Friday, January 19, 2018

Perhaps there is bliss in ignorance? There seems to be no significant downside – so why bother with security?
Security Breaches Don't Affect Stock Price
Interesting research: "Long-term market implications of data breaches, not," by Russell Lange and Eric W. Burger.
Abstract: This report assesses the impact disclosure of data breaches has on the total returns and volatility of the affected companies' stock, with a focus on the results relative to the performance of the firms' peer industries, as represented through selected indices rather than the market as a whole. Financial performance is considered over a range of dates from 3 days post-breach through 6 months post-breach, in order to provide a longer-term perspective on the impact of the breach announcement.




There are some things it is best NOT to ignore.
A friend tweeted to me tonight:
Commissioner Miner @fanCRTCProfling
.@PogoWasRight you have been beating this drum and saying this for a long time now... years. "report reveals they are instead 'frequently ignored or misunderstood". Now u have a report! ;) https://www.theinquirer.net/inquirer/news/3024702/hackerone-2018-hacker-report…
5:45 PM - Jan 18, 2018
Indeed we do.
Carly Page reports:
One in four ethical hackers have not reported a vulnerability that they found because the company didn’t have a channel to disclose it.
That’s according to HackerOne’s ‘2018 Hacker Report’, which surveyed 1,698 members of the hacking community – making it the largest documented survey ever conducted of the ethical hacking community.
One of the standout discoveries was that almost 25 per cent of respondents said they were unable to disclose a security flaw because the bug-ridden company in question lacked a vulnerability disclosure policy (VDP).
This doesn’t mean the hackers don’t try – with HackerOne noting that many attempt to contact firms via social media and email but are “frequently ignored or misunderstood.”
Read more on Inquirer.net. And keep in mind that the rate of reporting will drop and/or be chilled if law enforcement treats ethical hackers or greyhats like blackhats and attempts to prosecute them. Our federal hacking statute, CFAA, needs updating and revision and the revisions need to provide protection to researchers who attempt to responsibly disclose what they have found.




Here’s another thing to ignore?
How to Comply with GDPR
… A recent study from HyTrust, conducted at the VMworld 2017 conference in Las Vegas, found that a whopping 79 percent of companies have no plans in place for GDPR. Another study from Varonis revealed that a whopping 90 percent of IT decision makers saw challenges complying with GDPR a year before the enforcement date.




Businesses must have surveillance cameras tied into the police system.
New year, new surveillance expansion. Chad Livengood reported this on January 3, and Joe Cadillic kindly sent it along for all of us to mutter about:
  • Plan would eventually mandate every retail business in Detroit with late-night hours to have surveillance cameras
  • City will start with requiring camera systems for businesses open midnight-4 a.m.
  • City will then move to businesses open after 10 p.m.
Mayor Mike Duggan’s administration is moving forward with a plan to eventually mandate every retail business in Detroit with late-night hours have surveillance cameras tied into Project Green Light, the Detroit Police Department’s real-time crime monitoring system credited with a decrease in carjackings and overall crime around participating businesses.
In an interview Wednesday with Crain’s, Duggan said he will ask City Council later this year to mandate Project Green Light high-definition video systems for all retail businesses open after 10 p.m.
Read more on Crain’s.




Why would this police officer want to disable the camera? To avoid another “through the door” shooting? But shouldn’t they reconnect the camera when done?
From the this-almost-feels-like-opposites-day dept., Meghan McRoberts reports:
An Indian River County man feels his privacy was violated after he captured Vero Beach police disconnecting a surveillance camera outside his front door.
Police were investigating a crime the man says he had nothing to do with.
Vero Beach Police Chief David Currey stands by his officers’ actions.
Of course he does. But this is a weird one – is removing surveillance a privacy violation? I think if we view it as law enforcement damaging or seizing property, then there’s an issue, but is it a privacy issue? Help!
Read more on ABC.




Makes me ask if these guys know how to run a bank.
Wells Fargo apologizes for glitch that emptied out some bank accounts
Reports show a glitch caused some online bill payments to be processed twice. That is triggering overdraft protection fees. Some customers have gotten emails saying their checking accounts had nothing in them.
"Some customers may be having an issue with their Bill Pay transactions. We are working to fix the issue and resolve this tonight. Thanks for your patience," the company tweeted Wednesday evening.
The bank said Thursday morning that technical teams have corrected the errors, but customers should still check to make sure all is well with their accounts.




Did you think of Lebanon as a major hacking nation?
Report links hacking campaign to Lebanese security agency
A major hacking operation tied to one of the most powerful security and intelligence agencies in Lebanon has been exposed after careless spies left hundreds of gigabytes of intercepted data exposed to the open internet, according to a report published Thursday.
Mobile security firm Lookout, Inc. and the Electronic Frontier Foundation, a digital rights group, said the haul, which includes nearly half a million intercepted text messages, had simply been left online by hackers linked to Lebanon’s General Directorate of General Security.
… EFF and Lookout’s report: https://www.lookout.com/info/ds-dark-caracal-ty




Another tease for my students.
What is blockchain? The most disruptive tech in decades
The distributed ledger technology, better known as blockchain, has the potential to eliminate huge amounts of record-keeping, save money and disrupt IT in ways not seen since the internet arrived.




Free tool for business.
WhatsApp officially launches its app for businesses in select markets
WhatsApp today officially launched its new WhatsApp Business app in select markets, including Indonesia, Italy, Mexico, the U.K. and the U.S., ahead of its planned worldwide rollout. The addition of business profiles and new messaging tools aimed at business customers is part of the company’s broader plan to generate revenue by charging larger enterprises for advanced tools to communicate with customers on the platform now used by over a billion people worldwide.
The WhatsApp Business app is the initial entry point in this market.
Aimed at smaller businesses, the free app – Android-only for now – helps companies better connect with their customers and establish an official presence on WhatsApp’s service. Essentially, it’s the WhatsApp version of a Facebook Page.




No one reads the Users Manual.
Guide offers tips and tricks to enhance value of Google Maps
Digital Trends: “Google Maps boasts more than 1 billion active users today, making it the most popular navigation software in the world. It gets millions of us where we need to go every day, but are you sure you’re getting the most out of it? It’s easy to miss new features or hidden options. That’s why we’ve compiled this guide on how to use Google Maps. It’s time to take your first step on the road to mastery with our Google Maps tips and tricks…”




I didn’t know you could still do this.




My students should be interested!
Google Opens Up Its Tech Training Program to All, Giving You a Reason to Learn New Skills
If you want to work at Google someday but aren’t sure you have the resume for it, the company wants to train you. To help prospective employees bridge skills gaps, the tech giant is partnering with online course provider Coursera to offer access to its IT training program, previously only open to existing Googlers.
It may seem counterintuitive for Google to invest in the education of people who don’t and may never work for the company. It could even bolster the skills of individuals who work for competitors, you might imagine. But of the 10,000 U.S. residents who receive scholarships from Google to complete the certificate, Google is betting that it will be able to hire some of them down the road.
… The program will involve 64 hours of video lessons as well as labs and evaluations, and it will teach IT basics such as troubleshooting, customer service, networking, operating systems, system administration, automation and security. It will take about eight months to complete if a student spends eight to 10 hours a week on the program, though students can work at their own pace, according to Coursera.
Those interested in financial aid can apply by Feb. 20, while others may be selected by participating nonprofits. You don’t need an IT background or a four-year college degree to qualify. For those who don’t get a free ride, the full cost of the program is $49 a month.


Thursday, January 18, 2018

The unexplored country? Every new technology must re-learn security from scratch?
Some Basic Rules for Securing Your IoT Stuff
Most readers here have likely heard or read various prognostications about the impending doom from the proliferation of poorly-secured “Internet of Things” or IoT devices. Loosely defined as any gadget or gizmo that connects to the Internet but which most consumers probably wouldn’t begin to know how to secure, IoT encompasses everything from security cameras, routers and digital video recorders to printers, wearable devices and “smart” lightbulbs.
Throughout 2016 and 2017, attacks from massive botnets made up entirely of hacked IoT devices had many experts warning of a dire outlook for Internet security. But the future of IoT doesn’t have to be so bleak. Here’s a primer on minimizing the chances that your IoT things become a security liability for you or for the Internet at large.




Another resource for my Data Management students!
Research Data Management at Harvard
Releasing in 2018
  • Harvard-wide research data management website: http://datamanagement.harvard.edu (Q1)
  • Single contact: datamanagement@harvard.edu (Q1)




Should we require software like this to go through testing like the FDA uses for new drugs?
Mechanical Turkers may have out-predicted the most popular crime-predicting algorithm
Our most sophisticated crime-predicting algorithms may not be as good as we thought. A study published today in Science Advances takes a look at the popular COMPAS algorithm — used to assess the likelihood that a given defendant will reoffend — and finds the algorithm is no more accurate than the average person’s guess.
… Reached by The Verge, Equivant contested the accuracy of the paper in a lengthy statement, calling the work “highly misleading.”
COMPAS has been criticized by ProPublica for racial bias (a claim some statisticians dispute), but the new paper, from Hany Farid and Julia Dressel of Dartmouth, tackles a more fundamental question: are COMPAS’ predictions any good? Drawing on ProPublica’s data, Farid and Dressel found the algorithm predicted reoffenses roughly 65 percent of the time — a low bar, given that roughly 45 percent of defendants reoffend.
In its statement, however, Equivant argues it has cleared the 70 percent AUC standard for risk assessment tools.




I’m kind of collecting tools like these.
Loom 2.0 - Create and Edit Screencasts
Loom is a free screencasting tool that works in the Chrome web browser. In addition to using it on a Chromebook, you can use Loom on a Mac or Windows computer as long as you use the Chrome browser. Loom will let you create a recording of anything on your computer's screen. There's also an option to use your webcam while recording.
This week Loom announced the launch of version 2.0. Loom 2.0 includes the option to trim sections out of your videos. Initially, Loom limited recordings to ten minutes. That restriction has been removed in the latest version of Loom. Learn more about Loom 2.0 by watching the video that is embedded below. Watch for the bit about how you can use emoji reactions with your videos.




Denver is still in the hunt.
Amazon narrows HQ2 search to 20 cities, moving to next phase in contest for $5B economic prize
Amazon has selected 20 cities to move to the next phase in its HQ2 selection process, the latest twist in an unprecedented headquarters search that has turned into a national curiosity.
The cities, named by the company a few moments ago, are Toronto, Columbus, Indianapolis, Chicago, Denver, Nashville, Los Angeles, Dallas, Austin, Boston, New York City, Newark, Pittsburgh, Philadelphia, Montgomery County, Washington, D.C., Raleigh, Northern Virginia, Atlanta, and Miami.
… The company employs more than 540,000 people worldwide, taking into account its Whole Foods acquisition, up from just 20,000 a decade ago.
During that period, Amazon has expanded beyond its roots in e-commerce and digital reading into cloud computing, logistics, drones, brick-and-mortar retail stores, artificial intelligence and many other parts of the technology world.


Wednesday, January 17, 2018

I’m much more interested in the steps they’ve agreed to take now rather than before the breach.
There’s an update to the University of Central Florida breach that was first disclosed in early 2016. The Orlando Sentinel reports:
The University of Central Florida has agreed to spend an additional $1 million annually to protect students’ and employees’ personal information, according to a legal settlement reached with former students in the wake of a hacking that exposed 63,000 Social Security numbers.
UCF agreed to add three information security positions, designate a full-time internal senior information security auditor and tighten access to personal information, as part of the settlement filed in Orange Circuit Court late last year.
The FBI’s Jacksonville office investigated the incident, which became public in early 2016, but has not released information on how it happened.
Read more on Orlando Sentinel, but this is part of what’s wrong with these settlements:
The five plaintiffs named in the suit will each receive $500, and the university will pay $64,200 for attorney fees and costs.




No wonder they screwed up and issued a false alert.
Hawaii’s missile alert agency keeps its password on a Post-it note
… Serious questions have been asked about how the bogus missile alert could have been sent out, and what can be done to ensure that members of the public are more rapidly informed if more mistakes occur in the future.
My feeling is that although there was no foul play behind the false missile warning, HEMA might be wise to also look at its general approach to IT security.
As Business Insider describes, evidence has come to light that some of the organisation’s staff might be in the habit of sticking Post-it notes containing passwords onto their computer monitors.
That in itself is far from ideal, but what’s even worse is that these Post-it note passwords have been caught on camera by the media, and available for anybody to view on the internet.




How much should Amazon disclose?
Amazon won't say if it hands your Echo data to the government
Amazon has a transparency problem.
Three years ago, the retail giant became the last major tech company to reveal how many subpoenas, search warrants, and court orders it received for customer data in a half-year period. While every other tech giant had regularly published its government request figures for years, spurred on by accusations of participation in government surveillance, Amazon had been largely forgotten.
Eventually, people noticed and Amazon acquiesced.
… After its second report, we asked Amazon spokesperson Frank Fellows in July 2016 if the company would include data such as Echo audio, retail, and mobile service data in the future. He declined to comment.




My students have been asking about BlockChain.
Maersk, IBM create world's first blockchain-based, electronic shipping platform
Maersk and IBM today announced a joint venture to deploy a blockchain-based electronic shipping system that will digitize supply chains and track international cargo in real time.
The new platform could save the global shipping industry billions of dollars a year by replacing the current EDI- and paper-based system, which can leave containers in receiving yards for weeks, according to the companies.




Why didn’t Mark Zuckerberg write this article?




Get researching!
Dimensions – Next-generation research and discovery tool links 128 million documents
This is a free and fee based service launched by Digital Science – “Global technology company Digital Science is proud to announce the launch of Dimensions, a new platform that aims to democratise and transform scholarly search. A collaboration between six Digital Science portfolio companies (Altmetric, Digital Science Consultancy, Figshare, Readcube, Symplectic and ÜberResearch) and more than 100 research funders and universities, Dimensions offers a better, faster way to discover, understand and analyse the global research landscape, without wasting time searching for information across multiple poorly integrated tools. Dimensions breaks down barriers to discovery and innovation by making over 860 million academic citations freely available, and delivers one-click access to over 9 million Open Access articles.
… Built using real-world use cases, it combines advanced concept extraction, natural language processing, categorization and complex machine learning to create a flexible and robust tool that meets the most demanding modern research needs.”


Tuesday, January 16, 2018

What would have made this legal? Is there anything illegal about re-publishing data that has been publicly available for months? Isn’t that simply “data aggregation?”
Canadian Man Charged Over Leak of Three Billion Hacked Accounts
An Ontario man made his first court appearance Monday to answer charges of running a website that collected personal and password data from some three billion accounts, and sold them for profit.
Jordan Evan Bloom, 27, of Thornhill earned some Can$247,000 ($198,800 US) by selling the data for a "small fee" via leakedsource.com, the Royal Canadian Mounted Police said in a statement.
The information was stolen during massive hacks of websites including LinkedIn and the Ashley Madison online dating service.
Authorities have shut down Bloom's website, but another with the same domain name hosted by servers in Russia is still operating.




Something for my Computer Security students to consider. Why I start so many descriptions of technology with the phrase, “It’s like...”
Law, Metaphor and the Encrypted Machine
Gill, Lex, Law, Metaphor and the Encrypted Machine (2017). Available at SSRN: https://ssrn.com/abstract=2933269 – “The metaphors we use to imagine, describe and regulate new technologies have profound legal implications. This paper offers a critical examination of the metaphors we choose to describe encryption technology in particular, and aims to uncover some of the normative and legal implications of those choices. Part I provides a basic description of encryption as a mathematical and technical process. At the heart of this paper is a question about what encryption is to the law. It is therefore fundamental that readers have a shared understanding of the basic scientific concepts at stake. This technical description will then serve to illustrate the host of legal and political problems arising from encryption technology, the most important of which are addressed in Part II. That section also provides a brief history of various legislative and judicial responses to the encryption “problem,” mapping out some of the major challenges still faced by jurists, policymakers and activists. While this paper draws largely upon common law sources from the United States and Canada, metaphor provides a core form of cognitive scaffolding across legal traditions. Part III explores the relationship between metaphor and the law, demonstrating the ways in which it may shape, distort or transform the structure of legal reasoning. Part IV demonstrates that the function served by legal metaphor is particularly determinative wherever the law seeks to integrate novel technologies into old legal frameworks. Strong, ubiquitous commercial encryption has created a range of legal problems for which the appropriate metaphors remain unfixed. Part V establishes a loose framework for thinking about how encryption has been described by courts and lawmakers—and how it could be. What does it mean to describe the encrypted machine as a locked container or building? As a combination safe? As a form of speech? As an untranslatable library or an unsolvable puzzle? What is captured by each of these cognitive models, and what is lost? This section explores both the technological accuracy and the legal implications of each choice. Finally, the paper offers a few concluding thoughts about the utility and risk of metaphor in the law, reaffirming the need for a critical, transparent and lucid appreciation of language and the power it wields.”




Possible insights from a war fighting strategy?
U.S. Army Concept for Cyberspace and Electronic Warfare Operations 2025-2040
The U.S. Army Concept for Cyberspace and Electronic Warfare Operations 2025-2040, CRS report via FAS. “TRADOC Pamphlet 525-8-6, The U.S. Army Concept for Cyberspace and Electronic Warfare Operations expands on the ideas presented in TRADOC Pamphlet 525-3-1, The U.S. Army Operating Concept: Win in a Complex World (AOC). This document describes how the Army will operate in and through cyberspace and the electromagnetic spectrum and will fully integrate cyberspace, electronic warfare (EW), and electromagnetic spectrum operations as part of joint combined arms operations to meet future operational environment challenges. Cyberspace and EW operations provide commanders the ability to conduct simultaneous, linked maneuver in and through multiple domains, and to engage adversaries and populations where they live and operate. Cyberspace and EW operations provide commanders a full range of physical and virtual, as well as kinetic and non-kinetic, capabilities tailored into combinations that enhance the combat power of maneuver elements conducting joint combined operations. This concept serves as a foundation for developing future cyberspace and electronic warfare capabilities and helps Army leaders think clearly about future armed conflict, learn about the future through the Army’s campaign of learning, analyze future capability gaps and identify opportunities, and implement interim solutions to improve current and future force combat effectiveness.”


(Related)
Trust War: Dangerous Trends in Cyber Conflict




Perspective. Big Data requires big infrastructure.
Cloud computing: Now Google adds more data centers, plans its own undersea cable
… The advertising-to-cloud-computing giant said its new Netherlands and Montreal cloud computing regions will open in the first quarter of 2018, followed by Los Angeles, Finland, and Hong Kong.
Like other cloud infrastructure companies, Google orders its cloud computing resources into regions which are then subdivided into zones, which include one or more data centers from which customers can run their services. It currently has 15 regions made up of 44 zones.
… It's the second announcement of big cloud computing infrastructure spending of the day: Google's big rival Amazon Web Services has already announced it has opened its 50th data center availability zone, in London. AWS has plans for 12 more AZs and four more regions.




Student toolkit.
Search your Handwritten Notes with Gmail OCR
One of the most useful features of Evernote and OneNote is Image OCR. When you clip an image – be it a screenshot, a scanned business card, or a picture of the whiteboard – these tools automatically detect the text inside the image and make the image searchable.
Gmail text search has always been very capable but some might not know that Gmail, like Evernote, also performs OCR on images contained in email messages. When you perform searches inside Gmail or Google Inbox, the results always contain matching images that contain the search keywords.
… Text recognition in Gmail works for both image attachments as well as inline embedded images.
Google Drive and Google Keep are other Google products that offer you the ability to search for text within stored images. In the case of Google Keep, you also have the option to extract the text detected inside in an image and store it within the note itself.


(Ditto)


Monday, January 15, 2018

Heads up!
https://www.marketwatch.com/story/have-you-received-an-email-from-netflix-read-this-first-2018-01-12?reflink=MW_GoogleNews&google_editors_picks=true
Have you received an email from Netflix? Read this first…
Thousands of Netflix customers have been scammed into handing out their credit-card information through a convincing-looking false email.
The phishing scam prompted users to update their payment information on the site to avoid service being suspended. Once they clicked “update payment,” according to security company Mailguard, they were taken to what looked like a legitimate log-in portal to input credit-card information.
Scams like this, called “brandhacking,” rely on the strength of a company’s name to get users to trust such emails.






Interesting questions for Security experts who discover someone else’s breach.
https://www.troyhunt.com/streamlining-data-breach-disclosures-a-step-by-step-process/
Streamlining Data Breach Disclosures: A Step-by-Step Process
I don't know how many data breaches I'm sitting on that I'm yet to process. 100? 200? It's hard to tell because often I'm sent collections of multiple incidents in a single archive, often there's junk in there and often there's redundancy across those collections. All I really know is that there's hundreds of gigabytes spread across thousands of files. Sometimes - like in the case of the recent South Africa situation - I could be sitting on data for months that's actually very serious in nature and needs to be brought to public awareness.
The biggest barrier by far to processing these is the effort involved in disclosure. I want to ensure that any incidents I load into Have I Been Pwned (HIBP) are first brought to the awareness of the organisations involved and whilst that may seem straightforward, it's often quite the opposite. There are notable exceptions (such as the recent Disqus disclosure), but more often than not, it's a laborious process of varying success. Because this is something I do over and over again, I want to streamline the process and more than that, I want to seek community input.
Tell me if I'm doing this right. This post documents how I intend to handle serious incidents with real consequences and frankly, I don't want to stuff it up.






Perhaps they should spend less time staring at encrypted phones?
FBI Is Disrupting 10X Fewer Cyber Crime Rings Than In 2015
Joseph Marks reports:
FBI agents took down or disrupted only about one-tenth as many cyber criminal operations during the 2017 fiscal year as they did three years earlier, according to annual reports.
The number of cyber crime operations that FBI agents dismantled or disrupted fell from nearly 2,500 in fiscal year 2014, the first year reliable records were kept, to just 262 in fiscal year 2017, according to annual audits.
Agents disrupted or dismantled 510 cyber crime operations in fiscal year 2015 and 259 operations in fiscal year 2016, according to the audits.
The FBI missed its own target of 500 disruptions or dismantlements in fiscal years 2016 and 2017, according to the report.
Read more on NextGov.






Perspective.
https://www.bloomberg.com/news/articles/2018-01-15/alibaba-s-ai-outgunned-humans-in-key-stanford-reading-test
Alibaba's AI Outguns Humans in Reading Test
Alibaba has developed an artificial intelligence model that scored better than humans in a Stanford University reading and comprehension test.
Alibaba Group Holding Ltd. put its deep neural network model through its paces last week, asking the AI to provide exact answers to more than 100,000 questions comprising a quiz that’s considered one of the world’s most authoritative machine-reading gauges. The model developed by Alibaba’s Institute of Data Science of Technologies scored 82.44, edging past the 82.304 that rival humans achieved.
Alibaba said it’s the first time a machine has out-done a real person in such a contest. Microsoft achieved a similar feat, scoring 82.650 on the same test, but those results were finalized a day after Alibaba’s, the company said.






Not sure I agree.
https://www.teachthought.com/literacy/5-dimensions-of-critical-digital-literacy/
5 Dimensions Of Critical Digital Literacy: A Framework
Digital Literacy is increasingly important in an age where many students read as much on screens as they do from books.
In fact, the very definition of many of these terms is changing as the overlap across media forms increases. Interactive eBooks can function like both long-form blogs and traditional books. Threaded email can look and function like social media. Email and texting and social media messaging are increasingly similar.
1. Decoding
Focus: the media–modes, structures, and conventions of digital media
2. Meaning Making
Focus: the reader–style, purpose, interpretation
3. Analyzing
Focus: the author–aesthetics, ethics, and related choices
4. Persona
Focus: a community–how others perceive the issue, topics, and context
5. Using
Focus: a marriage of self and community–problem-solving and data acquisition for a variety of authentic–and changing–purposes






Could be amusing.
https://www.engadget.com/2018/01/15/googles-museum-app-finds-your-fine-art-doppelganger/
Google's museum app finds your fine art doppelgänger
If you've ever wondered if there's a museum portrait somewhere that looks like you and you're ready to have your ego crushed, there's now an app for that. Google Arts & Culture's latest update now lets you take a selfie, and using image recognition, finds someone in its vast art collection that most resembles you. It will then present you and your fine art twin side-by-side, along with a percentage match, and let you share the results on social media, if you dare.



Sunday, January 14, 2018

Some big names on this list. Better check for your site!
by Steven Englehardt, Gunes Acar, and Arvind Narayanan
Recently we revealed that “session replay” scripts on websites record everything you do, like someone looking over your shoulder, and send it to third-party servers. This en-masse data exfiltration inevitably scoops up sensitive, personal information — in real time, as you type it. We released the data behind our findings, including a list of 8,000 sites on which we observed session-replay scripts recording user data.
As one case study of these 8,000 sites, we found health conditions and prescription data being exfiltrated from walgreens.com. These are considered Protected Health Information under HIPAA. The number of affected sites is immense; contacting all of them and quantifying the severity of the privacy problems is beyond our means. We encourage you to check out our data release and hold your favorite websites accountable.
Student data exfiltration on Gradescope
As one example, a pair of researchers at UC San Diego read our study and then noticed that Gradescope, a website they used for grading assignments, embeds FullStory, one of the session replay scripts we analyzed. We investigated, and sure enough, we found that student names and emails, student grades, and instructor comments on students were being sent to FullStory’s servers. This is considered Student Data under FERPA (US educational privacy law). Ironically, Princeton’s own Information Security course was also affected. We notified Gradescope of our findings, and they removed FullStory from their website within a few hours.
Read more on Freedom to Tinker.
wordpress.com
microsoft.com
adobe.com
godaddy.com
skype.com
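One way to run the check the authors invite, as an added example that is not part of the Freedom to Tinker study or its data release: a static scan of a page's HTML for third-party session-replay loaders. The vendor domain map (fullstory.com, hotjar.com) is an assumption to extend, and SAMPLE_HTML is a constructed page.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recorders load from. FullStory is the vendor named in the post;
# the domain names themselves are assumptions here, extend the map as needed.
REPLAY_VENDORS = {"fullstory.com": "FullStory", "hotjar.com": "Hotjar"}

class ScriptCollector(HTMLParser):
    """Collect every <script src=...> URL and every inline <script> body."""
    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.sources += [v.strip() for k, v in attrs if k == "src" and v]

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag.lower() != "script"

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.lower())

def vendor_for(host):
    """Vendor owning host (the domain itself or a subdomain of it), else None."""
    return next((v for d, v in REPLAY_VENDORS.items()
                 if host == d or host.endswith("." + d)), None)

def find_session_replay(html, page_host):
    """Return (vendor, evidence) pairs for third-party recorders; external scripts
    match by hostname, inline loader snippets by the vendor domain in their text."""
    parser = ScriptCollector()
    parser.feed(html)
    hits = []
    for src in parser.sources:
        host = (urlparse(src).hostname or "").lower()  # "" for relative URLs
        if host and host != page_host and vendor_for(host):
            hits.append((vendor_for(host), src))
    for body in parser.inline:
        hits += [(v, "inline loader references " + d)
                 for d, v in REPLAY_VENDORS.items() if d in body]
    return hits

# Constructed sample: a first-party script, a recorder loaded through a
# protocol-relative URL, and the inline configuration snippet that set it up.
SAMPLE_HTML = """<html><head><script src="/static/app.js"></script>
<script src="//edge.fullstory.com/s/fs.js" async></script>
<script>window['_fs_host'] = 'fullstory.com';</script></head></html>"""
```

Recorders are usually installed by an inline snippet that injects the script at runtime, so a static scan is only a first pass; confirm in the browser's network log, where the recorder's uploads to the vendor are visible.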




An opportunity to talk about proper procedures with my Computer Security students. One accidental button push? Also, imagine the little fat kid who runs North Korea ordering his hackers to send these warnings.
Hawaii missile false alarm triggers shock, blame and apologies
The alert of an incoming ballistic missile was sent wrongly on Saturday morning by an emergency system worker.
Victims of the ordeal spoke of hysteria and panicked evacuations.
The false alarm sparked recriminations, with state officials apologising and President Donald Trump's response called into question.
It was a mistake by an employee at Hawaii's Emergency Management Agency (EMA) who "pushed the wrong button" during procedures that occur during the handover of a shift.
Mobile phone users received the message at 08:07 (18:07 GMT):
"Ballistic missile threat inbound to Hawaii. Seek immediate shelter. This is not a drill."
The alert was corrected by email 18 minutes later but there was no follow-up mobile text for 38 minutes, the Honolulu Star-Advertiser reports.




Tools for all my students.
In 2016, a University of Phoenix study revealed that two out of three U.S. adults were aware that their social media accounts had been hacked. Furthermore, a majority of adults limit what personal information they share.
But the hackers keep on coming.




Microsoft is asking the Supreme Court about this…
David Fraser of McInnes Cooper writes:
Whether a provincial court will grant police a “production order” under the Criminal Code of Canada requiring a non-Canadian company to produce any of its records has, to date, depended on the province in which police seek it. Some courts refuse an order where the company is wholly outside of Canada; some require an address in Canada for service to grant the order; and others grant the order, apparently unconcerned about the company’s Canadian “presence”. That could however change with the B.C. Court of Appeal’s January 9, 2018, decision in British Columbia (Attorney General) v. Brecknell. The Court’s decision that Craigslist is “present” in B.C. and can be subject to a Criminal Code production order issued from its provincial court might lead to greater national uniformity – and more exposure to foreign companies doing only virtual business in Canada:
[Much more follows. Bob]




Perspective.
John Sculley: Why AI Is the Tech Trend to Watch in 2018
… “AI is going to be foundational in every industry. I’m seeing it in fintech, market tech, health tech…. It’s one of those fundamental changes. In the previous industrial age, it was all about electricity and oil; in the future [AI is] going to be a commodity that will be deployed in many, many different ways, and will be something you can just plug into.




Perspective.
39 million Americans now own a smart speaker, report claims
One in six Americans now own a smart speaker, according to new research out this week from NPR and Edison Research – a figure that’s up 128 percent from January, 2017. Amazon’s Echo speakers are still in the lead, the report says, as 11 percent now own an Amazon Alexa device compared with 4 percent who own a Google Home product.
Today, 16 percent of Americans own a smart speaker, or around 39 million people.




Also one of my favorites.
W3Schools - Your HTML Reference
W3Schools is my go-to reference for all questions regarding how to write any aspect of HTML code. In fact, when I was recently asked a question about writing HTML that I couldn't immediately answer, I turned to W3Schools.
W3Schools offers complete tutorials for learning to write HTML, CSS, JavaScript, and PHP. If you're just getting started, work through the tutorials in sequence. Each tutorial has a little interactive section where you can test your new knowledge. If you're experienced and just need a quick reminder or clarification, W3Schools has that too.
W3Schools is a great resource for the student who is capable of directing himself or herself through a sequence of tutorials. W3Schools is not great for a student who needs a clearly defined "do this now," "do this next" type of lesson. For that type of student, I would recommend trying Thimble by Mozilla.




Will the US Navy follow suit?
The Royal Navy updated a famous WWII propaganda poster to warn its sailors about tweeting



Saturday, January 13, 2018

Never leave your computer unattended.
Simple Attack Allows Full Remote Access to Most Corporate Laptops
Researchers have discovered a flaw in Intel's Advanced Management Technology (AMT) implementation that can be abused with less than a minute of physical access to the device.
An Evil Maid attack could ultimately give an adversary full remote access to a corporate network without having to write a single line of code.
The flaw was discovered by F-Secure senior security consultant Harry Sintonen, and disclosed today.
"In practice, it can give an attacker complete control over an individual's work laptop, despite even the most extensive security measures."
The problem is that setting a BIOS password (standard procedure) does not usually prevent access to the AMT BIOS extension – the Intel Management Engine BIOS Extension (MEBx). Unless this separate password is changed, and usually it is not, the default 'admin' password will give the attacker access to AMT.




Have politicians learned anything about security?
Shane Harris reports:
The Russian hackers who stole emails from the Democratic National Committee as part of a campaign to interfere in the 2016 election have been trying to steal information from the U.S. Senate, according to a report published Friday by a computer security firm.
Beginning last June, the Russian hackers set up websites that were meant to look like an email system available only to people using the Senate’s internal computer network, said the report by Trend Micro Inc. The sites were designed to trick people into divulging their personal credentials, such as usernames and passwords.
The Associated Press was first to write about the report.
Read more on Washington Post.




I wonder what the FBI uses?
Microsoft Brings End-to-End Encryption to Skype
Microsoft this week announced that end-to-end encrypted communications are now available for preview to Skype insiders.
Called Private Conversations, the newly introduced feature secures both text chat messages and audio calls, Microsoft Program Manager Ellen Kilbourne revealed.
Furthermore, end-to-end encryption is also applied to any files users send to their conversational partners, including images, audio files, and videos. Not only will the contents of these conversations be hidden in the chat list, but they won’t appear in notifications either, to keep users’ information private.
Private Conversations, Kilbourne explains in a post, is using the industry standard Signal Protocol by Open Whisper Systems. The protocol is already providing end-to-end encryption to users of popular messaging applications such as Signal, WhatsApp, and Facebook Messenger.




Getting your ducks in order.
The road to AI leads through information architecture
… The evolution of the auto industry is similar in form to the currently nascent world of artificial intelligence. And like the auto industry, in order for AI to flourish, organizations must adopt and embrace a prerequisite set of conditions, or building blocks. For example, AI requires machine learning, machine learning requires analytics, and analytics requires the right data and information architecture (IA). In other words, there is no AI without IA. These capabilities form the solid rungs of what we call the “AI Ladder” — the increasing levels of analytic sophistication that lead to, and buttress, a thriving AI environment.




I want to talk this through with my Data Management class. Think of what is required to implement it?
U.S. Supreme Court to Review Bid to Collect Internet Sales Tax
The U.S. Supreme Court will consider freeing state and local governments to collect billions of dollars in sales taxes from online retailers, agreeing to revisit a 26-year-old ruling that has made much of the internet a tax-free zone.
Heeding calls from traditional retailers and dozens of states, the justices said they’ll hear South Dakota’s contention that the 1992 ruling is obsolete in the e-commerce era and should be overturned.




Because I’m hoping they let me teach Math again…
10 Good Resources for Math Teachers and Students




I’m sure the President would (like to) agree with Dilbert.