Monday, April 23, 2018

This could work with any nationality if scammers can tell visitors from citizens. I wonder if it works in other countries?
Don’t give money to the “Chinese Consulate,” FTC says in scam-busting report
Scammers are using a combination of phishing techniques and social engineering to trick people with Chinese last names into handing over their personal information and even making direct payments to the scammer.
The scheme isn’t new, with reports going back as early as 2015 when the Federal Communications Commission (FCC) told phone carriers to start using robocall-blocking services.
Now the Federal Trade Commission has had it too. A statement by the FTC said it has recently recorded a surge in complaints from customers claiming that scammers are purporting to call from the Chinese Consulate asking them for personal information and even cash.

Do many people still use Internet Explorer?
Internet Explorer zero-day alert: Attackers hitting unpatched bug in Microsoft browser
A well-resourced hacking group is using a previously unknown and unpatched bug in Internet Explorer (IE) to infect Windows PCs with malware.
… According to the firm, the vulnerability affects the latest versions of IE and other applications that use the browser.

National Health Systems are large targets.
Sue Dunleavy reports:
The sensitive health data of Australians is subject to a data breach every two days and the organisations and governments that fail to protect it are facing no financial penalties.
As outrage builds over Facebook’s failure to protect privacy, a News Corp investigation has uncovered health data that shows if Australians have a sexually transmitted disease, mental illness, HIV or an abortion, even whether they’ve used a prostitute, is not properly protected.
A new mandatory notification scheme that requires businesses to report to the Office of the Australian Information Commissioner when there is a data breach shows in the first 37 days of the new regime a data breach occurred every two days in the health sector.
Read more on Daily Telegraph

Cities with inadequate backups are also easy targets.
City of Atlanta Ransomware Attack Proves Disastrously Expensive
City of Atlanta Ransomware Attack Showcases Ethical Problem in Whether to Pay a Ransom or Not
Over the course of the last week, it has become apparent that the City of Atlanta, Georgia, has paid out nearly $3 million dollars in contracts to help its recovery from a ransomware attack on March 22, 2018 – which (at the time of writing) is still without resolution.
Precise details on the Atlanta contracts are confused and confusing – but two consistent elements are that SecureWorks is being paid $650,000 for emergency incident response services, and Ernst & Young is being paid $600,000 for advisory services for cyber incident response. The total for all the contracts appears to total roughly $2.7 million. The eventual cost will likely be more, since it doesn't include lost staff productivity nor the billings of a law firm reportedly charging Atlanta $485 per hour for partners, and $300 per hour for associates. The ransom demand was for around $51,000.
Also worth considering is the SamSam attack on Hancock Health reported in January this year. Hancock chose to pay a ransom of around $55,000, and recovered its systems within a few days. It later admitted that it would not have been able to recover from backups since the attackers – which sound like the Gold Lowell group – had previously compromised them.

Is it possible that this is a rogue AI?
Some Gmail Users Are Getting Spam Apparently Sent By Themselves
It's bad enough that several Gmail accounts are reporting unexplained spam in their inbox, but what's worse is they're apparently sent by themselves, even though most of the accounts employ hard-to-crack two-factor authentication.
Google's spam filtering technology is typically excellent at separating legitimate emails from spam, which makes the incident an odd aberration from Gmail's otherwise sterling security protections. However, a spam variant was successful at bypassing those protections, possibly by making it seem as if the spam recipient is also the sender.

More thoughts on Facebook.
Facebook in the Spotlight: Dataism vs. Privacy
JURIST Guest Columnist Chris Hoofnagle of Berkeley Law, discusses the policing of Facebook’s privacy policies and FTC enforcement: “Are our institutions up to the challenge of protecting users from information-age problems? This is the high-level question emerging from the Facebook-Cambridge Analytica debate. While on one hand Facebook and similarly-situated companies will pay some regulatory price, our public institutions are also in the crosshairs. In the U.S., the much-praised and admired Federal Trade Commission (“FTC”) approach is suffering a crisis of legitimacy. Facebook’s European regulator, the Irish data protection commissioner, is losing both control over its supervision of American companies and the respect of its regulatory colleagues. In a recent press release, the Article 29 Working Party announced that it was creating a working group focusing on social media, never mentioning the Irish in its statement. In this essay I explain the challenges the FTC faces in enforcing its 2012 consent agreement against Facebook and suggest ways it could nonetheless prevail. In the long run, everyone wins if our civil society institutions can police Facebook, including the company itself. While Facebook’s privacy problems have long been dismissed as harmless, advertising-related controversies, all now understand Facebook’s power over our broader information environment. After Brexit, the 2016 U.S. election, and violence in Myanmar, if consumer law fails, we risk turning to more heavy-handed regulatory tools, including cyber sovereignty approaches, with attendant consequences for civil society and internet freedom…”

Perhaps a wax (resin, whatever) mold of the finger/thumb prints should be mandatory?
Florida Detectives Tried Using Dead Man’s Finger to Unlock Cellphone
A pair of Florida detectives visited a funeral home last month in an attempt to unlock a cellphone belonging to a deceased man by using his fingerprint.
… They gained access to the corpse and held his fingerprint to the phone’s sensor but, according to the Tampa Bay Times, which first reported the case, the move was ultimately unsuccessful. Largo police lieutenant Randall Chaney said that the two detectives needed access in order to preserve data stored on the handset that was potentially tied to a separate drug inquiry involving the deceased suspect.
Chaney told the Tampa Bay Times there is typically a 48 to 72-hour period to open a cellphone that has been locked using a fingerprint. While Largo police officers got the device back within that period, Phillip’s body had already been transferred from state custody to the funeral home. Detectives believed a warrant was not needed because the suspect had little expectation of privacy, Chaney added.

Florida police failed to unlock phone using a dead man's finger — but corpses may still help in hacking handsets
… Though it's not clear what brand of phone Phillip owned, Engadget years ago concluded that a finger from a corpse would not unlock an iPhone.
The Touch ID system uses two methods to sense and identify a fingerprint, capacitive and radio frequency. "A capacitive sensor is activated by the slight electrical charge running through your skin," wrote Engadget in 2013. "We all have a small amount of electrical current running through our bodies, and capacitive technology utilizes that to sense touch."
And the radio frequency waves in an iPhone sensor would also not open unless living tissue was present.

Should we all have this App?
This app maker says his work saved thousands during Hurricane Harvey — and he’s not done yet
… His idea was to create an application where a family in distress could quickly submit a call for help containing their location and information, which would instantly appear on a map. A responder could pull the location in order to execute the rescue. Once the family was safe, the information would be taken down so rescuers could focus on those still in need.
… At least 25,000 people were rescued in Houston using the app, Marchetti says.
… The service — now known as CrowdSource Rescue (CSR) — was meant to fill the deficit of public services during a time of immense, dizzying catastrophe. CSR reduced the redundancy created by reposting and sharing across multiple platforms. It crowdsourced every part of the operation: posting, dispatching, rescuing, and updating. It allowed Houstonians and outside volunteer organizations such as the Cajun Navy to work hand in hand with public officials.

Perspective. Well, perhaps Texas has a different perspective.
Emma Platoff reports:
An appeals court has struck down Texas’ “revenge porn” law, ruling that the statute is overly broad and violates the First Amendment.
The 2015 state law targets what author state Sen. Sylvia Garcia, D-Houston, called “a very disturbing internet trend” of posting a previous partner’s nude or semi-nude photos to the web without the partner’s permission, often with identifying information attached. Inspired in part by the testimony of Hollie Toups, a Southeast woman whose intimate photos were posted online, the law made posting private, intimate photos a misdemeanor, carrying a charge of up to a year in jail as well as a $4,000 fine.
Read more on Texas Tribune.

The future of e-commerce in India increasingly looks like an all-American affair
India’s technology industry is bracing itself for the next era of e-commerce warfare, which looks set to be waged and bankrolled by two gigantic corporations located halfway across the world: Amazon and Walmart.
Amazon is already deeply committed to the country, where it has pledged to deploy over $5 billion to grow its business, and now U.S. rival Walmart is said to be inching closer to a deal to buy Flipkart.
Bloomberg reports that Walmart is poised to acquire 60-80 percent of the company for $12 billion.

(Related) Is that why Amazon didn’t complete their bid for Flipkart?
Amazon expects groceries to account for over half of India business in the next 5 years
… Amit Agarwal, the India head of Amazon, said in an interview on Friday that groceries and goods such as creams, soaps and cleaning products, were already the largest product category on Amazon in terms of number of units sold in India.
“I would not speculate on when we would launch AmazonFresh but, absolutely, if you ask me the next five years of vision – from your avocados to your potatoes, and your meat to your ice cream – we’ll deliver everything to you in two hours,” he said.

For my History nerds.
Papers of Benjamin Franklin Now Online
“The papers of American scientist, statesman and diplomat Benjamin Franklin have been digitized and are now available online for the first time from the Library of Congress. The Library announced the digitization in remembrance of the anniversary of Franklin’s death on April 17, 1790. The Franklin papers consist of approximately 8,000 items mostly dating from the 1770s and 1780s. These include the petition that the First Continental Congress sent to Franklin, then a colonial diplomat in London, to deliver to King George III; letterbooks Franklin kept as he negotiated the Treaty of Paris that ended the Revolutionary War; drafts of the treaty; notes documenting his scientific observations, and correspondence with fellow scientists. The collection is online at:”

Looks like it might be useful for topics you are not already familiar with.
Peekier – privacy-oriented search engine
Peekier (pronounced /’pi·ki·er/) is a new way to search the web. Peek through search results fast and securely on a search engine that respects your privacy. Faster information discovery – Peekier shows you a website preview of the search results. Clicking on a result will maximize the preview and allow you to scroll through the website. You can then decide if the information displayed on the website interests you or not before clicking on the link. Here is what a normal search engine looks like on a widescreen monitor: 2/3rds of the screen real estate remain unused. Peekier utilizes 100% of your monitor, giving you all the information you need to know before you visit a website. This is the way searching will be done in the future.
… websites are loaded on our servers and we only send the rendered image to your browser, we deal with malware and other threats while protecting your privacy and providing a safe and secure experience while you stay on our website. You can still choose to visit a website that interests you―the choice is yours. Strict privacy policy – We take your privacy very seriously. We’re pretty sure we’re the search engine with the most privacy oriented features in the world. Peekier does not log your personal info or track you throughout your browsing sessions. For more information on how we protect your privacy click here…”

In all the ruckus about the ban on torrent sites, we forget that there are many more legal uses for torrents than illegal ones.
Still not convinced?

Sunday, April 22, 2018

If it’s on the Internet, it must be true. An increasingly dangerous belief?
Where countries are tinderboxes and Facebook is a match
MEDAMAHANUWARA, Sri Lanka — Past the end of a remote mountain road, down a rutted dirt track, in a concrete house that lacked running water but bristled with smartphones, 13 members of an extended family were glued to Facebook. And they were furious.
A family member, a truck driver, had died after a beating the month before. It was a traffic dispute that had turned violent, the authorities said. But on Facebook, rumors swirled that his assailants were part of a Muslim plot to wipe out the country’s Buddhist majority.
For months, we had been tracking riots and lynchings around the world linked to misinformation and hate speech on Facebook, which pushes whatever content keeps users on the site longest — a potentially damaging practice in countries with weak institutions and histories of social instability.
Time and again, communal hatreds overrun the newsfeed unchecked as local media are displaced by Facebook and governments find themselves with little leverage over the company. Some users, energized by hate speech and misinformation, plot real-world attacks.

Still searching for a “This Might Work” technology?
Dan Peltier reports:
The U.S. Department of Homeland Security has processed travelers with facial recognition scans at many U.S. airports, part of pilot programs during the past year that the government now believes it’s ready to roll out nationwide.
That’s the view of Isabel Hill, director of the National Travel & Tourism Office, part of the U.S. Department of Commerce, who spoke at the World Travel & Tourism Council Global Summit in Buenos Aires, Argentina on Wednesday about the future of secure and seamless travel.
Read more on SKIFT.
So okay…. do we know the accuracy rate? Do we know the false positive rate for minorities of specific subpopulations? Is there a reasonable system for challenging and quickly correcting errors? Is this really ready for primetime or wider usage?

The topic must be hot; this collection sells for $120. However, some are available online for free. (I think the Privacy Foundation needs to increase its Seminar prices!)
Professor Daniel Solove calls our attention to this new collection of essays on consumer privacy.
Evan Seligner, Jules Polonetsky, and Omer Tene have just published a terrific edited volume of essays called The Cambridge Handbook of Consumer Privacy. This is a truly impressive collection of writings by a wide array of authors from academia and practice. There’s a robust diversity of viewpoints on wide-ranging and cutting-edge issues. The book has a hefty price tag, but it is a terrific resource.
Read Dan’s full post, as he provides a table of contents and links to copies of the essays where they are already available for free online.

I think we could create an App to determine when a warrant is required and then to help generate one. Assuming there is some logic behind the process.
From the glad-to-see-the-court-got-this-right dept.:
If police want to snoop through a vehicle’s black box data — even after an accident — they will have to get a warrant. That was the conclusion Tuesday of the Missouri Court of Appeals, which took up the case of a black box seized from a truck involved in a major collision on July 1, 2015.
Read more about the case on
[From the article:
"The driver possesses an actual, subjective expectation of privacy in data recorded by an ECM regarding that driver's operation of the vehicle," Judge Cynthia L. Martin wrote for the court. "We can affirm the trial court's order granting the motion to suppress based on longstanding Fourth Amendment jurisprudence involving trespass as a basis to assert a Fourth Amendment violation as recently discussed in the United States Supreme Court's decision in Jones."
The judges noted that it did not matter that West had no idea there was a box recording his every move installed in the truck because the police officer made a physical intrusion into the vehicle to conduct his electronic search. There were no exigent circumstances to do so because there was no reason to think the truck contained anything illegal.

For those following Facebook. (They sell ads, Senator.)
April Glaser writes:
When Democrats and Republicans in Congress agree on something, it usually involves symbolic acts of patriotism or minimally decent acts of disaster relief. Add to that list: giving Mark Zuckerberg the third degree—and insisting that his company face some kind of consequence for the Cambridge Analytica scandal and how cavalierly it has often treated its users’ data. “I think it is time to ask whether Facebook may have moved too fast and broken too many things,” Rep. Greg Walden, a Republican from Oregon, said last Wednesday as he opened up a House committee hearing with Zuckerberg. “I don’t want to vote to have to regulate Facebook, but by God I will,” said Sen. John Kennedy, a Louisiana Republican, during a Senate joint committee hearing the day before the House’s. Democrats sounded even more gung-ho about cracking down on the company. “This incident demonstrates yet again that our laws are not working,” said Rep. Frank Pallone, a Democrat from New Jersey. Congresswoman Jan Schakowsky, a Democrat from Illinois, laid it out plainly while dressing down the 33-year-old CEO: “This is proof to me that self-regulation simply does not work.”
Read more on Slate. April asks why the pre-eminent privacy advocacy organizations have not proposed anything or even pressured Congress to take action. It’s an interesting question.
When you’ve read her article, read the responses to it on Twitter.

EPIC has filed a Freedom of Information Act lawsuit to obtain the release of the unredacted Facebook Assessments from the FTC. The FTC Consent Order required Facebook to provide to the FTC biennial assessments conducted by an independent auditor. In March, EPIC filed a Freedom of Information Act request for the 2013, 2015, 2017 Facebook Assessments and related records. EPIC’s FOIA request drew attention to a version of the 2017 report available at the FTC website. But that version is heavily redacted. EPIC is suing now for the release of unredacted report. EPIC has an extensive open government practice and has previously obtained records from many federal agencies. The case is EPIC v. FTC, No. 18-942 (D.D.C. filed April 20, 2018).

Nicholas Confessore reports:
An auditing firm responsible for monitoring Facebook for federal regulators told them last year that the company had sufficient privacy protections in place, even after the social media giant lost control of a huge trove of user data that was improperly obtained by the political consulting firm Cambridge Analytica.
The assertion, by PwC, came in a report submitted to the Federal Trade Commission in early 2017. The report, a redacted copy of which is available on the commission’s website, is one of several periodic reviews of Facebook’s compliance with a 2011 federal consent decree, which required Facebook to take wide-ranging steps to prevent the abuse of users’ information and to inform them how it was being shared with other companies.
Read more on NY Times.

Interesting tech, with implications for smart bombs?
How Uber moves the ‘blue dot’ to improve GPS accuracy in big cities
You might have noticed a problem when you try to use your smartphone to navigate a big city: your GPS location is usually super inaccurate. Sometimes it's only by a few feet, but if you’re in a particularly dense part of the city where satellite signals are blocked by high-rise buildings, the discrepancy can be orders of magnitude greater. For most people, it’s just one of the many modern-day nuisances of urban life. But for companies that rely on two people with smartphones finding each other in a labyrinth of steel and concrete — like Uber — GPS inaccuracy is a source of never-ending pain and frustration.
… The Global Positioning System project was launched in the early 1970s as a way to overcome the limitations of previous navigation systems. It was originally designed for things that fly, like planes. So one of the core assumptions was that all satellites would have a direct line of sight, meaning the signal would always travel in a straight line. But now, those assumptions have changed, thanks to the ubiquity of smartphones and the rise of location-based services like Uber.
… To fix the problem, Iland and Irish used a process called occlusion modeling, by which Uber’s algorithm looks at a full 3D rendering of the city and does a probabilistic estimate of where you are based, which satellites you can see, and which you can’t.

As so often happens, I don’t get it. I can understand wanting to give everyone Internet access. Why do we need a “live” video of every place on earth?
Bill Gates, Airbus and SoftBank invest in satellite video startup that wants to help us ‘see and understand the Earth live and unfiltered’
Bellevue, Wash.-based EarthNow aims to operate a fleet of small satellites that will send continuous real-time video views of our planet from Earth orbit.
… Wyler made clear that EarthNow would leverage the design work that’s already been done for OneWeb.
“We created the world’s first low-cost, high-performance satellites for mass production to bridge the digital divide,” he said in today’s news release. “These very same satellite features will enable EarthNow to help humanity understand and manage its impact on Earth.”

Saturday, April 21, 2018

Reinforcing the points made in yesterday's Privacy Foundation seminar. Authorized employees are a substantial risk! “Became aware” is not the same as “discovered.” Likely someone told them what was happening. Interesting again that they offer Identity Protection to all of their clients.
From their press release:
SunTrust Banks, Inc. (NYSE: STI) is now offering Identity Protection for all current and new consumer clients at no cost on an ongoing basis. Experian IDnotify™ will be provided to those who sign up for the service.
SunTrust cares deeply about the privacy and security of client information. The company became aware of potential theft by a former employee of information from some of its contact lists. Although the investigation is ongoing, SunTrust is proactively notifying approximately 1.5 million clients that certain information, such as name, address, phone number and certain account balances may have been exposed. The contact lists did not include personally identifying information, such as social security number, account number, PIN, User ID, password, or driver’s license information. SunTrust is also working with outside experts and coordinating with law enforcement.
Read the full press release here.

More resources for my Computer Security students.

...and a tool for Privacy.

Interesting arguments?
Government hacking tactics questioned at OURSA
Jennifer Granick, surveillance and cybersecurity counsel at the American Civil Liberties Union, took the stage at OURSA on Tuesday to discuss the state of modern surveillance and hacking performed by the U.S. government, arguing that both cross the line of traditional legal searches.
"Increasingly, modern surveillance is mass surveillance," Granick said. "We used to target people for surveillance because of their political opinions or their religion or their race. Now the mainstream is being surveilled."
… The U.S. doesn't currently have specific hacking laws, though the U.S. government uses hacking for law enforcement and intelligence operations. Instead, noted Granick, the U.S. relies on the same legal process for hacking that it does for regular searches – the warrant. While warrants are crucial, they don't cover enough ground.
"Government hacking is different from regular searches in five particular ways that the warrant requirement can't really address," Granick said.
Those ways include the amount of data being collected; the invasiveness of the techniques the government uses to hack and surveil, such as turning on the cameras and microphones on personal laptops and smart devices; and, the falsification of data.
… "If this information is being collected for criminal prosecution purposes, how can we know that the very act of accessing the computer hasn't changed the information that's there in ways that impinge upon the defendants' rights?" Granick posed. "How can the defense test that theory and see that the evidence is not altered in any way if the government insists on keeping the exploit and the vulnerability secret? It interferes with the due process rights of the defendant in the criminal justice system."
The fourth way in which government hacking is out-of-scope with regular search warrants is the potential cybersecurity harms.

Fodder for my IT Management class.
Wells Fargo Fined $1B for Mortgage, Auto Lending Abuses
Wells Fargo will pay $1 billion to federal regulators to settle charges tied to misconduct at its mortgage and auto lending business, the latest punishment levied against the banking giant for widespread customer abuses.
… Starting in September 2016, Wells has admitted to a number of abusive practices across multiple parts of its business that duped consumers out of millions of dollars. Regulators, in turn, have fined Wells several times and put unprecedented restrictions on its ability to do business, including forcing the bank to replace directors on its board.
… In Friday's announcement, the CFPB and the OCC penalized Wells for improperly charging fees to borrowers who wanted to lock in an interest rate on a pending mortgage loan and for sticking auto loan customers with insurance policies they didn't want or need. The bank admitted that tens of thousands of customers who could not afford the combined auto loan and extra insurance payment fell behind on their payments and had their cars repossessed.
These abuses are separate from Wells Fargo's well-known sales practices scandal, where employees opened as many as 3.5 million bank and credit card accounts without getting customers' authorization. The account scandal torpedoed Wells Fargo's reputation as the nation's best-run bank.

Helping my students select a major.
A.I. Researchers Are Making More Than $1 Million, Even at a Nonprofit
One of the poorest-kept secrets in Silicon Valley has been the huge salaries and bonuses that experts in artificial intelligence can command. Now, a little-noticed tax filing by a research lab called OpenAI has made some of those eye-popping figures public.
OpenAI paid its top researcher, Ilya Sutskever, more than $1.9 million in 2016. It paid another leading researcher, Ian Goodfellow, more than $800,000 — even though he was not hired until March of that year. Both were recruited from Google.
A third big name in the field, the roboticist Pieter Abbeel, made $425,000, though he did not join until June 2016, after taking a leave from his job as a professor at the University of California, Berkeley. Those figures all include signing bonuses.

Friday, April 20, 2018

When is taking advantage of a Security Failure not a crime? An old and well (or at least frequently) documented problem.
Is Enumerating Resources on a Website "Hacking"?
I saw a story pop up this week which made a bunch of headlines and upon sharing it, also sparked some vigorous debate. It all had to do with a 19-year-old bloke in Canada downloading some publicly accessible documents which, as it later turned out, shouldn't have been publicly accessible. Let's start with this video as it pretty succinctly explains the issue in consumer-friendly terms:
… This was public data. Whether it was intended to be public or not does not change the fact that it was published to a location which exposed it to the world without any requirement for authorisation whatsoever. His "crime" was simply to use the technology as it was designed to work. There was a lot of support for this position.

For my Ethical Hacking students. Be sure to wear the electronic equivalent of a bio-hazard suit.

I’m sure my lawyer friends will be able to explain this one. Sure.
Matt Burgess reports:
“Do not pretend that I do not exist, do not ignore me or break the deadlines,” was the message from one unknown hacker to a British company targeted in February 2018. The person stole a “very large quantity of data”.
Both the hacker and the hacked company are the subject of a High Court injunction. The legal ruling from judge Matthew Nicklin, has been taken out to stop the company being named and prohibits hacked data from being stolen.
The case gives an insight into one hacker’s demands to a company and how it responded. It is the latest in a number of injunctions being taken out by companies that are looking to protect information that has been stolen from their servers.
Read more on Wired (UK).
OK, I don’t see how this is going to stop the hackers from dumping data if they don’t get paid. Maybe some web hosts will honor/comply with an injunction and remove data, but there are just too many ways/places to dump data for this to really make a serious dent in the problem. And what would stop a U.S. journalist from reporting on the breach, naming the company, and discussing any stolen data???

Good news for the White House? (Where would the President be without “Fake News” to blame?)
Americans Favor Protecting Information Freedoms Over Government Steps to Restrict False News Online
… Nearly six-in-ten Americans (58%) say they prefer to protect the public’s freedom to access and publish information online, including on social media, even if it means false information can also be published. Roughly four-in-ten (39%) fall the other way, preferring that the U.S. government take steps to restrict false information even if it limits those freedoms, according to a survey

I’ll believe it when my students start reading ToS.
The ‘Terms and Conditions’ Reckoning Is Coming
Eleanor Margolis had used PayPal for more than a decade when the online payment provider blocked her account in January. The reason: She was 16 years old when she signed up, and PayPal Holdings Inc. insists she should have known the minimum age is 18, because the rule is clearly stated in terms and conditions she agreed to. Clearly stated, that is, in a document longer than The Great Gatsby—almost 50,000 words spread across 21 separate web pages. “They didn’t have any checks in place to make sure I was over 18,” says Margolis, now 28. “Instead, they contact me 12 years later. It’s completely absurd.”
… GDPR, which comes into force in Europe in May and calls for fines as high as 4 percent of a company’s global revenue for violations, will make it tougher to get away with book-length user agreements, says Eduardo Ustaran, co-director of the cybersecurity practice at law firm Hogan Lovells. He suggests that companies streamline their rules and make sure they’re written in plain English. If a typical user wouldn’t understand the documents, the consent that companies rely on for their business activities would be legally invalid. “Your whole basis for using people’s personal data would disappear,” Ustaran says.

No other comment.
The FBI Restored Its Missing Crime Data
On Tuesday, the FBI restored 70 data tables that were missing from the 2016 Crime in the United States report, providing data that researchers consider crucial to their understanding of crime trends in the U.S. over time. The yearly report is considered the gold standard for tracking crime statistics in the United States, gathered from over 18,000 law-enforcement agencies in cities around the country. But the 2016 report, the first compiled under the Trump administration, was missing dozens of data tables that researchers rely on.

Thursday, April 19, 2018

If you have data, someone will collect and aggregate it.
Data firm leaks 48 million user profiles it scraped from Facebook, LinkedIn, others
A little-known data firm was able to build 48 million personal profiles, combining data from sites and social networks like Facebook, LinkedIn, Twitter, and Zillow, among others -- without the users' knowledge or consent.
Localblox, a Bellevue, Wash.-based firm, says it "automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks." Since its founding in 2010, the company has focused its collection on publicly accessible data sources, like social networks Facebook, Twitter, and LinkedIn, and real estate site Zillow to name a few, to produce profiles.
But earlier this year, the company left a massive store of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents.
The bucket, labeled "lbdumps," contained a file that unpacked to a single file over 1.2 terabytes in size. The file listed 48 million individual records, scraped from public profiles, consolidated, then stitched together.
The data was subsequently found by Chris Vickery, director of cyber risk research at security firm UpGuard. Vickery, a well-known ethical data breach hunter, disclosed the leak to Localblox's chief technology officer Ashfaq Rahman in late February. The bucket was secured hours later.
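The Localblox bucket was world-readable because of its access grants, not because anyone guessed a password: an S3 bucket has no password, only an ACL and an optional bucket policy. The check a practitioner would want is an audit of exactly those two documents. The following is an added example, not Localblox's or UpGuard's code. The ACL and policy below are constructed to mirror the shape returned by boto3's `get_bucket_acl()` and `get_bucket_policy()` (the live calls are named in a comment as an assumption); the bucket name is the one the article reports.

```python
"""Flag S3 buckets whose ACL or bucket policy grants access to everyone."""
import json

# Grantee URIs that mean "anyone" in an S3 ACL. AuthenticatedUsers is any
# AWS account in the world, not just accounts you own.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs in an ACL that apply to everyone."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _as_list(x):
    return x if isinstance(x, list) else [x]


def public_policy_statements(policy):
    """Return (Sid, actions) for unconditional Allow statements with a wildcard principal."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action"))))
    return findings


def audit_bucket(name, acl, policy=None):
    """Combine the ACL and policy checks into a list of readable findings."""
    report = [f"{name}: ACL grants {perm} to {grp}" for grp, perm in public_acl_grants(acl)]
    if policy:
        report += [f"{name}: policy statement {sid} allows {acts} to everyone"
                   for sid, acts in public_policy_statements(policy)]
    return report


# Constructed sample documents (not the real Localblox configuration).
LEAKY_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::lbdumps/*"}]
}""")
PRIVATE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
                "Permission": "FULL_CONTROL"}],
}

if __name__ == "__main__":
    # Live use (assumed API names): acl = boto3.client("s3").get_bucket_acl(Bucket=name)
    #                               policy = json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])
    for line in audit_bucket("lbdumps", LEAKY_ACL, LEAKY_POLICY):
        print(line)
    print(audit_bucket("private-bucket", PRIVATE_ACL) or "private-bucket: no public grants")
```

Note that "public but unlisted" is no protection: bucket names are guessable and routinely enumerated, which is how researchers like Vickery find them. Run a check like this across every bucket in the account, and treat any finding as a leak in progress rather than a configuration nit.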

(Related) A long look at a company operating on the fringe? Making a business of Big Brotherly surveillance. If nothing else, the background image is worth viewing.
Palantir Knows Everything About You

Useful! I will share this with my Computer Security students. (PDF)
Chart on Admissibility of Electronic Evidence
Craig Ball posted a well documented chart, Admissibility of Electronic Evidence, authored by U.S. District Judge Paul Grimm and attorney Kevin Brady.

The other side of the “All AI Algorithms are Biased” argument.
Upping Your Diversity Game: Tech That Enables a More Diverse Talent Pool
Diversity is a common topic of discussion for HR teams and internal recruiters, and with good reason. Few people question that a diverse team makes a company stronger. But finding the right pool of candidates can be a challenge.
It's surprising where some of those challenges come from. Many people think subconscious bias during resume review could be the cause, and that's one of the issues. But even the way you write your job descriptions can impact the kinds of candidates that apply.
… Corporations have tried to combat unconscious bias through training, but critics and even some studies say that traditional diversity training is the least effective means of removing bias from hiring.
… Several applications exist that allow companies to find candidates solely based on skills. Software like Hundred5 allows applicants to take a skills-based test, and those that score the lowest are weeded out of the pack of potential hires before anyone can make assumptions about gender or race.
… Similarly, platforms Pymetrics and Gapjumpers use online surveys and quizzes without demographic information attached. Applicants answer questions on Gapjumpers, what they call "blind auditions", and employers review the answers to decide if the applicant is worth pursuing. According to their website, Gapjumpers sees women making up 60 percent of the top performers in blind auditions.
Pymetrics combines neuroscience games and AI to match people with jobs. After roughly 20 minutes playing behavior-based games, the AI matches the results with the profile of a position. If there is a match, the applicant moves on to the next round.

Jeff Bezos reveals Amazon has 100 million Prime members in letter to shareholders

A supplement for my students.
Linkedin – The Skills Companies Need Most in 2018 – And The Courses to Get Them
Linkedin Learning Blog: “Whenever there is change, there is opportunity. With report after report showing the world of work changing faster than ever today, it’s fair to assume there’s more opportunity than ever. The challenge? It isn’t easy to know where that opportunity exists. If only some organization with the resources necessary to answer that question could release a roadmap… Well, consider this your roadmap. Using a combination of LinkedIn data and survey results, we determined both the soft and the hard skills companies need most. And then we provided LinkedIn Learning courses that teach those skills, which we’ve made free for all of January 2018…”
[As I read their course descriptions, it looks like they actually offer First Month Free. Bob]

For all my students.
You can think of Grasshopper as an app that teaches you how to code in JavaScript, similar to how apps like Duolingo teach you a foreign language. After signing in with your Google account, you will be walked through the basics of programming and given several quizzes. As you continue, you will be given more subject matter to learn and exercises to help you retain the knowledge.
… My one real hope is that as Grasshopper grows, the Google developers working on the app will add new programming languages for users to learn.
If you’re interested in checking out Grasshopper for yourself, you can download it for free from the Play Store. Additionally, if you’re running iOS, you can download it from Apple’s App Store.

Wednesday, April 18, 2018

Good news for my Computer Security majors.
Closing the Enterprise Security Skills Gap
… The term "skills gap," in a nutshell, refers to specific challenges organizations have confronted over the past few years in finding and retaining competent, trained resources for security efforts. It is a measurable trend across the industry as a whole.
For example, it takes most organizations (54 percent) more than three months to fill open security positions, the recently released 2018 ISACA Global State of Cybersecurity Survey found. That figure is consistent with its prior year's findings.

(Related) Go where management is worried.
Security Pros at Energy Firms Concerned About 'Catastrophic' Attacks
Many cybersecurity professionals working in the energy sector are concerned that an attack on their organization’s industrial control systems (ICS) could have “catastrophic” consequences, according to a study conducted recently by Dimensional Research on behalf of security and compliance solutions provider Tripwire.
Of the more than 150 respondents, including IT and OT security professionals in energy and oil and gas companies, 91% say they are worried about the risk of attacks on ICS. Nearly all respondents are very concerned or somewhat concerned about an attack leading to operational shutdowns or downtime that impacts customers.
Other areas of major concern include physical damage to infrastructure, employee safety, impact on the organization’s reputation, and data theft.
High-profile pieces of malware such as Trisis and Industroyer have had a significant impact on security investments, but incidents involving ransomware have had the same degree of impact, the study shows.

Stay current (better yet, stay ahead) with your security updates. Constantly remind your employees of the risks.
NSA: Hackers Weaponize Known Vulnerabilities Within 24 Hours
How do you break into the US military's defense networks? Apparently, hackers are trying to do so by leveraging every publicly-known vulnerability they can find.
The turnaround can be quick, said Dave Hogue, a technical director with the US National Security Agency. Once a security flaw goes public, it can be added into the arsenal of state-sponsored attackers in less than a day.
"Within 24 hours I would say now, whenever an exploit or a vulnerability is released, its weaponized and used against us," Hogue said in a talk at the RSA security conference on Tuesday.
… Hogue said the top attack method the agency is running into are phishing messages.
"We see 36 million emails per day, and we reject about 85 percent of those," he said.
It's also rare for the agency to encounter a "zero-day" exploit, or a cyber attack that leverages a previously unknown vulnerability. In fact, the NSA has not responded to an intrusion that uses a zero-day vulnerability in over 24 months, Hogue said.

My guess is that this was not a Russian hack.
IRS website unavailable for efiling most of tax day!
IRS electronic filing systems working again after agency’s Tax Day technology meltdown
“The Internal Revenue Service’s system for accepting online tax returns is working again after being inoperable for much of the day Tuesday [April 17, 2018]. IRS officials promised that people hampered by the technology failures would not be penalized for late returns, but they have not yet announced any specific exemptions to the deadline. This story will be updated.” [IRS gives taxpayers one more day to file after payment site crashes.]

So much for the good fight? Not sure ‘resolved’ is the right word.
U.S. top court rules that Microsoft email privacy dispute is moot
The U.S. Supreme Court on Tuesday dropped Microsoft Corp’s privacy fight with the Justice Department over whether prosecutors can force technology companies to hand over data stored overseas after Congress passed legislation that resolved the dispute.
… President Donald Trump on March 22 signed legislation into law that makes clear that U.S. judges can issue warrants for such data while giving companies an avenue to object if the request conflicts with foreign law.

“Solutions” my software architecture students should consider. Is India the testing sandbox for new innovations?
Amazon made a lightweight browser for India, and it's fantastic
Amazon introduced the Kindle Lite app late last month, offering a similar experience as the full-fledged Kindle client for a fraction of the size. Now, the retailer has rolled out a lightweight web browser dubbed Internet, which comes in at just 2MB and takes up just 26MB of storage space on your phone.
One of the key highlights with Amazon's browser is a private mode, which is essentially the same thing as Chrome's incognito mode.

(Related) Perhaps my software architecture students could generalize this to address our ongoing self-driving car debate?
Algorithmic Impact Assessments: A Practical Framework for Public Agency Accountability
GCN: Algorithmic Impact Assessments: A Practical Framework for Public Agency Accountability, a report by the AI Now Institute, a partnership between New York University, the American Civil Liberties Union and the Partnership on AI. [h/t Pete Weiss]
Why: As public agencies increasingly turn to automated processes and algorithms to make decisions, they need frameworks for accountability that can address inevitable questions – from software bias to the system’s impact on the community. The AI Now Institute’s Algorithmic Impact Assessment gives public agencies a practical way to assess automated decision systems and to ensure public accountability.
Proposal: Just as an environmental impact statement can increase agencies’ sensitivity to environmental values and effectively inform the public of coming changes, an AIA aims to do the same for algorithms before governments put them to use. The process starts with a pre-acquisition review in which an agency, other public officials and the public at large are given a chance to review the proposed technology before the agency enters into any formal agreements. Part of this process would include defining what the agency considers an “automated decision system,” disclosing details about the technology and its use, evaluating the potential for bias and inaccuracy as well as planning for third-party researchers to study the system after it becomes operational…”

Talk about stroking an ego! Or are we looking to understand the often inexplicable?
Every top New York Times best-seller this year has been about Trump

Tuesday, April 17, 2018

Is it election season already?
U.S. and U.K. Are Blaming Russia for a Global Hacking Campaign and Giving Advice on How to Thwart It
… This is the second time this year that the U.S. and U.K. have attributed cyberattacks to Russia, following their unprecedented attribution in February of last year’s extremely expensive NotPetya attack. It is also the first time that British and American agencies have combined such an announcement with technical advice on countering the threat, aimed at organizations who might be affected.
The new announcement, which comes in the context of tensions over Syria, relates to attacks on government and private-sector organizations, as well as critical infrastructure providers. The Internet service providers serving these organizations were also targeted, according to a joint statement by the U.S.’s Federal Bureau of Investigation (FBI) and Department of Homeland Security, and the National Cyber Security Centre division of the U.K.’s GCHQ intelligence agency.

The difference between competent security researchers and Facebook? Two hours vs. nine years!!!
Deleted Facebook Cybercrime Groups Had 300,000 Members
Hours after being alerted by KrebsOnSecurity, Facebook last week deleted almost 120 private discussion groups totaling more than 300,000 members who flagrantly promoted a host of illicit activities on the social media network’s platform. The scam groups facilitated a broad spectrum of shady activities, including spamming, wire fraud, account takeovers, phony tax refunds, 419 scams, denial-of-service attack-for-hire services and botnet creation tools. The average age of these groups on Facebook’s platform was two years.
On Thursday, April 12, KrebsOnSecurity spent roughly two hours combing Facebook for groups whose sole purpose appeared to be flouting the company’s terms of service agreement about what types of content it will or will not tolerate on its platform.
… Each of these closed groups solicited new members to engage in a variety of shady activities. Some had existed on Facebook for up to nine years; approximately ten percent of them had plied their trade on the social network for more than four years.

Of course, Google, Facebook, et al. have our (user) agreement for email scanning…
Protecting Email Privacy—A Battle We Need to Keep Fighting
EFF: “We filed an amicus brief in a federal appellate case called United States v. Ackerman Friday, arguing something most of us already thought was a given—that the Fourth Amendment protects the contents of your emails from warrantless government searches. Email and other electronic communications can contain highly personal, intimate details of our lives. As one court noted, through emails, “[l]overs exchange sweet nothings, and businessmen swap ambitious plans, all with the click of a mouse button.” In an age where almost all of us now communicate via email, text, or some other messaging service, electronic communications are, in effect, no different from letters, which the Supreme Court held were protected by the Fourth Amendment way back in 1878. Most of us thought this was pretty uncontroversial, especially since another federal appellate court held as much in a 2010 case called United States v. Warshak. However, in Ackerman, the district court added a new wrinkle. It held the Fourth Amendment no longer applies once an email user violates a provider’s terms of service and the provider shuts down the user’s account…

Something my Computer Security students will do in Week Six.
France builds WhatsApp rival due to surveillance risk
The French government is building its own encrypted messenger service to ease fears that foreign entities could spy on private conversations between top officials, the digital ministry said on Monday.
None of the world’s major encrypted messaging apps, including Facebook’s WhatsApp and Telegram – a favorite of President Emmanuel Macron – are based in France, raising the risk of data breaches at servers outside the country.

Continuing our exploration of Facebook.
Hard Questions: What Data Does Facebook Collect When I’m Not Using Facebook, and Why?
When does Facebook get data about people from other websites and apps?
Many websites and apps use Facebook services to make their content and ads more engaging and relevant. These services include:
  • Social plugins, such as our Like and Share buttons, which make other sites more social and help you share content on Facebook;
  • Facebook Login, which lets you use your Facebook account to log into another website or app;
  • Facebook Analytics, which helps websites and apps better understand how people use their services; and
  • Facebook ads and measurement tools, which enable websites and apps to show ads from Facebook advertisers, to run their own ads on Facebook or elsewhere, and to understand the effectiveness of their ads.
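Each of the services listed above works the same way at the HTTP level: the page embeds a script, iframe or image hosted on a Facebook origin, so the visitor's browser makes a request to that origin carrying the page URL as the Referer and whatever Facebook cookies the browser already holds. That request is the data collection. The following is an added example, not Facebook's code, that lists the third-party origins a page will make the browser contact. The page source is constructed (the pixel id and site name are made up); the function works on any HTML you feed it.

```python
"""List the third-party origins a page causes the browser to contact."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class EmbedCollector(HTMLParser):
    """Collect every URL the page loads through a src/href attribute."""
    LOADS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.LOADS.get(tag)
        if attr:
            for name, value in attrs:
                if name == attr and value:
                    self.urls.append(value)


def third_party_origins(page_url, html):
    """Return {origin: [urls]} for every origin other than the page's own."""
    parser = EmbedCollector()
    parser.feed(html)
    own = urlsplit(page_url)
    hits = {}
    for raw in parser.urls:
        full = urljoin(page_url, raw)   # resolves relative and protocol-relative URLs
        parts = urlsplit(full)
        # data: URIs and same-origin loads tell nobody new; skip them.
        if parts.scheme not in ("http", "https") or parts.netloc == own.netloc:
            continue
        origin = f"{parts.scheme}://{parts.netloc}"
        hits.setdefault(origin, []).append(full)
    return hits


# Constructed page: a news site with the JS SDK, a Like button iframe,
# a tracking pixel and two same-origin assets. Not a real site.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://connect.facebook.net/en_US/sdk.js"></script>
<script>fbq('track', 'PageView');</script>
</head><body>
<iframe src="//www.facebook.com/plugins/like.php?href=https%3A%2F%2Fnews.example%2Fstory"></iframe>
<img src="https://www.facebook.com/tr?id=123456789&ev=PageView&noscript=1" height="1" width="1">
<img src="/images/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for origin, urls in third_party_origins("https://news.example/story", SAMPLE_HTML).items():
        print(origin)
        for u in urls:
            print("   ", u)
```

The static scan understates the problem: a script like sdk.js can issue further requests once it runs, and the `href` query parameter on the Like button hands Facebook the article URL explicitly, not just through the Referer header. Even so, the static list is enough to answer the question the article poses, because any listed origin receives a request whether or not the visitor has an account.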

These Ex-Spies Are Harvesting Facebook Photos For A Massive Facial Recognition Database
… over the last five years a secretive surveillance company founded by a former Israeli intelligence officer has been quietly building a massive facial recognition database consisting of faces acquired from the giant social network, YouTube and countless other websites.
… That database forms the core of a facial recognition service called Face-Int, now owned by Israeli vendor Verint after it snapped up the product's creator, little-known surveillance company Terrogence, in 2017. Both Verint and Terrogence have long been vendors for the U.S. government, providing bleeding-edge spy tech to the NSA, the U.S. Navy and countless other intelligence and security agencies.

How do they hack the iPhone?
Stop Using 6-Digit iPhone Passcodes
… In September 2014, Apple made disk encryption the default on iPhone. In theory, that means that if your phone is locked and protected with a passcode, someone who gets their hands on it can’t read or extract the data from it unless they know or can guess the passcode.
… To protect against these kind of attacks, Apple has made a few changes in recent years. First of all, iPhones now require 6 digit passcodes by default (but people who have restored backups when upgrading to newer iPhones may still have 4 digit PINs). Second, after a certain amount of wrong guesses to unlock the device, iPhones are programmed to delay new guesses. Finally, there’s even a setting that you can turn on to wipe all data from the phone after 10 failed passcode attempts, as Apple’s iOS security guide explains.
If GrayKey works as advertised, it means Grayshift has found a way to avoid these delays and just keep guessing passcodes.

Too good to be true?
Clients hang up in disbelief when lawyer calls to tell them of $61M verdict over unwanted calls
… Lawyer John Barrett and his colleagues are having a hard time getting their message across when they call to deliver the news, the Wall Street Journal reports. The clients are hanging up before the lawyers or a paralegal can explain, or they are hanging up in disbelief after hearing the figures.
Barrett and co-counsel Brian Glaser won a $20.4 million verdict against Dish last year, an amount that was tripled by the judge. As a result, more than 18,000 people who received the calls are each eligible to receive $2,400 to $30,000, before payment of attorney fees and expenses.
The firm began making the calls after fewer than 8 percent of clients who received a letter about the verdict failed to return the required forms.

Something for my Software Architecture student project. (Building an ATM APP to replace physical ATMs)
Asian consumers love digital banking — here’s why Americans are less excited about it

NBER – The Impact of Artificial Intelligence on Innovation
The Impact of Artificial Intelligence on Innovation, Iain M. Cockburn, Rebecca Henderson, Scott Stern, NBER Working Paper No. 24449. Issued in March 2018.
“Artificial intelligence may greatly increase the efficiency of the existing economy. But it may have an even larger impact by serving as a new general-purpose “method of invention” that can reshape the nature of the innovation process and the organization of R&D.

Netflix hits 125 Million streaming subscribers
… Since this was financial data from the company, they have also disclosed the revenue and profit they earned through the first quarter of this year. As per their official financial report, Netflix has generated $3.7 billion in revenue for Q1 with a net profit of $290 million.

Preparing my geeks.
Google’s new DIY AI kits could help shape the future
… Google just announced two new “AIY” (it’s like DIY, but for artificial intelligence) kits that build upon the ideas the company set forth with its first-generation kits. This time around, however, the new kits ship with everything a student might need to build AI solutions, including a Raspberry Pi Zero WH board.
“We’re taking the first of many steps to help educators integrate AIY into STEM lesson plans and help prepare students for the challenges of the future by launching a new version of our AIY kits,” Billy Rutledge, Director of AIY Projects at Google, wrote in a blog post. “The Voice Kit lets you build a voice controlled speaker, while the Vision Kit lets you build a camera that learns to recognize people and objects. The new kits make getting started a little easier with clearer instructions, a new app and all the parts in one box.”
He continued, “To make setup easier, both kits have been redesigned to work with the new Raspberry Pi Zero WH, which comes included in the box, along with the USB connector cable and pre-provisioned SD card. Now users no longer need to download the software image and can get running faster. The updated AIY Vision Kit v1.1 also includes the Raspberry Pi Camera v2.”
Here’s a video of the Vision Kit in action:
This is a very cool example of a tech company taking some initiative to help encourage communities to enhance their STEM programs in schools. Google’s new AIY Voice Kit and Vision Kit are already available online and in Target stores across the country, and Google hopes to offer them in other regions in the coming months. The Voice Kit is available for $49.99, while the more complex Vision Kit costs $89.99.