Saturday, September 15, 2018

Never a good idea?
FreshMenu Hid Data Breach Affecting 110,000 Users
FreshMenu, a food delivery provider based in India, has come under social media attack for keeping under wraps a data breach two years ago that exposed the personal information of over 110,000 users.
The incident originally was brought to light in 2016 by data breach tracker HaveIBeenPwned, which discovered that the breach exposed names, email addresses, phone numbers, home addresses, and order histories, the Times of India reported on Wednesday. That news report led to the strong response on social media.
Troy Hunt, who runs HaveIBeenPwned, says he had informed FreshMenu back in July 2016 that the breach had taken place, but the company decided not to notify impacted customers.
… But security practitioners say that even if payment information wasn't breached, the incident should have been promptly reported to those affected.
"Customers have every right to know what data of theirs has been compromised or leaked," says Rahul Sharma, founder of the Perspective, a firm which focuses on cyber policy. "This should be a practice followed by every company, and I feel a law addressing this issue must come out soon."
"Who are they to decide whether my leaked data is important or critical? If I am trusting them with my data, I have every right to know when my data gets compromised, however small the breach is."




Unfortunately, minimal is the key word.
Catalin Cimpanu reports:
A multi-year study on the stock price evolution for breached companies reveals that data breaches have a long-term impact on a company’s stock price, even if it’s somewhat minimal.
The study, carried out by the research team behind the CompariTech web portal, looked only at companies listed on the New York Stock Exchange (NYSE) that suffered and publicly disclosed breaches of one million records and over in the past three years.
Read more on ZDNet.
[From the article:
"In the long term, breached companies underperformed the market," the CompariTech team concluded in their report.
… Study authors noted that the impact of data breaches likely diminished over time, but the damage was still visible in the stock's NASDAQ performance indicator even after three years, in some cases.




The Cold War in the Internet Age. How close to the “trigger” are they willing to come?
German Troops Face Russian 'Hybrid War' in Lithuania: Merkel
German Chancellor Angela Merkel said Friday Berlin was boosting military cyber capabilities to respond to Russian hybrid warfare that is targeting its troops deployed on NATO's eastern flank.
"Here you are also confronted with a situation that represents another part of the Russian military doctrine: the idea of hybrid warfare," she told German troops stationed in Lithuania as part of a NATO force deployed to deter Russia.
NATO allies have accused Russia of using "hybrid warfare" techniques, including subversion, propaganda and cyber warfare, to undermine the West without triggering a full NATO military response.
Russia has repeatedly denied that it stages such attacks and has accused the US-led alliance of provoking an arms race.
… Soon after their arrival, German troops were subjected to false rape accusations while media reports said Moscow also targeted NATO soldiers' smartphones.


(Related) Follows the Russian pattern. (They also attacked the lab doing Olympic drug testing.)
Dutch 'Expelled Two Russian Spies Over Novichok Lab Plot'
Dutch intelligence services arrested two alleged Russian spies on suspicion of planning to hack a Swiss laboratory investigating the poisoning of double agent Sergei Skripal, reports and officials said Friday.
The two agents, believed to be working for Russia's GRU military intelligence service, targeted the Spiez laboratory near Bern, Dutch-based NRC newspaper and Swiss daily Tages-Anzeiger said.
At the time, Spiez was analysing data related to poison gas attacks in Syria, as well as the March 4 attack using the nerve agent Novichok on Russian double agent Sergei Skripal and his daughter in Salisbury, they reported.
The laboratory does analytical work for the Hague-based Organisation for the Prohibition of Chemical Weapons (OPCW), the global chemical arms watchdog.




Interesting argument.
Carrie Goldberg and her law firm represent Matthew Herrick in Matthew Herrick v. Grindr LLC, a case that may shake things up with Section 230 of the CDA’s protections for platforms. Tor Ekeland Law, PLLC are co-counsel in the case.
Goldberg writes:
Our client, Matthew Herrick, was stalked and harassed by his ex-boyfriend through the Grindr app. The ex-boyfriend had created impersonating profiles to arrange sex dates with over a thousand men who came to Matthew’s home and workplace. Matthew reported it to Grindr over 100 times. He also got an Order of Protection and made criminal complaints against his ex, but the strangers kept coming. The impersonating profiles told them that Matthew had drugs to share and wanted to role-play rape fantasies. When our firm served Grindr’s team with a court order demanding they exclude Matthew’s ex from using their product, they said they didn’t have the technology to do so. They own the patent to geo-locating technology! And yet, they can’t screen users?!
We said, “If you can’t control your product, it’s dangerous.” So we, along with co-counsel Tor Ekeland Law, PLLC, sued Grindr using theories of products liability. This case challenges Section 230 of the Communications Decency Act (CDA), which tech companies claim exempts them from being liable for harm that happens on their platforms. The CDA, passed in 1995, was initially created to protect online bulletin boards from defamation cases. Over the last twenty-two years, the law has become broader and broader because of the way courts have interpreted it, granting protections to a broader array of internet service providers for a broader array of harmful activities.
Read more on her blog, where you can also download the relevant filings.




For future Computer Security classes.
Secureworks Launches New Security Maturity Model
Secureworks has launched the Secureworks Security Maturity Model. It is released, announces Secureworks, in response to "research which shows that more than one-third of US organizations (37%) face security risks that exceed their overall security maturity. Within that group, 10% face a significant deficiency when it comes to protecting themselves from the threats in their environment."
Secureworks is offering a complimentary evaluation (an online process supported by a security expert) to help organizations benchmark their own security maturity. The model incorporates elements of well-known frameworks like National Institute of Standards and Technology (NIST) and ISO 27001/02 with insight from Secureworks' global threat intelligence. It comprises four levels: guarded, informed, integrated and resilient.
Further information, and a route map for attaining security maturity, can be found in a white paper titled '5 Critical Steps to a More Mature Security Posture' (PDF).




The price of entry into the China market?
Google built a prototype of a censored search engine for China that links users’ searches to their personal phone numbers, thus making it easier for the Chinese government to monitor people’s queries, The Intercept can reveal.
The search engine, codenamed Dragonfly, was designed for Android devices, and would remove content deemed sensitive by China’s ruling Communist Party regime, such as information about political dissidents, free speech, democracy, human rights, and peaceful protest.
Previously undisclosed details about the plan, obtained by The Intercept on Friday, show that Google compiled a censorship blacklist that included terms such as “human rights,” “student protest,” and “Nobel Prize” in Mandarin.




Perspective.
Facebook’s Crackdown on Misinformation Might Actually Be Working
… The study, released as a working paper Friday afternoon, examines how Facebook and Twitter users interacted with articles from 570 sites that have been identified by at least one credible source as a purveyor of “fake news”—that is, patently false, intentionally misleading, or hyperpartisan content. It finds that engagement on stories from those sites rose steadily on both Facebook and Twitter until shortly after the 2016 U.S. presidential election. Beginning in early 2017, however, those sites’ engagement began to drop off on Facebook—even as it kept rising on Twitter.
While the authors caution that the study is “far from definitive,” it’s noteworthy as perhaps the first large-scale empirical study that directly examines the efficacy of Facebook’s ongoing campaign against misinformation. Its findings could serve as a guidepost as the company continues to reckon with its influence on civil society.


(Related) On the other hand…
Tech’s New Problem: North Korea
North Korean operatives have sought to use U.S. technology and social media networks to evade U.S.-led sanctions and generate income, taking advantage of many of the same shortcomings that allowed Russians to interfere in the 2016 election.
Cloaking their identities, the North Koreans have been able to advertise jobs and find clients on job-search exchanges such as Upwork and Freelancer.com.




Dogbert suggests a message for my students.


Friday, September 14, 2018

Would this be an act of war?
Ever since the forced bankruptcy of the investment bank Lehman Brothers triggered the financial crisis 10 years ago, regulators, risk managers, and central bankers around the globe have focused on shoring up banks’ ability to withstand financial shocks.
But the next crisis might not come from a financial shock at all. The more likely culprit: a cyber attack that causes disruptions to financial services capabilities, especially payments systems, around the world.




This should make the Computer Security manager the CEO’s best friend!
One-Third of Data Breaches Led to People Losing Jobs: Kaspersky
Nearly one-third of data breaches suffered by companies around the world have resulted in someone losing their job, according to a study conducted earlier this year by Kaspersky Lab.
The cybersecurity firm has interviewed nearly 6,000 people across 29 countries for its annual Global Corporate IT Security Risks Survey. Respondents worked for companies of various sizes, including small businesses with fewer than 50 employees and major corporations with over 1,000 workers.
The study found that, globally, 31% of incidents led to employees being laid off. China was the country with the highest percentage of senior IT security staff being laid off as a result of a data breach. People holding a senior IT role lost their job in roughly one-third of cases, with similar percentages across the globe.
Kaspersky’s survey shows a significant difference in the chances of C-level executives and presidents losing their job over a data breach in various parts of the world. In North America, for instance, 32% of CEOs and other C-level managers were laid off following a data breach – this is the region where the C-suite is most likely to lose its job.
Companies in China, APAC and North America are also most likely to have problems with attracting new customers following a data breach, according to Kaspersky’s report.




Perspective.
Cyber attacks cost German industry almost $50 billion: study
Two thirds of Germany’s manufacturers have been hit by cyber-crime attacks, costing industry in Europe’s largest economy some 43 billion euros ($50 billion), according to a survey published by Germany’s IT sector association on Thursday.




Catch up to Colorado.
Report: Kansas Plans to Spend $4.6M on Election Security
The U.S. Election Assistance Commission released the Kansas plan for its share of the $380 million allocated by Congress to strengthen voting systems amid ongoing threats from Russia and others. Nearly all the other states had released plans for their election security grants last month, but Kansas had gotten an extension to turn in its report.
Nearly $1.07 million has been budgeted to ensure every voting machine in Kansas has a verifiable paper audit trail, according to the budget breakdown. The majority of counties in the state already have a paper-based system, Kobach said.




How would the government prove I knew the password to a device? (Easy to see how they would make the assumption if it was my phone.)
Orin S. Kerr, Compelled Decryption and the Privilege Against Self-Incrimination, forthcoming in the Texas Law Review, available at SSRN: https://ssrn.com/abstract=3248286.
Abstract:
This essay considers the Fifth Amendment barrier to orders compelling a suspect to enter in a password to decrypt a locked phone, computer, or file. It argues that a simple rule should apply: An assertion of privilege should be sustained unless the government can independently show that the suspect knows the password. The act of entering in a password is testimonial, but the only implied statement is that the suspect knows the password. When the government can prove this fact independently, the assertion is a foregone conclusion and the Fifth Amendment poses no bar to the enforcement of the order. This rule is both doctrinally correct and sensible policy. It properly reflects the distribution of government power in a digital age when nearly everyone is carrying a device that comes with an extraordinarily powerful lock.
Orin had tweeted that he would welcome feedback on the article, particularly critical feedback from techies.




Perspective.
The State of the Digital Workplace 2018




Perspective. (Denver doesn’t look good on their graphic)
Buried under bodies
… Over a five-year period, each detective in Detroit has been tasked with solving an average of about eight new slayings annually — a caseload exceeding what policing experts say should be no more than five homicides per detective, per year.
Major police departments that are successful at making arrests in homicides generally assign detectives fewer than five cases annually, according to a Washington Post analysis of homicide caseloads in 48 cities, including Detroit.
The Post study found that departments with lower caseloads tended to have higher arrest rates, while departments with higher caseloads tended to have lower arrest rates — 39 of the 48 departments fell within that pattern.




This could be a game changer, but how does it know what you intended the program to do?
Facebook’s new ‘SapFix’ AI automatically debugs your code
Facebook has quietly built and deployed an artificial intelligence programming tool called SapFix that scans code, automatically identifies bugs, tests different patches and suggests the best ones that engineers can choose to implement. Revealed today at Facebook’s @Scale engineering conference, SapFix is already running on Facebook’s massive code base and the company plans to eventually share it with the developer community.


(Related) Soon, computers will do the programming based on vague requirements.
Microsoft acquires AI startup Lobe to help people make deep learning models without code
Microsoft today announced it has acquired Lobe, creator of a platform for building custom deep learning models using a visual interface that requires no code or technical understanding of AI. Lobe, a platform that can understand hand gestures, read handwriting, and hear music, will continue to develop as a standalone service, according to the company’s website.




I might find a use for this.
Voicepods - Automatically Turn Text Into Voice Recordings
Voicepods is a neat service that will create voice recordings based on the text that you write. Voicepods offers eight voices in which you can have your text read aloud. The voice recording that is generated from your text can be listened to online and you can download it as an MP3 to use wherever MP3 playback is supported. Watch my video that is embedded below to learn how easy it is to make a voice recording on Voicepods.




Something to listen to?
Agility in the Age of the Cloud
September 14, 2018 Runtime 0:57:19
In this webinar, you’ll learn:
  • How we will all have to react in real time to ever-richer data flows
  • How the cloud can help to break down data and organizational silos
  • The potential impacts of cloud-based collaboration on product development and innovation
  • Which ethical questions the cloud creates, and how to think about them


Thursday, September 13, 2018

Another, “We forgot the default was No Security.”
Veeam Leaks 200 GB Customer Database, Goldmine for Phishers
A database containing 200 gigabytes of customer data, estimated to harbor around 445 million records, has been exposed online by backup and recovery company Veeam, thanks to an improperly secured server hosted on Amazon.
The database apparently contained names, email addresses, IP addresses, referrer URL addresses, customer organization size, and much more.




If you ask me, it’s a good thing.
U.S. Silently Enters New Age of Cyberwarfare
… This past month, buried beneath an ant mound of political scandal and news cacophony, President Trump set in motion a plan to gut Presidential Policy Directive 20, an Obama-era policy limiting the use of destructive offensive cyberweapons like Stuxnet. What exactly will replace PPD-20 remains clouded in uncertainty, but one thing seems clear: The military’s gloves are off. Without PPD-20, the U.S. military can now use hacking weapons with far less oversight from the State Department, Commerce Department, and intelligence agencies. A paper released earlier this year by U.S. Cyber Command, the hacking arm of the U.S. military, outlines a proposed policy of increased military intervention, and paints a landscape of nations under constant cyberassault. It’s not a stretch to say the removal of PPD-20 may fundamentally restructure the way America conducts war in cyberspace. Whether or not that is a good thing depends on whom you ask.




For my Computer Security students. Much of their work is ensuring that evidence (logs) exists! (And to stop nonsense like this when it doesn't!)
Lisa Joy reports:
An east-central Alberta woman feels vindicated after winning a wrongful termination case against a medical centre society where she worked as a receptionist. The woman claimed she was terminated without just cause and publicly humiliated. Red Deer Judge Andreassen agreed and awarded her $25,600 in compensation.
The Consort and District Medical Centre Society, months after terminating Sherri Galloway, claimed she violated privacy laws by viewing confidential patient medical records. Judge Andreassen, however, not only ruled there was no evidence to back up the board’s claims but also slammed their actions.
Read more on Red Deer Advocate.




Are we at the point where “If you don’t Tweet, you won’t be counted?”
Researchers Are Now Turning to Twitter to Track Immigrant Migration
More than 250 million people migrated away from their birth country in 2017, according to the United Nations. However, tracking migration through surveys, like an official census, is costly and can take years to complete. To answer those concerns, researchers from the Institute for Cross-Disciplinary Physics and Complex Systems have developed a new method—tracking migration using data from the social media platform Twitter, which provides more frequent, nuanced, and perhaps more accurate information.




You hear that Russia? Let this be fair warning that we will definitely consider maybe doing something if you mess with us again.
Trump signs order to combat election interference
President Donald Trump has signed an executive order aimed at discouraging foreign countries and actors from tampering with U.S. elections, two top national security officials said in a conference call with reporters Wednesday.


(Related) So why don’t I have that warm fuzzy feeling?
Facebook ‘Better Prepared’ to Fight Election Interference, Mark Zuckerberg Says
… On Wednesday, Mr. Zuckerberg, Facebook’s chief executive, published a roughly 3,300-word blog post cataloging all the steps the company has taken.




Perspective. I see the same effort from my Chinese students.
China Is Overtaking the U.S. in Scientific Research
… Qingnan Xie of Nanjing University of Science & Technology and Richard Freeman of Harvard University have studied China’s contribution to global scientific output. They document a rapid expansion between 2000 and 2016, as the Chinese share of global publications in physical sciences, engineering and math quadrupled. By 2016, the Chinese share exceeded that of the U.S.
Furthermore, the authors argue that these metrics -- which are based on the addresses of the authors -- understate China's impact. The data don't count papers written by Chinese researchers located in other countries with addresses outside China and exclude most papers written in Chinese publications. The researchers adjusted for both factors and conclude that Chinese academics now account for more than one-third of global publications in these scientific fields.




Keeping up.
Council for Economic Education
The Council for Economic Education is pleased to offer professional development webinars for teachers nationwide. The webinars cover multiple topics on how to integrate personal finance and economics in the classroom and create a fun learning experience for your students.
When you attend the webinar(s), you will leave with relevant lessons, resources and tools that can be implemented the next day. Also, New York State teachers earn one Continuing Education Unit (CEU) for each webinar. If you are interested, but cannot attend the live webinar, please register to get access to the archived version. You must attend a live webinar or listen to a recorded webinar for at least 45 minutes in order to receive a certificate.




For the Disaster Recovery toolkit.
12+ tools and resources useful during hurricanes and other disasters




Another source of classic science fiction. (And other genres)
PDF Books World


Wednesday, September 12, 2018

This could be very useful for future Computer Security classes. Since this is Finals week, it’s a bit late this quarter.
Clare Ward writes:
Once again, Verizon has opened the doors on the reality of a data breach with the launch of the Verizon 2018 Data Breach Digest (DBD) series, enabling businesses to read undisclosed stories from the company’s cyber-investigative vault.
The Data Breach Digest series puts cybercrime in context, outlining the (anonymized) specifics of data breaches and cybersecurity incidents for cyber defenders across all businesses to benefit from Verizon’s insights.
Cybercrime victims often believe they are the victim of an isolated attack; however, in reality this is not the case – thousands of companies experience data breaches or cybersecurity incidents every month. Unfortunately, most breaches are never publicly disclosed, preventing others from learning from the facts. This plays to the advantage of cybercriminals, enabling them to reuse successful breach tactics time and time again on new, unsuspecting organizations.
By opening up Verizon’s cybercrime files via the Data Breach Digest scenarios, we are offering a panoramic insider’s view of the cyber threat activities in an effort to share what we have seen with other organizations around the globe. Our hope is that we can learn together – and in doing so, better equip ourselves in the fight against cybercrime.
Read more on Verizon. As of today, here are the stories available, as described by Verizon:
  • Credential Theft – the Monster Cache: Credential theft is an increasingly common target for cybercriminals, but is actually relatively easy to prevent. This story outlines how cyberattack models, which outline threat actor goals, capabilities, and methods, were combined with organization profiling to help organizations protect themselves against attack. This case demonstrates how an awareness of an attack vector common to the target’s specific industry could have prevented a major data breach.
  • Insider Threat – the Card Shark: For this case, Verizon experts conducted a Payment Card Industry (PCI) forensic investigation on unauthorized ATM withdrawals. What they found was a network and physical security structure flawed from start to finish. This case walks readers through the investigation to see the many process and policy challenges that enabled this attack.
  • Crypto-Jacking Malware – the Peeled Onion: Sometimes attackers care less about proprietary information and more about processing power. This incident demonstrated how a strong firewall can be undone with missed security patches, turning a client’s system into a stealthy cryptocurrency miner.
  • Third-Party Palooza – the Minus Touch: Digital forensics starts with the data – but what if there’s no data to be found? A blank hard drive and an uncooperative co-location data center start the Verizon team on a hunt for the what/where – and what was done with it!




Much easier than the con in the movie.
Phishing Is the Internet’s Most Successful Con
… In this age, the online equivalent of The Sting is a phishing site: a fake reality that lives online, set up to capture precious information such as logins and passwords, bank-account numbers, and the other functional secrets of modern life. You don’t get to see these spaces being built, but—like The Sting’s betting room—they can be perfect in every detail. Or they can be thrown together at the last minute like a clapboard set.




For my students.
The Ethics of Artificial Intelligence: An Interview of Kurt Long
… I am delighted to be interviewing Kurt Long about the topic of AI. Long is the creator and CEO of FairWarning, a cloud-based security provider that provides data protection and governance for electronic health records, Salesforce, Office 365, and many other cloud applications. Long has extensive experience with AI and has thought a lot about its ethical ramifications.




The pendulum swings again.
EU approves controversial Copyright Directive, including internet ‘link tax’ and ‘upload filter’
The European Parliament has voted in favor of the Copyright Directive, a controversial piece of legislation intended to update online copyright laws for the internet age.
The directive was originally rejected by MEPs in July following criticism of two key provisions: Articles 11 and 13, dubbed the “link tax” and “upload filter” by critics. However, in parliament this morning, an updated version of the directive was approved, along with amended versions of Articles 11 and 13. The final vote was 438 in favor and 226 against.
… The directive itself still faces a final vote in January 2019 (although experts say it’s unlikely it will be rejected). After that it will need to be implemented by individual EU member states, who could very well vary significantly in how they choose to interpret the directive’s text.
The most important parts of this are Articles 11 and 13. Article 11 is intended to give publishers and papers a way to make money when companies like Google link to their stories, allowing them to demand paid licenses. Article 13 requires certain platforms like YouTube and Facebook stop users sharing unlicensed copyrighted material.
Critics of the Copyright Directive say these provisions are disastrous. In the case of Article 11, they note that attempts to “tax” platforms like Google News for sharing articles have repeatedly failed, and that the system would be ripe to abuse by copyright trolls.
Article 13, they say, is even worse. The legislation requires that platforms proactively work with rightsholders to stop users uploading copyrighted content. The only way to do so would be to scan all data being uploaded to sites like YouTube and Facebook. This would create an incredible burden for small platforms, and could be used as a mechanism for widespread censorship. This is why figures like Wikipedia founder Jimmy Wales and World Wide Web inventor Tim Berners-Lee came out so strongly against the directive.




Clever yes, but computer wizards?
Street gangs turn to high-tech cybercrime to make a living
Street gangs are growing more sophisticated and moving into cyberspace. Following an extensive three-year investigation, the State of California Department of Justice arrested and indicted 32 suspects on 240 counts, including identity theft, fraud and hacking. The individuals are linked to criminal street gangs the BullyBoys and the CoCo Boys, California Attorney General Xavier Becerra announced this week.
In total, the suspects are charged with “63 counts of conspiracy to commit grand theft; 54 counts of hacking, computer access and fraud; 56 counts of grand theft; 59 counts of burglary; and eight counts of identity theft,” according to the press release.


Tuesday, September 11, 2018

India wants it to be secure, but wishes never seem to deter hackers.
UIDAI’s Aadhaar Software Hacked, ID Database Compromised, Experts Confirm
The authenticity of the data stored in India's controversial Aadhaar identity database, which contains the biometrics and personal information of over 1 billion Indians, has been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users, a three-month-long investigation by HuffPost India reveals.
The patch—freely available for as little as Rs 2,500 (around $35)— allows unauthorised persons, based anywhere in the world, to generate Aadhaar numbers at will, and is still in widespread use.




To stimulate the Computer Security discussion.
Doug Levin has a great piece on a real case of curious students exploring their K-12 district’s network. Of course, they “shouldn’t” have done that, right? Every adult in the room knows that, and the kids knew it, too. But the temptation was just soooooo great.
So do read The Case of ‘Joseph Jones’ and the Rochester Community (Michigan) Schools. Doug and I have long been on the same page that districts’ responses to bright, curious students, can make or break a child’s future. And hacking out of curiosity vs. hacking to change grades or cause malicious damage are very different things. Then, too, what responsibility do we assign to adults who are not being diligent nor transparent with the community? As Doug writes:
To wit: when 12 year-olds can breach the IT systems of organizations with $100 million+ budgets, how should we assign blame? Penalties and disciplinary actions for students who violate acceptable use policies are established, but what of the consequences to school districts? At what point could district leadership be considered negligent? What obligation do schools have to be forthright with their communities about their digital security shortcomings? How might schools react differently to these incidents, in ways that are more proactive and even humane? These are hard questions, no doubt, but given the frequency of ‘students hacking their schools’ incidents, I believe it is time we more forthrightly address this complicated issue.
Read Doug’s thoughtful post and see what you think.




Take your neighbor’s Tesla for a spin!
Hackers Can Clone Tesla Key Fobs in Seconds
Researchers claim to have discovered a new attack method that can be used to quickly clone the wireless key fob of Tesla Model S and possibly other vehicles.
A team from the COSIC research group at the KU Leuven university in Belgium has discovered a new attack method that can be used to clone key fobs in just seconds. Cloning a fob then allows the attacker to open and start a car whenever they wish.
“During normal operation the car periodically advertises its identifier. The key will receive the car’s identifier, if it is the expected car identifier the key fob will reply, signaling it is ready to receive a challenge,” the researchers explained in a blog post. “In the next step the car will transmit a random challenge to the key fob. The key fob computes a response and transmits it. After receiving the key fob’s response, the car must verify it before unlocking the doors. The same challenge response protocol is repeated to start the car.”
The team noted that there are several security issues during this process. For instance, there is no mutual authentication, allowing anyone to get a response from the key fob if they know the vehicle’s identifier, which is broadcast by the vehicle and is easy to record.
There are also some crypto-related issues. Responses are computed using DST40, an outdated proprietary cipher that uses a 40-bit secret cryptographic key. Researchers showed more than a decade ago that the cryptographic key can be recovered using at least two challenge response pairs.
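The protocol described above, as an added simulation that is not the researchers’ or Tesla’s code: the unilateral challenge-response (only the fob proves itself) beside a mutually authenticated variant in which the car must first prove knowledge of the shared key before the fob answers. HMAC-SHA256 with a 128-bit key stands in for the proprietary DST40 cipher (an assumption; no cipher internals are modelled), and the car identifier, keys and challenge sizes are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

def prf(key: bytes, data: bytes) -> bytes:
    # Keyed response function. HMAC-SHA256 with a 128-bit key stands in for the
    # 40-bit DST40 cipher the article names; this is an assumption, not DST40.
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

class KeyFob:
    def __init__(self, car_id: bytes, key: bytes, mutual: bool) -> None:
        self.car_id, self.key, self.mutual = car_id, key, mutual
        self.nonce: Optional[bytes] = None

    def wake(self, advertised_id: bytes) -> bool:
        # Step 1: the fob only reacts to its expected (broadcast) car identifier.
        return advertised_id == self.car_id

    def challenge_for_car(self) -> bytes:
        # Mutual variant only: the fob challenges the car before saying anything.
        self.nonce = secrets.token_bytes(8)
        return self.nonce

    def respond(self, challenge: bytes, car_proof: Optional[bytes]) -> Optional[bytes]:
        # Unilateral protocol: answer any challenge from whoever sent the car ID.
        # Mutual protocol: stay silent unless the car proved it holds the key.
        if self.mutual:
            expected = prf(self.key, b"car" + (self.nonce or b""))
            if car_proof is None or not hmac.compare_digest(car_proof, expected):
                return None
        return prf(self.key, b"fob" + challenge)

def unlock_session(fob: KeyFob, car_key: bytes, car_id: bytes) -> Tuple[bool, bool]:
    """One protocol run driven by a car-side party that sends car_id and holds
    car_key. Returns (fob_answered, unlocked). A party with the genuine car_id
    but the wrong key shows the article's point: the unilateral fob still
    answers (handing out challenge-response pairs); the mutual fob does not."""
    if not fob.wake(car_id):
        return False, False
    car_proof = prf(car_key, b"car" + fob.challenge_for_car()) if fob.mutual else None
    challenge = secrets.token_bytes(8)            # step 2: random challenge
    response = fob.respond(challenge, car_proof)  # step 3: fob computes response
    if response is None:
        return False, False
    # Step 4: the car verifies the response before unlocking.
    return True, hmac.compare_digest(response, prf(car_key, b"fob" + challenge))

def demo() -> Dict[Tuple[str, bool], Tuple[bool, bool]]:
    car_id, real_key, wrong_key = b"CAR-0001", secrets.token_bytes(16), secrets.token_bytes(16)
    results = {}
    for mutual in (False, True):
        fob = KeyFob(car_id, real_key, mutual)
        results[("genuine", mutual)] = unlock_session(fob, real_key, car_id)
        results[("wrong_key", mutual)] = unlock_session(fob, wrong_key, car_id)
        results[("wrong_id", mutual)] = unlock_session(fob, real_key, b"CAR-9999")
    return results
```

In the unilateral run the wrong-key party never unlocks the car, but the fob answers every challenge it sends, which is exactly the material a short-keyed cipher like DST40 cannot afford to leak; the mutual variant denies it that material in the first place.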




A simple question: Why? If you don’t vote are you an alien?
From EPIC.org:
ICE has reversed position and is no longer seeking the immediate release of over 18 million voting records from North Carolina. Citing administrative difficulties and the unprecedented scope of the subpoena, ICE agreed to limit its demand to preserve voter privacy and will allow state officials to respond after the midterm elections in January 2019. The demand still poses substantial privacy risks and departs from testimony by Homeland Security Secretary Kirstjen Nielsen, who told Congress that DHS would not make such requests. EPIC previously highlighted these problems and explained that the data demand violates DHS policy. EPIC has long fought to ensure voter privacy and recently forced the defunct Presidential Election Commission to delete millions of state voter records unlawfully obtained.




I’m not sure this is a right.
The 'Right to Be Forgotten,' Globally? How Google Is Fighting to Limit the Scope of Europe's Privacy Law
On Tuesday, Google will try to convince Europe’s top court that the EU should not be pushing its own privacy laws on the rest of the world. The case marks the culmination of a long-running battle within Europe—but depending how the court rules, the implications could be global.




So, is there a market for reliable, trustworthy news? (Apparently not)
News Use Across Social Media Platforms 2018
Most Americans continue to get news on social media, even though many have concerns about its accuracy: “About two-thirds of American adults (68%) say they at least occasionally get news on social media, about the same share as at this time in 2017, according to a new Pew Research Center survey. Many of these consumers, however, are skeptical of the information they see there: A majority (57%) say they expect the news they see on social media to be largely inaccurate. Still, most social media news consumers say getting news this way has made little difference in their understanding of current events, and more say it has helped than confused them (36% compared with 15%). Republicans are more negative about the news they see on social media than Democrats. Among Republican social media news consumers, 72% say they expect the news they see there to be inaccurate, compared with 46% of Democrats and 52% of independents. And while 42% of those Democrats who get news on social media say it has helped their understanding of current events, fewer Republicans (24%) say the same. Even among those Americans who say they prefer to get news on social media over other platforms (such as print, TV or radio), a substantial portion (42%) express this skepticism….”


(Related) Do computers know the difference between real and fake news?
Hoodline raises $10M for its hyper-local, automated data newswire
While many lament the death of local news, a small army of tech startups has been developing a new set of tools to figure out how to save it. In one of the latest developments, Hoodline — which has built a platform to ingest and analyse hundreds of terabytes of data to find and then write local news stories — has raised $10 million in a Series A round to help take its effort nationwide.
… Hoodline is not the only one exploring how to tap into big data to build stories; there are many.
Among them, in the UK, the Press Association is working with a startup called Urbs to develop AI systems that can help surface interesting stories for (human) journalists to write. In the US, Automated Insights has been developing “robot” reporters to cover local sports and quarterly earnings beats.
Other efforts like LiveStories are also tackling a trove of publicly available information — in its case civic data — to visualise and shape narratives from it, products that potentially also make their way into the news.




Deep web, Dark web, Internet. The differences are small, but significant.
The 'deep web' may be 500 times bigger than the normal web. Its uses go well beyond buying drugs
… The dark web is a small subset of the deep web, which is the part of the internet that is not found using search engines. That includes many websites that require users to log in with a username and password, and the deep web is estimated to be about 400 to 500 times larger than the common internet. The dark web is relatively smaller — it is made up of a series of encrypted networks that are able to hide users' identities and locations and can only be accessed with special software.
The most popular of those networks is called TOR, or The Onion Router, which was developed initially for government use before it was made available to the general public.




Always respond, even if the dedicated followers won’t read it.
After Trump Tweets that the Ford Focus Can 'BE BUILT IN THE U.S.A.,' Ford Explains Why That Would Make No Sense
… Ford’s North America product communications manager, Mike Levine, spelled it out for the president in a tweet noting “it would not be profitable to build the Focus Active in the U.S. given an expected annual sales volume of fewer than 50,000 units and its competitive segment.”
Ford didn’t move production of the Focus to China by accident; it did so because the U.S. market has shifted away from smaller vehicles toward SUVs, which has made production of the Focus in the U.S.—a relatively expensive location—an illogical choice.




A reminder for my students.
In a Few Days, Credit Freezes Will Be Fee-Free
… Currently, many states allow the big three bureaus — Equifax, Experian and TransUnion — to charge a fee for placing or lifting a security freeze. But thanks to a federal law enacted earlier this year, after Sept. 21, 2018, it will be free to freeze and unfreeze your credit file and those of your children or dependents throughout the United States.
KrebsOnSecurity has for many years urged readers to freeze their files with the big three bureaus, as well as with a distant fourth — Innovis — and the NCTUE, an Equifax-operated credit checking clearinghouse relied upon by most of the major mobile phone providers.




Fulfilling my constitutional duty!
Two Interactive Copies of the Constitution for Constitution Day
Next Monday is Constitution Day in the United States. By law all schools that receive federal funds have to offer some instruction on the Constitution. If you're looking for some activities to do with your students on Constitution Day, consider having your students explore one of the following interactive displays of the Constitution.
The Constitution Center's website features the U.S. Constitution divided into easily searchable sections. From the main page you can select and jump to a specific article or amendment. What I really like about the site is that you can choose an issue like privacy, civil rights, or health care and see how those issues are connected to the Constitution. The Constitution Center offers an extensive list of lesson plans for each of the Constitution's articles and amendments. Select an article or amendment then scroll to the bottom of the page to find the lesson plans. Alternatively, you can find all of the lesson plans listed here.
C-SPAN Classroom has a section called Constitution Clips. On Constitution Clips you will find the entire text of the U.S. Constitution. Within the text there are links to videos that are related to each article and amendment. The videos are a mix of scholars talking, news clips, and documentary clips. When you click on one of the links you will be directed to a page that contains the corresponding video. Below each video there are links to additional resources including lesson plans.


Monday, September 10, 2018

Why I encourage my students.
Tech's ultimate success: Software developers are now more valuable to companies than money
A full quarter century into the era of the modern consumer internet, the C-suite is still grappling with the fundamental problem dubbed digital transformation. One reason this challenge is so pernicious is that it can't be solved the way most transitions can, with money and management consultants. Instead, it requires the expertise of a new breed of corporate leaders: software developers.
As our global economy increasingly comes to run on technology-enabled rails and every company becomes a tech company, demand for high-quality software engineers is at an all-time high. A recent study from Stripe and Harris Poll found that 61 percent of C-suite executives believe access to developer talent is a threat to the success of their business. Perhaps more surprisingly — as we mark a decade after the financial crisis — this threat was even ranked above capital constraints.




Perspective. Not everyone is a Bird fancier.
People Are Vandalizing E-Scooters in 'Bird Dropping' Fad
If you haven't been keeping up with the hip new fads lately, there are two new things to be on the lookout for. First are e-scooters distributed around urban areas to enhance the ease of mobility without automobile congestion. Second are the people who are taking those same electric scooters and throwing them off of bridges. Pranksters have begun to seek out these e-scooters simply to damage them for the ‘Gram, calling it “bird dropping.”




This is how you should 3D print a gun. Of course, it would be much cheaper to buy the gun.
HP’s Metal Jet could be a huge leap for commercial 3D printing
Just a few years after launching its Multi Jet Fusion 3D printer, HP is ready to get into the world of 3D metal printing with Metal Jet, a new commercial platform.
… The company expects to make Metal Jet printers available to early customers in 2020 for under $400,000, with broader availability to follow in 2021.




I use an RSS reader every day; I’ll have to try this.


Sunday, September 09, 2018

Dangerous technology or “user error?”
Scooter use is rising in major cities. So are trips to the emergency room.
… In Santa Monica, Calif. — where one of the biggest electric-scooter companies is based — the city’s fire department has responded to 34 serious accidents involving the devices this summer. The director of an emergency department there said his team treated 18 patients who were seriously injured in electric-scooter accidents during the final two weeks of July. And in San Francisco, the doctor who runs the emergency room at a major hospital said he is seeing as many as 10 severe injuries a week.




“Algorithms is free speech?”
Press protections might safeguard Google’s algorithms, even from Trump
President Trump indicated last week that the White House is looking into regulating Google, Facebook, and Twitter because they are, he alleges, privileging voices that criticize him while suppressing his supporters’ ideas.
How, exactly, would this blanket suggestion to regulate these companies work? When we’re talking about regulating the information that comes up in Google searches or appears in people’s timelines on Facebook or Twitter, we’re really talking about governing algorithms and the decisions they make about which information should be provided and prioritized.
Regulating algorithms might seem like entirely new legal territory, since Google and its cousins are only two decades old. But a newspaper case from 1974 has quite a bit to say about whether the government can control, under the First Amendment, companies’ algorithms and how they produce and organize information.
In Miami Herald v. Tornillo, the Supreme Court struck down a Florida law that gave political candidates the “right of reply” to criticisms they faced in newspapers. The law required the newspaper to publish a response from the candidate, and to place it, free of charge, in a conspicuous place. The candidate’s lawyers contended that newspapers held near monopolistic roles when it came to reaching audiences and that compelling them to publish responses was the only way to ensure that candidates could have a comparable voice.
In the Herald case, the paper refused to comply with the law. Its editors argued the law violated the First Amendment because it allowed the government to compel a newspaper to publish certain information. The Supreme Court resoundingly agreed with the Herald. Justices explained that the government cannot force newspaper editors “to publish that which reason tells them should not be published.”




From that bastion of legal thought…
China's Supreme Court Recognizes Blockchain Evidence as Legally Binding
Blockchain can now be legally used to authenticate evidence in legal disputes in China, according to the country's Supreme People's Court.
The court released new rules on Friday – that take immediate effect – clarifying various issues relating to how internet courts in China should review legal disputes.
Part of the new regulation specifies that internet courts in the country shall recognize the legality of blockchain as a method for storing and authenticating digital evidence, provided that parties can prove the legitimacy of the technology being used in the process.
"Internet courts shall recognize digital data that are submitted as evidence if relevant parties collected and stored these data via blockchain with digital signatures, reliable timestamps and hash value verification or via a digital deposition platform, and can prove the authenticity of such technology used," the Supreme Court said in an announcement.




Hear this, Bernie Sanders?
Amazon’s Antitrust Antagonist Has a Breakthrough Idea
… At the end of the antitrust stacks is a table near the window. “This is my command post,” said Lina Khan.
It’s nothing, really. A few books are piled up haphazardly next to a bottle with water and another with tea. Ms. Khan was in Dallas quite a bit over the last year, refining an argument about monopoly power that takes aim at one of the most admired, secretive and feared companies of our era: Amazon.
The retailer overwhelmingly dominates online commerce, employs more than half a million people and powers much of the internet itself through its cloud computing division. On Tuesday, it briefly became the second company to be worth a trillion dollars.
… Amazon has more revenue than Facebook, Google and Twitter put together, but it has largely escaped sustained examination. That is beginning to change, and one significant reason is Ms. Khan.
In early 2017, when she was an unknown law student, Ms. Khan published “Amazon’s Antitrust Paradox” in the Yale Law Journal. Her argument went against a consensus in antitrust circles that dates back to the 1970s — the moment when regulation was redefined to focus on consumer welfare, which is to say price. Since Amazon is renowned for its cut-rate deals, it would seem safe from federal intervention.
Ms. Khan disagreed. Over 93 heavily footnoted pages, she presented the case that the company should not get a pass on anticompetitive behavior just because it makes customers happy. Once-robust monopoly laws have been marginalized, Ms. Khan wrote, and consequently Amazon is amassing structural power that lets it exert increasing control over many parts of the economy.
Amazon has so much data on so many customers, it is so willing to forgo profits, it is so aggressive and has so many advantages from its shipping and warehouse infrastructure that it exerts an influence much broader than its market share. It resembles the all-powerful railroads of the Progressive Era, Ms. Khan wrote: “The thousands of retailers and independent businesses that must ride Amazon’s rails to reach market are increasingly dependent on their biggest competitor.”




Perspective.
The devilishly quiet age of AI
… The AI revolution will arrive almost imperceptibly, but still faster than prior big technological shifts because of intense global competition and the breadth of its reach, according to a new study by the McKinsey Global Institute.
But by the second half of the next decade, a few players will be conspicuously ahead of rivals, and by 2035, there will be clear winners and losers among countries, companies and individuals.
  • The dividing line will be defined by those who took the coming age seriously and prepared for it and those who were passive.
The report follows up on a May study by McKinsey that described an evolving pecking order of companies that were establishing "an insurmountable advantage" over peers by pushing ahead with AI. It singled out nine "superstar" companies, all in the U.S. and China, that were well ahead of everyone else.
The latest study expands by adding to the list winning countries and individuals. In all, McKinsey analyzed 41 countries, grouping them into four buckets by how well they appeared to be poised for the new age of AI.
… By the time the fruits of AI investment become clear — after 2025 — it will be extremely difficult to compete with the leading players, say Jacques Bughin and Jeongmin Seong, two co-authors of the report.
… AI adoption will add $13 trillion a year to global production, the report said, and an average of 1.2% to global GDP growth per year.
  • Among companies, those that embrace AI will see double their cash flow by 2030. Those that don't could lose 20% of their revenue by then.




Consciously or not, Scott Adams is targeting the White House.