Saturday, June 18, 2016

A most interesting hack. 
Fund Based on Digital Currency Ethereum to Wind Down After Alleged Hack
   Founders of the fund, DAO, which was built around a digital currency called Ethereum and which raised more than $150 million this spring, said Friday morning they have been forced to shut down the fund and plan for its unwinding.
The attack spirited away roughly 3.6 million Ethereum coins, valued at around $55 million, from DAO to another account.
   The DAO’s founders are planning to “fork” the code and effectively void the hacker’s transactions.
“The DAO’s journey is over but all funds are safe,” said Stephan Tual, the founder of Slock.It, the group that created DAO, which stands for Decentralized Autonomous Organization.  “All stolen funds will be retrieved from the attacker.”
   DAO was set up in May as an experiment in using digital currencies and self-operating digital contracts to create a venture-capital fund that could run itself.  But it was criticized early on for being poorly constructed, and there were calls for it to halt operations while it worked out its bugs.  Those criticisms now appear prescient.
   One investor in the DAO, Menno Pietersen, said he opposed the rescue and called the incident a “horrible mess.”  The DAO’s creators “messed up” and didn’t take the time to build their product correctly, he said.  He acknowledged that he himself didn’t vet the investment carefully enough, but said that as a backer of Ethereum, he was against any fix that would invalidate the goal of creating a decentralized platform.  If trades can simply be erased, he asked, “what will they do next?”


Because no one is perfect.  Perhaps penetration testing should be continuous?  (Pay attention Ethical Hacking students.) 
How Hired Hackers Got “Complete Control” Of Palantir
Palantir Technologies has cultivated a reputation as perhaps the most formidable data analysis firm in Silicon Valley, doing secretive work for defense and intelligence agencies as well as Wall Street giants.  But when Palantir hired professional hackers to test the security of its own information systems late last year, the hackers found gaping holes that left data about customers exposed.
Palantir, valued at $20 billion, prides itself on an ability to guard important secrets, both its own and those entrusted to it by clients.  But after being brought in to try to infiltrate these digital defenses, the cybersecurity firm Veris Group concluded that even a low-level breach would allow hackers to gain wide-ranging and privileged access to the Palantir network, likely leading to the “compromise of critical systems and sensitive data, including customer-specific information.”
   Virtually every company is vulnerable to hacks, to varying degrees.  In recent years, red teams generally have had a high success rate in getting deep inside of companies’ networks, and they virtually always find at least some security flaws, according to an industry source.  That Palantir did a red team exercise shows that it wanted to identify and repair any such flaws.  The Veris report notes multiple strengths in Palantir’s defenses, including an “excellent” response by its security staff.


I’ll bet this is not their policy.  If they have a policy.  Something my Computer Security students need to think about.
For today’s object lesson (and maybe abject lesson), I give you FIS Global and Guaranty Bank and Trust.  I’ve written up the incident in more detail over on the Daily Dot, but the short version is a hacker (@1×0123) found a vulnerability in FIS Global’s client portal login and tweeted about it.  FIS didn’t respond to him directly.  Instead, they got his Twitter account locked and the screenshots removed.
Getting a hacker’s Twitter account locked.  What could possibly go wrong, right?
It wasn’t just the hacker they failed to respond to.  FIS also failed to respond to two inquiries by this blogger to their communications department and one attempt to reach their Twitter team.
Trying a different route, and not knowing at the time whether the vulnerability had been addressed, this blogger also reached out to contact the bank client whose data was being exposed on the Internet.  They didn’t reply to two voicemails left with two different executives.
C’mon, folks.  Don’t you want people to let you know if they find a vulnerability that’s exposing your customer data or proprietary information?  Are you familiar with behaviorism?
If you keep ignoring people when they take time out of their lives to try to alert you to a situation, well, then the next time someone finds a vulnerability, they’ll either just keep it to themselves, exploit it, or share it with others who will exploit it.  Is that what you really want?  When someone notifies you, then even if you were already aware of the situation, take a damned moment to let them know you got their message and appreciated it.
At the very least, try not to tick off the hacker, okay, because it just may make a difference in their decision to publicly dump your data.
Read my report on the Daily Dot


I thought this might happen.  Firefox is allowing anyone to have a personal account, a business account, a dating account, a job search account, a ‘say outrageous things’ account, a ‘don’t let this screw up my credit’ account, etc.  No doubt the FBI (et al) will want to make connections that users would like to keep separate. 
Firefox Containers Help You Browse The Web Using Separate Identities
In the physical world, when interacting with other people, we like to think that we have a strong, recognizable personality, but the truth is we often tend to change it according to the context we’re in.  We behave differently when we are among friends than with our boss, our parents or our children. At work we’re one person, on holiday another.
So far this has been hardly possible to replicate online, mainly because our surfing experience is tracked and monitored in every possible way in order to build a single, identifiable profile, which advertisers can use to target us.
Enters “Containers”, a new interesting feature Mozilla is testing in version 50 of the Nightly build of its popular Firefox browser.  As security engineer Tanvi Vyas writes in the company’s blog, with Containers “users are able to portray different characteristics of themselves in different situations”.
Say you have two twitter accounts and want to login to them at the same time? No need to open a secondary browser or launch a desktop application like TweetDeck.  With Nightly, you could just open the File menu and select the “New Container Tab” option, choosing between the Personal, Work, Shopping, and Banking options.
   Imagine you’re trying to book a flight and you don’t want the airline to adjust the price according to your browsing history: you won’t have to delete all your cookies any more, just open a separate tab.
As Vyas acknowledges, the idea of contextual identities is not new, but so far it has been hard to implement, mainly because it’s difficult to figure out what the best user experience should be.


The model I’ve proposing for years!
Municipal fiber network will let customers switch ISPs in seconds
Most cities and towns that build their own broadband networks do so to solve a single problem: that residents and businesses aren't being adequately served by private cable companies and telcos.
But there's more than one way to create a network and offer service, and the city of Ammon, Idaho, is deploying a model that's worth examining.  Ammon has built an open access network that lets multiple private ISPs offer service to customers over city-owned fiber.  The wholesale model in itself isn't unprecedented, but Ammon has also built a system in which residents will be able to sign up for an ISP—or switch ISPs if they are dissatisfied—almost instantly, just by visiting a city-operated website and without changing any equipment.


Perspective.  My students will be shocked.  They thought Uber was always profitable. 
Uber points to profits in all developed markets
Uber says it has now reached profitability in all its developed markets, underscoring the business case for the new ride-hailing models that are disrupting the transportation industry.
Travis Kalanick, chief executive, told the FT that Uber is making money in North America, Australia and in its Europe, Middle East and Africa region, on a basis that excludes interest and tax.
“We have hundreds of cities that are profitable globally,” he said.  “That allows us to invest in new places, and to sustainably invest in a very expensive place like China.”
Mr Kalanick also disclosed that China — where the company is fighting a costly subsidy battle with rival Didi Chuxing — is now Uber’s biggest market by number of rides, accounting for a third of the company’s daily trips.


Because crazy people…
Active Shooter Event: Quick Reference Guide – DHS
by Sabrina I. Pacifici on
Department of Homeland Security guide – quick reference guide to assist friends, family, colleagues, co-workers, organizations – “An “active shooter” is an individual who is engaged in killing or attempting to kill people in a confined and populated area; in most cases, active shooters use firearms(s) and there is no pattern or method to their selection of victims.”


Once again…
Hack Education Weekly News
   “A Swedish college has been ordered to refund tuition fees to an American business student for giving her a poor economics education,” the AP reports.  “The Vastmanland court ruled Tuesday the Malardalen University’s two-year program ‘Analytical Finance’ that Connie Askenback attended from 2011 to 2013 ‘had no practical value.’”
   From the press release: “Achieving the Dream Launches Major National Initiative to Help 38 Community Colleges in 13 States Develop New Degree Programs Using Open Educational Resources.”  More via The Chronicle of Higher Education.
   Via the Detroit Free Press: “Wayne State drops math as general ed requirement.”  [5 out of 4 students thrilled!  Bob]
   Via The Chronicle of Higher Education: “Facebook Reveals How It Decides if a Research Project Is Ethical.”

No comments: