Garbage in, garbage out: Why Ars ignored this week’s massive password breach
Earlier this week, mass panic ensued when a security firm reported the recovery of a whopping 272 million account credentials belonging to users of Gmail, Microsoft, Yahoo, and a variety of overseas services. "Big data breaches found at major email services" warned Reuters, the news service that broke the news. Within hours, other news services were running stories based on the report with headlines like "Tech experts: Change your email password now."
Since then, both Google and a Russia-based e-mail service unveiled analyses that call into question the validity of the security firm's entire report.
"More than 98% of the Google account credentials in this research turned out to be bogus," a Google representative wrote in an e-mail. "As we always do in this type of situation, we increased the level of login protection for users that may have been affected." According to the report, the compromised credential list included logins to almost 23 million Gmail accounts.
Related: Here's how I verify data breaches
A continuous process.
Nothing new there. Perhaps if we combine IBM’s Watson with their Quantum Computer…
Mohit Kumar writes:
Defense Advanced Research Projects Agency (DARPA) is offering funding for security researchers who can help the agency to develop algorithms that can identify hackers under its new game-changing initiative called ‘Enhanced Attribution Program’.
Although organizations and countries give their best to identify cyber campaigns that infiltrated their critical infrastructure, tracking down the culprits has always been a difficult task — thanks to TOR, Virtual Private Networks (VPNs), and other methods used to hide the attack source.
However, through this new initiative, the United States military research agency DARPA hopes that agencies would quickly track and identify sophisticated hackers or criminal groups by monitoring their exact behavior and physical biometrics.
The aim of the Enhanced Attribution program is to track personas continuously and create “algorithms for developing predictive behavioral profiles.”
“The goal of the Enhanced Attribution (EA) program is to develop technologies for generating operationally and tactically relevant information about multiple concurrent independent malicious cyber campaigns, each involving several operators; and the means to share such information with any of a number of interested parties without putting at risk the sources and methods used for collection,” reads the project’s official site.
In other words, the Enhanced Attribution Program will not only help the government characterize the cyber criminal but also share the criminal’s modus operandi with potential victims and predict the attacker’s next target.
Read more on The Hacker News.
Wait… “without putting at risk the sources and methods used for collection?” That sounds to me like a response to recent court cases where the government has dismissed cases rather than reveal their surveillance methods.
Does Congress know about this? Do computers have a “Right to Privacy?” Perhaps a “Right to be left alone?”
Lindsay Tonsager writes:
In a blog post published on the Federal Trade Commission (FTC) website, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, recently stated that:
“we regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.”
The post (which reiterates Ms. Rich’s remarks at the Network Advertising Initiative’s April meeting) suggests a shift in the FTC’s treatment of IP addresses and other numbers that identify a browser or device. The FTC previously has taken the position that browser and device identifiers are deserving of privacy protections, but the FTC generally has avoided classifying these identifiers as equivalent to personally identifiable information (such as name, email, and address) except in the narrow context of children’s privacy.
Read more on Covington & Burling Inside Privacy.
I don’t post much from Kellogg. I’m not sure why that is.
Is Reading Someone’s Emails Like Entering Their Home?
… In the late nineteenth century, when considering laws about intercepting confidential messages, Congress debated whether the telegraph was comparable to the postal service. Protecting the privacy of a telegram, after all, only made sense if everyone agreed that telegrams were analogous to personal letters—a view that, though it never became an official act of Congress, was eventually supported by state laws.
But the rise of electronic communications has made this analogical reasoning even more of a headache. By 1995, courts were debating whether encryption software belonged on a list of regulated munitions (alongside bombs and flamethrowers) or whether encryption was in fact a “language act” protected by the first amendment.
Wouldn’t this fall under the same exemption as your fingerprints? It’s pretty hard NOT to see your face; does a photograph make that much of a difference?
Defeat for Facebook in Court Is Bad News for Firms That Scan Faces
Who owns your face?
A California judge on Thursday ruled against Facebook in a lawsuit that says the company violated user privacy by scanning their faces without permission and inviting others to “tag” them in photographs.
The case is significant because it’s one of the first to test the boundaries of how companies use facial recognition software, a rapidly-advancing technology that treats faces as the modern-day equivalent of a fingerprint. (At Facebook, the company has internally referred to the tool as a “faceprint.”)
… In the ruling, which you can read here, U.S. District Judge James Donato agreed that Facebook’s scanning and tagging feature qualified as a use of biometric identifier covered by the statute. On a key procedural issue, he refused Facebook’s request to decide the case under California law, where companies don’t face restrictions on the use of biometrics.
Statistically backed assertions.
… How large is this secret ECPA docket? Extrapolating from a Federal Judicial Center study of 2006 federal case filings, I have estimated that more than 30,000 secret ECPA orders were issued that year alone. Given recent DOJ disclosures, the current annual volume is probably twice that number. And those figures do not include surveillance orders obtained by state and local authorities, who handle more than 15 times the number of felony investigations that the feds do. Based on that ratio, the annual rate of secret surveillance orders by federal and state courts combined could easily exceed half a million. Admittedly this is a guess; no one truly knows, least of all our lawmakers in Congress. That is precisely the problem.
Some interesting (or at least amusing) speculation.
Panama Papers Source Offers to Aid Inquiries if Exempt From Punishment
The anonymous source behind the huge leak of documents known as the Panama Papers has offered to aid law enforcement officials in prosecutions related to offshore money laundering and tax evasion, but only if assured of protection from punishment.
“Legitimate whistle-blowers who expose unquestionable wrongdoing, whether insiders or outsiders, deserve immunity from government retribution,” the source, who has still not revealed a name or nationality, said in a statement issued Thursday night.
This should amuse my researching students.
OSoMe: The IUNI observatory on social media
by Sabrina I. Pacifici on May 6, 2016
OSoMe: The IUNI observatory on social media. PeerJ Preprints 4:e2008v1 https://doi.org/10.7287/peerj.preprints.2008v1
“The study of social phenomena is becoming increasingly reliant on big data from online social networks. Broad access to social media data, however, requires software development skills that not all researchers possess. Here we present the IUNI Observatory on Social Media, an open analytics platform designed to facilitate computational social science. The system leverages a historical, ongoing collection of over 70 billion public messages from Twitter. We illustrate a number of interactive open-source tools to retrieve, visualize, and analyze derived data from this collection. The Observatory, now available at osome.iuni.iu.edu, is the result of a large, six-year collaborative effort coordinated by the Indiana University Network Science Institute.”
Wisdom from my favorite statistical website. (I think #4 will become critical)
The Four Things I Learned From The Donald Trump Primary
1. Don’t rule out the ahistorical when there’s little history.
2. Take a nuanced view of the polls.
3. Maybe favorability ratings aren’t as hard to change as we thought.
4. Don’t assume the party knows what it’s doing.
Let’s give some credit to Trump himself! No, I don’t think that Trump is a strategic and tactical mastermind who planned every move he made, or even that every move was successful. On the whole, though, more of what he did worked than didn’t work. Trump generated a ton of free media coverage; that helped him. He was willing to challenge Republican orthodoxy; that, at the very least, didn’t hurt him. I don’t know whether he’s built a new political coalition or the Trump phenomenon is sui generis, but whatever the guy did, it worked.
Local. Fluffy. Looks like it was written by DU’s Marketing team. http://www.csoonline.com/article/3065841/leadership-management/universities-developing-cybersecurity-degrees-to-fill-jobs-gap.html?google_editors_picks=true
Universities developing cybersecurity degrees to fill jobs gap
If they want to continue to protect our nation’s most valuable data from cyber-attacks, leading security practitioners need to look to the future of the security industry and develop ways to grow the talent needed to fill the looming jobs gap.
My Saturday sillies.
Hack Education Weekly News
… The Justice Department has warned North Carolina that its new anti-trans bathroom law violates the Civil Rights Act. According to the AP, “North Carolina’s prized public universities could be the biggest losers as state leaders defend a new law limiting the rights of LGBT people. The 17-university system, which includes the University of North Carolina at Chapel Hill and North Carolina State University as well as several historically black colleges, risks losing more than $1.4 billion in federal funds if the Republicans who run the Legislature don’t reverse the law. The U.S. Justice Department wants an answer by the end of business on Monday.” The new head of the UNC system, “Margaret Spellings Is Caught Between Her State and the Federal Government. Now What?” asks The Chronicle of Higher Education.
… Via Inside Higher Ed: “The Federal Trade Commission announced Thursday that the operators of Gigats.com agreed to settle deception charges. Gigats.com is an education lead-generation company based in Orlando, Fla., that claims to prescreen job applicants for employers. However, the company was instead gathering information for for-profit colleges and career training programs, according to the FTC.”
For my Computer Security and Ethical Hacking students.
Pay What You Want for the Ethical Hacker and Pentester Pro Learning Bundle
… Anyone can start learning them with the Ethical Hacker and Pentester Pro Bundle at MakeUseOf Deals. It combines nine high-quality video courses, and you can pay what you want for the tuition. Read on to find out more.
… All of these courses come with lifetime access, and you can stream the lessons on desktop and mobile devices. Best of all, you can claim a certificate of completion to put on your CV when you master each subject.
… You can name your price on the last two courses in this deal, but to unlock the full bundle, you simply need to beat the average price paid. These nine courses are normally worth $1,431 put together, so grab the bundle now to enjoy a huge markdown!