Saturday, December 23, 2017

Apparently reporters now take the holidays off. Just like the President?




An interesting choice. Facebook remembers anything you followed, but not what you saw?
Here’s how to check if you interacted with Russian propaganda on Facebook during the 2016 election
Facebook has rolled out its new hub to help some users figure out if they interacted with Russian propaganda during the 2016 U.S. presidential election.
The social giant’s tool — available here, through its Help Center — specifically allows users to see if they followed or “Liked” any pages and accounts set up by Kremlin-backed trolls on either Facebook or Instagram.
Over the course of the 2016 election, Facebook estimates that roughly 140 million users may have seen Russian propaganda in their News Feeds or on Instagram. Much of that content sought to sow social and political unrest around divisive issues like race, religion and LGBT rights.
But only a small slice of those 140 million affected users can actually take advantage of Facebook’s new tool, which it first previewed in November. That’s because the portal only aids those who directly followed one of the accounts or pages set up by Russian sources on Instagram and Facebook. It does not help users who may have simply seen Kremlin-sponsored content because their friends “Liked” it and it subsequently appeared in their own News Feeds.


Friday, December 22, 2017

Once upon a time, this would have been considered a huge breach.
Nissan Canada Informs 1.1 Million Customers of Data Breach
Nissan Canada revealed on Thursday that the personal information of some customers may have been compromised as a result of a data breach discovered by the company on December 11.
The incident affects individuals who have financed their vehicles through Nissan Canada Finance (NCF) and INFINITI Financial Services Canada. The exact number of impacted customers has yet to be determined, but Nissan is notifying all 1.13 million current and past customers.




Plodding through the muddle?
Intelligence Committee Outlines UK's Offensive and Defensive Cyber Posture
The UK Intelligence and Security Committee, which has oversight of the UK intelligence community, published its 2016-2017 annual report (PDF) on Wednesday. With the rider that the report was written prior to April 2017, but delayed in publication, it provides insight into the UK perspective on global cyber threats. Its discussion includes commentary on nation state adversaries, the potential impact of the Trump administration on UKUSA, and the effect of Brexit on GCHQ operations.
The primary cyber threats are perceived to come from state actors, organized criminals and terrorist groups.




I guess I see no problem with this as long as it is, “Is this the guy we’re looking for? No? Delete all records of this scan.” Unfortunately, that’s not how it will work.
Ron Nixon reports:
A new report concludes that a Department of Homeland Security pilot program improperly gathers data on Americans when it requires passengers embarking on foreign flights to undergo facial recognition scans to ensure they haven’t overstayed visas.
The report, released on Thursday by researchers at the Center on Privacy and Technology at Georgetown University’s law school, called the system an invasive surveillance tool that the department had installed at nearly a dozen airports without going through a required federal rule-making process.
Read more on The New York Times.
[From the Report:
… DHS should not be scanning the faces of Americans as they depart on international flights—but DHS is doing it anyway.
… CBP recommends that its partners delete the matching results within 14 days . . . . However, once the images are shared with CBP, the airline or airport authority, along with their approved integrator or vendor, may choose to retain the newly-captured photos consistent with their contractual relationship with the traveler.




Is North Korea a naughty boy or a criminal? Why are we debating this question?
WannaCry and the International Law of Cyberspace
… Assuming that the ransomware attacks were attributable to North Korea, a topic discussed below, the question is whether the operation breached any international law obligations North Korea owed another State, such that it constituted an “internationally wrongful act.” In cases involving States, the international law rules most likely to be violated are the prohibition on the use of force, the prohibition on intervention into other States’ internal or external affairs, the obligation to respect the sovereignty of other States, and the obligation to exercise due diligence.
… The WannaCry attacks raise an interesting question of law that is not fully resolved in the cyber context. The extent to which the attacks were directed at particular entities is unclear. But, assuming for the sake of discussion that the attacks were indiscriminate, could they nevertheless qualify as uses of force vis-à-vis States that might have suffered qualifying consequences? In our view, they could, so long as the nature of the consequences was foreseeable, even if the attacker may not have known precisely where they would manifest. We hasten to add that this issue remains unresolved.




We could probably do better. Would you trust a courtroom designed and managed by Facebook?
New York State Courts Announce High-Tech Courtrooms
National Center for State Courts – “A state-of-the-art courtroom designed to speed the progress of complex commercial cases is now up and running in Westchester County Supreme Court’s Commercial Division, which serves as a forum for the resolution of complicated business disputes. The Division’s Integrated Courtroom Technology (ICT) part, located in Westchester County’s Supreme and County Courthouse in White Plains, has been specially outfitted to ease the handling of complex commercial cases, with such features as:
  • Atech-based evidence system that enhances the presentation of evidence, permitting attorneys to display physical and electronic evidence-and witnesses to annotate the evidence-in a controlled fashion to all court participants
  • Wireless internet access for all courtroom participants, including secure wi-fi access for judges with state-issued “smart” tablets and laptops
  • Advanced acoustical elements to ensure proper sound levels throughout the courtroom, including assistive-listening aids for hearing-impaired individuals
  • Real-time court reporting capabilities for instantaneous voice-to-text transcription•Advanced audio-recording equipment
  • Audio-visual conferencing capabilities
The White Plains ICT part seamlessly incorporates multiple high-tech components in a modular, user-friendly platform designed to ensure full access to all court participants. The New York Courts’ first ICT part opened in Westchester, in Yonkers Family Court in 2016. The new White Plains high-tech courtroom is the latest in a series of technological advances introduced over the years by the New York State Supreme Court’s Commercial Division, which in addition to Westchester County operates in Albany, Kings, Nassau, New York, Onondaga and Queens counties and in the State’s Seventh Judicial District and Eighth Judicial District….”




Perspective.
YouTube Now Clocks Over 100 Million Hours Watch-Time on TVs per Day
YouTube is now seeing over 100 million hours of watch time on living room devices every single day. The new data point was revealed by Google CEO Sundar Pichai during the company’s Q3 2017 earnings call Thursday, where executives also once again called out the video service as a major revenue driver. “YouTube continues to see phenomenal growth,” said Pichai.
This was the first time Google specifically referenced the total watch time on smart TVs and other living room devices. Earlier this year, the company revealed that it now sees more than 1 billion hours of watch time across all devices.
This means that viewing on TV is accounting for roughly 10 percent of all YouTube watch time. The company previously said that more than half of its views come from mobile devices.




Perspective. “Ye Olde Internet”
Newly discovered map shows what internet looked like in 1973
What the Entire Internet Looked Like in 1973: An Old Map Gets Found in a Pile of Research Papers – “Modern “maps” of the internet can indeed look like sprawling clusters of star systems, pulsing with light and color. But the “weird combination of physical and conceptual things,” Betsy Mason remarks at Wired, results in such an abstract entity that it can be visually illustrated with an almost unlimited number of graphic techniques to represent its hundreds of millions of users. When the internet began as ARPANET in the late sixties, it included a total of four locations, all within a few hundred miles of each other on the West Coast of the United States. (See a sketch of the first four “nodes” from 1969 here.) By 1973, the number of nodes had grown from U.C.L.A, the Stanford Research Institute, U.C. Santa Barbara, and the University of Utah to include locations all over the Midwest and East Coast, from Harvard to Case Western Reserve University to the Carnegie Mellon School of Computer Science in Pittsburgh, where David Newbury’s father worked (and still works). Among his father’s papers, Newbury found the map above from May of ’73, showing what seemed like tremendous growth in only a few short years…”




For our Java students?




The real downside of technology?


Thursday, December 21, 2017

The Secret Service should be concerned. This would also allow tracking of the President’s limo in real time.
Romanian hackers infiltrated 65% of DC's outdoor surveillance cameras
Two Romanian hackers infiltrated nearly two-thirds of the outdoor surveillance cameras in Washington, DC, as part of an extortion scheme, according to federal court documents.
In a criminal complaint filed last week in the US District Court for the District of Columbia, the US government alleges that the two Romanian hackers operating outside the United States infiltrated 65% of the outdoor surveillance cameras operated by DC city police — that's 123 cameras out of 187 in the city. The alleged hacking occurred during a four-day period in early January.
The hacking suspects, Mihai Alexandru Isvanca and Eveline Cismaru, are also accused of using the computers behind the surveillance cameras to distribute ransomware through spam emails, according to an affidavit by Secret Service agent James Graham in support of the government's criminal complaint.




You can opt-out of getting notices, but Facebook sill knows.
Facebook's New Facial Recognition Feature Is Unnerving Privacy Experts (and Maybe You Too)
In its newest feature, announced on Tuesday, social media giant Facebook disclosed that it can now let you know when a photo of you has been posted – even if you don't get tagged in the photo. Since new facial recognition technology is currently being added to devices and applications everywhere – Apple's iPhone X is the perfect example here – it comes as no great surprise that Facebook would be next to incorporate some kind of facial scanning in its own platform.
The new feature is meant to act as a control measure for one's image, ultimately, as users can now pinpoint exactly where and how they show up, all across social media. Although this is the first official announcement that the company is moving more intensely towards facial technology -- and perhaps farther away from previous forms of individual security as it skews more towards control over one's presence – facial recognition has long been a part of Facebook's platform.




“Of course this has noting to do with Net Neutrality. We raise prices because we hold a monopoly in Houston. The Net Neutrality raises come later, when the alternative is degraded access to Facebook.”
Comcast, DirecTV, Dish all raising rates in January
Comcast has told its customers in the Houston area that it will be raising rates for many of its cable TV and internet products, starting with their January 2018 bill.
… Dish TV also plans increases next month, according to Multichannel News, which covers the cable TV industry.
… The Comcast and Dish hikes come just days after the Federal Communications Commission voted along party lines to repeal net neutrality rules. (The AT&T/DirecTV hike was announced Dec. 6.) Mark Vena, an analyst with Moor Insights & Strategy, said while the hikes may not be related to the FCC's action, it doesn't look good.
"The timing is auspicious, I'll say that," Vena said. "Given the monumental announcement the FCC just made, it is just odd to me that they would do this in the wake of it."
Vena said that while cable and internet providers do indeed face increasing costs, "this is not the kind of Christmas present people want."


Wednesday, December 20, 2017

Unless something bigger happens, this is probably the breach I’ll talk about in my first Computer Security class. Not just another case of: “The default is ‘Public’ and we forgot to change it.” Amazon has changed the default to “Specified users only.” These bozos changed it to, “Anyone with a free Amazon Web Services Account!”
Massive leak exposes data on 123 million US households
… Though no names were exposed, the data set included 248 different data fields covering a wide variety of specific personal information, including address, age, gender, education, occupation and marital status. Other fields included mortgage and financial information, phone numbers and number of children in the household.
"From home addresses and contact information, to mortgage ownership and financial histories, to very specific analysis of purchasing behavior, the exposed data constitutes a remarkably invasive glimpse into the lives of American consumers," UpGuard researchers Chris Vickery and Dan O'Sullivan wrote in their analysis.
… The repository contained massive data sets belonging to Alteryx partner Experian, a consumer credit reporting agency that competes with Equifax, and the US Census Bureau, researchers said.


(Related). More details…
Home Economics: How Life in 123 Million American Households Was Exposed Online
While the Census data consists entirely of publicly accessible statistics and information, Experian’s ConsumerView marketing database, a product sold to other enterprises, contains a mix of public details and more sensitive data. Taken together, the exposed data reveals billions of personally identifying details and data points about virtually every American household.
… While, in the words of Experian, “protecting consumers is our top priority,” the accumulation of this data in “compliance with legal guidelines,” only to then see it left downloadable on the public internet, exposes affected consumers to large-scale misuse of their information - whether through spamming and unwanted direct marketing, organized fraud techniques like “phantom debt collection,” or through the use of personal details for identity theft and security verification.
… On October 6, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered an Amazon Web Services S3cloud storage bucket located at the subdomain “alteryxdownload” containing sensitive consumer information. While the default security setting for S3 buckets would allow only specifically authorized users to access the contents, this bucket was configured via permission settings to allow any AWS “Authenticated Users” to download its stored data. In practical terms, an AWS “authenticated user” is “any user that has an Amazon AWS account,” a base that already numbers over a million users; registration for such an account is free. Simply put, one dummy sign-up for an AWS account, using a freshly created email address, is all that was necessary to gain access to this bucket’s contents.
… While the spreadsheet uses anonymized record IDs to identify households, the other information in the fields - as well as another spreadsheet in the bucket, to be discussed shortly - are sufficiently detailed as to be not merely often identifying, but with a high degree of specificity.
[A very long list of fields follows this paragraph. Bob]




Good News: The threat from North Korea is temporarily reduced. Bad News: Angering the “little fat guy” might result in an attack like the one on Sony.
U.S. says Facebook and Microsoft disabled North Korean cyber threats
Facebook Inc and Microsoft Corp disabled a number of North Korean cyber threats last week, a White House official said on Tuesday, as the United States publicly blamed Pyongyang for a May cyber attack that crippled hospitals, banks and other companies.


(Related).
Australia, Canada, Others Blame North Korea for WannaCry Attack
The United States is not the only country to officially accuse North Korea this week of being behind the WannaCry ransomware campaign. Canada, Japan, Australia and New Zealand have also blamed Pyongyang for the attack.
The U.K. accused North Korea in late October, and the other Five Eyes countries and Japan have now done the same.


(Related).
Three Questions on the WannaCry Attribution to North Korea
… Nonetheless, the attribution raises several important questions.
1. Where’s the evidence?
2. What should be the respective roles of the government and private companies?
3. Did North Korea violate international law?




If any of my Computer Security students admit to using one of these passwords, they immediately fail the course.




An excellent example of a social media “Oopsie!”
Elon Musk accidentally tweets his private phone number
Energy and transport entrepreneur Elon Musk accidentally tweeted his private phone number to his 16.7 million followers on Tuesday.
The Telsa and SpaceX CEO divulged the number in what was meant to be a message to John Carmack, head of technology at virtual reality firm Oculus.
"Do you have a sec to talk? My cell is ..." Mr Musk wrote.




Social media monitoring? We don’t offer that class, yet. (Had some training on similar topics last night though.)
The People Who Read Your Airline Tweets
… Nowadays, people have gotten used to having back-and-forths with customer service representatives. In any given hour, JetBlue makes public contact with 10, 15, 20 different people. American Airlines receives 4500 mentions an hour, 70 to 80 percent of them on Twitter. Both companies staff their social teams with long-time employees who are familiar with the airlines’ systems. Both hire internally out of the “reservations” team, so they know how to rebook flights and make things happen. At American, the average social-media customer-support person has been at the company for 17 years.
Every major airline has a team like this. Southwest runs what it calls a “Listening Center.” American Airlines calls it their “social-media hub” in Fort Worth, Texas. Alaska has a “social care” team in Seattle that responds to the average tweet for help in two minutes and 34 seconds, according to a report by Conversocial.




“We settled on this, so it’s a new law?”
Cory L. Andrews of Washington Legal Foundation has an OpEd that begins:
The Federal Trade Commission (FTC) has developed a well-known penchant for using individually negotiated settlement agreements and consent decrees to announce for the first time what qualifies as “unfair” or “deceptive” conduct under the FTC Act. In the data-privacy arena, FTC views these enforcement actions (and the resulting consent decrees) as a source of “common law” that places the business community on sufficient notice of what data-security practices § 5 of the FTC Act requires.
The U.S. District Court for the Western District of Washington recently ratified that view in a controversial ruling, Veridian Credit Union v. Eddie Bauer. The case arose following a 2016 cyberattack on Eddie Bauer’s network that compromised customers’ payment-card data. Veridian Credit Union, whose cardholders had their data stolen after shopping at Eddie Bauer, brought suit under Washington’s Consumer Protection Act (CPA), which like § 5 of the FTC Act also allows courts to award treble damages to private plaintiffs who are injured by “unfair” or “deceptive” acts. Veridian alleged that Eddie Bauer’s failure to adopt data-security measures that FTC has required in other cases constitutes an “unfair” practice under the Washington CPA.
Read more on Forbes.
The concerns raised in this piece will sound familiar to those who have followed the LabMD case and/or the academic scholarship of Dan Solove and Woodrow Hartzog, who have written extensively about the consent decrees as a source of “common law.”




I suppose I will need to explain the “Streisand Effect” to my Computer Security students.
So I’m not sure whether to tag this as “shoot the messenger” or an attack on press freedom – or maybe both, but MANX Radio reports:
The firm at the centre of the Paradise Papers says it’s pursuing legal action against those who made allegations.
Appleby, which has a large office in Douglas, had millions of confidential files leaked earlier this year, sparking a global debate about tax ethics.
Many of them surrounded the affairs of wealthy individuals operating in the Isle of Man.
There has been speculation over the legality of the data leak since it went public in November – and now Appleby has formally hit back, saying it is ‘obliged’ to file proceedings against the UK outlets who broke many of the stories.
I know that press rules are different in the UK and other areas than they are here, but I’d love to know exactly what law(s) Appleby alleges have been violated – are they claiming that the news outlets violated law by simply receiving/possessing the leaked documents?
Bosses have demanded The Guardian and the BBC hand over the documents they’ve seen and used in investigations.
Oh my. I don’t know how that works elsewhere, but over here, there would certainly be vigorous resistance to any such demand.
The firm is also seeking damages, claiming there was ‘no public interest’ in any of the stories published.
Did the public read the stories and discuss them? Did they seek more coverage? And if so, was their interest just idle curiosity or was there something meaningful to the public about revelations in the news reports?
Both media outlets have vowed to defend themselves in any future proceedings.
I wonder if Appleby’s has heard of the Streisand Effect. I just don’t see this litigation really helping them.




Interesting. Could the state of Colorado do the same?
High-speed broadband to be legal right for UK homes and businesses
Government says internet providers will be legally obliged from 2020 to meet user requests for speeds of at least 10Mbps




Perspective.
Here come the drones
December 19, 2017 – 8% of Americans say they own a drone, while more than half have seen one in operation: “Drones are catching on as consumer goods. As of mid-2017, 8% of Americans say they own a drone and 59% say they have seen one in action, according to a Pew Research Center survey. But while drones – that is, aircraft without on-board human pilots – are more prevalent than they were a few years ago, many have reservations about where and under what circumstances their use should be allowed. The survey shows modest differences in rates of ownership by gender and age. Slightly more men (11%) than women (6%) say they own a drone, as do more people ages 18 to 49 (12%) compared with those 50 and older (4%).




Perspective.
New consumer survey shows cable subscribers are now EVEN with Netflix
… In an October study with nearly 2,000 American participants aged 18 to 59, the percentage of consumers who utilized cable TV and Netflix in 2017 were even.
The report reveals that 73 percent of respondents were subscribed to pay-TV this year, which is 'down from 76 per cent last year and 79 per cent the year before,' according to the survey conducted by PricewaterhouseCoopers.
Likewise, the same percentage said they were subscribed to Netflix this year.
Another shocking part of the survey finds that a whopping 82 per cent of sports watchers admit they would 'end or trim their pay-TV subscription if they no longer needed it to access live sports.'




As we expand our use of the “flipped classroom” these become more useful. Ans not just on Chromebooks.
Seven Ways to Create Screencasts on Chromebooks
With the addition of Screencast-O-Matic there are now seven tools that teachers and students can use to create screencast videos on their Chromebooks.
If you missed yesterday's news, Screencast-O-Matic is currently offering a public beta of their Chrome app. To use Screencast-O-Matic on your Chromebook you will need to go to this page while on your Chromebook, click launch recorder, install the Chrome app when prompted, and then start recording your screen. Screencast-O-Matic on a Chromebook will let you record for up to fifteen minutes per video. You can include your own narration as well as sounds from your Chromebook in your screencasts. Completed videos can be saved to Chromebook or saved directly to Google Drive.
Loom is a free screencasting tool that works on Chromebooks, Macs, and Windows computers. Loom is a Chrome extension. With Loom installed you can record your desktop, an individual tab, and or your webcam. That means that you could use Loom to just record a webcam video on a Chromebook. Of course, this also means that you can use Loom to record your webcam while also recording your desktop. Loom recordings can be up to ten minutes long. A completed recording can be shared via social media and email. You can also download your recordings as MP4 files to upload to YouTube or any other video hosting service.
Soapbox is a free tool from Wistia that makes it easy to create great screencast videos on a Chromebook or any computer that is using the Chrome web browser. With Soapbox installed in the Chrome web browser you can quickly record your screen and your webcam at the same time. The most distinguishing feature of Soapbox is that you can have your video transition from your screen to your webcam to a combination of the two. Soapbox includes some simple editing tools for zooming in on an area of your screen and calling attention to specific parts of your screen.
ViewedIt is a free Chrome extension that makes it quick and easy to create and share screencast videos. With the extension installed you can record your entire screen or just one window tab. ViewedIt will let you record yourself with your webcam too. The best part of ViewedIt is that you can track who watches your video. To record on ViewedIt you simply have to click the extension icon then choose what you want to record. When you're done recording your video is automatically stored on ViewedIt. From ViewedIt you can share your video via email and social media. If you choose to share via email, you will be able to track who watched your video.
Nimbus Screenshot is my favorite tool on this list because of its ease of installation and it is the only tool on this list that provided a customizable countdown timer. I like the countdown timer because it gives me a few seconds to prepare to start talking over my screencast. The other tools just started recording the second that I hit the record button. Nimbus Screenshot was also the easiest to install and configure on my Chromebook. Screencasts recorded with Nimbus Screenshot can be saved to your local drive or to an online Nimbus account. I usually choose to save to my local drive then upload to my YouTube channel. You can also save to your local drive then send it to Google Drive or another online storage service.
CaptureCast lets you record your webcam while recording your screen which you cannot do with the Nimbus tool. You can choose to record your screen, your screen and your webcam, or just your screen or just your webcam. CaptureCast gives you three options for recording definition. So if you're on a slower network you can choose a lower resolution recording to save processing time. CaptureCast lets you save a recording locally or send it to YouTube or to Vimeo.
Screencastify might have the most name recognition in this list, but I don't like it as much as some other tech bloggers like it. The set-up process asks a lot questions that could confuse new users. The free version limits recordings to ten minutes and puts a watermark on the recording. On the upside, there is an option to upload directly to YouTube.




Since Math is a prerequisite for any of the programming classes, this could become useful too.
ADA Project - An Open Multimedia Mathematics Textbook
ADA Project is a great resource being developed by a mathematics teacher named Sam Powell. The ADA Project is an open multimedia mathematics textbook that covers everything from basic arithmetic through calculus.
When you visit the ADA Project's homescreen you can choose a category then choose a topic. Within each topic you will find a set of sample problems. Each sample problem is accompanied by a link to reveal the answer, the solution, a video about the solution, and a link to a discussion forum. Take a look at this set of long division problems to get a sense of how the ADA Project works.
Teachers are invited to contribute to the ADA Project's development by submitting problems, solutions, videos, and discussions. You can submit one or all four of those pieces for inclusion in the ADA Project. The submission form is found here.
Although it is off to a great start, the ADA Project is still a work in progress. At this point it will make a good supplement to the textbook and other reference materials that you use in your mathematics lessons.
The ADA Project will get better through the contributions of other mathematics teachers who make submissions to it.


Tuesday, December 19, 2017

Another failure to change the defaults.
California Voter Data Stolen from Insecure MongoDB Database
An improperly secured MongoDB database has provided cybercriminals with the possibility to steal information on the entire voting population of California, Kromtech security researchers reported.
The information was taken from an unprotected instance of a MongoDB database that was exposed to the Internet, meaning that anyone connected to the web could have accessed, viewed, or edited the database’s content.
Named 'cool_db', the database contained two collections, one being a manually crafted set of voter registration data for a local district, while the other apparently including data on the voting population from the entire state of California: a total of 19,264,123 records.
Bob Diachenko, head of communications, Kromtech Security Center, explains that the security firm was “unable to identify the owner of the database or conduct a detailed analysis.” It appears that the database has been erased by cybercriminals who dropped a ransom note demanding 0.2 Bitcoin for the data.
Given the presence of said ransom note, the incident is believed to be related to the MongoDB ransack campaign that resulted in tens of thousands of databases being erased in January 2017. Similar attacks were observed in September as well, when MongoDB decided to implement new data security measures.
Kromtech's security researchers haven’t determined who compiled the voter database but believe that a political action committee might have been behind it, given the unofficial name the repository had.
The researchers note that the database has been taken down after being initially discovered in early December. The Secretary of State of California was aware of the leak and “looking into it,” Diachenko said.




Smarter criminals will be monitoring Police social media accounts.
Australia Police Accidentally Broadcast Arrest Plans on Social Media
Australian police accidentally broadcast on social media details of an operation to arrest a suspected North Korean agent -- three days before he was taken into custody, media reported Wednesday.
The Sydney-based man, described by authorities as a "loyal agent of North Korea", was arrested on Saturday and charged with trying to sell missile parts and technology on the black market to raise money for Pyongyang in breach of international sanctions.
But a minute of conversation about the case between federal police officers, including the timing of the arrest, was broadcast on Periscope Wednesday and linked to on Twitter, The West Australian reported Tuesday.
The newspaper said it had listened to the discussion, which included a suggestion that officers are "not going in all guns blazing, it's only half-a-dozen people and a forensic van".
The paper added that while the tweet was deleted, the broadcast remained live—and was watched by 40 people – before it was also removed after the publication alerted federal police.
Federal police confirmed part of a conversation was mistakenly broadcast via its Periscope account while "testing a piece of social media broadcasting equipment". [This is another reason why you should NEVER test with live data. Bob]




For my Computer Security students, who understand that “official” isn’t always the same as “true.”
It’s Official: North Korea Is Behind WannaCry
Cybersecurity isn’t easy, but simple principles still apply. Accountability is one, cooperation another. They are the cornerstones of security and resilience in any society. In furtherance of both, and after careful investigation, the U.S. today publicly attributes the massive “WannaCry” cyberattack to North Korea.




Another topic for my Computer Security class.
Normative Challenges of Identification in the Internet of Things: Privacy, Profiling, Discrimination, and the GDPR
Wachter, Sandra, Normative Challenges of Identification in the Internet of Things: Privacy, Profiling, Discrimination, and the GDPR (December 6, 2017). Available at SSRN: https://ssrn.com/abstract=3083554
“In the Internet of Things (IoT), identification and access control technologies provide essential infrastructure to link data between a user’s devices with unique identities, and provide seamless and linked up services. At the same time, profiling methods based on linked records can reveal unexpected details about users’ identity and private life, which can conflict with privacy rights and lead to economic, social, and other forms of discriminatory treatment. A balance must be struck between identification and access control required for the IoT to function and user rights to privacy and identity. Striking this balance is not an easy task because of weaknesses in cybersecurity and anonymisation techniques. The EU General Data Protection Regulation (GDPR), set to come into force in May 2018, may provide essential guidance to achieve a fair balance between the interests of IoT providers and users. Through a review of academic and policy literature, this paper maps the inherit tension between privacy and identifiability in the IoT. It focuses on four challenges: (1) profiling, inference, and discrimination; (2) control and context-sensitive sharing of identity; (3) consent and uncertainty; and (4) honesty, trust, and transparency. The paper will then examine the extent to which several standards defined in the GDPR will provide meaningful protection for privacy and control over identity for users of IoT. The paper concludes that in order to minimise the privacy impact of the conflicts between data protection principles and identification in the IoT, GDPR standards urgently require further specification and implementation into the design and deployment of IoT technologies.”


(Related). And here’s why that is important.
Cybersecurity can cause organizational migraines. In 2016, breaches cost businesses nearly $4 billion and exposed an average of 24,000 records per incident. In 2017, the number of breaches is anticipated to rise by 36%. The constant drumbeat of threats and attacks is becoming so mainstream that businesses are expected to invest more than $93 billion in cyber defenses by 2018. Even Congress is acting more quickly to pass laws that will — hopefully — improve the situation.
Despite increased spending and innovation in the cybersecurity market, there is every indication that the situation will only worsen. The number of unmanaged devices being introduced onto networks daily is increasing by orders of magnitude, with Gartner predicting there will be 20 billion in use by 2020. Traditional security solutions will not be effective in addressing these devices or in protecting them from hackers, which should be a red flag, as attacks on IoT devices were up 280% in the first part of 2017. In fact, Gartner anticipates a third of all attacks will target shadow IT and IoT by 2020.
This new threat landscape is changing the security game. Executives who are preparing to handle future cybersecurity challenges with the same mindset and tools that they’ve been using all along are setting themselves up for continued failure.




The government goes to Facebook (and other social media) because “That’s where the data is!”
Governments are asking Facebook for a lot more user account data
The number of user data requests Facebook received from governments around the world in first half of 2017 reached an all time high of 78,890, up 21 percent on the 64,279 requests it received in the second half of 2016.
The social network revealed the figure in its Transparency Report covering January to June 2017. Previously it was called the Government Requests Report, but it's since been renamed as it now also includes data regarding intellectual property requests.
The largest source of user data requests came from the US, where the government served Facebook 32,716 requests for data from 52,280 accounts.




Might be an interesting topic for a Data Management paper.
The Supreme Court Should Heed Friendly Advice on Microsoft Ireland
A slew of interesting amicus briefs were filed in the Microsoft Ireland case last week. They include independent briefs (meaning not for either party) by the United Kingdom, Ireland, European Commission (EC) and more. Not surprisingly, 36 state governments also filed in support of the United States, reminding the court of the many difficulties faced in accessing sought-after evidence that have resulted from the Second Circuit ruling, and urging reversal as a result.
Of the many issues raised, one of the most interesting – and still unresolved – is the question as to whether and in what situations a decision in favor of the U.S. government will generate a conflict of laws. The issue is at the heart of the Irish government and EC briefs. It is also raised in the brief of the New Zealand Privacy Commissioner. But despite the extensive amount of ink spent on the matter, the answers remain murky – as is the reality. The actual answer: It depends.
Given that reality, the e-Discovery Institute’s brief is particularly notable – and one that I hope that Court takes into account.




Monopoly is getting harder to define.
Germany Says Facebook Abuses Market Dominance to Collect Data
Germany’s top antitrust enforcer opened a new front against big tech firms on Tuesday when it said the way Facebook Inc. harvests user data constitutes an abuse of market dominance.
In what lawyers call a novel use of competition law, Germany’s Federal Cartel Office published preliminary investigative findings Tuesday that accuse Facebook of abusing its power as the dominant social network in Germany to strong-arm users into allowing it to collect data about them from third-party sources, like websites with “like” buttons.


(Related) What social media is really “dominant?”
Snapchat is still the network of choice for U.S. teens — and Instagram is Facebook’s best shot at catching up
Some good news for Snap: Despite its sluggish business and slumping stock price, Snapchat still dominates among teenagers, a core demographic that represents the future wave of internet consumers and what they care about.
RBC Capital published the latest update to its regular social media survey this week, and a few things stood out — especially in the battle over teenagers, where Snapchat, Instagram and Facebook are all fighting for the next generation’s attention.
  • Some 79 percent of U.S. 13- to 18-year-olds surveyed said they have a Snapchat account, more than any other type of social media. Of that age group, 73 percent have an Instagram account and just 57 percent say they are on Facebook.
  • Respondents had to choose only one social network they could keep if they were “trapped on a deserted island.” This time, 44 percent of teens picked Snapchat, ahead of Instagram (24 percent) and Facebook (14 percent).




So, could there be Trump videos in our future?
Bloomberg’s TicToc 24/7 news channel launches as Twitter doubles down on live video
… Starting at 8 a.m. on the East Coast, Bloomberg begins broadcasting TicToc, a 24/7 news channel that exists solely on Twitter.
The landing page for TicToc marries a video livestream with a curated Twitter stream. In essence, it combines the second-screen experience many have hacked together over the years as they watch big events like the Super Bowl or the Oscars. Live TV viewing has long been one of Twitter’s most popular use cases, and over the past year the company has sought to integrate that experience into its platform.




Something to amuse my geeky friends.
Paper Signals - Build Physical Objects to Control With Your Voice
Paper Signals is a neat resource produced by Google that could prove to be a fun way to provide students with hands-on programming experience. Paper Signals is a set of templates that students can follow to program physical objects to respond to voice commands.
There are some physical products that you will need to have on hand in order to use Paper Signals. You may already have the necessary items in your school. First, you'll need a printer to print a template (you'll be folding and cutting paper). Second, you're going to need a small circuit board, some wires/ cables, and a bit of glue. If you don't want to source those items yourself, you can buy a little kit for less than $25.
Learn more about Paper Signals in the video embedded below.




Just like social media users?




Worth exploring.




Because this is important enough to catch the attention of one of the best statistics websites? No, it’s important because I’m a fan.
… I consulted the most comprehensive archival material related to “Star Wars.” No, not the archives of Jocasta Nu in the heart of the Jedi Temple. I’m talking about Wookieepedia, one of the best-maintained databases on anything and everything Star Wars. We pulled the color of every lightsaber described in “Star Wars”1 — that’s the chart you see above. That comes out to 132 unique lightsabers with a known blade color. (Even Darksaber.)


Monday, December 18, 2017

Something for my Computer Security class to consider.
Note: this report out of the University of Melbourne is a follow-up study related to a breach disclosed in 2016.
Allie Coyne reports:
Researchers from the University of Melbourne have been able to easily re-identify patients from confidential data released by the federal Health department, without using decryption methods.
Dr Chris Culnane, Dr Benjamin Rubinstein and Dr Vanessa Teague found that de-identified Australian Medicare benefits scheme (MBS) and pharmaceutical benefits scheme (PBS) claims data released to the public in August 2016 can be used to re-identify the patients involved.
Read more on IT News.
[From the article:
The dataset included the de-identified medical billing records of 2.9 million people, or 10 percent of all Australians, from 1984 to 2014. It also included year of birth, gender, and medical events data.
It was published on the department's open data portal. Only supplier and patient IDs were encrypted.
The dataset was removed by the Health department in September 2016, just a month after it was published, after the same researchers pointed out that the practitioner details could be decrypted.
Related: Research report:
Health Data in an Open World
(Submitted on 15 Dec 2017)
With the aim of informing sound policy about data sharing and privacy, we describe successful re-identification of patients in an Australian de-identified open health dataset. As in prior studies of similar datasets, a few mundane facts often suffice to isolate an individual. Some people can be identified by name based on publicly available information. Decreasing the precision of the unit-record level data, or perturbing it statistically, makes re-identification gradually harder at a substantial cost to utility. We also examine the value of related datasets in improving the accuracy and confidence of re-identification. Our re-identifications were performed on a 10% sample dataset, but a related open Australian dataset allows us to infer with high confidence that some individuals in the sample have been correctly re-identified. Finally, we examine the combination of the open datasets with some commercial datasets that are known to exist but are not in our possession. We show that they would further increase the ease of re-identification.




...and I’ll teach my students how to deal with every one of them!
Our top 7 cyber security predictions for 2018


Sunday, December 17, 2017

Is failure to change the default password the same as a Privacy Setting of “Pubic?” In other words, could I do this here?
Russian website streaming hundreds of cameras in Canada, experts warn your connected devices could be at risk
The Toronto-area dental office didn’t know it but the security camera in its waiting room was being streamed live on the Internet.
Anyone could log on to the website and watch as patients came and went. Front-desk staff answering phones and working on their computers entering patient information.
It could be a serious breach of patient privacy. But it’s more than that – unsecured cameras also leave the entire network open for virtual intruders.
The video was being broadcast on Insecam.org, a website originating from Russia. The site picked it up and streamed it along with hundreds of other security cameras that still have factory-default passwords or are left with minimal security.
… Websites like Shodan and NestCam Directory, both hosted in the U.S. and Insecam, currently livestream thousands of cameras from around the world, with up to 400 being livestreamed from Canada.




Could this be a prelude to banning or ranking countries?
Google News warns sites not to hide country of origin
In an attempt to take on fake news head on, Google News has updated its guidelines to prohibit sites that misrepresent or conceal their country of origin or are directed at users in another country under false premises.




Something I can use in several classes. Important for Privacy (anonymity).
What zero-knowledge proofs will do for blockchain
… A zero-knowledge proof or protocol allows a “prover” to assure a “verifier” that they have knowledge of a secret or statement without revealing the secret itself.
An oft-cited example of how a ZK proof works references the “Where’s Waldo?” game and cryptography’s favorite fictional characters, Alice and Bob. If Alice has found Waldo on a particular page, how can she prove this to Bob without revealing Waldo’s location? How does she convince Bob she’s not lying without actually showing him where Waldo is? A low-tech solution involves a large piece of cardboard with a small rectangle cut out of it. Out of Bob’s sight, Alice positions the page behind the cardboard so that only Waldo’s picture is showing through the rectangle, then calls Bob over to show him. As the cardboard is much larger than the book, Bob has no idea where on the page Waldo is located — no other images on the page are exposed — but he can see that Alice has, indeed, discovered him. She can further validate her claim by covering the rectangle with one hand and carefully sliding the book out from beneath the cardboard with the other to reveal the entire page and prove to Bob that the Waldo seen in the rectangle was indeed located on the page under consideration.
… To qualify as zero-knowledge, these protocols must satisfy three requirements:
  1. Completeness: If the statement is true, an honest verifier will be convinced by an honest prover.
  2. Soundness: If the statement is false, no cheating prover can convince an honest verifier that it is true.
  3. Zero-knowledge: If the statement is true, no cheating verifier learns anything other than the fact that the statement is true.




Once again I am mystified. What did I ever do to France?