Saturday, April 16, 2016

For my Computer Security students.  Sounds like it was written by a “Game of Thrones” fan, but true nonetheless. 
Paper – OPM Demonstrated that Antiquated Security Practices Harm National Security
by Sabrina I. Pacifici on
“In this digital age, information is secured, coveted, and exfiltrated by nation states, hacktivists, and ambitious actors because, now more than ever, knowledge is power.  Modern needs dictate that only authorized users know information, that authorized users can access information instantaneously, and that the integrity of information is certain.  In opposition to these aspirations, an incessant tide of cybersecurity threats, spread across an unfathomably complex cyber-threat landscape, batters the defenses around any valuable store of information.  Adversaries seek to discern and exploit any minute vulnerability that could compromise the defenses and expose the wealth of knowledge inside.  Information security professionals often view convenience and security as a tug-of-war over controls and resources.  A fickle balance between convenience and security actually exists for the organizations with the knowledge to pursue it and vigilance to adapt their defenses to emerging changes in the threat landscape.  The increasing annual number of successful breaches indicates that organizations and governments alike are not correctly balancing security with convenience due to antiquated systems and decades of poor security practices.  If information is seen as a treasure hoard, then the cybersecurity infrastructure around it is the great fortress that is built by its people, founded on their technology, and maintained by their security practices.  The employment of reliable technology, superlative security practices, and knowledgeable people culminates in a multilayered, integrated defense that is resilient to threats.  The majority of inbound threats are thereby thwarted against its ramparts and the impact of the few successful breaches is minimized to acceptable losses.  No adversary or persistent attack compromises either the cybersecurity infrastructure or the integrity of the information secured within.”


Government trash talk? 
Ethan Blevins writes:
This morning, Judge Beth Andrus held a hearing to determine whether inspections of Seattle residents’ garbage violates the Washington Constitution’s right to privacy.  We relied on a Washington Supreme Court case that said government agents cannot sift through garbage cans without a warrant.  That includes garbage collectors.  They have an invitation to collect–not to inspect.
The City spent much of the argument trying to backpedal from the clear language of the law being challenged.
[A line from the article: 
Inadvertent discovery of prohibited items that a garbage collector happens upon in the course of their work might not violate the Washington Constitution; a deliberate hunt for pizza crusts and Brussels sprouts surely does.


This sounds important.  The next dimension is time.  If security is dropped for months, the implications are clear.  What if security fails for only a few hours? 
As reported on the Hunton Insurance Recovery Blog, data breach claims involving customer data can present an ever-increasing risk for companies across all industries.  A recent case illustrates efforts to recover the costs associated with such claims.  A panel of the Fourth Circuit confirmed that general liability policies can afford coverage for cyber-related liabilities, and ruled that an insurer had to pay attorneys’ fees to defend the policyholder in class action litigation in Travelers Indemnity Company v. Portal Healthcare Solutions, No. 14-1944.  Syed Ahmad, a partner in the Hunton & Williams LLP insurance practice, was quoted in a Law360 article concerning the importance of this decision.
Read more on Hunton & Williams Privacy & Information Security Law Blog.
[From the article:  
In the Portal case, the specific issue was whether the mere online availability of sensitive information constitutes “publication” for purposes of triggering an insurance policy’s personal or advertising injury coverage and its corresponding duty to defend.  The appellate court ruled it does and adopted the district court’s reasoning that “[p]ublication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it.”


What works and why.
The Rise of WhatsApp in Brazil Is About More than Just Messaging
For most people in Brazil, texting was never truly accessible.  The cost of SMS in the country was as much as 55 times more than in North America and far too expensive for most residents.  So when the messaging service WhatsApp entered the market, in 2009, allowing users to send messages to anyone for free and regardless of their mobile carrier, people gravitated toward the platform.  Today, 96% of Brazilians with access to a smartphone use WhatsApp as their primary method of communication.


Interesting.  Imagine the lobbyists who would have apoplexy if we tried this in the US. 
India's Audacious Plan to Bring Digital Banking to 1.2 Billion People
India is trying to yank its cash-based economy into the 21st century.
But how do you get 1.2 billion people, many of whom have never seen a bank or opened an account, to send digital payments to each other?
The government's answer is an effort it has named the Unified Payment Interface.  Debuting Monday, it's a system designed to make transferring and receiving money as easy as exchanging e-mail or text messages.
   India is hoping to replicate the success of a similar digital-payments scheme in Kenya.  Introduced in 2007, Safaricom's M-PESA system lets people send and receive money via mobile phones.  What's impressive is the sheer number of people doing so: 22 million, or half the African country's population.  India's system is designed to work at a more basic level, with payments flowing between mobile, banking and other networks.


Not sure this is the best use of time and treasure, but no doubt someone does.
USDA Local Food Directories: National Farmers Market Directory
by Sabrina I. Pacifici on
Updated April 15, 2016 – “The Farmers Market Directory lists markets that feature two or more farm vendors selling agricultural products directly to customers at a common, recurrent physical location.  Maintained by the Agricultural Marketing Service, the Directory is designed to provide customers with convenient access to information about farmers market listings to include: market locations, directions, operating times, product offerings, accepted forms of payment, and more.  Visit our Local Food Directories page to find other operations offering locally grown products.  If you are a market manager visit our Local Food Directory Registration & Update page to add or update a market listing.  An API is available for developers to integrate this data into other applications.”


It can’t hurt.
Interest in computer science education is growing rapidly; even the President of the United States has spoken of the importance of giving every student an opportunity to learn computer science.  Google has been a supportive partner in these efforts by developing high-quality learning programs, educational tools and resources to advance new approaches in computer science education.  To make it easier for all students and educators to access this information, today we’re launching a CS EDU website that specifically outlines our initiatives in CS education.


For my collection of tools & techniques.
5+ Best Sites & Apps to Find, Create, or Edit the Perfect GIF

(Ditto) 
How to Make an Infographic for Free with PowerPoint


Weekly amusement and amazement. 
Hack Education Weekly News
   The Pacific Standard on “The Teen Sexting Overcorrection”: “Last week, Colorado lawmakers rejected a bill that would have made sexting among teenagers a misdemeanor crime.  As Colorado law currently stands, minors who sext can technically be charged with felony child pornography, which carries a mandatory sex offender registration, even when the act is consensual.  Lawmakers, it seems, aren’t quite sure how to respond to libidinous teens in the digital age.”
   Via Inside Higher Ed: “Graduates of an online program at George Washington U sue the institution, saying they paid more to receive a worse experience than face-to-face students.”
   Via Salon: “California school district votes to allow teachers to carry guns in the classroom.” What could possibly go wrong?! [California?  Bob] 
   Also via The Chronicle of Higher Education: “Tenured Professor Says Blog Post Cost Him His Job.”
   Via The Wall Street Journal: “States Where Day Care Costs More Than College.” [Yes, Colorado too  Bob] 

Friday, April 15, 2016

For my Computer Security students.
Phishing Attacks Hit the C-Suite With High Value Scams
Any information security professional knows that spear-phishing is effective. Cloudmark calls it "The Secret Weapon Behind the Worst Cyber Attacks", and lists 10 recent major breaches, from Target to OPM, that started with a successful spear-phish.
  Two examples of CEO frauds come with the recent W-2 spear-phishing scams, and what the FBI calls the Business E-Mail Scam (BEC). For the former, Cloudmark's Tom Landesman has compiled a list of 55 companies that were taken in by the W-2 attacks, and comments, "It's likely that even more have been compromised, but have not come forward."
   CEO frauds are even more successful than spear-phishing.  There are probably two major reasons: firstly, few companies deliver security awareness training (such as simulated phishing attacks) against their own C-suite; and secondly, many senior executives still don't believe that security is their personal concern.


See FBI?  All you have to do is ask nicely.
Exclusive: Canadian Police Obtained BlackBerry’s Global Decryption Key
A high-level surveillance probe of Montreal's criminal underworld shows that Canada's federal policing agency has had a global encryption key for BlackBerry devices since 2010.
The revelations are contained in a stack of court documents that were made public after members of a Montreal crime syndicate pleaded guilty to their role in a 2011 gangland murder.  The documents shed light on the extent to which the smartphone manufacturer, as well as telecommunications giant Rogers, cooperated with investigators.
   Government lawyers spent almost two years fighting in a Montreal courtroom to keep this information out of the public record.


Because in New Jersey, everyone is a Soprano. 
Joe Cadillic writes:
Thanks to DHS & TSA grants totaling nearly $3 million, NJ Transit has nearly finished installing DriveCam LTYX’s cameras with microphones to spy on every commuter 24/7.  (Note: NJ Transit has been using DriveCam surveillance cameras since 2006.)
NJ Transit officials say spying on commuters’ conversations is “necessary to fight crime and maintain security!”   NJ Transit spokesman Jim Smith said, “the onboard surveillance systems are also a deterrent for crime and unruly behavior.”
Cameras with microphones aren’t the only thing police use to spy on us; “smart” LED lights installed at numerous airports are illegally recording everyone’s conversations.
Read more on MassPrivateI.


Is this what happens when “the right to be forgotten” isn’t the law of the land?  Did they believe it would work?  Have they never heard of the Streisand effect? 
UC Davis spent thousands to scrub pepper-spray references from Internet
UC Davis contracted with consultants for at least $175,000 to scrub the Internet of negative online postings following the November 2011 pepper-spraying of students and to improve the reputations of both the university and Chancellor Linda P.B. Katehi, newly released documents show.
The payments were made as the university was trying to boost its image online and were among several contracts issued following the pepper-spray incident.


If it was simple, we wouldn’t need years of conflicting opinions.
This Very Common Cellphone Surveillance Still Doesn't Require a Warrant
The government does not need a warrant to access the location data created on an ordinary, often minute-to-minute basis by cellphones and logged with cell providers, the Sixth Circuit for the U.S. Court of Appeals ruled Wednesday.
The ruling adds to a growing consensus among federal appeals courts that law enforcement can request this type of data—called “cell-site location information,” or CSLI—without violating the Fourth Amendment’s protection against unreasonable search or seizure.  But it only complicates the legal situation of their use, which is now so complex that driving across the border from Illinois to Kentucky changes how federal authorities can use the technology.
   Right now, CSLI comes in three flavors.  The first is “real-time,” where police work with a cell provider to access location data immediately after it’s created.  This usually does require a warrant.  The second is a “tower dump,” when authorities ask for all the phones that have communicated with a certain tower during a period of time.  There’s not a lot of law about how tower dumps work, but as of September of last year cops rarely sought a warrant for them.
The third is historical CSLI, where law enforcement requests a backlog of location data created by a certain phone.  This does not require a warrant, and hundreds of these requests happen per day. In 2015, AT&T alone handled more than 58,000 requests for historic CSLI.  (By contrast, it received about 17,000 real-time CSLI warrants and fewer than 1,500 tower-dump requests.)  Warrantless CSLI may be the most common kind of cellphone surveillance that Americans are subject to.


Encouraging the creation of the tools of the trade.  
Soft robots that can grasp delicate objects, computer algorithms designed to spot an “insider threat,” and artificial intelligence that will sift through large data sets — these are just a few of the technologies being pursued by companies with investment from In-Q-Tel, the CIA’s venture capital firm, according to a document obtained by The Intercept.
Yet among the 38 previously undisclosed companies receiving In-Q-Tel funding, the research focus that stands out is social media mining and surveillance; the portfolio document lists several tech companies pursuing work in this area, including Dataminr, Geofeedia, PATHAR, and TransVoyant.


Economics for techies.
Network Revolution: Creating Value Through Platforms, People and Technology
In the first article of a series that will be published over the coming year, authors Barry Libert, Megan Beck and Jerry (Yoram) Wind explore why companies whose business models involve leveraging networks generate more value than traditional firms.


If it was a game, students would be rich!
How to Make More Money with Google Rewards
One of the best ways to get Android apps for free is to use the Google Opinion Rewards app, a mobile survey tool that rewards you with cash in your Google account every time you complete a few brief questions.  With over 5 million installs, this is a popular app, but are you making the best of it?  Could you be making more money with Google Opinion Rewards?


See yesterday’s blog for Illustrator templates we might be able to use here.
Don’t Pay for Adobe Illustrator: This Free Alternative Is Great
Want to learn how to use Illustrator but don’t want to subscribe to Adobe Creative Cloud?  Or need to access its features on the go while using someone else’s computer?  With Gravit you get a lot of the key features offered in expensive standards like Illustrator or Fireworks.
Best of all, Gravit is completely free.  You just have to sign up for an account to use it.  Gravit includes basic vector tools: a pen tool, line tool, and a Bezigon tool, as well as shapes including a rectangle, ellipse, triangle, polygon, and star.


Some of this is Windows 10 only, but some is available now. 
Microsoft kicks off back-to-school wave with new Windows 10, Office 365 Education apps, services
Microsoft is previewing today, April 14, what's coming on the Windows 10 Anniversary Update, Office 365 and Minecraft fronts for educators and students as its way of kicking off its back-to-school 2016/2017 wave.
   The company also is adding a new "Set Up School PCs" app to help teachers set up a "Shared Cart of Devices" for classrooms which make use of shared devices.  For schools with dedicated IT support, the updated Windows Imaging and Configuration Designer tool will aid with setting up shared devices in bulk.  And a new "Take a Test" app will create a browser-based, locked-down environment for quickly taking standardized tests.  The "Set Up School PCs" and "Take a Test" apps will be preloaded with the Windows 10 Education Edition.


I know students with a dozen of these.
Get A Raspberry Pi 2 Starter Kit for 85% Off
Today, we have 85% off a giant Raspberry Pi 2 starter kit that comes with the device itself, the cables and cards you need to make it all work, and courses that will teach you how to use the Pi to its fullest.  It would normally sell for over $800, but you can get it for just $115!  It’s a steal at this price.

Thursday, April 14, 2016

Did anyone at the State Department know they had been hacked?  Would they have mentioned this to Hillary as an “I told you so?”  (Does Senator Grassley know something that turns this into a ‘set-up’ that Hillary can’t afford to answer?) 
GOP Sen. Chuck Grassley Asks Hillary Whether 'Guccifer' Hacked Emails
Senate Judiciary Committee Chairman Senator Chuck Grassley has asked Hillary Clinton if she knew whether her emails were hacked by "Guccifer" — the noted Romanian who first revealed that the former secretary of state had used a private server.
In a letter Tuesday to Clinton's lawyer, David Kendall, the Iowa Republican referenced a "Meet the Press" interview she gave on Sunday in which she reiterated earlier positions that she was willing to answer "any questions that anybody might have" about the server.
"I hope this means you are reconsidering your refusal to answer the questions I asked you, through your attorney," Grassley said, referring to a January query on the issue.  "I also hope it means you will substantively respond to this letter as well."
   "Mr. Lazar’s public release of hacked emails between Sidney Blumenthal and you was the first public revelation of your @clintonemail.com address," Grassley said in the letter.
   "It is unclear from court documents and press reports whether Mr. Lazar ever attempted to hack your @clintonemail.com account or if he only had indirect access to your email via Mr. Blumenthal’s account.
"In an interview, Mr. Lazar purportedly claimed he 'had memos Hillary Clinton got as a State Secretary, with CIA briefings [that] were being read by her [and] two other people from the U.S. Government.


An interesting dichotomy.
Martha Neil reports:
A 2012 federal lawsuit over Facebook tracking of users filed by attorney Paul Kiesel was dismissed last year, with leave to refile.
U.S. District Judge Edward Davila said the plaintiffs in the San Jose, California, case didn’t make clear how they suffered “a realistic economic harm or loss” due to continued tracking by advertising cookies after they logged out of their Facebook accounts, as Bloomberg reported at the time.
But Kiesel is trying again.  In another federal court complaint filed in San Jose last month, he accuses Facebook and a number of medical groups of violating the Health Insurance Portability and Accountability Act by disclosing medical information about Facebook users without their express consent, reports the International Business Times.
The problem, according to the suit, is cookies that track web searches made by Facebook users on cancer organization sites.  Although the user’s name may not be provided to third parties along with the subject of their searches, HIPAA prohibits gathering or sharing medical information without express consent from the individual, explains the Richmond Journal of Law & Technology.
“Facebook is capturing users’ searches for medical information from medical websites without users ever knowing this sensitive data is being shared with Facebook, for marketing and other purposes,” Kiesel told the IBT.
The suit also accuses Facebook of violating the privacy laws of multiple states and federal wiretap law by collecting data without appropriate authorization.  It says Facebook creates marketing profiles for its 225 million users that enable companies to target them with advertising for conditions including pregnancy, diabetes, addiction and HIV/AIDS, reports Courthouse News.
Read more on ABA Journal.  As I commented on Twitter tonight, Facebook is not a HIPAA-covered entity, therefore if the complaint alleges they violated HIPAA, that should get tossed (in the world according to Dissent).  The hospitals, on the other hand, may find themselves in a difficult situation.  Even if they didn’t know that their sites were transmitting data to Facebook, they are responsible for protecting information.
Under HIPAA, the sites may be responsible for protecting patients’ protected health information (PHI).  There are 18 elements of PHI that can personally identify a patient, including IP address and URL.  So if site visitors’ IP addresses and the URLs they visit are transmitted to Facebook without the individuals’ express consent, the plaintiffs may have some actual grounds to claim a HIPAA violation.
Yes, I realize that site visitors are not necessarily patients, and that the site’s web site privacy policy should control and not HIPAA, but as has been pointed out in other situations, if you’re a HIPAA-covered entity in one situation, you’re a HIPAA-covered entity, so maybe HIPAA protections also apply to those who are just web site visitors.
This will be an interesting case to watch.


For discussion with my Computer Security students.
Cyber Security Oversight: Why it Belongs in the Board Room
   boards have started changing their view of cyber security as being a core function of IT management, and are now demanding that C-suites treat cyber threats as an enterprise risk that should be addressed from a strategic, company-wide, and economic perspective.  They are now taking a very active interest in cyber security, and want to be kept informed of current and evolving risks, as well as the organization’s security preparedness and response plans.  As a matter of fact, according to a recent study by accounting firm EisnerAmper (EA), directors of boards are most worried about cyber security risk (70 percent), reputational risk (66 percent), regulatory compliance risk (64 percent), and senior management succession planning (51 percent).
   Operating in this new environment is not easy.  A recent study by the National Association of Corporate Directors (NACD) revealed that over 90% of respondents believe their board’s understanding of cyber security risks still needs to improve.  In this context, the U.S. Senate recently proposed a cyber security disclosure bill that would require public companies to describe what cyber security expertise their boards have, and, if they don't have any, what steps the companies are taking to add this type of expertise to their boards.


Eventually, we will have a decision. 
Kim Janssen reports:
A lawsuit brought by an Illinois man who accused photo-sharing website Shutterfly of violating his privacy by using facial recognition software to identify his face has been settled for an undisclosed amount.
The case, which was given the go-ahead to proceed in January by a federal judge in Chicago, was being closely watched because if it had gone to trial it could have had implications for Facebook and other companies that use facial recognition software.
[…] A similar case brought by another Illinois resident, Carlo Licata, remains pending against Facebook in federal court in California.
Read more on Chicago Tribune.


Can we call this digital-illiteracy, or is there a more scientific term?  
California phone decryption bill defeated
A national debate over smartphone encryption arrived in Sacramento on Tuesday as legislators defeated a bill penalizing companies that don’t work with courts to break into phones, siding with technology industry representatives who called the bill a dangerous affront to privacy.
The bill did not receive a vote, with members of the Assembly Committee on Privacy and Consumer Protection worrying the measure would undermine data security and impose a logistically untenable requirement on California companies.


Not sure what to make of this yet.  Could be a safe way for the White House to disagree with the DoJ.
White House Announces Commission on Enhancing National Cybersecurity
The new Commission on Enhancing National Cybersecurity will be expected to recommend “bold, actionable steps” that the U.S. government and private sector can take to strengthen cybersecurity.
   The first public meeting will be held on Thursday at the U.S. Department of Commerce, where commission members will be joined by Secretary of Commerce Penny Pritzker, Assistant to the President for Homeland Security and Counterterrorism Lisa Monaco, and others.


Free Internet.  Apparently there is a race to be the first to offer it.
Facebook to Facilitate Global Internet Connectivity with Terragraph
   Facebook Engineering Vice President Jay Parikh described the new project as a wireless network, which is aimed at replacing Google Fiber in the remote areas.  The social-networking giant said that it is currently testing the new system at its Menlo Park headquarters.  Also, the company announced that it has plans to test the service in downtown San Jose by the end of 2016.
   Millimeter waves travel at a much faster speed than Wi-Fi signals, and they also offer 10 times faster Internet speed.  The company claims that the new technology offers Internet speed up to 2.1 Gbps.  In addition, millimeter waves are non-permeable.  Therefore, the social network giant plans to install its new wireless system on the streets, as at present it offers outdoor Internet connection only.


Is this true or Union dis-information?  (Would they fix copper after users switch and don’t use it anymore?) 
Verizon won’t fix copper lines when customers refuse switch to fiber
Verizon has reportedly switched 1.1 million customers from copper to fiber lines over the past few years under a program it calls "Fiber Is the Only Fix."  But some phone customers have refused the switch to fiber because they prefer to keep their copper lines—even though Verizon apparently is refusing to fix problems in the copper infrastructure.
The Philadelphia Inquirer reports that it obtained internal company documents that describe the effort to switch problematic copper lines to fiber.  Verizon customers with copper-based landline phones who call for repairs twice in 18 months "will be told that their 'only fix' is to replace decades-old copper line with high-speed fiber as Verizon won't fix the copper," the report said.


Interesting video
Snapchat augments reality with 3D Stickers
Today Snapchat revealed its new 3D stickers that can be pinned to objects in a video and stick with them no matter how they or your camera move.  Add an emoji face to your pet as it walks around, or give the moon sunglasses that grow with it as you zoom in.


Free eBook!  Offer ends Tomorrow!
Windows 10 at Work for Dummies (regular price $17.99, free for limited time)
Download: Windows 10 at Work for Dummies.  Offer ends April 15.


Anything to get rid of my students.
Quick Tips You Can Use to Make a Better CV
   how can you make your CV stand out?  Just follow the 7 tips outlined on the infographic below, and you’ll be good to go!

(Related) 
15 Free Creative Resume Templates for Photoshop and Illustrator
   To start using Adobe Photoshop, you can download a 30-day free trial — plenty of time to prepare your resume.   To continue using the app, it will cost from $10 per month.
   The content of your resume also has to stand out. That means gaining extra qualifications, working on interesting projects, and mastering your industry.


So that’s what my students are doing…

Wednesday, April 13, 2016

Reading for my Computer Security students. 
Symantec Speaks on Latest Threat Trends
   According to the report (PDF), the number of exposed identities jumped 23% to 429 million.  "But this number hides a bigger story. In 2015, more and more companies chose not to reveal the full extent of the breaches they experienced."


Another court explains “search in the digital era.”
Maryland Court ends Baltimore police use of cellphone tracking devices
by Sabrina I. Pacifici on
Via TechDirt: “The Baltimore Police Department’s warrantless deployment of Stingray devices has come to an end.  It may have gotten away with more than 4,300 times so far, but the Maryland Special Appeals Court has declared these devices operate as searches under the Fourth Amendment.   The 74-page opinion — which belatedly follows its two-page order from nearly a month ago, indicating which side it had taken in this dispute — dives into every issue implicated by the warrantless use of Stingray devices and examines them alongside a long list of Fourth Amendment-related Supreme Court decisions and the Fourth Circuit Appeals Court’s precedent-setting US v. Graham opinion on cell site location info…” [Darlene Fichter]


Because of their app, Uber may have much more information about you than an “old fashioned” taxi company. 
What Private Information Did Uber Give the Government?
Between July and December 2015, Uber provided information on more than 11.6 million users and nearly 600,000 drivers to state and local regulatory agencies, the ride-sharing mobile app said Tuesday.
In its first-ever transparency report, the transportation company said it is required by law to provide certain information to government agencies, and has been asked to hand over information on trip requests, pickup and drop-off locations, and fees.  Uber says it was able to negotiate “a narrower scope,” limiting the amount of information provided compared with what regulatory agencies requested, for more than 42 percent of requests.


Finding the next “Unabomber?”
USPS leveraging social media to target employee misconduct
by Sabrina I. Pacifici on
Via NextGov: “Paid consultants are scheduled to teach agents “Internet reconnaissance” during a three-day June workshop at the office’s Arlington, Virginia, headquarters, according to a November 2015 contracting notice.  The training will include methods “to identify the target individual/organization’s social media and Internet footprint,” the notice states, referring to government employees, contractors and other companies.  “Developing the methods necessary to attack those targets successfully” via social media and other public Internet pathways will be one lesson.  A government or contract employee’s online footprint could include, among other things, dating websites, user name searches, phone searches, website downloads, people searches, and public records, according to the contract synopsis.  Specific websites mentioned are Facebook, YouTube, Pinterest, Google Image Recognition, CraigsList and Google Advanced Search.  The online surveillance performed must be covert “with no attribution back” to Postal Service agents, according to the contract…”


Eventually the FBI will leak everything about this hack.  Meanwhile, would Apple buy details of the security flaw they used?
FBI paid professional hackers one-time fee to crack San Bernardino iPhone
The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter.
   The bureau in this case did not need the services of the Israeli firm Cellebrite, as some earlier reports had suggested, people familiar with the matter said.
   At least one of the people who helped the FBI in the San Bernardino case falls into a third category, often considered ethically murky: researchers who sell flaws — for instance, to governments or to companies that make surveillance tools.
This last group, dubbed “gray hats,” can be controversial.  Critics say they might be helping governments spy on their own citizens.  Their tools, however, might also be used to track terrorists or hack an adversary spying on the United States.  These researchers do not disclose the flaws to the companies responsible for the software, as the exploits’ value depends on the software remaining vulnerable.


Someone really, really needs to explain technology to this guy.  Learning security by watching TV News?  Is that the best the FBI can do?  (By the way, did you also disable the microphone on your laptop?) 
The Director of the FBI Puts a Piece of Tape Over his Laptop Webcam. Should You?
FBI Director James Comey said this week, while speaking about privacy issues at Kenyon College, that he places a piece of tape over his laptop webcam to mitigate the danger of secret surveillance.
“I saw something in the news, so I copied it, I put a piece of tape over the camera,” Comey explained, “because I saw somebody smarter than I am had a piece of tape over their camera.”


Passwords are passé.  And they are far from adequately secure!
DoD tests public key infrastructure for DTIC secure website access
by Sabrina I. Pacifici on
SecureIDNews:  “The federal government’s use of user IDs and passwords for access to its applications could soon give way to more secure PKI-based credentials if more government entities follow the lead of the U.S. Department of Defense.  The Defense Department is leveraging PKI to better protect its information systems, with the intent of making access much more secure than the old login system.  The DOD’s Defense Technical Information Center (DTIC) – a DOD entity that serves the information needs of the defense community and maintains a large database of research information – announced that it would no longer enable users to access its secure websites by a user ID and password…”
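To make concrete what “no longer enable users to access its secure websites by a user ID and password” means on the server side, here is an added example (my own, not DoD, DTIC or SecureIDNews code) in Go. It stands up a throwaway certificate authority in memory, issues a server certificate and a user certificate, and then attempts three logins against a TLS server configured to require a CA-issued client certificate. The CA names, the host name portal.example and the user jane.doe are constructed for the example; in a real deployment the user’s private key lives on a CAC/PIV smart card rather than in process memory, and the CA would be the agency’s PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // demo shortcut; real code propagates the error
	}
}

// Issue mints a P-256 key and certificate (Leaf populated). issuer == nil gives a
// self-signed CA; otherwise a leaf signed by issuer: a server certificate (dns
// set, ServerAuth) or a user credential (ClientAuth), what a CAC/PIV card holds.
func Issue(issuer *tls.Certificate, cn string, dns []string, eku x509.ExtKeyUsage) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for an in-memory CA
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	if issuer == nil { // self-signed CA: may sign, carries no EKU restriction
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.ExtKeyUsage = true, true, nil
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		issuer = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.Leaf, &key.PublicKey, issuer.PrivateKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Authenticate runs one mutual-TLS login over loopback. With RequireAndVerifyClientCert
// there is no password to type, phish or reuse: the client must prove it holds a key
// certified by ca (an empty client slice models a user with nothing to present).
func Authenticate(ca, server *tls.Certificate, client []tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	cn, errc := "", make(chan error, 1)
	go func() { // server side: ClientAuth is the setting that retires the user ID/password
		raw, err := ln.Accept()
		check(err)
		defer raw.Close()
		srv := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{*server}, ClientCAs: pool,
			ClientAuth: tls.RequireAndVerifyClientCert})
		if err = srv.Handshake(); err == nil {
			cn = srv.ConnectionState().PeerCertificates[0].Subject.CommonName
			srv.Write([]byte("ok")) // application data flows only once the client is verified
		}
		errc <- err
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: server.Leaf.DNSNames[0], Certificates: client}
	if cli, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
		cli.Read(make([]byte, 2)) // "ok", or the server's rejection alert
		cli.Close()
	}
	err = <-errc // the server's verdict, not the client's, decides the login
	return cn, err
}

// Demo: a CA-certified user, a client with nothing to present, and a same-named
// certificate from a CA the server does not trust. All names are constructed.
func Demo() (accepted string, rejectedNoCert, rejectedForeignCA bool) {
	agencyCA := Issue(nil, "Example Agency CA", nil, 0)
	rogueCA := Issue(nil, "Untrusted CA", nil, 0)
	server := Issue(agencyCA, "portal.example", []string{"portal.example"}, x509.ExtKeyUsageServerAuth)
	user := Issue(agencyCA, "jane.doe", nil, x509.ExtKeyUsageClientAuth)
	impostor := Issue(rogueCA, "jane.doe", nil, x509.ExtKeyUsageClientAuth)
	accepted, err := Authenticate(agencyCA, server, []tls.Certificate{*user})
	check(err)
	_, err = Authenticate(agencyCA, server, nil)
	rejectedNoCert = err != nil
	_, err = Authenticate(agencyCA, server, []tls.Certificate{*impostor})
	rejectedForeignCA = err != nil
	return
}

func main() {
	accepted, noCert, foreign := Demo()
	fmt.Printf("accepted=%q rejectedNoCert=%v rejectedForeignCA=%v\n", accepted, noCert, foreign)
}
```

Two things worth noticing when running it. The login that carries no certificate fails at the handshake, before any application data is exchanged, which is exactly the property a password form cannot offer. And the impostor certificate is rejected even though it names the same user and is perfectly well-formed, because trust is anchored in the server’s `ClientCAs` pool, not in the certificate itself; a PKI rollout is only as strong as the control over who can get a certificate issued by that CA.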

(Related) “Two factor” is also less than perfect.
Two-Factor Authentication Bypassed in Simple Attacks
   In their paper called “How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication,” researchers Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos demonstrate practical attacks against both Android and iOS devices, showing how a Man-in-the-Browser attack can be elevated to bypass 2FA.


A tool to make Facebook’s job easier?  At least it provides the content owner a sense that they can do something. 
Facebook Launches Tool to Combat Video ‘Freebooting’
Amid complaints from video creators that their content is being stolen and re-uploaded across Facebook, the company on Tuesday announced the release of a new rights management tool for video producers and companies that aims to combat the “freebooting” piracy issue.
In a blog post, Facebook said that the tool, called Rights Manager, will allow video creators to “easily upload and maintain a reference library of the video content they want to monitor and protect.”  Creators can set rules that either permit or report copies of their work based on criteria like how much of the video has been clipped or how many views it has garnered.
   Video creators, many of whom make their living on Google’s YouTube through advertising, had griped for months that pirated clips were running wild across Facebook as the social network pushed more into expanding its video business.


Perspective.
The chatbots are coming — and they want to help you buy stuff
The battle for your online shopping dollars has largely been waged on websites and, more recently, smartphone apps.  Now, retailers are looking to another digital tool to win your money and your loyalty: An army of chatbots.
Chatbots — the name for robots that simulate human conversation — have been thrust into the spotlight in recent weeks amid a flurry of new experiments in how they might be used to shape the future of shopping. Retail heavyweights Sephora and H&M recently launched bots on messaging app Kik that help shoppers browse and buy their products.  Taco Bell showed off its TacoBot, a way to use the messaging app Slack to place a meal order.  And on Tuesday, Facebook announced it has created a platform that allows companies to develop bots that run within its Messenger app, which has some 900 million users worldwide.
   Evangelists of the technology say that bots are poised to be at the center of a crucial paradigm shift in how we think about using the Internet.  While a Web browser might once have been our front door to the Internet and apps often play that role today, experts say that bots could soon become our primary digital gateway.  At a conference last month, Microsoft chief executive Satya Nadella said, “Bots are the new apps.”

Tuesday, April 12, 2016

If they can do it, what can opposition militaries do? 
Hacktivists Leak 43GB of Data From Syrian Government
A hacktivist group calling itself the Cyber Justice Group announced on Twitter that it has dumped 10GB of data from the Syrian government.  The hackers left a message on Pastebin and dumped the data to file sharing site Mega.  The data is compressed, and expands to a full 43GB.
The motivation for the dump is political, with the Cyber Justice Group positioning itself as anti-Assad and anti-ISIS.


For my Computer Security students.
3 Steps to Thriving in One of Cybersecurity's 1 Million Open Positions
Step One: Research the Reasons for the Role
Typically, a new security opening in a company means that something happened.  By the time a real job is posted or a recruiter is engaged, there has been some catalyzing event.
Step Two: Develop a comprehensible approach
The companies who have the most interesting jobs with the broadest scope will likely not know very much about the details of security.
Step Three: Start with a call and targeted questions
When you speak with the recruiter or HR executive, ask to follow up with someone who works there.  This gives you the chance to refine your approach and test your assumptions.
This process is great for finding a new gig, but it can also help you reassess the way you are doing the job you have right now.  It’s important to better understand your peers and leaders, be sensitive to the business concerns of others in your industry, and flesh out how you think organizations can improve.

(Related)
Recruitment Challenges Continue to Plague Cyber Security
   Consider the ISACA/RSA Conference report titled State of Cybersecurity 2016.  In it, 461 cybersecurity managers and practitioners were asked, among many other questions: "What are the most significant skills gaps you or your organization sees among today’s cybersecurity/information security professionals?"
Knowing that there is a skills gap, one might expect 'security technical skills' to be the most popular response.  It was not.  The primary skills gap lies in the ability of candidates to understand the business (75%).  A lack of technical skills scored only 61%; equal, in fact, to another non-technical issue – poor communication.


Worth reading. 
Will New York City’s Free Wi-Fi Help Police Watch You?
Internet access is getting faster and cheaper by the year.  Four out of five households in developed countries now have home Internet connections.  But a home connection is still out of reach of many in the United States.  People in major American cities pay more for basic broadband speeds than city-dwellers abroad.  Fewer than half of Americans who make less than $20,000 a year have broadband access at home, and the number-one reason that Americans give for not having broadband at home is that it’s too expensive.
   The kiosks are being built by a consortium that includes Qualcomm and an Alphabet-funded company called Intersection.  The system’s kiosks actually broadcast two Wi-Fi networks: an open network that’s just a fast, citywide version of the Internet connection at your local Starbucks, and a “private” network that encrypts all the traffic between devices and the Link kiosk.  Both networks require users to input an email address to connect, but for now, only new Apple devices can access the private network.


For my next Data management class.
Linking Business Intelligence to a Knowledge-Based Sustainable Competitive Advantage in Organizations
by Sabrina I. Pacifici on
Muganda, Nixon and Mokwena, Thato, Linking Business Intelligence to a Knowledge-Based Sustainable Competitive Advantage in Organizations (April 10, 2016).  Available for download at SSRN: http://ssrn.com/abstract=2762025
“This paper looks at the use of sentiment analysis and opinion mining in business intelligence by organisations to develop and sustain a competitive advantage.  It discusses variables such as organisation structure, business intelligence, knowledge management, and opinion mining as some sources of competitive advantage.  There is literature available by other researchers that agrees that each of the above variables is a source of, and does indeed provide, competitive advantage.  Some of this literature is reviewed below.”

(Related)
FTC Announces Significant Enhancements to IdentityTheft.gov
by Sabrina I. Pacifici on
“For the first time, identity theft victims can now go online and get a free, personalized identity theft recovery plan as a result of significant enhancements to the Federal Trade Commission’s IdentityTheft.gov website.  The new one-stop website is integrated with the FTC’s consumer complaint system, allowing consumers who are victims of identity theft to rapidly file a complaint with the FTC and then get a personalized guide to recovery that helps streamline many of the steps involved.
[Image: IdentityTheft.gov homepage]  The upgraded site, which is mobile and tablet accessible, offers an array of easy-to-use tools that enable identity theft victims to create the documents they need to alert police, the main credit bureaus and the IRS, among others.”

(Related)
Links to Federal Statistics
by Sabrina I. Pacifici on
“A trusted source for federal statistical information since 1997.  FedStats supports a community of practice for over 100 agencies engaged in the production and dissemination of official federal statistics, and provides the public with a showcase of information, tools and news related to official federal statistics.”

(Related) Brief, but worth reading and following up on.
Rethinking the Value of Customers in a Digital Economy
Customers, customer-centric marketers declare, are king.  Businesses consequently ignore customer behaviors at their own risk.  But the power and potential of network effects suggests that seeing customers as royalty may prove a poor idea and an even worse investment.
   The ‘Triple-S’ research framework asks executives to deconstruct network effects into three interrelated components: segmentation, socialization, and skill-ification.
·  Skill-ification is about creating new capabilities in users and user communities.  Sharing and editing imagery, for example, represents a capability that goes beyond sharing and editing text.  Skill-ification means enhancing human capital.


For all my students.  (and me)
5 Clever Writing Tools to Proofread Important Documents
Being good at writing isn’t the job most people sign up for, but it comes with the territory as you climb up the ladder.  Eventually, you’ll need to send important emails or submit official documents, and you need to make a good impression in those.  A spelling error or a badly written sentence can ruin all the professionalism and effort you put into it.
The good news is that you don’t need to be an excellent writer, since there are enough tools to help you out.  Extensions like Grammarly Lite help ensure your grammar is in shape, and a little searching on the web will lead you to many other such wonderful free sites.
Cool Websites and Apps presents five of the very best.
[For my International students: Writefull (Windows, Mac): Analyze Text Against Google’s Language Database]


Build a website.
Three Good Places to Learn HTML & CSS Skills
Visual editors in blog and website platforms like Blogger, WordPress, and Weebly make it easy for anyone to create a webpage in relatively little time.  The appeal of those tools is that you don't have to learn code in order to make a blog or website.  The downside to relying on visual editing tools is that if you don't understand the code it can be hard to make corrections when something does go wrong.  Not knowing HTML and CSS also limits you in terms of design formatting.
Over the years I've taught myself the basics of HTML and CSS through online tutorials.  A quick Google search will lead you to plenty of online tutorials that you can use to teach yourself or your students some useful HTML and CSS skills.  The following are the resources that I frequently recommend.
A Beginner's Guide to HTML & CSS is a nice resource developed by Shay Howe whose resume reveals that he works on the user interface for Groupon among other projects.  Shay currently offers twelve text-based lessons for beginners.  Once you've mastered the beginner lessons you can try your hand at the ten advanced lessons offered on the site.
Thimble is a free Mozilla product designed to help users learn how to write HTML and CSS.  Thimble features a split screen on which you can write code and see how it works at the same time.  On the left side of the screen you write your code and on the right side of the screen you instantly see what that code renders.  If you write the code correctly, you will know right away.  Likewise, if you don't write the code correctly, you will know right away.  Some of the sample projects you can work with include webpages, games, and avatars.
w3Schools has long been my go-to place for quick directions when working in HTML.  If I get stuck while working on a project, a quick visit to w3Schools usually reveals the help I need to get past a stumbling block.  If you're completely new to writing HTML start with the introductory sections of w3Schools to learn the basics.