Saturday, December 12, 2015

This does not instill confidence.
Danielle Nerman reports:
The president of the Privacy and Access Council of Canada says it’s not just individuals and small businesses who are shelling out to hackers who infect their computers with viruses.
“Police departments and law firms are very, very attractive targets and they pay quite often,” said Sharon Polsky, a Calgary data protection and privacy expert.
“If it’s worth it to them to regain control of their information, absolutely they’re going to pay it,” she said
Read more on CBC.ca




Life will be so much simpler when we have eliminated the need for employees.
More than half of in-house legal counsel report that their companies are increasing spending on cybersecurity, while one-third state that their companies have experienced a data breach, according to a new report from the Washington, DC-based Association of Corporate Counsel (ACC) Foundation.
Read more on CanadianUnderwriter.ca.
The report will cost you $475 (yeah, right, I’ll pass), but you can download the key findings from ACC, here.


(Related) Might be fun for my Grad students to try answering...
Case Study: Should He Be Fired for That Facebook Post?
This fictionalized case study will appear in a forthcoming issue of Harvard Business Review, along with commentary from experts and readers. If you’d like your comment to be considered for publication, please be sure to include your full name, company or university affiliation, and email address.




How to get out of jury duty?
Rafael Olmeda reports:
Jurors who raised concerns about the availability of their personal information prompted a mistrial in a Broward murder case earlier this week.
Jeffrey Chidsey, 30, was about to go on trial Wednesday for second-degree murder in the 2009 shooting death of Cameron Fritzson outside a Davie pool hall. But one of the jurors had a question that would prove to derail the proceedings.
Read more on The Sun Sentinel.
[From the article:
The first juror's concern was rare, according to the State Attorney's Office, the defense, and experts on identity theft. While an enterprising identity thief could conceivably mine all kinds of public records for information, national expert Rob Douglas said he had never heard of juror information being exploited in such a way.
"A very determined person could do it, but does it happen on a regular basis? No, not at all," said Douglas, who runs the Colorado-based website IdentityTheft.info.




You can't cave in every time. Where would you draw the line?
Turkey fines Twitter for refusing to take down content
Turkey has fined Twitter for failing to take down a piece of content, Reuters reported on Friday.
A Turkish official told the wire service that the country's communications regulator had fined the social media platform the equivalent of $51,000 for failing to remove content it claims is associated with "terrorist propaganda."
A person briefed on the matter said that the dispute between Turkey and Twitter was over an account of a political protest critical of the Turkish government.




Perhaps there is no sense of urgency. After all, there are 18,762 airports in the US. (See: http://www.rita.dot.gov/bts/sites/rita.dot.gov.bts/files/publications/national_transportation_statistics/html/table_01_03.html)
Study cites 327 'close encounters' between drones and planes
There were 327 "close encounters" between drones and airplanes between December 2013 and September 2015, according to a new study released on Friday.
The study, conducted by The Center for the Study of the Drone at Bard College, found that 327 of 921 incidents involving drones and commercial flights were close enough to be considered near-collisions, while 594 were better classified as just sightings.
… The FAA has been in the process of developing rules for commercial drones for the better part of three years.


(Related) I suppose there will be all manner of “solutions” to the drone problem.
Tokyo's Answer To Rogue Drones? Its Own Net-Wielding Police Drone
… The issue of drones penetrating government security garnered attention in Japan last April–a small amount of radioactive soil from the Fukushima Prefecture was flown by a drone onto the roof of the prime minister’s office. Needless to say, the Japanese government was not pleased.
The new drone will have six propellers and a 3-by-2-meter net, according to the Asahi Shimbun, and will be used by the unit in the Tokyo Metropolitan Police in charge of patrolling the Imperial Palace, the prime minister’s building, and the Diet building, among other critical locations.




The next big thing?
Elon Musk and Other Tech Titans Create Company to Develop Artificial Intelligence
… In recent years the field of artificial intelligence has shifted from being an obscure, dead-end backwater of computer science to one of the defining technologies of the time. Faster computers, the availability of large data sets, and corporate sponsorship have developed the technology to a point where it powers Google’s web search systems, helps Facebook Inc. understand pictures, lets Tesla’s cars drive themselves autonomously on highways, and allowed IBM to beat expert humans at the game show “Jeopardy!”




I have students who read. One or two. This could become useful as they add a bit more.
CommonLit - Search for Thematic Discussion Questions Paired With Interesting Texts
Almost one year ago I wrote about a new organization called CommonLit that was developing a database of short fiction and nonfiction texts paired with discussion questions. At the time you could only find texts by browsing through the database. Now you can actually search through CommonLit on their search page. Enter a word or term on the search page to find texts with paired questions related to your term. You can then filter your results by grade level, theme, and genre.
The discussion questions on CommonLit aren't your typical "how does the author use foreshadowing?" kind of questions. Rather the discussion questions deal with larger themes like "how do we define the roles of men and women?" and "why do people follow the crowd?"
Applications for Education
Commonlit's thematic questions could be quite helpful in getting students interested in reading. I've always found that if I can get students engrossed in a conversation around a big question, I then have a much easier time getting them to read materials related to the conversation. My students tend to want to read so that they can find more ideas to bring into their arguments in the classroom conversation.




For my student Twits
How To Use Twitter Without Screwing Up
… Whether you’re just looking to better understand the social network, or hoping to avoid embarrassing yourself on social media, keeping these five things in mind can go a long way.




This is the kind of question we should be asking our students every few months.
Which Search Engine Should You Be Using Today?
Though Google is still considered top dog in the search engine world, plenty of alternative search providers vie for your traffic and usage.
Everyone jokes about how Bing is just a Google impostor and that Yahoo! is abandoned, but it’s time to move past the stereotypes and see what these search engines can really do. Let’s compare the features of the biggest ones and see which ones are best for what and for whom.




An incentive to upgrade to Windows 10?
Microsoft gives Windows 10 users 10 free, full music albums for the holidays
Microsoft has a Groove-y gift for music fans rocking Windows 10 in the United States. The company has chosen ten albums from 2015 to offer free of charge via the Windows Store.
… Each album is offered separately, which means if you want all 10 you’ll have to redeem the free offers one-by-one. Any albums you redeem in the Windows Store are immediately downloaded to your PC via the Windows 10 Groove app.




It must be Saturday. Look what came in my RSS reader!
Hack Education Weekly News
… The Senate approved the renewal of the Elementary and Secondary Education Act – the Every Student Succeeds Act, which will replace No Child Left Behind. President Obama signed the bill on Thursday. Computer science is now considered part of a “well-rounded education,” according to the new law.
… “More than 100 students involved in a sexting scandal at a southern Colorado high school will not face criminal charges,” says the Fremont County DA.
… According to Phil Hill, the University of Phoenix is ditching its “homegrown” LMS platform and adopting Blackboard Learn Ultra. [We just installed a new one we created. Does nothing the cheap ones don't do. Bob]


Friday, December 11, 2015

Fast response, but not detected internally.
WP Engine Resets Passwords After Data Breach
Popular WordPress hosting service WP Engine informed customers this week that their credentials may have been compromised in a security breach.
Only few details have been provided about the incident as the investigation, conducted in collaboration with law enforcement and a “leading” cybersecurity firm, is ongoing. WP Engine became aware of the breach on December 9 and customers were first notified later that day.
Many have complained about the lack of details from WP Engine, particularly regarding the way passwords were stored. The company has promised to share information about the data breach as soon as it’s available.




Failure to encrypt.
Jett Goldsmith writes:
A security vulnerability affecting 16 companies worldwide, including Air Canada, the CN Tower, and the San Diego Zoo, has potentially revealed the unencrypted credit card data of hundreds of thousands of customers, according to a report by threat detection firm Wandera.
Read more on Neowin.
Over on Wandera’s blog, they write:
Today, Wandera announced the discovery of the CardCrypt security flaw affecting sixteen companies, including four major airlines – Air Canada*, easyJet*, AirAsia and Aer Lingus*. Each of the companies has been failing one of the most basic of security requirements by not fully encrypting the traffic to the payment portion of their mobile web site or app. This means that customers who use these services unknowingly may have had their credit card information sent ‘in the clear’, and have been at risk of having that information stolen.
* UPDATE: We are pleased to say we have learned that easyJet, Chiltern Railways, San Diego Zoo, CN Tower, Aer Lingus and Air Canada have now confirmed there is no ongoing issue. We will continue to assist others in trying to swiftly resolve this issue.
Reportedly, it was not just credit card numbers that were leaking in some cases:
What information was exposed?
Every one of the companies has exposed the full credit card number unencrypted. All of the companies, except for Air Canada, also exposed the CVV number. But the CardCrypt flaw is not limited to just this information. Alarmingly, the amount of additional information that was exposed by some of the companies has been significant and included card expiration date, full name, billing address, email addresses and even passport information.
Read more on Wandera.




Yeah, but they will shop online anyway.
AMSTERDAM – December 10, 2015 – Nearly two-thirds (64%) of consumers surveyed worldwide say they are unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen, and almost half (49%) had the same opinion when it came to data breaches where personal information was stolen. This is according to a recent global survey by Gemalto (Euronext NL0000400653 GTO), the world leader in digital security, titled “Broken Trust: ‘Tis the Season to Be Wary”, which surveyed 5,750 consumers in Australia, Brazil, France, Germany, Japan, United Kingdom and United States.




Should we really expect good management from OPM?
Tal Koppan reports:
The federal agency that had more than 21 million Americans’ personal information stolen in a massive hack is once again in congressional cross-hairs — this time for improperly doling out taxpayer dollars to protect those Americans after the data breach.
The Office of Personnel Management’s inspector general released a report this month, made public Thursday, finding that the agency improperly handled its contract award to a company hired to protect the identities of the first 4 million federal employees affected by the breach, which has been blamed on China.
Read more on WPTZ.




The least impactive nugget of data gathered by the candidates is your phone number so they can make way too many automated phone calls urging you to vote for them. This kind of research simply helps them tailor their lies.
Harry Davies reports:
Ted Cruz’s presidential campaign is using psychological data based on research spanning tens of millions of Facebook users, harvested largely without their permission, to boost his surging White House run and gain an edge over Donald Trump and other Republican rivals, the Guardian can reveal.
A little-known data company, now embedded within Cruz’s campaign and indirectly financed by his primary billionaire benefactor, paid researchers at Cambridge University to gather detailed psychological profiles about the US electorate using a massive pool of mainly unwitting US Facebook users built with an online survey.
Read more on The Guardian.




Does the FBI have the tools to identify terrorists by reading the plaintext messages they send? Isn't that what the big fuss over NSA's bulk interception was about?
Lawmakers: No evidence San Bernardino shooters used encryption
Lawmakers on Thursday said there was no evidence yet the two suspected shooters used encryption to hide from authorities in the lead-up to last week's San Bernardino, Calif., terror attack that killed 14 people.
… But that hasn’t ruled out the possibility, Burr and others cautioned.
… The recent terror attacks in San Bernardino and Paris have shed an intense spotlight on encryption.
While no evidence has been uncovered that either plot was hatched via secure communications platforms, lawmakers and federal officials have used the incidents to resurface an argument that law enforcement should have guaranteed access to encrypted data.


(Related) It's not like there are no tools for terrorists. But most of these actors are minimally trained amateurs. If they are identified and stopped, no big deal. They are just cannon fodder.
Sadly Rachman reports:
Computer scientists at the Massachusetts Institute of Technology (MIT) have developed a new SMS text messaging system that is untraceable and apparently even more secure than the Tor anonymity network, in order to create truly anonymous communications.
Read more on TreeAngle.




Perspective. Why would we expect corporations (or terrorists) to be more concerned about security than the courts? (Note that publishing a list of weaknesses give hackers a roadmap.)
Nick Cahill reports:
Despite a 2013 audit revealing significant information security flaws, the Judicial Council of California hasn’t improved its control systems and remains “unacceptably” at risk for data breaches, according to a follow-up audit.
The council’s case management records and human resources data are specifically jeopardized because of its failure to implement recommendations from the original audit, the state auditor said Thursday. The audit also criticized the council for a lack of urgency in setting a timeline for implementing better controls.
Read more on Courthouse News.




My Cayman Islands bank account is about to get a lot of deposits, because I have a phone book and I know how to use it!
Latest Google Wallet update lets you send money using just a phone number




For the gamers in my Spreadsheet class.
6 Iconic Games Recreated in Microsoft Excel




Because conversions are useful in many applications. To and from PDFs for example.
The Complete Microsoft Office File Converter Guide




Perspective. So now you can wait until you are down to your last couple of six-packs before re-ordering.
Amazon Starts One-Hour Booze Delivery in Manhattan
… One-hour delivery costs $7.99, and two-hour service is free, Amazon said. Prime Now, a one-hour delivery service available only to Prime members, is available in 23 cities such as Dallas, Chicago, and Nashville.


Thursday, December 10, 2015

A good deal?
Wyndham settles FTC data breach charges
Wyndham Worldwide Corp (WYN.N) has agreed to settle U.S. Federal Trade Commission charges that it failed to properly safeguard customer information, in a case arising from three data breaches affecting more than 619,000 customers.
… A consent order outlining the settlement was filed with the federal court in Newark, New Jersey, 3-1/2 months after the 3rd U.S. Circuit Court of Appeals in Philadelphia said the FTC had authority to regulate corporate cyber security.
Under the order, Wyndham must establish a comprehensive information security program designed to protect cardholder data including payment card numbers, names and expiration dates, the FTC said.
Wyndham was not fined or required to admit wrongdoing, but will comply with a widely used industry standard to protect the safety of payment card information. The Parsippany, New Jersey-based company's obligations under the order last for 20 years.
… The case is Federal Trade Commission v Wyndham Worldwide Corp et al, U.S. District Court, District of New Jersey, No. 13-01887.




A self-inflicted wound?
And Avid Life Media still has not provided any update as to how that horrific breach occurred. Nor did they respond to my email inquiry this week requesting an update.

Related Posts:





Does Google see what keywords you are blocking?
Google Creates New Roadblock For Corporate Data Thieves
Businesses of all sizes dread the thought of data theft.
In response, Google said Wednesday that it is adding technology to Gmail that makes it harder for employees to send business data out the door. Specifically, the tech giant is bundling a service that helps prevent sending sensitive information through Gmail, at least for customers who pay for the Google Apps Unlimited edition.
With this addition, corporate IT staff can set up a scan of outgoing email (both the text itself and attached documents) for credit card numbers, social security numbers, etc. Messages that trip the switch can be quarantined for review, or returned to the sender along with a prompt to remove the information. Administrators can also set up automatic scans that would flag emails that include certain keywords.




Kind of a good new / bad news article.
Daily New Malware Count Drops by 15,000: Kaspersky
The number of new malware files detected each day dropped by roughly 15,000 in 2015 when compared to the last year, according to a recent report from Kaspersky Lab.
According to the security company, its products detected 310,000 new malware files each day in 2015, compared to 325,000 in 2014. The company notes in a blog post that the decrease is likely due to the fact that the coding of new malware is expensive and cybercriminals have been switching to intrusive advertising programs or legitimate digital signatures in their attacks.




Nothing too exciting.
Washington Post – Cybersecurity – A Special Report
by Sabrina I. Pacifici on Dec 9, 2015




Apparently the world did not end as predicted.
FBI: Too soon to tell if NSA reform is hurting investigations
… FBI Director James Comey's assessment is at odds with prominent hawks, who have warned that new limits on the National Security Agency (NSA) are hamstringing federal officials at a time when fears about terrorism are on the rise.
"We don’t know yet” whether the NSA reforms have had a negative impact, Comey told a Senate committee.
“In theory it should work as well or better than what we used to have,” he insisted. “But I don’t know yet.”




“We know the bad guys are in there somewhere!” If we have clear evidence that “Communicator X” is controlling the planners of terrorism (call them Y1 - Yn) in several countries, we would like to know they are talking to. We can identify X and most of the Ys, it's the Zs that we need to gather up before that links are lost.
In a seminal decision updating and consolidating its previous jurisprudence on surveillance, the Grand Chamber of the European Court of Human Rights took a sideways swing at mass surveillance programs last week, reiterating the centrality of “reasonable suspicion” to the authorization process and the need to ensure interception warrants are targeted to an individual or premises. The decision in Zakharov v. Russia — coming on the heels of the European Court of Justice’s strongly-worded condemnation in Schrems of interception systems that provide States with “generalised access” to the content of communications — is another blow to governments across Europe and the United States that continue to argue for the legitimacy and lawfulness of bulk collection programs. It also provoked the ire of the Russian government, prompting an immediate legislative move to give the Russian constitution precedence over Strasbourg judgments.




Would it be politically correct or politically incorrect to believe Kim?
North Korea says it’s ready to detonate H-bomb, but skepticism abounds




WalMart would like to hold your money for you.
Wal-Mart enters mobile payment with launch of Walmart Pay
Wal-Mart Stores Inc (WMT.N) said it would launch 'Walmart Pay,' to become the first U.S. retailer to offer its own payment feature to expand consumer payment options and increase the speed of checkouts.
… The feature requires customers to choose Walmart Pay within the retailer's mobile app at a checkout counter, activate their phone camera and scan the code displayed at the register after which an e-receipt will be sent to the app.




Perspective.
One-fifth of Americans report going online almost constantly
by Sabrina I. Pacifici on Dec 9, 2015
Pew FactTank – “As smartphones and other mobile devices have become more widespread, some 21% of Americans now report that they go online “almost constantly,” according to a Pew Research Center survey. Overall, 73% of Americans go online on a daily basis. Along with the 21% who go online almost constantly, 42% go online several times a day and 10% go online about once a day. Some 13% go online several times a week or less often. And in this survey, 13% of adults say they do not use the internet at all.”




Perspective.
Netflix accounts for more than a third of prime-time internet traffic in North America
Just in case Netflix hadn’t completely established itself as a juggernaut, here’s more evidence of its all-consuming hold on consumers: The video-streaming company nets roughly 35% of aggregate peak-period internet traffic in North America, according to a new report.
… In set of findings announced today (Dec. 7) for online traffic consumption across North America, Africa, and the Middle East, Sandvine’s data illustrated Netflix’s total domination in North America—the service is well ahead of competitors like YouTube (which has 16.8% of aggregate upstream/downstream traffic), Amazon Video (2.9%), iTunes (2.6%), and Hulu (2.5%). BitTorrent, which accounted for 31% of total internet traffic in 2008, only accounted for 4.4% in 2015.
By comparison, Netflix had just 22% of North American internet traffic in 2011, according to Sandvine’s report from that year.




If Facebook is the answer, what was the question? Worth reading.
How Facebook Plans to Disrupt Education
Back in September, Facebook made a deal with Summit Public Schools. Don’t worry if you didn’t hear about it when it happened – it was a quiet event, without a lot of fanfare. With that being said, the implications of this partnership might change everything we know about public education.




Too depressing? My students would think this blog post was too long to read.
How Long Does That Book Take to Read? This Site Tells You
Daunted by the size of that book you have been meaning to read? It might take you less time than you think. If you want an accurate calculation of the time you’ll need to finish that book, head over to How Long to Read.
The site lists more than 12 million books in its database. Use the site search to look up the name of any book on your reading list and select it from the search results. A dedicated page for that book should pop up. Look to the sample text on the side, click on the Start Speed Reading Timer button, then read it.
Once you finish, click on the button again to stop the timer. This displays an estimate of the time you’ll need to read the entire book.




Trendy, but already obsolete.
A Short Overview of 12 Tools for Creating Flipped Classroom Lessons


Wednesday, December 09, 2015

Stealing data is bad. Stealing data and then failing to secure it is even worse. (Would this case get tossed out in the Eleventh Circuit?)
Justin Baer reports:
Morgan Stanley suspected that Russian hackers stole client data from a former financial adviser who pleaded guilty to illegally accessing the bank’s computers and taking the information home with him.
Galen Marsh, who was fired from the Wall Street firm in January for viewing and copying account information on other advisers’ clients, pleaded guilty in September to one felony count of exceeding authorized access to a computer. But Mr. Marsh had always maintained that he wasn’t responsible for some of the client data appearing online on a text-sharing website, and that he didn’t offer to sell the information.
In a recent court document filed ahead of Mr. Marsh’s sentencing hearing, Mr. Marsh’s lawyers wrote that “based upon conversations with representatives of Morgan Stanley, we learned that hackers emanating from Russia were suspected of posting the information and offering to sell it online.”
Read more on WSJ.
[From the article:
According to court documents, Mr. Marsh allegedly made more than 5,000 unauthorized searches of confidential information on the firm’s computer systems using the identification numbers of other Morgan Stanley branches, groups and advisers, beginning in June 2011. He uploaded the data, which included client names, addresses, account numbers and investment information, to a personal server in his New Jersey home, the prosecutors alleged.
Mr. Marsh has argued he accessed the information to analyze how other advisers managed clients’ money. Morgan Stanley has said no clients lost money on the security breach.




Find a popular site. Use them to spread your malware.
Joseph C. Chen reports:
NOTE: This is a developing story. Please watch this space for updates as we continue to dig into the technical details of this attack.
The blog page of one of the leading media sites in the United Kingdom, “The Independent” has been compromised, which may put its millions of readers at risk of getting infected with ransomware. We have already informed The Independent about this security incident and are working with them to contain the situation. For their part, the news website staff was quick to respond and take action to mitigate the risk this event posed to the website itself and its user base.
It should be noted that only the blog part of the website–which uses WordPress–is impacted; the rest of The Independent’s online presence seem unaffected.
Read more on TrendMicro.




Interesting. A “Golden Parachute” for the average employee?
Scott Daugherty reports:
A Virginia Beach construction company claims a former employee stole trade secrets earlier this year and provided them to a competitor.
Unlike most such cases, however, officials with Atlantic Marine Construction Company aren’t arguing the employee stole their proposal sheets and other records before he was fired. Rather, the company claims Christopher McGrath, formerly of Virginia Beach, stole them after he was terminated via a widely available computer program he secretly installed on a work computer.
Read more on Virginian- Pilot.
[From the article:
The lawsuit said McGrath – Atlantic Marine’s now-former vice president in charge of construction – installed “Google Chrome Remote Desktop” on a work computer in February without authorization. He was fired in August for reasons not specified in the suit.
Following his termination, McGrath accessed Atlantic Marine’s computer network at least 16 times with the help of the program, the lawsuit said. According to the suit, Atlantic Marine believes McGrath viewed, copied and downloaded the company’s trade secrets each time he connected to the network.




Local. There's one in Greenwood Village. Notified in early November, still leaking customer data until December.
Ron Ruggless reports:
CM Ebar LLC, parent to the Elephant Bar restaurants, warned customers who used credit cards at the 29-unit chain between August and December that their data may have been breached, the company said Tuesday.
The casual-dining operator said it was alerted to the potential security breach on Nov. 3, and it has investigated and removed the suspected computer malware that lead to the possible incident.
[…]
A representative for CM Ebar said the possible data breach included 20 restaurants in California, three in Colorado, two in Arizona and one each in the remaining states where it operates. A complete list of the restaurants is available at a microsite dedicated to the incident.
Read more on nrn.com.




So, outsource the last bit to a small company?
New EU cybersecurity rules neutered by future backdoors, weakened crypto
The European Union has drawn up a set of rules governing the security of the region's digital infrastructure. Under the framework provisionally agreed last night by Members of the European Parliament (MEPs) and the Luxembourg Presidency of the EU Council of Ministers, transport, energy and other key companies will have to ensure that the digital infrastructure that they use to deliver essential services, such as traffic control or electricity grid management, is resilient enough to withstand online attacks. Similarly, major digital marketplaces like eBay or Amazon, search engines, and cloud services will be required to ensure that their infrastructure is secure, and to report major incidents. Smaller digital companies will be exempt from these requirements.




Remember, “A wet bird never flies at night.” Not encrypted – encoded. Decoded it means, “How ignorant!”
Less than a week after the attacks in Paris — while the public and policymakers were still reeling, and the investigation had barely gotten off the ground — Cy Vance, Manhattan’s District Attorney, released a policy paper calling for legislation requiring companies to provide the government with backdoor access to their smartphones and other mobile devices. This is the first concrete proposal of this type since September 2014, when FBI Director James Comey reignited the “Crypto Wars” in response to Apple’s and Google’s decisions to use default encryption on their smartphones.




Spam from USPS? Was there really a demand for this? Why filter out most of their scans?
The US Postal Service Will Soon Email You Scans of Your Mail
The US Postal Service is rolling out a new service that emails you scans of the mail you’ll be getting in your mailbox each day.
The USPS has been testing the service, Informed Delivery, in some zip codes in Northern Virginia since 2014, and it will reach the New York City metro area, plus select areas of Connecticut, beginning this fall. USPS says expansion to other areas is being considered for 2016. For now, the Postal Service will only send you scans of letter-sized envelopes.
Once you sign up, USPS will email you a notification before 11 am daily, Monday through Saturday, containing grayscale images of just the front of your envelopes for up to ten pieces of mail.
… For now, the service won’t be available to businesses, and it won’t work for packages—USPS says customers should rely on its tracking and mail hold services instead for those types of mail.
… USPS actually already photographs every letter and package mailed in the United States—a practice it started after anthrax attacks in late 2001 killed five people, including two postal workers.




Should be very simple.
Federal Rules of Civil Procedure 2016 ePub
by Sabrina I. Pacifici on Dec 8, 2015
From Sarah Glassmeyer – “The Federal Rules of Civil Procedure just had a ton of revisions come into effect on December 1. Since the US Courts only publish this in a 170 page PDF, I thought I’d make it a little more user friendly and make an ebook (by which I mean an ePub, compatible with everything but Kindles) out of it. I also added in all of the new forms as jpegs, so they look the way that they are supposed to look. It was a massive pain in the tookus to do. You’re welcome. Anyway, here it is.” Thank you Sarah.




Find a book for Christmas break!
NPR’s Book Concierge – Guide To 2015’s Great Reads
by Sabrina I. Pacifici on Dec 8, 2015




For my App students in the Winter Quarter.
11 Apps and Sites for Learning to Code
… The MIT App Inventorn allows students to create and publish their own Android applications. The MIT App Inventor works in your web browser (Chrome is recommended). The only download that is required for App Inventor 2 is the optional emulator. The emulator allows people who don't have Android devices to text their apps on their desktops. If you have an Android device then the emulator is not required and you don't need to worry about installing it. MIT provides excellent support documentation and curriculum for classroom use for new users of App Inventor. Click here to read about a great app developed by students using the MIT App Inventor.


Tuesday, December 08, 2015

For any of my students who still think passwords are adequate security.
Password Cracking Tool Hashcat Goes Open Source
Hashcat, the popular password recovery utility advertised as the world’s fastest password cracker, has been released as open source.
The announcement was first made on December 4 on Twitter via an MD5 hash that read “hashcat open source” when cracked. Jens 'atom' Steube, the main Hashcat developer, later announced in a post on the official forum that the source code for both Hashcat, the CPU-based tool, and oclHashcat, the GPU-based version, has been released under the MIT license.
The source code for Hashcat and oclHashcat is available on GitHub. Bug fixes and new features can be submitted, but contributors must ensure that their code complies with a specified set of requirements.




For some reason I don't think this is the last we'll hear of the OPM breach.
Eric Yoder reports:
The last of the notices are set to go out this week to the more than 21 million people whose personal information was stolen in a cyber breach of government security clearance files, with about 1.5 million of those having signed up so far for identity and credit monitoring services.
Read more on Washington Post.




Perspective? Everyone want to teach kids to code, no one wants to teach ethics? None of the hackers arrested for the TalkTalk hack are over 21.
UK Police Campaign Targets Hackers as Young as 12
Britain's National Crime Agency on Tuesday launched a campaign to discourage youngsters from becoming hackers after it found the average age of suspects had plummeted to 17.
The NCA's #CyberChoices campaign targets parents of boys aged 12-15 who may be involved in cyber-crime without their knowledge.




Everyone knows, cars don't lie!
Hit-And-Run Suspect Busted After Her Car Calls The Police, Spurs Controversial Legal Ramifications
… Take the case of Cathy Bernstein, for example. The 57-year-old woman made an absolutely boneheaded play by rear-ending another vehicle and then fleeing the scene. Bernstein, perhaps thinking that she had gotten away with her act of recklessness, went about her business until she received a call from police dispatch.
How did police dispatch find out that Bernstein was even involved in an accident? Well, her Ford vehicle was equipped with an Emergency Assistance feature that alerts emergency personnel when it detects that the vehicle has been involved in a serious accident. In addition to alerting first responders about a serious accident, an onboard GPS module can pinpoint the exact time and location of the accident.
… Use of GPS technology in vehicles is already drawing criticism from privacy groups, as they feel that innocent citizens could have their personal information and driving habits wind up in the hands of law enforcement. In the case involving Cathy Bernstein, the good guys won, but some feel that automatically dialing law enforcement represents a violation of fourth amendment rights.




Surveillance Apps for the masses.
New software watches for license plates, turning you into Little Brother
We now live in a world where if you have an IP-enabled security camera, you can download some free, open-source software from GitHub and boom—you have a fully functional automated license plate reader (ALPR, or LPR).
… For the last six months, the two-man team behind OpenALPR has built this software and given it away for free, largely as a way to draw attention to their other paid services:




How would DNA testing be different from a test for pollen or mud from a crime scene? What basis would there be to seize clothing if it could not be examined for evidence?
Orin Kerr writes:
This summer, my co-counsel and I filed a cert petition in a pro bono case on behalf of a criminal defendant named Manuel Arzola. The case, Arzola v. Massachusetts, raises this question:
Whether a Fourth Amendment “search” occurs when government agents remove blood from a person’s lawfully-seized clothing and conduct a DNA test that generates a DNA identity profile.
Read more on The Volokh Conspiracy.




Please forgive me, I feel a rant coming on. The “easy” solution (ask any politician) is to ban encryption. Let's ignore the fact that ISIS (and others) are attracting followers via unencrypted social media. Apparently, we have no counter for “the gospel according to ISIS.” We don't even try to develop a counter argument. Instead we blame encryption – even when the evidence says encryption was not used.
Homeland chair moves to rein in 'dark' networks
The head of the House Homeland Security Committee is pushing a new initiative to deal with the proliferation of encrypted devices that critics say allow terrorists to communicate without detection.
The effort by Chairman Michael McCaul (R-Texas) will not force concessions on tech companies, he said Monday.
Instead, it would create “a national commission on security and technology challenges in the digital age,” which McCaul promised would be tasked with providing specific recommendations for dealing with an issue that has become a priority for law enforcement officials.
… “It is time for Congress to act because the White House has failed to bring all parties together — transparently — to find solutions.”
… McCaul initially claimed that the terrorists behind last month’s deadly attacks in Paris had the encrypted messaging application Telegram on their phones.
However, a staffer subsequently told The Hill that he “was providing a reference point to the types of encrypted messaging platforms that are available” and is not aware “of any specific app on the Paris attackers’ phones.”
Still, the staffer noted that intelligence officials have indicated that they believe the attackers communicated through encrypted channels.


(Related) There may be no evidence that this will help, but “we've got to do something!”
Andrew Griffin reports:
France is proposing that it will ban free public Wi-Fi and anonymised browsing because of the Paris attacks, according to leaked documents.
The French government is considering extending internet powers in a way that has only previously been done in Iran and China, according to the document seen by French newspaper Le Monde.
Read more on The Independent.




Perspective. Why you need a mobile App for your customers.
How We Shop Differently on Our Phones
… The researchers found that the average order size of low spenders (defined as shoppers whose total spending was less than the median in the first phase) increased after they adopted mobile shopping. They also placed more orders per year than they had using only a computer. Among high-spending mobile shoppers, the size of the order remained about the same. But, as with the low spenders, the frequency of their purchases steadily increased the more they used their mobile devices for shopping.


Monday, December 07, 2015

What is this world coming to when you can't even have a beer in piece?
650,000 Affected by JD Wetherspoon Data Breach
JD Wetherspoon, a major pub chain operating in the UK and Ireland, informed customers last week that their personal information may have been stolen after hackers breached its website in mid-June 2015.
According to an email sent out customers, the company only learned of the breach on December 1. An investigation revealed that attackers gained access to a customer database linked to the firm’s old website, which had been hosted by a third party.
The compromised database stored the names, dates of birth, email addresses and phone numbers of 656,723 people who signed up for JD Wetherspoon newsletters, registered to use Wi-Fi in pubs and opted to receive company information, purchased vouchers online between January 2009 and August 2014, or used the contact form on the company’s website.




For politicians, there's no reaction as good as an over-reaction!
After Paris Attacks, French Cops Want to Block Tor and Forbid Free Wi-Fi
After the recent Paris terror attacks, French law enforcement wants to have several powers added to a proposed law, including the move to forbid and block the use of the Tor anonymity network, according to an internal document from the Ministry of Interior seen by French newspaper Le Monde.
That document talks about two proposed pieces of legislation, one around the state of emergency, and the other concerning counter-terrorism.




For my students.
New on LLRX – Information Quality Resources and Expert Resources
by Sabrina I. Pacifici on Dec 6, 2015
Via LLRXInformation Quality Resources and Expert ResourcesMarcus Zillman’s guide is a comprehensive and selective bibliography including search engines, world wide web resources, services and sites currently offering free, value added content on the web. As more and more of the global population is accessing the web, making informed choices about what content to use to obtain reliable, accurate, actionable information becomes more critical. This guide provides an extensive range of reliable, relevant information to leverage – whether you are an educator, a librarian, a researcher, a lawyer, a student, a professional working on mission critical organizational objectives, or in the interest of current awareness. Gaining insight into your resources can be a challenging process if undertaken without benchmarks and skillfully researched pathfinders. This guide comprises a wide range of resources for everyone who regularly engages with web content for knowledge discovery, producing work product, and creating value added content related to specific sectors, issues or topics.


(Related)
Tutorial Resources




Will Big Data help weed the gene pool? Dilbert seems to think so.


Sunday, December 06, 2015

Update – the downside.
In the wake of the Ashley Madison hack, we read a few reports that suggested that the revelations may have contributed to a few suicides. There is still fallout happening from that breach and data dump. Dean Balsamini reports:
A prominent New Jersey educator lost his job, his wife, his mind and possibly his freedom — thanks to the Ashley Madison hack, The Post has learned.
[The] district school superintendent of Randolph NJ, sustained severe burns while trying to torch his garage after confessing to his wife and school board he had an account with the infamous infidelity Web site.
[…]
The downward spiral accelerated. On the same day as the suspected arson, [he] was placed on paid administrative leave.
Two weeks later, on Oct. 27, he resigned from his $167,500-a-year job as school boss. Officials said, “It was in the best interest of both parties to end the employment relationship.”
Read more on NY Post.
I’ve omitted his name from the quoted material because his children are old enough to be online and to be Googling. I hope the media does respect their privacy and not make this worse for them. Maybe as a citizen journo I should be providing his name, but it just feels wrong right now. [See the Jonathan Zittrain TED talk, below. Bob] The point of the story is that the breach and data dump have had consequences for people’s lives.




For my Computer Security students.
Jigsaw Security Analytics posted an interesting report today.
Over the past few months we have been silently collecting data and comparing news articles to actual data that our OSINT-X platform has been monitoring.
[…]
We setup a quick test plan and implemented the plan in OSINT-X to basically read news articles, pull out any references to leaks of information, personal credential disclosures, breach notifications, etc and we started comparing this data to information being posted to Pastebin, other paste sites, Darknet and underground forums. The goal in this was to find out just how many times corporations actually disclose that they have been breached. To keep things fair we had manual review to ensure that the “breached” information was legitimate (meaning we checked to verify whenever possible before including the results in our statistics). What we found was quite interesting.
In this article, they reported on three sectors. I’m going to jump to their results in the healthcare sector:
By far the healthcare industry was the worst of the worst during this timeframe. From inadvertain (sic) prescriptions being sent to the wrong fax number to multiple instances of hackers stealing data, we really don’t even know where to begin.
During our analysis we noted a total of 305 individual incidents during the 90 day study period of which only 52 were publicly disclosed by the healthcare organization. It appears as though many times the victims are reluctant to disclose the issues out of fear of litigation or brand reputation.
Well, wait a second. Are you assuming that the entity even knows about the breach? If data are posted on a paste site, what makes you think the entity even knows about the problem? Did you contact them to inquire?
And if you didn’t contact them and they’re a U.S. entity covered under HIPAA, how do you know that the entity didn’t disclose the breach to HHS and send notification letters to individuals? Under HITECH, a covered entity has no obligation to issue a public statement/substitute notice unless certain conditions exist. So if you’re looking at small-n incidents and don’t see a public statement, it is not safe to assume that there has been no disclosure.
What was interesting is that of the ones the disclosed leaks only 4 of them have had any sort of legal issue as a result of the breach itself. 3 events were insider theft of health information for illicit use.
It seems the healthcare industry as a whole refrains from reporting whenever they can get away with it even though the actual cost of a breach seems to be leveling out and many organization are covered under cyber insurance policies.
Read more on Jigsaw Security Analytics. I want to find out more about their methodology and results.




Is this the future of news? Random photos with incoherent captions?
Snapchat’s Move Into Real-Time News is Fascinating
For an app that many—possibly even most—initially dismissed as a trivial tool for teens to send sexy texts that would automatically disappear, Snapchat has certainly come a long way. Not only does it have an estimated market value of about $16 billion, but it is also now seen by many media outlets as a viable platform for their news, thanks in part to its Discover feature.
… Although the company has experimented with news aggregation features a few times before now, the latest and most powerful example of it doing so came on Wednesday and Thursday, after a mass shooting in San Bernardino, Calif.
… Snapchat creates stories based around geographic locations such as Los Angeles every day, with random content uploaded by users about the city. The service usually employs GPS location tools to show that kind of story only to those who are in that city. But in the case of the shooting, the company made the San Bernardino stream available to everyone in the U.S., for the first time.
… The results of Snapchat’s news gathering can be seen in a post that Mashable did, as well as a similar piece that Business Insider did on the phenomenon. It’s a live stream of images and videos from people who were near the shooting location, including some shaky footage of people under lockdown.




This is how you say, “nyah nyah, na nyah nyah” in Russian.
BBC reports:
Russia has adopted a law allowing it to overrule judgements from the European Court of Human Rights (ECHR).
The vote in the Duma, Russia’s lower house of parliament, came the same day as the ECHR ruled against Russia’s Federal Security Service over spying.
The European court said Russia had violated privacy rights with a system to secretly intercept mobile phone communications.
The Russian constitution takes precedence under the new Duma law.
The measure was fast-tracked, giving the constitutional court the right to declare international court orders unenforceable in Russia if they contradict the constitution.
Read more on BBC.




Jonathan is an optimist? Perhaps too much of an optimist.
Jonathan Zittrain: The Web as random acts of kindness
Feeling like the world is becoming less friendly? Social theorist Jonathan Zittrain begs to difffer. The Internet, he suggests, is made up of millions of disinterested acts of kindness, curiosity and trust.