Saturday, October 24, 2015

Strange actions for a “bug.” Debit cards would be an interesting infrastructure target for someone testing CyberWar tools. Just saying...
Federal Consumer Watchdog Investigating Russell Simmons’ RushCard
The federal consumer watchdog said Friday that it has launched an investigation into RushCard, a prepaid debit-card business co-founded by hip-hop music producer Russell Simmons, after thousands of customers lost access to funds in their accounts.
Mr. Simmons has said on RushCard’s Facebook page that a technology update on Oct. 12 triggered a series of problems that cut off some customers’ access to their money. Some customers’ cards were deactivated and others saw the same transaction appear twice in their statements, he said.
In a post on Wednesday, Mr. Simmons said the company had been debugging its systems and that most customers’ cards should be working normally.
… Prepaid cards, which target low-income consumers who lack regular checking accounts or credit cards, are among the fastest-growing financial products in the U.S., with an estimated 16 million cards in circulation.
Customers load cash or receive direct deposits from employers, and use them to make payments, store funds or get cash at ATMs.




Lots of interesting angles to this one. Is the ransom demand from the hacker or from someone pretending to be the hacker? Are we headed toward “security by contract?” I guess we'll have to stay tuned.
TalkTalk attack: government urged to do more on cyber crime
… Police are investigating a ransom demand sent to the telecoms company after its chief executive, Dido Harding, said a person claiming to be the hacker had contacted her directly and demanded money in exchange for the data.
Oliver Parry, the Institute of Directors’ senior corporate governance adviser, told the BBC that police should make cybercrime an urgent priority, but added that companies “are ultimately responsible for protecting their customers’ data”.
There have been questions about how well TalkTalk secured its customers’ data after Harding admitted she did not know whether details including names, addresses and bank account numbers were encrypted. It was the company’s third major data breach in the past year.
Proof of adequate cyber security could be made a condition of government contracts, said Hazel Blears, the former MP who has been counter-terrorism minister and a member of the parliamentary intelligence and security committee.
She said the UK had been “a little bit tardy” in waking up to the scale of the threat but must now seek tougher rules to ensure data was protected.




Seems to be a rather soft response to the OPM hack.
After OPM hack, spy agencies warn staffers to keep quiet on social media
Intelligence agencies are warning their staffers about keeping safe on Facebook, Twitter and other social media sites following the massive theft of government personnel files.
The Office of the Director of National Intelligence released two videos and a poster on Friday as part of an effort to keep intelligence agency staffers secure from foreign spies.
The poster was released along with two YouTube videos.
One shows a man presumably working at an intelligence agency who unknowingly passes information along to a “foreign intel ops center” by looking for a new job on Facebook. Another encourages intelligence officials to protect themselves from “social media deception.”




Could this change how software is licensed?
Justice Department Wants Court To Force Apple To Decrypt iPhones Because Apple Licenses, Not Sells, iOS
… The feds want access to an iPhone 5s owned by a man who's now a defendant in a drug case and currently facing accusations of possessing and distributing meth. Apple has declined to hand over the keys to iOS, stating that, among several reasons, any backdoor access creates new vulnerabilities.
… Apple argued that giving the government special access into iOS, which it touts as being out of reach of federal snoops, would "tarnish the Apple brand."
"Absent Apple's assistance, the government cannot access that evidence without risking its destruction. But Apple can," states the court brief (PDF).
Apple has assisted in federal cases before by extracting the requested data and passing it along to law enforcement agencies, the DOJ reasoned in the brief.
So with Apple unwilling to budge and court orders falling flat, thus far, the department changed its tactics and is now arguing that the company "is not far removed from this matter."
Apple designed, built and sold the iPhone 5s in question. But that's just the beginning, the government stated.
"Apple wrote and owns the software that runs the phone, and this software is thwarting the execution of the warrant," the justice department added. "Apple's software licensing agreement specifies that iOS 7 software is 'licensed, not sold' and that users are merely granted 'a limited non-exclusive license to use the iOS Software.'"
From there, the DOJ calls into question the legal protection of Apple as a licensor of software.
… For privacy watchdogs, the above argument might invoke goosebumps. If the DOJ's reasoning stands, it could take up that strategy with other companies giving out licenses to software.




Perspective. My students will go where the money is.
The Cloud Is Raining Cash on Amazon, Google, and Microsoft
Amazon.com, Google, and Microsoft all topped profit estimates last quarter, highlighting the widening gulf between companies that deliver computing via server-laden warehouses and a generation of latecomers to the cloud boom. Together, the three companies added $86 billion in market cap following their earnings reports on Thursday.
The trio shares a reliance on technology that comes from powerful machines lashed together in bunkers the size of football fields. These data centers are capable of providing a broad range of services at a low cost—be it Microsoft's personal and business software, Amazon's e-commerce and computing power, or Google's Web search and advertising algorithms. Contrast that with technology firms, such as IBM, Hewlett-Packard, EMC, and Oracle, which are suffering from slowing growth or declines as cloud operators shun traditional hardware, software, and services.




Perspective. One site to rule them all? (Sorry J.R.R.)
72 Hours With Facebook Instant Articles
On Tuesday, Facebook debuted its long-awaited Instant Articles feature to all users of its iPhone app. Now, when someone taps a story in their News Feed from a select group of publications (including The New York Times, The Washington Post, Buzzfeed, and The Atlantic), they access a version stored directly on Facebook’s servers, not on the publication’s own. The company has started to test the feature on Android phones as well.
With the formal release of the feature, Facebook formally ends one era in the platform wars and begins another.
Since August 2013, when it adjusted the algorithm of its News Feed to favor “quality content,” Facebook has been the major referrer to news sites—either the fastest-growing or the just-plain biggest. Over the summer, the analytics company Parsely said that its proprietary data confirmed that Facebook now directs more traffic to news sites than Google. “The list is a lot longer than is publicly known of those that have Facebook delivering half to two-thirds of their traffic right now,” said Justin Smith, the CEO of Bloomberg Media, in February of this year.
… Very soon, every digital publisher, journalistic or non, that wants to be a serious online player will host a large portion of their content on Facebook’s servers. Instant Articles is just too good to resist, and I think the penalty for resisting will be too high. And then we all, Facebook and the media sector alike, will have to deal with the consequences—whether the comparisons to feudalism are correct or not.




Amusing. I don't always have the time to read the longer articles, but I know where to look when I do. It's in my RSS feed.
JSTOR Daily – free online magazine
by Sabrina I. Pacifici on Oct 23, 2015
JSTOR Daily offers a fresh way for people to understand and contextualize their world. Our writers provide insight, commentary, and analysis of ideas, research, and current events, tapping into the rich scholarship on JSTOR, a digital library of more than 2,000 academic journals, dating back to the first volume ever published, along with thousands of monographs, and other material. In addition to weekly feature articles, the magazine publishes daily blog posts that provide the backstory to complex issues of the day in a variety of subject areas, interviews with and profiles of scholars and their work, and much more. Our idea of a good story is one that:
  • tells thought-provoking stories that appeal to a general reader
  • draws on scholarly research to provide fresh insight into the news media and current affairs
  • deepens our understanding of our world
  • highlights the amazing content found on JSTOR
  • exposes the work of scholars who are using JSTOR to conduct their research




The weekly low-lights.
Hack Education Weekly News
Via Vox: “What Scotland learned from making college tuition free.”
Via Inside Higher Ed: “On Wednesday 72 women’s and civil rights organizations urged the U.S. Education Department to tell colleges that they must monitor anonymous apps like Yik Yak – frequently the source of sexist and racist comments about named or identifiable students – and do something to protect those students who are named. The groups said they view anonymous online abuse as an emerging issue under provisions of Title IX of the Education Amendments of 1972.”
Via Inside Higher Ed: “The University of Kentucky is asking a small distillery, Kentucky Mist Moonshine, to stop using the word ‘Kentucky’ on T-shirts and other materials, saying that the word is covered by a university trademark.”
… From a paper titled “Changing Distributions: How Online College Classes Alter Student and Professor Performance”: “Using an instrumental variables approach and data from DeVry University, this study finds that, on average, online course-taking reduces student learning by one-third to one-quarter of a standard deviation compared to conventional in-person classes. Taking a course online also reduces student learning in future courses and persistence in college.”




Wally illustrates “objection to change #47.”


Friday, October 23, 2015

Small, but impactive.
TALKTALK HACKED: 4 million customers affected, stock plummeting, 'Russian jihadist hackers' claim responsibility
British broadband provider TalkTalk has been hacked for the third time, the company announced late Thursday, and customers' data — including credit card details — may have been stolen.
In a statement, TalkTalk called the attack "significant and sustained." Up to 4 million customers may be affected, according to the Financial Times. [See below. Did they get every account? Bob]
… TalkTalk shares have plummeted 9% on the news. [Unusual, Bob]
It's not clear who is behind the hack yet, but a group claiming to be a Russian jihadist cyberterrorist group is claiming responsibility. BuzzFeed has spoken to a TalkTalk customer included in an apparent preliminary dump of customer data, and it appears to be legitimate — although the hacker's stated political affiliation could well be false.
The company has around 4 million UK customers.
The BBC is reporting that TalkTalk's website was targeted by a DDoS attack — overwhelming servers with traffic. This on its own wouldn't give the attacker access to internal data, however.
… It's not yet clear whether the hackers gained access to customers' full credit card details, or if they were at least partially encrypted (if they weren't, it'd be a major security issue). The company says that "not all of the data was encrypted" — had it been, it would be very difficult for the attacker to make any sense of.




Better late than never? The original collector of Big Data has finally realized they can use all that data they insist on gathering! But of course since they have never done anything with that data, they don't know what to do with it. (This is apparently so obvious that it only takes 2 pages to report everything they already knew?)
Federal Investment in Big Data Applications Heads for Liftoff
U.S. government agencies appear to have gotten the memo: Big data is good for you.
Federal agencies' acquisition, storage, processing and management of almost unimaginably large chunks of information will drive the government to use big data technologies, according to a recent survey of federal information technology managers.
In addition, the use of big data analytics to productively maximize the value of all this information will become a major goal of government agencies, the survey showed.
To accomplish those goals, federal IT managers increasingly are seeking the support of the private sector.
Forty-six percent of respondents planned to increase use of third-party contractors or consultants to assist with big data projects, according to the survey, which was sponsored by Unisys Federal. Another 52 percent intended to maintain their current level of engagement with outside providers.
[The 2 page “report”:


(Related) “Hackathon” sounds really cool, but this looks more like a technology showcase – buy my product/service because it will make your life easier! No staffers will be writing code.
Overnight Tech: House gears up for ‘hackathon’
House leaders are hosting a "hackathon" on Capitol Hill intended to find ways for technology to help congressional staffers with their jobs.
House Majority Leader Kevin McCarthy (R-Calif.) and House Minority Whip Steny Hoyer (D-Md.) are hosting the event Friday, which follows a similar gathering in late 2011 that was summarized in an 18-page report.
Tech company employees are scheduled to meet with congressional staff and other open government advocates to "brainstorm" ideas to modernize hearings, as well as ease legislative workflow, constituent services and outreach.
The Open Government Foundation recently estimated about 12 percent of the government's budget goes to tech spending, including IT staff, technical support, maintenance and software. Still many have criticized Congress, and the government in general, for being far behind the private sector in adopting new technology.




Because humans don't think like a computer? Will that be a good thing? I'd like some say on how machine learning reorganizes my life.
Google says it's 'rethinking everything' around machine learning
… New Google CEO Sundar Pichai took part in his first earnings call, and in between discussing the numbers he revealed how important Google thinks machine learning is to its future.
”Machine learning is a core, transformative way by which we’re rethinking everything we’re doing,” he said.
He was putting the spotlight on a branch of artificial intelligence that’s getting more attention lately. It involves using computer algorithms that can “learn” over time. A common example is its use in email, where machine learning figures out from watching users’ behavior which emails are spam and which should be let through.
… He didn’t give examples, but it’s not hard to imagine where it might turn up. He mentioned machine learning in the context of mobile, for example, where machine learning could determine if a user is at work, at home or in their car, so that their phone can deliver information accordingly.




Probably unethical.
How to Get Free Access to Academic Papers on Twitter
Most academic journals charge expensive subscriptions and, for those without a login, fees of $30 or more per article. Now academics are using the hashtag #icanhazpdf to freely share copyrighted papers.
Scientists are tweeting a link to the paywalled article along with their email address in the hashtag—a riff on the infamous meme of a fluffy cat’s “I Can Has Cheezburger?” line. Someone else who does have access to the article downloads a pdf of the paper and emails the file to the person requesting it. The initial tweet is then deleted as soon as the requester receives the file.
Andrea Kuszewski, a San Francisco-based cognitive scientist who started the hashtag, tells Quartz that “the biggest rule is that you don’t thank people.” Those who willingly share papers are, in most cases, breaking copyright laws. But Kuszewski says it’s an important act of “civil disobedience,” adding “it’s not an aggressive act but it’s just a way of saying things need to change.”




For my Statistics (and Marketing) students. Correlation.
Customers Who Like Santa Also Like…Nicotine Gum?
Social media is a limitless focus group. Each tweet, like, post, or comment represents an active decision by a person to interact with another person, brand, or TV program culminating in a detailed individual profile. The data provides marketers the opportunity to observe people in their native environments — their own social groups and with brands — while also tracking shifts in taste and behavior over time. Combining trillions of these data points provides unprecedented insight into consumer interests and predictive associations.
… it turns out that social media turns up all sorts of unpredictable and unexpected correlations.
In addition to providing a more holistic understanding of a brand’s consumers, these non-obvious relationships enable marketers to reach untapped consumers in an addressable way and at a reduced cost. For ambitious marketers, this means tailoring campaigns around each high priority interest.


(Related) Try it yourself?
Facebook is unleashing universal search across its entire social network
… Because Facebook commands the lion's share of our time spent online, it hosts a huge percentage of the links we share from around the web and the discussions we have around news, personal interests, and other moments in our lives. Facebook's search team is now turning that firehose of human interaction, which already generates 1.5 billion daily searches, into a vast repository of discussion, searchable by anyone.




Is this Wall Street Journal column pro-Republican or merely anti-Hillary? (Worst case? That she is being completely neutral.)
She Knew All Along
Thanks to Hillary Clinton’s Benghazi testimony on Thursday, we now understand why the former secretary of state never wanted anyone to see her emails and why the State Department sat on documents. Turns out those emails and papers show that the Obama administration deliberately misled the nation about the deadly events in Libya on Sept. 11, 2012.


(Related) These GIFs are more likely to do Hillary harm. Are these the reactions of a serious politician or an amateur actor?




Free phone service for my students? (I'm still waiting for them to pay me.)
The 10 Cheapest Mobile Phone Plans in the US Right Now [Cheat Sheet Included]
… Two quick notes: first, for the purposes of this article, I’ll only be looking at plans that include at least some mobile data. If you’re looking for a plan that only includes calling and texting, or just calling, you can find even cheaper plans than these. Second, many of these plans are based around an idea called “Wi-Fi first” which means that if you’re connected to Wi-Fi, your calls and messages will be routed via the Wi-Fi instead of through your cellular network.


Thursday, October 22, 2015

This might not have anything to do with El Salvador or Human Rights or lawsuits, but then again, it might.
Jennifer Wing reports:
The theft of a computer and hard-drive containing the names and stories of people who survived the war in El Salvador has human rights workers on edge. The break-in happened in Smith Hall, in the offices of the University of Washington’s Center for Human Rights, or CHR.
UW’s Campus Police Department says sometime between October 14-18, Dr. Angelina Godoy’s desktop computer and an external hard drive were taken. Godoy is CHR’s Director. There was no sign of forced entry.
The stolen devices contain personal testimonies that are part of ongoing human rights investigations involving survivors of the war in El Salvador, a civil war that killed more than 75,000 people between 1980 and 1991. During the conflict the US provided military aid to the Salvadoran Government.
Read more on KPLU.
In related coverage, Derek Wang and Gil Aegerter explain:
The center’s lawsuit alleges that the CIA is illegally withholding information about an El Salvador army officer who is suspected of human rights violations during that Central American country’s civil war in the 1980s.
Center officials say they have backup copies of the information on the computer drives, but they’re concerned because the drives had about 90 percent of the information being used in the lawsuit, including sensitive details about personal testimonies and pending investigations.
Read more on KUOW.




Adding insult to injury. Can Hillary now claim “Everyone does it?”
Sam Thielman reports:
WikiLeaks on Wednesday released documents it said had been collected from CIA director John Brennan’s personal AOL account, the first in what the group said would be a series of publications.
[…]
The embarrassing leaks include a questionnaire for the official’s security clearance marked: “Review copy – Do not retain.”
Other documents included an early version of the Limitations on Interrogations Techniques Act of 2008, a bill defining the limits of interrogation methods. Also released was a letter from Missouri Republican senator Christopher Bond, then a member of the Senate select committee on intelligence.
All the documents in the WikiLeaks cache are from 2008 and before. Brennan assumed office in 2013.
Read more on The Guardian.
[From the article:
Authorities told CNN that Brennan’s account did not contain any classified information.




So these devices would never need to decrypt message contents.
Law enforcement: Phone spying software not capable of collecting content
Cell phone spying technology used by federal law enforcement will not have the software capability to scoop up individuals' actual communications, like texts or pictures, law enforcement officials said Tuesday.
Officials from the Justice Department and the Department of Homeland Security (DHS) told lawmakers the devices will not be configured to collect the actual content from people's phones. 
… DHS said its use of the technology in the past never scooped up actual content from mobile phones, while the Justice Department demurred.
"I will have to get back to you about what the policy said," Tyrangiel said.




Bad procedure. “This data is really, really important, but we didn't bother to protect it.” It's not like the name change came as a surprise. (Goes to the “Right to be remembered” issue?)
Radio New Zealand reports:
Child sex abuse survivors in Britain are calling for an investigation after discovering some testimonies may have been deleted due to a technical error.
Claims of paedophiles in Westminster in the 1980s sparked the inquiry and cases under investigation could date back to the 1970s.
But the inquiry’s website has said information victims submitted between 14 September and 2 October was deleted before it reached the investigation’s engagement team.
“Due to a change in our website address to www.iicsa.org.uk on 14 September, any information submitted to the inquiry between 14 September and 2 October through the online form on the ‘Share your experience’ page of our website, was instantly and permanently deleted before it reached our engagement team,” it said.
Read more on Radio New Zealand.




An interesting argument: “Give up your gnome or die!”
‘Your Genome Isn’t Really Secret,’ Says Google Ventures’s Bill Maris
Bill Maris has a simple proposition for those who are a little freaked out by his efforts to digitize human DNA: “If we each keep our genetic information secret, then we’re all going to die.” OK then.
The Google Ventures managing partner has shifted the firm’s focus this year to investing in companies that aim to slow aging, reverse disease, and extend life. Many of those life-sciences companies do this by collecting customers’ genetic information and looking for trends.
Hoarding this kind of personal data introduces risks, particularly as hacking becomes an everyday occurrence. But Maris dismissed privacy concerns surrounding the prospect of genomic data becoming public. “What are you worried about?” he said at a Wall Street Journal technology conference in Laguna Beach, Calif., on Tuesday. “Your genome isn’t really secret.”
That’s because people constantly leave traces of their genomic material lying around in public. If someone really wanted the information, they don’t need to hack a server. They could just pull a cup with your saliva out of the trash and test it, said Maris.


(Related)
Kieren McCarthy reports:
DNA testing company 23andMe says it has received four requests from law enforcement agencies for “user data” in the past quarter, all of them from the United States.
Those stats came in the first “transparency report” from the company on Wednesday.
Read more on The Register.




Background.
Healthcare Sector Security Woefully Weak, Survey Says
… Healthcare is indeed a major target for cybercriminals, Raytheon|Websense found in a report released last month. The healthcare sector experiences 340 percent more security incidents and attacks than the average for other industries, and it is more than 200 percent more likely to encounter data theft.
Advanced malware is used in one of every 600 attacks in the healthcare sector. Compared to other sectors, healthcare is four times more likely to be hit by advanced malware.




For my App building students.
Twitter buys Fastlane, a popular tool for building iPhone apps, and adds Android support
Twitter has acquired Fastlane, a set of tools that found a lot of popularity with iPhone developers as an easy way to constantly test and update their apps.
… Also important, as far as not annoying developers: Fastlane has always been available as a free download, available as "open source" for programmers all over the world to look at and improve on. Krause says his employment at Twitter won't change that at all.


(Related) For those not Twit Apps.
One of Microsoft's best friends just hit the gas pedal on its already huge growth
Xamarin, a fast-growing mobile app development startup that's got a close partnership with Microsoft, has snapped up tiny startup RoboVM in a little acquisition that could lead to some huge growth.
… When Xamarin first got started in 2011, it had a simple sales pitch. Write your smartphone app in C#, and it provides the tools to make it into an iPhone, Android, Mac, or Windows app with a minimum of effort.
RoboVM, a tiny startup founded earlier in 2015, has the exact same pitch — only it did it with Java.


Wednesday, October 21, 2015

How should I classify this article? It's not really computer security nor is it a privacy violation. Should we call it 'being a corporate good citizen?' I would not have seen the need to scan for child porn, but maybe I need to change my thinking. This article makes it sound much more common than I would have believed. Is there a threshold level (some statistical level of occurrence) such that if I have no indication a crime is being committed I should still look for evidence of that crime?
First Firms Blocked Porn. Now They Scan for Child Sex Images
The first alarm came within a week. It meant an Ericsson AB employee had used a company computer to view images categorized by law enforcement as child sexual abuse.
“It was faster than we would have wanted,” says Nina Macpherson, Ericsson’s chief legal officer.
In a bid to ensure none of its 114,000 staff worldwide were using company equipment to view illegal content, in 2011 the Swedish mobile networks pioneer installed scanning software from Netclean Technologies AB. While many companies since then have adopted similar measures, few have been willing to discuss their experience publicly.
… Since installing the system, Ericsson says it has been dealing with around one alarm each month – each one flagging an act that could lead to prosecution.
… The alerts – invisible to the person who triggers them – are sent via e-mail and text message to Ericsson’s group security adviser, Patrik Håkansson, a former detective chief inspector from Sweden’s National Police IT Crime Squad. He’s confident that the digital fingerprint system means the software only raises the alarm when it detects images already on an international child abuse blacklist.
“There are no false positives; the technology won’t show up any pictures of children on the beach,” says Håkansson.
His job is to confirm that the illegal pictures have indeed been handled on company equipment, and by whom. In the U.S. the FBI must be called immediately. In other markets Ericsson can carry out some internal investigations before involving law enforcement.
… Ericsson employees sign a form consenting to being observed. Does that equate to spying on staff? As long as companies are upfront and explain to employees they are being monitored, there “can’t be any expectation of privacy,’’ says Stuart Neilson, a London-based employment lawyer.
That’s important, because there are also risks for any company that knows its equipment is being used illegally and doesn’t act. “If the organization has evidence that an employee has been accessing these sites but has done nothing with that evidence, then the employer might be liable,’’ Neilson says.
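The “digital fingerprint” match described above is, at its simplest, a lookup of a file's hash in a list supplied by law enforcement. The “no false positives” claim holds only for that exact-hash form, and exact hashes are also what a re-saved or re-encoded copy of the same picture defeats. The following is an added example, not Ericsson's or Netclean's code and not a description of how their product actually works: it scans constructed byte strings against a constructed exact-hash blocklist, then scans constructed 8x8 grayscale grids against a toy perceptual hash (an average hash, an assumption standing in for whatever fingerprint a real product uses) to show the trade-off: the perceptual match catches the re-saved copy that the exact match misses, at the cost of a distance threshold that has to be tuned. Every file, image and list below is made up.

```python
import hashlib
from typing import Dict, List, Sequence, Set

# --- Constructed sample "files" (plain bytes standing in for image files) ---
KNOWN_BAD = b"ORIGINAL-IMAGE-BYTES-0001"       # on the (made-up) blocklist
RE_ENCODED = b"ORIGINAL-IMAGE-BYTES-0001\x00"  # same picture re-saved: one byte differs
BENIGN = b"FAMILY-BEACH-PHOTO"                 # never on any list

SAMPLE_FILES: Dict[str, bytes] = {
    "/home/a/cache/img1.jpg": KNOWN_BAD,
    "/home/a/cache/img1_resaved.jpg": RE_ENCODED,
    "/home/b/photos/beach.jpg": BENIGN,
}


def exact_fingerprint(data: bytes) -> str:
    """Cryptographic hash: matches identical bytes only."""
    return hashlib.sha256(data).hexdigest()


EXACT_BLOCKLIST: Set[str] = {exact_fingerprint(KNOWN_BAD)}


def scan_exact(files: Dict[str, bytes], blocklist: Set[str]) -> List[str]:
    """Paths whose exact hash is on the list. Zero false positives, but the
    re-saved copy is missed because a single byte changed."""
    return sorted(p for p, data in files.items() if exact_fingerprint(data) in blocklist)


# --- Constructed 8x8 grayscale "images" (0..255) for the perceptual variant ---
Pixels = Sequence[Sequence[int]]

BAD_IMG: List[List[int]] = [[(r * 8 + c) * 4 for c in range(8)] for r in range(8)]
# Same picture, brightened by 10 and with one pixel blown out (a re-encoding artifact stand-in).
RESAVED_IMG: List[List[int]] = [[min(255, v + 10) for v in row] for row in BAD_IMG]
RESAVED_IMG[0][0] = 255
BENIGN_IMG: List[List[int]] = [[255 if (r + c) % 2 == 0 else 0 for c in range(8)] for r in range(8)]

SAMPLE_IMAGES: Dict[str, Pixels] = {
    "/home/a/cache/img1.jpg": BAD_IMG,
    "/home/a/cache/img1_resaved.jpg": RESAVED_IMG,
    "/home/b/photos/beach.jpg": BENIGN_IMG,
}


def average_hash(pixels: Pixels) -> int:
    """Toy perceptual hash (aHash): one bit per pixel, set when the pixel is
    at or above the image mean. First pixel lands in the most significant bit."""
    flat = [v for row in pixels for v in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for v in flat:
        bits = (bits << 1) | (1 if v >= mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


PERCEPTUAL_BLOCKLIST: Set[int] = {average_hash(BAD_IMG)}


def scan_perceptual(images: Dict[str, Pixels], blocklist: Set[int],
                    max_distance: int = 5) -> Dict[str, int]:
    """Map path -> smallest Hamming distance to any listed hash, for images
    within max_distance. The threshold is where false positives creep in:
    raise it and unrelated pictures start to match."""
    hits: Dict[str, int] = {}
    for path, px in images.items():
        best = min(hamming(average_hash(px), b) for b in blocklist)
        if best <= max_distance:
            hits[path] = best
    return hits


if __name__ == "__main__":
    print("exact matches:", scan_exact(SAMPLE_FILES, EXACT_BLOCKLIST))
    print("perceptual matches:", scan_perceptual(SAMPLE_IMAGES, PERCEPTUAL_BLOCKLIST))
```

Run it and the exact scan reports only the untouched file, while the perceptual scan reports both the untouched file (distance 0) and the re-saved one (distance 2) and leaves the checkerboard far outside the threshold (distance 32). The operational point for anyone deploying such a system: the investigator in the article still confirms every alert by hand, and that human step is what keeps a threshold-based matcher from turning into an accusation engine.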




For my Computer Security students. If you block sites like Reddit, then you need to watch for people using these “work arounds.” (What we really need is a system to reduce an employee's work hours by the time they spend on non-work tasks.)
How to Browse Reddit at Work Without Getting Caught
Reddit is addictive — so much so that many people can’t even go 24 hours without it. That kind of addiction is bad news when you work in an office environment. It’s just too tempting and too easy to Reddit while you work.
So if you want to make it less obvious that you’re wasting so much of your employer’s time, you should think about using MSOutlookit:
This site replicates the content of Reddit but wraps it up in the aesthetics of Outlook 2007. Each email displays the username, title, and score of each post. You can switch subreddits by changing the email category, but the selection is a bit limited.
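Two things to check in the proxy logs once a site like this is in play: whether anyone is visiting the front-end itself, and whether the original block actually covers every hostname the blocked site answers on (an exact-host rule for www.reddit.com leaves api.reddit.com and the .json endpoints open). The following is an added example, not anything from the article or from the MSOutlookit project: it parses constructed proxy log lines in a made-up space-separated format, flags hosts on a constructed mirror list (msoutlookit.com is the host the article names; the other entry is a placeholder), and flags requests to a blocked domain that still came back 200. It says nothing about how MSOutlookit actually fetches its content; that is left as an assumption to verify in your own logs.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Domains the policy bans. Matching is by suffix so sub.reddit.com counts too.
BLOCKED_SITES = {"reddit.com", "redd.it"}
# Constructed list of "work around" front-ends. Only msoutlookit.com comes from the article;
# the .test entry is a placeholder for whatever your own threat intel adds.
MIRROR_SITES = {"msoutlookit.com", "example-reddit-mirror.test"}

# Constructed proxy log lines: timestamp user src_ip method url status
LOG_LINES = [
    "2015-10-21T09:01:02Z alice 10.0.0.5 GET https://www.reddit.com/r/sysadmin/ 403",
    "2015-10-21T09:03:10Z alice 10.0.0.5 GET https://msoutlookit.com/ 200",
    "2015-10-21T09:03:11Z alice 10.0.0.5 GET https://www.reddit.com/r/sysadmin.json 200",
    "2015-10-21T09:05:44Z bob 10.0.0.7 GET https://outlook.office.com/mail/ 200",
    "2015-10-21T09:06:00Z carol 10.0.0.9 GET https://api.reddit.com/hot.json 200",
    "2015-10-21T09:07:00Z dave 10.0.0.11 GET https://reddit.com.evil.test/ 200",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def host_matches(host: str, domains: set) -> bool:
    """True if host equals a listed domain or is a subdomain of one.
    'reddit.com.evil.test' does not match 'reddit.com': the suffix test is
    anchored on a dot, not on a substring."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(entry: Dict[str, str]) -> Optional[str]:
    """'mirror'     : request to a known work-around front-end
       'policy-gap' : blocked domain answered with something other than 403
       'blocked'    : blocked domain, and the proxy actually blocked it
       None         : nothing to see"""
    host = urlsplit(entry["url"]).hostname or ""
    if host_matches(host, MIRROR_SITES):
        return "mirror"
    if host_matches(host, BLOCKED_SITES):
        return "policy-gap" if entry["status"] != "403" else "blocked"
    return None


def findings(lines: List[str]) -> List[Dict[str, str]]:
    """Every log entry with a non-empty verdict, in log order."""
    out: List[Dict[str, str]] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            out.append({"user": entry["user"], "host": urlsplit(entry["url"]).hostname or "",
                        "verdict": verdict})
    return out


def users_to_review(lines: List[str]) -> Dict[str, List[str]]:
    """User -> sorted distinct verdicts worth a conversation (a proper 403 is not one)."""
    result: Dict[str, set] = {}
    for f in findings(lines):
        if f["verdict"] != "blocked":
            result.setdefault(f["user"], set()).add(f["verdict"])
    return {u: sorted(v) for u, v in sorted(result.items())}


if __name__ == "__main__":
    for f in findings(LOG_LINES):
        print(f)
    print(users_to_review(LOG_LINES))
```

Against the sample lines, alice shows up for the front-end visit and for a reddit.com request that was served despite the policy, carol shows up for the api.reddit.com gap, and dave's look-alike host is correctly ignored. The fix the "policy-gap" verdict points at is on the proxy side: block by domain suffix, not by the one hostname someone typed into the rule.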




For my Chrome using students.
Meet eFast: This Malware REPLACES Your Browser With Adware
Malware that targets the browser is nothing new. But malware that replaces an already existing browser with one designed to track online movements, hijack search traffic, and fill each page with unwanted adverts? Yeah, that’s pretty interesting.
The eFast Browser was discovered by the MalwareBytes team a few days ago, and it does all of the above, and more.
Perhaps the worst thing about eFast Browser is that unless you’re especially observant, you might not even notice it’s there, as it takes great pains to camouflage itself.
For starters, it looks and feels like the bona-fide Chrome browser, as it’s built on the Chromium Browser.




These take time and then the company doesn't want to see reminders of its breach back in the news so I don't always catch these settlements. As usual, they make a good case for attending law school.
Sony's Settlement With Employees Over Hacked Data Worth More Than $5.5 Million
Sony Pictures will be paying somewhere in the neighborhood of $5.5 million to $8 million to resolve a class action lawsuit over a large hack attack last winter that left the personal information of employees and ex-employees vulnerable. The details of the settlement were revealed in court papers on Monday night.
… The proposed deal contemplates a $2 million cash fund to reimburse class members up to $1,000 each for preventive measures taken to protect against identity theft. Meanwhile, the class action lawyers who represented the plaintiffs would be getting almost $3.5 million.




Might be useful. Download a copy and see.
The California County Superintendents Educational Services Association has produced a data privacy guide for districts containing a range of best practices, sample vendor contracts, and steps to take when a data breach occurs.




This may just be Fox being Fox. On the other hand, it may be another indication that the government is about to dump on Hillary. How much has she irritated people? Stay tuned.
FBN Exclusive: DOJ Officials Fear Foreign Telecoms Hacked Clinton Emails, Server
Officials close to the matter at the Department of Justice are concerned the emails Hillary Clinton sent from her personal devices while overseas on business as U.S. Secretary of State were breached by foreign telecoms in the countries she visited—a list which includes China.
… The Justice Department officials also used the words “reckless,” “stunning,” and “unbelievable” in discussing the controversy swirling around Clinton’s use of a private, nongovernment email account, as well as her use of a personal Blackberry, an Apple iPad, and home server while U.S. Secretary of State. The officials did not indicate they have any knowledge of a breach at this point.
As for the effort to designate Clinton’s emails as classified or unclassified, the Justice Department officials agreed that, as one put it: “Every email she sent is classified because she herself is classified, because she is both Secretary of State and a former first lady.”
… FOX News recently reported that an intelligence source familiar with the FBI’s probe into Clinton’s server said that the FBI is now focused on whether there were violations of the federal Espionage Act pertaining to "gross negligence" in the safeguarding of national defense information. Sets of emails released show that Clinton and top aides continuously sent information about foreign governments and sensitive conversations with world leaders, among other things, FOX News reported.




If you really want to protect your communication, don't rely on someone else to encrypt your data. Do it yourself (it's fast and free) then if these bozos decrypt their “unbreakable” encryption for law enforcement or for their own amusement, they will find apparent gibberish. Let them ask you for the encryption key like good little boys and girls.
Apple Tells Judge It Can’t Unlock New iPhones
Apple Inc. told a federal judge that it “would be impossible” to access user data on a locked iPhone running one of the newer operating systems, but that it could likely help the government unlock an older phone.
In a brief filed late Monday, the company said “in most cases now and in the future” it will be unable to assist the government in unlocking a password-protected iPhone. The brief was filed at the invitation of U.S. Magistrate Judge James Orenstein, who is considering a request from the Justice Department that he order Apple to help government investigators access a seized iPhone.
Judge Orenstein, in an earlier ruling in the case, was doubtful that he had the authority to force Apple to help the government. The Justice Department has said in this case and others that federal judges have such power under the All Writs Act, an 18th-century law.




Think about cats out of bags. I may not tell you everything I know, but I have no problem discussing any published facts. Speculation is just that and I can come up with more scenarios than you can possibly imagine. It's one of the things I was trained to do.
Four weeks ago, Bart Gellman of the Century Foundation delivered a keynote address at Purdue University’s “Dawn or Doom?” colloquium. His topic was “The NSA, Edward Snowden, and National Security Journalism.” As part of his lecture, Gellman displayed slides of a handful of the documents that Snowden leaked (some of which Gellman published in the Washington Post), which describe certain NSA mass data collection programs, including Upstream and PRISM. Purdue live-streamed the lecture, and told Gellman it would be posted online shortly.
But Purdue has not posted the Gellman lecture video. Nor, in all probability, will the video ever be posted ... because it no longer exists: Purdue apparently “wiped” all copies of the lecture video from university servers because it contained screen shots of the Snowden documents. On October 8, the organizer of the conference, Dr. Gerry McCartney, from Purdue’s Chief Information Office, posted this statement on behalf of the university, offering an alarming excuse for Purdue’s actions:
Purdue has been recognized as a national leader in its commitment to freedom of expression and free and open inquiry and debate. We reject entirely the notion that complying with clear federal law is in any way an abridgment of those principles. We have already acknowledged that perhaps a better way to comply would have been to block only the classified information in question. And if we can correct that situation, we will. But a speaker’s decision to exercise civil disobedience does not obligate Purdue to join him in that act.




I like anything that helps me understand the law – God© knows I need all the help I can get.




Perspective. It occurred to me recently that I am no longer subjected to the dreaded, “Let me show you the slides of our vacation!” Now they send me an email with pictures attached, which I can ignore at my leisure.
Google Photos hits 100 million monthly users after five months
Google Photos is less than half a year old, but it's already hit a major milestone with more than 100 million monthly active users, the company announced today. The unlimited photo service comes with apps available on iOS, Android, and on the web, and it was spun off from the company's Google+ social network in May, to much rejoicing. Google Photos was hailed at launch for its simplicity and for combining many of the disparate features of competitors like Dropbox's Carousel, Apple's iCloud, and Yahoo's Flickr into a single service.
To hit 100 million users in just five months is no easy feat. It took both Pinterest and Twitter about five years to hit that benchmark. Even Instagram's explosive popularity back in 2010 meant it still took the startup around two and a half years to reach the 100 million mark.




Useful for my students or their children? Either way, thanks Facebook! I need to explore this more, but it really does look useful.
Announcing the Launch of TechPrep
… At Facebook, we’re working on a number of initiatives to widen the pipeline and build an inclusive culture. After looking closely at the data, we realized that one challenge is a lack of exposure to computer science and careers in technology, as well as a lack of resources for parents, guardians, and others who want to learn more. In the US, this lack of access is prevalent in a number of underrepresented groups including Black and Hispanic communities.
Today, we’re excited to introduce TechPrep, a resource hub where underrepresented people and their parents and guardians can learn more about computer science and programming and find resources to get them started. TechPrep brings together hundreds of resources, curated based on who you are and what you need, such as age range, skill level and what kind of resource you are looking for. The website is designed for both English and Spanish speakers.




For any of my students who care.
100+ Animated Philosophy Lessons
Wireless Philosophy AKA Wi-Phi is a project produced by philosophy students and professors from Duke, Yale, Northern Illinois University, MIT, and Duquesne University. The purpose of the project is to teach philosophy through animated videos. There are currently more than 100 videos available in the Wireless Philosophy YouTube channel. The videos are organized into twelve playlists covering topics like critical thinking and biases, political philosophy, religion, Descartes, and linguistics.




This could be my students discussing homework.


Tuesday, October 20, 2015

See? It's not just Hillary. Computer security is not a consideration in highly political environments. Good computer security won't get you re-elected or re-appointed. (and apparently bad computer security won't keep you from being re-elected or re-appointed.)
Ken Dilanian of AP reports:
The State Department was among the worst agencies in the federal government at protecting its computer networks while Hillary Rodham Clinton was secretary from 2009 to 2013, a situation that continued to deteriorate as John Kerry took office and Russian hackers breached the department’s email system, according to independent audits and interviews.
Read more on Newser.




Not clear what they did beyond the link to porn. Should the school have said more?
Stuff reports:
Student emails have been suspended at Mt Albert Grammar after a security breach led to porn being sent to every student.
An official message was sent to parents on Monday night apologising for any offence caused.
Principal Dale Burden said they believed the culprit was most likely to be a student at the school and if so that amounted to serious misconduct.
The school was first alerted by a parent who saw the email which contained a link to a pornographic image.
Read more on Stuff.
Okay, but how did the student hack/gain access to the system? And what else could the student have accessed via that login or method?




I've got a Computer Security grad class coming up soon. This might be a useful model for their paper.
From the good folks at CitizenLab:
This post describes the results of Internet scanning we recently conducted to identify the users of FinFisher, a sophisticated and user-friendly spyware suite sold exclusively to governments. We devise a method for querying FinFisher’s “anonymizing proxies” to unmask the true location of the spyware’s master servers. Since the master servers are installed on the premises of FinFisher customers, tracing the servers allows us to identify which governments are likely using FinFisher. In some cases, we can trace the servers to specific entities inside a government by correlating our scan results with publicly available sources. Our results indicate 32 countries where at least one government entity is likely using the spyware suite, and we are further able to identify 10 entities by name. Despite the 2014 FinFisher breach, and subsequent disclosure of sensitive customer data, our scanning has detected more servers in more countries than ever before.
Read the full report on CitizenLab.




Not sure this is doable except in certain rare circumstances. Might be fun for my Ethical Hacking students to try.
Vijay Prabhu reports:
If you thought biometrics was the ultimate weapon of authentication, you may be proved wrong by Starbug. German researcher Jan Krissler, aka Starbug is a hacker whose claim to fame is breaching Apple’s TouchID and recreating the German defense minister’s thumbprint from a high-res image.
Starbug has revealed that he can now decode anyone’s smartphone PIN code from any selfie “image” of the owner.
Starbug and his colleagues have extracted the reflection of smartphone screens in the eye whites of “selfie” subjects, then used ultra-high resolution image techniques to extract the user’s PIN code. Starbug presented his discovery at the Biometrics 2015 conference in London.
Read more on TechWorm.




Perspective. You have to store all that “Big Data” somewhere. Just think how much information could be compromised by losing just one of these cartridges.
Data Storage: Does High Capacity Create Big Problems?
… HP, IBM and Quantum, the companies behind LTO, have confirmed that next gen cartridges will offer up to 15TB of compressed data storage, and published the specifications for third-party manufacturers.
And it's not just LTO tape technology that is seeing an explosion in capacity: last year Sony announced tape technology that could result in tape cartridges with a capacity of 185TB, while in April IBM and Fujifilm demonstrated new technologies that cram 123 billion bits in a square inch of tape, equivalent to an LTO tape cartridge holding 220TB.


(Related)
How Do You Store A Zettabyte?
Storage capacity is growing at unprecedented rates. So Aaron Ogus, Partner Development Manager at Microsoft Azure, posed an interesting question at this month’s 7th annual Global IT Executive Summit hosted by Fujifilm in Los Angeles: how do you store a zettabyte (ZB) of data?
This is more than an academic exercise for his company. He deals with cloud storage and currently stores exabytes (EB) of data on millions of hard disk drives (HDDs) for his cloud storage. When he began in 2007, the company used four 750 GB HDDs inside 1U servers.




Just a quick update on a slow process.
It started off at a decent pace a month ago with regular newsworthy statements and events making the headlines, but this week the extradition hearing of Kim Dotcom appeared to drop into a much lower gear.
The hearing, which will determine whether Kim Dotcom, Mathias Ortmann, Finn Batato and Bram van der Kolk are extradited to the United States, got underway in September. However, legal argument has persistently bogged the hearing down, with repeated claims by the defendants that the U.S. government is doing everything possible to prevent them from engaging in a fair fight.
… After claiming that the U.S. seizure of the defendants’ funds made it impossible to hire expert witnesses in the United States, Dotcom’s lawyer Ron Mansfield asked the court to consider submissions as to why the case should be paused or even thrown out altogether.
While those have been underway for some days now, according to 3News lawyers for Dotcom and his former associates are now expected to make further submissions on additional points. Allowing for a response from the Crown, that process could take several more weeks to complete.
… lawyer Grant Illingworth, who represents Mathias Ortmann and Bram van der Kolk, was present today. He warned the court that the U.S. interpretation of extradition law threatened to make Judge Nevin’s considerations almost irrelevant.
“[The U.S. is seeking to] reduce your honor’s role to a mere rubber-stamping exercise. The US [approach] would render the extradition process largely meaningless,” he told the Judge.


Monday, October 19, 2015

Once upon a time, we would roll tanks to the border to express our annoyance. What is the Cyberspace equivalent?
Cyberspace Becomes Second Front in Russia’s Clash With NATO
… Along with reported computer breaches of a French TV network and the White House, a number of attacks now being attributed to Russian hackers and some not previously disclosed have riveted intelligence officials as relations with Russia have deteriorated. These targets include the Polish stock market, the U.S. House of Representatives, a German steel plant that suffered severe damage and The New York Times.
U.S. officials worry that any attempt by the Russian government to use vulnerabilities in critical infrastructure like global stock exchanges, power grids and airports as pressure points against the West could lead to a broader conflict...




I think we need to create a Best Practices guide for organizations (and their lawyers).
Andrew Sadauskas reports:
In the immediate aftermath of a security breach, companies should ensure they don’t use weasel words and have in place strong internal communications and clearly-defined staff guidelines, according to Atlassian head of security intelligence Daniel Grzelak.
Read more at ITNews. Why? Because I actually agree with pretty much everything he advises, and if more companies took his advice, there’d be a lot less snark on my blog. [and on mine! Bob]


(Related) But this is not always possible. Consider hiding it in other news like Target did by announcing their breach on the day President Obama was inaugurated. It almost worked!
Christopher Escobedo Hart writes that a well-handled breach can actually improve a company’s bottom line.
A recent study goes a step further, suggesting that if handled well a data breach can actually help the bottom line. This counter-intuitive conclusion, conducted by Sebastian Gay at the University of Chicago, is based on data from breaches occurring between 2005-2014. The paper finds that “firms manage to avoid the full negative effect of a privacy breach event disclosure by releasing on the same day an abnormal amount of positive news to the market.” In other words, sometimes companies have maintained a store of “good news” that they bundle together and release at around the same time that they disclose a data breach, which not only offsets the negative effect of the bad news of a data breach, but actually increases the bottom line.
Read more on Foley, Hoag Security, Privacy and the Law.




See? It's not just Hillary, it's anyone who is computer illiterate.
From the yeah-this-probably-needs-to-be-investigated dept.:
Hillary Rodham Clinton’s e-mail scandal didn’t stop the head of the CIA from using his own personal AOL account to stash work-related documents, according to a stoner high-school student who claims to have hacked into them.
CIA Director John Brennan’s private account held sensitive files — including his 47-page application for top-secret security clearance — until he recently learned that it had been infiltrated, the hacker told The Post.
Other e-mails stored in Brennan’s non-government account contained the Social Security numbers and personal information of more than a dozen top American intelligence officials, as well as a government letter about the use of “harsh interrogation techniques” on terrorism suspects, according to the hacker.
Read more of this report by Philip Messing, Jamie Schram and Bruce Golding on NY Post.
The Twitter accounts being used to disclose the hack, @phphax (“Cracka”) and @_CWA_ are still online this morning, as are files purporting to be Brennan’s email contact list and call logs of Avril Haines, the White House Deputy National Security Advisor.
Assuming, for now, that these reports are accurate, I’m not sure what this will do to the brouhaha over Clinton’s private email server.
[From the Post article:
… The FBI and other federal agencies are now investigating the hacker, with one source saying criminal charges are possible, law enforcement sources said.
“I think they’ll want to make an example out of him to deter people from doing this in the future,” said a source who described the situation as “just wild” and “crazy.”
“I can’t believe he did this to the head of the CIA,’’ the source added. “[The] problem with these older-generation guys is that they don’t know anything about cybersecurity, and as you can see, it can be problematic.”




Confusing. How will they differentiate between “nation-state” and “teenager working for a nation-state?” Is this a small/medium/huge problem?
Facebook to Warn Users of State Sponsored Attacks
According to the social network, users will be informed on any suspected compromise from an attacker believed to be working on behalf of a nation-state. The company is already monitoring accounts for potentially malicious activity while offering users the possibility to proactively secure their accounts, and the new security measure is building on this foundation.
In addition to a warning on the possible malicious activity, Facebook will provide users with the possibility to turn on Login Approvals, which would ensure that third parties cannot log into a user’s account. As soon as the account is accessed from a new device or browser, the user receives a security code on the phone, so that only they can log in.
Alex Stamos, Chief Security Officer at Facebook, explains in a blog post that the warnings are not being sent out because Facebook's platform or systems have been compromised, but that user’s computer or mobile device might have been infected with malware.




Interesting. I can neither confirm nor deny... Mathematically, this might not be as difficult as you might think.
How is NSA breaking so much crypto?
There have been rumors for years that the NSA can decrypt a significant fraction of encrypted Internet traffic. In 2012, James Bamford published an article quoting anonymous former NSA officials stating that the agency had achieved a “computing breakthrough” that gave them “the ability to crack current public encryption.” The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand.
However, the documents do not explain how these breakthroughs work, and speculation about possible backdoors or broken algorithms has been rampant in the technical community. Yesterday at ACM CCS, one of the leading security research venues, we and twelve coauthors presented a paper that we think solves this technical mystery.
… For the nerds in the audience, here’s what’s wrong: If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn’t just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to “crack” a particular prime, then easily break any individual connection that uses that prime.
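The shared-prime problem in toy form, as an added example that is not part of the article or the Logjam paper: the prime, generator and helper names are constructed for illustration, and a full discrete-log table stands in for the number field sieve precomputation, so the economics (pay once per prime, then every exchange over that prime is cheap) are the same while the group is small enough to run instantly.

```python
import secrets


def precompute_log_table(p, g):
    """One-time cost per prime: tabulate x for every g^x mod p.
    For a real 1024-bit prime this step is the number field sieve
    precomputation the paper describes; here p is tiny, so a full
    table is an honest stand-in for it."""
    table = {}
    val = 1
    for x in range(p - 1):
        table[val] = x
        val = val * g % p
    return table


def dh_keypair(p, g):
    """Honest party: random private exponent and its public value."""
    x = secrets.randbelow(p - 2) + 1  # 1 <= x <= p-2
    return x, pow(g, x, p)


def recover_shared_secret(table, p, pub_a, pub_b):
    """Per-connection cost after precomputation: one table lookup
    (the discrete log of one public value) plus one modular exponentiation."""
    a = table[pub_a]
    return pow(pub_b, a, p)


def break_many_exchanges(p, g, n):
    """Run n independent DH exchanges over the same group and show that a
    single precomputation recovers every shared secret. Returns the number
    of secrets recovered, which should equal n."""
    table = precompute_log_table(p, g)  # paid once, not once per exchange
    recovered = 0
    for _ in range(n):
        a, pub_a = dh_keypair(p, g)
        b, pub_b = dh_keypair(p, g)
        true_secret = pow(pub_b, a, p)
        assert true_secret == pow(pub_a, b, p)  # both sides agree
        if recover_shared_secret(table, p, pub_a, pub_b) == true_secret:
            recovered += 1
    return recovered


def precomputations_needed(groups):
    """Defender's view: the attacker pays once per distinct prime. Servers
    that each generate their own group force one precomputation each;
    servers sharing a hard-coded prime cost the attacker one in total."""
    return len({p for p, _ in groups})


# Constructed toy group: 65537 is prime and 3 generates its full
# multiplicative group. Real deployments need groups of at least 2048 bits
# (and ideally per-server parameters) for the precomputation not to pay off.
P, G = 65537, 3

if __name__ == "__main__":
    print("secrets recovered with one precomputation:",
          break_many_exchanges(P, G, 5))
    print("precomputations needed, 3 servers sharing P:",
          precomputations_needed([(P, G)] * 3))
```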




“As long as you are volunteering that data, you won't mind if we copy it into our criminal database, right?” Have we paid for DNA testing or have we agreed to add our DNA to their database forever?
Cops are asking Ancestry.com and 23andMe for their customers’ DNA
When companies like Ancestry.com and 23andMe first invited people to send in their DNA for genealogy tracing and medical diagnostic tests, privacy advocates warned about the creation of giant genetic databases that might one day be used against participants by law enforcement. DNA, after all, can be a key to solving crimes. It “has serious information about you and your family,” genetic privacy advocate Jeremy Gruber told me back in 2010 when such services were just getting popular.
Now, five years later, when 23andMe and Ancestry both have over a million customers, those warnings are looking prescient. “Your relative’s DNA could turn you into a suspect,” warns Wired, writing about a case from earlier this year, in which New Orleans filmmaker Michael Usry became a suspect in an unsolved murder case after cops did a familial genetic search using semen collected in 1996. The cops searched an Ancestry.com database and got a familial match to a saliva sample Usry’s father had given years earlier. Usry was ultimately determined to be innocent and the Electronic Frontier Foundation called it a “wild goose chase” that demonstrated “the very real threats to privacy and civil liberties posed by law enforcement access to private genetic databases.”
… As NYU law professor Erin Murphy told the New Orleans Advocate regarding the Usry case, gathering DNA information is “a series of totally reasonable steps by law enforcement.” If you’re a cop trying to solve a crime, and you have DNA at your disposal, you’re going to want to use it to further your investigation. But the fact that your signing up for 23andMe or Ancestry.com means that you and all of your current and future family members could become genetic criminal suspects is not something most users probably have in mind when trying to find out where their ancestors came from.
“It has this really Orwellian state feeling to it,” Murphy said to the Advocate.
If the idea of investigators poking through your DNA freaks you out, both Ancestry.com and 23andMe have options to delete your information with the sites. 23andMe says it will delete information within 30 days upon request.




This could cause a few problems. Imagine schools introducing technology that does a good job teaching students but fails to meet the state's standards. They buy the technology and then most of their students won't use it.
Rich Lord reports:
The homework assignments, essays, musings and instant messages today’s students are entering into educational websites and applications would be subject to new data privacy standards under legislation introduced today in Harrisburg.
State Rep. Dan Miller, D-Mt. Lebanon, and Tedd Nesbit, R-Grove City, have introduced two bills that would stop short of outlawing controversial data practices, but would require that districts inform parents if they use technology that doesn’t meet the standards, and allow students to opt out.
Read more on Government Technology.
[From the article:
Nearly two-thirds of the districts could show no process for vetting the privacy policies of education technology vendors. Only eight systems could show that they were training teachers to protect student data.
Most of the vendors had no provision for deleting unneeded student data or protecting it in a corporate acquisition or bankruptcy sale, and only a tiny minority pledged to notify schools in the event of a data breach.




I don't see this as a problem for quite some time. (Except for TV game shows)
The End of Expertise
… Talk to people in such professional service industries as private banking, auditing, consulting, even engineering, and you begin to hear concerns about the commoditization of professional knowledge.
… Increasingly, tax preparation is being automated, and even auditing is going the way of algorithmic review and big data “sweeps” instead of sampling. Artificial intelligence is writing much of the content that you’re reading (although not this!), and Jancis Robinson, the wine expert and writer, recently wrote that she has “gone from being a unique provider of information to having to fight for attention.”




Interesting blog post. I've been looking for a follow-up to Paul David's “The Dynamo and the Computer” I think this might be it. Interesting read anyway.
The Deployment Age
A couple of weeks ago James Gross, co-founder of Percolate, had me speak at their Transition conference. I talked about Carlota Perez, her theories, and the transition to the deployment period that we are currently undergoing. The talk, as I remember it, (plus some stuff I had to cut for time) is below. I’ve also added some additional material as sidenotes.
Perez’ theory describes the path a technological revolution, like the Industrial Revolution, takes and the social, economic and institutional changes that go along with it. The jury is still out on the theory, and there are plenty of reasons to doubt it. But if it successfully predicts what happens over the next ten years it will have in good part proved its power.




Do you think this will upset my Computer Security students?
Google is recording your voice and questions
by Sabrina I. Pacifici on Oct 18, 2015
“Google searches are like a stream of consciousness. We plug every idle curiosity, every thought, and every question into the search engine. Google has always kept careful record of these searches, which helps sell ads. But Google also keeps an audio log of the questions you ask its voice search function, OK Google, and now you can listen to those recordings online. Back in June, Google launched a new portal for all Google account-related activities. It’s where you can manage your privacy settings, see what you’ve searched for, and where Google has logged your location. The Guardian pointed out Oct. 12 that these archives include a section for voice searches, and it’s a little unnerving to listen to every silly thing you’ve asked since the service launched…”
  • Note to self and others – everything you say and do via digital devices is collected – by various organizations for reasons ranging from marketing to surveillance. We have automatically been opted-out of “privacy.” And it is always a good idea to seek the assistance of a Librarian – in person is a bonus – we listen to and respond to questions on a mind boggling range of issues, with expertise, and without an agenda.




For my Math students.
The 20 Websites You Need to Learn Math Step by Step