Saturday, October 31, 2015

Interesting to me that Forbes runs an article like this. Perhaps there is hope for corporate America! Makes me even less impressed with organizations (like TalkTalk) that don't bother encrypting their data.
Tor Releases Private IM Tool -- Here's An Idiot's Guide To Using Encrypted Messaging
The Tor Project announced an instant messaging tool today, Tor Messenger.
Though not perfect, it’s ideal for anyone looking for an IM tool designed with privacy in mind, as it not only encrypts communications, but routes users through the Tor network, made up of different “hops” or relays, to hide their original IP addresses. Logging is disabled by default too, so there should be no record of conversations.
Most web users aren’t, of course, au fait with the nitty gritty of cryptographic communications. But it’s now remarkably straightforward to set up encrypted instant messaging and not too tricky to do so with a good degree of security.




That's education! (Sung to the tune: “That's entertainment”)
Hack Education Weekly News
… California has become the first state to ban schools from using “Redskins” as a team name or mascot.
… The US Department of Education has proposed “a new regulation that would require any new intellectual property developed with grant funds from the department to be openly licensed,” says Education Week.
… Using her cellphone, a student at Spring Valley High School in Columbia, South Carolina, videotaped a school resource officer violently throwing a fellow student, a young black woman, to the ground, purportedly because she refused to comply quickly enough with her teacher’s demand that she put her phone away. Both students were arrested. The video – horrific – went viral. Ben Fields, the sheriff’s deputy, was subsequently fired. More, via The Atlantic, on “Race and Discipline in South Carolina Schools.”
Via The Atlantic: “The Law-School Scam Continues.” (More, via The NYT, on a study that has discovered schools are admitting students who are unlikely to ever pass the bar.)
… The Harvard Law Library is digitizing some 40 million pages of its collection, with the intention of making “a complete, searchable database of American case law that will be offered free on the Internet, allowing instant retrieval of vital records that usually must be paid for.”
… “Can a Professor Be Forced to Assign a $180 Textbook?” More on the controversy in the math department at Cal State Fullerton in The LA Times.
… “Stratford University, a for-profit institution based in Virginia, this week announced that it has become a public benefit corporation,” Inside Higher Ed reports.


Friday, October 30, 2015

This does not sound good. Replacing cards suggests the breached information has been used to extract cash. Why is everyone else claiming ignorance?
Cole Epley reports:
A large data breach at an unidentified, national business has prompted First National Bank of Omaha to issue new debit cards to customers in seven states.
The Omaha-based bank with operations in Nebraska, Illinois, Iowa, South Dakota, Kansas, Colorado and Texas recently sent new cards to customers with a letter explaining that its routine fraud-monitoring efforts had determined those customers’ cards were at risk of being compromised due to that breach.
Read more on Omaha.com
[From the article:
“The company affected, the card networks and investigators are still working to determine the extent of the exposure,” Langin said.
Citing the ongoing investigation, he wouldn’t say exactly how many customers were affected. Only debit cards are being reissued, not credit cards.
… Langin said he expects the issue also will affect other banks. Large metro-area institutions, including Mutual of Omaha Bank, SAC Federal Credit Union, Wells Fargo, Pinnacle Bank and Great Western Bank, all said they were not yet aware of any such breaches. [Very strange. Bob]




Update. If this breach was caused by a couple of kids poking at their security, imagine what a serious player could do.
There’s been a second arrest in the TalkTalk data breach case. And again, it’s a teenager that’s been arrested. Police confirmed that an unnamed 16-year-old male from Feltham, West London, was arrested on charges under the Computer Misuse Act. He’s out on bail now.
Read more on Bit-Tech.
If TalkTalk wants to argue its data security is appropriate and they had no obligation to encrypt data, how will they respond to those who would point out that they’re getting hacked by kids?




No doubt the FBI will view this as a tool for uncatchable criminals. Everyone else may view it as a tool to avoid the minions of the surveillance state.
Tor Messenger Beta: Chat over Tor, Easily
Today we are releasing a new, beta version of Tor Messenger, based on Instantbird, an instant messaging client developed in the Mozilla community.

What is it?

Tor Messenger is a cross-platform chat program that aims to be secure by default and sends all of its traffic over Tor. It supports a wide variety of transport networks, including Jabber (XMPP), IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and others; enables Off-the-Record (OTR) Messaging automatically; and has an easy-to-use graphical user interface localized into multiple languages.




Tin foil hat time! Imagine Big Brother giving everyone a surveillance device cleverly disguised as a tool to connect your laptop to the Internet…
From Daily Mail:
Using a wireless transmitter fitted behind a wall, computer scientists have developed a device that can map a nearby room in 3D while scanning for human bodies. Using the signals that reflect off these people, the device creates an accurate silhouette (pictured) and can even use this silhouette to identify who that person is.
The device is called RF Capture and it was developed by researchers at MIT’s Computer Science and Artificial Intelligence Lab (CSAIL).
Read more on Daily Mail.




I'll add this to my collection.
Guiding Principles on Privacy and Security of Personal Wellness Data
by Sabrina I. Pacifici on Oct 29, 2015
Consumer Electronics Association: “Wellness-related wearable devices represent one of the fastest-growing segments of the Internet of Things. Consumers now harness data about themselves — calories, steps, heart rate, and more — to improve their well-being. In the future, these devices will tell consumers even more about themselves, providing analytics and insights that will empower them to lead richer and healthier lives. Society also will benefit as we develop sophisticated tools to research health and wellness on an aggregated basis. All of these benefits depend on the collection and use of data, some of which can be considered personal or sensitive. Companies in the health and fitness ecosystem understand that they must be good stewards of that data to maintain consumer trust. With trust in mind, these Guiding Principles (“Principles”) articulate the Consumer Electronics Association’s (“CEA”) recommendations for voluntary best practices that mitigate risks that consumers may perceive with respect to personal wellness data. These Principles articulate practices that can be followed by a broad variety of companies in the health and fitness wearable ecosystem. If adopted, they may help companies obtain and maintain consumer trust. Since the Principles are baseline recommendations, companies following them will retain flexibility on how to implement them, accounting for each company’s unique combination of products, services, and users.”




A most formidable task. Consider drones created on a 3D printer or those stuffed in Christmas stockings. If junior is orbiting his drone around the Christmas tree, will SWAT teams break down doors to put a stop to his criminal activity? Will it be a crime to interfere with drones delivering your purchases?
Google, Amazon and Wal-Mart join FAA drone task force
… At a NASA-run conference in Silicon Valley in July, Vos proposed that every drone, including those flown by hobbyists for pleasure, constantly transmit its identification and location so airspace access and collision avoidance can be managed by computer.
He envisioned drone users entering a flight plan and getting approval before any flight took place. It's a self-serving proposal, because Google wants a high degree of computer control so it can efficiently and quickly deliver packages via drone.




Perspective. The world is carrying all the computing power it wants in its back pocket.
Technology Device Ownership: 2015
Today, 68% of U.S. adults have a smartphone, up from 35% in 2011, and tablet computer ownership has edged up to 45% among adults, according to newly released survey data from the Pew Research Center. Smartphone ownership is nearing the saturation point with some groups: 86% of those ages 18-29 have a smartphone, as do 83% of those ages 30-49 and 87% of those living in households earning $75,000 and up annually.
At the same time, the surveys suggest the adoption of some digital devices has slowed and even declined in recent years.




Interesting?
McKinsey Quarterly 2015 Number 3
by Sabrina I. Pacifici on Oct 29, 2015
“Introduces McKinsey’s metric for a company’s digital maturity: the Digital Quotient. Also examines a new approach to business-model innovation, simple rules for breakthrough ideas, and a guide to machine learning.” Issue contents:
Digital Quotient
• Raising your Digital Quotient
• An executive’s guide to machine learning
• Repelling the cyberattackers
• Getting a sharper picture of social media’s influence




Something I'll add to my Math classes. Not too simple nor too complex for my students, I hope.
An Illustrated Mathematics Dictionary
Math is Fun is a free website that offers math games, puzzles, and tutorials. One of the tutorial resources that they offer is an illustrated mathematics dictionary. The Math is Fun dictionary offers more than 700 definitions of mathematics terms. All of the definitions include an illustration. Nearly 200 of the definitions include an animation. Some of the animations are interactive tutorials.




I love it! A tool to hone my rudeness!
How Rude Are Your Emails? Get Rated From 0 to 100 Now
… Using the Politeness Checker by FoxType Labs, you can check the “politeness rating” of any particular phrase, which can be instrumental in maintaining good relationships with your friends, family, and coworkers. For now, it only works in English.
Of course, this tool can be used for more than just email, but they provide a free Gmail plugin that can quickly scan and rate your emails before you send them out. The tool provides suggestions on rewriting sentences to have a better tone.


Thursday, October 29, 2015

Unfortunately, a common story. Something for my Computer Security students to consider: Security didn't prevent the breach – it even failed to detect it.
13 Million Passwords Leaked From Free Hosting Service
Hackers have stolen more than 13 million user records from the systems of free web hosting service 000webhost, a security expert reported on Wednesday.
Troy Hunt, the owner of the Have I Been Pwned service, which allows users to learn if and where their personal data has been compromised, was contacted by someone claiming that names, email addresses, and plaintext passwords associated with 13 million 000webhost accounts had been leaked online several months ago. The expert later learned that the breach might have occurred as early as March.
After analyzing the data and speaking to several 000webhost.com account owners, Hunt determined that the leak is most likely genuine. The expert also analyzed the website and identified poor security practices, including the storing of passwords in plain text, and the lack of a secure connection when logging in to accounts.
Hunt attempted to contact the breached company many times over a period of several days, but he didn’t manage to get his message through. The owners of 000webhost only admitted being hacked after Hunt published a blog post describing his experience and the story was picked up by the media.




Strange. Nice to see they found this themselves. Stranger still that they deny the data came from their systems even though you can log on to their systems using the passwords. Aren't they even a bit suspicious?
Barry Cooper reports:
More than two thousand British Gas customers have had their personal details posted online after a security breach.
The energy firm has moved to reassure the 2,200 customers affected that despite email addresses and account passwords being placed online, their bank account information has not been put at risk.
While no credit card information was visible, anybody choosing to log in would have been able to see previous statements, user addresses and other information relating to the customer’s energy account.
The data was made available on file sharing website Pastebin, but was removed and only impacted upon a relatively small number of British Gas’ 17 million customers.
To their credit, British Gas discovered the paste themselves through routine checks. But as significantly, they report that the data posted online does not appear to come from their databases. BBC reports:
It says, however, that it does not think its own systems were breached.
[…]
An email sent to affected customers states: “I can assure you there has been no breach of our secure data storage systems, so none of your payment data, such as bank account or credit card details, have been at risk.
“As you’d expect, we encrypt and store this information securely.
“From our investigations, we are confident that the information which appeared online did not come from British Gas.”




Note that this does not mean they are transparent about the data they collect.
ODNI – The Principles of Intelligence Transparency
by Sabrina I. Pacifici on Oct 28, 2015
“The Principles of Intelligence Transparency – In February 2015, the Director of National Intelligence (DNI) published the Principles of Intelligence Transparency for the Intelligence Community (Principles). These Principles are intended to facilitate Intelligence Community (IC) decisions on making information publicly available in a manner that enhances public understanding of intelligence activities, while continuing to protect information when disclosure would harm national security.




Are we narrowing in on a definition of Privacy?
Regulating Real-World Surveillance
by Sabrina I. Pacifici on Oct 28, 2015
Kaminski, Margot E., Regulating Real-World Surveillance (October 27, 2015). Washington Law Review, Vol. 9, No. 113, 2015; Ohio State Public Law Working Paper No. 316. Available for download at SSRN: http://ssrn.com/abstract=2681128
“A number of laws govern information gathering, or surveillance, by private parties in the physical world. But we lack a compelling theory of privacy harm that accounts for the state’s interest in enacting these laws. Without a theory of privacy harm, these laws will be enacted piecemeal. Legislators will have a difficult time justifying the laws to constituents; the laws will not be adequately tailored to legislative interest; and courts will find it challenging to weigh privacy harms against other strong values, such as freedom of expression. This Article identifies the government interest in enacting laws governing surveillance by private parties. Using social psychologist Irwin Altman’s framework of “boundary management” as a jumping-off point, I conceptualize privacy harm as interference in an individual’s ability to dynamically manage disclosure and social boundaries. Stemming from this understanding of privacy, the government has two related interests in enacting laws prohibiting surveillance: an interest in providing notice so that an individual can adjust her behavior; and an interest in prohibiting surveillance to prevent undesirable behavioral shifts. Framing the government interest, or interests, this way has several advantages. First, it descriptively maps on to existing laws: These laws either help individuals manage their desired level of disclosure by requiring notice, or prevent individuals from resorting to undesirable behavioral shifts by banning surveillance. Second, the framework helps us assess the strength and legitimacy of the legislative interest in these laws. Third, it allows courts to understand how First Amendment interests are in fact internalized in privacy laws. And fourth, it provides guidance to legislators for the enactment of new laws governing a range of new surveillance technologies — from automated license plate readers (ALPRs) to robots to drones.”




Research the RIAA and MPAA will simply ignore. (Begs the question: Are pirates 1 out of 47 users?)
With the option to stream millions of tracks supported by an occasional ad, or free of ads for a small subscription fee, Spotify appeared to be a serious competitor to unauthorized downloading.
While there has been plenty of anecdotal support for this claim, actual research on the topic has been lacking. A new study published by the European Commission’s Joint Research Centre aims to fill this gap.
In the study researchers Luis Aguiar (IPTS) and Joel Waldfogel (NBER) compare Spotify streaming data to download numbers from the 8,000 pirated artists on torrent sites, as well as legal digital track sales.
… “According to these results, an additional 47 streams reduces by one the number of tracks obtained without payment,” the paper reads (pdf).




Breaking away from the hype?
How People Are Actually Using the Internet of Things
… We did an open-source analysis of IoT user behavior, looking at 1,000 IoT technology platforms and services and more than 279,000 early adopter interactions with IoT devices. We found that consumers want an IoT that provides personalized services that can be adapted to different contexts. As with the Industrial IoT, the human IoT promises to be transformative.




Useful?
Screenr is Closing - Try Screencast-o-Matic
Earlier today I wrote a post about screencasting tools. In that post I included Screenr. A couple of hours later I received an email from Screenr announcing that they are shutting down on November 11th. Screencast-o-matic is my recommendation for a Screenr replacement.
Screencast-O-Matic is available in a free version and a pro version. The free version allows you to record for up to fifteen minutes at a time (that is plenty of time for most screencasts), publish to YouTube in HD, and save videos to your computer as MP4, AVI, and FLV files. The pro version ($15/year) includes video editing tools, unlimited recording lengths, a script tool, and removal of the Screencast-O-Matic watermark. Both versions of Screencast-O-Matic include a highlighted circle around your cursor so that viewers can easily follow your movements on the screen. A webcam recording option is included in the free and pro versions of Screencast-O-Matic.
Screencast-O-Matic can be used for creating how-to videos or simple flipped lesson videos in which you record yourself talking over a set of slides.




All my students should be using something like this (for the duration of my classes at least).
How to Create RSS Feeds for Google Search Results
Google Alerts, you probably know this, offer an easy way for you to create RSS feeds from the Google search results of any query. This is a good option if you are looking to monitor when new web pages are indexed by Google that match your search query.




Not during class, please.
8 Awesome Paid Mobile Games You Can Download for Free
… All of the games here work on both Android and iOS, and are now free for life—not for a limited period. “Free” still means some sacrifices sometimes, like ads or limited plays, but you still get a full game without having to pay a dime for it.


(Related)
6 Classic Board Games You Can Play on Your Phone




What a relief! I thought my students hated me.
12 Reasons Why People Are STILL Ignoring Your Emails


Wednesday, October 28, 2015

Why bother? Perhaps to distract the security folks while they try to infect the computers of anyone who could influence the court's opinion? Just saying.
Jason Healey and Anni Piiparinen report:
Attribution for cyberattacks is said to be notoriously difficult, but sometimes context and timing are damning evidence.
In July, the Permanent Court of Arbitration in The Hague conducted a hearing on the territorial dispute in the South China Sea between the Philippines and China. On the third day of the hearing, the Court’s website was suddenly knocked offline. The attack, made public by Bloomberg last week, reportedly originated from China and infected the page with malware, leaving anyone interested in the landmark legal case at risk of data theft.
Read more on The Diplomat.




Update: “Yes we failed to keep to our (privacy policy) contract with you, but that is a “real” contract. We think of this as 'shooting the rats as they abandon ship.'”
From the if-they-have-a-PR-firm-are-they-even-listening-to-them dept:
TalkTalk is becoming the poster child for poor PR and how NOT to respond after a data breach.
In today’s installment, the BBC reports that the firm will only waive contract termination fees if the customer has had money stolen from them.
“In the unlikely event that money is stolen from a customer’s bank account as a direct result of the cyber-attack [rather than as a result of any other information given out by a customer], then as a gesture of goodwill, on a case-by-case basis, we will waive termination fees,” the company said on its website.


(Related)
From Out-Law.com:
The Information Commissioner’s Office (ICO) in the UK cannot force companies to pay compensation to consumers affected by a data breach, the watchdog has confirmed.
On Monday, the UK’s culture minister Ed Vaizey told MPs in the House of Commons that it would be “a matter for the Information Commissioner’s Office and TalkTalk to decide on any appropriate levels of compensation” due to customers in relation to the data breach experienced by the telecoms provider.
Read more on Out-Law.com.




Perhaps he misunderstands (deliberately?). The idea is, “the best defense is a good offense,” not, “The best defense is an indefensible, attention-grabbing rant.” Please excuse me while I go on my own rant.
CIA Chief 'Outraged' by Personal Email Hack
CIA chief John Brennan said Tuesday he was "outraged" that hackers broke into his personal email account, and faulted the media for its coverage of the incident. [Remember, we're talking one 15 year old... I'd say he is embarrassed to have been beaten so easily. Bob]
"I was certainly concerned about what people might try to do with that information," [But not enough to adequately secure it. Bob] he told a conference on national security in Washington, criticizing the media for "giving air to what is criminal activity." [“How dare they tell everyone how incompetent I am!” Bob]
"Because of some things that were put out, the implication of the reporting was that I was doing something wrong or inappropriate or in violation of my security responsibility, which was not certainly the case," he said. [In actuality, merely stupid. Bob]




To arms, Privacy advocates! Meet me at the skeet range for practice. No doubt Colorado's “make my day” law will cover me too. (Digest Item #1)
Is it Legal to Shoot Down Drones?
It may now be legal to shoot a drone out of the sky. At least in certain cases. This is according to Judge Rebecca Ward of the Bullitt County District Court, who recently dismissed all the charges against the so-called “Drone Slayer”. The question really is whether the drone is invading your privacy, which is where ambiguity over the lawfulness of shooting at drones still exists.
According to Ars Technica, Judge Ward has dismissed all charges against William Meredith, a man from Kentucky who shot a drone down because it was hovering over his property. Meredith was initially charged with firing his gun within city limits, and David Boggs, the owner and pilot of the drone was none too happy to have it shot down.
The question over whether this drone was invading Meredith’s privacy came down to its proximity to the property. Boggs claims the drone was flying 200 feet above the ground, and claims to have video evidence of this. Meredith claims the drone was flying “below the tree line,” and called three witnesses who testified on his behalf.
Boggs is planning to file a civil lawsuit, but the verdict in this case could be used as a precedent in cases where drones get shot down by gun-toting citizens concerned for their safety. While the shooter won out on this occasion, there is still a huge legal gray area hovering over the issue of drone technology. So please don’t take our headline as a call to arms. [Too late. Bob]




For my Computer Security students. 95% are deliberately less secure?
What's the Disconnect with Strict Transport Security?
Even the average Joe is starting to understand that encryption is important. If Joe doesn’t use HTTPS, an attacker can see or hijack his browser session. Session hijacking isn’t a theoretical threat: Over 5 years ago (an eternity in the #infosec world), Eric Butler released the Firesheep session hijacking tool and used Facebook as a target example. Sitting in a coffee shop, an attacker could use Firesheep to steal Joe’s Facebook session cookie and then “own” Joe’s account. Butler’s Firesheep website makes it clear: “On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.”
Network administrators and architects certainly got the hint. Facebook went all-HTTPS shortly after. So did Twitter. Netflix is even talking about going all-HTTPS. Yay for encryption! Instagram made the mistake of initially encrypting only their login page. When talk of an “Instasheep” tool surfaced they, too, switched to all-HTTPS.
That’s why it’s so puzzling that adoption rate of HTTP Strict Transport Security (HSTS) remains so low at only 4.7 percent.
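As an added example (not code from the article or from Firesheep), here is a small Python checker that grades a response's Strict-Transport-Security header and the Secure flag on its cookies, run over constructed sample headers; the one-year minimum max-age is an assumption, not something the article states.

```python
"""Added example: grade a response's transport-security posture.

Given a response's header lines (constructed samples below, not captured from
any real site), this reports whether Strict-Transport-Security (HSTS) is
present and strong enough, and whether session cookies carry the Secure flag
that would keep a Firesheep-style sniffer on open Wi-Fi from ever seeing them.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: one year is used as the minimum meaningful max-age, a common
# deployment recommendation (and the floor for browser preload lists).
MIN_MAX_AGE = 31536000


@dataclass
class HstsReport:
    present: bool = False
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsReport:
    """Parse an HSTS header value (RFC 6797 directive syntax) and grade it."""
    report = HstsReport(present=True)
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name in seen:  # RFC 6797: a repeated directive invalidates the header
            report.findings.append(f"duplicate directive '{name}'")
            continue
        seen.add(name)
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())
            if m:
                report.max_age = int(m.group(1))
            else:
                report.findings.append("max-age value is not a non-negative integer")
        elif name == "includesubdomains":
            report.include_subdomains = True
        elif name == "preload":
            report.preload = True
        # any other directive is ignored, as the RFC requires
    if report.max_age is None:
        report.findings.append("max-age missing: browsers ignore the whole header")
    elif report.max_age == 0:
        report.findings.append("max-age=0 tells browsers to forget the policy, not enforce it")
    elif report.max_age < MIN_MAX_AGE:
        report.findings.append(f"max-age {report.max_age}s is below {MIN_MAX_AGE}s")
    if not report.include_subdomains:
        report.findings.append("includeSubDomains absent: subdomains stay reachable over plain HTTP")
    return report


def check_response(headers: List[Tuple[str, str]]) -> HstsReport:
    """Grade HSTS plus the Secure flag on every Set-Cookie in a response."""
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if hsts:
        report = parse_hsts(hsts[0])
    else:
        report = HstsReport(findings=["no Strict-Transport-Security header: the first "
                                      "request after typing the bare hostname goes over HTTP"])
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        cookie_name = v.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in v.split(";")[1:]}
        if "secure" not in attrs:
            report.findings.append(f"cookie '{cookie_name}' lacks Secure: it rides on plain-HTTP requests too")
    return report


# Constructed sample responses (not from any real service).
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        r = check_response(resp)
        print(f"{label}: {len(r.findings)} finding(s)")
        for f in r.findings:
            print("  -", f)
```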


(Related) Encryption is everywhere.
Sean Lawless of Robinson & Cole writes:
With the release of Android 6.0, code name Marshmallow, Google has mandated that OEMs (Original Equipment Manufacturers) enable full disk encryption. Google is requiring that the feature be enabled as part of the ‘out of box experience’ for customers setting up new mobile devices. Google previously attempted to do the same for Android 5.0, code name Lollipop, but due to performance issues on some manufacturers’ devices, eased their requirement. Regarding Android 6.0, even if the customer skips setting the secure lockscreen, the device will encrypt using a default PIN.
Apple has mandated partial or full disk encryption since iOS version 8.
Read more on JDSupra.




Also for my Computer Security students. This seems to support my opinion that it may not be smart to look for cheap “breach prevention” jobs; look instead for the “now that you've been breached” jobs. They pay better and you'll never want for work.
The Harsh Truth of the Cybersecurity Talent Gap
Everyone is talking about the shortage in security talent. Literally, everyone. It’s not for naught though, when you look at the sheer volume of open positions out there. We must have a talent shortage, right?
I believe that somewhere beneath the hype and panic the answer is yes. But there is a harsh truth that very few people are willing to talk about. First and foremost, the talent shortage is largely self-created by an IT industry’s desire to find cheap labor by offshoring work. Second, the people in the current labor pool often are mismanaged, are not in the most appropriate roles and/or are not being supported properly. Let me explain.




Something for my Ethical Hacking students to consider. We will need to identify any system that has been hacked (modified from its “off the shelf” configuration) in order to assign liability. If I was a software provider, I would want to build this in as protection. Better: Collect all the hacks and see if they improve my product!
DMCA Ruling Ensures You Can't Be Sued For Hacking Your Car, Your Games Or Your iPhone
There was a big win for the digital rights community today, with a ruling that ensured it was legal for anyone to tinker with their motor, their iPhone or whatever technology they’d purchased. But the freedoms will only last for three years, when the fight between anti-tinkering corporations and activists will resume, absent any major legislative changes.
Prior to today’s decision by the Librarian of Congress, car manufacturers, the most vocal being General Motors, had attempted to block an exemption, the proposed Class 21 in the Digital Millennium Copyright Act (DMCA), that would allow anyone to play with the code that ran on vehicles they’d bought.
… Supporters of Class 21, however, argued that researchers needed access to vehicles’ code to uncover potential vulnerabilities and that anyone who paid for a product should be able to alter it how they wished. Cars have become increasingly connected in recent years, providing more functionality but opening up potential weaknesses that could be exposed by malicious hackers. Tinkerers also see the added connectivity as an avenue for modification.
… And, following months of protest from the Electronic Frontier Foundation (EFF), the security research community, benevolent hackers and scores of other activists, the final decision was to pass the exemption. A separate decision to renew a previous exemption for jailbreaking iPhones and other mobile devices was also granted. Another ruling meant computer game enthusiasts could modify their games to continue playing them even after support was killed off.




What is it about “Things?” Interesting article, worth a read.
Why the Internet of Things is about the Identity of Everything
While Gartner says 4.9 billion connected things are already in use, that actually means that 99.4 percent of things are still not connected. But that doesn’t really matter much because Internet of Things is a buzzword, trend, and hashtag with staying power, and it has “thing” manufacturers rushing to companies like Qipp to use their ALLTHINGS Platform to find ways to connect.
Qipp founder Stefan Zanetti, when speaking at an APIcon (the full video is at the end of the article), says that after more than a decade of research into connected things—years before it even had a name—manufacturers are flocking to him to ask “When can I connect this?” whether it’s a bike or a shoe or a guitar or even chewing gum.
“And that was really the point when we said: OK, guys, what do you really want with a connected product? You make good products but why would you want to connect them to the Internet of Things?
Zanetti and his team found the same answer across the board: “They’re producing really cool stuff and they lose contact with the data when they ship the products,” as it goes into the hands of the distributor or third-party retailer.


(Related) Why manufacturers might want to communicate with my tires. (A reason not mentioned in the article above.)
NTSB: Tire recalls need overhaul
The National Transportation Safety Board said Tuesday the U.S. system for tire registration is ineffective and called for mandatory tire registration, saying that at least 500 crash deaths a year are linked to tire problems.
Unlike car recalls, tire recalls face many problems. Independent tire dealers are not required to register tires on buyers’ behalf — and tire makers can’t contact those drivers if their tires need to be recalled.




For my Statistics students. Probably not enough to make the subject cool for everyone, but it might get them thinking that statistics does have some value.
Jordan, Cuban, Leonsis Put Millions on Sports Betting's Future
Drawn in large part by the “inevitable” legalization of sports betting in the U.S., NBA owners Michael Jordan, Mark Cuban, and Ted Leonsis are investing millions of dollars into Sportradar AG, a sports data company that counts global bookmakers among its top customers.
… "Overseas, gaming and fraud detection have been perfected. [Really? Bob] So now that they’ve come to the U.S., I just felt they were just so well-positioned," Leonsis said in an interview. Unregulated gambling on the NFL is well over $100 billion, Leonsis estimated, and the amount of money at stake makes it "probably an inevitability" that sports betting will be legalized in the U.S. Sportradar’s "experience is going to translate and augur well here because we’re years behind."
… Unlike the NFL, which takes a hard line against sports betting, the NBA has been warming to the idea of legalized gambling on games. NBA Commissioner Adam Silver has said betting on American professional sports is inevitable and that the league would eventually profit from movements in states like New Jersey to legalize sports betting. Silver said betting makes fans more engaged in the games, similar to the effect of fantasy sports.




Cute idea, but it might make finding that rarely used folder easier. Of course, I could also make my own icon.
How to Individualize Folder Icons in Windows with Custom Images




I read SciFi all the time; technology and business less often; textbooks too often.
The Ultimate 50 Ways to Find New Books to Read


Tuesday, October 27, 2015

It's bad enough that you get hacked. Now you have to explain how a 15-year-old could outsmart the best security you could install. For TalkTalk's sake, let's hope this kid is the one demanding ransom and had nothing to do with the hack.
Teenager in Northern Ireland Is Arrested in TalkTalk Hacking Case
The British police have arrested a 15-year-old boy in Northern Ireland in connection with a recent hacking attack on the telecommunications operator TalkTalk.
The company, which provides fixed-line and broadband services to roughly four million customers in Britain, said last week that it had been the victim of a significant data breach, and that hackers who claimed responsibility for the data breach had demanded ransom.
The teenager was taken into custody Monday afternoon, and the police were searching his residence as part of a criminal investigation, according to a statement from the Metropolitan Police. On Tuesday, the police said the boy had been released on bail.
… Shares of TalkTalk are down 8 percent since the hacking attack was confirmed on Friday.


(Related) Here's a scarier alternative theory.
Did The Cyber Jihadi Holy War Start With TalkTalk And iTunes?
… That attack, we were told, was perpetrated by Russian cyber jihadists. The BBC reported the claims of a “cyber expert” and former police officer Adrian Culley, who found a post on a very secret cyber site called Pastebin, where the jihadis claimed they were the ones who had taken those cyber guns and plundered TalkTalk. Culley warned they were a particularly nasty strain of jihadi – Russian cyber jihadis.
The Daily Mirror, the self-proclaimed genius of the British tabloid playground, somehow managed to locate that Pastebin post too. This was, the paper relayed, the beginnings of a “cyber holy war”, with every single TalkTalk customer embroiled in the opening melee. How else would such a war begin than with a binary air strike on one of the smaller telecoms providers in the UK?




An article for my Computer Security students (and my Ethical Hacking students). Is the FBI saying they can't find the hackers fast enough to stop them from carrying out their threats? Perhaps they are saying, “If your security is so bad that hackers can own your system, they have probably erased the evidence we need to find them?” Or maybe, “Don't bother us with this trivial stuff?”
When I saw the headline, “The FBI recommends that you pay up if hackers infect your computer with ransomware,” my first thought was that someone goofed and omitted a “not” before “pay up.” I was wrong.
Tess Danielson reports:
If a hacker hijacks your computer with malware and holds your data for ransom, it’s probably best to just pay up, at least that’s the latest advice the FBI is giving out concerning ransomware.
Reported last week by Security Ledger, Joseph Bonavolonta, the Assistant Special Agent who oversees the FBI’s CYBER and Counterintelligence Program in Boston, spoke at the 2015 Cyber Security Summit and advised that companies infected with ransomware may want to give in to the criminal’s demands.
“The ransomware is that good,” Bonavolonta explained to an audience of business and technology leaders. “To be honest, we often advise people just to pay the ransom.”
Read more on Business Insider.




As I count them, that's seven out of 45. Well, they've only been working on this since June of 3007, so I guess that's fast for a government agency.
Kieren McCarthy reports:
US watchdog the Federal Trade Commission (FTC) has signed an agreement with seven countries to share cross-border information relating to privacy.
The new “alert” system will let regulators from America, UK, Australia, Canada, Ireland, the Netherlands, New Zealand, and Norway share confidential information about ongoing investigations, and the FTC is very excited about it.
“Today, data is increasingly crossing borders, and our privacy investigations and enforcement must do the same,” said FTC chair Edith Ramirez at the signing on Sunday. “GPEN Alert is an important, practical cooperation tool that will help GPEN [Global Privacy Enforcement Network] authorities protect consumer privacy across the globe.”
The other signatories are notably less excited however. Of the seven other countries, just one – the UK – has even bothered to announce the news. And the GPEN website has yet to update itself to contain information about its own new alert system.
Read more on The Register.




An interesting debate.
Adam Klasfeld reports that the NYCLU, the NYU Law Chapter of the American Constitution Society, the New York State Association of Criminal Defense Lawyers, and four tech companies – FourSquare, Kickstarter, Meetup and Vimeo – have filed an amicus brief asking the New York Court of Appeals to overturn a ruling that allowed prosecutors to rummage through the accounts of 381 Facebook users.
As Klasfeld reviews the history of the case:
A little more than two years ago, the Manhattan District Attorney’s office presented Facebook with a bulk warrant, part of a large-scale investigation into the fraudulent filing of Social Security disability claims.
Prosecutors wanted to pin down whether a group of retired police officers and firefighters faked mental illness triggered by the Sept. 11, 2001, attacks.
As of a few months ago, the probe led to charges against 62 people, but the bulk warrants named hundreds of Facebook accounts – and gagged the website from informing the targets about the requests.
Read more on Courthouse News.
[From the article:
"This case raises important questions that impact the digital privacy and expressive rights of every New Yorker, including the threshold question of whether companies like Facebook have the right to challenge an order to produce its customers' records on the basis of its customers' privacy rights," the New York Civil Liberties Union wrote in its 38-page amicus brief.
… "Facebook was conscripted to perform a dragnet search and produce massive amounts of data contained in 381 user accounts and prohibited from notifying its users that their personal information had been targeted," the tech companies noted in a separate brief.
… "To act as custodians of their users' private information, such companies must have the choice to either object to unlawful government intrusions or notify users of such intrusions. The First Department's decision, as well as the trial court order it left in place, denies both options. The double bind in which these decisions leave online platforms is unlawful," the brief says.


(Related) Maybe. Or maybe the police just found the information online? But that might raise some “chain of custody” questions...
In response to allegations (noted in this blog post) that police had obtained Nicky Hager’s account information from Westpac without any court order, the following news release by Felix Geiringer on Hager’s behalf was issued today. Via Scoop:
Several people, including news media, have been seeking comment from Nicky Hager and his legal team about the revelation on the weekend that Westpac Bank gave the Police his private banking information (including over 10 months of his banking transactions from all of his accounts).
It is difficult for Mr Hager to comment at this time. The part of his claim that deals with the legality of these Police information requests was deferred during the first hearing and has not yet been argued. However, Mr Hager is keen to clarify the position and answer the public’s questions as much as he is able.
Until this weekend, Mr Hager only knew about the privacy breach by Westpac through court discovery. Documents provided through discovery are not allowed to be used for any other purpose until they are relied on in open Court. Since this part of Mr Hager’s case has not yet been argued, he has not been able to make use of his knowledge of this breach, not even to raise the matter with Westpac or the Privacy Commissioner.
Mr Hager had also requested documents from the Police under the Official Information Act and the Privacy Act. Had he been provided with documents under those Acts he would have been able to use them to take this matter further. However, the Police have not been willing to provide the documents under those Acts. Indeed, the Police have refused even to acknowledge the existence of correspondence with Westpac under those Acts. This is despite Mr Hager expressly asking the Police to list all of the documents they were wholly withholding under those Acts.
Mr Hager has complained to the Privacy Commission and the Office of the Ombudsman about the Police failure to respond fully to his requests for documents. Representatives of both of those organisations have met with Mr Hager’s lawyers and have been liaising with Police over these complaints.
Now that the fact of this breach of privacy has been made public, Mr Hager intends to seek a full and frank disclosure of the extent of the breach from Westpac. He looks forward to receiving Westpac’s response to that request and will be considering his options to take this matter further.
Mr Hager is very concerned by this breach. His case before the High Court includes a claim against the Police under the Bill of Rights Act for seeking and obtaining that information without a production order. He fully intends to explore all options open to him now that he is free to do so.
In the circumstances, neither Mr Hager nor his lawyers are able to give interviews on this topic at this time. However, it is hoped that we will be free to do so in the future.




This really is “pre-crime” without the Minority Report. If policing has been biased in the past (e.g. focusing on specific neighborhoods or ethnic groups) does that form the basis for predicting future activity?
Joe Cadillic writes:
Predictive HotSpot mapping began in 2012, the National Institute of Justice (NIJ) or really DHS, calls it “Mapping and Analysis for Public Safety.” Click here, here & here to see how the NIJ is really DHS.
NH police officer Derek Cataldo saw a 2000 Honda Accord parked at 5:35 p.m. on Merrimack Street, a “predictive hot spot.” Deleire was sitting in the driver’s seat. Cataldo drove by the car and then circled the block to get a better look and determine if Deleire was there for legitimate purposes. Officer Cataldo approached the car and began talking with Deleire, who police said was physically shaking.
Everyone should be asking, why are police approaching people for no good reason? But wait, it gets worse…
Read more on MassPrivateI.
[From the article:
Interestingly the NIJ claims not every community has a "HOT SPOT" and they (police) should use OTHER forms of geographic analysis.
What you're not being told is a private metadata collection company (LexisNexis) is giving police their data.
BAIR Analytics invented the money making crime prediction software being used by police, BAIR was recently purchased by LexisNexis.




I can see Congress going wild! Imagine if Siri refused to answer questions about certain politicians! (The ones who don't think Apple is the best thing since sliced bread.) Or only responded to questions about technology with Apple's marketing department propaganda.
Siri is refusing to answer certain questions from people who aren't Apple Music subscribers
Apple Music listeners are starting to end their three-month free trials — and Siri has begun to play hardball.
On Monday, angel investor Tom Conrad pointed out on Twitter that if you ask Siri to tell you the top songs in the US, and you aren’t an Apple Music subscriber, she’ll basically stick her virtual tongue out at you and refuse to respond.
We checked it out and it reads the same for other fallen Apple Music subscribers. “Sorry, Nathan,” Siri told me. “I can’t look up the music charts for you. You don’t seem to be subscribed to Apple Music.”
… When I asked Siri about the top movie rentals in the US, she was much more forthcoming, and tried to get me to rent it on iTunes.
But the “give the customer information and then nudge them to buy” tactic doesn’t seem to be the way Apple wants to go at it in music.
Maybe that is because Apple hasn’t exactly been driving Spotify out of the market. Spotify’s CEO claims his service has seen even greater user growth since the launch of Apple Music.


(Related) Same strategy, different approach?
Facebook wants to be the only thing you look at on your phone




I wonder if there is really a significant economic benefit to drones or if this is seen as marketing?
Exclusive: Wal-Mart seeks to test drones for home delivery, pickup
Wal-Mart Stores Inc applied Monday to U.S. regulators for permission to test drones for home delivery, curbside pickup and checking warehouse inventories, a sign it plans to go head-to-head with Amazon in using drones to fill and deliver online orders.




Lawyer technology. Mostly marketing, but they mention evidence in passing. I guess this won’t be the basis for a new law school course.
New on LLRX – How Can Lawyers Use Social Media to Their Advantage?
by Sabrina I. Pacifici on Oct 26, 2015
Via LLRX.com – How Can Lawyers Use Social Media to Their Advantage? – Lawyers are no strangers to social media, but that doesn’t mean that everyone in the legal arena is familiar with how to use it effectively, proactively and consistently. If you are a lawyer who has not yet launched a social media presence, Mike Wallagher’s article provides actionable ways that document how social media can benefit you and your career.




One stat leaps out.
Google Turning Its Lucrative Web Search Over to AI Machines
… RankBrain uses artificial intelligence to embed vast amounts of written language into mathematical entities -- called vectors -- that the computer can understand. If RankBrain sees a word or phrase it isn’t familiar with, the machine can make a guess as to what words or phrases might have a similar meaning and filter the result accordingly, making it more effective at handling never-before-seen search queries.
Unique Questions
The system helps Mountain View, California-based Google deal with the 15 percent of queries a day it gets which its systems have never seen before, he said. [That seems remarkably high to me. Which is why I am remarking on it. Bob]




Perspective. I'm surprised this hasn't (yet?) been a hot market area.
Kangaroo is an amazing $99 Windows 10 portable PC
InFocus today debuted the Kangaroo, a $99 Windows 10 portable PC that “goes anywhere and works with any screen.” The term “mobile desktop” may seem like an oxymoron, but that really is the best description: Picture your typical desktop PC tower shrunk down to the size of a phablet sans screen; just like any desktop, you’ll still need to connect a mouse, keyboard, and monitor. Kangaroo is available on Newegg now, and will go on sale at the Microsoft Store by mid-November.
The pitch is simple: Kangaroo offers the power of a cheap full-sized computer with the convenience and mobility of a cell phone.




Perspective. Teachers and students too.
Parents and Teens Don’t Understand Each Other’s Internets




Something similar happens in the classroom; Dilbert's theory may explain a lot!


Monday, October 26, 2015

An update. Will the penny saved by not encrypting the data pay the millions this breach will cost?
TalkTalk shares more information about website hacking incident and current investigation
… TalkTalk has provided some clarifications on its official website about the hacking incident and has offered tips to its customers. Earlier, TalkTalk CEO Dido Harding had said that her company was under no legal obligation to encrypt customers' sensitive data. Now, TalkTalk is offering free credit reporting service to all clients with coupon code “TT231”.
… While TalkTalk said on Saturday it did not believe the information accessed would enable hackers to steal money from its customers, British newspapers on Sunday carried stories of individuals who said callers posing as TalkTalk employees had taken money from their bank accounts.
TalkTalk could face a fine of up to half a billion pounds. [I thought that sounded a bit high so I did a bit of Googling. Bob]


(Related) This is more likely.
TalkTalk 'knew of hacking risk A YEAR ago': Company could 'go out of business' and lose £75million after millions of customers' bank details were stolen in cyber attack
TalkTalk faces £75million in lost revenue as the backlash from the cyber attack on the company grows.
… TalkTalk is also facing an investigation by the Information Commissioner, who could impose a fine of up to £500,000 if the company is found to have breached data protection rules.




Can this be done? Can TSA make a plan? (They're actually being asked to plan to make a plan.)
On October 23, Papers, Please! wrote:
Acting on a petition submitted in July 2015 by the Competitive Enterprise Institute, the Court of Appeals for the D.C. Circuit today ordered the Department of Homeland Security to, within 30 days from today, “submit to the court a schedule for the expeditious issuance of a final rule ”governing the TSA’s use of virtual strip search machines or body scanners (what the TSA calls “Advanced Imaging Technology”) “within a reasonable time”.
The court didn’t say what it would consider “expeditious” or a “reasonable” time for the TSA to finalize rules for its use of body scanners.
I think we’re waaaay past “expeditious” by now and are more on the order of “sometime before the next millennium, folks?” Note that this is not ordering the actual rule be produced within 30 days – just a schedule for issuing a rule that should have been issued years ago.
Read more on Papers, Please!
For its part, EPIC wrote:
The Court of Appeal for the D.C. Circuit today ordered TSA to comply with the ruling in EPIC v. DHS and conduct an “expeditious” rulemaking on the use of body scanners at airports. EPIC successfully sued TSA in 2011 to compel notice-and-comment rulemaking after the agency failed to solicit public comments as required by law. EPIC said the body scanner program was “unlawful, invasive, and ineffective.” The backscatter x-ray devices were subsequently removed from U.S. airports, though the millimeter devices remain. In 2015 the Competitive Enterprise Institute filed a petition to compel TSA to issue a final rule as required by the EPIC v. DHS mandate. TSA now has 30 days to submit a rulemaking plan to the court.




A legitimate target – not even a “Cyber” target. That's not new. It's the increased activity that's a real concern.
Russian Ships Near Data Cables Are Too Close for U.S. Comfort
Russian submarines and spy ships are aggressively operating near the vital undersea cables that carry almost all global Internet communications, raising concerns among some American military and intelligence officials that the Russians might be planning to attack those lines in times of tension or conflict.
The issue goes beyond old worries during the Cold War that the Russians would tap into the cables — a task American intelligence agencies also mastered decades ago. The alarm today is deeper: The ultimate Russian hack on the United States could involve severing the fiber-optic cables at some of their hardest-to-access locations to halt the instant communications on which the West’s governments, economies and citizens have grown dependent.


(Related) Are light bulbs a national security concern? If not that, what? Concern that China will leave us in the dark?
Philips Deal to Sell Lighting Unit to Chinese Group Hits U.S. Regulatory Snag
Royal Philips NV has run into unexpected regulatory trouble in the U.S. over the planned sale of its lighting-components and automotive-lighting unit to a Chinese investor.
The Dutch electronics group said on Monday that the Committee on Foreign Investment in the U.S., or CFIUS, has expressed “certain unforeseen concerns” on the planned disposal of an 80% stake in the Philips business, called Lumileds, without providing further detail.




Cable without the cable.
Time Warner Cable will test internet-only TV in NYC next week
If you want cable TV without the cable box, Time Warner Cable may have something for you soon. Reliable sources tell Engadget that starting Monday, Time Warner Cable will beta test a version of its TWC TV service made available for the company's internet-only customers living in New York City. Similar to Sky's Now TV in the UK, it will support a number of hardware platforms, but the plan is to focus on streaming TV through Roku's set-top boxes, and any participants will get a Roku 3 for free.




Still trying to understand the appeal...
Paper – Dawn of the Selfie Era
by Sabrina I. Pacifici on Oct 25, 2015
Dawn of the Selfie Era: The Whos, Wheres, and Hows of Selfies on Instagram. Flávio Souza, Diego de Las Casas, Vinícius Flores, SunBum Youn, Meeyoung Cha, Daniele Quercia, Virgílio Almeida, October 19, 2015.
“Online interactions are increasingly involving images, especially those containing human faces, which are naturally attention grabbing and more effective at conveying feelings than text. To understand this new convention of digital culture, we study the collective behavior of sharing selfies on Instagram and present how people appear in selfies and which patterns emerge from such interactions. Analysis of millions of photos shows that the amount of selfies has increased by 900 times from 2012 to 2014. Selfies are an effective medium to grab attention; they generate on average 1.1–3.2 times more likes and comments than other types of content on Instagram. Compared to other content, interactions involving selfies exhibit variations in homophily scores (in terms of age and gender) that suggest they are becoming more widespread. Their style also varies by cultural boundaries in that the average age and majority gender seen in selfies differ from one country to another. We provide explanations of such country-wise variations based on cultural and socioeconomic contexts.”




Eating causes cancer!
Red Meats Potentially Cause Cancer, Group Says
… The determination, published by a panel of researchers for the International Agency for Research on Cancer in a medical journal Monday, classifies processed meat products like salami and bacon as carcinogenic to humans, the strongest level of risk for cancer, and a category shared with tobacco smoke and diesel engine exhaust.
Fresh meats like steaks and roasts are considered probably cancer-causing, a level of risk shared with the widely used herbicide glyphosate. [Herbicides used on almost all plants so: Meats cause cancer, plants cause cancer, fish cause mercury poisoning... Eat rocks? Bob]