Thursday, April 26, 2018

Perhaps this is the birth of an interest in Computer Security?
Taryn Luna reports on a hack and phish that may leave you wondering whether this was a politically motivated attack or just a garden-variety attack.
Luna reports the victim is Sen. Richard Pan, D-Sacramento, whose re-election campaign account was robbed in a multi-step scheme that began with a hack of his email account in February.
The hackers appeared to study the campaign’s email pattern of approving payments, pretended to be him and sent a fake invoice to his treasurer requesting $46,000 to a vaccine-related nonprofit organization in mid-February, Pan said. He said the responsible parties were able to block communications with other people to hide their trail.
The vaccine connection is what raises the possibility of possible political motivation. Luna explains:
Pan is a doctor and has drawn the ire of a fervent community of activists who oppose his legislative work to toughen vaccination requirements for school children. Pan said there’s no evidence to suggest anyone associated with the anti-vaccination movement was actually involved in the theft, but he’s suspicious given violent threats he’s endured and prior interactions with his opponents. Among other related legislation, Pan successfully removed personal belief exemptions for vaccines in 2015.
The senator’s treasurer was appropriately cautious when she received the request to send the check, but she did not know she was going back and forth in email with the criminals and not with her boss.
As a result of this incident the campaign now uses two-factor authentication for any such requests.
Read more here on SacBee.




This week my students are designing a data center. Here’s something else to consider.
Loud Sound From Fire Alarm System Shuts Down Nasdaq's Scandinavian Data Center
A loud sound emitted by a fire suppression system has destroyed the hard drives of a Swedish data center, downing Nasdaq operations across Northern Europe.
The incident took place in the early hours of Wednesday, April 18, and was caused by a gas-based fire suppression system that is typically deployed in data centers because of their ability to put out fires without destroying non-burnt equipment.
These systems work by releasing inert gas at high speeds, a mechanism usually accompanied by a loud whistle-like sound. With non-calibrated systems, this sound can get very loud, a big no-no in data centers, where loud sounds are known to affect performance, shut down, or even destroy hard drives.
The latter scenario is what happened on Wednesday night, as the sound produced by the errant release of the inert gas destroyed hard drives for around a third of the Nasdaq servers located in the Digiplex data center.
… A Digiplex spokesperson told Bleeping Computer that Nasdaq only rents space in the data center, and uses its own equipment. Nasdaq said there weren't enough servers in the whole of Sweden to replace the destroyed ones, and had to import new machines.




Next week, we’ll be discussing encryption.
Democrats raise security concerns over Trump cellphone use
Democrats are demanding answers from the Trump administration on steps being taken to prevent the president from falling victim to foreign hackers, suggesting his personal cellphone use poses a national security threat.
… “While cybersecurity is a universal concern, the President of the United States stands alone as the single-most valuable intelligence target on the planet,” Reps. Ted Lieu (D-Calif.) and Ruben Gallego (D-Ariz.) wrote.
“Our national security should not depend on whether the President clicks on a malicious link on Twitter or his text application, or the fortuity of foreign agencies not knowing his personal cell number,” they wrote.
CNN reported earlier this week that Trump has begun to more frequently use his personal mobile device to contact those advising him outside the White House.




Something for all my students.




Is it a Trump thing?
In Trump's first year, FISA court denied record number of surveillance orders
In its first year, the Trump administration kept one little-known courtroom in the capital busy.
… Annual data published Wednesday by the US Courts shows that the Foreign Intelligence Surveillance (FISA) Court last year denied 26 applications in full, and 50 applications in part.
That's compared to 21 orders between when the court was first formed in 1978 and President Barack Obama's final year in office in 2016.




I didn’t know that.
… A Manhattan judge ruled Wednesday that there’s nothing “outrageous” about throwing the president’s supporters out of bars — because the law doesn’t protect against political discrimination.




Not the first time I’ve heard this argument.
The Politicization of Our Security Institutions
The politicization of the FBI has been swift and extreme. According to Reuters polling, just two years ago, 84 percent of Republicans viewed the FBI favorably. By February 2018, 73 percent agreed that “members of the FBI and Department of Justice are working to delegitimize Trump through politically motivated investigations,” according to a new Reuters poll. Thanks to a president eroding long-standing norms and America’s extreme political polarization, the FBI may not be alone. We are at risk of becoming more similar to struggling democracies, where most security and law enforcement institutions are simply assumed to be aligned with a political party.
It is not difficult to imagine a near-future in which the American public sees Immigration and Customs Enforcement (ICE) agents, sheriffs, many police forces, and the military as “Republican” institutions. In other words, the public would expect these institutions, as a matter of course, to tilt their analysis and actions towards helping their preferred party. Meanwhile, the public could come to see the FBI, more cerebral intelligence agencies such as that of the State Department and CIA, and big city police as “Democratic,” with the same politicized lean to their actions and public pronouncements.




Perspective. Any studies on the creation of new jobs in AI, VR, etc?
A study finds nearly half of jobs are vulnerable to automation
… A new working paper by the OECD, a club of mostly rich countries, employs a similar approach, looking at other developed economies. Its technique differs from Mr Frey and Mr Osborne’s study by assessing the automatability of each task within a given job, based on a survey of skills in 2015. Overall, the study finds that 14% of jobs across 32 countries are highly vulnerable, defined as having at least a 70% chance of automation. A further 32% were slightly less imperilled, with a probability between 50% and 70%. At current employment rates, that puts 210m jobs at risk across the 32 countries in the study.




A confusing meme. Was there a problem? We won’t know until late next year.
Finland set to scrap free money experiment after two-year trial
The Finnish Social Insurance Institute, often referred to as Kela, introduced a two-year trial of Universal Basic Income (UBI) in January 2017. The scheme saw its government pay a random sample of 2,000 unemployed citizens aged 25 to 58 a monthly payment of 560 euros ($684).
Kela's trial did not require the recipients of basic income to seek or accept employment, while those who took a job during this period would still continue to receive the same amount of cash.
However, Kela's request for extra funding to expand the two-year pilot to a group of employees this year was rejected by the government on Monday. Instead, the Finnish administration said it would prioritize other schemes in an effort to reform the Scandinavian country's social security system.
… The full results of the pilot are not scheduled to be released until late 2019, while Kela has vowed to stay in touch with the recipients of basic income to assess the long-term impact of the trial.




Perspective. Will others follow suit?
Ford dropping all but 2 cars from its North American dealerships
Ford said on Wednesday the only passenger car models it plans to keep on the market in North America will be the Mustang and the upcoming Ford Focus Active, a crossover-like hatchback that's slated to debut in 2019.
That means the Fiesta, Taurus, Fusion and the regular Focus will disappear in the United States and Canada.
Ford will, however, continue to offer its full gamut of trucks, SUVs and crossovers.




For the student toolkit. Works on Apple phones also.
How to scan without a scanner
… Microsoft Office Lens app uses your phone’s or tablet’s camera to take a picture of the document and then edit it to make it look scanned, and it does all of that in a few seconds with a few steps. Another cool thing about the app is that once you “scan” the document you can export it in a file type that suits you or to a service of your choice. Also, using the OCR algorithm you can scan business cards to convert them into contacts, as well as photos from which you need the text extracted.




An important tool.


Wednesday, April 25, 2018

Cheap at twice the price?
$35 Million Penalty for Not Telling Investors of Yahoo Hack
US securities regulators on Tuesday announced that Altaba will pay a $35 million penalty for not telling them hackers had stolen Yahoo's "crown jewels."
The 2014 breach blamed on Russian hackers affected hundreds of millions of Yahoo accounts, with stolen 'crown jewel' data including usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions, according to the Securities and Exchange Commission.
While Yahoo discovered the data breach quickly, it remained mum about it until more than two years later when it was being acquired by telecom giant Verizon Communications, the SEC case maintained.
Although Yahoo is no longer an independent company -- its financial holdings are in a separate company now called Altaba -- Verizon has continued to operate the Yahoo brand, including its email service and a variety of news and entertainment websites.
In addition to the 2014 breach, a hack the previous year affected all three billion Yahoo user accounts, according to findings disclosed by Verizon after the acquisition.
Yahoo, which was once one of the leading internet firms, sold its main online operations to Verizon last year in a deal valued at $4.48 billion.
The purchase price was cut following revelations of the two major data breaches at Yahoo.




If it’s encrypted, it must be valuable?
Attacks on Encrypted Services
Encryption is one of the most basic necessities in the security arsenal. It’s what makes it possible for banks to offer online banking and funds transfers, or for consumers to make purchases online using their credit or debit cards. It’s what protects the public’s online interaction with government agencies or health care providers. It should surprise no one, however, that encrypted services are prime targets of DDoS attacks. Such services enable access to a wealth of personal, confidential and financial data. Identity thieves and cyber criminals can have a field day if they succeed in breaking web service encryption.
According to NETSCOUT Arbor’s 13th Annual Worldwide Infrastructure Security Report (WISR), attacks targeting encrypted web services have become increasingly common in recent years. Among enterprise, government and education (EGE) respondents, 53 percent of detected attacks targeted encrypted services at the application layer. And 42 percent of respondents experienced attacks targeting the TLS/SSL (Transport Layer Security/Secure Socket Layer) protocol governing client-server authentication and secure communications. Among service providers, the percentage seeing attacks targeting secure web services (HTTPS) rose significantly over the previous year, from 52 percent to 61 percent.


(Related) This is a One Time Pad.
… “It’s just a random three-digit number that corresponds to a sign and then we have 10 different cards with random numbers,” Iannetta said. “As soon as they [the MASN broadcast] zoomed in… we heard about it and switched cards immediately. We switched to a different card with a whole new set of numbers. There’s no way to memorize it. There’s a random-number generator spitting out a corresponding number [for the cards], and the coaches have the same cards.”
In explaining the process, Iannetta said he’ll look toward the dugout see a coach use his fingers to send in the three-digit code and then look on his card for the corresponding call. It could be a throw over to first or nothing, no action. Iannetta said three-digit codes are never repeated in-game for the same call.
“If I get ‘1-4-3,’ and it’s a throw over to first base, we’ll never use ‘1-4-3’ again to throw over,” Iannetta said. “There will never be repetition… It’s pretty impossible to steal signs if you use the system we are using.”
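The card system Iannetta describes, as an added Python simulation that is not from the article or the team: both sides hold identical cards of random three-digit codes, each code is consumed on first use, and an exposed card is retired. The property the blogger points to, that a code is never reused, is what the simulation checks; the call names other than the two quoted are constructed.

```python
import random
from typing import Dict, List, Optional

# Constructed list of calls. The article names only "throw over to first"
# and "nothing, no action"; the other two are made up for the example.
CALLS = ["throw over to first", "no action", "pitch out", "hold runner"]

Card = Dict[str, List[str]]


def make_cards(calls: List[str], n_cards: int, codes_per_call: int,
               rng: random.Random) -> List[Card]:
    """Deal random three-digit codes onto cards. The pool is shuffled once and
    sliced, so no code appears twice anywhere in the set: a code identifies one
    call on one card, and a retired card's codes mean nothing on the next card."""
    needed = n_cards * len(calls) * codes_per_call
    if needed > 1000:
        raise ValueError("only 1000 three-digit codes exist")
    pool = [f"{n:03d}" for n in range(1000)]
    rng.shuffle(pool)
    cards, pos = [], 0
    for _ in range(n_cards):
        card: Card = {}
        for call in calls:
            card[call] = pool[pos:pos + codes_per_call]
            pos += codes_per_call
        cards.append(card)
    return cards


class SignSystem:
    """Shared state of the coach's and catcher's identical cards. Each code is
    used at most once, so an observer who learns that '143' meant a throw-over
    learns nothing about any future signal."""

    def __init__(self, calls=CALLS, n_cards=10, codes_per_call=3,
                 rng: Optional[random.Random] = None):
        # SystemRandom (OS CSPRNG) by default; a seeded Random only for tests.
        rng = rng or random.SystemRandom()
        self.cards = make_cards(calls, n_cards, codes_per_call, rng)
        self.seen = set()           # codes the catcher has already decoded
        self._load_card(0)

    def _load_card(self, idx: int) -> None:
        self.current = idx
        self.unused = {call: list(codes) for call, codes in self.cards[idx].items()}

    def switch_card(self) -> None:
        """Response to exposure (the broadcast zoom-in): retire the whole card."""
        if self.current + 1 >= len(self.cards):
            raise RuntimeError("no fresh cards left")
        self._load_card(self.current + 1)

    def coach_signal(self, call: str) -> str:
        """Coach flashes a never-used code for the call and removes it from play."""
        if not self.unused[call]:
            raise RuntimeError(f"no unused codes for '{call}' on this card; switch cards")
        return self.unused[call].pop()

    def catcher_lookup(self, code: str) -> Optional[str]:
        """Decode against the current card only. A code seen before is a
        replay (or a stale card) and is rejected rather than acted on."""
        if code in self.seen:
            return None
        for call, codes in self.cards[self.current].items():
            if code in codes:
                self.seen.add(code)
                return call
        return None


def demo(seed: int = 7) -> dict:
    """Constructed game sequence; returns observations for checking."""
    s = SignSystem(rng=random.Random(seed))
    c1 = s.coach_signal("throw over to first")
    first = s.catcher_lookup(c1)
    replay = s.catcher_lookup(c1)              # same digits flashed again
    c2 = s.coach_signal("throw over to first")
    s.coach_signal("throw over to first")      # third and last code on this card
    try:
        s.coach_signal("throw over to first")
        exhausted = False
    except RuntimeError:
        exhausted = True
    s.switch_card()                            # card exposed on broadcast
    stale = s.catcher_lookup(c2)               # retired card's code on the new card
    all_codes = [c for card in s.cards for codes in card.values() for c in codes]
    return {"first": first, "replay": replay, "distinct": c1 != c2,
            "exhausted": exhausted, "card_after_switch": s.current,
            "stale": stale, "codes_unique": len(all_codes) == len(set(all_codes)),
            "n_codes": len(all_codes)}
```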




Very “James Bond.” Not research an amateur would undertake. Which intelligence service wanted this laptop enough to “show off” their hack?
Hotel Rooms Around the World Susceptible to Silent Breach
In 2003, researchers from F-Secure were attending a security conference in Berlin – specifically, the ph-neutral hacker conference – when a laptop was stolen from a locked hotel room.
More to the point, however, there was no sign of the door being forced, nor any indication from the electronic locking system's logs that anyone had entered the room in their absence.
F-Secure researchers told SecurityWeek, "Our guy was working on some really interesting and specific stuff; and, yes, it would absolutely have been of interest to any 3, 4 or 5 letter agency in many different nation-states."
With this background it is not surprising that the researchers started to investigate the locking system. Specifically, they were looking for a Vision by VingCard vulnerability that could be exploited without trace – and eventually they found one. It took thousands of hours work over the last 15 years examining the system and looking for the tiniest errors of logic.
In summary, with any existing, old or expired keycard to any room on the system, it is possible to generate a master key that can be used to gain entry to any of the hotel rooms without leaving a trace on the system. An attacker could book a room and then use that keycard as the source; or could even read the data remotely by standing close to someone who has a card in a pocket -- in a hotel elevator, for example.




Start ‘em young!
More than 1 million children in the United States were affected by identity theft last year, according to a new study highlighting what’s easily the most overlooked demographic impacted by breaches of personally identifiable information.
The study, released Tuesday by Javelin Strategy & Research, claims that in 2017, more than $2.6 billion in losses may be attributed to incidents of identity theft involving children. The out-of-pocket cost to families is estimated at over $540 million.
… The study, which was funded by theft-protection service Identity Guard, also found a “strong connection” between children who are bullied and those affected by fraud. Kids bullied online are nine times more likely to have their identities stolen, researchers found.




I’ve been telling (and telling and telling) my Computer Security students that management often does not know what is happening. How could anyone miss this?
Fajita heist: Texas man sentenced to 50 years for stealing $1.2 million worth of food
Gilberto Escamilla, 53, was employed at the Darrel B. Hester Juvenile Detention Center in San Benito, Texas, until August 2017 — when it was discovered that he had been placing orders for fajitas using county funds and then selling them for his own profit since December 2008, according to Cameron County Court filings.
… According to The Brownsville Herald, Escamilla's scheme unraveled last August after a delivery driver with Labatt Food Service phoned the detention center to give kitchen employees a heads up that an 800-pound delivery of fajitas had arrived.
Employees immediately thought the delivery to be suspicious, as minors at the detention center are not served fajitas; however, the delivery driver insisted that he had been delivering fajitas to the detention center's kitchen for the past nine years.




More on Facebook, et al.
From the better-late-than-never dept.
For readers who are interested and may have missed what’s occurring with the Facebook breach, Cambridge Analytica, SCL, SCL Canada, and AggregateIQ (AIQ) in Canada, there have been some remarkable meetings and testimony occurring that are worth watching. The latest was testimony by Zackary Massingham, Chief Executive Officer, AIQ, and Jeff Silvester, Chief Operating Officer, AIQ.
As the AIQ CEOs were giving their testimony and stating they have replied to all of the questions the UK ICO asked of them, someone, apparently from the UK ICO, texted the committee in real time to state what they were stating isn’t true and stated why it wasn’t true. It was a ball dropper as the committee read the text out loud in real time to the CEOs.
You can watch the 2-hour video from the Standing Committee on Access to Information, Privacy and Ethics (ETHI) and their investigation into the “Breach of Personal Information Involving Cambridge Analytica and Facebook” here (meeting 101):
https://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/meeting-101/notice
Click on the green icon labeled, “Watch on ParlVu”, for the video.
On the 26th of April, the investigation continues, starring Professors Colin J. Bennett, Thierry Giasson and Mozilla. You will be able to watch it from this link (meeting 102):
https://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/meeting-102/notice
All previous meetings from this investigation, including the testimony from Chris Vickery, can be streamed by going to the following web page and by expanding the meeting dates (meetings 99 to 101 as of writing):
https://www.ourcommons.ca/Committees/en/ETHI/StudyActivity?studyActivityId=10044891




Just because it’s a lot of money.
Apple and Donohoe clear final hurdle for repayment of €13bn disputed tax bill
Apple will place the first tranche of its €13 billion Irish tax bill in an escrow account next month following the signing of a legal agreement between the Government and the US tech giant.
It is anticipated that Apple will make a series of unspecified payments into the account starting in May with the full amount expected to be recovered by the end of September.
… When interest is added the final figure could reach €15 billion but the Department of Finance said it was not possible to calculate the interest until all the money had been recovered.
… Both Apple and the Government are appealing the ruling on the grounds that Apple’s tax treatment was in line with Irish and European Union law.




A Privacy resource.
New on LLRX – Pete Recommends – weekly highlights on cyber security issues – April 23 2018
Via LLRX – Pete Recommends – weekly highlights on cyber security issues – April 23 2018 – Privacy and security issues impact every aspect of our lives – home, work, travel, education, health/medical, to name but a few. On a weekly basis Pete Weiss highlights articles and information that focus on the increasingly complex and wide ranging ways our privacy and security is diminished, often without our situational awareness.




How AI might be used.
New Product of the Year? Law Librarians Pick AI Research Tool from Bloomberg Law
A legal research tool that uses artificial intelligence to help legal researchers quickly find key language critical to a court’s reasoning has been selected by the American Association of Law Libraries as winner of its 2018 New Product Award.
AALL cited Points of Law, a tool developed by Bloomberg Law, for its ability to provide researchers with a court decision’s legal points and to identify legal precedents.
As I explained in my review of Points of Law last September, as a researcher scrolls through a court opinion, the tool highlights the essential language in the opinion, making it easier for the researcher to browse through the key discussion points and enabling the researcher to more quickly get the gist of the key holdings.
For each point of law within a case, a pop-up shows the top three cases cited in support of it.




Explaining BlockChain.
MIT Explainer: What is a blockchain?
  • “What is it? A public, permanent, append-only distributed ledger.
  • What’s that? A mathematical structure for storing data in a way that is nearly impossible to fake. It can be used for all kinds of valuable data.
  • Where did it come from? “I’ve been working on a new electronic cash system that’s fully peer-to-peer, with no trusted third party.” These are the words of Satoshi Nakamoto, the mysterious creator of Bitcoin, in a message sent to a cryptography-focused mailing list in October 2008. Included was a link to a nine-page white paper describing a technology that some are now convinced will disrupt the financial system…”
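To make the explainer's “append-only” and “nearly impossible to fake” concrete, here is an added Python example (not MIT's code) of a hash-chained ledger with a small proof-of-work, as in the Bitcoin white paper the item mentions: editing one old entry breaks every later link, and even re-mining the edited block leaves the next block pointing at the old hash. The payments in the demo are constructed.

```python
import hashlib
import json
from typing import Any, List, Optional, Tuple


def block_hash(index: int, prev_hash: str, data: Any, nonce: int) -> str:
    """Hash of a block's full contents; changing any field changes the hash."""
    payload = json.dumps([index, prev_hash, data, nonce],
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class Ledger:
    """Append-only hash chain. Each block commits to the hash of its
    predecessor, so editing an old block breaks every link after it.
    A small proof-of-work (leading zero hex digits) makes rewriting a
    block, and therefore the whole tail behind it, cost computation."""

    def __init__(self, difficulty: int = 2):
        self.difficulty = difficulty
        self.chain: List[dict] = []
        self.append("genesis")

    def _mine(self, index: int, prev_hash: str, data: Any) -> dict:
        nonce = 0
        while True:
            h = block_hash(index, prev_hash, data, nonce)
            if h.startswith("0" * self.difficulty):
                return {"index": index, "prev_hash": prev_hash,
                        "data": data, "nonce": nonce, "hash": h}
            nonce += 1

    def append(self, data: Any) -> dict:
        prev = self.chain[-1]["hash"] if self.chain else "0" * 64
        block = self._mine(len(self.chain), prev, data)
        self.chain.append(block)
        return block

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if intact, else (False, index of the first bad block)."""
        for i, b in enumerate(self.chain):
            expected_prev = self.chain[i - 1]["hash"] if i else "0" * 64
            if b["prev_hash"] != expected_prev:
                return False, i
            if b["hash"] != block_hash(b["index"], b["prev_hash"], b["data"], b["nonce"]):
                return False, i
            if not b["hash"].startswith("0" * self.difficulty):
                return False, i
        return True, None


def tamper_demo() -> dict:
    """Constructed scenario: two payments, then an attacker edits the first.
    Returns what verify() reports at each stage."""
    ledger = Ledger(difficulty=2)
    ledger.append({"from": "alice", "to": "bob", "amount": 5})
    ledger.append({"from": "bob", "to": "carol", "amount": 2})
    before = ledger.verify()
    # 1. Silent edit of block 1: its stored hash no longer matches its contents.
    ledger.chain[1]["data"]["amount"] = 500
    after_edit = ledger.verify()
    # 2. Attacker re-mines block 1 so it is valid on its own...
    ledger.chain[1] = ledger._mine(1, ledger.chain[0]["hash"], ledger.chain[1]["data"])
    after_remine = ledger.verify()   # ...but block 2 still commits to the old hash
    return {"before": before, "after_edit": after_edit, "after_remine": after_remine}
```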




Know the players!
Senate confirms Trump's pick for NSA, Cyber Command
Lt. Gen. Paul Nakasone was unanimously confirmed by voice vote to serve as the "dual-hat" leader of both the National Security Agency and U.S. Cyber Command.




A tool for looking at Instagram’s data on you.
Instagram launches “Data Download” tool to let you leave
Instagram’s “Data Download” feature can be accessed here or through the app’s privacy settings. It lets users export their photos, videos, archived Stories, profile, info, comments, and non-ephemeral messages, though it can take a few hours to days for your download to be ready.


(Related) Hacking Instagram.




A guide for my students.




For coding tips when writing your own?




Dilbert’s fool-proof system for avoiding bad reviews?


Tuesday, April 24, 2018

Why are old, crash prone operating systems still in use?
Hackers Go After X-Ray, MRI Machines for Corporate Espionage
Fortunately, sabotage and patient data collection doesn't appear to be a motive behind the hacking. The attackers were probably focused on corporate espionage and studying how the medical software onboard the computers worked, the security firm Symantec said on Monday.
Over the past three years, the hacking group Orangeworm has been secretly delivering the Windows-based malware to about 100 different organizations, said Jon DiMaggio, a security researcher at Symantec. The biggest number of victims, at 17 percent, have been based in the US.
The hackers have been particularly interested in legacy Windows 95 systems, which can end up controlling the X-ray and MRI machines, he said. The malware used was capable of taking remote control over a computer, and spreading itself over a network.




I’m shocked, shocked I tell you! Where is Captain Obvious when the CIA needs him?
CIA agents in 'about 30 countries' being tracked by technology, top official says
CIA officers working overseas used to expect to be followed after hours by adversarial spies hoping to find their sources.
But now, foreign spies often don't need to bother because technology can do it for them, said Dawn Meyerriecks, deputy director of the CIA's science and technology division.
Digital surveillance, including closed-circuit television and wireless infrastructure, in about 30 countries is so good that physical tracking is no longer necessary, Meyerriecks told the audience at an intelligence conference in Tampa, Florida, on Sunday.
… But the CIA is spying back, she said. As of six months ago, the agency has been pursuing nearly 140 artificial intelligence projects.
In one, a small team "took a bunch of unclassified overhead and street view" and paired it with machine learning and artificial intelligence algorithms to create "a map of cameras in one of the big capitals that we don't have easy access to," Meyerriecks said.
That way, agents can try to figure out where they are being surveilled and how they might evade the camera eye.




Just in case someone does not take my Computer Security class.
Five myths about internet privacy where nothing is what it seems to be
You have precious little privacy on the web – whether you are browsing, using Facebook or Gmail, public WiFi, disk cleaning applications, or using the same “strong” passwords on multiple sites. USAToday reports – “Many of us think we’re taking the right precautions, when in fact we’re putting our info at risk. The following are five such misconceptions, the truth behind them, and what to do about it…”




Interesting arguments? Here or nowhere?
Alexander Berengaut writes:
Last summer, Marcus Hutchins, the security researcher who stopped the “WannaCry” malware attack, was arrested and charged for his role in allegedly creating and conspiring to sell a different piece of malware, known as Kronos. As we have previously discussed on this blog, however, the indictment was notable for its lack of allegations connecting Hutchins to the United States, which raises constitutional due process issues, and Hutchins subsequently moved to dismiss the indictment on this basis.
The government has now responded to Hutchins’ motion. It makes two main arguments. First, the government maintains—as a factual matter—that the allegations in the indictment do allege a sufficient nexus between Hutchins and the United States. Second, the government argues, as a legal matter, that if Hutchins’ indictment is defective because it fails to allege conduct specifically directed at the United States, then there is no country on Earth where Hutchins could be prosecuted. Both arguments appear to fall short.
Read more on Covington & Burling Inside Privacy




Another legal conflict?
Clear Scope for Conflict Between Privacy Laws
The Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, was enacted into U.S. federal law on March 23, 2018. It had been attached, at page 2212 of 2232 pages, to the omnibus spending bill, and allows law enforcement to demand access to data of concern wherever in the world that data is stored.
The General Data Protection Regulation, or GDPR, becomes European Law on May 25, 2018. It restricts companies that operate in Europe or process EU citizen data from transferring that data to third parties.
On the surface, there is clear scope for conflict between these two laws; but as always, it is more complex than that. The two key elements are, for CLOUD, section 2713; and for GDPR, article 48.
Section 2713 reads, "A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information relating to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside the United States."
Article 48 of GDPR states, "Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter."
It gets complicated because CLOUD specifically allows for 'international agreements', but not mutual legal assistance treaties (MLATs), which it does not mention at all. Indeed, the U.S. government has always complained that MLATs are too complex and slow to be of any value to a fast-moving investigation.




Trying to keep up.
Lawmakers grill academic at heart of Facebook scandal
… Cambridge University researcher Aleksandr Kogan told "60 Minutes" he was "sincerely sorry" about the way he and "tens of thousands" of other app developers took advantage of what he said was Facebook's lax data policy enforcement, but he doesn't think he really did anything wrong.
On Tuesday, he told members of the British Parliament that Cambridge Analytica's suspended CEO, Alexander Nix, had blatantly lied to them during his testimony on the relationship between that company and his own.


(Related)
Facebook reveals 25 pages of takedown rules for hate speech and more
Facebook has never before made public the guidelines its moderators use to decide whether to remove violence, spam, harassment, self-harm, terrorism, intellectual property theft, and hate speech from social network until now. The company hoped to avoid making it easy to game these rules, but that worry has been overridden by the public’s constant calls for clarity and protests about its decisions. Today Facebook published 25 pages of detailed criteria and examples for what is and isn’t allowed.




Compare & contrast.
YouTube Took Down Over 8 Million Videos In 3 Months, And Machines Did Most Of The Work
Google-owned YouTube took down 8.3 million videos in the last three months of 2017, with machines doing most of the work in cleaning up the video-sharing platform.
The announcement comes alongside the launch of the Reporting History dashboard, which will allow YouTube users to see the status of videos that they have flagged.




What happens if you don’t want Amazon opening your front door?
Introducing In-Car Delivery
As a Prime member, get your Amazon packages securely delivered right into your vehicle parked at home, at work or near other locations in your address book. Park your vehicle in a publicly accessible area to receive in-car deliveries, and track your packages with real-time notifications. FREE for Prime members in select cities and surrounding areas with supported vehicles. Check your eligibility, or download the Amazon Key App to get started.
Amazon Key In-Car Delivery supports most 2015 model year or newer Chevrolet, Buick, GMC, Cadillac, and Volvo vehicles with an active connected car service plan such as OnStar or Volvo On Call. Stay tuned for future partner announcements.




Strangely enough, I’m in agreement.
Surprise! Monkeys can't sue for copyright, not even for 'monkey selfies.' Here's why.
As bananas as it sounds, the Ninth U.S. Court of Appeals ruled on Monday that monkeys do not have the right to sue for copyright infringement as argued in the case of a monkey whose selfie went viral around the world.
… After the image went viral, the site Wikimedia Commons — which is the media repository for Wikipedia — uploaded the image as an image in the public domain. It argued that “because as the work of a non-human animal, it has no human author in whom copyright is vested.”
… PETA used a rule called “next friend” that allowed the organization to sue on behalf of an animal. For a while, it wasn’t even clear that PETA was representing the right monkey. PETA argued that animals are so intelligent that they are capable of holding legal ownership of intellectual property.
Still, the case continued and in 2016 a federal judge ruled that a monkey cannot own copyright. The next year, PETA settled the suit with Slater but the Ninth Circuit refused to let either side drop the case.
And on Monday, the Ninth Circuit delivered a conclusive blow to one of the most-talked about copyright cases in modern times, and one that generated a wide range of reactions given its implications about the work of non-humans, including artificially intelligent machines.




Why does this sound like Hillary Clinton? It’s going to be difficult to plead ignorance after comments he made during the campaign.
Trump ramps up personal cell phone use
President Donald Trump is increasingly relying on his personal cell phone to contact outside advisers, multiple sources inside and outside the White House told CNN, as Trump returns to the free-wheeling mode of operation that characterized the earliest days of his administration.
… Sources cited Trump's stepped-up cell phone use as an example of chief of staff John Kelly's waning influence over who gets access to the President.
… While Trump never entirely gave up his personal cell phone once Kelly came aboard, one source close to the White House speculated that the President is ramping up the use of his personal device recently in part because "he doesn't want Kelly to know who he's talking to."




A toolkit for my Android using students.
The best privacy and security apps for Android




For all that data I’ve been trying to explain.
Creating Data Visualizations Without Knowing How to Code
Center for Data Innovation: “A research collaboration between Adobe and Georgia Tech has published a free data visualization tool called Data Illustrator that allows users to create visualizations in a graphical interface without having to know how to code. Additionally, Dutch data visualization firm Vizualism has published a tutorial for Data Illustrator to walk users through how to create a visualization using data about life expectancy in Dutch cities.”


(Related)
Storyline JS - Turn Your Spreadsheets Into Stories
In yesterday's Practical Ed Tech Tip of the Week I featured the storytelling tools produced by Knight Lab at Northwestern University. One of those tools is called Storyline JS. Storyline JS lets you create an interactive, annotated line chart. The purpose of Storyline JS is to enable you to add detailed annotations to the data points displayed on your line charts. Watch my video below to see how to create an annotated line chart with Storyline JS.
Storyline JS could be a great tool for students to use to demonstrate their understanding of what the data in a line chart actually means. Similarly, using Storyline JS could be a good way for students to explain the causes for changes in the data displayed in their line charts.


Monday, April 23, 2018

This could work with any nationality if scammers can tell visitors from citizens. I wonder if it works in other countries?
Don’t give money to the “Chinese Consulate,” FTC says in scam-busting report
Scammers are using a combination of phishing techniques and social engineering to trick people with Chinese last names into handing over their personal information and even make direct payments to the scammer.
The scheme isn’t new, with reports going back as early as 2015 when the Federal Communications Commission (FCC) told phone carriers to start using robocall-blocking services.
Now the Federal Trade Commission has had it too. A statement by the FTC said it has recently recorded a surge in complaints from customers claiming that scammers are purporting to call from the Chinese Consulate asking them for personal information and even cash.




Do many people still use Internet Explorer?
Internet Explorer zero-day alert: Attackers hitting unpatched bug in Microsoft browser
A well-resourced hacking group is using a previously unknown and unpatched bug in Internet Explorer (IE) to infect Windows PCs with malware.
… According to the firm, the vulnerability affects the latest versions of IE and other applications that use the browser.




National Health Systems are large targets.
Sue Dunleavy reports:
The sensitive health data of Australians is subject to a data breach every two days and the organisations and governments that fail to protect it are facing no financial penalties.
As outrage builds over Facebook’s failure to protect privacy, a News Corp investigation has uncovered health data that shows if Australians have a sexually transmitted disease, mental illness, HIV or an abortion, even whether they’ve used a prostitute, is not properly protected.
A new mandatory notification scheme that requires businesses to report to the Office of the Australian Information Commissioner when there is a data breach shows in the first 37 days of the new regime a data breach occurred every two days in the health sector.
Read more on Daily Telegraph




Cities with inadequate backups are also easy targets.
City of Atlanta Ransomware Attack Proves Disastrously Expensive
City of Atlanta Ransomware Attack Showcases Ethical Problem in Whether to Pay a Ransom or Not
Over the course of the last week, it has become apparent that the City of Atlanta, Georgia, has paid out nearly $3 million dollars in contracts to help its recovery from a ransomware attack on March 22, 2018 – which (at the time of writing) is still without resolution.
Precise details on the Atlanta contracts are confused and confusing – but two consistent elements are that SecureWorks is being paid $650,000 for emergency incident response services, and Ernst & Young is being paid $600,000 for advisory services for cyber incident response. The total for all the contracts appears to total roughly $2.7 million. The eventual cost will likely be more, since it doesn't include lost staff productivity nor the billings of a law firm reportedly charging Atlanta $485 per hour for partners, and $300 per hour for associates. The ransom demand was for around $51,000.
Also worth considering is the SamSam attack on Hancock Health reported in January this year. Hancock chose to pay a ransom of around $55,000, and recovered its systems within a few days. It later admitted that it would not have been able to recover from backups since the attackers – which sound like the Gold Lowell group – had previously compromised them.




Is it possible that this is a rogue AI?
Some Gmail Users Are Getting Spam Apparently Sent By Themselves
It's bad enough that several Gmail accounts are reporting unexplained spam in their inbox, but what's worse is they're apparently sent by themselves, even though most of the accounts employ hard-to-crack two-factor authentication.
Google's spam filtering technology is typically excellent at separating legitimate emails from spam, which makes the incident an odd aberration from Gmail's otherwise sterling security protections. However, a spam variant was successful at bypassing those protections, possibly by making it seem as if the spam recipient is also the sender.
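The article's guess is that the spam slipped through because it appeared to come from the recipient's own address. A receiving mail system cannot take the From header at face value, but it can check whether a self-addressed message also carries the envelope sender and SPF/DKIM results a genuine note-to-self would have. The following is an added example written for this post, not code from Google or the article; the two messages are constructed samples, and the Authentication-Results format is assumed to follow the usual `spf=`/`dkim=` key-value layout.

```python
import email
import re
from email.utils import getaddresses, parseaddr

# Constructed sample 1: From and To are the same user, but the envelope sender
# (Return-Path) belongs to another domain and SPF fails for it.
SUSPECT_MSG = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: Alice Example <alice@example.com>
To: alice@example.com
Subject: Your account needs attention

Please review the attached notice.
"""

# Constructed sample 2: a genuine note-to-self that passes SPF and DKIM.
LEGIT_MSG = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Alice Example <alice@example.com>
To: alice@example.com
Subject: note to self

Buy milk.
"""


def parse_auth_results(value):
    """Extract {method: result} pairs, e.g. {'spf': 'fail', 'dkim': 'none'}."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'\b(spf|dkim|dmarc)=(\w+)', value or '')}


def domain_of(addr):
    return addr.rsplit('@', 1)[-1].lower() if '@' in addr else ''


def analyze(raw):
    """Flag a message that claims to be self-sent but lacks the evidence a
    real self-sent message would carry (matching envelope sender, passing auth)."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get('From', ''))[1].lower()
    to_addrs = {a.lower() for _, a in getaddresses(msg.get_all('To', []))}
    return_path = parseaddr(msg.get('Return-Path', ''))[1].lower()
    auth = parse_auth_results(msg.get('Authentication-Results', ''))

    self_addressed = from_addr in to_addrs
    envelope_mismatch = domain_of(return_path) != domain_of(from_addr)
    auth_ok = auth.get('spf') == 'pass' or auth.get('dkim') == 'pass'

    return {
        'from': from_addr,
        'self_addressed': self_addressed,
        'envelope_mismatch': envelope_mismatch,
        'auth': auth,
        # Self-addressed mail is only suspicious when the envelope or the
        # authentication results contradict the claimed sender.
        'suspicious': self_addressed and (envelope_mismatch or not auth_ok),
    }


if __name__ == '__main__':
    for name, raw in (('suspect', SUSPECT_MSG), ('legit', LEGIT_MSG)):
        print(name, analyze(raw))
```

The point of the two checks is that the From header is free text; the envelope sender and the authentication results are what the receiving server actually observed, so a message that says "from you, to you" but arrived from elsewhere with failing SPF is the one to quarantine.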




More thoughts on Facebook.
Facebook in the Spotlight: Dataism vs. Privacy
JURIST Guest Columnist Chris Hoofnagle of Berkeley Law, discusses the policing of Facebook’s privacy policies and FTC enforcement: “Are our institutions up to the challenge of protecting users from information-age problems? This is the high-level question emerging from the Facebook-Cambridge Analytica debate. While on one hand Facebook and similarly-situated companies will pay some regulatory price, our public institutions are also in the crosshairs. In the U.S., the much-praised and admired Federal Trade Commission (“FTC”) approach is suffering a crisis of legitimacy. Facebook’s European regulator, the Irish data protection commissioner, is losing both control over its supervision of American companies and the respect of its regulatory colleagues. In a recent press release, the Article 29 Working Party announced that it was creating a working group focusing on social media, never mentioning the Irish in its statement. In this essay I explain the challenges the FTC faces in enforcing its 2012 consent agreement against Facebook and suggest ways it could nonetheless prevail. In the long run, everyone wins if our civil society institutions can police Facebook, including the company itself. While Facebook’s privacy problems have long been dismissed as harmless, advertising-related controversies, all now understand Facebook’s power over our broader information environment. After Brexit, the 2016 U.S. election, and violence in Myanmar, if consumer law fails, we risk turning to more heavy-handed regulatory tools, including cyber sovereignty approaches, with attendant consequences for civil society and internet freedom…”




Perhaps a wax (resin, whatever) mold of the finger/thumb prints should be mandatory?
Florida Detectives Tried Using Dead Man’s Finger to Unlock Cellphone
A pair of Florida detectives visited a funeral home last month in an attempt to unlock a cellphone belonging to a deceased man by using his fingerprint.
… They gained access to the corpse and held his fingerprint to the phone’s sensor but, according to the Tampa Bay Times, which first reported the case, the move was ultimately unsuccessful. Largo police lieutenant Randall Chaney said that the two detectives needed access in order to preserve data stored on the handset that was potentially tied to a separate drug inquiry involving the deceased suspect.
Chaney told the Tampa Bay Times there is typically a 48 to 72-hour period to open a cellphone that has been locked using a fingerprint. While Largo police officers got the device back within that period, Phillip’s body had already been transferred from state custody to the funeral home. Detectives believed a warrant was not needed because the suspect had little expectation of privacy, Chaney added.


(Related)
Florida police failed to unlock phone using a dead man's finger — but corpses may still help in hacking handsets
… Though it's not clear what brand of phone Phillip owned, Engadget years ago concluded that a finger from a corpse would not unlock an iPhone.
The Touch ID system uses two methods to sense and identify a fingerprint, capacitive and radio frequency. "A capacitive sensor is activated by the slight electrical charge running through your skin," wrote Engadget in 2013. "We all have a small amount of electrical current running through our bodies, and capacitive technology utilizes that to sense touch."
And the radio frequency waves in an iPhone sensor would also not open unless living tissue was present.




Should we all have this App?
This app maker says his work saved thousands during Hurricane Harvey — and he’s not done yet
… His idea was to create an application where a family in distress could quickly submit a call for help containing their location and information, which would instantly appear on a map. A responder could pull the location in order to execute the rescue. Once the family was safe, the information would be taken down so rescuers could focus on those still in need.
… At least 25,000 people were rescued in Houston using the app, Marchetti says.
… The service — now known as CrowdSource Rescue (CSR) — was meant to fill the deficit of public services during a time of immense, dizzying catastrophe. CSR reduced the redundancy created by reposting and sharing across multiple platforms. It crowdsourced every part of the operation: posting, dispatching, rescuing, and updating. It allowed Houstonians and outside volunteer organizations such as the Cajun Navy to work hand in hand with public officials.




Perspective. Well, perhaps Texas has a different perspective.
Emma Platoff reports:
An appeals court has struck down Texas’ “revenge porn” law, ruling that the statute is overly broad and violates the First Amendment.
The 2015 state law targets what author state Sen. Sylvia Garcia, D-Houston, called “a very disturbing internet trend” of posting a previous partner’s nude or semi-nude photos to the web without the partner’s permission, often with identifying information attached. Inspired in part by the testimony of Hollie Toups, a Southeast woman whose intimate photos were posted online, the law made posting private, intimate photos a misdemeanor, carrying a charge of up to a year in jail as well as a $4,000 fine.
Read more on Texas Tribune.




Perspective.
The future of e-commerce in India increasingly looks like an all-American affair
India’s technology industry is bracing itself for the next era of e-commerce warfare, which looks set to be waged and bankrolled by two gigantic corporations located halfway across the world: Amazon and Walmart.
Amazon is already deeply committed to the country, where it has pledged to deploy over $5 billion to grow its business, and now U.S. rival Walmart is said to be inching closer to a deal to buy Flipkart.
Bloomberg reports that Walmart is poised to acquire 60-80 percent of the company for $12 billion.


(Related) Is that why Amazon didn’t complete their bid for Flipkart?
Amazon expects groceries to account for over half of India business in the next 5 years
… Amit Agarwal, the India head of Amazon, said in an interview on Friday that groceries and goods such as creams, soaps and cleaning products, were already the largest product category on Amazon in terms of number of units sold in India.
“I would not speculate on when we would launch AmazonFresh but, absolutely, if you ask me the next five years of vision – from your avocados to your potatoes, and your meat to your ice cream – we’ll deliver everything to you in two hours,” he said.




For my History nerds.
Papers of Benjamin Franklin Now Online
“The papers of American scientist, statesman and diplomat Benjamin Franklin have been digitized and are now available online for the first time from the Library of Congress. The Library announced the digitization in remembrance of the anniversary of Franklin’s death on April 17, 1790. The Franklin papers consist of approximately 8,000 items mostly dating from the 1770s and 1780s. These include the petition that the First Continental Congress sent to Franklin, then a colonial diplomat in London, to deliver to King George III; letterbooks Franklin kept as he negotiated the Treaty of Paris that ended the Revolutionary War; drafts of the treaty; notes documenting his scientific observations, and correspondence with fellow scientists. The collection is online at: loc.gov/collections/benjamin-franklin-papers/about-this-collection.”




Looks like it might be useful for topics you are not already familiar with.
Peekier – privacy-oriented search engine
Peekier (pronounced /’pi·ki·er/) is a new way to search the web. Peek through search results fast and securely on a search engine that respects your privacy. Faster information discovery – Peekier shows you a website preview of the search results. Clicking on a result will maximize the preview and allow you to scroll through the website. You can then decide if the information displayed on the website interests you or not before clicking on the link. Here is what a normal search engine looks like on a widescreen monitor: 2/3rds of the screen real estate remain unused. Peekier utilizes 100% of your monitor, giving you all the information you need to know before you visit a website. This is the way searching will be done in the future.
… websites are loaded on our servers and we only send the rendered image to your browser, we deal with malware and other threats while protecting your privacy and providing a safe and secure experience while you stay on our website. You can still choose to visit a website that interests you―the choice is yours. Strict privacy policy – We take your privacy very seriously. We’re pretty sure we’re the search engine with the most privacy oriented features in the world. Peekier does not log your personal info or track you throughout your browsing sessions. For more information on how we protect your privacy click here…”




Tools.
In all the ruckus about the ban on torrent sites, we forget that there are many more legal uses for torrents than illegal ones.
Still not convinced?


Sunday, April 22, 2018

If it’s on the Internet, it must be true. An increasingly dangerous belief?
Where countries are tinderboxes and Facebook is a match
MEDAMAHANUWARA, Sri Lanka — Past the end of a remote mountain road, down a rutted dirt track, in a concrete house that lacked running water but bristled with smartphones, 13 members of an extended family were glued to Facebook. And they were furious.
A family member, a truck driver, had died after a beating the month before. It was a traffic dispute that had turned violent, the authorities said. But on Facebook, rumors swirled that his assailants were part of a Muslim plot to wipe out the country’s Buddhist majority.
For months, we had been tracking riots and lynchings around the world linked to misinformation and hate speech on Facebook, which pushes whatever content keeps users on the site longest — a potentially damaging practice in countries with weak institutions and histories of social instability.
Time and again, communal hatreds overrun the newsfeed unchecked as local media are displaced by Facebook and governments find themselves with little leverage over the company. Some users, energized by hate speech and misinformation, plot real-world attacks.




Still searching for a “This Might Work” technology?
Dan Peltier reports:
The U.S. Department of Homeland Security has processed travelers with facial recognition scans at many U.S. airports, part of pilot programs during the past year that the government now believes it’s ready to roll out nationwide.
That’s the view of Isabel Hill, director of the National Travel & Tourism Office, part of the U.S. Department of Commerce, who spoke at the World Travel & Tourism Council Global Summit in Buenos Aires, Argentina on Wednesday about the future of secure and seamless travel.
Read more on SKIFT.
So okay… do we know the accuracy rate? Do we know the false positive rate for minorities or specific subpopulations? Is there a reasonable system for challenging and quickly correcting errors? Is this really ready for primetime or wider usage?




The topic must be hot: this collection sells for $120. However, some are available online for free. (I think the Privacy Foundation needs to increase its Seminar prices!)
Professor Daniel Solove calls our attention to this new collection of essays on consumer privacy.
Evan Seligner, Jules Polonetsky, and Omer Tene have just published a terrific edited volume of essays called The Cambridge Handbook of Consumer Privacy. This is a truly impressive collection of writings by a wide array of authors from academia and practice. There’s a robust diversity of viewpoints on wide-ranging and cutting-edge issues. The book has a hefty price tag, but it is a terrific resource.
Read Dan’s full post, as he provides a table of contents and links to copies of the essays where they are already available for free online.




I think we could create an App to determine when a warrant is required and then to help generate one. Assuming there is some logic behind the process.
From the glad-to-see-the-court-got-this-right dept.:
If police want to snoop through a vehicle’s black box data — even after an accident — they will have to get a warrant. That was the conclusion Tuesday of the Missouri Court of Appeals, which took up the case of a black box seized from a truck involved in a major collision on July 1, 2015.
Read more about the case on TheNewspaper.com.
[From the article:
"The driver possesses an actual, subjective expectation of privacy in data recorded by an ECM regarding that driver's operation of the vehicle," Judge Cynthia L. Martin wrote for the court. "We can affirm the trial court's order granting the motion to suppress based on longstanding Fourth Amendment jurisprudence involving trespass as a basis to assert a Fourth Amendment violation as recently discussed in the United States Supreme Court's decision in Jones."
The judges noted that it did not matter that West had no idea there was a box recording his every move installed in the truck because the police officer made a physical intrusion into the vehicle to conduct his electronic search. There were no exigent circumstances to do so because there was no reason to think the truck contained anything illegal.




For those following Facebook. (They sell ads, Senator.)
April Glaser writes:
When Democrats and Republicans in Congress agree on something, it usually involves symbolic acts of patriotism or minimally decent acts of disaster relief. Add to that list: giving Mark Zuckerberg the third degree—and insisting that his company face some kind of consequence for the Cambridge Analytica scandal and how cavalierly it has often treated its users’ data. “I think it is time to ask whether Facebook may have moved too fast and broken too many things,” Rep. Greg Walden, a Republican from Oregon, said last Wednesday as he opened up a House committee hearing with Zuckerberg. “I don’t want to vote to have to regulate Facebook, but by God I will,” said Sen. John Kennedy, a Louisiana Republican, during a Senate joint committee hearing the day before the House’s. Democrats sounded even more gung-ho about cracking down on the company. “This incident demonstrates yet again that our laws are not working,” said Rep. Frank Pallone, a Democrat from New Jersey. Congresswoman Jan Schakowsky, a Democrat from Illinois, laid it out plainly while dressing down the 33-year-old CEO: “This is proof to me that self-regulation simply does not work.”
Read more on Slate. April asks why the pre-eminent privacy advocacy organizations have not proposed anything or even pressured Congress to take action. It’s an interesting question.
When you’ve read her article, read the responses to it on Twitter.


(Related)
From EPIC.org:
EPIC has filed a Freedom of Information Act lawsuit to obtain the release of the unredacted Facebook Assessments from the FTC. The FTC Consent Order required Facebook to provide to the FTC biennial assessments conducted by an independent auditor. In March, EPIC filed a Freedom of Information Act request for the 2013, 2015, 2017 Facebook Assessments and related records. EPIC’s FOIA request drew attention to a version of the 2017 report available at the FTC website. But that version is heavily redacted. EPIC is suing now for the release of unredacted report. EPIC has an extensive open government practice and has previously obtained records from many federal agencies. The case is EPIC v. FTC, No. 18-942 (D.D.C. filed April 20, 2018).


(Related)
Nicholas Confessore reports:
An auditing firm responsible for monitoring Facebook for federal regulators told them last year that the company had sufficient privacy protections in place, even after the social media giant lost control of a huge trove of user data that was improperly obtained by the political consulting firm Cambridge Analytica.
The assertion, by PwC, came in a report submitted to the Federal Trade Commission in early 2017. The report, a redacted copy of which is available on the commission’s website, is one of several periodic reviews of Facebook’s compliance with a 2011 federal consent decree, which required Facebook to take wide-ranging steps to prevent the abuse of users’ information and to inform them how it was being shared with other companies.
Read more on NY Times.




Interesting tech, with implications for smart bombs?
How Uber moves the ‘blue dot’ to improve GPS accuracy in big cities
You might have noticed a problem when you try to use your smartphone to navigate a big city: your GPS location is usually super inaccurate. Sometimes it's only by a few feet, but if you’re in a particularly dense part of the city where satellite signals are blocked by high-rise buildings, the discrepancy can be orders of magnitude greater. For most people, it’s just one of the many modern-day nuisances of urban life. But for companies that rely on two people with smartphones finding each other in a labyrinth of steel and concrete — like Uber — GPS inaccuracy is a source of never-ending pain and frustration.
… The Global Positioning System project was launched in the early 1970s as a way to overcome the limitations of previous navigation systems. It was originally designed for things that fly, like planes. So one of the core assumptions was that all satellites would have a direct line of sight, meaning the signal would always travel in a straight line. But now, those assumptions have changed, thanks to the ubiquity of smartphones and the rise of location-based services like Uber.
… To fix the problem, Iland and Irish used a process called occlusion modeling, by which Uber’s algorithm looks at a full 3D rendering of the city and does a probabilistic estimate of where you are based, which satellites you can see, and which you can’t.
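To make the occlusion idea concrete, here is an added toy example, written for this post and not Uber's code or data. It reduces the city to a two-dimensional street cross-section: two constructed buildings of known height, four constructed satellites described only by which side of the street they are on and their elevation angle. For each candidate position it predicts which satellites have a clear line of sight, compares that prediction with the set the receiver actually reports, and combines the mismatch count with a Gaussian prior around the raw (noisy) GPS fix. All geometry, satellite IDs and weighting constants are assumptions chosen for illustration.

```python
import math

# Constructed 2-D street cross-section (metres): buildings as (x_start, x_end, height).
# The street runs from x=20 to x=40 between two 20 m buildings.
BUILDINGS = [(0.0, 20.0, 20.0), (40.0, 60.0, 20.0)]

# Constructed satellites: (id, direction, elevation_deg); direction +1 = east, -1 = west.
SATELLITES = [
    ("G01", +1, 20.0),
    ("G05", +1, 70.0),
    ("G12", -1, 25.0),
    ("G20", -1, 60.0),
]


def inside_building(x):
    return any(a <= x <= b for a, b, _ in BUILDINGS)


def visible(x, direction, elev_deg):
    """True if the ray from ground position x toward the satellite clears every building."""
    slope = math.tan(math.radians(elev_deg))
    for a, b, h in BUILDINGS:
        # Distance to the building face nearest the receiver in the ray's direction.
        if direction > 0 and a > x:
            d = a - x
        elif direction < 0 and b < x:
            d = x - b
        else:
            continue  # building lies behind the receiver, cannot block this ray
        if d * slope < h:  # ray height at the face is below the roof: blocked
            return False
    return True


def predicted_visible_set(x):
    return {sid for sid, s, e in SATELLITES if visible(x, s, e)}


def estimate_position(raw_fix, observed_ids, sigma=15.0, step=1.0, span=60.0):
    """Grid search over candidate positions. Score = Gaussian prior around the raw
    fix times exp(-2 * mismatches) between predicted and observed visibility."""
    best_x, best_score = None, -1.0
    x = raw_fix - span
    while x <= raw_fix + span:
        if not inside_building(x):
            mismatches = len(predicted_visible_set(x) ^ set(observed_ids))
            prior = math.exp(-0.5 * ((x - raw_fix) / sigma) ** 2)
            score = prior * math.exp(-2.0 * mismatches)
            if score > best_score:
                best_x, best_score = x, score
        x += step
    return best_x


if __name__ == "__main__":
    # Constructed scenario: the receiver is on the east side of the street (x=36)
    # and only sees G20, but the raw fix has landed on the west side (x=26).
    print("predicted at 26:", predicted_visible_set(26.0))
    print("predicted at 36:", predicted_visible_set(36.0))
    print("estimate:", estimate_position(26.0, {"G20"}))
```

In the scenario above the raw fix on the west side of the street would see G05 and not G20, which contradicts the reported sky view, so the estimate moves to the nearest position on the east side where the prediction matches. The same consistency test works in reverse as a sanity check on a reported fix: a position from which the modelled buildings should hide the satellites the receiver claims to be tracking deserves less trust.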




As so often happens, I don’t get it. I can understand wanting to give everyone Internet access. Why do we need a “live” video of every place on earth?
Bill Gates, Airbus and SoftBank invest in satellite video startup that wants to help us ‘see and understand the Earth live and unfiltered’
Bellevue, Wash.-based EarthNow aims to operate a fleet of small satellites that will send continuous real-time video views of our planet from Earth orbit.
… Wyler made clear that EarthNow would leverage the design work that’s already been done for OneWeb.
“We created the world’s first low-cost, high-performance satellites for mass production to bridge the digital divide,” he said in today’s news release. “These very same satellite features will enable EarthNow to help humanity understand and manage its impact on Earth.”