Saturday, May 14, 2016

A most interesting question.  It may be a country sponsoring or executing these attacks, or it may be a criminal organization.  Would that make a difference?  Why would SWIFT be special? 
Are Attacks Against SWIFT Acts of Cyberwar?
   In a report posted today, BAE Systems warns of the difficulty in making positive attribution to cyber attacks.  Nevertheless, it gives enough clues for any reader to point the finger ultimately at North Korea.  For example, BAE Systems first suggests a very strong likelihood that the same group is behind both the Bangladeshi and Vietnam breaches using malware based on msoutc.exe.  This it then links to 'a larger toolkit described in US-CERT Alert TA14-353A.'

(Related) Is this more or less critical than a bank?
German Spy Service Says Russia Behind Major Cyber Attacks
Germany's domestic secret service said Friday it had evidence that Russia was behind a series of cyber attacks, including one that targeted the German parliament last year.
The operations cited by the BfV intelligence agency ranged from an aggressive attack called Sofacy or APT 28 that hit NATO members and knocked French TV station TV5Monde off air, to a hacking campaign called Sandstorm that brought down part of Ukraine's power grid last year.  


This could get strange.  I don’t have to give them my password or tell them which of the hundreds of social media tools I use.  How will they determine which are mine and which belong to students who create a post in my name? 
The government has released a first-ever social media policy for background investigations, which will scan what applicants have posted on Facebook, Twitter and other sites to determine their trustworthiness.  Read the full story on the Washington Post, and see the policy document.


Why would they need to do this?  Does it make them feel more James Bond-like? 
Philly Police Admit They Disguised a Spy Truck as a Google Streetview Car
The Philadelphia Police Department admitted today that a mysterious unmarked license plate surveillance truck disguised as a Google Maps vehicle, which Motherboard first reported on this morning, is its own.
In an emailed statement, a department spokesperson confirmed:
“We have been informed that this unmarked vehicle belongs to the police department; however, the placing of any particular decal on the vehicle was not approved through any chain of command.  With that being said, once this was brought to our attention, it was ordered that the decals be removed immediately.”
   “For one, I would think it's highly illegal to have Google's markings on there, but that's another issue entirely,” Worf said.  “But it boils down to the fact that most people at first glance wouldn't recognize an ALPR system if they saw it, and for those that do, they likely wouldn't know what Google would be doing with one.
“Frankly, what I don't get is why they felt a need to hide something like this. It certainly makes one question the motive for doing so," he added.
“It’s certainly concerning if the city of Philadelphia is running mass surveillance and going out of its way to mislead people,” said Dave Maass, a former journalist and researcher at the nonprofit advocacy group Electronic Frontier Foundation.


Will this give them a significant ‘competitive advantage?’
Large law firm licenses IBM Watson technology
by Sabrina I. Pacifici on
[Note – no affiliation whatsoever – just an interesting announcement] – “ROSS Intelligence is proud to announce that AmLaw100 law firm BakerHostetler has agreed to retain use of ROSS Intelligence’s artificial intelligence legal research product.  ROSS Intelligence Co-Founder Andrew Arruda officially announced the partnership at Vanderbilt Law School’s “Watson, Esq.” conference in Nashville, Tennessee in April.  BakerHostetler will license ROSS for use in its Bankruptcy, Restructuring and Creditors’ Rights team.  The ROSS platform is built upon Watson, IBM’s cognitive computer.  With the support of Watson’s cognitive computing and natural language processing capabilities, lawyers ask ROSS their research question in natural language, as they would a person, then ROSS reads through the law, gathers evidence, draws inferences and returns highly relevant, evidence-based candidate answers.  ROSS also monitors the law around the clock to notify users of new court decisions that can affect a case.  The program continually learns from the lawyers who use it to bring back better results each time…”


Obama will need to send in the Army.  Imagine all the government agencies that could be replaced by contractors doing their job better and cheaper!  Government would become a Libertarian dream. 
Phoenix airport mulling use of contractor instead of TSA
Phoenix’s busiest airport could cut ties with the TSA in the wake of a baggage-screening system breakdown that caused travelers a massive luggage delay, city officials said Friday.
Deborah Ostreicher, the city’s assistant aviation director, said Thursday’s chaos at Phoenix Sky Harbor International Airport was the latest in a growing list of frustrations with the Transportation Security Administration.
She also cited long wait times and a lack of a TSA PreCheck process.
   Calling the current level of service “unacceptable,” Ostreicher said officials are reviewing several options to improve things for travelers.
“One of those options is to utilize a contractor to provide security as some other airports have done,” Ostreicher said in a statement.
Phoenix is not alone.  The world’s busiest airport in Atlanta and the New York/New Jersey region’s airports are also scrutinizing their relationship with TSA.


This is actually for my Architecture class.  If they can’t build it secure, no one will trust it.
Privacy fears 'deterring' US web users from online shopping
Almost half of American households with at least one internet user have been "deterred" from online activity recently because of privacy or security concerns, a survey has said.
Their concerns had stopped them either using online banking or shopping or posting on social media, the survey by a Department of Commerce agency said.
The study asked 41,000 households about their activity in the past 12 months.
A US official said mistrust about privacy was causing "chilling effects".
The agency that carried out the study, the National Telecommunications and Information Administration (NTIA), called for encryption and security to be improved.
[You might find it here, I couldn’t: 


If I program this right, I can flunk all my students at the push of a button!
Amazon Rolls Out $20 Programmable Dash Button For IoT Tinkering, Promptly Sells Out
We’ve all seen Amazon’s Dash buttons; the little Wi-Fi connected devices that allow you to quickly reorder products without even having to visit Amazon’s website.
   The AWS IoT Button isn’t meant for restocking your pantry, bathroom or laundry room — instead, it’s destined to integrate into your digital life to automate tasks.
   If you’d like to learn more about AWS IoT Button, Amazon has a handy step-by-step tutorial that walks you through setting up the device and integrating it into your workflow.  But first of all, you’ll have to get your hands on one, which at this time is unfortunately a bit hard to do.  Amazon has already sold out of the $20 device after less than a day on the market.
Amazon likely didn’t realize what a hot commodity it had on its hands and is going to need to crank up the production numbers pronto to appease tech fiends that are quickly embracing the IoT movement.


Just in time for our 3D Printing class.  (Includes “Build Your Own Printer” links)
5 of the Coolest 3D Printed Arduino Projects


Another silly Saturday.
Hack Education Weekly News
   Trump’s presidential campaign co-chair describes The Donald’s higher education platform: “getting government out of student lending, requiring colleges to share in risk of loans, discouraging borrowing by liberal arts majors and moving OCR to Justice Department.”
   “Frustrated with how colleges have handled their claims of sexual abuse, more students are turning to social media to publicize their cases,” Inside Higher Ed reports.
   Famed tech startup accelerator program Y Combinator is launching HARC, the Human Advancement Research Community.  The mission is to copy the old Xerox PARC model and to “ensure human wisdom exceeds human power, by inventing and freely sharing ideas and technology that allow all humans to see further and understand more deeply.”
   “Dropbox’s new education tier has most of its business features for a third of the price,” says The Next Web.


Wally illustrates perfect (circular) logic.

Friday, May 13, 2016

One way to get hard currency.  No doubt North Korea will deny any involvement.  What would we do if we proved they did it? 
Bangladesh Bank heist similar to Sony hack; second bank hit by malware
Investigators probing the cyber heist of $81 million from the Bangladesh central bank connected it on Friday to the hack at Sony Corp's film studio in 2014, while global financial network SWIFT disclosed a previously unreported attack on a commercial bank.
SWIFT did not say which commercial bank it was or whether it had lost money, but cyber-security firm BAE Systems said a Vietnamese bank, which it did not name, had been a target.  It was not clear if they were referring to the same attack and there was no immediate comment from authorities in Hanoi.
   In Bangladesh, cyber-security experts hired by the central bank said in a report that hackers were still inside the bank's network, monitoring the investigation into one of the biggest cyber heists in the world.
   The report said investigators knew little about a third group of hackers found inside the network, referred to as Group Two, except that they were using mostly commodity, or off-the-shelf, hacking tools. [So any teenager with an adequate allowance could hack this bank.  Bob]

(Related) “It is better to look good than to feel good.”  Hernando (and politicians everywhere)
Congress hits FDIC cyber breach that ‘boggles the mind’
A series of cybersecurity incidents at the federal office safeguarding bank deposits has seriously shaken the confidence of House members who were dismayed by agency testimony Thursday.
Lawrence Gross, the Federal Deposit Insurance Corp.’s chief information and chief privacy officer, was called before the panel to explain the removal of sensitive electronic data by employees.  Members also accused the agency of obstructing a congressional investigation into the cyber-issues.
The House Science, Space and Technology oversight subcommittee also sought more information on a sophisticated cybertheft of FDIC data that subcommittee Chairman Barry Loudermilk (R-Ga.) said was likely done by the Chinese.
Since October, a series of violations by seven employees as they were leaving the agency, including five cases The Post reported earlier this week, resulted in the breach of personal information belonging to more than 160,000 individuals, according to Loudermilk.
“To date, FDIC has failed to notify any of those individuals that their private information may have been compromised,” he added.


“This is a guideline.  Only a fool would submit 99 identical subpoenas and expect a judge not to notice.”  
Alan Feuer reports:
A federal judge in Brooklyn ruled on Thursday that prosecutors could not force Facebook to remain silent about 15 grand-jury subpoenas involving the company’s customers.
The judge, James Orenstein, said that the prosecutors had legitimate concerns that their investigations might be compromised, but he added that the government’s boilerplate requests, made in identical language in each of the 15 applications for a gag order, were insufficiently detailed.
Read more on NY Times.


Is there an expectation that ‘social media’ is a better forecaster of future behavior?  Or merely more trendy?
Overnight Tech: Feds pressed to review social media in background checks
   The House Oversight Committee has called officials to testify from the Office of Personnel Management (OPM) and the Office of the Director of National Intelligence. Congress is pressing agencies to start using social media and other public information online in background checks. OPM has recently been soliciting vendors for a pilot project to use software that automatically scrapes the web for information helpful in a background check. You can read our preview of the hearing here.


An interesting exercise.  Perhaps we could automate this process to compare all countries as the laws change?  Would be fun to try with IBM’s Watson and a few other free tools!
If These Canadians Lived in the United States, How Would They Protect Their Privacy?
by Sabrina I. Pacifici on
Regan, Priscilla M. and Bennett, Colin and Bayley, Robin, If These Canadians Lived in the United States, How Would They Protect Their Privacy?  The Functional Equivalence of Privacy Redress Mechanisms in Canada and the US (May 10, 2016). 2016 Privacy Law Scholars Conference, George Washington University, June 2-3, 2016. Available at SSRN: http://ssrn.com/abstract=2778070
“Recent commentary has contended that, despite the fact that the U.S. does not have a comprehensive data protection statute or a data protection authority, the entire regime for the protection of privacy is essentially and functionally equivalent to those in other advanced democratic states.  We subject that hypothesis to empirical examination by investigating seven actual complaints and investigations conducted under the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).  These are real cases brought by real individuals.  In each case, we ask the question: if these same fact situations occurred in the U.S., how would these individuals try to advance their privacy rights and seek redress?  We examine cases from different sectors: credit reporting, insurance, online advertising, online dating, banking, hotels and cellular communications.  The cases are not representative.  Nevertheless, our results highlight the advantages of a single point of contact, a comprehensive legal framework, and of a system that relies less on litigation.”


As a concerned citizen, I might start an independent LLC to gather funds earmarked for all potential political hot buttons.  I would take a modest 98% administration fee. 
The Rise of Dark Money in US Elections
by Sabrina I. Pacifici on
“Dark Money Watch, a project of MapLight, is a hub for information about dark money in U.S. elections.  Our goal is to support investigations of dark money in order to help the public understand how hidden donors can influence our political system….  Dark money comes from groups that are not required to disclose their donors.  It pays for ads and other efforts to influence elections, but voters often don’t know who is behind those efforts.”


For my geekier students.
Meet Google's cool new natural language tool, Parsey McParseface
Google announced a new SyntaxNet open-source neural network framework that developers can use to build applications that understand human language.  As part of that release, Google also introduced Parsey McParseface, a new English language parser that was trained using SyntaxNet.
The launch is a move to democratize the tools for building applications powered by machine learning.


Perspective.  This is why we’re adding bots to our course offerings.
Half the Web's traffic comes from bots
Roughly half of all Web traffic comes from bots and crawlers, and that's costing companies a boatload of money.

That's one finding from a report released Thursday by DeviceAtlas, which makes software to help companies detect the devices being used by visitors to their websites.
Non-human sources accounted for 48 percent of traffic to the sites analyzed for DeviceAtlas's Q1 Mobile Web Intelligence Report, including legitimate search-engine crawlers as well as automated scrapers and bots generated by hackers, click fraudsters and spammers, the company said.
   "We used to think of bots as passive ambient noise," Cremin said. "That's now changed to the point where they actually interact with the sites they visit and mimic human traffic exactly."
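The DeviceAtlas figures are a headline number; what a practitioner wants to know is how such a split is made from raw traffic, and where it breaks.  The script below is an added example and is not code from DeviceAtlas or from the article.  It groups constructed Combined Log Format lines by client (IP plus User-Agent) and labels each client a declared bot, a suspected bot, or human.  Every IP address, User-Agent string, timestamp and threshold in it is constructed for the illustration; the thresholds are assumptions, not numbers taken from the report.

```python
"""Classify web-server traffic as human or bot from access-log lines.

Added example for the DeviceAtlas bot-share item.  The log lines below are
constructed for illustration, not real traffic, and the thresholds are
assumptions chosen for this demo rather than figures from the report.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip ident user [time] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Self-declared crawlers and scripted HTTP clients (illustrative list).
DECLARED_BOT_RE = re.compile(
    r'bot|crawl|spider|slurp|python-requests|curl|wget|scrapy', re.I)
STATIC_RE = re.compile(r'\.(css|js|png|jpe?g|gif|ico|woff2?)(\?|$)', re.I)

# Assumed thresholds for the "browser User-Agent but scripted behaviour" rule.
MIN_REQUESTS = 5        # need enough requests before judging a client
MAX_RATE_PER_SEC = 2.0  # page fetches per second a person rarely sustains

# Constructed User-Agent strings (a real Chrome 50 UA shape, and Googlebot's).
CHROME = ("Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36")
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def _line(ip, second, path, referer, ua):
    """Build one constructed log line at 10:00:<second> on 12 May 2016."""
    return (f'{ip} - - [12/May/2016:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 4096 "{referer}" "{ua}"')


# Constructed sample traffic (documentation-range IPs), not a real log.
SAMPLE_LOG = [
    # A search-engine crawler that announces itself (2 requests)
    _line("203.0.113.5", 1, "/robots.txt", "-", GOOGLEBOT),
    _line("203.0.113.5", 2, "/index.html", "-", GOOGLEBOT),
    # A scripted client that does not hide what it is (3 requests)
    _line("198.51.100.7", 3, "/products?page=1", "-", "python-requests/2.9.1"),
    _line("198.51.100.7", 3, "/products?page=2", "-", "python-requests/2.9.1"),
    _line("198.51.100.7", 4, "/products?page=3", "-", "python-requests/2.9.1"),
    # A person in Chrome: one page plus the assets that page pulls in (4 requests)
    _line("192.0.2.44", 5, "/products?page=1", "http://www.example.com/", CHROME),
    _line("192.0.2.44", 5, "/static/app.css", "http://www.example.com/products?page=1", CHROME),
    _line("192.0.2.44", 6, "/static/app.js", "http://www.example.com/products?page=1", CHROME),
    _line("192.0.2.44", 8, "/static/logo.png", "http://www.example.com/products?page=1", CHROME),
    # A scraper wearing the same Chrome User-Agent: six pages in about one
    # second, no Referer, never fetches CSS/JS/images (6 requests)
    *[_line("192.0.2.99", 10 + i // 3, f"/products?page={i + 1}", "-", CHROME)
      for i in range(6)],
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["is_static"] = bool(STATIC_RE.search(rec["path"]))
    return rec


def classify_clients(lines):
    """Group requests by (ip, user-agent) and label each client.

    declared_bot  - the User-Agent admits to being a crawler or script
    suspected_bot - browser User-Agent, but many fast page fetches with no
                    static assets and no Referer: how a headless scraper
                    behaves and a person's browser does not
    human         - everything else
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["ip"], rec["ua"])].append(rec)

    labels = {}
    for (ip, ua), recs in groups.items():
        if DECLARED_BOT_RE.search(ua):
            labels[(ip, ua)] = "declared_bot"
            continue
        n = len(recs)
        static_ratio = sum(r["is_static"] for r in recs) / n
        referer_ratio = sum(1 for r in recs if r["referer"] != "-") / n
        times = [r["time"] for r in recs]
        span = (max(times) - min(times)).total_seconds()
        rate = n / max(span, 1.0)  # avoid dividing by a zero-length window
        scripted = (n >= MIN_REQUESTS and static_ratio == 0.0
                    and referer_ratio == 0.0 and rate >= MAX_RATE_PER_SEC)
        labels[(ip, ua)] = "suspected_bot" if scripted else "human"
    return labels


def bot_share(lines):
    """Fraction of parsed requests attributed to declared or suspected bots."""
    labels = classify_clients(lines)
    total = bots = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if labels[(rec["ip"], rec["ua"])] != "human":
            bots += 1
    return bots / total if total else 0.0


if __name__ == "__main__":
    for client, label in classify_clients(SAMPLE_LOG).items():
        print(f"{label:14s} {client[0]:14s} {client[1][:40]}")
    print(f"bot share of requests: {bot_share(SAMPLE_LOG):.1%}")
```

The first rule is the easy half of any such report: crawlers and scripted clients that say so in the User-Agent.  The second rule is what catches the scraper at 192.0.2.99, and it only works because that scraper still behaves like a script (no asset fetches, no Referer, too fast).  A bot that also loads the CSS and images, sends a plausible Referer and paces itself lands in "human" here, which is exactly the "mimic human traffic exactly" problem Cremin describes; anything beyond this needs signals the access log does not carry, such as JavaScript execution or interaction timing.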

Because eventually they’re gonna get you.
Act NOW to Keep Your Windows 10 Upgrade Free After July 29

Thursday, May 12, 2016

Update:  Not sure where the $104 million figure comes from.  The article says $81 million which is what has been reported elsewhere.
Arun Devnath and Michael Riley report:
Investigators examining the theft of $104 million from Bangladesh’s central bank have uncovered evidence of three hacking groups — including two nation states — inside the bank’s network but say it was the third, unidentified group that pulled off the heist, according to two people briefed on the progress of the bank’s internal investigation.
FireEye Inc., the company hired by the bank to conduct the forensics investigation, identified digital fingerprints of hacking groups from Pakistan and North Korea, the two people said.  It hasn’t found enough data to determine whether the third group, the actual culprit, was a criminal network or the agent of another nation.
Read more on Bloomberg.
So all these hackers were in there and the Bank never detected any of them? 


Somehow, I doubt this will happen.  Everything we want would be an aid to terrorists.  Only the FBI can secure the country.
Mozilla wants U.S. to disclose to it first any vulnerability found in Tor
Mozilla has asked a court that it should be provided information on a vulnerability in the Tor browser ahead of it being provided to a defendant in a lawsuit, as the browser is based in part on Firefox browser code.

“At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base,” wrote Denelle Dixon-Thayer, chief legal and business officer at Mozilla, in a blog post Wednesday.
Mozilla is asking the U.S. District Court for the Western District of Washington, in the interest of Firefox users, to ensure that the government disclose the vulnerability to it before it is revealed to any other party.  The rationale behind the request, according to Mozilla: Any disclosure without advance notice to Mozilla will increase the likelihood that the exploit will become public before Mozilla can fix any associated vulnerability in Firefox.
   The government has so far refused to tell Mozilla whether the vulnerability at issue in the case involves a Mozilla product.  But Mozilla said in the filing that it has reason to believe that the exploit used by the government “is an active vulnerability in its Firefox code base that could be used to compromise users and systems running the browser.”
The government has also refused to tell Mozilla if the exploit went through the Vulnerabilities Equities Process (“VEP”), which is a government process for deciding whether to share or not information on security vulnerabilities, according to Mozilla.
If Mozilla is not allowed to intervene in the case to protect its interests, the court should certainly allow Mozilla to appear as a friend of the court or amicus curiae, according to the filing.


If GPS points to your front door…
Christin McMeley and John D. Seiver of Davis Wright Tremaine write:
On April 29, 2016, the U.S. Court of Appeals for the First Circuit handed down its widely anticipated opinion in Yershov v. Gannett Satellite Information Network, Inc., in which it expanded the reach of the Video Privacy Protection Act (“VPPA” or “Act”) by endorsing a considerably expanded view of how the statute applies in the digital media context.  In its decision, the court held that
(1) “personally identifiable information” (“PII”) includes the GPS coordinates of a device; and
(2) a user of a mobile application – even one who does not pay or otherwise register to use the app – qualifies as a “consumer” entitled to the protections of the Act.
Although the information Gannett transferred to a third party also included unique device identifiers (i.e., an Android ID), the court noted that its holding “need not be quite as broad as [its] reasoning suggests,” leaving unanswered the question of whether device identifiers alone would constitute PII.
With this condition set out in the holding, the decision may not be as far out of step with a slew of prior federal district court decisions holding that a consumer’s personal data, when disclosed, must identify a particular individual, without more, to qualify as PII.  The court found that GPS coordinates are more like a traditional street address than numeric device IDs such that their disclosure “effectively reveal[ed] the name of the video viewer.”
Read more on Davis Wright Tremaine.


“It’s no big deal until it is.”  I don’t know who said that, but they were correct.
Josh Kerns reports:
State workers are raising deep concern after learning a prominent anti-union group is seeking their personal information, including their birth dates, worrying it could lead to widespread privacy violations and identity theft.
Complaints began pouring into various unions representing state workers over the last month after the Olympia-based Freedom Foundation filed public records requests for information about thousands of workers.
Read more on MyNorthwest.com.
[From the article: 
State law says specifically that birth dates of state workers are disclosable and not exempt from privacy statutes.


For my Computer Security students: See, your tuition was well spent!
High-demand cybersecurity skill sets
   According to a survey of 299 IT and cybersecurity professionals:
·         33% of organizations say they have a shortage of cloud security specialists.
·         28% of organizations say they have a shortage of network security specialists.
·         27% of organizations say they have a shortage of security analysts.
·         26% of organizations say they have a shortage of data security specialists.


For the Computer Security club hacking team.
Facebook Open Sources CTF Platform
Facebook announced today that the source code of its capture the flag (CTF) platform has been made available on GitHub.
The social media giant says its goal is to help those who want to learn about hacking and allow them to put their skills to the test.  The company wants to make security education more accessible to schools, students and non-profit organizations.  The platform has been released under a Creative Commons license for use by non-commercial entities for educational purposes.
Facebook’s CTF platform includes everything one needs to run a hacking competition, including a game map, team registration and a scoring system.  Some challenges can also be provided upon request, including for reverse engineering, web application security, forensics, binary exploitation, and cryptography.  Users can also utilize the Facebook CTF platform to build custom challenges.


For my Architecture students.  I learned this, many moons ago, as “disintermediation.”
What Platforms Do Differently than Traditional Businesses
One of the oldest business models in the world is using new technology to trample traditional businesses, drive innovation, and create new and immense sources of value.  Matchmakers, the subject of our new book, make it easy for two or more groups of customers, like drivers and riders in the case of Uber, to get together and do business.  They operate platforms that make it easy and efficient for participants to connect and exchange value.


Someone might find a use for this.
LitCharts Offers Guides to Popular & Classic Literature
LitCharts is a relatively new service that provides teachers and students with guides and summaries of classic and popular literature.  The service currently offers more than 300 titles.
LitCharts guides can be viewed online or you can download the guides as PDFs.  To download a PDF you do have to enter your email address.  The online version of the guides available on LitCharts feature background information on a book's author, a color-coded list of themes in the book, a plot summary, a character list and summary, and an interactive chart board of themes in the book.
The interactive chart boards on LitCharts offer a way to explore the entire guide from one place.  The chart board is a wheel of chapters of a book.  The wheel is color-coded with themes from the book.  When you click on a chapter and color in the chart board you will be shown a short summary of that section of the book followed by a link to read more.  Color-coding makes it fairly easy to follow a theme through the book.


Makes me want to geek.
How to Set the ISS’s Earth Live Feed as Your Screensaver

Wednesday, May 11, 2016

Update.  Looks like the FBI is confirming what everyone suspected from the beginning.  Still no arrests? 
FBI Suspects Insiders in $81 Million Bangladesh Central Bank Theft: Report
Quoting sources familiar with the matter, the Journal said FBI agents investigating the case "have found evidence pointing to at least one bank employee acting as an accomplice."
But it added that "a handful of others" may have also aided the hackers in breaking into the computers of Bangladesh Bank.
   The involvement of the New York Fed has brought the FBI into the case, but the Fed is not being viewed as blameworthy.
Separately, the global financial transfers network SWIFT on Monday rejected reported accusations by Bangladesh police and bank officials that it was to blame for low security protections.
"SWIFT was not responsible for any of the issues cited by the officials, or party to the related decisions," it said in a statement.


If they only subscribe to other services, do they need to inform anyone?
Catalin Cimpanu writes:
This past Thursday, the FBI proposed that its biometric database be exempt from several provisions of the Privacy Act, US legislation that mandates that any federal agency must inform individuals about the records they collect and keep about them.
The FBI’s Next Generation Identification System (NGIS) is a database of biometrics information such as fingerprints, eye scans, facial scans, and even DNA samples.
The database is often used to identify crime suspects, and while in past times the database was rarely used, with the emergence of modern biometrics authentication systems, the database’s importance has grown tenfold because it also allows the FBI access to locked devices.
Read more on Softpedia.
[From the Softpedia article: 
Back in 2015, after a long battle in court, the Electronic Frontier Foundation discovered that the database already contained details for over 52 million people.  The US has a population of around 320 million.
In March 2016, The San Diego Union-Tribune discovered that the FBI was actively going after biometrics data contained in private databases managed by services such as Ancestry.com and 23andme.


Drones.  When you hear that word, think of the Hitchcock movie “The Birds.”
Delivery Drones: Coming to the Sky Near You?
by Sabrina I. Pacifici on
CRS Reports & Analysis Legal Sidebar – Delivery Drones: Coming to the Sky Near You? – 05/06/2016: “Can you prevent a drone from flying over your house to deliver a package to your neighbor?  Until now, that question has been of purely theoretical interest.  However, the Senate recently passed a bill that could significantly change the operational landscape for unmanned aircraft systems (UAS or drones) and make these kinds of hypothetical delivery drones a reality.”


Think this will spread to more states? 
From the Tenth Amendment Center:
The Vermont legislature has passed a sweeping bill that would establish robust privacy protections in the state.  If ultimately signed into law, it would not only limit warrantless surveillance and help ensure electronic privacy in Vermont, but would also hinder several federal surveillance programs that rely on cooperation and data from state and local law enforcement.
As passed, the legislation would ban the warrantless use of stingray devices to track the location of phones and sweep up electronic communications, restrict the use of drones for surveillance by police, and generally prohibit law enforcement officers from obtaining electronic data from service providers without a warrant or a judicially issued subpoena.
Read more on Tenth Amendment Center and hope the Governor signs this into law.


One of the few things Congress can respond to quickly…  
GOP sinks teeth into Facebook bias allegations
Allegations of political bias at Facebook exploded into national view on Tuesday as a Senate chairman pressed the company on whether conservative content is suppressed on the site.
Senate Commerce Committee Chairman John Thune (R-S.D.) sent a letter asking Facebook CEO Mark Zuckerberg to address the “serious allegations” that conservative content has been excluded from the site’s “Trending Topics” section.
   Facebook vehemently denies the charge, with an executive stating flatly on Tuesday that the company has “found no evidence that the anonymous allegations are true.”
“Facebook does not allow or advise our reviewers to systematically discriminate against sources of any ideological origin and we’ve designed our tools to make that technically not feasible,” said Tom Stocky, vice president for search at the social network, in a post.  “At the same time, our reviewers’ actions are logged and reviewed, and violating our guidelines is a fireable offense.”

(Related) This may be why the Republicans believe the rumors.  Still, this amount is trivial compared to a bias in favor of Hillary. 
Clinton is largest beneficiary of Facebook donations
Facebook employees as individuals have donated more than $114,000 to Democratic front-runner Hillary Clinton this election cycle, by far the most of any presidential candidate.

(Related) You know politics has sunk to a new low when they can be used to market Apps that help you leave the country.
Dating app may help anti-Trump Americans move to Canada
If Donald Trump is elected president, a new dating app known as Maple Match promises to help Americans fall in love with their neighbors to the north and move to Canada. 
“Make dating great again,” reads the slogan from Maple Match, which promises to “make it easy for Americans to find the ideal Canadian partner to save them from the unfathomable horror of a Trump presidency.”
The matchmaking service has yet to launch, but nearly 5,000 people have already signed up, according to The Guardian.


Access to a new tool.  As I read it, you have to have the mobile app on your phone first. 
WhatsApp Finally Launches Desktop Apps For Windows And Mac
Though it’s the biggest messaging application in the world with more than 1 billion active users, WhatsApp has for years lived primarily on mobile phones.  That could change significantly from Wednesday, when WhatsApp launched its first desktop apps for Windows 8 and Mac OS 10.9 and up.
The apps sync with a WhatsApp user’s account on their mobile device, once they’ve downloaded them and scanned a QR code from inside Settings > WhatsApp Web on the mobile app.


Because: Europe?
Facebook Moments: Facial recognition app launched that isn’t allowed to recognise people’s faces
Facebook has launched its facial-recognition photos app in Europe and Canada – without facial recognition.
The company first launched its “Moments” app in the US last year.  It is meant as an easy way of sharing photos, using recognition technology to pick out photos that include the same people and grouping them together.
But since people were automatically opted into that feature, and so had their faces and identities analysed by people who were using the app, privacy watchdogs in the EU and Canada stopped it coming from the UK.


Perspective.  Slack is big enough to take on the big boys. 
'Sign-in With Slack' Takes on Facebook, Google, and Microsoft
   On Tuesday, Slack, the company behind the hot corporate chat service of the same name, said users can now sign into non-Slack services using their existing Slack identities.  This is something you can already do with Facebook Connect, Twitter, Google Apps Identity and Microsoft’s Azure Active Directory services.
According to an online post, people can now use Sign in with Slack to log into Quip, a document creation application.  Users can then give their existing Slack team members access to Quip documents and lists.  And it’s easy to convert Slack chats to Quip documents, if needed.
Five other companies, Figma, Kifi, OfficeVibe, Slackline, and Smooz, have also integrated their apps with Slack, the company said.
   That means fewer passwords to remember, which most will agree is a good thing.


Amusing, but I probably won’t be sharing this one with my Computer Security students.
This Popular Porn Site Debuted a Bug Bounty Program on the Same Platform as the Pentagon
Maximum bounty for hackers: $25,000.
Pornhub, one of the world’s most popular pornography sites, unveiled a bug bounty program on Tuesday.
The company, owned by Canadian private firm MindGeek, will pay white hat hackers for finding computer bugs on its site and reporting those vulnerabilities to its owners.  The site is running the program through the startup HackerOne, a bug bounty software startup that spun out of Facebook and that operates similar programs for companies such as General Motors, Uber, Twitter, Yahoo, Dropbox—and even the United States Department of Defense.


I want the App for that!  
The 2016 Rich List of the World's Top-Earning Hedge Fund Managers
At a conference a year ago, David Siegel, co-chairman of quantitative hedge fund firm Two Sigma and an artificial-intelligence expert, predicted that computer-driven managers will one day rule the markets.  "The challenge facing the investment world is that the human mind has not become any better than it was 100 years ago, and it's very hard for someone using traditional methods to juggle all the information of the global economy in their head," he said.  "Eventually, the time will come that no human investment manager will be able to beat the computer."
Apparently, Siegel's future has already become a reality.  This year about half of the 25 highest-earning hedge fund managers topping Alpha's 15th annual Rich List used computer-generated investing strategies to produce all or some of their investment gains.  They include Siegel and John Overdeck, his Two Sigma co-chairman and co-founder, who qualify for the Rich List for the first time.  They tie for seventh place after earning $500 million each last year.
In fact, six of the top eight on this year's ranking are considered to be full-fledged quants: managers who rely heavily on sophisticated computer programs as part of their process.  This is a far cry from 2002, when just two computer-driven managers qualified for the initial ranking, including Renaissance Technologies founder James Simons, the only person to appear all 15 years.
This year Simons shares the top spot with Citadel's Kenneth Griffin, who has invested huge sums over the years in what he touts as a state-of-the-art computer system.  They each earned $1.7 billion in 2015 after posting roughly midteens gains in their main hedge funds.
Bridgewater Associates' Raymond Dalio, who also strongly relies on computers for making investment decisions, is tied for No. 3 with Appaloosa Management's David Tepper, the most successful hedge fund manager of all time among those who don't depend on computers.

Tuesday, May 10, 2016

Maybe they just wanted the computers.  Maybe they want the election?
MyJoyOnline reports:
Four computers used by the Electoral Commission (EC) for the Limited Biometric Voter Registration exercise have been stolen at Savelugu in the Northern region.
The office of the Commission was broken into through the window Sunday night.
“The locks were still on as if nothing had happened” when electoral officers went to the office, Joy News Northern regional correspondent Matina Bugri reported.
Read more on MyJoyOnline.com.
[From the article:
He explained that the computers and biometric verification devices containing data gathered on the last day of the registration exercise on Sunday were all missing. [Did they wait until all the data had been gathered?  Bob]


For my Ethical Hacking students.  Try not to cross the line and if you do be sure to have a scapegoat handy. 
Researcher Arrested For Hacking Elections Websites
David Levin, owner of Vanguard Cybersecurity, discovered in December that the elections website of Lee County was plagued by an SQL injection vulnerability that allowed access to credentials stored in plain text.  The expert later also identified security holes on the Florida Division of Elections website.
Levin contacted a supervisor of elections candidate and in January they made a video demonstrating the existence of the SQL injection flaw on the Lee County elections website and showed how exposed credentials could be used to access accounts and information.  The security hole was only then reported to the Supervisor of Elections Office.
According to local reports, the white hat hacker was arrested last week and charged with three counts of unauthorized access to a computer or a computer system.  He was released on a $15,000 bond after a few hours.
  “Dave obviously found a serious risk but rather than just stopping there and reporting it, he pointed a tool at it that sucked out a volume of data.  That data included credentials stored in plain text (another massive oversight on their behalf) which he then used to log onto the website and browse around private resources (or at least resources which were meant to be private),” said Troy Hunt, a security expert who has often been involved in the disclosure of serious vulnerabilities.
Hunt pointed out that in the case of SQL injection vulnerabilities such as the one found by Levin, it’s easy to demonstrate that a risk exists without actually accessing any potentially sensitive data.
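As an added illustration of Hunt's point (this is example code written for this post, not code from the article, from Levin's test or from the Lee County site), the block below puts a string-concatenated lookup next to a parameterised one and runs the same minimal probe against both.  The probe names only the tester's own account and appends two conditions that differ only in truth value; if the two responses differ, the input reached the SQL parser, and that alone is the proof.  No other row is read, no credentials are pulled.  The table, usernames and passwords are constructed stand-ins.

```python
import sqlite3

# Added example, not code from the article or from Levin's test. The table,
# usernames and passwords below are constructed stand-ins, not Lee County data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plain-text passwords mirror the second weakness Hunt describes; fixing
    # that (salted, slow hashing) is a separate change and is out of scope here.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "hunter2"), ("clerk", "letmein")])
    return conn

def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation, so a quote in the input
    closes the literal and whatever follows is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username):
    """Parameterised query: the input travels as a bound value, never as SQL,
    so the same probe strings below are matched literally and find nothing."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def is_injectable(lookup, conn, own_user="clerk"):
    """Non-exfiltrating proof of injection. Both probes reference only the
    tester's own account; the appended conditions differ only in truth value.
    A difference in the two responses shows the input reached the SQL parser.
    Nothing beyond the tester's own username is ever returned, which is the
    'stop there and report it' line Hunt draws."""
    true_probe = lookup(conn, own_user + "' AND '1'='1")
    false_probe = lookup(conn, own_user + "' AND '1'='2")
    return true_probe != false_probe

if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:", is_injectable(lookup_vulnerable, db))
    print("parameterised query injectable:", is_injectable(lookup_safe, db))
```

Run stand-alone, the concatenated lookup reports injectable and the parameterised one does not.  The same probe against a live target is the point at which a tester has everything a report needs; pointing a dumping tool at it, as Hunt notes, is where the legal exposure begins.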


Try anything, you never know when you might hit a soft spot. 
Important news out of the UK this morning, where the government (National Crime Agency) tried to get a court to compel Lauri Love to provide the decryption keys to devices they had seized from him.  Love had refused, arguing (understandably) that he had never been charged with any crime, and that they were attempting to do an end-run around protections under RIPA by a back-door route (“case management”) to forcing compliance.
This morning, the court denied the government’s motion.  The Free Lauri campaign explains:
This morning at Westminster Magistrates’ Court, District Judge Nina Tempia rejected a National Crime Agency (NCA) request to use the court’s case management powers to order Lauri Love to hand over his encryption keys, preventing a dangerous precedent that would have given UK police new powers to compel people to decrypt their electronic devices, even if they are not suspected of a crime.
Remarking on the NCA’s application, the judge said that authorities must instead use the existing legal regime created by the Regulation of Investigatory Powers Act (RIPA) if they wish to compel someone to surrender encryption keys, and that the court’s case management powers cannot be used by authorities to circumvent statutory safeguards in RIPA.
Read more on Free Lauri.
The information on the encrypted devices may, or may not, contain evidence relating to charges Love faces in the U.S., and the US has previously applied to the UK to extradite Love.  Love has been fighting the extradition, claiming that if there are any charges, they should be filed and tried in the UK.  But the UK did not find evidence/grounds to prosecute Love there.
So if Love’s going to be prosecuted for hacking – and he’s been indicted in three federal districts here by now – it’s going to be in the US, and today’s ruling in the UK means that the US won’t be getting any additional evidence from his devices in the foreseeable future.  Of course, they will argue that they already have enough evidence and just need the UK to extradite Love, but today’s ruling is likely a disappointment to prosecutors here.


No apology, that’s what these Apps are supposed to do.
GAO Report – Smartphone Data: Information and Issues Regarding Surreptitious Tracking Apps That Can Facilitate Stalking
by Sabrina I. Pacifici
Smartphone Data: Information and Issues Regarding Surreptitious Tracking Apps That Can Facilitate Stalking, GAO-16-317: Published: Apr 21, 2016.  Publicly Released: May 9, 2016.
“GAO found that the majority of the reviewed websites for smartphone tracking applications (apps) marketed their products to parents or employers to track the location of their children or employees, respectively, or to monitor them in other ways, such as intercepting their smartphone communications.  Several tracking apps were marketed to individuals for the purpose of tracking or intercepting the communications of an intimate partner to determine if that partner was cheating.  About one-third of the websites marketed their tracking apps as surreptitious, specifically to track the location and intercept the smartphone communications of children, employees, or intimate partners without their knowledge or consent.  The key concerns of the stakeholders with whom GAO spoke—including domestic violence groups, privacy groups, and academics—were questions about:
(1) the applicability of current federal laws to the manufacture, sale, and use of surreptitious tracking apps;
(2) the limited enforcement of current laws; and
(3) the need for additional education about tracking apps.
GAO found that some federal laws apply or potentially apply to smartphone tracking apps, particularly those that surreptitiously intercept communications such as e-mails or texts, but may not apply to some instances involving surreptitiously tracking location.  Statutes that may be applicable to surreptitious tracking apps, depending on the circumstances of their sale or use, are statutes related to wiretapping, unfair or deceptive trade practices, computer fraud, and stalking.  Stakeholders also expressed concerns over what they perceived to be limited enforcement of laws related to tracking apps and stalking.  Some of these stakeholders believed it was important to prosecute companies that manufacture surreptitious tracking apps and market them for the purpose of spying.  Domestic violence groups stated that additional education of law enforcement officials and consumers about how to protect against, detect, and remove tracking apps is needed.  The federal government has undertaken educational, enforcement, and legislative efforts to protect individuals from the use of surreptitious tracking apps, but stakeholders differed over whether current federal laws need to be strengthened to combat stalking.  Educational efforts by the Department of Justice (DOJ) have included funding for the Stalking Resource Center, which trains law enforcement officers, victim service professionals, policymakers, and researchers on the use of technology in stalking.  With regard to enforcement, DOJ has prosecuted a manufacturer and an individual under the federal wiretap statute for the manufacture or use of a surreptitious tracking app.  Some stakeholders believed the federal wiretap statute should be amended to explicitly include the interception of location data and DOJ has proposed amending the statute to allow for the forfeiture of proceeds from the sale of smartphone tracking apps and to make the sale of such apps a predicate offense for money laundering.  
Stakeholders differed in their opinions on the applicability and strengths of the relevant federal laws and the need for legislative action.  Some industry stakeholders were concerned that legislative actions could be overly broad and harm legitimate uses of tracking apps.  However, stakeholders generally agreed that location data can be highly personal information and are deserving of privacy protections.”


Worth sharing with my students.  All of them.
10 companies that can help you fight phishing
According to the most recent Verizon data breach report, a phishing email is often the first phase of an attack.  That's because it works well, with 30 percent of phishing messages opened, but only 3 percent reported to management.
   The Anti-Phishing Working Group offers a variety of resources, including a phishing education landing page that companies can use in conjunction with their anti-phishing campaigns.  Some of the vendors below, including Phishme and KnowBe4, also offer free resources.
Another free tool is MSI Simple Phish from MicroSolved, which allows security teams to run their own phishing tests inside their organization.

(Related)  Keep the glossary up to date!  (Voice and SMS)
New Phishing Techniques To Be Aware of: Vishing and Smishing


Something for my Computer Security students to ponder.  What should you tell Watson and what should you keep from ‘him?’  (Note that you make copies of a non-specific Watson and then teach whatever he needs to know.)
IBM Watson Brings AI Wonders to Cybersecurity
   Ginni Rometty, CEO of IBM, will introduce a cybersecurity-specific version of Watson at an IBM computer security summit on Tuesday, the company said.  The project, powered by IBM’s Bluemix cloud computing platform, includes a partnership between IBM and eight universities that begins in the fall.
   IBM researchers have already begun feeding Watson with all sorts of computer security data sourced from its open access threat intelligence platform, called X-Force Exchange.
   Watson is also designed to ingest research papers, blog posts, news stories, media reports, alerts, textbooks, social media posts, and more to build up knowledge about all the latest cyber threats.  Students at the partnering schools will help input and annotate this so-called unstructured data (meaning data that’s not easily machine readable) to train the system.


Would there be a market for a truly secure smartphone?  Perhaps my students could write the OS as a final exam? 
The government wants to know why it takes so long for your smartphone to get security updates
We trust our smartphones with an astounding amount of information, but all too often those devices may not be protected with the latest security fixes.  That's the problem at the heart of a new government project announced today in which the Federal Communications Commission and the Federal Trade Commission are teaming up to examine the sometimes messy way security patches are delivered to consumers' smartphones.


Another area to ponder. 
Computers Gone Wild: Impact and Implications of Developments in Artificial Intelligence on Society
by Sabrina I. Pacifici
Computers Gone Wild: Impact and Implications of Developments in Artificial Intelligence on Society, May 9, 2016.  The following summary was written by Samantha Bates:
“The second “Computers Gone Wild: Impact and Implications of Developments in Artificial Intelligence on Society” workshop took place on February 19, 2016 at Harvard Law School.  Marin Soljačić, Max Tegmark, Bruce Schneier, and Jonathan Zittrain convened this informal workshop to discuss recent advancements in artificial intelligence research.  Participants represented a wide range of expertise and perspectives and discussed four main topics during the day-long event:
the impact of artificial intelligence on labor and economics,
algorithmic decision-making, particularly in law,
autonomous weapons, and
the risks of emergent human-level artificial intelligence.

Each session opened with a brief overview of the existing literature related to the topic from a designated participant, followed by remarks from two or three provocateurs.  The session leader then moderated a discussion with the larger group.  At the conclusion of each session, participants agreed upon a list of research questions that require further investigation by the community.  A summary of each discussion as well as the group’s recommendations for additional areas of study are included here…”


Made for attack ads.  Of greater concern, have they lost anything else?  (If we’re lucky, they only “loose” emails that might embarrass the administration – or the next one.) 
State Dept. says it has no emails from ex-Clinton staffer
The State Department can find no emails to or from a former Hillary Clinton aide who worked for the agency and also managed Clinton’s private computer server while she served as secretary of state, the government said in a new court filing on Monday.
The government said as much in U.S. District Court in Washington in answer to a lawsuit by the Republican National Committee.  The committee had sued over its public records request for all work-related emails sent to or received by Clinton’s former aide, Bryan Pagliano, between 2009 and 2013, the years of Clinton’s tenure.
   agency officials continue to search for “Mr. Pagliano’s emails, which the department may have otherwise retained.”


Oh the horror of change!  Does this rise to “big deal” level? 
Google is testing a change to one of its most iconic designs
Google is testing an alternative to its iconic blue links in search results: Turning them black.
The company A/B tests various tweaks to its products all the time, but this swap feels particularly jarring since the search engine has kept the same overall color scheme since its earliest days of "10 bare blue links."
Google has proven in the past that its scale means that something like a small shift in shade can have big consequences.  In the early days, Google tested 40 different shades of blue for its links and the winning hue helped it reel in an extra $200 million a year in ad revenue.
Some users are saying that the change makes it harder to differentiate between which links they've clicked and which they haven't. 


Perspective.  Soon, my only option will be to buy a smartphone that talks to me.  “What took you so long, Bob?” 
Sales of PCs, laptops, and tablets fell 13% in Q1; reaching lowest point since 2011
   According to the latest report from market research firm Canalys, shipments of PC devices (including desktops, notebooks, two-in-ones, and tablets) amounted to 101 million units in the first quarter of 2016.  That represents a decline of 13 percent from the same period a year ago — the lowest volume since the second quarter of 2011.


A time waster for my students?  
Panama Papers Database Goes Live
by Sabrina I. Pacifici
Follow up to previous posting – ICIJ to Release Panama Papers Offshore Companies Data – today’s news – Offshore Leaks Database – Find out who’s behind almost 320,000 offshore companies and trusts from the Panama Papers and the Offshore Leaks investigations – accompanied by the following warning: “There are legitimate uses for offshore companies and trusts.  We do not intend to suggest or imply that any persons, companies or other entities included in the ICIJ Offshore Leaks Database have broken the law or otherwise acted improperly.  Many people and entities have the same or similar names.  We suggest you confirm the identities of any individuals or entities located in the database based on addresses or other identifiable information.  If you find an error in the database please get in touch with us.”
“This database contains information on almost 320,000 offshore entities that are part of the Panama Papers and the Offshore Leaks investigations.  The data covers nearly 40 years – from 1977 through 2015 – and links to people and companies in more than 200 countries and territories.  The real value of the database is that it strips away the secrecy that cloaks companies and trusts incorporated in tax havens and exposes the people behind them.  This includes, when available, the names of the real owners of those opaque structures.  In all, the interactive application reveals more than 360,000 names of people and companies behind secret offshore structures.  They come from leaked records and not a standardized corporate registry, so there may be duplicates.  In some cases, companies are listed as shareholders for another company or a trust, an arrangement that often helps obscure the flesh-and-blood people behind offshore entities.  ICIJ obtained the data through two massive leaks.  The majority of the names in this database come from Panamanian law firm Mossack Fonseca, whose inner workings were exposed in the Panama Papers investigation published in April 2016 in conjunction with Süddeutsche Zeitung and more than 100 other media partners.  Around a third of the offshore entities were incorporated through Portcullis Trustnet (now Portcullis) and Commonwealth Trust Limited, two offshore service providers exposed as part of ICIJ’s 2013 Offshore Leaks exposé.  This was the first information added to this database when it was released in June 2013, which was then produced in conjunction with Costa Rican newspaper La Nación.  The database does not disclose the totality of the leaked records.  It doesn’t divulge raw documents or personal information en masse.  
It contains a great deal of information about company owners, proxies and intermediaries in secrecy jurisdictions, but it doesn’t disclose bank accounts, email exchanges and financial transactions contained in the documents. ICIJ is publishing the information in the public interest.  While many of the activities carried out through offshore entities are perfectly legal, extensive reporting by ICIJ and its media partners for more than four years has shown that the anonymity granted by the offshore economy facilitates money laundering, tax evasion, fraud and other crimes.  Even when it’s legal, transparency advocates argue that the use of an alternative, parallel economy undermines democracy because it benefits a few at the expense of the majority.  Read more about why ICIJ is making this information public here.  The questions and answers below address the most frequent questions about this data.  If you still have questions after reading them, please get in touch with us.”


For those students who always have those plug thingies in their ears.  “What lecture?” 
7+ Easy Ways to Discover New Music You Will Love