Saturday, March 11, 2017

They replace compromised credit cards and want the ‘breach-ee’ to pay for it.
Matt Day reports that another retailer, Eddie Bauer, has been sued by financial institutions hoping to recover their costs of a breach.  Veridian Credit Union filed suit, seeking class-action status, in Seattle federal court this week.
The complaint alleges negligence on the retailer’s part and seeks to compensate financial institutions for costs related to reissuing stolen credit and debit cards, refunding unauthorized transactions and other fallout from the malware breach that affected point of sale terminals in its brick-and-mortar stores.
The deficiencies in Eddie Bauer’s security system include “a lack of elementary security measures that even the most inexperienced (information technology) professional could identify as problematic,” the complaint said.
The company failed to implement chip-based card anti-fraud technology, and exacerbated the problem by failing to notify customers for weeks after learning about the problem, the lawsuit says.
Read more on Seattle Times.  In light of Home Depot’s settlement with banks over its 2014 breach, it will be interesting to see what happens with this one.


Abandoning a perfectly good parking spot is probable cause? 
Can police strip search a motorist over an unpaid $6.50 traffic ticket?  The New Jersey Superior Court’s Appellate Division said last week that such conduct is unconstitutional.  A three-judge panel considered the case of Robert L. Evans, who was subjected to a search on January 4, 2012, after a Vineland police officer saw Evans pulling into, and then out of, a parking spot at the Days Inn.
Read more on TheNewspaper.com.
A copy of the decision is available in a 160k PDF file on their site.
[From the article:  
The judges were upset that police failed to abide by the state attorney general's guidelines, which require a warrant for strip searches.  The panel saw no excuse for the failure to obtain one.]


Not a real fear of Russians casting votes. 
Fears of election hacking spread in Europe
France has followed the Netherlands in placing its faith in paper-based voting systems ahead of key elections later this year, following allegations that Russian hackers influenced last year's U.S. presidential election.
   The move will only affect 11 of the 577 electoral districts voting, those representing French citizens living outside their home country.  These expatriates had previously been allowed to vote over the internet in some elections because the alternative was to require some of them to travel vast distances to the nearest embassy or consulate with a ballot box.
   That decision, though, was for reasons of electoral equality, not cybersecurity.
   In the Netherlands, it wasn't the internet that posed a security concern but the use of software to add up counts of paper votes.  Parliamentary elections will be held there on March 15.


“Well for one thing, you’re talking to a box…”   
'Alexa: What's Wrong With Me..?' Amazon's Virtual Assistant To Replace Your Doctor
Just when you thought Amazon’s virtual assistant knew enough already, WebMD – the hypochondriac’s favorite website - has teamed up with the retail giant to give Alexa medical diagnosis capabilities.
The integration will allow Amazon Echo, Echo Dot and Fire TV users to ask Alexa basic health queries, such as "Alexa, ask WebMD what are the symptoms of a heart attack", or "Alexa, ask WebMD how to treat a sore throat."
   "There are a number of reasons that voice-enabled interfaces are growing in popularity - they are generally hands-free, people can talk faster than they type, and when done right, they make it easier for consumers to quickly and easily get to the information they need."

Friday, March 10, 2017

A data breach (like a diamond) is forever!  Or at least a long, long time.
Jeff John Roberts reports:
Home Depot has taken another step to move on from its colossal 2014 data breach, which involved hackers stealing email or credit card information from more than 50 million customers by infiltrating self check-out terminals.
In a new settlement with dozens of banks, the retailer has agreed to pay $25 million for damages they incurred as a result of the breach, one of the biggest in history.
The settlement, filed this week in federal court in Atlanta, also requires Home Depot to tighten its cyber-security practices and to subject its vendors to more scrutiny—a measure tied to the fact that a security flaw by a third-party payment processor made the hacked self-checkout terminals vulnerable.
Read more on Fortune.


It’s hard to convince my Computer Security students that studies like this are correct.  
Presser, but has some interesting findings:
Evolve IP, The Cloud Services Company™, today released the results of a study of Dark Web email vulnerabilities in the healthcare industry.  The research, conducted in a collaboration between Evolve IP and ID Agent, reveals the pervasive nature of email-based cybersecurity attacks and sheds light on the quantity, variety, sources and consistent growth of these threats.
Healthcare IT leaders place a high priority on preventing breaches, but despite their best efforts, hackers often break through the organization’s weakest link – end user email credentials.  The study, which included an analysis of 1,000 healthcare organizations, illustrates the need for proactive threat monitoring coupled with near real-time disaster recovery solutions to prevent employee email liabilities from becoming major catastrophes.

Amongst other findings the landmark study uncovered:
  • 68 percent of the healthcare organizations analyzed have compromised email credentials as identified by ID Agent’s Dark Web ID analysis.  Nearly 80 percent of the positive data set includes actionable password information, simplifying hackers’ efforts to infiltrate the network.
  • An estimated 7,500 individual incidents occurred across the study where healthcare companies had email credentials compromised due to phishing or key logging attacks.  Any one of these vulnerabilities could rapidly escalate to ransomware, denial of service attacks or PHI breaches across an entire enterprise.
  • 23% of the passwords stolen were available for sale or trade on the Dark Web as unencrypted, clearly visible text.  While the remainder of passwords were encrypted, the level of encryption used presents no real hurdle to professional hackers that want to crack them. [See Comey article, below.  Bob]
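A caveat a practitioner would attach to that last bullet: what such listings call "encrypted" passwords are almost always password hashes, and an unsalted fast hash such as MD5 is cracked for every account at once from a single precomputed wordlist.  The example below is added here and is not part of the Evolve IP/ID Agent study; the accounts, passwords and wordlist are constructed.  It contrasts that one-pass attack with a per-user salted, slow KDF, which makes the attacker pay for every guess on every account but still recovers the weak passwords:

```python
import hashlib
import os


def md5hex(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()


# Constructed sample: hypothetical healthcare accounts and their passwords.
SAMPLE_PASSWORDS = {
    "nurse1@clinic.example":   "Summer2016!",
    "billing@clinic.example":  "password",
    "dr.smith@clinic.example": "123456",
    "admin@clinic.example":    "12345678",
    "it.help@clinic.example":  "tY8#vQ2m!zLp9@Wd",   # strong, in no wordlist
}

# The same accounts in the shape a dark-web listing takes: one record in clear text,
# the rest as unsalted MD5 (what such reports tend to call "encrypted").
SAMPLE_DUMP = [("nurse1@clinic.example", "plain", SAMPLE_PASSWORDS["nurse1@clinic.example"])] + [
    (user, "md5", md5hex(pw))
    for user, pw in SAMPLE_PASSWORDS.items()
    if user != "nurse1@clinic.example"
]

# Tiny stand-in for the multi-million-entry wordlists attackers actually use.
WORDLIST = ["password", "123456", "12345678", "qwerty", "letmein", "welcome1", "Summer2016!"]


def crack_unsalted_md5(records, wordlist):
    """Unsalted fast hashes: hash the wordlist once, then look every record up.
    Returns (user -> recovered password, number of hash computations spent)."""
    table = {md5hex(w): w for w in wordlist}   # one table serves every account
    recovered = {}
    for user, kind, value in records:
        if kind == "plain":
            recovered[user] = value
        elif kind == "md5" and value in table:
            recovered[user] = table[value]
    return recovered, len(wordlist)


def pbkdf2_hex(pw: str, salt: bytes, iterations: int) -> str:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def store_salted(passwords, iterations):
    """How a careful site stores the same passwords: random per-user salt, slow KDF."""
    stored = []
    for user, pw in passwords.items():
        salt = os.urandom(16)
        stored.append((user, salt, iterations, pbkdf2_hex(pw, salt, iterations)))
    return stored


def crack_salted(stored, wordlist):
    """Salted slow hashes: no shared table is possible, every guess is recomputed per
    account at the KDF's full cost, yet weak passwords still fall.
    Returns (user -> recovered password, number of KDF computations spent)."""
    recovered, work = {}, 0
    for user, salt, iterations, digest in stored:
        for guess in wordlist:
            work += 1
            if pbkdf2_hex(guess, salt, iterations) == digest:
                recovered[user] = guess
                break
    return recovered, work


if __name__ == "__main__":
    rec, work = crack_unsalted_md5(SAMPLE_DUMP, WORDLIST)
    print(f"unsalted MD5: {len(rec)}/{len(SAMPLE_DUMP)} accounts recovered with {work} hashes")
    rec, work = crack_salted(store_salted(SAMPLE_PASSWORDS, 20_000), WORDLIST)
    print(f"salted PBKDF2: {len(rec)}/{len(SAMPLE_PASSWORDS)} accounts recovered with {work} KDF runs")
```

The strong password survives both attacks; the four weak ones fall to both.  The slow KDF only changes what the attacker pays per guess (here 20,000 SHA-256 rounds instead of one MD5), which is why the quoted report's "no real hurdle" is fair for MD5 dumps and why the real hurdle has to be the password itself.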


Would my Security students fix this or eliminate it entirely?
Over on TechDirt, Mike Masnick writes:
For years we’ve pointed out the sheer insanity of the TSA’s security theater, which is intrusive, insulting and does little to actually make us any safer.  One aspect (of many) that has been particularly troubling is the way that the TSA has basically enabled sexual assault of travelers.  If you felt that wasn’t too bad, have no fear, the TSA is apparently increasing the sexual assaulty nature of these searches:
The new physical touching—for those selected to have a pat-down—will be what the federal agency officially describes as a more “comprehensive” physical screening, according to a Transportation Security Administration spokesman.
Denver International Airport, for example, notified employees and flight crews on Thursday that the “more rigorous” searches “will be more thorough and may involve an officer making more intimate contact than before.”
This is madness.  The answer to the TSA’s awful and useless security theater should never be to give TSA agents more power to sexually assault travelers with “more intimate contact.”  This is not about security.  This is about the TSA wanting to make it look like they’re doing something, and apparently that includes groping strangers who are just trying to get somewhere.  How the hell does sexually assaulting travelers make anyone any safer?
Remember when they told us that the full body scanners would keep us safer and diminish the need for intrusive pat-downs?  So now they have BOTH, and the public will go along with this like sheeple.  Again.
Between this and the CIA hacking tools leak with FBI director Comey telling everyone,  “There is no such thing as absolute privacy in America,” I fear some Americans are first waking up to what some of us have been yelling from the rooftops for years as we headed towards a dystopian society.  Frighteningly, some still may not have woken up.
   Reagan’s nine most terrifying words in the English language, ‘I’m from the government and I’m here to help,’ should be replaced with, “I’m from TSA and I’m here to grope you.”


I wonder how many law firms have had a Computer Security audit?  
Derek Borchardt and Michael F. Buchanan have an update on litigation previously noted on this site.  At its heart, a lawsuit claimed a Chicago law firm, Johnson & Bell, had inadequate data security.  There was no allegation of any actual breach – the suit was over inadequate data security.
Back in December of last year, we reported that for the first time, a U.S. law firm – Johnson & Bell, a mid-sized Chicago firm – was publicly named in a class action data security lawsuit.  Last month, the firm obtained a significant victory in the case.
To briefly recap, two of Johnson & Bell’s former clients claimed in their complaint that the firm had lax data security practices that put confidential client information at risk of exposure.  (Note that the plaintiffs did not claim that any actual breach had occurred, an omission which presents a significant question of standing under Article III, an issue this blog has recently covered.)
The retainer agreement between the firm and its former clients included an arbitration clause, which stated in pertinent part: “In the unlikely event of any dispute under this agreement, including a dispute regarding the amount of fees or the quality of our services, such dispute shall be determined through binding arbitration.”  Based on that clause, Johnson & Bell filed a motion to require the plaintiffs to arbitrate their dispute on an individual, rather than class, basis.  The firm argued that because the arbitration clause did not explicitly state that arbitration may be on a class basis, the only permissible arbitration was on an individual basis.  The court agreed.
Read more on Patterson Belknap Data Security Law Blog.
I asked Jay Edelson of Edelson, PC, lawyers for the plaintiffs, his perspective on the decision and its potential impact on other similar cases they had planned to file.  He replied:
We filed suit (under seal) seeking, first, injunctive relief to fix the alleged security vulnerabilities.  Once we were satisfied of the relevant fixes, we then moved to unseal the case and dismissed it.  The dismissal did not mean that we aren’t pursuing it, but rather was in recognition of the fact that there is an arbitration clause.  Johnson & Bell asked the Court to rule that we could arbitrate on an individual basis only (i.e. not on behalf of a class).
The Court agreed with them and we are going to appeal that decision.  However, regardless of whether this can be brought as a class action, we will still pursue the suit.  The question will be whether the class members are required to bring many individual arbitrations or can do it all at once.
In terms of other similar lawsuits, because this is a procedural issue (as opposed to one on the merits), it doesn’t have much impact unless a defendant has a similar arbitration clause as Johnson & Bell’s.  Even if they do, our guess is that because individual arbitrations are so expensive, it is unlikely that other defendants will choose to potentially face hundreds if not thousands of arbitrations instead of fighting one single (albeit larger) case.
So stay tuned, I guess.  I expect that there will still be issues raised of standing if there’s been no actual breach, but we’ll have to wait and see.


Propaganda 101: Make it sound like you are being picked upon.  The Evil US is doing something to poor, innocent, helpless China that no other country would ever do to another. 
China to US: Stop hacking us
China asked the U.S. government on Thursday to stop spying on and hacking other countries, after WikiLeaks revealed data showing that the CIA can hack a range of devices, including some manufactured in China.


Also Propaganda-like.  Wasn’t the “bargain” that there was a “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures?”  Are warrants no longer adequate because of encryption? 
Comey: Strong encryption “shatters” privacy-security bargain
FBI Director James Comey told a Boston audience this morning that “ubiquitous strong encryption” – the kind now available on most smartphones and other digital devices – is threatening to undermine the “bargain” that he said has balanced privacy and security in the US since its founding.
Actually, he went further, declaring that such default encryption “shatters” the bargain.
   “Last fall we received 2,800 devices that we had lawful authority to open.  And there were 1,200 we couldn’t open with any technology tool.  These were devices recovered in criminal, gang, terror and pedophile investigations.”
   But he said with probable cause and a warrant approved by a court, “government can invade – that’s the bargain.  If government has probable cause, it can search and seize – take whatever the judge said it could.  Even our memories aren’t totally private.  The general principle is that there is no such thing as absolute privacy.”

(Related) Perhaps Comey could hire the Dutch if the FBI is not competent?
DutchNews.nl reports:
Dutch detectives have gained access to 3.6 million encrypted emails sent by criminal gangs which will be used in dozens of prosecutions, the public prosecution department said on Thursday.  The information in the mails will provide evidence for criminal cases, including murder, armed robbery, drugs, money laundering and other forms of organised crime, the department said in a statement.
The messages were found on servers in Canada belonging to a Dutch company called Ennetcom.  Last year, the public prosecution department won the right to have the Ennetcom servers copied and the seven terabytes of information sent to the Netherlands for investigation.
Read more at DutchNews.nl.
Update: Read about how they were able to decrypt the messages on HackRead.


Strange how often my class discussions revolve around failures.
Lessons from Mismanaged Crises at Yahoo, Cuisinart and Wells Fargo
   Contrast the above companies’ performance with Johnson & Johnson’s handling of its tampered-Tylenol crisis in 1982, long considered a paradigm of successful crisis management.  However, today even its response probably would be regarded as a failure.  The company took three days to decide how to respond.  In our internet age with its 24/7 news cycle, a company does not have three days to react; it may not have even three hours.  Advance planning is critical.

(Related) Bias is programmed failure.  Diversity is a solution.
How I'm fighting bias in algorithms
MIT grad student Joy Buolamwini was working with facial recognition software when she noticed a problem: the software didn't recognize her face — because the people who coded the algorithm hadn't taught it to identify a broad range of skin tones and facial structures.  Now she's on a mission to fight bias in machine learning, a phenomenon she calls the "coded gaze."  It's an eye-opening talk about the need for accountability in coding ... as algorithms take over more and more aspects of our lives.  


We’re going to need to understand this technology and the laws governing it.  This will be very difficult or impossible to replicate manually. 
Mapping the Global Legal Landscape of Blockchain Technologies
by Sabrina I. Pacifici on Mar 9, 2017
Maupin, Julie A., Mapping the Global Legal Landscape of Blockchain Technologies (February 14, 2017).  Available at SSRN: https://ssrn.com/abstract=2930077
“Blockchain technologies are beginning to push a broad array of global economic activities away from centralized and toward decentralized market structures.  Governments should tackle the new regulatory conundrums of an increasingly disintermediated global economy by focusing on blockchain’s individual use cases rather than its underlying enabling technologies.  Grouping the known use cases around common characteristics reveals three broad categories of blockchain/law interfaces: the green box, the dark box, and the sandbox.  Each raises distinctive legal, regulatory and policy challenges deserving of separate analysis.”


Disruption.  Clearly Staples et al. could put up an online store.  Does this actually indicate that shoppers always start their buying search at Amazon?  (Only going to other sites if they don’t find what they want?)   
Staples and Office Depot Are Being Ripped to Shreds by Amazon and the Internet
Persistently plunging sales, weak profits and more store closures have become the new normal for office supplies retailers Staples and Office Depot as they battle online foes such as Amazon.


My latest ‘get rich quick’ scheme: Print up fancy labels you can slap on your bottle to make tap water look exotic.  For example, “Water from some glacier in the Himalayas.”
Americans drank more bottled water than soda in 2016

Thursday, March 09, 2017

Another “proof of concept” test?  Which would cause the most trouble, “can’t call” or the earlier “can’t stop calling and hanging up?” 
AT&T Cellphone Users Unable to Call 911 in at Least 14 States
Some AT&T cellphone users in at least 14 states and Washington, D.C., were unable to call 911 for a few hours on Wednesday night, officials said.
City, county, law enforcement and emergency response officials took to social media over the course of almost five hours to warn people across the country of the disruption.
   The telecommunications giant did not say when and how the problem began, or how many customers were affected.


For my Computer Security students.
Why the Ukraine power grid attacks should raise alarm
Since December of 2015, electric utilities in the United States and Canada have been wrestling with the postmortem reports and data findings from two significant grid hacking events in Ukraine.  The subject of these attacks has been addressed by those on Capitol Hill, trade associations, regulators, and the E-ISAC.
The hackers who struck utilities in Ukraine, which is the first confirmed hack to degrade a power grid, weren’t opportunists who just stumbled across the networks and launched an attack to test their abilities.  The attackers were highly skilled and planned their assault over many months, first doing reconnaissance to study the networks and steal operator credentials, then launching a synchronized attack against operating systems.
The perpetrators of a cyberattack on Ukraine's electric grid gained access to energy distribution company systems more than six months before [and no one noticed.  Bob] causing the Dec. 23, 2015 outage that temporarily left about 225,000 customers without power.
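The sequence in the paragraphs above (months of quiet use of stolen operator credentials, then a synchronized strike) is exactly the window in which a detection has to fire.  The Python below is an added illustration for the class; it is not drawn from the Ukraine investigation reports and does not describe the actual intrusion.  It runs three simple rules over constructed VPN login records for hypothetical operator accounts (a source address the account has never used, a login outside the shift window, and one source address used by several operator accounts) and measures how many days before a given outage date the first alert would have fired:

```python
import re
from datetime import date, datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed VPN login records (hypothetical operator accounts; RFC 5737 documentation
# addresses).  BASELINE_LOG is ordinary activity used to learn each account's usual
# sources; LIVE_LOG contains the kind of pattern the paragraphs above describe.
BASELINE_LOG = """\
2015-03-02T07:58:10Z vpn login user=op.kovalenko src=203.0.113.10 result=success
2015-03-03T08:01:22Z vpn login user=op.kovalenko src=203.0.113.10 result=success
2015-03-04T07:55:41Z vpn login user=op.kovalenko src=203.0.113.11 result=success
2015-03-02T14:10:05Z vpn login user=op.melnyk src=203.0.113.20 result=success
2015-03-05T13:42:18Z vpn login user=op.melnyk src=203.0.113.20 result=success
"""

LIVE_LOG = """\
2015-05-12T08:03:09Z vpn login user=op.kovalenko src=203.0.113.10 result=success
2015-05-13T02:17:33Z vpn login user=op.kovalenko src=198.51.100.77 result=failure
2015-05-13T02:18:05Z vpn login user=op.kovalenko src=198.51.100.77 result=success
2015-05-14T13:59:47Z vpn login user=op.melnyk src=203.0.113.20 result=success
2015-06-02T03:40:12Z vpn login user=op.melnyk src=198.51.100.77 result=success
"""


def parse(log: str):
    """Turn raw lines into dicts; lines that are not login records are ignored."""
    events = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def learn_sources(events):
    """Per account, the set of source addresses seen in successful baseline logins."""
    known = {}
    for e in events:
        if e["result"] == "success":
            known.setdefault(e["user"], set()).add(e["src"])
    return known


def detect(events, known, shift=(6, 20)):
    """Return (timestamp, user, src, reasons) for every login that breaks a rule.
    Failed attempts are scored too: a new source failing and then succeeding a
    minute later is a stolen credential being tried out, not a typo at the console."""
    alerts = []
    users_per_src = {}
    for e in events:
        reasons = []
        if e["src"] not in known.get(e["user"], set()):
            reasons.append("source address never used by this account")
        if not (shift[0] <= e["ts"].hour < shift[1]):
            reasons.append("outside shift hours")
        users_per_src.setdefault(e["src"], set()).add(e["user"])
        if len(users_per_src[e["src"]]) > 1:
            reasons.append("same source used by several operator accounts")
        if reasons:
            alerts.append((e["ts"], e["user"], e["src"], reasons))
    return alerts


def dwell_days(alerts, outage_iso: str):
    """Days between the earliest alert and the outage date; None if nothing fired."""
    if not alerts:
        return None
    first = min(a[0] for a in alerts).date()
    return (date.fromisoformat(outage_iso) - first).days


if __name__ == "__main__":
    known = learn_sources(parse(BASELINE_LOG))
    found = detect(parse(LIVE_LOG), known)
    for ts, user, src, reasons in found:
        print(ts.isoformat(), user, src, "; ".join(reasons))
    print("days of warning before a 2015-12-23 outage:", dwell_days(found, "2015-12-23"))
```

On the constructed data the first alert fires on the night login from the never-seen address, 224 days ahead of a December 23 outage date; the later shared-source rule is the one that turns two odd logins into one campaign.  Rules this simple are noisy on a real VPN concentrator, but the point for the class is that the signal was available from the first day the stolen credential was used, not on the day the breakers opened.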


Perspective.  And a big question for my students from India: “Are you investing in this market?”
As the skies above India rain money, Qatar Airways lines up a domestic airline
Just three months after Qatari prime minister Sheikh Abdullah bin Nasser bin Khalifa Al Thani held talks in New Delhi, the state-owned carrier of the oil-rich middle eastern nation has announced plans to enter India’s aviation market.
“Yes, we will have a 100% owned domestic carrier in India that will belong to both the QR (Qatar Airways) and our state investment arm, as India has now allowed foreign direct investment in domestic carriers within India,”
   India is poised to become the world’s third largest aviation market by 2020.  Domestic air travel is expected to grow by 9.5% annually between 2011 and 2031, according to aircraft-maker Airbus.  Currently, only about 2% of India’s population uses airlines, providing a massive opportunity to expand the market.
India is also expected to order more than 1,600 aircraft over the next 20 years, according to Boeing and Airbus, the world’s two largest aircraft makers.  In January, SpiceJet, India’s fourth largest airline by market share, ordered as many as 205 new aircraft from Boeing for $22 billion.  Meanwhile, India’s largest airline, IndiGo, too, has finalised orders for 250 carriers with Airbus.


Perspective.  It must mean something else in Chinese…  Or do pimps hold a lot of trademarks? 
Trump Organization granted trademark for ‘Trump Escorts’ in China
The Trump Organization was granted trademarks for 38 businesses in China on Wednesday, including “spas, massage parlors, golf clubs, hotels, insurance, finance and real estate companies, retail shops, restaurants, bars, and private bodyguard and escort services,” according to the Telegraph.  Yes, the president’s family business applied for, and received, a trademark for branded escort services in China.  Happy International Women’s Day.

Wednesday, March 08, 2017

Something for an Ethical Hacking background? 
WikiLeaks Releases Trove of Alleged C.I.A. Hacking Documents
In what appears to be the largest leak of C.I.A documents in history, WikiLeaks released on Tuesday thousands of pages describing sophisticated software tools and techniques used by the agency to break into smartphones, computers and even Internet-connected televisions.
The documents amount to a detailed, highly technical catalog of tools. [Not the actual tools.  Bob]  They include instructions for compromising a wide range of common computer tools for use in spying: the online calling service Skype; Wi-Fi networks; documents in PDF format; and even commercial antivirus programs of the kind used by millions of people to protect their computers.
The initial release, which WikiLeaks said was only the first installment in a larger collection of secret C.I.A. material, included 7,818 web pages with 943 attachments, many of them partly redacted by WikiLeaks editors to avoid disclosing the actual code for cyberweapons.  The entire archive of C.I.A. material consists of several hundred million lines of computer code, the group claimed.
   In some regard, the C.I.A. documents confirmed and filled in the details on abilities that have long been suspected in technical circles.


I thought I had reported this earlier. 
Jason Meisner and Steve Schmadeke report:
In the latest skirmish over privacy in the cellphone age, a federal judge in Chicago has rejected a law enforcement request to force potential targets in an ongoing investigation to provide fingerprints to unlock any iPhones or other Apple devices.
The order by U.S. Magistrate Judge David Weisman concerned a request for a warrant to search a residence where investigators believed someone was using the internet to traffic images of child pornography, court records show.
The prosecution filing seeking the search warrant on the FBI’s behalf remains under seal, but the judge’s opinion said the government requested “the authority to compel any individual who is present at the subject premises at the time of the search” to provide a fingerprint or thumbprint needed to unlock an Apple device.
Read more on Chicago Tribune


I know some IP lawyers who will be watching this like hawks.  Did this AI turn criminal on its own or was it programmed that way? 
Microsoft’s AI Is Now Writing Its Own Code by Looting Other Programs (MSFT)
Thou Shall Not Steal. [Unless thou hast a good lawyer?  Bob]  It’s a guiding principle that applies to everything.  But not anymore.  Not after a team of researchers from software giant Microsoft and Cambridge University built DeepCoder — a highly intelligent and sophisticated computer system that makes it possible for machines to write their own programs, by stealing code from other people (or other machines).  And if you forget the stealing part, its intentions are actually good.
With DeepCoder, it will now be possible for people who can’t code very well or don’t know how to code at all to write their own programs.  All they have to do is describe what it is they want done, and the computer will write the appropriate code to get it done.  Even better, it can create programs in a matter of seconds, unlike its older predecessors which needed several minutes to do the job.  Ideally, this means that people will have more time to spend on productive, rather than trivial stuff. [Rather insulting to us programmers!  Bob]
   “The potential for automation that this kind of technology offers could really signify an enormous [reduction] in the amount of effort it takes to develop code.  Generating a really big piece of code in one shot is hard, and potentially unrealistic.  But really big pieces of code are built by putting together lots of little pieces of code.”


Just another thing on that Internet of Things.  No doubt they will phone or text if anything changes. 
Pirelli, Goodyear Look to Gain Grip With Smart Tires
Companies show concept tires that send data including pressure, wear and temperature to a mobile app


Interesting to me, because they had to succeed at least 2,000 times to make $6,000,000
It’s finally over: Mastermind behind Prenda Law porn trolls pleads guilty
   After years of denial, John Steele admitted Monday that he and co-defendant Paul Hansmeier made more than $6 million by threatening Internet users with copyright lawsuits.
It's perfectly legal to sue Internet pirates—but not the way Steele did it.  Steele and Hansmeier set up "sham entities" to get copyrights to pornographic movies, "some of which they filmed themselves," according to the Department of Justice's statement on the plea.  Steele and Hansmeier then uploaded those movies to file-sharing websites such as The Pirate Bay and then sued the people who downloaded the content.


Perspective.  We are moving toward an ‘all mobile’ society. 
Android Poised To Topple Windows As World’s Most Used Operating System
It looks as though Google’s Android operating system is on the verge of making history.  According to analytics firm StatCounter, the current trending shows Android quickly approaching parity with Windows as the world’s most popular operating system among all computing devices.
What's more striking, however, is the fact that Microsoft has been losing overall market share at a rapid pace since 2012.  At that time, Microsoft was riding high with 82 percent share of all global OS traffic.  But it has been a steady march downward, and today Microsoft’s Windows-based operating systems have a collective 38.6 percent share of the global OS market according to StatCounter.
   “The idea of Android almost matching Windows would have been unthinkable five years ago,” said StatCounter CEO Aodhan Cullen.  “Windows has won the desktop war but the battlefield has moved on.”
The changing of the guard can no doubt be attributed to the declining importance of PCs in the everyday lives of consumers, and the increasing ubiquity of smartphones as our “go to” tool for communications.


Perspective.  We do need broadcast TV or cable TV.
CTA – Number of Streaming Video Viewers Now Equal To Paid TV Subscribers
by Sabrina I. Pacifici on Mar 7, 2017
“For the first time ever, the percentage of free or paid streaming video subscribers in the U.S. (68 percent) has caught up to the number of paid TV subscribers (67 percent), according to new research from the Consumer Technology Association (CTA) ™.  The new study, The Changing Landscape for Video and Content, also shows the time consumers spend watching video content on TVs (51 percent in 2016, down 11 points since 2012) is now equaled by – within the sampling margin of error – time spent watching video content on all other consumer technology devices (49 percent) including laptops, tablets and smartphones.  “More and more consumers are embracing the freedom of connectivity – in this case, the anytime/anywhere access to video content,” said Steve Koenig, senior director of market research, CTA.  “This is one of the driving trends of our time.  Today’s advancement of technology delivers ‘content convenience’ that results in cultural changes such as binge watching, second screen behavior, content recommendations and the screens consumers use to consume video.  And we expect streaming subscribers to surpass paid TV services – and by a fair margin – in the next year or so.”


Perspective.  Groceries are a very low-margin business.  I wondered how delivery services would make any money without pricing themselves out of business. 
Instacart raises $400 million at a $3.4 billion valuation to deliver groceries on-demand
   As TechCrunch has previously reported, Instacart has multiple revenue streams.  The company charges customers a markup on groceries, plus a fee for delivering items to their doors.  In addition, consumer packaged goods brands pay Instacart to advertise on its platform.  And the startup strikes revenue share agreements with partners including grocery chains like Whole Foods.


Imagine what this company would be worth if it was capable of making a profit!
Digital Financial Startup BankMobile to Be Sold for $175 Million
BankMobile, a two-year-old digital-banking upstart founded by a veteran executive of financial firms, announced Wednesday that it is being sold for $175 million after its parent company said it wouldn’t be able to operate the business profitably.


Something for the toolkit?  This could be handy!
   Markticle, available for Web, Chrome, and Android, is the solution.
It helps you mark your reading progress in articles so that you can come back to the exact spot on the webpage later.  In brief, it is a read-it-later bookmark tool that homes in not only on the article but also on the particular line you want saved for later.


A warning for gamers?  Too much of a good thing is a bad thing.  Do we need an App that monitors your health and stops the game (or calls the ambulance) when you get over-stimulated?
Man suffers fatal heart attack after catching one of the rarest creatures in ‘Pokemon Go’
Pokemon Go has gotten countless players up off of the couch and on their feet in search of the endlessly charming creatures, and it’s been hailed as a great fitness tool for that very reason.  Unfortunately, it seems the pure joy of snatching a particularly elusive monster was a bit too much for one Singaporean man who, after nabbing a prized catch, suffered a fatal heart attack.

Tuesday, March 07, 2017

My Computer Security students already think like the hackers they will do battle with. 
To Improve Cybersecurity, Think Like a Hacker
   spending on cybersecurity is poised to accelerate.  Gartner Inc., the information technology (IT) research and advisory firm, has estimated that global spending on information security would reach $81 billion in 2016 and may grow to $101 billion by 2018, with the highest growth in security testing.  Unfortunately, investment in security measures is only part of the answer; traditional methodologies can only do so much.  To be effective, executives in charge of cybersecurity need to adjust their mindsets and become as open and adaptive as possible.


How this happened might make an interesting case for my Computer Security students.
Alexander J. Martin reports:
Software company Solarwinds, which sells IT management tools, has infuriated customers after a faulty alert exposed customers’ entire client lists to their competitors.
An unspecified issue affecting the Texas-based business’ RemoteManagement tool, which it gained after acquiring Dundee-based LogicNow, led to a mass leaking of business data last Friday morning.
Read more on The Register.


What a wicked web we weave when…  Well, pretty much all the time!
Facebook reported the BBC — and itself — to police after the news organization flagged up 'sexualized' images of children being shared on the social network
   The BBC said it asked for an interview with Facebook's UK director of social policy, Simon Milner, to discuss its findings.  Milner agreed to be interviewed only on the condition its journalists provided examples of the photos that had been reported and not removed by moderators, according to the BBC.
The BBC said it cooperated with the request but Facebook then cancelled the interview and reported the news organization to the UK's National Crime Agency.
Therein follows a complex legal and ethical debate.  Under the Protection of Children Act, it is illegal in the UK to download or distribute images of child exploitation — something the BBC should have been well aware of.  However, Facebook had requested the images in order for an interview to take place — and these were photos which its own moderation system had apparently deemed legal.  Section 4 of the act also states one defence of distributing or being in possession of such indecent photographs is having a "legitimate reason" to do so.


Maybe there really is nothing there.
Amazon gives up fight for Alexa’s First Amendment rights after defendant hands over data
Amazon has abandoned its legal battle to protect its Alexa assistant with First Amendment rights — for now at least.  The company filed a motion against a police search warrant in an Arkansas murder case earlier this month, but has now dropped the case after the defendant agreed to hand over the data contained on his Echo speaker to police.
In documents filed last Monday, defendant James Andrew Bates said that he was willing to allow law enforcement officials to review information contained on his Amazon Echo speaker, before the company handed the data over on Friday.  Bates has pleaded not guilty to the murder of Victor Collins, who was found dead in Bates’ hot tub in November 2015.


Keeping up with the Donald?
As President Donald Trump made waves over the weekend with his latest tweets, another high-profile public official emerged as a lively—if less provocative—new voice on the social network.
Manhattan U.S. Attorney Preet Bharara, the prosecutor who has battled insider-trading and Albany’s top lawmakers, launched a personal Twitter account on Friday.  It was a rare step for a top federal law-enforcement official, and one that prompted a flurry of chatter in legal and political circles about his motives.
   But while Mr. Bharara’s embrace of the social platform stoked speculation that the move might signal his political ambitions or the announcement of a big new case, his office said the motivation was far simpler.
A spokesman for Mr. Bharara, Nicholas Biase, said the personal account is a result of the office’s compliance with a new social-media policy issued by the Justice Department that prohibits the use of account handles that identify only the individual’s name.
Mr. Bharara’s official account had used the handle @PreetBharara, and has now been switched to the handle @USAttyBharara, which meets the department’s protocol that handles signify affiliation with the agency, Mr. Biase said.
Mr. Bharara then took @PreetBharara for his personal use.


A lot of video from the Wall Street Journal today…
How Artificial Intelligence Will Change Everything
   Andrew Ng, chief scientist at Chinese internet giant Baidu Inc. and co-founder of education startup Coursera, and Neil Jacobstein, chair of the artificial intelligence and robotics department at Silicon Valley think tank Singularity University, sat down with The Wall Street Journal’s Scott Austin to discuss AI’s opportunities and challenges.
Here are edited excerpts.


I’m trying to make my Data Management students useful in this market.
Why CIOs Aren’t Prepared for Big Data
As companies scale their use of big data, the move brings a lot of questions.  Does it require new architecture?  Does it require new platforms?  The Wall Street Journal’s Jay Greene discussed the topic with Richard Sherlund, managing director and chairman, software investment banking, at Barclays.  The discussion covered everything from going beyond big data that looks to the past to newer applications that will be able to learn and make predictions.
Edited excerpts follow.
MR. GREENE: What’s fueling this platform are Internet of Things devices, right?
MR. SHERLUND: The new Airbus has 70,000 sensors.  None of that data comes down to earth.  That stays on the airplane.  That has to be processed locally.  There are security reasons that you don’t want that data going back and forth.


Not surprising, but disappointing.  What is the priority list like for a government bureaucracy?  1. Don’t get fired.  2. Grow my budget. 3. Grow my bureaucracy.  99. Improve productivity.  Perhaps “Rigorous Vetting” translates to “rigorous paper shuffling?”
U.S. immigration data is on paper and a mess, says report
The U.S. government spends $80 billion a year on information technology, but despite this money, its immigration data is in awful shape.  Some data is on paper, or of poor quality and out of sync with government systems used to track wages and employment.
Those are some of the takeaways from a new report that conducted what amounts to a headcount of nonimmigrant visa workers in the U.S. In the course of this investigation, the Economic Policy Institute (EPI) critiqued the information-gathering systems used by the government.


Perspective.  Soon, we will have no need for salesmen.
Salesforce's Einstein AI is Finally Here
Salesforce Einstein is now generally available to all Salesforce customers.  Einstein is an artificial intelligence-based (AI) assistant designed to leverage customer relationship management (CRM) data to help companies discover, predict, recommend, and automate enhanced business processes.
Announced in September of last year, Einstein takes advantage of Salesforce's deep learning, machine learning (ML), predictive analytics, natural language processing, and image processing to serve as a robotic account manager.  For example, you can use Salesforce Sales Cloud and Einstein to determine if the person to whom you're pitching a product actually has buying power.


Have I mentioned (too often) that I like lists?  Always(?) try a free version first.  If it does everything you want, why pay more? 
The Best Free Software of 2017


For my researching students.  Select specific categories for targeting your video search. 
FaganFinder is Back
by Sabrina I. Pacifici on Mar 6, 2017
March 4, 2017 – “I decided it was about time for a Fagan Finder update.  The Video search page has been fully updated and is now much more comprehensive, going from 26 search options to 115.  It includes all sorts of videos from documentaries to animated GIFs, and even related information such as TV/movie reviews, scripts, and showtimes.  The Groups search page has been updated as well, and includes online groups (forums, IRC), meetups, and more.  Both pages have also been redesigned to be easier to use, load faster, and work better no matter what technology you use.  Do you have feedback on these updates, want to see other pages updated, or want to see whole new pages?  Let me know…” [Via Tara Penelope Calishain]


For my International students.  
Google’s smarter, A.I.-powered translation system expands to more languages
Last fall, Google introduced a new system for machine-assisted language translations, Google Neural Machine Translation system (GNMT), which takes advantage of deep neural networks to translate entire sentences – not just phrases – for greatly improved translations.  The company put the system to work in Google Translate for eight language pairs in November, and is today expanding support to three more: Russian, Hindi and Vietnamese.

Monday, March 06, 2017

You didn’t think that only the ‘good guys’ made dumb mistakes, did you?
Sometimes you just have to grin when the bad guys screw up, misconfigure their backup, and expose their entire operation to the world.  This is one of those times.  Chris Vickery of the MacKeeper Security Research team and Steve Ragan of Salted Hash have the mega leak of the year.
Steve writes:
This is the story of how River City Media (RCM), Alvin Slocombe, and Matt Ferris accidentally exposed their entire operation to the public after failing to properly configure their Rsync backups.
The data from this well-known but slippery spamming operation was discovered by Chris Vickery, a security researcher for MacKeeper, and shared with Salted Hash, Spamhaus, as well as relevant law enforcement agencies.
While security practitioners are familiar with spammers and their methods, this story afforded Salted Hash a rare opportunity to look behind the curtain and view their day-to-day operations.
Grab your coffee and read their coverage on MacKeeper and Salted Hash while I try to wake up more.  Why should you read it, you wonder?  Because you or someone in your family is probably affected.  As Chris explains:
The situation presents a tangible threat to online privacy and security as it involves a database of 1.4 billion email accounts combined with real names, user IP addresses, and often physical addresses.  Chances are that you, or at least someone you know, is affected.
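An added example (mine, not code from the Salted Hash or MacKeeper write-ups): a small Python audit of an rsyncd.conf that flags the pattern behind this leak, a module with no ‘auth users’ and no ‘hosts allow’, which rsyncd treats as readable by any host that can reach the port.  The config inside it is constructed, not RCM’s real one, and the defaults it applies for unset parameters are the documented ones from rsyncd.conf(5).

```python
"""Audit an rsyncd.conf for modules an anonymous internet client can read.

Added example: not code from the Salted Hash or MacKeeper write-ups, and the
sample config below is constructed, not River City Media's real one.  The
parameter defaults are the documented ones from rsyncd.conf(5).
"""
import re

# rsyncd.conf(5) defaults applied when a parameter is unset.
DEFAULTS = {
    "auth users": "",    # empty: no authentication required
    "hosts allow": "",   # empty: every host is allowed to connect
    "read only": "yes",
    "list": "yes",
    "use chroot": "yes",
}

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
KV_RE = re.compile(r"^(?P<key>[^=#;]+?)\s*=\s*(?P<val>.*)$")


def parse_rsyncd_conf(text):
    """Return (global_params, {module_name: params}); keys are lower-cased."""
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        section = SECTION_RE.match(line)
        if section:
            current = section.group("name").strip()
            modules[current] = {}
            continue
        kv = KV_RE.match(line)
        if not kv:
            continue  # skip malformed lines instead of aborting the audit
        key, val = kv.group("key").strip().lower(), kv.group("val").strip()
        (global_params if current is None else modules[current])[key] = val
    return global_params, modules


def effective(params, global_params, key):
    """Module setting, else global setting, else the rsyncd default."""
    return params.get(key, global_params.get(key, DEFAULTS[key]))


def is_true(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit(text):
    """Return {module: [findings]} for modules reachable without credentials
    or otherwise weaker than a backup target should be."""
    global_params, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        def get(key, params=params):
            return effective(params, global_params, key)
        findings = []
        anonymous = get("auth users") == ""
        any_host = get("hosts allow") == ""
        if anonymous and any_host:
            findings.append("readable by anyone on the internet: no 'auth users' and no 'hosts allow'")
        elif anonymous:
            findings.append("no 'auth users': every host in 'hosts allow' reads without credentials")
        elif any_host:
            findings.append("no 'hosts allow': the password is the only barrier")
        if anonymous and is_true(get("list")):
            findings.append("listable: 'rsync rsync://host/' reveals the module name")
        if not is_true(get("read only")):
            findings.append("'read only = no': clients can also write into the module")
        if not is_true(get("use chroot")):
            findings.append("'use chroot = no': symlinks inside the module can escape its path")
        if findings:
            report[name] = findings
    return report


# Constructed sample: one module with the RCM-style exposure, one locked down.
SAMPLE_CONF = """\
uid = nobody
gid = nogroup

[backups]
    path = /srv/backups
    comment = nightly database dumps
    read only = no

[hardened]
    path = /srv/backups
    auth users = backupbot
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.5
    list = no
"""

if __name__ == "__main__":
    for module, findings in audit(SAMPLE_CONF).items():
        print(f"[{module}]")
        for finding in findings:
            print("  -", finding)
```

The external version of the same check is `rsync rsync://host/`, which lists every module whose ‘list’ parameter is left at its default; a module that shows up there with no ‘auth users’ is exactly what Vickery found.  The ‘hardened’ module in the sample produces no findings because it requires a named user with a secrets file, restricts the source address, and stays read-only and unlisted.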


"The Capitalists will sell us the rope with which we will hang them."  Vladimir Ilyich Lenin  Was that the start of the Russian kleptocracy? 
Michael Riley reports:
Russian hackers are targeting U.S. progressive groups in a new wave of attacks, scouring the organizations’ emails for embarrassing details and attempting to extract hush money, according to two people familiar with probes being conducted by the FBI and private security firms.
At least a dozen groups have faced extortion attempts since the U.S. presidential election, said the people, who provided broad outlines of the campaign. The ransom demands are accompanied by samples of sensitive data in the hackers’ possession.
Read more on Bloomberg.


Dang!  I hope they don’t find the others… 
Bug Bounty Hunter exposes glitch in Uber that let users ride for free
Bengaluru-based Anand Prakash, a web applications security expert and bug bounty hunter, discovered a glitch in Uber’s payment system which could have been used to get unlimited rides.  The bug has now been fixed by Uber’s security team, but the white hat hacker lays it all out on his blog.
[Anand’s blog: http://www.anandpraka.sh/]


Because it is better to have a tool to find perpetrators than to let them know how the FBI does it?  Either way, this means jobs for my Ethical Hacking students. 
To keep Tor hack source code secret, DOJ dismisses child porn case
Rather than share the now-classified technological means that investigators used to locate a child porn suspect, federal prosecutors in Washington state have dropped all charges against a man accused of accessing Playpen, a notorious and now-shuttered website.
The case, United States v. Jay Michaud, is one of nearly 200 cases nationwide that have raised new questions about the appropriate limitations on the government’s ability to hack criminal suspects.  Michaud marks just the second time that prosecutors have asked that a case be dismissed.
   The DOJ has called this exploit a "network investigative technique," (NIT) while many security experts have dubbed it as "malware."
Defense attorneys have attempted to gain access to some, if not all, of the NIT’s source code as part of the criminal discovery process.  In a related case prosecuted in New York, an FBI search warrant affidavit described both the types of child pornography available to Playpen’s 150,000 members and the NIT’s capabilities.
Last year, US District Judge Robert Bryan ordered the government to hand over the NIT's source code in Michaud.  Since that May 2016 order, the government has classified the source code itself, thwarting efforts for criminal discovery in more than 100 Playpen-related cases that remain pending.
   However, some legal experts have argued that such "lawful hacking" is an appropriate way for the government to combat the so-called "going dark" problem—the widespread use of sophisticated anti-surveillance tools, such as Tor and other forms of encryption that stymie traditional law enforcement.


A carrot to match the VX nerve gas stick?  Is the North finally crumbling? 
Hoping to Lure High-Level Defectors, South Korea Increases Rewards
SEOUL, South Korea — South Korea said on Sunday that it would quadruple the cash reward it provides for North Korean defectors arriving with sensitive information to 1 billion won, or $860,000, in an effort to encourage more elite members from the North to flee.

(Related).  A flurry before crashing?  
North Korea launches more missiles; 3 land in Japanese waters
North Korea launched four missiles Monday morning, a provocative barrage that coincided both with joint U.S.-South Korean military exercises on the southern half of the peninsula and with the opening of the annual National People’s Congress in China.
   “Every year this time, they try to do something to defy the exercises,” said Bruce Bennett, a North Korea expert at the Rand Corp. in California.  “This time, I think they’re also interested in making a statement to the Chinese and to let Beijing know this coal ban is going to hurt,” he said, referring to Beijing’s decision last month to stop importing coal from North Korea, cutting off a major economic lifeline.
   China expressed its dismay over the launch, with a Foreign Ministry spokeswoman saying it “opposes” launches that undermine U.N. resolutions.  Russia, meanwhile, was more blunt, describing itself as “seriously worried” about the launches which raise tensions in the region.


Those who don’t study history are doomed to have an AI do it for them?  Will reliance on AI always result in making the right decisions?
Kensho's AI For Investors Just Got Valued At Over $500 Million In Funding Round From Wall Street
When the United Kingdom voted to leave the European Union in June, ultimately tanking the British pound, traders with access to Cambridge, Massachusetts-based artificial intelligence platform Kensho had a special advantage.
With a few keystrokes on Kensho's AI-powered platform, traders quickly combed through an intelligence-grade database [What does that mean?  Bob] of information and in seconds learned that populist votes such as Brexit historically led to an extended drop in the local currency, washing out any short-term recovery.  That's exactly what happened in the days and months after Brexit.  The pound plunged to three-decade lows in July, sinking to $1.28 versus the dollar, before rallying slightly to $1.33.  The currency has been in a slump since then and currently sits at $1.24.  It was one of the biggest trades in currency markets since billionaire George Soros broke the Bank of England in 1992.


Perspective.  Worth reading.
Will Democracy Survive Big Data and Artificial Intelligence?
The digital revolution is in full swing.  How will it change our world?  The amount of data we produce doubles every year.  In other words: in 2016 we produced as much data as in the entire history of humankind through 2015.  Every minute we produce hundreds of thousands of Google searches and Facebook posts.  These contain information that reveals how we think and feel.  Soon, the things around us, possibly even our clothing, also will be connected with the Internet.  It is estimated that in 10 years’ time there will be 150 billion networked measuring sensors, 20 times more than people on Earth.  Then, the amount of data will double every 12 hours.


A geeky future!  I wonder if I can finally get a Jaguar XKE body with modern Ford running gear? 
Ford Starts Pilot Testing Stratasys Infinite Build 3D Printer
   Stratasys, one of the leading manufacturers of additive manufacturing systems, has developed a means to build parts that theoretically have no size limit.  They use a combination of industrial robots and a print-head that extrudes the material in a way that is somewhat similar to the desktop Makerbot printers that it also produces.
   For its infinite build system, Stratasys uses containers of micropellets rather than a continuous filament in a process known as fused deposition modeling (FDM).  The FDM process still builds up layers of material like other systems, but because the robot head can move and rotate in 3 dimensions, the layers don’t have to be flat slices.  This enables the production of more complex shapes and potentially optimizing the layout of the layers to maximize properties like strength while reducing weight.


Or, I could just ask my students.
We’ve lost empathy and critical thinking.  We no longer try to understand things from the perspectives of others.  Instead, we’re quick to demonize dissenters.  We don’t want thoughtful discourse.  We want to be right and we want everyone else to agree.
But that’s not how life works.  Most issues are complex, so much so that black-and-white answers are often disingenuous at best and outright harmful at worst, which is why ProCon is such an important website for us today.


Helping my students get rich.
Y Combinator opens registration for its free Startup School online course
Y Combinator is making its Startup School event available to more people in the form of a massively open online course (MOOC).  Starting today, you can register for a spot to watch the various industry leaders and entrepreneurs that the startup program has lined up to guest lecture during this 10-week course.  Participants will also receive access to a Slack-powered community so they can converse with their classmates.
As for the final exam, participants will be invited to present what they’ve built to the entire class in what is essentially a pseudo Demo Day.  The best part is that Y Combinator is giving this all away for free.


For my students.
IBM's online quantum machine gets faster
The machine, based in New York, has been available via the internet since May last year.
   While the system it has made publicly available is currently only as powerful as a standard laptop, it is an important first step, said IBM scientist Dr Jerry Chow.
"It is about growing an eco-system of users, developing a community that can grow and define the software that will run it," he explained.
He added that the system now includes an interface which allows programmers to launch instructions for the machine using traditional programming languages.
   Most agree that when quantum computing hits 50 qubits - more powerful than the most powerful supercomputers currently available - that will be something of a magic number.
IBM's quantum computer will now offer simulation of 20 qubits, up from its original five.
"Classical computers are extraordinarily powerful and will continue to advance and underpin everything we do in business and society," said Tom Rosamilia, senior vice president of IBM Systems.
"But there are many problems that will never be penetrated by a classical computer.  To create knowledge from much greater depths of complexity, we need a quantum computer."


Just for me and my minions. 
Mockaroo
Need some mock data to test your app?
Mockaroo lets you generate up to 1,000 rows of realistic test data in CSV, JSON, SQL, and Excel formats.