, and Apple is third at 3.9 percent. Walmart, the world’s biggest retailer when counting physical stores, has yet to really hit the right note in e-commerce and comes in behind Apple with 3.7 percent of online sales in the US.

Friday, July 13, 2018

Why I teach so many Computer Security classes.
IBM Security on Wednesday released its latest report examining the costs and impact associated with data breaches. The findings paint a grim portrait of what the clean up is like for companies whose data becomes exposed—particularly for larger corporations that suffer so-called “mega breaches,” a costly exposure involving potentially tens of millions of private records.
According to the IBM study, while the average cost of a data breach globally hovers just under $4 million—a 6.4 percent increase over the past year—costs associated with so-called mega breaches (an Equifax or Target, for example) can reach into the hundreds of millions of dollars. The average cost of a breach involving 1 million records is estimated at around $40 million, while those involving 50 million records or more can skyrocket up to $350 million in damages.
… The average time to identify a data breach is 197 days, and the average time to contain a data breach once identified is 69 days.
Download Full Reports & Register for the Webinar
To download the 2018 Cost of a Data Breach Study: Global Overview, visit
To view the digital infographic with study highlights, visit:
To register to attend the IBM Security and Ponemon Institute webinar on July 26th at 11 a.m. ET, visit:

Willie Sutton robbed banks because “that’s where the money’s at.” If you want insider, ‘don’t tell anyone the secret plans’ kind of information, law firms are the new target.
Jennifer Schlesinger and Andrea Day report:
It would be hard to walk into a major business and walk away with all its sensitive information. But sometimes that’s not the case when it comes to online networks.
Q6 Cyber, a cybersecurity firm that specializes in monitoring the dark web, showed CNBC a forum post in Russian where the cybercriminal was offering access to a New York City law firm’s network and files, and was willing to send screenshots as evidence he had broken in.
The price for the access was $3,500.
Read more on CNBC.
Law firm hacks and leaks are pretty much a dime a dozen these days. As one of my regular sources notes, another day, another law firm leak. To what extent are hackers trying to extort the law firms or just putting access up for sale? I wouldn’t be surprised if law firms were quietly paying extortion after they get hacked, but I also wouldn’t be surprised if the majority of compromised law firms don’t even know that they are leaking data unless they are fortunate enough to be notified by some whitehat or independent researcher. So depending on what kind of law they practice and what’s in their files, they may be exposing some really sensitive IP or financial information, etc.

I think I’ve just discovered the next project for my Computer Security students.
Would Asking People To Hack America’s Election Systems Make Them More Safe?
There are four months until the midterm elections, and the security of state election systems remains a concern. The clock is ticking to ferret out problems and fix them before Nov. 6. Websites associated with voting continue to have poor cybersecurity hygiene, even after the revelation that hackers probed the systems of 21 states in the lead-up to the 2016 election. And while Congress has increased the funds available to states to improve their election systems, many are still jumping through bureaucratic hoops to actually access the money.

Geez Mugsey, I didn’t think the cat would rat us out!
Chloe Nordquist reports:
Well now, those photos you post of your cat could lead strangers straight to your home.
The metadata hidden beneath those cute furry Instagram pics include your geo-location. And one website,, highlights just that.
They took the metadata from cat photos on Instagram and compiled a visual map of where those photos were taken.
Read more on Fox4.
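The geolocation the story refers to lives in the photo's EXIF block (a GPS IFD inside the JPEG's APP1 segment). As an added example, not code from the Fox4 story or from the mapping site it describes, the Python below does the check a cautious poster would want before uploading: it walks the JPEG marker segments, reads the GPS IFD directly (no image library needed), reports the coordinates in decimal degrees, and returns a copy with the Exif segment removed. The sample JPEG it parses is constructed in memory and is not a decodable picture, only enough structure to carry a GPS tag; the coordinates in it are made up.

```python
import struct


def build_sample_jpeg():
    """Constructed sample: SOI, Exif APP1 with a GPS IFD, a COM segment, EOI.
    The GPS IFD encodes 40 deg 42' 46.08" N, 74 deg 0' 21.6" W (made-up values)."""
    E = ">"  # big-endian TIFF ("MM")

    def entry(tag, typ, count, value_bytes):
        # One 12-byte IFD entry; values of 4 bytes or less sit inline, left-justified
        return struct.pack(E + "HHI", tag, typ, count) + value_bytes.ljust(4, b"\0")

    def rationals(*pairs):
        return b"".join(struct.pack(E + "II", n, d) for n, d in pairs)

    lat = rationals((40, 1), (42, 1), (4608, 100))   # degrees, minutes, seconds
    lon = rationals((74, 1), (0, 1), (2160, 100))
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4          # IFD0: count + 1 entry + next-IFD pointer -> 26
    data_off = gps_off + 2 + 4 * 12 + 4      # GPS IFD: count + 4 entries + next pointer -> 80
    ifd0 = (struct.pack(E + "H", 1)
            + entry(0x8825, 4, 1, struct.pack(E + "I", gps_off))  # GPSInfoIFDPointer
            + struct.pack(E + "I", 0))
    gps = struct.pack(E + "H", 4)
    gps += entry(0x0001, 2, 2, b"N\0")                              # GPSLatitudeRef
    gps += entry(0x0002, 5, 3, struct.pack(E + "I", data_off))      # GPSLatitude
    gps += entry(0x0003, 2, 2, b"W\0")                              # GPSLongitudeRef
    gps += entry(0x0004, 5, 3, struct.pack(E + "I", data_off + 24)) # GPSLongitude
    gps += struct.pack(E + "I", 0)
    tiff = b"MM" + struct.pack(E + "HI", 42, ifd0_off) + ifd0 + gps + lat + lon
    app1 = b"Exif\0\0" + tiff
    com = b"constructed sample"
    return (b"\xff\xd8"
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xfe" + struct.pack(">H", len(com) + 2) + com
            + b"\xff\xd9")


def iter_segments(jpeg):
    """Yield (marker, start, end, payload) for each marker segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):   # EOI or SOS: all metadata segments precede these
            return
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def _read_gps_ifd(tiff):
    """Return {gps_tag: value} from the GPS IFD of a TIFF-structured Exif block, or None."""
    E = {b"MM": ">", b"II": "<"}[tiff[:2]]
    u16 = lambda o: struct.unpack(E + "H", tiff[o:o + 2])[0]
    u32 = lambda o: struct.unpack(E + "I", tiff[o:o + 4])[0]

    def entries(ifd_off):
        for i in range(u16(ifd_off)):
            e = ifd_off + 2 + 12 * i
            yield u16(e), u16(e + 2), u32(e + 4), e + 8   # tag, type, count, value-field offset

    gps_off = next((u32(vf) for tag, _, _, vf in entries(u32(4)) if tag == 0x8825), None)
    if gps_off is None:
        return None
    fields = {}
    for tag, typ, count, vf in entries(gps_off):
        if typ == 2:   # ASCII: up to 4 bytes inline, longer strings at an offset
            off = vf if count <= 4 else u32(vf)
            fields[tag] = tiff[off:off + count].rstrip(b"\0").decode("ascii", "replace")
        elif typ == 5 and count == 3:   # three RATIONALs: degrees, minutes, seconds
            off = u32(vf)
            v = struct.unpack(E + "IIIIII", tiff[off:off + 24])
            fields[tag] = [v[i] / (v[i + 1] or 1) for i in (0, 2, 4)]
    return fields


def find_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees if GPS EXIF is present, else None."""
    for marker, _, _, payload in iter_segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\0\0"):
            f = _read_gps_ifd(payload[6:])
            if f and 2 in f and 4 in f:
                lat = f[2][0] + f[2][1] / 60 + f[2][2] / 3600
                lon = f[4][0] + f[4][1] / 60 + f[4][2] / 3600
                return (round(-lat if f.get(1) == "S" else lat, 6),
                        round(-lon if f.get(3) == "W" else lon, 6))
    return None


def strip_exif(jpeg):
    """Return a copy with every Exif APP1 segment removed; image data is untouched."""
    cut = [(s, e) for m, s, e, p in iter_segments(jpeg)
           if m == 0xE1 and p.startswith(b"Exif\0\0")]
    out = bytearray(jpeg)
    for s, e in reversed(cut):
        del out[s:e]
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", find_gps(sample))        # (40.7128, -74.006)
    print("after: ", find_gps(strip_exif(sample)))   # None
```

Dropping the whole APP1 segment also removes orientation, camera model and thumbnail data, which is the safe default for anything posted publicly; if you only want the location gone, the same walk can rewrite the IFD0 entry that points at the GPS IFD instead of cutting the segment.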

What could possibly go wrong?
Federal court rules that TSA agents can’t be sued for false arrests, abuse, or assault
TSA agents and security screeners can’t be sued for false arrests, abuse, or assault, according to a ruling from a federal appeals court in Pellegrino v. the United States of America Transportation Security Administration, reports travel news and advice site The Points Guy.
According to the US Court of Appeals for the Third Circuit, TSA officials have sovereign immunity while working in their official functions as screeners and security agents under the Federal Tort Claims Act. While that law ordinarily doesn’t cover law enforcement officers, the court ruled in a 2-1 decision that TSA agents aren’t considered law enforcement and therefore are covered under the law.
Per the court’s decision, TSA searches are considered “administrative searches,” and as Circuit Judge Cheryl Ann Krause notes in the decision, “Congress to date has limited the proviso to ‘investigative or law enforcement officers,’” which the TSA searches wouldn’t fall under. According to Judge Krause, it would be up to Congress to enact legislation that could hold TSA agents accountable. But as the law stands now, it seems that there’s very little that individuals wronged by the TSA can do to have their problems addressed.

Does this disqualify me for law school?

Thursday, July 12, 2018

Yet another example of people using the same password on multiple systems.
Macy's data breach exposes customers' credit card info
Macy's says cyberthieves hacked the accounts of thousands of the retailer's online customers, compromising people's full names as well as their credit card numbers and expiration dates.
The attack, which occurred over roughly six weeks between the end of April and the beginning of June before being shut down, affected consumers registered on or Logins and passwords were taken from sites unrelated to the retailers and then used to access data on both sites.
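The pattern described above, credentials stolen elsewhere and replayed against an unrelated site, is usually called credential stuffing, and its login-log footprint is distinctive: one source tries many different accounts in a short window and most attempts fail. As an added example (not Macy's code or any vendor's), the Python below runs that check over a few constructed log lines; the line format, IP addresses and account names are all made up for the example, and the thresholds are assumptions to tune per site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source ip> <account> <OK|FAIL>".
# 203.0.113.7 sprays eight different accounts in seconds (two happen to succeed);
# 198.51.100.20 is one user who mistyped once; 192.0.2.5 is one user who forgot a password.
SAMPLE_LOG = """\
2018-05-03T10:00:01Z 203.0.113.7 alice FAIL
2018-05-03T10:00:02Z 203.0.113.7 bob FAIL
2018-05-03T10:00:02Z 203.0.113.7 carol OK
2018-05-03T10:00:03Z 203.0.113.7 dave FAIL
2018-05-03T10:00:04Z 203.0.113.7 erin FAIL
2018-05-03T10:00:05Z 203.0.113.7 frank OK
2018-05-03T10:00:06Z 203.0.113.7 grace FAIL
2018-05-03T10:00:07Z 203.0.113.7 heidi FAIL
2018-05-03T10:01:10Z 198.51.100.20 bob FAIL
2018-05-03T10:01:25Z 198.51.100.20 bob OK
2018-05-03T10:02:00Z 192.0.2.5 dave FAIL
2018-05-03T10:02:30Z 192.0.2.5 dave FAIL
2018-05-03T10:03:00Z 192.0.2.5 dave FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, succeeded)."""
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome == "OK"


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_accounts=5, min_fail_ratio=0.6):
    """Flag source IPs that, within any sliding window, hit at least min_accounts
    distinct accounts with a failure ratio of at least min_fail_ratio.
    Returns {ip: summary}; 'compromised' lists accounts that succeeded from that IP,
    which are the ones to force a password reset on."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, account, ok = parse_line(line)
            by_ip[ip].append((ts, account, ok))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            accounts = {a for _, a, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(accounts) >= min_accounts and fails / len(win) >= min_fail_ratio:
                prev = findings.get(ip)
                if prev is None or len(accounts) > prev["accounts"]:
                    findings[ip] = {
                        "accounts": len(accounts),
                        "attempts": len(win),
                        "failures": fails,
                        "compromised": sorted({a for _, a, ok in win if ok}),
                    }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

Two caveats for real logs: a shared egress address (a campus, a carrier NAT) legitimately produces many accounts from one IP, so the failure ratio matters more than the raw count, and attackers spread attempts across many addresses, so the same window logic is worth running keyed on user-agent or on "accounts that do not exist" as well as on source IP. The successful logins from a flagged source are the actionable output: those are the accounts whose passwords were reused somewhere else.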

Some things that Computer Security can address and some that it can’t.
80 percent of IT decision makers say outdated tech is holding them back
betanews: “A study by analysts Vanson Bourne for self service automation specialist SnapLogic looks at the data priorities and investment plans of IT decision makers, along with what’s holding them back from maximizing value. Among the findings are that 80 percent of those surveyed report that outdated technology holds their organization back from taking advantage of new data-driven opportunities. Also that trust and quality issues slow progress, with only 29 percent of respondents having complete trust in the quality of their organization’s data. Nearly three-quarters (74 percent) say they face unprecedented volumes of data but struggle to generate useful insights from it, estimating that they use only about half (51 percent) of the data they collect or generate. What’s more, respondents estimate that less than half (48 percent) of all business decisions are based on data. Those surveyed report spending nearly one-fifth (19.5 percent) of their time simply working on data and getting it ready for use. This includes low-level tasks such as manually integrating datasets, apps and systems, as well as building and maintaining custom APIs…”

I wonder what kinds of ads these people got? NOTE: There is no reason to think the Russian government can’t do this themselves.
Facebook labels Russian users as ‘interested in treason’
Facebook’s advertising tools algorithmically labelled 65,000 Russians as interested in treason, potentially putting them at risk from the repressive state, until the company removed the category, following inquiries from journalists.
The labelling raises new concerns over data-driven profiling and targeting of users on the website, which has already faced criticism for the same tool algorithmically inferring information about users’ race, sexuality and political views despite data protection legislation requiring explicit consent to hold such information.
Facebook said the label was intended to only identify historical treason.

GDPR according to California?
By Dipayan Ghosh
Late last month, California passed a sweeping consumer privacy law that might force significant changes on companies that deal in personal data — and especially those operating in the digital space. The law’s passage comes on the heels of a few days of intense negotiation among privacy advocates, technology startups, network providers, Silicon Valley internet companies, and others. Those discussions have resulted in what many are describing as a landmark policy constituting the most stringent data protection regime in the United States.
The new law — the California Consumer Privacy Act, A.B. 375 — affords California residents an array of new rights, starting with the right to be informed about what kinds of personal data companies have collected and why it was collected. Among other novel protections, the law stipulates that consumers have the right to request the deletion of personal information, opt out of the sale of personal information, and access the personal information in a “readily useable format” that enables its transfer to third parties without hindrance.

This is focused?
Trump orders Justice Dept. task force to investigate wide range of fraud
… The Task Force on Market Integrity and Consumer Fraud was prompted by Trump's order and is designed to work as a unified effort by the Department of Justice, Securities and Exchange Commission, Consumer Financial Protection Bureau and Federal Trade Commission.
Other federal agencies, including all Cabinet-level entities and the U.S. Postal Inspection Service, will target crime in a range of areas, from healthcare to financial markets and digital currencies.
… "We expect to focus on cases involving fraud against the government, the financial markets, and consumers; procurement and grant fraud; securities and commodities fraud; digital currency fraud; money laundering; healthcare fraud; tax fraud; and other financial crimes," Deputy Attorney General Rod Rosenstein said as he introduced the task force Wednesday.

Are we moving toward a jury of 12 AIs?
Algorithms and Justice
I. Introduction
Our work on “Algorithms and Justice,” as part of the Ethics and Governance of Artificial Intelligence Initiative, explores ways in which government institutions are increasingly using artificial intelligence, algorithms, and machine learning technologies in their decision-making processes.

Microsoft Is Smoking Amazon In The Cloud
  • Microsoft's Azure has grown at an exceptional pace over the past several quarters now, outstripping Amazon Web Services' growth rates.
  • Also, it seems like customers are using more than one public cloud platform. It's a favorable industry dynamic for companies operating in the segment.
  • Overall, Microsoft's Azure seems to have a lot more growth potential.

The alternative transport world. (Next: Rent a horse?)
Portland’s Scooter Tax Is Super High, and That’s Fine
You may have heard that private shared e-scooters—parked alongside the sidewalk by each successive user, waiting to be located and rented with the smartphone of the next—are the new hotness in the rapidly expanding universe of battery-powered “micromobility.” In the last 14 days, shared scooter fleets have launched in Dallas, Baltimore, Salt Lake City, Oakland, Milwaukee and San Antonio. Bird, the 11-month-old company behind all those launches, raised its latest $300 million two weeks ago in a deal that could potentially make it one of the fastest-growing companies in U.S. history. On Monday, Bird’s main competitor Lime locked up a $335 million round of its own.
Last week, Portland announced the terms by which it’d become the first city in the Northwest to license shared e-scooters, starting July 23.
To those watching closely, Portland’s usage fee was eye-popping: 25 cents per trip.
That’s a big slice of each rental. The going rate to ride an e-scooter is currently $1 per trip plus 15 cents per minute.
There are various regulatory terms, too. Notably, Portland is setting an overall cap of 2,500 e-scooters in the city, and requiring at least 20 percent to be deployed to lower-income East Portland.

(Related) Why limit the number of companies that could pay a license fee?
Denver’s dockless scooter pilot program prompts permit applications from 7 companies
… Those companies include Lime and Bird, as well as ride-sharing giant Lyft, and a few other familiar names: Spin, Razor, Skoot and Jump.
Lyft also submitted a permit application for bikes, alongside Jump, Zagster and Ofo.
… Denver Public Works will grant permits to a maximum of five scooter-sharing companies and five bike-sharing companies. Each business will be allowed to release 250 scooters or 400 bikes in the city.

I’m a bit rusty, but apparently I should brush up a bit.
Google’s Gboard keyboard now lets you communicate through Morse code on both Android and iOS
… When activated, Morse code fills the keyboard area with two large dot and dash icons. As you tap the icons, word suggestions will appear at the top of the on-screen keyboard just as they do when you’re using the QWERTY version. Google has created a Morse Typing Trainer game that it says can teach users Morse code in under an hour. You can play it on both mobile and desktop.

Wednesday, July 11, 2018

Something I warn my Computer Security students about almost every class.
A dumb security flaw let a hacker download US drone secrets
A hacker used a basic security vulnerability to access highly sensitive files relating to the US military's spy drones and tanks, new research claims. Security firm Recorded Future says it discovered a criminal attempting to sell the secret information for only a few hundred dollars on a dark web forum last month.
… The information was exposed after two members of the US military connected to the internet through Netgear routers that still used the default log-in settings for file sharing. The bypass for the routers was first discovered two years ago and devices still vulnerable haven't had their firmware updated.

One simple tool in the battle? Hey, it can’t hurt.
WhatsApp’s label for forwarded messages won’t be enough to battle fake news
Basically, if a message wasn’t composed by the sender in your conversation, it’ll have a ‘forwarded’ label at the top.
… While it’s good to see WhatsApp acting quickly, the new feature likely won’t help much. The fact that a message about kidnappers in one’s area is a forward (and not originally composed by whoever sent it) may not influence recipients to immediately assume it’s false. It could even have the opposite effect, and encourage them to believe that if it’s been shared from elsewhere, it might be information that should be taken seriously.
In case you’re wondering why WhatsApp can’t simply scan the contents of messages, look for misinformation, and censor those on its own, the reason is that your correspondence is encrypted from end to end; the company can’t intercept messages when it’s passing through WhatsApp servers to read them.

Facebook Is Testing a Feature to Tell You If That DM Came from Russia
How do you really know that Facebook message came from who you think it came from? Perhaps it’s a sockpuppet account designed to stir up political division, or simply someone impersonating a friend to try and entice you to send over some cash.
Now, Facebook is testing a feature that provides additional information about direct messages from unknown contacts, including whether an account was recently created and what sort of phone number it used to log in.
Erin Gallagher, a multimedia artist, provided Motherboard with a screenshot of the new messenger warning. It says that the person sending a direct message logged into Messenger using a phone number from Russia; that the account was recently created; and that the unsolicited user is different from a Facebook friend with the same name. The last point would presumably be helpful for identifying accounts that may be trying to impersonate other users.

Countries seem much more willing (able?) to go after technology companies.
Britain to Fine Facebook Over Data Breach
Britain's data regulator said Wednesday it will fine Facebook half a million pounds for failing to protect user data, as part of its investigation into whether personal information was misused ahead of the Brexit referendum.
"In 2014 and 2015, the Facebook platform allowed an app... that ended up harvesting 87 million profiles of users around the world that was then used by Cambridge Analytica in the 2016 presidential campaign and in the referendum," Elizabeth Denham, the information commissioner, told BBC radio.
Wednesday's ICO report said: "The ICO's investigation concluded that Facebook contravened the law by failing to safeguard people's information."
The ICO added that it plans to issue Facebook with the maximum available fine for breaches of the Data Protection Act – an equivalent of $660,000 or 566,000 euros.
Because of the timing of the breaches, the ICO said it was unable to impose penalties that have since been introduced by the European General Data Protection Regulation, which would cap fines at 4.0 percent of Facebook's global turnover.
In Facebook's case this would amount to around $1.6 billion (1.4 billion euros).

Facebook Faces Australia Data Breach Compensation Claim
Facebook could face a hefty compensation bill in Australia after a leading litigation funder lodged a complaint with the country's privacy regulator over users' personal data shared with a British political consultancy.
The social networking giant admitted in April the data of up to 87 million people worldwide – including more than 300,000 in Australia – was harvested by Cambridge Analytica.
Under Australian law, all organisations must take "reasonable steps" to ensure personal information is held securely and IMF Bentham has teamed up with a major law firm to lodge a complaint with the Office of the Australian Information Commissioner (OAIO).
The OAIO launched an investigation into the alleged breaches in April and depending on its outcome, a class action could follow.
In its statement, IMF Bentham said it appeared Facebook learned of the breach in late 2015, but failed to tell users about it until this year.
IMF investment manager Nathan Landis told The Australian newspaper most awards for privacy breaches ranged between Aus$1,000 and Aus$10,000 (US$750-US$7,500).
This implies a potential compensation bill of between Aus$300 million and Aus$3 billion.

Because we’ll be watching him like a hawk. (No pun intended.)
SCOTUS Watch and Yale blog annotated list of Kavanaugh dissents and concurrences
“This site is brought to you by Jay Pinho and Victoria Kwan, the co-creators of SCOTUS Map. What is this? SCOTUS Watch tracks the public statements made by United States senators about how they plan to vote on the Supreme Court nominee, Brett Kavanaugh, and tallies them into a likely vote count. This tally is based solely on their statements: we do not make estimates or guesses based on a senator’s party affiliation or ideology. Note that this only includes statements made by senators after the identity of the nominee was announced. (So, for example, Senator Doug Jones’ statement to CNN on Sunday, July 8th would not count, as Brett Kavanaugh had not yet been announced.)”

3D printers are cheap. Just saying…
DIY Guns: A Landmark Ruling Opens the Door for Homemade Firearms
Cody Wilson makes digital files that let anyone 3-D print untraceable guns. The government tried to stop him. He sued—and won.
Five years ago, 25-year-old radical libertarian Cody Wilson stood on a remote central Texas gun range and pulled the trigger on the world’s first fully 3-D-printed gun. When, to his relief, his plastic invention fired a .380-caliber bullet into a berm of dirt without jamming or exploding in his hands, he drove back to Austin and uploaded the blueprints for the pistol to his website,
He'd launched the site months earlier along with an anarchist video manifesto, declaring that gun control would never be the same in an era when anyone can download and print their own firearm with a few clicks. In the days after that first test-firing, his gun was downloaded more than 100,000 times.
… Less than a week later, Wilson received a letter from the US State Department demanding that he take down his printable-gun blueprints or face prosecution for violating federal export controls. Under an obscure set of US regulations known as the International Trade in Arms Regulations (ITAR), Wilson was accused of exporting weapons without a license, just as if he'd shipped his plastic gun to Mexico rather than put a digital version of it on the internet.
… Two months ago, the Department of Justice quietly offered Wilson a settlement to end a lawsuit he and a group of co-plaintiffs have pursued since 2015 against the United States government. Wilson and his team of lawyers focused their legal argument on a free speech claim: They pointed out that by forbidding Wilson from posting his 3-D-printable data, the State Department was not only violating his right to bear arms but his right to freely share information. By blurring the line between a gun and a digital file, Wilson had also successfully blurred the lines between the Second Amendment and the First.

Howard Yu, Lego Professor of Management and Innovation at IMD Business School in Switzerland, discusses how the industrial cluster in the Swiss city of Basel is a unique example of enduring competitive advantage. He explains how early dye makers were able to continually jump to new capabilities and thrive for generations. He says the story of those companies offers a counter-narrative to the pessimistic view that unless your company is Google or Apple, you can’t stay ahead of the competition for long. Yu is the author of LEAP: How to Thrive in a World Where Everything Can Be Copied.

China Internet Report 2018
“China has twice as many internet users as the total population of the United States — and it’s growing fast. This unique collaboration between Abacus, 500 Startups, the South China Morning Post, will break down everything you need to know about China’s thriving tech industry, the big players in each field, and lay out the four overarching trends that have emerged.”
[From the top ten report:
1) China has nearly 3 times the number of internet users as the United States, and the gap will only widen.
4) Government policy continues to actively shape China’s tech industry.
10) China is now the world’s biggest gaming market.]

Perspective. Not India?
China is owning the future of cars. German automakers want in
Top German carmakers including BMW and Volkswagen have inked a series of deals this week to continue developing electric and self-driving cars in China.
The flurry of commitments coincides with a trip to Berlin by Chinese Prime Minister Li Keqiang, but it also reflects a growing recognition that China holds the key to the auto industry's future.
Factories in China produced about 25 million passenger cars last year, according to the International Organization of Motor Vehicle Manufacturers. China is already the top market for many global car brands, and its drivers purchase more electric vehicles than any other country.
… "The fact that the [electric vehicle program] is mandatory creates a virtually certain market for plug-in vehicles in China. Elsewhere the consumer has been left to decide and so progress has been, and will be, slower," said Al Bedwell, a director at LMC Automotive.

Looks like a useful tool.
Kami - Annotate and Collaborate on PDFs
Kami is a neat service that makes it easy to annotate and comment on PDFs. The folks at Kami describe their service as a digital pen and paper. That is an accurate description of what the core of the service provides. The core function of Kami provides you with a place to draw, highlight, and type on a PDF. You can share your PDFs in Kami and write notes in the margins for others to see and they can do the same.
Create a free account to start using Kami. Once you have created your account you can import PDFs into Kami from your Google Drive or you can import them from your desktop. Kami can be integrated with Google Classroom to make it easy to share annotated PDFs with your students and for them to share with you.
Kami's core service for drawing, commenting, and annotating PDFs is free for all users. Kami does offer the option to upgrade to a premium account. The premium version includes options for adding voice comments and video comments to your PDFs. The premium version also supports conversion and use of Word documents.

For my starving students.
7-Eleven convenience stores are handing out free Slurpees this Wednesday, July 11, from 11 to 7, for the chain’s annual 7-Eleven Day.

Tuesday, July 10, 2018

What actually happened? The article raises some interesting questions.
Thieves hack Marathon gas station, steal $1,800 of gas
An hour past high noon, hackers allegedly used a “remote device” to control a prepaid gas pump at a Marathon gas station in Detroit, allowing 10 vehicles to steal $1,800 of gas over a 90-minute period.
How many gallons of gas can your vehicle hold? Surely not 60? Yet the Detroit gas “hack” reportedly included a “convoy” of 10 vehicles, pulling in and pumping one after another for an hour and a half, managing to steal 600 gallons of gas. That implies each vehicle stole 60 gallons. There is no mention of people in those vehicles also filling up gas cans, barrels or other storage, so the total of 10 vehicles filling up for free to make off with 600 gallons doesn’t seem quite right.
… The police aren’t quite sure what happened. It is also unclear if all the vehicles that filled up for free were in on it or if they just took advantage of the free gas. Detroit Police have the surveillance video and are still investigating.

Hackers Have a New Favorite Target: Gas Stations
… What sounds like an isolated incident is actually happening more than you might think. One week ago, police just north of Austin, Texas arrested a man for using an “elaborate” device to steal at least $800 worth of gas from a station that was closed at the time. And in June, a BP employee in New Jersey was arrested for allegedly manipulating gas pump computers to steal over $300,000.

They (the researchers) keep giving away our (social media) secrets!
This does not surprise me at all. Chris Stokel-Walker reports:
Metadata is everywhere. Everything you tweet, every picture you take, and every status update you post on Facebook. It’s used by police and security forces to identify people who try to hide their identities and locations, while associated metadata in selfies can inadvertently ensnare criminals unaware that the data can destroy their alibi.
And metadata on Twitter can also be used in extremely precise identification of each and every one of us – according to a new paper by researchers at University College London and the Alan Turing Institute. Your tweets, it turns out, no matter how anonymous you might think they are, can be traced back to you with unerring accuracy. All someone needs to do is look at the metadata.
The scientists used tweets and the associated metadata to identify any user in a group of 10,000 Twitter users with 96.7 per cent accuracy.
Read more on Wired (UK).

This could be amusing. “Psst! Want a good deal on dis laptop that fell off dat truck?”
Patrick Marshall writes:
You’re about to cross a downtown street and your smartphone beeps to tell you that a text message has arrived. As you pull out your phone to check the message as you walk, the phone receives an alert from your local police — you’re about to step into the path of a rapidly approaching SUV!
Such a scenario may become possible with a technology called PHADE that allows public surveillance cameras to send personalized messages to people without knowing the address of the phone.
Developed by researchers at Purdue University, PHADE digitally associates people in the camera’s view with their smartphones by using the subjects’ behavioral address, or the identifiers extracted from their movements in the video.
Read more on GCN.

A call to arms? Is our government willing to respond?
Information Operations are a Cybersecurity Problem: Toward a New Strategic Paradigm to Combat Disinformation
Disinformation, misinformation, and social media hoaxes have evolved from a nuisance into high-stakes information war. State actors with geopolitical motivations, ideological true believers, non-state violent extremists, and economically-motivated enterprises are able to manipulate narratives on social media with ease, and it’s happening each and every day. Traditional analysis of propaganda and disinformation has focused fairly narrowly on understanding the perpetrators and trying to fact-check the narratives (fight narratives with counter-narratives, fight speech with more speech). Today’s information operations, however, are materially different – they’re computational. They’re driven by algorithms and are conducted with unprecedented scale and efficiency. To push a narrative today, content is quickly assembled, posted to platforms with large standing audiences, targeted at those most likely to be receptive to it, and then the platform’s algorithms are manipulated to make the content go viral (or at least, to make it easily discoverable). These operations are exploiting weakness in our information ecosystem. To combat this evolving threat, we have to address those structural weaknesses… but as platform features change and determined adversaries find new tactics, it often feels like whack-a-mole. It’s time to change our way of thinking about propaganda and disinformation: it’s not a truth-in-narrative issue, it’s an adversarial attack in the information space. Info ops are a cybersecurity issue.

Perhaps it has no merit, but it is amusing. Here’s a discovery question: Did they detect this malware anywhere else?
Catalin Cimpanu reports:
Two insurance companies are suing a cyber-security firm to recover insurance fees paid to a customer after the security firm failed to detect malware on the client’s network for months, an issue that led to one of the biggest security breaches of the 2000s.
Read more on Bleeping Computer about how Lexington Insurance Company and Beazley Insurance Company are suing TrustWave over the massive 2009 Heartland Payment Systems breach. TrustWave says the suit is meritless.
[From the article:
The two insurance firms claim that Chicago-based Trustwave Holdings, Inc. — the security firm — had failed to detect that an attacker used an SQL injection attack to breach Heartland's systems on July 24, 2007.
Furthermore, the two say Trustwave also failed to detect that attackers installed malware on the payments processor's servers on May 14, 2008, and did not raise a sign of alarm about the event.
The lawsuit points out that Trustwave did not detect any signs of suspicious activity during the security audits it provided Heartland for almost two years as part of its contracts, which also included testing for PCI DSS compliance and attestation.

Can you redefine yourself contractually?
Several publishers are pushing back on demands by agency giant Publicis that are meant to get the agency in compliance with the General Data Protection Regulation. The concerns center around Publicis’ shifting liability for the new European privacy law to publishers.
The GDPR requires companies to justify collecting people’s data for the purpose of targeting them with ads and other business objectives. Confusion and controversy have followed as players in the ad supply chain dispute who’s responsible for what. In the Publicis case, publishers say the holding company is asking the publishers to collect users’ consent to be ad-targeted and to assume all liability for collecting that consent, per its new terms and conditions. The publishers’ concern is that agreeing to this demand would leave the publisher responsible if the agency retargets users who haven’t consented to be targeted.
“The ask before was, ‘Add us to your consent form.’ Now they just reworded it to say, ‘You’re responsible for getting consent, and we aren’t,’” groused one publisher that’s been presented with the demands and who, like all publishing execs in this article, spoke on condition of anonymity since they were still in talks with the holding company.
… Under GDPR, publishers are classed as data controllers because they are regarded as the source of the first-party audience data, which other businesses will marry advertiser data to for the purpose of targeting ads. Advertisers are also classed as data controllers, given their own customer data is sourced from them and not third parties. Agencies and vendors are typically defined as data processors, because they work with data that’s sourced either from the publisher or the client. Agencies therefore process data on behalf of their clients, but publishers don’t believe they should share accountability for whatever is done with that data on the clients’ sites, when that is controlled by the agency.

How would this work? Divide them geographically? The Balkanization of a global user community?
Coalition to break up Facebook gains momentum
Bloomberg: “The top U.S. communications union is joining a coalition calling for the Federal Trade Commission to break up Facebook Inc., as the social media company faces growing government scrutiny and public pressure. “We should all be deeply concerned by Facebook’s power over our lives and democracy,” said Brian Thorn, a researcher for the 700,000-member Communications Workers of America, the newest member of the Freedom From Facebook coalition. For the FTC not to end Facebook’s monopoly and impose stronger rules on privacy “would be unfair to the American people, our privacy, and our democracy,” Thorn said in an email. Facebook disclosed July 2 that it’s cooperating with probes by the U.S. Securities and Exchange Commission and the Federal Bureau of Investigation on how political consulting firm Cambridge Analytica obtained personal information from as many as 87 million of the site’s users without their consent. The FTC, the Department of Justice and some state regulators were already probing the matter, which prompted Facebook Chief Executive Officer Mark Zuckerberg to testify before Congress in April. Facebook also faces calls for regulation from many lawmakers and the public over the privacy issue, Russian efforts to manipulate the 2016 presidential election and the spread of false information on the platform. Facebook declined to comment on the union’s move. The CWA doesn’t represent Facebook employees, but it does represent more than 100,000 workers at AT&T Inc., which has clashed with Facebook on public policy before. And although Facebook’s workers don’t belong to unions, the contracted shuttle drivers and cafeteria workers are unionized…”

The Best Influencers Are Babies
Welcome to the lucrative world of spawn con.
… influencer marketing has exploded, and more recently, one area has proven to be particularly lucrative: sponsored content that involves kids, or spawn con, if you will.

What a surprise!
How Brett Kavanaugh Would Change The Supreme Court

Create your own Karaoke?

Monday, July 09, 2018

Probably email addresses, not the emails. Note that they immediately identified a more secure method for authenticating their Admins. Why didn’t they use that from the beginning?
Timehop Security Breach Affects the Company’s Entire 21 Million Userbase
Timehop, a mobile app that surfaces old social media posts from the same day but from previous years, has announced a security breach affecting its entire userbase of over 21 million users.
Not all users were affected to the same extent. The company said a hacker gained access to its infrastructure and stole details on its users that included usernames, emails, telephone numbers, and access keys.
Timehop says that not all users had an email address or phone number attached to their account.
… Further, not all usernames contained users’ real names.
Nonetheless, the hacker stole the access keys for all 21 million users. These access keys link the Timehop account to various social media accounts from where Timehop pulls older social media posts and images.
… The company said it is now working with law enforcement and cyber-security firms to track down the intruders and secure its infrastructure.
According to preliminary evidence from the investigation, the intrusion took place on December 19, 2017, when a hacker gained access to an admin account for Timehop’s cloud infrastructure. Timehop says it failed to secure that account with multi-factor authentication, making the attack possible.
… The hacker logged into this account on four separate days in December 2017 and March and June 2018, during which it carried out reconnaissance operations.
The intrusion went undetected until July 4, when the intruder started exfiltrating the company’s database. Timehop says it detected the operation and cut off the hacker’s access two hours and nineteen minutes later.
The company said it now secured all accounts with multi-factor authentication to prevent further intrusions.
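A defender-side check for the failure pattern described above (an admin account with no MFA, used on four separate days before a bulk export that was only caught two hours and nineteen minutes in), as an added example that is not Timehop's code or logs; the audit-log format, field names and values are constructed for this example.

```python
import json
from datetime import datetime, timezone

# Constructed audit-log lines (not Timehop's real logs; field names are assumptions):
# an admin console account never enrolled in MFA is used on four separate days,
# then performs a bulk export, and its access is revoked 2h19m later.
SAMPLE_AUDIT_LOG = """
{"ts": "2017-12-19T14:02:11Z", "user": "infra-admin", "role": "admin", "event": "ConsoleLogin", "mfa_used": false}
{"ts": "2018-03-07T09:41:30Z", "user": "infra-admin", "role": "admin", "event": "ConsoleLogin", "mfa_used": false}
{"ts": "2018-06-20T22:15:02Z", "user": "infra-admin", "role": "admin", "event": "ConsoleLogin", "mfa_used": false}
{"ts": "2018-07-04T02:04:40Z", "user": "infra-admin", "role": "admin", "event": "ConsoleLogin", "mfa_used": false}
{"ts": "2018-07-04T02:10:05Z", "user": "infra-admin", "role": "admin", "event": "DatabaseExport", "mfa_used": false}
{"ts": "2018-07-04T04:29:05Z", "user": "infra-admin", "role": "admin", "event": "AccessRevoked", "mfa_used": false}
{"ts": "2018-07-05T08:00:00Z", "user": "alice", "role": "admin", "event": "ConsoleLogin", "mfa_used": true}
{"ts": "2018-07-05T08:05:00Z", "user": "bob", "role": "developer", "event": "ConsoleLogin", "mfa_used": false}
"""

def parse_events(text):
    """One JSON object per non-empty line; timestamps become UTC-aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events

def admin_logins_without_mfa(events):
    """Console logins by admin-role accounts that presented no second factor: each is an alert."""
    return [e for e in events
            if e["event"] == "ConsoleLogin" and e["role"] == "admin" and not e["mfa_used"]]

def admins_missing_mfa(events):
    """Admin accounts to force-enrol in MFA: a single factor-less login is enough to list them."""
    return {e["user"] for e in admin_logins_without_mfa(events)}

def distinct_login_days(events, user):
    """How many separate days an account logged in (the repeated-reconnaissance pattern)."""
    return len({e["ts"].date() for e in events
                if e["user"] == user and e["event"] == "ConsoleLogin"})

def detection_lag_minutes(events, user):
    """Minutes from an account's first bulk export to revocation of its access (None if either is absent)."""
    exports = [e["ts"] for e in events if e["user"] == user and e["event"] == "DatabaseExport"]
    revoked = [e["ts"] for e in events if e["user"] == user and e["event"] == "AccessRevoked"]
    if not exports or not revoked:
        return None
    return int((min(revoked) - min(exports)).total_seconds() // 60)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LOG)
    for e in admin_logins_without_mfa(evs):
        print(f"ALERT: admin login without MFA by {e['user']} at {e['ts'].isoformat()}")
    print("force MFA enrolment for:", sorted(admins_missing_mfa(evs)))
    print("distinct login days for infra-admin:", distinct_login_days(evs, "infra-admin"))
    print("minutes from first export to revocation:", detection_lag_minutes(evs, "infra-admin"))
```

The first alert would have fired on the December login, months before the export; the lag figure is what the incident's "two hours and nineteen minutes" looks like when measured from the logs.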

Another side of identity theft.
Oprah, Is That You? On Social Media, the Answer Is Often No.
Kip Moore, a country music singer-songwriter with hits like “Beer Money” and “Hey Pretty Girl,” has had some disturbing experiences with fans lately.
At some shows, women have approached him demanding to know why he stopped chatting with them on Instagram or Facebook. Some said they left their husbands to be with him after he said he loved them. Now they could be together, the women told him.
“They’re handing me a letter, you know, ‘Here’s the divorce papers. I’ve left so and so,’” Mr. Moore, 38, said. “If I check my inbox right now, I’d have hundreds of these messages. But I try not to check it, because it disheartens me.”
Mr. Moore, fueled by his country music fame, is a victim of what has become a widespread phenomenon: identity theft on social media. Recent searches found at least 28 accounts impersonating him on Facebook and at least 61 on Instagram. Many of the accounts send messages to his fans promising love and asking for money. Those who get duped often direct their anger at the real Mr. Moore.
… To get a sense of the scale of the problem, The New York Times commissioned an analysis to tally the number of impersonators across social media for the 10 most followed people on Instagram, including Beyoncé and Taylor Swift. The analysis, conducted by Social Impostor, a firm that protects celebrities’ names online, found nearly 9,000 accounts across Facebook, Instagram and Twitter pretending to be those 10 people.

I may ask my students to read and analyze one of the privacy policies they have already agreed to.
How to Read Long Privacy Policies the Easy Way
the quint: “So once I tried reading the privacy policy of a company and post that the process ran its natural course. There were parts I felt were absolutely inconsequential and the excessive use of jargon resulted in me giving up and ultimately clicking “I Agree”. I’m sure it’s just not me and almost 90 percent of people who use these websites and services don’t even read the privacy policy. I get it! You don’t have the time to go through a 2,500-word-long document. And, of course, the language used is a bit convoluted and filled with legalese. Since data privacy policy holds some key information, many companies try to eschew critical information in order to sell the data to ad companies. The introduction of GDPR has instilled a certain amount of fear among such companies, but still users don’t find validity in reading the whole policy. So, is there an easier way to extract the important bits of a privacy policy without diving into its extraneous side? Maybe this can help…”

Trying to understand…
Law Review Article – Carpenter v. United States: Big Data is Different
Carpenter v. United States, 585 U.S. ___ (2018) (Roberts, C.J.). Response by Margot E. Kaminski Geo. Wash. L. Rev. On the Docket (Oct. Term 2017) Slip Opinion | SCOTUSblog
“A central truism of U.S. privacy law is that if you share information, you do not have an expectation of privacy in it. This reasoning runs through both Fourth Amendment jurisprudence and privacy tort cases, and has repeatedly been identified as a central failing of American privacy law in the digital age. On June 22, in Carpenter v. United States, the Supreme Court did away with this default. While repeatedly claiming to be fact-bound and incremental, Chief Justice Roberts’s opinion has paradigm-shifting implications not only for Fourth Amendment law, but also for private-sector privacy law.”

Sunday, July 08, 2018

How often can China successfully deny a hand in hacking? Eventually, we expect denials every time and believe none of them. Would silence be better?
Top-ranked Australian university hit by Chinese hackers: media
Australia’s top-ranked university on Friday said it had spent several months fighting off a threat to its computer systems, which media said had been compromised by Chinese hackers.
… Networks at the Australian National University in Canberra, which is home to several defense-focused research units, were breached “months ago” by attackers whom authorities traced to China, said Channel 9 television and Fairfax Media websites, citing “multiple” unnamed security and intelligence sources.

Where else might this happen?
How Facebook’s Rise Fueled Chaos and Confusion in Myanmar
The social network exploded in Myanmar, allowing fake news and violence to consume a country emerging from military rule.

The competition must be vicious.
Mobike to scrap China user deposit in bike-sharing race
Mobike, one of the world’s biggest bike-sharing companies, is doing away with deposits for all customers in China, amid a fierce battle to win users.
… “The move is designed to establish a no-threshold, zero-burden and zero-condition deposit-free standard for the entire bikesharing industry,” Mobike said in a statement.
The company is also launching e-bikes that can run up to 70 kilometers per charge at a top speed of 20 km/hour.