Saturday, September 01, 2018

If my job was to identify potential spies, I certainly would. After all, spying is a job.

http://fortune.com/2018/08/31/china-linkedin-spies/

U.S. Government Thinks China Is Using LinkedIn to Enlist American Spies

The U.S. government believes China is using fake LinkedIn accounts to recruit American spies with government intel and is calling on the company to help shut them down.

According to Reuters, which broke the story Friday morning, intelligence and law enforcement have placed pressure on LinkedIn, owned by Microsoft, to thwart the budding espionage network. U.S. counter-intelligence chief, William Evanina, is the source of the allegations and claims to have warned the networking platform about China’s “super aggressive” tactics on the site, including their mass-messaging of thousands of users at a time.

...and if I wanted to sneak a spy into the US, I’d do it through Canada.

https://hotforsecurity.bitdefender.com/blog/air-canada-admits-app-data-breach-included-customers-passport-details-20300.html

Air Canada admits app data breach included customers’ passport details

All 1.7 million users of Air Canada’s mobile app have had their passwords reset by the company following a security breach which saw hackers compromise up to 20,000 accounts last week.

A security notice published by the company explains that it detected “unusual login behaviour” related to the smartphone Air Canada app between August 22-24 2018, that may have seen 20,000 profiles “improperly accessed.”

… The company says that credit and payment card information was encrypted, and was not compromised in the security breach.

However, victims who have had their passport details stolen may face serious consequences, as fraudsters could use the details to set up accounts with insurance firms, mobile phone operators, banks and the like if they do not require sight of the physical passport.

… There is also a risk that a fraudster could use the stolen information to request a new physical passport. However, Air Canada says that the Canadian government describes that risk as “low” provided the genuine passport holder still has physical ownership of the document.

BBC News, however, raises the issue that Air Canada required account passwords to merely be between 6 and 10 characters, and could not contain symbols. That, in itself, goes against the Canadian government’s own password advice.

Just nailing down a small part of the remaining fraction they don’t already know about us?

Google and Mastercard Cut a Secret Ad Deal to Track Retail Sales

Mark Bergen and Jennifer Surane report:

For the past year, select Google advertisers have had access to a potent new tool to track whether the ads they ran online led to a sale at a physical store in the U.S. That insight came thanks in part to a stockpile of Mastercard transactions that Google paid for.

But most of the two billion Mastercard holders aren’t aware of this behind-the-scenes tracking. That’s because the companies never told the public about the arrangement.

Friday, August 31, 2018

My guess is they will find a way.

https://www.bespacific.com/doj-warns-it-might-not-be-able-to-prosecute-voting-machine-hackers/

DOJ Warns It Might Not Be Able to Prosecute Voting Machine Hackers

Motherboard: “…After more than a decade of headlines about the vulnerability of US voting machines to hacking, it turns out the federal government says it may not be able to prosecute election hacking under the federal law that currently governs computer intrusions. Per a Justice Department report issued in July from the Attorney General’s Cyber Digital Task Force, electronic voting machines may not qualify as “protected computers” under the Computer Fraud and Abuse Act, the 1986 law that prohibits unauthorized access to protected computers and networks or access that exceeds authorization (such as an insider breach)…”

[From the DoJ Report:

The principal statute used to prosecute hackers—the Computer Fraud and Abuse Act (“CFAA”)—currently does not prohibit the act of hacking a voting machine in many common situations. In general, the CFAA only prohibits hacking computers that are connected to the Internet (or that meet other narrow criteria for protection). In many conceivable situations, electronic voting machines will not meet those criteria, as they are typically kept of the Internet. Consequently, should hacking of a voting machine occur, the government would not, in many conceivable circumstances, be able to use the CFAA to prosecute the hackers. (The conduct could, however, potentially violate other criminal statutes.)

I hope my students are ready for this.

https://www.forbes.com/sites/jasonevangelho/2018/08/31/microsoft-to-allow-unlimited-devices-more-users-for-office-365-subscriptions/#4b6aa2183f85

Microsoft To Allow Unlimited Devices, More Users For Office 365 Subscriptions

,,, In a Microsoft Tech Community blog post, the company writes that beginning October 2, Office 365 Home will see their device limits completely removed. That means instead of being limited to installing the software on a total of 10 devices, it's now an unlimited number of devices for both subscriber tiers.

Thursday, August 30, 2018

Slow but inevitable?

#Celebgate Phisher Who Hacked into More Than 225 Apple iCloud Accounts Sentenced to Prison

John H. Durham, United States Attorney for the District of Connecticut, announced that GEORGE GAROFANO, 26, of North Branford, was sentenced today by U.S. District Judge Victor A. Bolden in Bridgeport to eight months of imprisonment, followed by three years of supervised release, for engaging in a phishing scheme that gave him illegal access to more than 200 Apple iCloud accounts, many of which belonged to members of the entertainment industry.

According to court documents and statements made in court, from April 2013 through October 2014, GAROFANO engaged in a phishing scheme to obtain usernames and passwords for iCloud accounts. GAROFANO admitted that he sent e-mails to victims that appeared to be from security accounts of Apple and encouraged the victims to send him their usernames and passwords, or to enter them on a third-party website, where he would later retrieve them.

An addition to my list of similar articles for other social media.

How to Download All the Data LinkedIn Has About You

Why bother inventing falsehoods when the truth is bad enough? Is this the path to Ad Revenue?

https://www.thedailybeast.com/liker-a-facebook-alternative-for-liberals-is-hive-of-false-claims-about-trump

Liker, a Facebook Alternative for Liberals, Is Hive of False Claims About Trump

In the world of the anti-Trump Facebook #Resistance, no one has a bigger soapbox than Omar Rivero, the founder of the Occupy Democrats Facebook page.

Along with his brother Rafael, Rivero has amassed 7 million followers and an estimated six figures in monthly ad revenue for the page with viral-ready videos and infographics. In 2017, the Miami New Times noted that Occupy Democrats has more influence on Facebook “than virtually any other news source in America.”

But Rivero’s success has also brought attention to Occupy Democrats’ relaxed attitude toward the truth. Occupy Democrats has repeatedly been dinged by fact-checking sites for posting exaggerated or invented news stories, earning several “pants on fire” ratings from PolitiFact and amassing a number of mentions on hoax-debunking site Snopes. Brooke Binkowski, a journalist who covered Occupy Democrats as the managing editor of Snopes, told The Daily Beast that the page’s headlines were often “extremely misleading.”

I know some people who could have saved a lot of money had this been the rule of the land a few years ago.

https://www.techdirt.com/articles/20180829/00360440535/important-appeals-court-ruling-states-clearly-that-merely-having-ip-address-is-insufficient-infringement-claims.shtml

Important Appeals Court Ruling States Clearly That Merely Having An IP Address Is Insufficient For Infringement Claims

Tons of copyright lawsuits (and even more copyright trolling shakedowns that never even reach court) are based on one single bit of data: the IP address. We've seen numerous district courts reject using a bare IP address as evidence of infringement, but now we have a very important (even if short and to the point) ruling in the 9th Circuit that could put a serious damper on copyright trolling.

In this copyright action, we consider whether a bare allegation that a defendant is the registered subscriber of an Internet Protocol (“IP”) address associated with infringing activity is sufficient to state a claim for direct or contributory infringement. We conclude that it is not.

The case involved well known copyright trolling lawyer Carl Crowell representing Cobbler Nevada LLC. As we discussed in our article on the district court decision, the actions in this case were particularly nefarious. Crowell quickly learned that the IP address in question belonged to an adult foster care home, but decided to go after the operator, Thomas Gonzales, even though he was aware that any of the many residents or staff may have actually been responsible for the infringement. Gonzales (reasonably) refused to just cough up the names and details of residents and staff without a court order, and Crowell's response was just to go after Gonzales directly. But the facts of this case made it especially easy for the lower court to highlight how a mere IP address is not nearly enough to allege infringement.

… The only connection between Gonzales and the infringement was that he was the registered internet subscriber and that he was sent infringement notices. To establish a claim of copyright infringement, Cobbler Nevada “must show that [it] owns the copyright and that the defendant himself violated one or more of the plaintiff’s exclusive rights under the Copyright Act.” Ellison v. Robertson, 357 F.3d 1072, 1076 (9th Cir. 2004). Cobbler Nevada has not done so.

A resource for my Data Management students.

https://www.ewsolutions.com/metadata-infrastructure-planning-part-1/?inf_contact_key=5f13f53a17b9d4e4f9b0b0fd3dccab06bfe97aa2f85383494ca3834962b7eeb8

Data Management University

Another non-automotive company plans to enter the electric vehicle market.

https://www.engadget.com/2018/08/29/dyson-ev-development-expansion/

Dyson's EV ambitions include 10 miles of test tracks

Dyson is most definitely serious about its plans to release an electric vehicle. The company has outlined its proposed second growth phase for its EV development facility at Hullavington Airfield, and the plans are more than a little ambitious. Its application would create more than 10 miles of test tracks around the former base, including specialized tracks for hill and off-roading tests. You'd also see more than 480,000 square feet of new new development space with room for 2,000-plus workers.

For my students who like to watch videos while I lecture.

https://www.androidcentral.com/thrifter-deal-students-can-stream-spotify-hulu-and-showtime-all-less-5-month

Students can stream Spotify, Hulu, and Showtime all for less than $5 a month

Listen to your favorite music, watch your favorite shows, and catch up on a few series you couldn't watch before with this expanded bundle from Spotify that now includes Hulu and Showtime. Spotify first teamed up with Hulu late last year to offer a similar service, but Showtime is a new addition that doesn't add anything to the price. That's a great combo of programs, especially if you don't have cable but do have access to some high-speed Internet. You will need to prove you're attending a Title IV accredited institution to get the deal, so no fooling the system.

The bundle includes a subscription to Spotify Premium, Hulu with Limited Commercials, and Showtime streaming services. The Hulu subscription is regularly $7.99 a month by itself. Spotify Premium is $9.99 and Showtime is $10.99 a month when purchased directly. There are lots of ways to get discounts on all of these services, but getting all three together for $4.99 is nuts.

He could be talking about my students!

http://dilbert.com/strip/2018-08-30

Wednesday, August 29, 2018

Aren’t most Twitter accounts trying to “manipulate” their audience? “Vote Republican!” “Buy my album” “Send me money and I’ll unlock your files”

https://www.securityweek.com/twitter-suspends-accounts-engaged-manipulation

Twitter Suspends Accounts Engaged in Manipulation

Twitter this week announced the suspension of a total of 770 accounts for “engaging in coordinated manipulation.”

The suspensions were performed in two waves. One last week, when the social networking platform purged 284 accounts, many of which supposedly originated from Iran, and another this week, when 486 more accounts were kicked for the same reason.

… The report triggered reactions from large Internet companies, including Facebook and Google. The former removed 652 pages, groups, and accounts suspected of being tied to Russia and Iran, while the latter blocked 39 YouTube channels and disabled six Blogger and 13 Google+ accounts.

I imagine rich neighborhoods will tweak the algorithm to keep more people in jail. And if anyone released re-offends, “Hey! The computer made me release him!”

https://www.npr.org/2018/08/28/642795284/california-becomes-first-state-to-end-cash-bail

California Becomes First State To End Cash Bail After 40-Year Fight

California will become the first state in the nation to abolish bail for suspects awaiting trial under a sweeping reform bill signed by Gov. Jerry Brown on Tuesday.

An overhaul of the state's bail system has been in the works for years, and became an inevitability earlier this year when a California appellate court declared the state's cash bail system unconstitutional. The new law goes into effect in October 2019.

… Under the California law those arrested and charged with a crime won't be putting up money or borrowing it from a bail bond agent to obtain their release. Instead, local courts will decide who to keep in custody and whom to release while they await trial. Those decisions will be based on an algorithm created by the courts in each jurisdiction.

Reminds me of the fight Phil Zimmerman had to publish PGP software. Same law. Same chance of the government keeping these files from terrorists – ZERO. After all, nothing will keep terrorist groups from doing exactly what Cody Wilson did.

https://arstechnica.com/tech-policy/2018/08/in-defiance-of-court-order-3d-printed-gun-pioneer-starts-selling-cad-files/

After court order, 3D-printed gun pioneer now sells pay-what-you-want CAD files

During what he called his first ever press conference, Defense Distributed founder Cody Wilson announced Tuesday that he would continue to comply with a federal court order forbidding him from internationally publishing CAD files of firearms. Wilson said he would also begin selling copies of his 3D-printed gun files for a "suggested price" of $10 each.

The files, crucially, will be transmitted to customers "on a DD-branded flash drive" in the United States. Wilson also mentioned looking into customer email and secure download links.

Previously, Defense Distributed had given the files away for free, globally.

Perspective. Words of hate.

https://www.bespacific.com/fanning-the-flames-of-hate-social-media-and-hate-crime-2/

Fanning the Flames of Hate: Social Media and Hate Crime

Müller, Karsten and Schwarz, Carlo, Fanning the Flames of Hate: Social Media and Hate Crime (May 21, 2018). Available at SSRN: https://ssrn.com/abstract=3082972 or http://dx.doi.org/10.2139/ssrn.3082972

“This paper investigates the link between social media and hate crime using Facebook data. We study the case of Germany, where the recently emerged right-wing party Alternative für Deutschland (AfD) has developed a major social media presence. We show that right-wing anti-refugee sentiment on Facebook predicts violent crimes against refugees in otherwise similar municipalities with higher social media usage. To further establish causality, we exploit exogenous variation in major internet and Facebook outages, which fully undo the correlation between social media and hate crime. We further find that the effect decreases with distracting news events; increases with user network interactions; and does not hold for posts unrelated to refugees. Our results suggest that social media can act as a propagation mechanism between online hate speech and real-life violent crime.”

Perspective. Confirming a few speculations… [Problems with the link?]

https://www.bespacific.com/using-twitter-to-visualize-polarization/

Using Twitter to Visualize Polarization

Center for Data Innovation – “MIT Technology Review has created a set of visualizations that uses data about Twitter activity to illustrate the polarization of political discourse in the United States. The visualizations include multiple cluster maps demonstrating that accounts that follow each other tweet similar content. In addition, diagrams show that the most partisan accounts, which include bot accounts that tweet hundreds of times a day, tweet significantly more than accounts in the political center. The visualizations also show the polarization of Turkish and Russian accounts.”

My book would be: How to guarantee security!

http://dilbert.com/strip/2018-08-29

Tuesday, August 28, 2018

Big population, big breach.

Leaked data from Chinese hotel chain may affect 130 million customers

Nicole Jao reports:

Personal data and booking information from 13 hotels operated by Huazhu Hotels Group (华住酒店集团) has reportedly been leaked in what could be the largest data breach in China in five years, according to Chinese cybersecurity media FreeBuf (in Chinese).

This morning, a post on a Chinese dark web forum titled “Huazhu-owned hotels booking data” claimed to be selling personal data and information of customers from Huazhu-owned hotels including Hanting Inns and Hotels (汉庭酒店), Hi Inn (海友酒店), and JI Hotel (全季酒店).

Don’t want the police to find you through a DNA database? It may already be too late.

Stuart Leavenworth reports:

It’s a forensics technique that has helped crack several cold cases. Across the country, investigators are analyzing DNA and using basic genealogy to find relatives of potential suspects in the hope that these “familial searches” will lead them to the killer.

Familial searches led California authorities to arrest Joseph James DeAngelo in the Golden State Killer probe in April, and investigators have since used it to make breakthroughs in several other unsolved murder cases, including four in Washington state, Pennsylvania, Texas and North Carolina.

But as these searches proliferate, they are raising concerns about police engagement in “DNA dragnets” and “genetic stop and frisk” techniques. And as public DNA databases grow and are accessed by law enforcement, investigators may soon have the ability to track down nearly anyone, even people who never submitted their genetic material for analysis.

Monday, August 27, 2018

Should I be training my students to fight this war? The logistics of Cyberwar are all handled by the computer.

https://www.schneier.com/blog/archives/2018/08/future_cyberwar.html

Future Cyberwar

A report for the Center for Strategic and International Studies looks at surprise and war. One of the report's cyberwar scenarios is particularly compelling. It doesn't just map cyber onto today's tactics, but completely re-imagines future tactics that include a cyber component (quote starts on page 110).

The U.S. secretary of defense had wondered this past week when the other shoe would drop. Finally, it had, though the U.S. military would be unable to respond effectively for a while.

The scope and detail of the attack, not to mention its sheer audacity, had earned the grudging respect of the secretary. Years of worry about a possible Chinese "Assassin's Mace" -- a silver bullet super-weapon capable of disabling key parts of the American military -- turned out to be focused on the wrong thing.

The cyber attacks varied. Sailors stationed at the 7th Fleet' s homeport in Japan awoke one day to find their financial accounts, and those of their dependents, empty. Checking, savings, retirement funds: simply gone. The Marines based on Okinawa were under virtual siege by the populace, whose simmering resentment at their presence had boiled over after a YouTube video posted under the account of a Marine stationed there had gone viral. The video featured a dozen Marines drunkenly gang-raping two teenaged Okinawan girls. The video was vivid, the girls' cries heart-wrenching the cheers of Marines sickening And all of it fake. The National Security Agency's initial analysis of the video had uncovered digital fingerprints showing that it was a computer-assisted lie, and could prove that the Marine's account under which it had been posted was hacked. But the damage had been done.

There was the commanding officer of Edwards Air Force Base whose Internet browser history had been posted on the squadron's Facebook page. His command turned on him as a pervert; his weak protestations that he had not visited most of the posted links could not counter his admission that he had, in fact, trafficked some of them. Lies mixed with the truth. Soldiers at Fort Sill were at each other's throats thanks to a series of text messages that allegedly unearthed an adultery ring on base.

The variations elsewhere were endless. Marines suddenly owed hundreds of thousands of dollars on credit lines they had never opened; sailors received death threats on their Twitter feeds; spouses and female service members had private pictures of themselves plastered across the Internet; older service members received notifications about cancerous conditions discovered in their latest physical.

Leadership was not exempt. Under the hashtag # PACOMMUSTGO a dozen women allegedly described harassment by the commander of Pacific command. Editorial writers demanded that, under the administration's "zero tolerance" policy, he step aside while Congress held hearings.

There was not an American service member or dependent whose life had not been digitally turned upside down. In response, the secretary had declared "an operational pause," directing units to stand down until things were sorted out.

Then, China had made its move, flooding the South China Sea with its conventional forces, enforcing a sea and air identification zone there, and blockading Taiwan. But the secretary could only respond weakly with a few air patrols and diversions of ships already at sea. Word was coming in through back channels that the Taiwanese government, suddenly stripped of its most ardent defender, was already considering capitulation.

I found this excerpt here. The autor is Mark Cancian.

Strange that my local library only had this as an audio book.

https://www.bespacific.com/bill-gates-not-enough-people-are-paying-attention-to-this-economic-trend/

Bill Gates – Not enough people are paying attention to this economic trend

Gates Notes: The Blog of Bill Gates – “The portion of the world’s economy that doesn’t fit the old model just keeps getting larger. That has major implications for everything from tax law to economic policy to which cities thrive and which cities fall behind, but in general, the rules that govern the economy haven’t kept up. This is one of the biggest trends in the global economy that isn’t getting enough attention…the brilliant new book Capitalism Without Capital by Jonathan Haskel and Stian Westlake is about as good an explanation as I’ve seen. They start by defining intangible assets as “something you can’t touch.” It sounds obvious, but it’s an important distinction because intangible industries work differently than tangible industries. Products you can’t touch have a very different set of dynamics in terms of competition and risk and how you value the companies that make them…

“…What the book reinforced for me is that lawmakers need to adjust their economic policymaking to reflect these new realities. For example, the tools many countries use to measure intangible assets are behind the times, so they’re getting an incomplete picture of the economy. The U.S. didn’t include software in GDP calculations until 1999. Even today, GDP doesn’t count investment in things like market research, branding, and training—intangible assets that companies are spending huge amounts of money on. Measurement isn’t the only area where we’re falling behind—there are a number of big questions that lots of countries should be debating right now. Are trademark and patent laws too strict or too generous? Does competition policy need to be updated? How, if at all, should taxation policies change? What is the best way to stimulate an economy in a world where capitalism happens without the capital? We need really smart thinkers and brilliant economists digging into all of these questions. Capitalism Without Capital is the first book I’ve seen that tackles them in depth, and I think it should be required reading for policymakers. It took time for the investment world to embrace companies built on intangible assets. In the early days of Microsoft, I felt like I was explaining something completely foreign to people. Our business plan involved a different way of looking at assets than investors were used to. They couldn’t imagine what returns we would generate over the long term…”

Because I’m a Science Fiction fan.

https://www.bespacific.com/commentary-the-encyclopedia-of-science-fiction-is-the-best-place-on-the-internet/

Commentary – The Encyclopedia of Science Fiction is the Best Place on the Internet

Literary Hub, MH Rowe: “Of all the things you can read on the internet, The Encyclopedia of Science Fiction is one of the only good ones. In perpetual conversation with itself, ever growing and expanding—perhaps threatening, in its accumulated obsessions, to become self-aware—this index of the fantastic documents possible pasts and futures alike. It bristles with Tarzan arcana and the history of Croatian science fiction. It features enthusiastic discussions of Medieval futurism, feminism, bug-eyed monsters, dream hacking, and Leonardo da Vinci. Almost any sci-fi author you care to mention has an entry there, alongside accounts of many authors no one cares to mention at all. That you could be reading it right now goes without saying, since in some alternate universe you surely are.

While the SFE’s purview is “science fiction” broadly conceived, its articles have warring impulses. On the one hand, they aim to educate. Within these pages, you’ll find explanations of numerous literary tropes, both those well-known (the generation starship used in many tales of space exploration) and those more obscure (a jonbar point, or the small, seemingly insignificant moment that proves to be the difference between two alternate histories, in time-travel stories). But when the entry on Gene Wolfe declares that he is “quite possibly” science fiction’s most important writer, no shy excuse for this partiality follows. More than informative, this encyclopedia enthuses, anoints, or dismisses. What it has to say about Joanna Russ, Octavia Butler, Kim Stanley Robinson, and J.G. Ballard is aimed squarely at canons and reputations. The SFE quarrels its way into being encyclopedic…”

I won't dance, don't ask me
I won't dance, don't ask me
I won't dance, madam, with you
I won't dance. Why should I?
I won't dance. How could I?
I won't dance, merci beaucoup

https://www.theverge.com/2018/8/26/17778792/deepfakes-video-dancing-ai-synthesis

Deepfakes for dancing: you can now use AI to fake those dance moves you always wanted

Artificial intelligence is proving to be a very capable tool when it comes to manipulating videos of people. Face-swapping deepfakes have been the most visible example, but new applications are being found every day. The latest? Call it deepfakes for dancing. It uses AI to read someone’s dance moves and copy them on to a target body.

Sunday, August 26, 2018

You might think someone would notice unauthorized access to such sensitive material.

https://www.theverge.com/2018/8/22/17716622/sec-business-wire-hack-stolen-press-release-fraud-ukraine

How an international hacker network turned stolen press releases into $100 million

… Newswires like Business Wire are clearinghouses for corporate information, holding press releases, regulatory announcements, and other market-moving information under strict embargo before sending it out to the world. Over a period of at least five years, three US newswires were hacked using a variety of methods from SQL injections and phishing emails to data-stealing malware and illicitly acquired login credentials. Traders who were active on US stock exchanges drew up shopping lists of company press releases and told the hackers when to expect them to hit the newswires. The hackers would then upload the stolen press releases to foreign servers for the traders to access in exchange for 40 percent of their profits, paid to various offshore bank accounts. Through interviews with sources involved with both the scheme and the investigation, chat logs, and court documents, The Verge has traced the evolution of what law enforcement would later call one of the largest securities fraud cases in US history.

Even the smartest Computer Security manager will have problems with “stupid.”

1,464 Western Australian government officials used ‘Password123’ as their password. But don’t smirk.

Taylor Telford reports:

Somewhere in Western Australia, a government IT employee is probably laughing or crying or pulling their hair out, or maybe all of the above. A security audit of the Western Australian government released this week by the state’s auditor general found that 26 percent of its officials had weak, common passwords — including more than 5,000 including the word “password” out of 234,000 in 17 government agencies.

The legions of lazy passwords were exactly what you — or a thrilled hacker — would expect: 1,464 people went for “Password123” and 813 used “password1.” Nearly 200 individuals simply used “password,” perhaps never changing it to begin with. Almost 13,000 used variations of the date and season, and almost 7,000 included versions of “123

Centennial Man

Saturday, September 01, 2018

Friday, August 31, 2018

Thursday, August 30, 2018

Wednesday, August 29, 2018

Tuesday, August 28, 2018

Don’t want the police to find you through a DNA database? It may already be too late.

Monday, August 27, 2018

Sunday, August 26, 2018

Search This Blog

Followers

Blog Archive

Links

About Me