Saturday, February 06, 2016

Isn't this the wrong way to do things? You're telling me that someone I deal with has really bad security (or is a crook) but you won't tell me who it is?
Lucinda Borrell reports:
A data breach at an unidentified online retailer could have led to credit card users having their account details “compromised”, MoneySavingExpert has learned – resulting in Tesco Bank cancelling a number of its customers’ cards as a “precautionary measure”.
We don’t yet know who the online retailer is and it’s possible multiple credit card providers’ customers could have been put at risk. However Tesco Bank took action after being notified by Mastercard of the breach earlier this week, and is now in the process of identifying those at risk and cancelling their cards.
Read more on MoneySavingExpert. Again, note that this incident is not specific to Tesco or Mastercard. The breach is presumably at a retailer, so whatever card you used with the unnamed retailer may be impacted.




Perspective. How many people does it take to evaluate, suspend and perhaps reevaluate this many accounts? How much of the job could be automated? Is this a common cost of doing business on the Internet?
Twitter – Combating Violent Extremism
by Sabrina I. Pacifici on Feb 5, 2016
Twitter news release: “Like most people around the world, we are horrified by the atrocities perpetrated by extremist groups. We condemn the use of Twitter to promote terrorism and the Twitter Rules make it clear that this type of behavior, or any violent threat, is not permitted on our service. As the nature of the terrorist threat has changed, so has our ongoing work in this area. Since the middle of 2015 alone, we’ve suspended over 125,000 accounts for threatening or promoting terrorist acts, primarily related to ISIS…”




Not ready for prime time?
Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security
… Today, we are releasing two sections of the report so that consumers can know what companies are doing to secure their personal information. The two sections being released are the study background, and our technical methodology and findings.
Our key technical findings include:
  • Seven out of eight fitness tracking devices emit persistent unique identifiers (Bluetooth Media Access Control address) that can expose their wearers to long-term tracking of their location when the device is not paired, and connected to, a mobile device Jawbone and Withings applications can be exploited to create fake fitness band records. Such fake records call into question the reliability of that fitness tracker data use in court cases and insurance programs.
  • The Garmin Connect applications (iPhone and Android) and Withings Health Mate (Android) application have security vulnerabilities that enable an unauthorized third-party to read, write, and delete user data
  • Garmin Connect does not employ basic data transmission security practices for its iOS or Android applications and consequently exposes fitness information to surveillance or tampering
Read the full report. [Except for the missing bits. Bob]




Resources?
Video Roundup
It’s always great to attend security and privacy conferences in person. But in cases where you have to miss an event, online videos of the talks can be a great way to stay current with the ongoing conversation.
Art, Design, and The Future of Privacy
As I promised back in September, the videos of the event we co-hosted with DIS Magazine at Pioneer Works are available online. The DIS blog had a great writeup with summaries of the different panels, and you can find transcripts over at Open Transcripts. I had a great time participating, and came away with some great perspectives.




Do you think the FCC thought that companies might lower prices? Me too, neither.
Verizon’s New Video Service Tests Net Neutrality Laws
Verizon has confirmed that any video streamed through its new Go90 service won’t count towards the data plans of Verizon customers. That’s bad news for Netflix, YouTube, and other competing streaming video services, which will continue to count against your data cap—unless perhaps those companies participate in one of Verizon’s FreeBee program, which allows companies to underwrite their app’s bandwidth costs on behalf of users.
The practice of exempting some internet usage from a data cap is known as “zero rating,” and most major internet providers are now dabbling in one form of it or another. T-Mobile exempts video and music streaming from various partners through its Music Freedom and Binge On services. AT&T has been experimenting with various forms of sponsored data in recent years. Sprint’s prepaid service includes some zero rated content. And Comcast allows viewers to watch its Stream TV service, which it classifies as a traditional cable television service, on their computers without having it count towards data limits.
Although these services certainly violate the spirit of network neutrality by allowing providers to give certain partners or themselves an advantage over competitors, zero rating isn’t necessarily banned by the FCC’s Open Internet Order.




Just a simple way to move money out of China?
Chinese-led investors plan to buy Chicago Stock Exchange
… The buyers are considering opening a stock exchange in southwest China and also hope to list Chinese stocks in the U.S., Chicago Stock Exchange CEO John Kerin said in an interview Friday. The exchange needs the cash from the buyout to launch its new trading products and platforms, Kerin said.
… Companies don’t exclusively list stocks on the Chicago Stock Exchange as they do on the NYSE, Kerin said. But after the buyout is complete, the Chicago Stock Exchange has plans to allow small companies that don’t meet NYSE requirements to list stocks on the exchange.
The exchange has been also working on an on-demand auction product that is expected to be released in the spring.
… The Chicago Stock Exchange is not a member of the World Federation of Exchanges.




I wonder if “there's an App for that?” Steal small amounts from lots of people.
Why a Chinese Ponzi scheme that preyed on poor farmers should scare us much more than Bernie Madoff’s fraud
… Last year, Ezubao, a peer-to-peer lending platform which claimed to match investors with companies looking for finance, sponsored the online broadcasts of the National People’s Congress by a subsidiary of state-owned news agency Xinhua. With its logo adorning the Great Hall of the People in Beijing, how could savers doubt it was a trustworthy brand?
… One of the company’s executives has since been reported as saying that 95 per cent of the projects it claimed to invest in were fake. Reports suggest that some 880,000 people have collectively lost $10.7 billion after falling for Ding’s hype.
The lessons of Ezubao are far more important than those of the Madoff fraud. This wasn’t wealthy individuals taking advantage of the greed of other wealthy individuals; this was a near-state sponsored company capitalizing on Chinese citizens who could least afford to lose their money.
… And Ezubao might just be the tip of the proverbial iceberg when it comes to fraud among China’s burgeoning wave of financial technology players. Last March, Dagong, China’s credit rating agency, warned that some 1,250 online financial platforms were at risk of going bankrupt. Its president, Xu Zhipeng, cautioned that “a storm of credit risks is brewing in the peer-to-peer lending industry”, which had grown threefold the previous year to US$17 billion.




For my Data Management students.
Data Quality Demands a Team Approach
With data becoming increasingly central to business strategies, data quality management has never been more important. So it is a little disheartening to see that just 40 percent of companies surveyed by 451 Research were very confident in their organization's data quality or its data quality management practices.
In fact the research, sponsored by Blazent, found a complete lack of data quality management practices for a surprising 8.5 percent of respondents.
IT departments are primarily accountable for data quality at most of the surveyed companies, the research revealed. Cross-functional teams and other employees are largely not held responsible.
… IT typically does not take a strategic view of data.
Data entry by employees was the top reason for poor data quality, cited by 57.5 percent of respondents, followed by data migration or conversion projects, mentioned by 47 percent, and mixed entries by multiple users (44 percent).




Perspective. Replacing Gutenberg.
Google Is Publishing Unprintable Books
Early Wednesday morning, Google released two electronic books in its Play Store. Unlike the countless e-books already available — the digital equivalent of paperbacks — these books are digitally native. They could never exist on the printed page.
In collaboration with London-based book publisher Visual Editions, Google’s Creative Labs has been developing books — short stories, really — intended for smartphones and tablets. The project, Editions at Play, is what Google calls “an experiment in unprintable books.” What that means is still up for debate.




Everything I need to know.
Hack Education Weekly News
Via The New York Times: “Public Advocate Letitia James has sued the New York City Education Department, saying a $130 million computer system meant to track services for students with disabilities was a failure.”
… “PARCC Scores Lower for Students Who Took Exams on Computers,” says Education Week. Also via Education Week: “Comparing Paper-Pencil and Computer Test Scores: 7 Key Research Studies.”
Via the Atlanta Journal-Constitution: “A Cobb County high school’s new reliance on iPads for classroom work has some worrying students without them could be left behind. Walton High School is directing parents of its nearly 2,600 students to buy iPads for their children to use in classroom assignments starting this month. School officials have said iPads would be available for check-out for students who couldn’t afford or didn't own them, but only about a dozen are being provided for those students to use.”
… Apollo Education, the parent company of the University of Phoenix, has laid off 70 employees, the Arizona Republic reports.




Tools & Techniques
5 Online AIs You Can Put to Work Right Now
DeepArt.io: Your Photo, in the Style of a Famous Painter




Perhaps Dilbert will explain how the uses of technology change over time.


Friday, February 05, 2016

For my Computer Security students. The future is secure?
The Keybase filesystem
Alpha releases of the Keybase app are starting to come with a cryptographically secure file mount. It is brand new. And very different.
… The Keybase servers do not have private keys that can read this data. Nor can they inject any public keys into this process, to trick you into encrypting for extra parties. Your and my key additions and removals are signed by us into a public merkle tree, which in turn is hashed into the Bitcoin block chain to prevent a forking attack. Here's a screenshot of my 7 device keys and 9 public identities, and how they're all related.
As a reminder, Keybase is open source Go.
… If you're not a Keybase user yet, you can click this link to get in line to be one of our first users.




Are there clear guidelines or is it simply a vague, “find fraud?”
Rae Johnston reports:
State and Federal Government agencies are using private investigators to conduct “optical surveillance” on members of the public, including monitoring the social media accounts of Centrelink recipients. This “open-source intelligence” is a growing trend, bringing questions about online privacy into the spotlight.
Evidence gathered from private social media accounts has been used to investigate Centrelink claims. According to The Daily Telegraph, and in one instance conversations on Twitter were used to prove the relationship status of a couple who were receiving payments as individuals.
Read more on Gizmodo.com.




Interesting. Could become a resource. I need to play with it a bit more.
Harvard portal helps track and map use of personal data
by Sabrina I. Pacifici on Feb 4, 2016
“About theDataMaptheDataMap™ is an online portal for documenting flows of personal data. It tells you where your data goes. The goal is to produce a detailed description of personal data flows in the United States. The effort started with health data and is expanding to all other kinds of personal data. The motivation is to help journalists, advocates, regulators, policy makers and researchers understand the current state of personal data sharing so they can do their jobs better. Our aim is to help the helpers. A comprehensive data map will encourage new uses of personal data, help innovators find new data sources, and educate the public and inform policy makers on data sharing practices so society can act responsibly to reap benefits from sharing while addressing risks for harm. With funding from the Knight Foundation, we will launch a portal that engages members of the public in a game-like environment to report and vet reports of personal data sharing and to participate in data visualization and analysis competitions.” [theDataMap™ operates as a research project in the Data Privacy Lab, a program in the Institute for Quantitative Social Science (IQSS) at Harvard University. The project leader is Professor Latanya Sweeney.]




It all began with “Double secret probation!”
Paper – Coming to Terms with Secret Law
by Sabrina I. Pacifici on Feb 4, 2016
Rudesill, Dakota S., Coming to Terms with Secret Law (January 6, 2015). 7 Harvard National Security Journal, 2015, Forthcoming; Ohio State Public Law Working Paper No. 321. Available for download at SSRN: http://ssrn.com/abstract=2687223
“The allegation that the U.S. government is producing secret law has become increasingly common. This article evaluates this claim, examining the available evidence in all three federal branches. In particular, Congress’s governance of national security programs via classified addenda to legislative reports is here given the first focused scholarly treatment, including empirical analysis that shows references in Public Law to these classified documents spiking in recent years. Having determined that the secret law allegation is well founded, the article argues that secret law is importantly different than secret fact: the constitutional norm against the former is stronger than against the latter. Three normative options are constructed and compared: live with secret law as it exists, abolish it, or reform it. The article concludes by proposing 10 principles for governing secret law, starting with the cardinal rule of public law’s supremacy over secret law.”




Bad reporting? Another case of someone making up the news?
Super Bowl 50: FAA Threatens To Shoot Down Drones Flying Near Levi's Stadium On Game Day
As football fans prepare for Super Bowl 50, the FAA is making preparations of its own for the big day, threatening to shoot down any unauthorized drones that fly within 36 miles of Levi's Stadium in Santa Clara, Calif. This news comes as the FAA takes an increasingly militant stance on recreational drone usage in the U.S.
… violators could face civil penalties and criminal charges, the FAA warned, noting that the government officials may use deadly force against the airborne aircraft, if it is determined that the aircraft poses an imminent security threat.


(Related)
No, The FAA Isn’t Going To Shoot Down Super Bowl Drones
… I’ve written about this before, and was struck by the references to “deadly force,” which aren’t in the announcement from the FAA or the official notice. As best I can find, it appears to come from an NBC story titled “FAA: Drones Flown Around the Super Bowl Could Face 'Deadly Force'.
… This is technically always true, as the United States Government has a sovereign authority to the skies above America and it can make the call to shoot down aircraft deemed to be a threat. And the term “deadly force” appears in the FAA’s recommendations for police on illegal drone use. The document specifically states “The United States government may use deadly force against airborne aircraft, if it is determined that the aircraft poses an imminent security threat.”




No doubt this won a Darwin Award for design.
Dem presses Amazon to stop selling gun-shaped cellphone cases















One, anyway.
6 Little-Known Corners Of The Deep Web You Might Actually Like
… To access these sites, you’ll need to use Tor, which allows you to connect to these sites anonymously, and will keep your connection private.
Jotunbane describes the reasoning behind his website like this: “I got tired of ebooks that looked like they were made in a hurry, and since I had the skill set to do something about it, well here we are.” In short, the Reading Club lets you download books that have been cleaned up from their original e-book versions.
… If you don’t abuse the system, it seems to be a good way around freedom-stifling DRM practices.




One for my students.
10 Super Ways to Save When Shopping on Amazon
For college students, Amazon Student is a terrific money-saving program. You can sign up for a free six-month trial that gives you the two-day shipping for free, unlimited photo storage, and exclusive student-related discounts and deals. After your trial expires, you are eligible to receive Amazon Prime at half the cost and you still get all of the Prime member benefits we listed above.


(Related) (Free) Prime first, then other free stuff.
Amazon Prime Members Have Digital Access to Washington Post for Free – 6 months
by Sabrina I. Pacifici on Feb 4, 2016
“Amazon today announced that Prime members can now enjoy six months of free unlimited access to The Washington Post National Digital Edition, a subscription usually retailing for $9.99 per month. After the first six months of access to world-class national and international news, Prime members can continue to enjoy unlimited digital access with a discounted monthly subscription rate of only $3.99, a savings of 60% per month… Prime members can read news on the go at any time with The Washington Post’s new national app available on iOS, Android and Amazon Fire devices or access The Washington Post’s full website by visiting washingtonpost.com. For a limited time, members who are not currently subscribed to The Washington Post can start a free trial of The Washington Post National Edition by simply visiting www.washingtonpost.com/primeoffer and signing in with Amazon credentials.”




Another student cheapie.
College Students Can Now Receive Digital Access to The Times for $1 a Week
by Sabrina I. Pacifici on Feb 4, 2016
New York Times Co Press Run – “The New York Times today will begin offering college students full access to NYTimes.com on the web and via its smartphone apps for just $1 a week. Students will be required to sign up for their subscription using their valid school email address, as well as provide their graduation year in order to verify their student status. Previously, college students could sign up for access at 50% off standard retail rates for a digital subscription ($7.50 every 4 weeks). In July, The Times tested the $1 a week offer and found the students had a very positive response to the deeply discounted rate. The offer is limited to new subscribers only…”