Saturday, August 04, 2018

For my Computer Security students: The opposite of a default password? Something you must turn on?
Google Offers G Suite Alerts for State-Sponsored Attacks
Google this week announced that it can now alert G Suite admins when it believes users have been targeted by government-backed attackers.
The search company has been notifying users on what it believes might be state-sponsored attacks for over six years, and reaffirmed its commitment to continue alerting users on such incidents last year.
The Internet giant is now providing G Suite admins with the option to receive alerts whenever attacks appearing to be coming from a state-sponsored actor are targeting their users. The feature will show up in the G Suite Admin console as soon as it becomes available.
If an admin chooses to turn the feature on, an email alert (to admins) is triggered when we believe a government-backed attacker has likely attempted to access a user’s account or computer through phishing, malware, or another method,” Google explains.
As usual, such alerts don’t necessarily imply that the account has been compromised or that the organization has been hit with a larger attack.
The new feature is turned off by default, but admins can easily enable or disable it in Admin Console > Reports > Manage Alerts > Government backed attack.

Will Cyber command adopt any of this?
How Governments Can Better Defend Themselves Against Cyberattacks
In the early 2000s, hackers successfully infiltrated a series of secure military computer networks across the United States. From that breach, later deemed “Titan Rain,” the hackers would successfully pilfer a wealth of sensitive data including Army helicopter specs, the Air Force’s flight-planning software, and schematics for a NASA Mars orbiter.
American leaders have typically vowed swift and fierce retaliation for any attack on the United States by a foreign actor. So why was there no retaliation for this provocation?
The answer comes down to attribution. “If North Korea attacks us with nuclear weapons, we observe that it is North Korea, so we retaliate against North Korea,” explains Sandeep Baliga, a professor of managerial economics and decision sciences at Kellogg.
But in cyber warfare, attributing an attack is not so easy. While experts suspected that the Chinese government was behind Titan Rain, it was possible that it had been the work of rogue Chinese civilians, or even another nation that manipulated its digital footprints to make China appear responsible.
This uncertainty presents a dilemma. For decades, the U.S. military has relied on the threat of retaliation to deter would-be aggressors. Most famously, the doctrine of “mutually assured destruction” warded off Soviet nukes during the Cold War. But if the U.S. can no longer pinpoint and retaliate against its aggressors, then that doctrine is hard to apply, Baliga says.
In a new paper with University of Chicago’s Ethan Bueno de Mesquita and MIT’s Alexander Wolitzky, Baliga formulates a deterrence theory for the Internet age
[Deterrence with Imperfect Attribution

“Grandma, you need to charge your phone!” What other uses are there?
… Now, sharing your location also shares your battery level.
We first became aware of the battery sharing feature early this year when some hints popped up in an APK Teardown. At the time, it looked like Google was going to give approximate battery levels in plain language—e.g. "Bob's battery is between 50 and 75 percent." However, the feature appears to be live for more people after appearing intermittently for a few weeks, and it's more precise. When checking a contact's location, there's now a battery icon right next to the distance. There's a battery percentage, and the icon indicates charging status.
… I've tested this feature out and can confirm the battery level is accurate—it's exactly the battery percentage on your friend's phone when their location was last updated. This just happens automatically, and there doesn't appear to be any way to turn it off when sharing your location.

Friday, August 03, 2018

It will be interesting to see how this develops (or flops).
Was LabMD Hacked? A Key Issue in Lawsuit Against FTC Lawyers
Did LabMD, the now-defunct cancer testing company, expose sensitive patient information with shoddy data security practices as U.S. regulations have charged, or was the company victimized by a private forensics firm extorting it for business – raising the troubling question of whether the entire case against LabMD was built on a false premise.
That is a central question in Daugherty et al. v. Sheer et al., a case pending before the U.S. Court of Appeals for the D.C. Circuit. LabMD has asked the court to reconsider its decision that two Federal Trade Commission lawyers are immune from a lawsuit filed against them by LabMD, charging that its First Amendment rights were violated when the FTC lawyers engaged in a “deliberate and successful effort to cause the Commission to authorize an enforcement action” based on misrepresenting critical facts in the case. LabMD has charged that FTC lawyers Alain Sheer and Ruth Yodaiken recommended that the commission start an enforcement action that “was laced with lies.”
… The crux of LabMD’s argument is that the D.C. Circuit suffered from a “fundamental misunderstanding of the technology at issue,” and that there is no basis to conclude that LabMD’s file with sensitive patient information “was ever publicly available.” Instead, LabMD argues, the sensitive patient file – which had been on a company computer that had LimeWire installed on it – was never publicly available but that a forensic firm trolled peer-to-peer networks in a “profit-motivated shakedown” and accessed the patient file through the LimeWire connection.
“Mail deposited in millions of U.S. mailboxes every day is ‘available’ to anyone but it is not considered ‘publicly available’ despite the ease with which mail can be taken from so many boxes,” argues LabMD.

Is the solution even in sight?
Lawmakers in UK and US Propose Sweeping Changes to Tech Policies to Combat Misinformation
Two years after the twin historic events that rocked the global system–the Brexit referendum and the US Presidential election–lawmakers in Britain and the United States are heading toward similar conclusions on what to do about the problems at the intersection of technology, media and democracy that these events laid bare. This week in Britain, the House of Commons Committee on Culture, Media, and Sport released its Interim Report on Disinformation and ‘Fake News’, while in the United States Senator Mark Warner, the Ranking Democratic Member of the Senate Intelligence Committee, released a draft white paper on Potential Policy Proposals for Regulation of Social Media and Technology Firms.
… While the ideas and conclusions published in these reports are far from becoming the law of the land on either side of the Atlantic, they do represent a growing view on what such modern democracies must do to improve public discourse online. Here are five themes that are consistent in both documents:
1. Government must act urgently to make the technology companies liable
2. Data protections and privacy must be strengthened
3. The scale and monopoly power of technology platforms must be addressed
4. Democracies need to invest in digital literacy
5. Democracies must do more to deter disinformation from adversarial state actors

Are cable monopolies crumbling? Hardly. But it doesn’t pay to mess with Google.
FCC sides with Google Fiber over Comcast with new pro-competition rule
The Federal Communications Commission today approved new rules that could let Google Fiber and other new Internet service providers gain faster access to utility poles.
The FCC's One Touch Make Ready (OTMR) rules will let companies attach wires to utility poles without waiting for the other users of the pole to move their own wires. Google Fiber says its deployment has stalled in multiple cities because Comcast and AT&T take a long time to get poles ready for new attachers. One Touch Make Ready rules let new attachers make all of the necessary wire adjustments themselves.

Thursday, August 02, 2018

Interesting. US only for now? Not clear. Only for Microsoft clients? Even then, they have to invite you?
Microsoft AccountGuard Service Offers Protection for Political and Election Orgs
Microsoft has launched a pilot program aimed at providing cybersecurity protection for political campaigns and election authorities.
The pilot program —named AccountGuard— was launched at the end of July, Bleeping Computer has learned, and was set in motion for the 2018 US midterm elections.
According to the pilot's website, AccountGuard "provides additional security and threat monitoring for Microsoft accounts belonging to participating US campaigns, political committees, campaign tech vendors, and their staff, who are likely to be at a higher risk in the lead up to elections."
… Microsoft is now running a website where participants in the 2018 US midterm elections can sign up for this increased protection.
According to the website, this service is part of Microsoft's "Election Defense Technologies" and is offered on a non-partisan basis by invitation only. Users from the following organizations are eligible to participate:
  • US-based political campaigns
  • US-based political committees
  • Select campaign technology vendors
  • Select individuals may also participate, if invited by eligible campaigns and affiliated organizations

So, can I have a copy? Or is it a secret?
US Department of Justice creates software blacklist to prevent foreign attacks
The US Department of Justice wants to educate its contractors and military software buyers about malicious software that could infiltrate the country’s infrastructure.
For fear of nation state attacks and cyberespionage attempts, the Pentagon has released a “Do Not Buy” software list that has been in development for approximately six months, writes Defense One. The list includes all software that is not according to “national security standards,” said Ellen Lord, defense undersecretary for acquisition and sustainment, and looks at companies with suspicious links to Russia and China.

Any new law (or new technology) swings a pendulum one way or another. There is always an immediate push to swing it back the other way.
Why Market Regulators Are Hunting Around for GDPR Exemptions
As soon as the new European General Data Protection Regulation (GDPR) went into effect at the end of May, it was almost inevitable that organizations, companies and regulators located outside of the EU would begin looking for exemptions. And that’s exactly what has happened – a group of financial market regulators from outside the European Union (including the very influential SEC in the United States as well as regulators in both Japan and Hong Kong) are now asking for GDPR exemptions from some of the strict privacy guidelines put into place by the GDPR.
When is data privacy not in the public interest?
Of particular concern for these regulators is that fact that a long-time loophole for sharing data across borders appears to have been closed – or at least, narrowed significantly – by the GDPR. That loophole – known as the “public interest” exemption, enables regulators to freely share bank and trading account data with each other across national borders as long as they are doing so in the public interest.
Such types of GDPR exemptions, they say, are absolutely vital to doing their jobs properly. For example, if they are trying to crack down on securities fraud, and the paper trail takes them out of Europe and into North America or Asia, they need to be able to do so without dealing with all the encumbrances created by the GDPR. The same thing is true if they are trying to crack down on cryptocurrency fraud, or trying to prevent a group of banks from banding together to rig key market rates (such as the LIBOR rate, which is used to determine interest rates charged on loans).

Time to get those lawyers trained?
Cybersecurity Role, Spend on the Rise for Corporate Legal
Association of Corporate Counsel: “More than 40 percent of in-house lawyers stated their companies plan to change data security standards, breach notification procedures, and incident response plans as a result of the upcoming European Union General Data Protection Regulation (GDPR), and 63 percent in the United States strongly favor the implementation of a federal law that sets uniform data security and breach notification expectations, according to the Association of Corporate Counsel (ACC) Foundation: The State of Cybersecurity Report. Released by the ACC Foundation, which supports the mission of ACC, and underwritten by Ballard Spahr LLP, the report incorporated data and insights from more than 617 in-house lawyers at over 412 companies in 33 countries.
In-house lawyers anticipate their role in cybersecurity prevention and response, as well as cybersecurity budgets, to increase over the next 12 months. In fact, 63 percent of respondents noted growth in company funds dedicated to cyber incidents, compared to 53 percent in 2015. Chief legal officers (CLO) and general counsel (GC) at large companies are also more likely to serve as members of a data breach response team, compared with those at smaller companies.
“With the rising number of high-profile data breaches and increased focus on technology, it’s no shock to see protection of corporate data become the fastest rising area of concern for legal and business executives,” said Veta T. Richardson, ACC president and CEO. “Data can be a company’s most valuable and most vulnerable resource. Legal departments play an essential role in formulating policies and procedures to mitigate cyber risk.”

How do you make money with a free App. (I bet governments will never use this.)
WhatsApp finally earns money by charging businesses for slow replies
Today WhatsApp launches its first revenue-generating enterprise product and the only way it currently makes money directly from its app. The WhatsApp Business API is launching to let businesses respond to messages from users for free for up to 24 hours, but will charge them a fixed rate by country per message sent after that.
Businesses will still only be able to message people who contacted them first, but the API will help them programatically send shipping confirmations, appointment reminders or event tickets. Clients also can use it to manually respond to customer service inquiries through their own tool or apps like Zendesk, MessageBird or Twilio. And small businesses that are one of the 3 million users of the WhatsApp For Business app can still use it to send late replies one-by-one for free.

Oracle was never a competitor, now they can’t keep up as a vendor?
Amazon plans to move completely off Oracle software by early 2020
Amazon's emergence as a major provider of data center technology has turned many of its longtime suppliers, including Oracle, into heated rivals.
Now Amazon is dealing yet another blow to Oracle. The e-commerce giant, having already moved much of its infrastructure internally to Amazon Web Services, plans to be completely off Oracle's proprietary database software by the first quarter of 2020, according to people familiar with the matter.
… Meanwhile, Oracle is about the same size it was four years ago and the stock is just above where it was trading at the end of 2014. Oracle shares dropped by about 1 percent after the initial report Wednesday.
… The primary issue Amazon has faced on Oracle is the inability for the database technology to scale to meet Amazon's performance needs, a person familiar with the matter said. Another person, who said the move could be completed by mid-2019, added that there hasn't been any development of new technology relying on Oracle databases for quite a while.

I think this nails it!
What Russia Understands about Trump
… I’d be very surprised if Trump was a standard intelligence recruit, the type of guy who’d meet his handler under a bridge in Vienna and who’d be paid for influence. There’s almost a commercial aspect to how the Russians deal with him rather than an asset-running one. It’s a trusted relationship with someone they can nudge without having to instruct or order.
Burton Gerber, a thirty-nine-year veteran of the CIA and mentor to both Hall and Sipher, agrees with this assessment. The notion of Trump in certain precincts of the media as a Manchurian candidate, a Russian asset owned and run by the Kremlin, is ridiculous, he argues:
Trump is basically a man with low self-esteem, which he has worked against by being a bully and a narcissist. His actions scream, “Take me, I’m yours if you’ll admire and compliment me.” The Russians would never want to recruit him, just continuously have access to him and be able to influence him.

Perspective. How sad.
U.S. adults now spend nearly 6 hours per day watching video
If you’ve been wondering why every major media platform has been doubling down on its video efforts in recent months, Nielsen’s new report has the answer. According to the firm’s research, U.S. adults are now spending almost 6 hours per day on video, on average. That includes time spent watching both live and time-shifted TV, watching videos in an app or mobile website on a smartphone or tablet, watching video over a TV-connected device like a DVD player, game console or internet device such as Roku, and watching videos on a computer.
That data on video viewing was collected during the first quarter of 2018 – and accounts for a sizable chunk of the 11 hours per day Americans spend listening to, watching, reading or otherwise interacting with media.

Wednesday, August 01, 2018

Is “coordinated inauthentic behavior” a fancy way to say ‘spreading fake news?” What happens if they determine that the Democrats/Republicans are behind it?
Removing Bad Actors on Facebook
Today we removed 32 Pages and accounts from Facebook and Instagram because they were involved in coordinated inauthentic behavior. This kind of behavior is not allowed on Facebook because we don’t want people or organizations creating networks of accounts to mislead others about who they are, or what they’re doing.
We’re still in the very early stages of our investigation and don’t have all the facts — including who may be behind this.

(Related) Because he’s an American?
Why LeBron Can Say Whatever He Wants About Politics
LeBron James attended a Cleveland campaign rally for Hillary Clinton in 2016 even though she was likely to lose his home state of Ohio. After Donald Trump’s election, James repeatedly blasted the president. When Laura Ingraham said James should “shut up and dribble,” he rebutted the Fox News host by saying he had never heard of her before her remark. And now this: On Monday, James wouldn’t rule out running for president in 2020.
… But I don’t think James really has to worry about any backlash. The wall between the worlds of sports and politics has increasingly broken down, and James’s place in those worlds gives him extra protection.
1. His fans are mostly Democrats
2. His political tactics are quite mild, particularly considering the context
3. He’s not alone
4. James is really, really good at basketball

IF the NBA can do this for MGM, could Facebook use the same tech to eliminate Fake News?
NBA inks deal with MGM Resorts to provide data to bettors
The NBA and WNBA will now share official data with MGM Resorts International, a major win for the leagues as they prepare for the anticipated growth of sports betting across the country.
The Las Vegas-based casino giant will pay the NBA for that data to use in determining outcomes of various bets. The NBA's stance has been that getting accurate stats to bettors is critical so players know what they're betting on and so casinos will know when to pay out, and MGM Resorts is the first casino to make an arrangement with the league for those numbers.
… How MGM will get that data remains unclear.
NBA stat data is distributed globally by Sportradar, which sends it to media outlets, broadcasters and betting outlets outside the U.S. — but not inside this country, at least for now.
… MGM will be an official casino partner for the league, but will not have exclusive rights to the data. The NBA still can, and likely will, try to make deals with other casinos who will be offering sports betting in various states or through mobile apps.
The deal also won't stop other casino companies from offering wagers on NBA games, including prop bets that rely on results other than the final score.

Another “news” manipulation story. Do all reviews at TripAdvisor pass through the organization being reviewed? Seems made for manipulation.
Australian hotelier Meriton fined A$3m for manipulating TripAdvisor reviews
The Australian hotel operator owned by billionaire Harry Triguboff was fined A$3 million (S$3.03 million) on Tuesday for misleading customers, after it withheld unhappy guests' details from travel site TripAdvisor Inc to avoid bad reviews.
Between November 2014 and October 2015, Meriton Serviced Apartments falsified or held back the contact details of customers it thought might be critical at 13 properties, Australia's Federal Court found.
The company's booking software allowed staff to add letters to customers' email addresses to stop TripAdvisor from reaching them if they had made complaints during their stay. It also held back reviews during maintenance periods at the hotels.
… The Australian Competition and Consumer Commission (ACCC), which brought the proceedings against Meriton, had initially sought a A$20 million penalty.
"This case sends a strong message that businesses can expect ACCC enforcement action if they're caught manipulating feedback on third party review websites," ACCC Commissioner Sarah Court said in a statement.

What would an “ethical programming” class look like?
Liability and Risk in Programming Autonomous Vehicles
… We are about to undergo a paradigm shift from passive response-based systems in cars (such as cruise control, lane-change warning alarms, obstacle alarms and so on) to fully active systems. This is where an autonomous vehicle, having processed various inputs from multiple sensors, having (in some implementations) integrated those inputs with externally supplied data (for example from sensors transmitting from road signs or from the road itself), takes a decision on what to do – how much to accelerate or to brake, how to turn the wheel, etc.
… . This is the field of so-called ‘electro-ethics’. Electro-ethics is the intersection of technology, law and moral philosophy. To enable machines to perform sophisticated decision-making to complete complex tasks, software designers need to develop sets of rules that will underpin decisions made in any situation. It is impossible to program on a situational basis, so higher level guiding principles need to be programmed with clarity so any situation can be dealt with safely and properly.

Who knew our programming classes were “Pre-Law?”
Paper – Replacing Law with Computer Code
Micheler, Eva and Whaley, Anna, Regulatory Technology – Replacing Law with Computer Code (July 9, 2018). LSE Legal Studies Working Paper No. 14/2018. Available at SSRN:
“Recently both the Bank of England and the Financial Conduct Authority have carried out experiments using new digital technology for regulatory purposes. The idea is to replace rules written in natural legal language with computer code and to use artificial intelligence for regulatory purposes. This new way of designing public law is in line with the government’s vision for the UK to become a global leader in digital technology. It is also reflected in the FCA’s business plan. The article reviews the technology and the advantages and disadvantages of combining the technology with regulatory law. It then informs the discussion from a broader public law perspective. It analyses regulatory technology through criteria developed in the mainstream regulatory discourse. It contributes to that discourse by anticipating problems that will arise as the technology evolves. In addition, the hope is to assist the government in avoiding mistakes that have occurred in the past and creating a better system from the start.”

Perspective. Who has the power here, Kroger or Visa. Would Amazon just issue its own card?
Report: Nation's largest grocery chain may ban Visa transactions
Grocery chain Kroger is reportedly considering banning all Visa card transactions at its locations throughout the United States due to a dispute on swipe fees, Bloomberg reported.
… According to the National Retail Federation, roughly 2 percent of all transactions go toward swipe fees.

Interesting. Great use of graphics!
Here’s How America Uses Its Land
Bloomberg: “There are many statistical measures that show how productive the U.S. is. Its economy is the largest in the world and grew at a rate of 4.1 percent last quarter, its fastest pace since 2014. The unemployment rate is near the lowest mark in a half century . What can be harder to decipher is how Americans use their land to create wealth. The 48 contiguous states alone are a 1.9 billion-acre jigsaw puzzle of cities, farms, forests and pastures that Americans use to feed themselves, power their economy and extract value for business and pleasure… Using surveys, satellite images and categorizations from various government agencies, the U.S. Department of Agriculture divides the U.S. into six major types of land. The data can’t be pinpointed to a city block—each square on the map represents 250,000 acres of land. But piecing the data together state-by-state can give a general sense of how U.S. land is used. Gathered together, cropland would take up more than a fifth of the 48 contiguous states. Pasture and rangeland would cover most of the Western U.S., and all of the country’s cities and towns would fit neatly in the Northeast…”

A note for my website students.

I’ve been tutoring the wrong things. No more Math and Computer Science for me!
Parents Hiring Fortnite Coaches to Improve Play, Help Children Level Up
On Tuesday, Sarah E. Needleman of the Wall Street Journal reported parents are throwing down between $10 and $20 per hour so their kids can level up and become better Fortnite players.
"There's pressure not to just play it but to be really good at it," Ally Hicks, who purchased four hours of lessons for her 10-year-old son, told the WSJ. "You can imagine what that was like for him at school."
… In some cases, it's paying off. Nick Mennen told the Wall Street Journal his 12-year-old son, Noble, struggled to win on the highly competitive Fortnite landscape.
"Now he'll throw down 10 to 20 wins," Mennen said.
The demand for coaches may continue to grow with the latest update from Epic in June placing the player count at 125 million.

Tuesday, July 31, 2018

Targeting in Cyberwar is simple.
The Future Of Information Warfare Is Here — And The Russians Are Already Doing It
So reports Army Col. Liam Collins in the August issue of ARMY magazine. Here’s how it works:
“The Russians are adept at identifying Ukrainian positions by their electrometric signatures,” writes Collins. One would expect that, but the thing that impressed me what came next.
“In one tactic, soldiers receive texts telling them they are ‘surrounded and abandoned.’ Minutes later, their families receive a text stating, ‘Your son is killed in action,’ which often prompts a call or text to the soldiers. Minutes later, soldiers receive another message telling them to ‘retreat and live,’ followed by an artillery strike to the location where a large group of cellphones was detected.”

Were typewriters part of the backup plan?
Catalin Cimpanu reports:
On Monday, officials from Matanuska-Susitna (Mat-Su), a borough part of the Anchorage Metropolitan Statistical Area, said they are still recovering from a ransomware infection that took place last week, on July 24.
The ransomware infection crippled the Borough’s government networks and has led to the IT staff shutting down a large swath of affected IT systems.
“Last Tues., July 24, the Borough first disconnected servers from each other, then disconnected the Borough itself from the Internet, phones, and email, as it recognized it was under cyber attack,” said Mat-Su Public Affairs Director Patty Sullivan.
Read more on BleepingComputer.

It shouldn’t be that hard to count the records impacted in a breach.
Wouldn’t you hate to be That Guy who has to tell the boss that they need to revise their breach estimate up from 1+ million to 10 million?
Wale Azeez reports:
Dixons Carphone has apologised to all of its customers after revealing that a 2017 data breach affected personal data held in an additional 8.8 million customer records.
The admission early on Tuesday is the second revelation related to the data breach in six weeks and the third since 2015.
Read more on Sky News.

(Related) Even Yale has problems counting victims.
Between April, 2008, and January, 2009, hackers accessed and exfiltrated data on 119,000 individual affiliated with the university. The hacked data included the individuals’ names, Social Security numbers, date of birth (in most cases), and e-mail addresses and physical addresses in some cases.
Not knowing about the hack at the time, Yale did nothing. And in September, 2011, when they purged personal information from that database as part of their updated data protection program, they still had no idea that there had been a hack in 2008.
On June 11, 2018, during the course of a routine security review of Yale’s servers, Yale discovered that at some time between March, 2016 and June, 2018 hackers had accessed and extracted data including the names and Social Security numbers of 33 individuals from that server. Five days later, on June 16, 2018, they discovered the earlier hack.
Yale’s notification letter of July 26, 2018 indicates that they have no evidence of misuse of the information, but are offering those being notified one year of Kroll’s services.
You can read the notification to the New Hampshire Attorney General’s Office with the template notification letter on the AG’s site. Yale has also posted information on their website.

Helping the Twits who run Twitter? “We don’t understand our own technology.”
Twitter is funding college professors to audit its platform for toxicity
… Twitter has enlisted experts from universities to conduct an audit of its platform to figure out where the echo chambers and “uncivil discourse” are originating from.
Back in March, Twitter put out a call for experts to measure how toxic its platform was and suggest ways to improve it. It said finalists would be chosen in July. Twitter now says there were over 230 proposals, and of those, the winners include two professors from New York’s Syracuse University, one from Italy’s Bocconi University, a professor from a college that specializes in tech in the Netherlands, Delft University, and others.

No surprise, except in Washington.
US intelligence agencies determine that North Korea is constructing new missiles: report
… Satellite images taken in recent weeks appear to show that at least one and possibly two liquid-fueled intercontinental ballistic missiles (ICBMs) are being worked on at a large research facility in Sanumdong, outside of the capital of Pyongyang.
This is the same facility where the country first produced intercontinental ballistic missiles that could reach the U.S.

Perspective. Maybe the “wild west” era is over?
City Council approves new bike-share rules, prompting ofo to leave Seattle
The Seattle City Council moved to make dockless bike share a permanent fixture in the city Monday, passing legislation that would allow up to 20,000 of the bikes to operate here, while also setting a nonbinding deadline for the city to build a network of protected bike lanes through downtown.
The bike-share legislation, passed unanimously, allows up to four companies to operate in the city, each paying $250,000 for the right to scatter up to 5,000 bikes on the city’s sidewalks.
… The 10,000-or-so bikes currently in the city were used an average of about 7,000 times a day in May and June for as little as $1 a ride, although the program has drawn complaints about riders not wearing helmets and leaving bikes parked haphazardly and blocking pedestrian access.

(Related) Headline is something my students figured out long ago.
Electric Moped Sharing Service Launches in Brooklyn; Private Cars Increasingly Pointless
… Revel follows the car2go model: you open an app to find the nearest moped, and you can drive anywhere in Brooklyn or Queens, as long as you eventually return it to a legal spot somewhere within the zone—and you can park perpendicular to the curb, so finding a spot shouldn't be that hard.
I found the sign-up process straightforward: anyone with a valid driver's license can download the app, [How do they check? Bob] type in their driver information, give a credit card for the required $25 signup fee, and begin driving within 24 hours. Plus the first two rides are free. It took about two hours for the required background check to be completed, and I was good to go (you won’t get approved if you have any DUIs or other significantly bad infractions in your driving record). Of course, there was still the matter of learning how to actually operate the machine: Revel requires that anyone who hasn’t driven a moped in traffic complete a free 20-minute training course at their headquarters in Bushwick (there’s also a safety video on Youtube.)

Ah, the Right to print and keep guns!
More than 1,000 people have already downloaded plans to 3-D print an AR-15

(Related) Of course they did.
U.S. states make last-minute legal bid to halt 3-D online guns
… Along with Washington state, New York, New Jersey, Pennsylvania, Connecticut, Oregon, Maryland, and the District of Columbia are working on finalizing the lawsuit and plan on filing it later on Monday, Ferguson said.
The states behind the lawsuit argue that publishing blueprints would allow criminals easy access to weapons. Gun rights advocates say fears about 3-D printed guns are largely overblown, based on current technology.

Monday, July 30, 2018

This happens here, but rarely in connection with IT companies.
Express News Service reports:
Proprietors of three small-scale IT companies were arrested on Saturday in connection with the data leak of students who appeared for the class 10 and 12 state board exams this year. The serious breach of data came to light recently as data companies were openly selling the district-wise details of nearly 8 lakh students along with their address, phone numbers and other personal information, which were collected by the School Education department from the students.
A statement from the city police said three companies in the city were found involved in selling the data and arrested owners of the three companies. But the police could not tell the origin of the breach of data from the government’s database.
Read more on New Indian Express.

Why Russia (and others) have such an easy time hacking the US.
GAO – Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation
Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation, GAO-18-645T: Published: Jul 25, 2018. Publicly Released: Jul 25, 2018. “GAO has identified four major cybersecurity challenges and 10 critical actions that the federal government and other entities need to take to address them. GAO continues to designate information security as a government-wide high-risk area due to increasing cyber-based threats and the persistent nature of security vulnerabilities…”
“GAO has made over 3,000 recommendations to agencies aimed at addressing cybersecurity shortcomings in each of these action areas, including protecting cyber critical infrastructure, managing the cybersecurity workforce, and responding to cybersecurity incidents. Although many recommendations have been addressed, about 1,000 have not yet been implemented. Until these shortcomings are addressed, federal agencies’ information and systems will be increasingly susceptible to the multitude of cyber-related threats that exist…”

Russia wants to turn off your lights? When does this rise to an act of war?
Russian Hackers Meddling with U.S. Power Grid Poses Huge Threat to National Security
The newest cyber threat troubling top U.S. government officials is the prospect of Russian hackers breaking into the U.S. power grid and selectively causing blackouts across the country. According to officials at the Department of Homeland Security (DHS), members of a shadowy, state-sponsored group known as Dragonfly or Energetic Bear have been escalating hacking attacks on the U.S. energy grid, nuclear facilities and other critical U.S. infrastructure since 2014. The next inevitable step is for these hackers to “throw the switch” on control systems at power plants in order to cause blackouts.
… First, they gained access to networks of key utility vendors using simple tactics such as spear-phishing attacks and watering-hole attacks. Once they gained the right passwords and credentials, that’s when they went to work studying the ins and outs of the U.S. power grid using their newfound backdoor access.
Since these utility vendors had the ability to update software and run diagnostics, hackers who worked for a Russian state sponsored group gained a valuable back door into key elements of the national power grid. What if, for example, they decide to delete some of the grid software instead of updating it? Or what if these Russian hackers decide to alter the diagnostics testing in order to expose the system to more risk?
The real concern, say DHS officials, is that Russian hackers will eventually get to the point where they could automate hacking attacks from a distance.

Russians Are Targeting Private Election Companies, Too — And States Aren’t Doing Much About It
The American election system is a textbook example of federalism at work. States administer elections, and the federal government doesn’t have much say in how they do it. While this decentralized system has its benefits, it also means that there’s no across-the-board standard for election system cybersecurity practices. This lack of standardization has become all the more apparent over the past two years: Hackers probed 21 state systems during the lead-up to the 2016 election and gained access to one. But the federal government and states don’t appear to have made great strides to ensure that this doesn’t happen again. To do so, they’d need to deal with not only their own cybersecurity deficits but also those of the private companies that help states administer elections.
Voting machine manufacturers and the makers of election software and electronic poll books (which are lists of eligible voters) are crucially intertwined with state election systems. All states, to some extent or another, rely on these private companies for election products. But despite the central role these companies play, state regulations of them are relatively lax.

Useful ability for my Computer Security students?
Identifying People by Metadata
Interesting research: "You are your Metadata: Identification and Obfuscation of Social Media Users using Metadata Information," by Beatrice Perez, Mirco Musolesi, and Gianluca Stringhini.
Abstract: Metadata are associated to most of the information we produce in our daily interactions and communication in the digital world. Yet, surprisingly, metadata are often still categorized as non-sensitive. Indeed, in the past, researchers and practitioners have mainly focused on the problem of the identification of a user from the content of a message.
In this paper, we use Twitter as a case study to quantify the uniqueness of the association between metadata and user identity and to understand the effectiveness of potential obfuscation strategies. More specifically, we analyze atomic fields in the metadata and systematically combine them in an effort to classify new tweets as belonging to an account using different machine learning algorithms of increasing complexity. We demonstrate that through the application of a supervised learning algorithm, we are able to identify any user in a group of 10,000 with approximately 96.7% accuracy. Moreover, if we broaden the scope of our search and consider the 10 most likely candidates we increase the accuracy of the model to 99.22%. We also found that data obfuscation is hard and ineffective for this type of data: even after perturbing 60% of the training data, it is still possible to classify users with an accuracy higher than 95%. These results have strong implications in terms of the design of metadata obfuscation strategies, for example for data set release, not only for Twitter, but, more generally, for most social media platforms.

Good summary, useful graphic.
The 6 Types Of Cyber Attacks To Protect Against In 2018

Perspective. The decline and fall of American society?
The First Augur Assassination Markets Have Arrived
"Killed, not die of natural causes or accidents."
Pretty much everyone saw them coming, but it was no less disturbing when assassination markets actually began to appear on Augur, a decentralized protocol for betting on the outcomes of real-world events and that launched two weeks ago on ethereum.
The markets – which allow users to bet on the fates of prominent politicians, entrepreneurs and celebrities – in some cases explicitly specify assassination, as the quote above shows. (CoinDesk is intentionally not providing links to these markets or naming the individuals concerned.)
In addition to targeting individuals, some markets offer bets on whether mass shootings and terrorist attacks with certain minimum numbers of casualties will occur.

I keep threatening my students with an infographic project. Maybe this Quarter I’ll actually assign one.
15 Free Infographic Templates in Powerpoint
  • Infographics are a powerful tool for capturing the attention of your target audiences. In fact, businesses that publish infographics grow their traffic an average of 12% more than those that don’t.
  • The hard part, of course, is finding time and resources to create these infographics. That’s why we’ve created fifteen fully customizable infographic templates that will give you the inspiration and foundation you need to build your own infographics right in PowerPoint or Illustrator.”
  • Note – requires free registration…”

Sunday, July 29, 2018

Never, ever challenge hackers. Apparently he was ignorant of or perhaps believed all those security breaches were “fake news?”
Aadhaar Details of TRAI Chief Leaked After he Tweets His UIDAI Number Throwing Security Breach Challenge
In a major embarassment for the Telecom Regulatory Authority of India (TRAI), alleged personal details of its chairman R S Sharma were leaked on Saturday after he tweeted his Aadhaar number asking if it had made him vulnerable to any security risk.
… In a series of tweets, a French security expert, who goes by the nickname Elliot Alderson and uses twitter handle @fs0c131y, leaked Sharma's personal details such as address, date of birth, mobile number, PAN card number and even WhatsApp profile picture, explaing the TRAI chief how risky it was to make the Aadhaar number public.
"People managed to get your personal address, DoB and your alternate phone number. I stop here, I hope you will understand why make your Aadhaar number public is not a good idea," Alderson, who is known to have revealed security loopholes in the Aadhaar data system, wrote. He posted screenshots of Sharma's leaked details with key areas blackened and hidden.

What exactly is TSA supposed to do? Does this match their mission statement? (Protect the nation's transportation systems to ensure freedom of movement for people and commerce.)
TSA is tracking regular travelers like terrorists in secret surveillance program
Federal air marshals have begun following ordinary US citizens not suspected of a crime or on any terrorist watch list and collecting extensive information about their movements and behavior under a new domestic surveillance program that is drawing criticism from within the agency.
The previously undisclosed program, called “Quiet Skies,” specifically targets travelers who “are not under investigation by any agency and are not in the Terrorist Screening Data Base,” according to a Transportation Security Administration bulletin in March.
The internal bulletin describes the program’s goal as thwarting threats to commercial aircraft “posed by unknown or partially known terrorists,” and gives the agency broad discretion over which air travelers to focus on and how closely they are tracked.
… It is a time-consuming and costly assignment, they say, which saps their ability to do more vital law enforcement work.
TSA officials, in a written statement to the Globe, broadly defended the agency’s efforts to deter potential acts of terror. But the agency declined to discuss whether Quiet Skies has intercepted any threats, or even to confirm that the program exists.
Release of such information “would make passengers less safe,” spokesman James Gregory said in the statement.
[Behavior checklist follows…