Saturday, October 03, 2015

Targeting clients for a little “spear phishing?” I'm not sure I would have agreed to hold off notifying my clients. The crooks must know they will eventually be hunted. If they are in China, how does this help anything? Interesting ethical question.
http://www.wsj.com/articles/scottrade-discloses-data-breach-potentially-targeting-4-6-million-clients-1443815069
Scottrade Discloses Data Breach Potentially Targeting 4.6 Million Clients
Discount brokerage Scottrade Inc. disclosed a data breach Friday that appeared to target the names and street addresses of about 4.6 million clients.
The firm believes criminal activity penetrated its network between late 2013 and early 2014, and may affect clients who opened an account before February 2014.
… “Although Social Security numbers, email addresses and other sensitive data were contained in the system accessed, it appears that contact information was the focus of the incident,” the company said in a statement.
… Scottrade said it was alerted to the breach by federal authorities in late August and was asked not to share any information due to the continuing criminal investigation. The authorities were investigating cybertheft from Scottrade and other financial services companies.






An update. I read it that way too. I still fall for bad reporting. Too trusting I guess.
No, the Experian hack did NOT go on for over two years: it happened last month
In reading a lot of the coverage of Experian’s breach affecting those who applied for T-Mobile USA accounts, I noticed that some journalists and others seemed to interpret Experian’s statement as indicating that the data were hacked/accessed over a two-year period (from September 2013 to September 2015). As I noted to a commenter earlier today, I had read Experian’s statement (and T-Mobile’s statement) as meaning that the hacked database held data from those who applied for T-Mobile accounts between September 2013 until the breach was discovered, but that the hack itself occurred during a relatively brief and recent period.
My impression was formed, in part, because in their submission to the California Attorney General’s Office, Experian reported that the breach occurred on September 14, 2015, and was discovered on September 15, 2015.
So I emailed Experian earlier today, told them my understanding of the timeframe, and asked them to clarify what the time frame of the hack was. Spokesperson Susan Henson responded:
Regarding the timing of when the intrusion happened, yes, much of the reporting on that topic has been incorrect. The breach was not undiscovered for two years. Our investigation shows the activity took place over a number of days in mid-September, not two years as was reported by some media outlets. In fact the intrusion was discovered, investigated and secured in a matter of days, and our notice to consumers and standing up a support call center and identity theft protection service happened yesterday, Oct. 1. The notice to state AG’s happened today.
Where I think the confusion happened is that the data acquired was for some T-Mobile USA customers who applied for services between Sept., 2013 and Sept. 16, 2015.
You got the timing of the actual intrusion correct and on Sept. 15 we discovered the unauthorized access.
So there you have it: the breach occurred last month and was discovered within days.






For my Risk Management and Computer Security students. If you ignore a warning, aren't you increasing your liability?
http://www.modernreaders.com/more-sites-may-be-in-danger-following-patreon-hack/31718/mark-kesler
More sites may be in danger following Patreon hack
In the days running up to the massive hack on the Patreon database, the company was apparently warned about a major programming issue that could result in the compromise of information.
A special report from Ars Technica documented how Patreon was notified by Swedish security firm Detectify regarding the serious error, and how that same firm believes that that error was what hackers exploited when they published 15 GB worth of sensitive user information, including passwords and private messages. This, according to the tech publication, was “nothing short of facepalm material,” and other sites may have similar errors that may allow them to be hacked in the future.






Is this normal? (See the article)
Homeland Security Detains Stockton Mayor, Forces Him To Hand Over His Passwords
Mike Masnick writes:
Anthony Silva, the mayor of Stockton, California, recently went to China for a mayor’s conference. On his return to San Francisco airport he was detained by Homeland Security, and then had his two laptops and his mobile phone confiscated. They refused to show him any sort of warrant (of course) and then refused to let him leave until he agreed to hand over his password [Would this be kidnapping or extortion? Bob]
Read more on TechDirt.






These are not Snowden's picks. Strange they don't mention the Privacy Foundation. Probably because we don't Tweet!
http://www.makeuseof.com/tag/snowden-just-joined-twitter-better-privacy-advocates-follow/
Snowden’s on Twitter, Here Are 7 More Privacy Advocates to Follow






“We can, therefore we must!”
http://www.businessinsider.com/linkedin-settles-class-action-lawsuit-2015-10?google_editors_picks=true
LinkedIn might have to pay you money for spamming your email contacts
… In 2013, a class-action lawsuit accused LinkedIn of accessing users' email accounts without their permission and unwittingly using their names to send email invitations to people in their address books.
At the time, LinkedIn called many of the accusations false.
The court agreed that LinkedIn members did give the social network permission to use their email contacts to send connection invitations.
But the court found that although LinkedIn members consented to importing their contacts and sending LinkedIn connection requests, they did not consent to the two additional "reminder emails" that LinkedIn would send about those requests.






Reduce all second class citizens to a number, making it easier to avoid treating them as people. Watch this and remember it when the US wants to do the same.
JP: My Number system raises red flags ahead of notice release
From Kyodo News:
Despite being trumpeted as ushering in a more efficient, egalitarian society, the government’s controversial My Number system that starts with identification numbers being sent out to residents of Japan next week is raising serious qualms about invasion of privacy and leakage of personal information.
These are not the only concerns, however.
Read more on Japan Today.
[From the article:
… Others relate to the heavy burden the project will put on businesses that will be tasked with collecting the identification numbers of employees and part-time workers—not to mention their family dependents.
Add to this the fuss about how exactly a tax rebate proposal under the system will work, fears about photo-ID cards being lost, and question marks over whether municipalities are capable of handling the expected number of applications.






Perspective. Has war been declared? (Check the interactive graphic!)
http://www.nytimes.com/2015/10/01/technology/personaltech/ad-blockers-mobile-iphone-browsers.html?_r=0
Putting Mobile Ad Blockers to the Test
To block ads or not to block ads on your mobile device? That’s the philosophical dilemma facing consumers since Apple added support for ad blockers to its iPhone operating system a couple of weeks ago.
To help answer the question, we decided to put multiple ad blockers to the test.
… The advantages of ad blocking seem obvious. Not only can consumers eliminate the clutter of promotions, but eradicating data-intensive ads could help deliver faster web page load times and longer battery lives for devices. Dean Murphy, who developed the ad-blocking app Crystal, said blocking programs might also encourage publishers to create better ads that are less taxing on mobile gadgets.






Perspective. Visualizing Big Data.
http://www.makeuseof.com/tag/how-much-physical-media-would-it-take-to-store-the-internet/
How Much Physical Media Would it Take to Store the Internet?
http://cdn.makeuseof.com/wp-content/uploads/2015/10/793c17681b4c630c7f3a8af04efbfc19.jpg?e9577d






Perhaps my students could point their children to these.
http://www.freetech4teachers.com/2015/10/zing-thousands-of-free-ebooks-for.html#.Vg_iin0sr4Q
Zing! - Thousands of Free eBooks for Students
Zing is a new service offering thousands of free fiction and non-fiction ebooks to teachers and students. On Zing you can browse for books by topic, language, or reading level. You can read the books in your web browser on a laptop or tablet.
Zing is more than just a repository of free ebooks. In the Zing reader students will find a built-in dictionary and tools for taking notes while they read.
If you create an account on Zing you will be able to create Zing classrooms. In those classrooms you can create and manage accounts for students. Through your Zing classroom portal you can check your students' reading logs.
[From the Zing website:
Zing’s proprietary eLearning functionality embeds teaching points directly into the digital texts, providing an interactive, engaging, and instructional learning experience for student readers.
Personalized Learning Package: Teachers have the ability to add their own eLearning teaching points to ANY Zing text! Teaching points can be differentiated by student, by title, or by reading/writing skill or strategy.






For my researching (all) students.
http://www.bespacific.com/searching-ssrn-just-got-easier/
Searching SSRN Just Got Easier
by Sabrina I. Pacifici on Oct 2, 2015
About SSRN: “SSRN’s new page centralizes all the tools you need to find stuff in the eLibrary. We combined Quick Search and Advanced Search onto one tab, and made it simple to switch to Browse SSRN Networks or Browse JEL Codes. Did you even know all of those functions existed?
What’s New for the Savvy reSearcher? – In the Advanced Search area, we kept the traditional search options: title, abstract ID, keywords, author name, or date range, but added more. You can now further refine your search by selecting the Subject Matter Networks you want to search within – the default is all networks but you can store your preference.”






The Neverending Story.
http://www.rockol.com/uk/news-647063/prosecution-rests-time-for-defence-to-avoid-kim-dotcoms-extradition
Kim Dotcom’s extradition: the prosecution rests, now it’s time for the defence
… The prosecution relied heavily on documents provided by the United States Department of Justice - which included emails and Skype messages from the Megaupload team - to prove its case.
Now Dotcom’s defence team has its chance to debunk the prosecution’s arguments, and its biggest asset appears to be the fact that Megaupload only facilitated piracy and therefore did not itself pirate content. However, the explicit nature of the documentation provided by the prosecution means that the defence has a difficult climb ahead.



(Related) Is this unusual?
http://www.radionz.co.nz/news/national/285692/crown-unable-to-produce-dotcom-extradition-notices
Crown unable to produce Dotcom extradition notices
… North Shore district court services manager Fiona Parkes - a witness for the Crown - today produced several documents she said appeared to be copies of the extradition requests.
Mr Dotcom's lawyer Ron Mansfield pointed out the documents were not date-stamped and asked Ms Parkes if she knew whether any originals existed.
She said she did not.






Every week this column amuses (and depresses) me.
http://hackeducation.com/2015/10/02/hack-education-weekly-news/
Hack Education Weekly News
… Earlier in the week, Duncan proposed a “prison-to-school pipeline,” reducing the number of people incarcerated for non-violent crimes and using the money saved for pay raises for teachers in high poverty schools. [Does this sound strange to you? Bob]
Via Education Week: “Wyoming could become one of the first states to institute broad protections for students unwilling to give school officials access to their social media accounts. The proposal, which made its way through the state Task Force on Digital Information Privacy, now sits before the state’s joint education committee.”
… A federal judge has ruled that “students who experience traumatic events while growing up in poor, turbulent neighborhoods could be considered disabled,” NPR reports. The ruling comes as part of a class action lawsuit against the Compton School District. (The judge also denied the plaintiffs’ request for class action status.)
Via the Southern Poverty Law Center: “A federal judge in Alabama has found that the Birmingham Police Department violated the constitutional rights of students in public schools by using pepper spray to deal with minor discipline problems and by failing to ensure that children were decontaminated afterward.”
… The Kansas Court of Appeals reversed the expulsion of Navid Yeasin, a University of Kansas student expelled for tweets he made about his ex-girlfriend.
Via The Chronicle of Higher Education: “A Year After Starbucks Offered Tuition Discounts at Arizona State, Who's Enrolling?” Spoiler alert: about 3700 employees, far fewer than the enrollment projections of 15,000.



Friday, October 02, 2015

Outsourcing has risks.
Hackers Stole Data on 15 million T-Mobile Customers
… T-Mobile says as many as 15 million people may have been affected by the data breach, an attack that didn’t compromise T-Mobile’s own systems but rather those of its credit partner — the data vendor and credit bureau Experian. To be clear, the hack hurts even non-subscribers to T-Mobile — credit applicants who for whatever reason ultimately went with another service.
Experian says no credit card or banking data was stolen as part of the attack, which began in September 2013 and wasn’t discovered until two years later, on Sept. 15.
But just because your financial information may be safe doesn’t necessarily mean the rest of your personal information is secure: names, addresses, Social Security numbers, birth dates and driver’s license and passport numbers were all leaked. Some of this data was encrypted, but Experian’s encryption may have been compromised, according to T-Mobile.
T-Mobile is offering two years of free credit monitoring to those who think they may have been affected. But it’s no small irony to note that the credit monitoring service is being provided by none other than Experian itself. [Makes me wonder why. Bob]
Experian says its own consumer credit database “was not accessed” in the incident, but the fact that any systems run by Experian were breached at all is problematic: Experian is one of the major credit scoring agencies in the country, and it safeguards vast amounts of data on everyday Americans.




Just so someone can say, “I did that!” It's a shame they can't see the damage they're doing.
Gigabytes of user data from hack of Patreon donations site dumped online
Hackers have published almost 15 gigabytes' worth of password data, donation records, and source code taken during the recent hack of the Patreon funding website.
The data has been circulating in various online locations and was reposted here by someone who said it wasn't immediately possible to confirm the authenticity of the data. Security researcher Troy Hunt has since downloaded the archive file, inspected its contents, and concluded that they almost certainly came from Patreon servers. He said the amount and type of data posted by the hackers suggest the breach was more extensive and potentially damaging to users than he previously assumed.




You don't see many hacks like this one. Clearly a Linux fan.
Someone Has Hacked 10,000 Home Routers To Make Them More Secure
Most router malware just sits on your home network and uses the device to launch further attacks. In particular, infected routers are useful for generating power for distributed denial of service (DDoS) attacks, where servers are flooded with traffic from hacked machines.
But there’s a curious kind of malware (if you can call it that) going around that not only cleans the device of other infections but even encourages users to update their passwords, according to research from security giant Symantec.
The Wifatch software, now resident on at least 10,000 routers running the Linux operating system, runs across a peer-to-peer network. When it discovers a potentially vulnerable Telnet port – a port typically used to control functions on the device and often protected with default, crackable passwords – Wifatch shuts it down. It then asks the user to change passwords and update the firmware on the router. Furthermore, Wifatch has a module that tries to remove “well-known families of malware targeting embedded devices”.
Symantec researcher, Mario Ballano, suspects a “white hat” vigilante might be behind the malware.




A complement to “Best Practice” reports. This is a list of things you need to fix, fast. Unfortunately...
Study Analyzes Corporate Security Practices Across Industries
Clint Gibler, a software security engineer at NCC Group’s Domain Services division and the author of the study, detailed the findings on Wednesday at the Virus Bulletin conference in Prague.
Running a commercial scanner on the systems of 100 organizations across ten industry verticals between February 2014 and May 2015 revealed a total of 908,000 security issues. The sectors analyzed by the researcher include charity, energy and utilities, financial services, health, IT, leisure and media, public sector (education and local), retail, and transport.
Once affected companies were notified about the existence of the flaws, the vulnerable Linux packages were all updated within a 20 week timeframe. On the other hand, only 75 percent of Microsoft patches were applied in a similar timeframe, with 10 percent of the Microsoft product issues being left unresolved even after a year.
The complete report will become available in the coming days. [I'll keep an eye out. Bob]




What could possibly go wrong?
This Creepy, Yelp-Like App Lets You Rate People Like Restaurants
Ever get the urge to rate your friends and colleagues like restaurants, stars and all? Exposing their strengths, but more likely their flaws, for all to see on the unforgiving and unforgetting Internet...forever?
Sadly, there’s an app for that. It’s called Peeple and it’s scheduled to go live in the Apple App Store in late November – that is, if the bitter backlash swirling virally around it doesn’t torpedo the catty reputation tool first.
… To use the controversial free app, you have to be 21 and have a Facebook account, and there’s no cowardly hiding behind anonymity. You must use your real name. You also need to know someone’s cell phone number to add them to Peeple’s database, which is straight creepy in our book.


(Related) Perhaps this article will help me understand this generation?
Digital Romance: The Teens Get It
On Thursday, the Pew Research Center released a report titled “Teens, Technology, and Romantic Relationships.”
… Fifty percent of teens have expressed interest in someone by friending them on Facebook or another social-media site, and 47 percent by commenting on or liking a post. Pew characterizes these interactions as “entry-level” digital flirting, often used by teens who have never dated before. But even for the older and more experienced, I think, they remain ways of dipping a toe in the ocean of romantic possibility while leaving yourself room to safely withdraw.




Well you wouldn't expect him to blame the Internet he invented or global warming, which he also invented.
Al Gore Blames the 2016 Election's Craziness on Television
… Speaking at the 2015 Washington Ideas Forum on Thursday, Al Gore did blame a technology for the race’s unpredictableness—but not the one people might think of.
… “Television pushed the printing press off of center stage, and now—still—the politicians spend 75 percent of their money on 30-second TV ads,” he said. “Political candidates have to spend three-quarters of their time begging rich people for money to get into the television square.”
And then, said Gore, “human nature being what it is,” politicians wind up thinking more about the interests of donors than the interests of constituents.




Well, that's one way to look at it. But I bet John Galt would be a rider.
The socialist case for Uber
Imagine that a left-wing union activist from Glasgow dreamed up an idea for a workers' ride-sharing cooperative. In this thought experiment, let's give this business a liberal-friendly name, "PeopleCar."
PeopleCar would not only help low-income folks get lifts to work cheaper, but it would be structured as a wealth-sharing collective in which 75% of the money made by the business would go directly to the workers running it. And it would be environmentally friendly because it reduces the number of cars on the road, reduces the demand for new cars, and the company would encourage its staff to use electric or hybrid vehicles.
Best of all, it's self-sustaining and massively popular with the workers who use it.
PeopleCar would be hailed as a huge success. Its founders would be heroes. You would love PeopleCar.
That company already exists in real life. It is called Uber.
But people on the left hate Uber, because they want to show solidarity with traditional taxi drivers.
Uber operates exactly the way I just described it, but instead of "PeopleCar" it has an unfortunate Nietzschean moniker which makes it sound like it is run by Nazis. It was founded by a shamelessly aggressive Ayn Rand fan named Travis Kalanick. He is not a bearded leftist from Scotland, the current home of British socialism. He comes from San Francisco, the current home of rapacious capitalists.




Well, I find it interesting. (And I liked the book “The Martian” too)
The Martian, and the Rise of Serial Publishing
This has led to a resurgence in serially published books, with The Martian, now a major motion picture, being the prime example.




Rethinking existing technologies. Brilliant.
This Bladeless Razor Has Raised More Than $2 Million On Kickstarter
The Skarp razor uses a small laser to cut through hair very close to the skin and claims to do so without any irritation. The device looks like a traditional razor and using a AAA battery, the device will last for about a month, according to the crowdfunding campaign description.
The $89, $139 and $159 early bird specials are sold out, so to pre-order the Skarp now costs $189.


(Related) Find out who owns that old technology?
Patent Searching Guide
by Sabrina I. Pacifici on Oct 1, 2015
Via Amy Riegelman – University of Minnesota: Patent Searching Tutorial – includes Google Patents and USPTO Patent Database.




Same question every quarter.
What’s the Best Way to Run Multiple Operating Systems on Your PC?




“Why is it always testing with you evil per-fessers?”
The Essential Guide to Mobile App Testing




About time! I start my Spreadsheet class on Tuesday.
Microsoft Office 2016: A Big Upgrade for Small Business
Office 2016 is finally available for Windows...




I wonder if I could place a couple of students there or even in the Colorado legislature?
Tech fellows to embed with Congress
A handful of technologists are slated to embed with members of Congress next year as part of a fellowship at New America's Open Technology Institute.
In its infancy, the program will only place about three individuals with technology backgrounds into congressional offices. But the Open Technology Institute said it is the first of "several new projects" in the area.
… "Congress is struggling to keep up with technology in part because it doesn’t have a pipeline for tech talent. TechCongress will change that," Moore said in a statement.
The fellowship starts in January and the application deadline is at the end of the month. The program pays $52,500 over nine months.


Thursday, October 01, 2015

For my Ethical Hacking students. Check with your lawyers before you try something like this.
Love it!
Steve Nichols reports:
A cyber hacker got scammed when he targeted a Clearwater cyber security firm.
KnowBe4 trains corporate clients on defending against “phishing attacks”, a term for using realistic-looking but fake emails for illicit gain.
Last Friday, the company’s chief financial officer received an email purportedly from the chief technology officer requesting instructions on wire transferring nearly $20,000.
Read what happened next on Fox13.
[From the article:
Then they sent a fake email appearing to be from AOL, the scammer's email provider. It said the email account was locked for security purposes, and the user needed to "click here" to log in and unlock the account. "And of course this link doesn't go to AOL, that link goes to us" Irimie explained.
"Indeed he entered his user name and password so we could get his IP address, his internet address" Sjouwerman said, adding that information in turn provided the scammer's geographic location. "We know where it is but we refrain from making that public because we've transferred it to law enforcement, and it's now in their hands" he told FOX 13 News.




It is intelligence laundering. You have a source you don't want to compromise (say a spy in the Kremlin) so you use the intelligence from that source to ensure you “stumble upon” the same intelligence in a way that “explains” how you got the information without getting your spy shot.
FBI and DEA under review for use of NSA mass surveillance data
… The investigations surfaced in a report to Congress from the Justice Department's inspector general.
Parallel construction is a controversial investigative technique that takes information gained from sources like the NSA's mass surveillance, covers up or lies about the sources, and then utilizes them in criminal investigations inside the United States. The information was passed to other federal agencies like the Internal Revenue Service (IRS).
The technique was described as “decades old, a bedrock concept” by a DEA official.
Critics at the Electronic Frontier Foundation (EFF) described the technique as “intelligence laundering” designed to cover up "deception and dishonesty" that ran contrary to the original intent of post-9/11 surveillance laws.
… The DEA’s use of parallel construction was revealed by Reuters a few months later.
… The NSA sent daily metadata reports to the FBI from at least 2006 to 2011, according to the director of national intelligence.
The ongoing review will examine how the FBI processed the NSA’s information, how much information was passed along, and the results of the initiated investigations.
… The Justice Department’s Office of Inspector General is also investigating the FBI’s use of Patriot Act Section 215 from 2012 to 2014 that allowed it to obtain “any tangible thing” from any business or entity as part of investigations against international terrorism or spying.
A previous investigation revealed that every single Section 215 application submitted by the FBI to the secretive Foreign Intelligence Surveillance Court (FISA) was approved.


(Related) Compromising your field agents is always a bad thing.
Aditya Tejas reports:
The U.S. Central Intelligence Agency (CIA) pulled a number of officers from the American Embassy in Beijing as a precautionary measure after a massive cyberattack in June compromised the personal data of over 22 million federal employees, according to a report Tuesday.
U.S. officials reportedly said the data breach was conducted by a hostile party to identify spies and other American officials who could be blackmailed to provide information. The records, stolen from the Office of Personnel Management (OPM), contain the background checks of State Department employees.




An interesting way to identify and ensure everyone is using Best Practices!
Excellent. NewsOK reports:
State Auditor Nicole Galloway on Wednesday announced the launch of a cybersecurity audit initiative in Missouri schools.
The initiative will focus on identifying practices that improve the security of information that schools have on students and their families.
Read more on NewsOK.
[From the article:
According to the Privacy Rights Clearinghouse, a nonprofit based in San Diego, more than 250 K-12 schools across the United States experienced a data breach event in the past 10 years. [I'd bet that number is low. Bob]




Do they care what the customers want? What will happen if Google blocks Digicel?
Mobile Operator Digicel Will Block Advertising Across Its Network
Who needs an ad-blocking app when your telecom operator will prevent ads from reaching your mobile device?
Wireless operator Digicel will soon begin blocking online advertising from traveling across its networks in the Caribbean and South Pacific, the company announced Wednesday.
German telecommunications group Deutsche Telekom is also considering blocking advertising on its networks, a person familiar with the matter said.
Jamaica-based Digicel said online advertising companies such as Google, Facebook and Yahoo will now be required to pay to deliver ads to its subscribers, or can expect to have them blocked.
… For now, U.S. consumers are blocking ads by installing software on their computers or mobile devices. The practice is growing, threatening the business model of many ad-supported online sites and services.




Because vast improvements don't work well with half-vast implementations. Europe has been using these for 5 years. Why are there any surprises here? Because no one tried to learn from the Europeans, they tried to make it all up on their own.
Chips, Dips and Tips: 5 Potential Problems With New Credit Cards
… Thursday's "deadline" for merchants to support the new EMV technology — or face the consequences if fraud occurs — is really a soft target, and consumers are unlikely to notice any dramatic changes or encounter difficulties as they make their shopping rounds.
… the chip generates a unique purchase code every time the card is used, transactions will take a few seconds longer to process. Added to unfamiliarity with the "dip" process and there may be checkout delays, experts warn.
"Some people are experiencing 20-second wait times with these chips," said Avivah Litan, vice president and analyst at Gartner Research.
… "I have several credit cards with chips in them and all but my American Express work really well," said chip credit card user Marilyn Barnicke Belleghem. "Apparently, the chip (on that card) is placed in the wrong position to be accurately read on the machine at the grocery store where I like to shop."
… In other countries, chip cards come with PINs, which require the user to remember a four-digit number in order to use the card. Most U.S. chip cards won't come with PIN technology initially, meaning shoppers will still confirm purchases with a signature. The problem is, some chip credit card machines in other countries aren't equipped to accept signatures, so you might not be able to pay if you're traveling and don't have a card with a PIN.
… With only a signature required, we won't have the full protection that a PIN offers. If a thief steals your chip card, they can still use it. They just have to forge your signature.
The new technology doesn't protect against fraud in online purchases, either. Online transactions don't require a terminal at checkout, so there's no way to read your card and generate a code. All anyone needs is your credit card number, three-digit security code, and expiration date.
… The added hassle might motivate consumers to use phones to make wireless NFC (near-field communication) payments, which is quicker.
"I think this is going to spur an adoption of mobile payments," said Gartner's Litan. "They're much more convenient. This is exactly what the credit card companies want you to do. The same culprits pushing chips, they would also like us to use our mobile phones. Then they don't have to pay for physical cards, and it has the same security as a chip."
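The chip-versus-online distinction the article draws, as an added toy model that is not code from the article or from any card network: the chip's per-transaction cryptogram is bound to a counter, the amount and a terminal nonce, so a replayed or altered one is refused, while a card-not-present check in this model uses only the static number, expiry and security code. HMAC-SHA256, the field layout and every card value below are constructed stand-ins for real EMV, not its actual key derivation or message format.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed toy model, not real EMV: the real protocol derives per-session 3DES or
# AES keys and uses ISO 9797 MACs, and the authorisation request carries many more
# fields. The model keeps only the property the article describes: the chip emits a
# one-time cryptogram bound to a counter, the amount and a terminal nonce, while a
# card-not-present purchase is checked against static data alone.


def cryptogram_input(pan: str, atc: int, amount_cents: int, unpredictable_number: bytes) -> bytes:
    """Bytes the cryptogram is computed over (simplified, constructed field layout)."""
    return b"|".join([pan.encode(), str(atc).encode(), str(amount_cents).encode(), unpredictable_number])


@dataclass
class Chip:
    """The card's chip: a per-card secret shared with the issuer plus an
    Application Transaction Counter (ATC) that only ever moves forward."""
    pan: str
    key: bytes
    atc: int = 0

    def generate_cryptogram(self, amount_cents: int, unpredictable_number: bytes) -> Tuple[int, bytes]:
        """Produce the 'unique purchase code' for one dip of the card."""
        self.atc += 1
        data = cryptogram_input(self.pan, self.atc, amount_cents, unpredictable_number)
        return self.atc, hmac.new(self.key, data, hashlib.sha256).digest()


@dataclass
class Issuer:
    """Issuer-side state: card keys, static card data, and the highest ATC accepted per card."""
    keys: Dict[str, bytes]
    static_data: Dict[str, Tuple[str, str]]   # pan -> (expiry, cvv2)
    last_atc: Dict[str, int] = field(default_factory=dict)


def terminal_unpredictable_number() -> bytes:
    """The terminal's per-transaction nonce; a fresh random value for every dip."""
    return secrets.token_bytes(4)


def authorize_chip(issuer: Issuer, pan: str, atc: int, amount_cents: int,
                   unpredictable_number: bytes, cryptogram: bytes) -> bool:
    """Card-present authorisation: recompute the cryptogram and refuse replays."""
    key = issuer.keys.get(pan)
    if key is None:
        return False
    # An ATC at or below the highest one already accepted means a replayed or stale cryptogram.
    if atc <= issuer.last_atc.get(pan, 0):
        return False
    expected = hmac.new(key, cryptogram_input(pan, atc, amount_cents, unpredictable_number),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cryptogram):
        return False
    issuer.last_atc[pan] = atc
    return True


def authorize_card_not_present(issuer: Issuer, pan: str, expiry: str, cvv2: str) -> bool:
    """Online checkout in this model: static data only, so the chip and its counter play no part."""
    return issuer.static_data.get(pan) == (expiry, cvv2)


def demo() -> Dict[str, bool]:
    """Run the situations the article describes and report which ones the issuer accepts."""
    pan = "4111111111111111"          # constructed test-style card number
    key = bytes(range(16))            # constructed key; anything real uses a random per-card key
    chip = Chip(pan=pan, key=key)
    issuer = Issuer(keys={pan: key}, static_data={pan: ("12/18", "123")})
    results: Dict[str, bool] = {}

    # 1. Genuine dip: the issuer recomputes the cryptogram and accepts it.
    un = terminal_unpredictable_number()
    atc, cryptogram = chip.generate_cryptogram(1999, un)
    results["genuine_chip_transaction"] = authorize_chip(issuer, pan, atc, 1999, un, cryptogram)

    # 2. The very same cryptogram presented again: the ATC did not advance, so it is refused.
    results["replayed_cryptogram"] = authorize_chip(issuer, pan, atc, 1999, un, cryptogram)

    # 3. Amount altered between chip and issuer: the MAC no longer matches.
    un2 = terminal_unpredictable_number()
    atc2, cryptogram2 = chip.generate_cryptogram(500, un2)
    results["amount_tampered"] = authorize_chip(issuer, pan, atc2, 50000, un2, cryptogram2)

    # 4. The next genuine dip still works because the counter moved forward.
    un3 = terminal_unpredictable_number()
    atc3, cryptogram3 = chip.generate_cryptogram(750, un3)
    results["next_genuine_chip_transaction"] = authorize_chip(issuer, pan, atc3, 750, un3, cryptogram3)

    # 5. Card-not-present: the same static data is accepted every time. No counter, nonce
    #    or chip is involved, which is the article's point about online purchases.
    first = authorize_card_not_present(issuer, pan, "12/18", "123")
    second = authorize_card_not_present(issuer, pan, "12/18", "123")
    results["card_not_present_repeatable"] = first and second
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'refused'}")
```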




An interesting question for my lawyer friends.
Why Are So Many Law Firms Trapped in 1995?




Replacing project management? Turning tasks into just another thing on the Internet of Things?
Asana's New Plan: Tracking Every Aspect Of Your Work, With Help From Developers
… Asana has some 140,000 companies who use it to track projects and tasks, with the hope of eliminating back-and-forth conversations that happen in email and meetings in favor of, you know, actual work. While most use it for free, more than 10,000 companies pay per-team fees that start at $21 a month, and Asana now has "tens of millions of dollars" in annual recurring revenue, Moskovitz said.
… The problem is that not everything you deal with at work is a task. Asana, historically, has presented itself as a task-management tool. Now, Moskovitz and Rosenstein want to expand its scope to the larger category of "work tracking," an area of collaboration they see as coequal to file sharing, like Box and Dropbox, and messaging, the field of Slack, Convo and similar apps.
Sections are essentially additional data fields that can be assigned to an object in Asana. Venture-capital firms might track companies by stage and amount invested. A DNA analysis firm might track vials. A nonprofit orchestrating healthcare in a developing country might track patients. All of those require a more structured approach than a generic task.
That, in turn, opens up Asana to far more interesting possibilities for third-party developers. A healthcare systems integrator might build a generalized case-management tool for hospitals. A publishing company might create a system for tracking an article from assignment to editing and fact-checking to publication.




A case study of political disconnect? “We knew it couldn't be done until 2019 so we set the deadline at 2015. Then we can claim we're statesmanlike by extending it to 2018.”
Bill to extend safety system deadline would avert rail shutdown, help Metra
A measure introduced in the U.S. House on Wednesday seeks to avert the threatened year-end shutdown of the nation's freight and commuter railroads, including Metra.
Leaders of the Transportation and Infrastructure Committee said their bipartisan legislation would give U.S. railroads an additional three years to implement the congressionally mandated safety system known as positive train control.
The lawmakers acknowledged that the Dec. 31 deadline for installation of PTC on the vast majority of the railroads is not achievable, and that extending the period until the end of 2018 will prevent significant disruptions of both passenger and freight rail service across the country.
… Without an extension, railroads say their crews would be prohibited by law from operating trains beyond that date. They say freight shipments will be halted, commuter lines will cease operations, and Amtrak service outside of portions of the Northeast Corridor will be suspended.
A shutdown could have a huge impact on Chicago, the nation's rail hub. Each day, the city has 500 freight trains pass through, Metra operates 753 trains, and 56 Amtrak trains come and go.
… The agency has said previously that installing PTC will cost $350 million and won't be fully in place until at least mid-2019.




Perspective. Why “free” works.
The price of free: how Apple, Facebook, Microsoft and Google sell you to advertisers




Is Office365 getting all of Microsoft's attention?
Likes and @Mentions coming to Outlook on the web
Over the last several years, social networks have changed the way we communicate. In our personal lives, we show our approval by “Liking” a friend’s status update on Facebook and we “@Mention” others in a Twitter post to call attention to it. In our workplace, these same social concepts became popular through enterprise social tools such as Yammer. Today we’re taking the next step and introducing Like and @Mention to workplace email in Outlook on the web.
… To Like a message, simply click the thumbs-up icon in the reading pane. This turns the icon from gray to blue, notes within the email that you liked the message and adds a thumbs-up icon in the email list view. Anyone on the thread can Like a message, and their Likes are identified and captured within the message as well. If someone likes your email, you’ll receive a notification letting you know.
While the focus of Likes is on specific emails, the focus of Mentions is on specific individuals. When collaborating on email, it is common to call out a specific person for an action or request. Another scenario is adding a person to an existing thread for their attention—perhaps you are on a thread and know that the person who can answer a question was not initially included. Using the Mentions feature ensures that the person is not only aware of the request but is also included in the thread.
… The Like feature in Outlook on the web will begin to roll out today to Office 365 First Release customers whose Office 365 plan includes Exchange Online. We expect the feature to roll out broadly to eligible Office 365 commercial customers starting in late October. The Mention feature will begin rolling out to First Release customers in mid-October and broadly to all eligible Office 365 commercial customers in mid-November.
In addition, our Outlook.com users who have been migrated to the new version of the service will start seeing Mentions in the December time frame as well.




Ain't technology wonderful? Power for devices on the Internet of Things.
Freevolt generates power from thin air
… Drayson Technologies today announced Freevolt, a system that harvests energy from radio frequency (RF) signals bouncing around in the ether and turns it into usable, "perpetual power."
… We're constantly surrounded by an ever-denser cloud of RF signals. They're the reason your smartphone gets 2G, 3G and 4G coverage, your laptop gets WiFi, and your TV receives digital broadcasts.
… According to Drayson, Freevolt is the first commercially available technology that powers devices using ambient RF energy, no dedicated transmitter required.




For my students who are serious about their field of study.
The 5 Best News Curation Apps to Fight Information Overload


Wednesday, September 30, 2015

A most interesting trend.
Ryan M. Martin of Winston & Strawn LLP writes:
The U.S. District Court for the Southern District of Illinois recently denied the retail grocery chain Schnuck Markets’ motion to dismiss various claims arising from a December 2012 data breach in which hackers gained access to Schnucks’ credit/debit card processing systems. By mid-March 2013, both customers’ banks and Schnucks’ own payment processor had notified Schnucks that the breach had resulted in fraudulent charges to customer cards.
Read more on Lexology.
So… Neiman Marcus. Flowers Hospital. Schnuck. Do my eyes deceive me, or are we seeing a possible trend with data breach lawsuits surviving motions to dismiss for lack of standing? Of course, that doesn’t mean the plaintiffs will be able to prove they suffered harm, but are courts becoming a tad more plaintiff-friendly? We’ll have to watch and wait….




What has happened to “management?” One would think senior management, the legal department and probably several other business departments would be very interested in accurate information. Why did they fail to deliver?
Fiat Chrysler is in trouble again with the NHTSA
Fiat Chrysler Inc. is in hot water again with regulators after under-reporting a “significant” amount of deaths, injuries and legal claims, according to The Financial Times.
The FT cited the National Highway Traffic Safety Administration as saying Fiat Chrysler had discovered “deficiencies” in the way it reports faults.


(Related) “We don't need no stinking laws/regulations/policies/procedures/management!”
Benjamin Krause writes:
VA OIG just reported that Palo Alto VA Health Care System unlawfully gave patient data to a private IT company despite employees not having cleared background checks.
The watchdog investigated allegations that the Palo Alto VA informatics chief entered into an illegal agreement with a health care company called Kyron.
VA OIG confirmed allegations that the patient data was given to Kyron prior to its employees getting background checks. It also confirmed that patient data was loaded into the Kyron’s extraction software prior to receiving approval from VA information security officers.
Read more on DisabledVeterans.org.




Another privacy trend. How useful/accurate are they?
Apple debuts new privacy website
Apple debuted a new website on Tuesday aimed at informing customers on how the company uses their data.
The company has been positioning itself as a bastion of digital privacy as user data in the industry is increasingly being shared with advertisers and, sometimes, law enforcement.
“When you pay for groceries, message a friend, track a workout, or share a photo, you shouldn’t have to worry about your information falling into the wrong hands,” the company says on the website. “The personal data on your devices should be protected and never shared without your permission.”
The website explains, at a level more granular than many of its competitors, the privacy protections that Apple says are built into its applications.
… Google has its own website explaining how it uses user data.




For my Ethical Hacking students. You can't build a full dossier without complete medical information.
Re-identification is just too damned easy sometimes – and if your state is selling your “de-identified” health information, don’t be reassured – be worried.
Here’s the abstract of a study by Latanya Sweeney:
Alice goes to the hospital in the United States. Her doctor and health insurance company know the details ― and often, so does her state government. Thirty-three of the states that know those details do not keep the information to themselves or limit their sharing to researchers [1]. Instead, they give away or sell a version of this information, and often they’re legally required to do so. The states turn to you as a computer scientist, IT specialist, policy expert, consultant, or privacy officer and ask, are the data anonymous? Can anyone be identified? Chances are you have no idea whether real-world risks exist. Here is how I matched patient names to publicly available health data sold by Washington State, and how the state responded. Doing this kind of experiment helps improve data-sharing practices, reduce privacy risks, and encourage the development of better technological solutions.
Results summary: The State of Washington sells a patient-level health dataset for $50. This publicly available dataset contained virtually all hospitalizations occurring in the state in a given year, including patient demographics, diagnoses, procedures, attending physician, hospital, a summary of charges, and how the bill was paid. It did not contain patient names or addresses (only five-digit ZIPs, which are U.S. postal codes). Newspaper stories printed in the state for the same year that contain the word “hospitalized” often included a patient’s name and residential information and explained why the person was hospitalized, such as a vehicle accident or assault. A close analysis of four archival news sources focused on Washington State activities from a single searchable news repository studied uniquely and exactly matched medical records in the state database for 35 of the 81 news stories found in 2011 (or 43 percent), thereby putting names to patient records. An independent third party verified that all of the matches were correct. In response to the re-identification of patients in its data, Washington State changed its way of sharing these data to create three levels of access. Anyone can download tabular summaries. Anyone can pay $50 and complete a data-use agreement to receive a redacted version of the data. However, access to all the fields provided prior to this experiment is now limited to applicants who qualify through a review process.
Reference:
Sweeney L. Only You, Your Doctor, and Many Others May Know. Technology Science. 2015092903. September 29, 2015. http://techscience.org/a/2015092903
The full paper is available for free download at that url.
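The matching the study describes is a linkage attack: each news story supplies a handful of facts (ZIP, age, sex, when, which hospital, why), and a record that is the only one in the file consistent with all of them is re-identified. The following is an added example, not code or data from the paper; every discharge record and news item in it is constructed, the hospitals are placeholders, and the generalization step (3-digit ZIP, age decade, admission year) is one common mitigation shown for contrast, not what Washington State did.

```python
"""Linkage re-identification of a 'de-identified' discharge file, in the style
of the Sweeney study. Added example; all records and news items are constructed."""
from collections import Counter

# Constructed discharge records: no names or street addresses, five-digit ZIP,
# demographics, admission month, hospital and reason, like the file described.
DISCHARGES = [
    {"id": 1, "zip": "98101", "age": 34, "sex": "M", "month": "2011-06", "hospital": "Hospital A", "dx": "motor vehicle accident"},
    {"id": 2, "zip": "98101", "age": 35, "sex": "M", "month": "2011-06", "hospital": "Hospital A", "dx": "motor vehicle accident"},
    {"id": 3, "zip": "98225", "age": 62, "sex": "F", "month": "2011-03", "hospital": "Hospital B", "dx": "fall"},
    {"id": 4, "zip": "99201", "age": 19, "sex": "M", "month": "2011-09", "hospital": "Hospital C", "dx": "assault"},
    {"id": 5, "zip": "99201", "age": 45, "sex": "F", "month": "2011-09", "hospital": "Hospital C", "dx": "assault"},
    {"id": 6, "zip": "98225", "age": 62, "sex": "F", "month": "2011-05", "hospital": "Hospital B", "dx": "fall"},
]

# Constructed news items, reduced to the facts a "hospitalized" story usually
# gives (name, town, age, sex, when, where, why). None = the story did not say.
NEWS = [
    {"name": "A. Example", "zip": "98225", "age": 62, "sex": "F", "month": "2011-03", "hospital": "Hospital B", "dx": "fall"},
    {"name": "B. Example", "zip": "99201", "age": 19, "sex": "M", "month": "2011-09", "hospital": "Hospital C", "dx": "assault"},
    {"name": "C. Example", "zip": "98101", "age": None, "sex": "M", "month": "2011-06", "hospital": "Hospital A", "dx": "motor vehicle accident"},
]

QUASI = ["zip", "age", "sex", "month", "hospital", "dx"]


def candidates(story, records, fields=QUASI):
    """Records consistent with every fact the story states (unknown facts match anything)."""
    return [r for r in records
            if all(story.get(f) is None or r[f] == story[f] for f in fields)]


def link(stories, records, fields=QUASI):
    """name -> record id for stories matching exactly one record; stories with
    two or more candidates are not counted, as in the study."""
    return {s["name"]: c[0]["id"]
            for s in stories
            for c in [candidates(s, records, fields)] if len(c) == 1}


def generalize(row):
    """Coarsen the quasi-identifiers: 3-digit ZIP, age decade, admission year."""
    g = dict(row)
    g["zip"] = row["zip"][:3] + "**"
    g["age"] = None if row["age"] is None else f"{row['age'] // 10 * 10}s"
    g["month"] = row["month"][:4]
    return g


def k_anonymity(records, fields):
    """Smallest equivalence class over the given quasi-identifiers;
    k == 1 means at least one person is unique in the file."""
    groups = Counter(tuple(r[f] for f in fields) for r in records)
    return min(groups.values())


def run_linkage():
    raw = link(NEWS, DISCHARGES)
    gen = link([generalize(s) for s in NEWS], [generalize(r) for r in DISCHARGES])
    k_raw = k_anonymity(DISCHARGES, ["zip", "age", "sex"])
    k_gen = k_anonymity([generalize(r) for r in DISCHARGES], ["zip", "age", "sex"])
    return raw, gen, k_raw, k_gen


if __name__ == "__main__":
    raw, gen, k_raw, k_gen = run_linkage()
    print("re-identified from raw file:", raw, "(k =", k_raw, ")")
    print("re-identified after generalization:", gen, "(k =", k_gen, ")")
```

On the constructed data two of three stories resolve to exactly one record from the raw file; the third has two candidates and is correctly left unmatched. Generalizing reduces the unique matches to one but the file is still not 2-anonymous over ZIP, age and sex, which is the practical answer to "are the data anonymous?": measure the smallest equivalence class rather than trusting that names were removed.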


(Related)
Erika Morphy reports:
With little fanfare or formality, Adam Smith, associate professor of computer science and engineering in Penn State’s School of Electrical Engineering and Computer Science, and Vitaly Shmatikov, a professor at Cornell University, are going to try to tackle a looming issue that will, if it is not addressed, have consequences for just about anyone who has ever used the Internet, sent an email, received medical attention or otherwise made his or her presence known on the Grid that is our online society.
Read more on Computerworld.




Perspective. “There's gold in them thar ads!”
Google’s most expensive search keywords are for ambulance-chasing lawyers
Chances are, if you’ve watched television in the US, you’ve seen myriad advertisements for local lawyers that want to save you money after an injury—no win, no fee. Perhaps you’ve even memorized their bizarre jingles, or seen a program based on their exploits. And it seems that the internet is no different than television: Accident lawyers dominate the most expensive keyword search terms on Google AdWords—the adverts that pop up next to search results on Google.
… The report, which was released last month, was created by WebpageFX, a digital marketing company, and SEMrush, a digital marketing analytics firm. They found that the vast majority of the most expensive keyword search terms were for legal issues, most of which were localized to certain US cities or states. The single most expensive paid search term so far in 2015 is: “San Antonio car wreck attorney,” which costs advertisers $670.44 every time a person searching on Google clicks on that term.




Yes, but... Kind of a big but!
Andrew Crocker writes:
When it comes to the highest court in Massachusetts, it sometimes seems like entire battles are won and lost in the footnotes. In a seemingly straightforward new case, the Supreme Judicial Court has managed to add a wrinkle on top of the already complicated patchwork of law surrounding cell phone location tracking. The court’s opinion today in Commonwealth v. Estabrook sets out what it calls a “bright-line rule” and reaffirms that, in general, the Massachusetts constitution requires a warrant for tracking a person’s location using cell site location information (CSLI). That’s worth celebrating, but cynical readers who are already wondering about the “in general” in the previous sentence should take a look at footnote twelve in the opinion. Meanwhile, all readers should probably buckle in for a somewhat detailed tale of judicial incrementalism.
Read more on EFF.
[Footnote 12:
This exception to the warrant requirement for CSLI applies only to "telephone call" CSLI, which is at issue in this case, and not to "registration" CSLI. "Telephone call" CSLI indicates the "approximate physical location . . . of a cellular telephone only when a telephone call is made or received by that telephone." Augustine, 467 Mass. at 258-259 (Gants, J., dissenting). By contrast, "registration" CSLI "provides the approximate physical location of a cellular telephone every seven seconds unless the telephone is 'powered off,' regardless of whether any telephone call is made to or from the telephone." Id. at 259 (Gants, J., dissenting).




Perspective. No answers here, only questions. I still want to teach a drone piloting class.
1 Million Drones Will Be Sold This Christmas, and the FAA Is Terrified
Any ideas what you'll be getting for the holidays? According to the FAA, about 1 million of you will be getting drones, whether that's a high-end quadcopter or low-end $20 knockoffs from Walmart. Regardless, the FAA is very, very worried about what happens when 1 million new aircraft enter the airspace.




Perspective. How the Internet of Things is growing.
GE Predicts Predix Platform Will Generate $6B In Revenue This Year
Like many big companies, GE has been in the process of trying to reinvent itself, and Predix, its Industrial Internet of Things platform has been a big part of that.
Today, at its annual Minds + Machine conference in San Francisco, GE announced that the Predix platform had grown into a big business with $5 billion in revenues and $6 billion in orders expected this year.




The future of part-time work?
Amazon’s new ‘Flex’ delivery scheme is like Uber for packages
Amazon has just launched an Uber-like delivery system offering regular folks the chance to deliver packages using their own cars for $18 to $25 an hour.
… On Tuesday, the company unveiled the new scheme, called Amazon Flex.
Flex works with Amazon’s super-speedy Prime Now offering where customers can get one- and two-hour delivery on tens of thousands of items, with drivers able to choose between two-, four-, and eight-hour shifts. Besides a car, workers must also have an Android phone for managing deliveries via the Flex app (no iOS version yet), and pass a background check.




Something for everyone?
14 Effective Home & Self Defense Gadgets For Women Living Alone




This is useful! (Tweets for Twits!) Also something for business (marketing) students.
Twitter Has A 136-Page Handbook For Politicians' 140-Character Tweets
Twitter seems simple — just type in 140 characters and hit enter, right? But Twitter can be tough. Building an audience. Keeping that audience. Finding a voice. Cutting through all the chatter. It's a lot, especially if you're a busy elected official.
Well, elected officials, fear not! Twitter itself is here to help. NPR recently discovered that the social media giant has a very special handbook just for people running for elected office. And it's 136 pages long.
The manual has been "wildly popular," said Bridget Coin, a manager on Twitter's Government and Elections Partnership Team who helped put the manual together (see below for more of our interview with her). "We don't want to make assumptions. We want to make sure that people feel empowered with the full story of what Twitter is."


Tuesday, September 29, 2015

If you don't have the skills to attack the ones you hate, you can always hire a hacker to attack them for you. This sounds like the hacker may have some inside help – pre-installed software or human.
Jeff Stone reports:
Someone is tormenting Rutgers University. The New Jersey school announced on Monday it was fending off a distributed denial of service attack that crippled its Internet and Wi-Fi access. It’s just the latest cyberattack on a major U.S. research institution, and comes after a number of similar hacks against Rutgers, a school of approximately 65,000 undergraduate students.




Is this response Trump-esque? “I'll apologize if I'm ever wrong?” Probably small as breaches go, but it might come up in the campaign.
Norton Rose Fulbright, a law firm representing The Trump Hotel Collection, is sending out notifications to customers who used a payment card at Trump International Hotel & Tower Las Vegas between May 19, 2014, and June 2, 2015.
They write:
Although an independent forensic investigation has not conclusively determined that any particular customer’s payment card information was taken from the Hotel’s payment card system or misused as a result of the incident, we are providing this notice out of an abundance of caution to inform potentially affected customers of the incident and to call their attention to some steps they may choose to take to help protect themselves.
While the independent forensic investigator did not find evidence that information was taken from the Hotel’s systems, it appears that there may have been unauthorized malware access to payment card information as it was inputted into the payment card systems. Payment card data (including payment card account number, card expiration date, security code, and cardholder name) of individuals who used a payment card at the Hotel between May 19, 2014, and June 2, 2015, may have been affected.
Those notified are being offered credit protection monitoring if they are U.S. residents.
The notification letter does not indicate how Trump Hotel Collection first became aware of the malware, nor how many customers are being notified.
Note: As a reminder, Brian Krebs broke the story in July about how the hotel collection might be impacted, but it was not just one hotel that was suggested as impacted, and the breach was thought to have begun in February, perhaps. So here we are in September, and the hotel is still claiming that there’s no evidence of data exfiltration or misuse, months after banks suspected them as the common point of compromise? Hmmm….




This is going to take some research. Are they going to replace the software so it accurately shows a defective engine (emissions too high) or will they replace (some or all of ) the engines? Sounds like the latter!
Volkswagen to refit cars affected by emissions scandal
Volkswagen announced plans on Tuesday to refit up to 11 million vehicles and overhaul its namesake brand to try to move on from the scandal over its cheating on diesel emissions tests.
New Chief Executive Matthias Mueller said the German carmaker would ask customers "in the next few days" to have diesel vehicles that contained illegal software refitted, a move which some analysts have said could cost more than $6.5 billion.
… Volkswagen's Belgian importer, D'Ieteren, said it would offer engine upgrades to 800 customers who had ordered a vehicle with a diesel engine that was likely to have been fitted with illegal software. The importer said it would pay for the expected 2 million euros cost.




It might not be worth it to guarantee zero downtime, but three times in one month is probably costing more than an upgrade.
Mayday, Slackers! Facebook Is Down.
Sorry, friends, “something went wrong.” For the third time this month and the second time this week alone, Facebook is down. The struggle is real.
The tech titan appears to be in a love-hate relationship with its servers. Team Zuckerberg hasn’t issued an official statement about what’s causing the frustrating blackout.
… Apparently it’s complicated, so much so that this latest meltdown is going on 60-plus excruciating minutes. That’s thousands of empty seconds of forever lost social snooping and gluttonous oversharing for possibly billions of people the world over. We might have to, like, actually talk to each other.




My Ethical Hacking students have a new “best target!” Nothing gets you in to .gov sites like a security certificate from the people tasked with protecting them.
Raytheon Gets $1 Billion Contract to Protect .Gov Networks
Waltham, Mass.-based Raytheon said it would be the prime contractor and systems integrator for the agency's Network Security Deployment (NSD) Division, which is responsible for the National Cybersecurity Protection System (NCPS). NCPS provides the infrastructure that assists more than 100 federal civilian government agencies with the security of their networks against cyber attacks.
Under the contract, Raytheon said that it would lead a team “providing full lifecycle development and sustainment” support. Specifically, the company said that scope of work would involve providing NPPD with design, development, and operations/maintenance services in support of the NCPS, and “support government efforts to develop, deploy and sustain systems that monitor, analyze and mitigate cyber threats to .gov networks.”




Perspective.
U.S. Gov Makes 5,221 Requests for Yahoo! User Data in First Half of 2015
In its most recent transparency report, Yahoo said that these requests were made for data on a total of 8,424 accounts and that most of them had only non-content data (NCD) shared, or basic information such as alternate e-mail address, name, IP address, login details, billing information and other transactional information.
In addition to the requests for which only NCD was disclosed, which totaled 3,174 between January 1 and June 30, Yahoo! received 1,258 requests for content disclosure (24 percent of requests), rejected 304 requests (6 percent), and could not find data for 485 of them (9 percent). [Now that is interesting. Bob]
The company also revealed that it received between 0 and 999 National Security Letters (NSLs) in the six-month period, and that 0 to 999 accounts were specified in those NSLs.




Is New Jersey leading or diverging?
NBC reports:
The state Supreme Court has reversed itself and put back into place an older standard for warrant-less searches by police during car stops.
Police can now search a vehicle without a warrant if they have probable cause to believe there is contraband or evidence of a crime as long as the circumstances that led to the probable cause are unforeseeable and spontaneous.
Read more on NBC.
h/t, @CarolOnAdvLaw
Update: Steve Bellovin points out that WSJ has additional details, here.




My blog is backed up. If nothing else, it might make an interesting database to search for various security incidents. If your company does not make backups, will you accept the versions the people suing you have?
Make Backups of Your Online & Social Media Accounts to Windows
They say that if something is on the Internet, it stays there, in some form, forever. However, that is not strictly true. If a company such as Google shuts down one of their services, the data contained within will be gone forever. Regular backups are essential, even for data located in the cloud.
… Let’s look at different social media sites and see how to download your history, for when you build your Presidential Library.




Probably takes a bit more effort than the average reader is willing to expend, but my students might try these if their grade depended on it.
5 Tools to Learn About and Protect Your Privacy




Coming soon? Perhaps I should grab one of these and start planning a class. OR I could encourage my students to create a cheap but sturdy VR holder so you can keep your hands free for fighting dragons.
Microsoft Has A Google Cardboard Competitor Called VR Kit
… Spotted on a website to promote a hackathon in Russia, Microsoft is trying to attract developers to an upcoming hackathon that will use the company’s VR-Kits. As you can see in the image at the top of this post, the kit works by inserting your Lumia into a cardboard box and then holding it to your face.


(Related) Or maybe we could build some VR classes.
… Starting today, we’re bringing this experience to thousands of schools around the world with the new Expeditions Pioneer Program. During the 2015/2016 school year, we’ll be bringing “kits” containing everything a teacher needs to run a virtual trip for their class: ASUS smartphones, a tablet for the teacher to direct the tour, a router that allows Expeditions to run without an Internet connection, and Google Cardboard viewers or Mattel View-Masters that turn phones into virtual reality headsets.




Perspective. This is how dashboard creation should work, inside the organization or on a website.
Berkman Center Launches New Internet Data Dashboard
by Sabrina I. Pacifici on Sep 28, 2015
“The Berkman Center for Internet & Society at Harvard University is pleased to announce the launch of the Internet Monitor dashboard, a freely accessible tool that aims to improve information for policymakers, researchers, advocates, and user communities working to shape the future of the Internet by helping them understand trends in Internet health and activity through data analysis and visualization.


(Related) This is how the government does it.
Unlocking Federal Talent
by Sabrina I. Pacifici on Sep 28, 2015
UnlockTalent.gov is a comprehensive [??? Bob] data visualization dashboard created by the US Office of Personnel Management to help Government leaders make data driven decisions and design initiatives to increase employee engagement and satisfaction.




For my students.
5 Research Tools Students Often Overlook
When they're given a research assignment most students immediately turn to Google to start their research. Unfortunately, many students don't recognize that they are limiting their research efforts by not going beyond Google.com to search. Here are five research tools that I introduce to students to get them to go beyond using Google.com.
1. School librarian and library resources.
2. Wolfram Alpha.
3. Google Books.
4. Google Scholar.
5. Duck Duck Go.




I want a fitness tracker just like Wally's!