The Samsung ‘failure du jour?’  By now, this looks like ‘enemy action.’

Samsung warns viewers: Our smart TVs could be snooping on your private conversations

Katherine Rushton reports:

If you settle down to watch television this evening, you might want to think twice about what you say out loud.

Samsung has warned owners of its internet-connected ‘smart TV’ that anything they discuss while sitting near the device may be overheard.

The popular televisions are voice activated, so users can switch channels or ask for suggestions of what to watch simply by giving a verbal command.

Read more on DailyMail.

Backups are so simple to implement this should never happen.

Ransomware makes California nursing school feel ill

Ryan Francis reports:

About three months ago, an instructor at Gurnick Academy, a California-based nursing school, had his biggest fear come alive.  When he tried to access his lectures, the files were encrypted.  The teacher was literally locked out of his classroom.

If it wasn’t for a quick acting IT department, the entire school might have been in the same situation.  They noticed the incident at the early stage and managed to prevent the encryption from spreading by disconnecting the Infected device from the corporate network.

Read more on CSO Online.

Can it really be that simple?

http://www.cbsnews.com/news/beware-new-can-you-hear-me-scam/

Beware new "can you hear me" scam

…   Virginia police are now warning about the scheme, which also sparked warnings by Pennsylvania authorities late last year.  The “can you hear me” con is actually a variation on earlier scams aimed at getting the victim to say the word “yes” in a phone conversation.  That affirmative response is recorded by the fraudster and used to authorize unwanted charges on a phone or utility bill or on a purloined credit card.

“You say ‘yes,’ it gets recorded and they say that you have agreed to something,”

Gee, if Harvard says so, it must be true!

4 Models for Using AI to Make Decisions

Charismatic CEOs enjoy leading and inspiring people, so they don’t like delegating critical business decisions to smart algorithms.  Who wants clever code bossing them around?  But that future’s already arrived.  At some of the world’s most successful enterprises — Google, Netflix, Amazon, Alibaba, Facebook — autonomous algorithms, not talented managers, increasingly get the last word.  Elite MBAs (Management by Algorithm) are the new normal.

…   “You need a Chief AI Officer,” Baidu chief scientist Andrew Ng told Fortune at January’s Consumer Electronics Show.  (He explained why he thinks so in a recent HBR article.)

My students annoy me, so I guess I should send this to them.

The New Flappy Bird Is Guaranteed to Annoy You

…   Ninja Spinki Challenges is available on Android and on iOS right now. It’s free to play, but you will have to put up with ads.  Rather ingeniously, watching a short video ad after you mess up will allow you to carry on from the point where it all went wrong.

What do you disclose and when do you disclose it?  ‘Who; will always be everyone. 

Investors Sue Yahoo Over Post-Hack Stock Plunge

I don’t think investors’ lawsuits related to data breaches have been a particularly winning strategy to date, but if any investors’ suit has a chance, this one might – or at least, should have a chance.  Maria Dinzeo reports that those who invested in Yahoo! are suing the company:

A proposed class of hundreds of thousands of Yahoo shareholders led by investor Mark Madrack says Yahoo’s quarterly financial statements filed with the Securities and Exchange Commission made false and misleading claims about the effectiveness of its encryption system and caused them to buy Yahoo shares at artificially inflated prices.

The lawsuit, which also names Yahoo CEO Marissa Mayer and CFO Kenneth Goldman as defendants, seeks an unspecified amount in damages on behalf of all investors who purchased shares between Nov. 13, 2013, and Dec. 14, 2016.

Read more on Courthouse News.

I think their strongest argument might ultimately be the delays in discovering and disclosing the massive breaches to investors – apart from what seems to be less than appropriate security like encryption.  I’m not a Yahoo! investor, but if I had invested, I think I’d be arguing that I never would have purchased the stock at the price I purchased it at if I known that the company had not timely disclosed a major breach that it had become aware of, had not properly addressed it by forcing a password reset, had not then timely discovered an even larger breach that had occurred earlier because it dismissed reports by a security firm and only paid attention when the government came to them with the same information, etc.  All of those factors, I think, would be material to any decision to invest.  But then, IANAL, of course.

I am thankful that President Trump is supplying me with so much information for my Computer Security students!  I love bad examples!

http://www.pcworld.com/article/3162055/security/trump-administration-is-giving-us-a-good-lesson-on-twitter-security.html

Trump administration is giving us a good lesson on Twitter security

…   It turns out that several White House-related Twitter accounts -- including the president's official account, @POTUS -- until recently were revealing sensitive information that hackers might be able to exploit.

The problem revolves around the service’s password reset function.  If the account holder doesn't take certain steps to secure it, Twitter exposes information that anyone with the right skills can use to uncover what email address -- in redacted form -- was used to secure a Twitter account.

…   Exposing your email address to the public may seem harmless.  But for government officials or business executives, it can be asking for trouble.   

That’s what happened in last year’s election.  An aide to presidential candidate Hillary Clinton was hacked by suspected Russian cyberspies through a phishing attack sent to his Gmail address.  His emails were eventually stolen and leaked to the public.

…   To prevent exposing your email address over Twitter, you can go into your account’s security settings and click “Require personal information to reset my password.”  That’ll force anyone trying to reset your password to enter the correct email address or phone number to continue.  

…   Securing a presidential Twitter account with a Gmail address highlights another problem: Why are White House officials using third-party email providers?

…   He also suggests that people secure their Twitter accounts with two-factor authentication.  This requires the user to enter both a password and a one-time special code sent to their mobile phone or generated over an authenticator app.

…   On Thursday, White House Press Secretary Sean Spicer was found tweeting and then deleting what appeared to be a password, although it’s still unclear what really happened.

More for my Computer Security students.

http://www.securityweek.com/42-billion-records-exposed-data-breaches-2016-report

4.2 Billion Records Exposed in Data Breaches in 2016: Report

The latest release of Risk Based Security’s annual Data Breach QuickView report shows that there were 4,149 data breaches reported during 2016, down from the 4,326 data breaches reported in 2015.  The number of exposed records, however, reached an all-time high that might not be easily equaled: 4.281 billion.  The previous record was established in 2013 at 1.106 billion.

…   According to Risk Based Security’s report (PDF), no less than 94 breaches in 2016 had exposed one million or more records.

They are not us! 

Trump Is Killing Obama Plans For World Privacy Rights

Thomas Fox-Brewster reports:

Amongst president Trump’s many decrees in the last week was an ostensibly shocking order to ensure non-Americans wouldn’t get the same privacy rights as U.S. citizens.  But Trump didn’t actually make any significant changes to U.S. law.  Instead, according to one legal expert, he sent a message to immigrants: the Obama administration’s plans to guarantee better privacy for individuals travelling or moving to the U.S. are being canned.

The wording in the Enhancing Public Safety executive order signed yesterday caused immediate, inevitable panic: “Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

Read more on Forbes.

Amazing how many ‘content creators’ are finding President Trump valuable. 

https://fivethirtyeight.com/features/trumpbeat-there-is-no-pivot/

TrumpBeat: There Is No Pivot

Welcome to TrumpBeat, FiveThirtyEight’s new weekly feature looking at how developments in Washington affect people in the real world.  We’re still experimenting with the format, so tell us what you think.  Email us or drop a note in the comments.

Dilbert is exploring the downside of Tweeting this week.

http://dilbert.com/strip/2017-01-27

At last!  Something worth it’s price!

This Audiobook on Decluttering Your Life Is Free for One Week (US & Canada)

Unless you’ve been living under a rock, you’ve probably already heard of Marie Kondo’s book, The Life-Changing Magic of Tidying Up.  The self-improvement title walks readers through how purging possessions that don’t bring you joy can make for a more organized life.

So if you want this audiobook for free how do you go about getting it?  You will need an Audible account to download it, but if you don’t already have one, you can just log in with your Amazon credentials (and also take advantage of select free content available through Amazon.)  If you already have an Audible account, you’re already one step closer to getting this audiobook for free.  And you don’t need to sign up for an Audible subscription to take advantage of this giveaway.

After you’ve logged into Audible you can search for the title or just use this link while logged in

Beware the Bear!  The Russians are hacking, the Russians are hacking! 

Russians suspected of hacking Wisconsin Dems

From the I-just-report-’em-I-don’t-necessarily-believe-them dept.

Paul Srubas reports:

County websites of the Democratic Party in the area have been under attack, at least one apparently by Russian hackers, an officer of the party said.

What appears to have been Russian hackers compromised the website of the 8th Congressional District Democratic Party as well as the sites of seven county Democratic party organizations, said Mary Ginnebaugh, who chairs the congressional district as well as the Brown County Democratic parties.

Read more on USA Today.

[From the USA Article: 

The hackers may have been targeting the state site and stumbled onto the 8th Congressional District site, Ginnebaugh said.  “We’re one letter off,” she said.  “We’re wiscdems.com and the state is wisdems.com.”

One size fits all?  You put as much effort in protecting your Recycle Ban as you do your M&A records?  

http://www.csoonline.com/article/3161028/data-protection/study-62-of-security-pros-dont-know-where-their-sensitive-data-is.html?google_editors_picks=true

Study: 62% of security pros don’t know where their sensitive data is

…   the value of data security is still largely defined “in terms of risk, cost, and regulatory compliance,” notes Forrester Research in the executive summary of a new report commissioned by data protection software provider Varonis Systems.

One of the key findings of the Forrester survey of 150 data security professionals in the U.S. and Canada is that while 76% of respondents claim a mature security strategy, the vast majority report facing technical challenges (93%) and organizational challenges (90%) with data security.  And, Forrester says, they “are focused on threats rather than their data, and do not have a good handle on understanding and controlling sensitive data.”  

For example, just 31 percent of respondents say they classify corporate data in the cloud based on its sensitivity.  

…   Forty-one percent of survey respondents said they know where their employee data is located, while 38% said they know where their customer data and sensitive structured data is located.

…   To learn more about what security pros have to say about the state of data security in their organizations, download the Forrester/Varonis report.

Is this technology sufficiently error free?  Spoof proof?  If it goes down, is there human backup? 

‘World first’: Government moves to radically overhaul Australia’s international airports

Michael Koziol reports:

International passengers would be whisked through immigration and customs without stopping or even encountering humans, while passport scanners and paper cards would be a thing of the past, under a radical overhaul of Australia’s airports due to start this year.

[…]

Instead, passengers will be processed by biometric recognition of the face, iris and/or fingerprints, matched to existing data.  By 2020 the government wants a system in place to process 90 per cent of travellers automatically, with no human involvement.

Read more on SMH.

My students seem to think you should not wait for an audit.  Why not have your systems notify you of unusual activity immediately?  

Covenant – Saginaw fires employee who improperly accessed 6,000 patients’ records

Brianna Owczarzak & Kate Nadolski report that an employee who improperly accessed thousands of patients’ files was fired after the Covenant in Saginaw detected the improper access through an audit:

The hospital sent letters to more than 6,000 individuals who may have been affected.

One of those people is Gabriella Economous.

“I received a letter from Covenant and it was in regards to my son saying that someone had accessed his records with his medical treatment, where we live, personal info, driver license numbers,” Economous said.

The incidents occurred between Feb. 1, 2016 and Nov. 21, 2016.

Read more on Crossroads Today.  Although it sounds like a snooping incident, they don’t seem to actually say what the employee’s motivation was and whether there is any evidence that data were copied or exfiltrated.  As of the time of this posting, there doesn’t seem to be a copy of the notification letter on their web site, so this post may be updated if more information becomes available.

Is it possible they do not know how to regain control of their data? 

http://www.pewinternet.org/2017/01/26/americans-and-cybersecurity/

Americans and Cybersecurity

...   Previous Pew Research Center studies of the digital privacy environment have found that many Americans fear they have lost control of their personal information and many worry whether government agencies and major corporations can protect the customer data they collect.  As part of this ongoing series of studies on the state of online privacy and security, the Center conducted a national survey of 1,040 adults in the spring of 2016 to examine their cybersecurity habits and attitudes.  This survey finds that a majority of Americans have directly experienced some form of data theft or fraud, that a sizeable share of the public thinks that their personal data have become less secure in recent years, and that many lack confidence in various institutions to keep their personal data safe from misuse.  In addition, many Americans are failing to follow digital security best practices in their own personal lives, and a substantial majority expects that major cyberattacks will be a fact of life in the future.   

I’m trying to explain to my students that proper Governance should have caught this very early in the process.  Why did it continue? 

http://fortune.com/2017/01/25/the-wells-fargo-scandal-is-now-reaching-vw-proportions/

The Wells Fargo Scandal Is Now Reaching VW Proportions

I thought it would be a long time before a corporate scandal got bigger and worse than the Volkswagen emissions-cheating mess.  I still think that, but almost every day the Wells Fargo situation makes me wonder if it might soon surpass even VW in overall awfulness.  The latest news certainly shortens the odds.  Before we examine the dismal state of affairs, let’s jump straight to the bottom line: Even if this scandal does not widen further, it reflects a massively broken corporate culture, not just the acts of a few bad men and women.  It has trashed the reputation of former CEO John Stumpf and at least casts doubt, fairly or not, on the reputation of his predecessor, Richard Kovacevich; both were among America’s most admired CEOs.  The No. 1 job of CEO Tim Sloan is culture change, and the big lesson from others’ experience is not to talk about culture but to model and enforce the right behavior—and to be patient.

Recent developments go way beyond the original revelation, that the bank opened as many as 2.1 million accounts without customers’ permission or knowledge.  Lots of people had to know of such widespread wrongdoing, but...

—New evidence shows that employees who called the company’s ethics hotline were sometimes fired or otherwise punished.  That’s illegal under federal law.  The bank has hired an outside investigator to learn more.

—Branch managers were warned 24 hours before internal auditors showed up to conduct inspections.  Employees were sometimes ordered to work into the night or all night to shred documents and forge signatures so the branch would pass inspection, the Wall Street Journal reports.

—The bank allegedly caused customers to miss deadlines for extending a promised interest rate, then charged those customers late fees.  The process typically cost customers $1,000 to $1,500.  So say four former employees from the Los Angeles region, as reported by ProPublica.  One of the four ex-workers claims that total proceeds to the bank were in the millions of dollars.

A local contact for the AI discussion?

http://sloanreview.mit.edu/article/what-managers-need-to-know-about-artificial-intelligence/

What Managers Need to Know About Artificial Intelligence

The field of artificial intelligence (AI) is finally yielding valuable smart devices and applications that do more than win games against human champions.  According to a report from the Frederick S. Pardee Center for International Futures at the University of Denver, the products of AI are changing the competitive landscape in several industry sectors and are poised to upend operations in many business functions.

This will probably get referenced a lot over the next four years. 

http://www.bespacific.com/libguide-on-presidential-power/

LibGuide on Presidential Power

by Sabrina I. Pacifici on Jan 25, 2017

Mary Whisner – Librarian – Gallagher Law Library: “In November two of our brilliant young professors decided to put together a class on Presidential Power for winter quarter.  It immediately filled and drew a waiting list.  And there was a lot of interest from outside the law school.  People from other university departments and the community asked if they could audit or at least get the reading list.  The professors didn’t have room for a flock of auditors, but they did think that sharing their readings was a good idea, and they asked me to set up a public web page.  In case the topic also interests any of you, see http://guides.lib.uw.edu/law/prespower.  Check back from time to time: they are developing the syllabus (and I’m adding links) as events unfold.”

For my gamers…

4 Sites Where You Can Download Old PC Games For Free

How important is customer protection?  That determines how you design your processes.  For example, this breach is very uncommon.  Do you have a procedure to catch it? 

Telus releases Hamilton woman’s personal information to her stalker

Adam Carter reports on a small-N breach that reminds us all how horrifying the consequences of a privacy breach can be:

A Hamilton woman says Telus violated her privacy and put her and her family in grave danger by allowing her stalker to access her phone account without her consent.

Ellie, whose name has been changed to protect her identity and safety, told CBC News that her ex-boyfriend was able to get her personal information and make changes to her account, just by having another woman call Telus and pose as her.

The security breach led to a terrifying weekend of harassing messages, she says, culminating with being assaulted and later, chased down in a car.  Police have laid charges against her ex in connection with these allegations, and Telus has acknowledged that her account security was breached.

Read more on CBC.ca.

Is this really a ‘fear of Trump’ thing?  Is that the only reason for them to do this?  Isn’t there an ethical argument here somewhere? 

http://www.geekwire.com/2017/fearing-trump-administrations-reach-seattle-city-council-fights-fbi-spds-warrantless-surveillance-cameras/

Fearing Trump administration’s reach, Seattle City Council fights FBI and SPD’s ‘warrantless surveillance cameras’

Seattle City Councilmember Kshama Sawant, the ACLU, and privacy advocates are championing an effort to regulate and remove surveillance cameras they claim have been installed without the city’s permission or knowledge.

…   “I think that it is totally unacceptable for the city of Seattle to be complicit in federal law enforcement and intelligence agencies surveilling Seattle’s public spaces,” she said at a meeting of the Council’s Energy and Environment Committee Tuesday.  “As a sanctuary city, we should not be filming our general population and we certainly should not be sending that data to law enforcement agencies now being run by the Trump administration.  Many find this chilling and the Council has a duty to protect constituents from being surveilled.”

(Related).  Maybe Trump doesn’t want to tell anyone anything about government activities?  Maybe he wants to be free to make up ‘false news?’ 

http://www.bespacific.com/wapo-trump-officials-order-agencies-to-restrict-dispatches-to-public/

WaPo Trump officials order agencies to restrict dispatches to public

by Sabrina I. Pacifici on Jan 24, 2017

Washington Post: “The new limits on public communications appear to be targeting agencies that are charged with overseeing environmental and scientific policy, prompting criticism from officials within the agencies and from outside groups focused on climate change.  A memo to EPA communications staff said “no social media will be going out” and incoming media requests will be “carefully screened.”

• See also – For hours, a national park’s Twitter account went rogue on a gag order

For my Data Management students.  More than half of the ‘senior executives’ surveyed are blind to the obvious? 

http://sloanreview.mit.edu/article/companies-brace-for-decade-of-disruption-from-ai/

Companies Brace for Decade of Disruption From AI

Executives of the nation’s biggest corporations fear that major disruption is on the horizon.  This is a central finding of the 2017 Big Data Executive Survey from NewVantage Partners, which tracks the views of senior corporate executives on disruptive capabilities, ranging from Big Data to artificial intelligence.

According to the fifth annual survey, which was released this month, nearly half of senior executives surveyed — a remarkable 46.6% — see disruptive change coming fast, with many fearing that their companies are at significant risk of disruption or displacement.

Do you think the average CEO (or CIO for that matter) knows how live, streaming video could be used? 

http://venturebeat.com/2017/01/24/will-facebook-miss-the-opportunity-for-cordless-live-television/?google_editors_picks=true

Will Facebook miss the opportunity for cordless live television?

Last week, President Trump’s inauguration broke live video streaming records and became the largest live news event streamed, with 4.6 million viewers watching it concurrently at its peak.  The massive online turnout was the capstone for a year that witnessed the advent of Facebook Live, Instagram Live, Twitter’s #GoLive, and musical.ly’s live.ly, as well as Periscope’s continued growth.  2016 was the year that pushed live video streaming into mainstream media and onto everyone’s phones.

…   as the world’s largest and most mainstream social network, Facebook is in an advantageous position to capitalize on the synergistic social aspects that accompany live video.  It’s human nature to want to watch live events unfold with others  – it’s why we have watch parties for presidential debates or the Super Bowl.  Also, socialization on Facebook is less likely to attract trolls or harassment than on YouTube or Twitter — even amongst strangers — because it’s more difficult for users to hide behind anonymous usernames.

I don’t see this as unanticipated.  There are still companies making a good living selling tack for horses, black powder guns, record players and many other ‘obsolete’ products. 

http://www.marketwatch.com/story/thanks-amazon-now-indie-bookstores-are-booming-2017-01-25?reflink=MW_GoogleNews&google_editors_picks=true

Thanks, Amazon! Now indie bookstores are booming

…   In the latest sign of the power of print, a spate of indie bookstores will enter the New York City area in the coming months, even as larger chains have exited.  Labor Department data show that the number of bookstores nationwide declined by 12% from 2012 to last year, but the American Booksellers Association, an independent bookstores trade group, has seen membership grow by almost 13% in the five years leading up to 2016.

Indies are thriving because of Amazon, not in spite of the internet behemoth.  This is a story of two different types of bookstores: one with vast inventory, low prices and algorithm-driven recommendations, and another that lures customers seeking tightly curated collections and a community of bookworms.

For my (not MBA) students who still think every well-known company must be profitable. 

http://knowledge.wharton.upenn.edu/article/growth-vs-profits-ubers-cash-burn-dilemma/

Growth vs. Profits: Uber’s Cash Burn Dilemma

As global ride-hailing startup Uber heads toward a possible IPO this year, Wall Street’s eyes will be on its financials.  Revenues have continued to grow quickly for the eight-year-old Silicon Valley company, but the bottom line isn’t pretty: Uber was on track to lose about $3 billion in 2016 on net revenue of $5.5 billion, according to Bloomberg News.  That’s remarkable for a startup that has raised more than $11 billion with scant capital costs — it does not own a global fleet of cars or much of other hard assets.  Uber itself is valued at more than $60 billion.

For all my students.  Not sure I would feel comfortable working for someone who looked me up on their smartphone?  

You Need a Mobile Résumé in 2017: 4 CV Formatting Tips for Phones

Hiring managers and recruiters, like everyone else, use their mobile phones for everything — and that includes reading résumés.

You can bet that if your résumé doesn’t show up well on their phone, they’re going to skip right over it.  So you need to make sure that you’ll put your best (mobile) foot forward.

Interesting tech, looking for ideas. 

https://www.entrepreneur.com/article/288177?utm_source=google-news&utm_medium=syndication&utm_campaign=google-editors-pick&google_editors_picks=true

Seeing Through Walls Is the Least Cool Thing This Tech Does

…   I looked toward a wall in the hotel room and saw a person-shaped image.  Back in reality, a Vayyar employee was stepping side to side in the bathroom.  I was able to track his movements from the other room.

To put it bluntly, I was seeing through walls.

…   the company used its 3-D imaging sensor Walabot to scan a demonstration wall.  As the phone-like device was slowly swept side to side, an image on a nearby screen showed where the pipes hidden behind it were.  It could also see inside the wall as a mouse ran from one side to the other.

…   Another demonstration I witnessed was a Vayyar employee go from standing to lying on the bathroom floor.  A sensor on the wall immediately started beeping.  As Melamed points out, this is a way to have peace of mind as older people take showers while protecting their privacy, because there's no camera.

In another test, I laid on a bed while a sensor hung from the ceiling.  I was told to breath normally, which was visible on a nearby monitor.  I then drew a deep breath and held it, which caused my image on the monitor to disappear.  Vayyar said its sensor, which detects the tiny movements of the lungs, could be used to diagnose sleep apnea.

Something to toss out to my students just before finals week? 

A New Pokemon Game Is Available on Android and iOS

Without a word of warning, Nintendo has launched a new Pokemon game on Android and iOS.  It’s called Pokemon Duel, having previously been known as Pokemon Co-master in Japan.  Pokemon Duel is like a Pokemon board game for your mobile, which IS as geeky as it sounds.

In 2016, The Pokemon Company released a mobile game called Pokemon Co-master in Japan.  Pokemon Co-master, made in collaboration with Heroz Japan, paired virtual collectibles with a strategy game like Go or Shogi.  

Perhaps something like this could help my International students?

http://www.freetech4teachers.com/2017/01/slick-write-helps-you-analyze-your.html#.WIi_stRH4wg

Slick Write Helps You Analyze Your Writing

Slick Write is a free tool that helps you analyze your writing or that of others.  To use Slick Write you can write new text in the provided text editor or copy and paste chunks of existing text into Slick Write's text editor.  Either way Slick Write will provide you with an analysis of your writing.  That analysis will include typical things like a word count, a readability score, and an estimated reading time for your document.  Slick Write will also analyze your use of adverbs and prepositional phrases throughout your document.

You can customize Slick Write's analysis settings by choosing what you would like Slick Write analyze in your document.  For example, you can choose to have Slick Write identify clichés in your document.  There is also an option in Slick Write's settings to have it analyze your use of conjunctions and contractions.  There is a total of thirty analysis options that you can enable or disable in Slick Write.

Quis custodiet ipsos custodes?  The OIG and every terrorist in the world. 

http://www.bespacific.com/summary-report-on-audits-of-security-controls-for-tsa-information-technology-systems-at-airports/

Summary Report on Audits of Security Controls for TSA Information Technology Systems at Airports

by Sabrina I. Pacifici on Jan 23, 2017

DHS OIG – Summary Report on Audits of Security Controls for TSA Information Technology Systems at Airports, December 30, 2016. OIG-17-14.

“Our previous reports identified numerous deficiencies in security controls for TSA’s IT systems and equipment at airports.  These deficiencies included inadequate physical security for TSA server rooms at airports, unpatched software, missing security documentation, and incomplete reporting of IT costs.  TSA has undertaken various actions to address the recommendations we made in these reports.  Based on our review of the corrective actions taken as of May 2016, we consider most of the recommendations resolved and closed.  However, TSA has not yet resolved recommendations we made in two key areas.  TSA officials indicate it will take time, money, and contract changes to include security requirements in the Security Technology Integrated Program, a data management system that connects airport screening equipment to servers.  TSA also disagrees that closed-circuit televisions, including cameras, at airports constitute IT equipment and that TSA is responsible for maintaining them.  Further, as a result of our analysis to compile this report, we are making two new recommendations to improve security controls for TSA’s IT systems at airports.  Specifically, TSA needs to assess the risk of not having redundant data communications capability to sustain operations at airports in case of circuit outages.  Additionally, while TSA has undertaken reviews of security controls for its IT systems at airports, it would benefit from establishing a plan to conduct the reviews on a recurring basis nationwide.”

In theory, this research should have been done before Pattern Locks were introduced.  But, where’s the fun in that?

http://hothardware.com/news/researchers-crack-androids-popular-pattern-lock-security-within-5-attempts

Researchers Crack Android’s Popular Pattern Lock Security Within 5 Attempts

Researchers from Lancaster University, Northwest University in China, and the University of Bath have demonstrated that attackers could easily unlock a phone in less than five attempts.

First off, what is Pattern Lock?  In order to unlock a device’s content or functions, users must draw a pattern on a grid of dots.  Users typically have five chances to get it right before they are locked out.  40% of Android users utilize Pattern Lock and prefer it over using a PIN or password.

Researchers took video of owners unlocking their phones with Pattern Lock.  The attacks worked regardless of screen size or content on the phone’s screen, and were able to be tracked from roughly eight feet away.  Hackers were then able to use software to track the owner's fingertip movements relative to the position of the device.  The researchers collected 120 patterns and were able to unlock 95% of them within five attempts.

Ironically, the more complicated passwords were easier to crack.  Guixin Ye, the leading student author from Northwest University, remarked, “Contrary to many people's perception that more complex patterns give better protection, this attack actually makes more complex patterns easier to crack and so they may be more secure using shorter, simpler patterns”.  Researchers were able to uncover all but one of the “complex” patterns, 87.5% of the “medium” patterns and 60% of “simple” patterns on their first attempt.

For my Computer Security, Ethical Hacking and Forensic students.

http://www.bespacific.com/ftc-releases-new-report-on-cross-device-tracking/

FTC Releases New Report on Cross-Device Tracking

by Sabrina I. Pacifici on Jan 23, 2017

“The Federal Trade Commission has released Cross-Device Tracking: An FTC Staff Report that describes the technology used to track consumers across multiple Internet-connected devices, the benefits and challenges associated with it, and industry efforts to address those challenges.  The report concludes by making recommendations to industry about how to apply traditional principles like transparency, choice, and security to this relatively new practice.  The report draws upon comments and discussions from a November 2015 Cross-Device Tracking Workshop and explains that cross-device tracking associates multiple devices with the same consumer and links a consumer’s activity across her devices (e.g., smartphones, tablets, personal computers, and other connected devices).  It describes how cross-device tracking facilitates seamless experiences, can help to prevent fraud and more effectively target ads, and can increase competition in advertising.  However, the report also acknowledges that cross-device tracking often takes place without consumers’ knowledge.  It also discusses that consumers have limited choices to control such tracking, and that it can result in caches of more—and more sensitive—data that need to be protected.”

For my Ethical Hacking and Forensic students.

http://www.securityweek.com/researchers-link-de-identified-browsing-history-social-media-accounts

Researchers Link "de-identified" Browsing History to Social Media Accounts

While the use of cookies and other tracking mechanisms used to track computers is widespread and well understood, it is often believed that the data collected is effectively de-identified; that is, the cookies track the computer browser, not the person using the computer.

This is the message often promulgated by the advertising industry: tracking cookies allow targeted advertising without compromising personal privacy.  Now new research from academics at Stanford and Princeton universities demonstrates that this need not be so.

In the new study 'De-anonymizing Web Browsing Data with Social Networks' (due to be presented at the 2017 World Wide Web Conference Perth, Australia, in April) the researchers show that de-identified web browsing histories can be linked to social media profiles using only publicly available data.  Once the social media profile associated with a browsing pattern is known, the person is known.

Should you join them?

http://www.wsj.com/articles/messaging-app-has-bipartisan-support-amid-hacking-concerns-1485215028?mod=rss_Technology

Messaging App Has Bipartisan Support Amid Hacking Concerns

Aides to Trump, Obama and de Blasio use Signal, a smartphone app that encrypts messages

Signal, a smartphone app that allows users to send encrypted messages, is gaining popularity in the political world amid rising fears about hacking and surveillance in the wake of a tumultuous election year.

When I teach a Data Management class, articles like this really start the conversation going.  Yes, people value Data Management.  

https://techcrunch.com/2017/01/18/collibra/

Collibra nabs $50M led by ICONIQ to fix companies’ data governance

Data governance and management startup Collibra … has raised $50 million in its latest round of funding.

…   “Big data” has been the term du jour in the enterprise software space for at least the past two years… the phrase has become so over-used that it’s almost a punch line.

However, behind the jargon is a hard fact that data is important.  It’s good for businesses to know where their data comes from, how reliable it is, and how best to use it.

That’s the problem that Collibra purports to solve.  Services that it covers includes compliance with BCBS 239, CCAR MRAs and GDPR; demonstrating data protection and security; fixing bad data; analytics; and data discovery.

“Data’s day has come.  And with that, organizations have recognized that data can only be leveraged as a strategic resource to the extent it can be accessed and, most important, trusted,” said Felix Van de Maele, CEO and co-founder of Collibra, in a statement.

Is Ford, like Tesla, saying, “We don’t need no stinking dealers!”  

http://www.marketwatch.com/story/ford-teams-with-startup-for-online-car-shopping-2017-01-23

Ford teams with startup for online car shopping

Ford Motor Credit Co. said Monday that it would use software developed by AutoFi Inc. to let car buyers shop for a Ford or Lincoln car and secure a loan online through its dealers’ websites.

As part of the new deal, Ford Motor Credit also announced an equity investment in AutoFi.  It didn’t disclose the amount.

AutoFi doesn’t make any credit decisions or loans itself.  The company operates a marketplace where dealers can select which banks, credit unions or other lenders can pitch loans to car buyers.  Customers can choose among competing offers.  AutoFi gets paid a fee by both the dealer and the lender if its service is used in a purchase.

Perspective.  Then ask yourself, ‘Should I care?’

These 3 Text Messaging Stats Will Surely Surprise You

1. In 2014, over 561 billion text messages were sent in one month.  That equates to 18.7 billion text messages per day, 779 million text messages per hour, 13 million text messages per minute, or 216,000 text messages per second.  Now imagine how much worse it’s gotten in the two years since!

2. In 2016, Millenials prefer texting to calling for all communications.  Of those aged between 18–24, when given a choice between only being able to text or only being able to call, about 75 percent chose texting.  Not only that, but about 75 percent of Millenials prefer to receive texts for things like appointments, payments, order alerts, etc.

3. Messaging apps are taking over traditional text messages.  As of 2015, about 49 percent of smartphone owners between 18–29 years of age preferred to use messaging apps.  The older folks are catching on, too: about 37 percent of those aged 30–49 and 24 percent of those aged 50+ use messaging apps.

But do they have the one I need?  

http://www.bespacific.com/courtlistener-free-legal-research-website-millions-of-legal-opinions-from-federal-and-state-courts/

CourtListener – free legal research website – millions of legal opinions from federal and state courts

by Sabrina I. Pacifici on Jan 23, 2017

“Search millions of opinions by case name, topic, or citation. 418 Jurisdictions.  Sponsored by the Non-Profit Free Law Project.  With CourtListener, lawyers, journalists, academics, and the public can research an important case, stay up to date with new opinions as they are filed, or do deep analysis using our raw data.”

(Related)  I wonder what Watson could do with this data?

http://www.bespacific.com/judge-profiles-on-courtlistener-now-show-oral-arguments-heard/

Judge Profiles on CourtListener Now Show Oral Arguments Heard

by Sabrina I. Pacifici on Jan 23, 2017

Free Law Project Blog – “We’re proud to share that we’ve now linked together our database of judges and our database of oral argument recordings.  This means that as of now if you look at the profile page for a judge, you may see a list of oral argument recordings for cases that judge heard.  Clicking on the button at the bottom takes you back to our database of oral argument recordings where you can further refine your search.  If the judge is active, there is an icon in the upper right that lets you subscribe to a podcast of the cases heard by that judge.  At this time, these features are only available for the Supreme Court and for jurisdictions where the judges for specific cases are provided by the court website.   We hope to expand this in the future.  To our knowledge, a linkage like this has never previously existed on any system, and we hope that it will make research and exploration faster and easier for our users.  To get started with this addition, you can browse the judges in CourtListener, or explore our APIs and Bulk Data, where files now include this information.”  [Awesome!]

Perspective.  The world is changing when a retailer can create content that meets or beats the content creators.

http://www.hollywoodreporter.com/news/oscars-amazon-nabs-streamings-first-best-picture-nomination-manchester-by-sea-967757

Oscars: Amazon Nabs Streaming's First Best Picture Nomination With 'Manchester by the Sea'

With the nomination of Amazon Studios' Manchester by the Sea for best picture on Tuesday morning, the Academy of Motion Picture Arts and Sciences has officially put streaming services in the Oscar features game. 

Amazon has not only scored its first Oscar nominations with Manchester, it has also become the first streaming service to earn a best picture nod.

For such a simple (and cheap) device, a lot of big players seem interested in connecting to it.  Perhaps they see it as a way to identify geeks they might like to hire?

http://hothardware.com/news/google-to-enable-its-ai-and-machine-learning-tech-on-raspberry-pi-this-year?google_editors_picks=true

Google To Enable Its AI And Machine Learning Tech On Raspberry Pi This Year

If you’re a Raspberry Pi developer that is at all interested in artificial intelligence (AI) and machine learning, we’ve got a treat in store for you.  Google is looking to bring its AI and machine learning tools to the Raspberry Pi starting this year, but it wants your help and input to make it happen.

Google has launched a survey that includes questions about how often developers spend working on software and hardware projects, and if they are interested in fields ranging from wearables to drones to IoT to robotics to 3D printing.  It will use input gained from this survey to narrow its focus on the tools that are provided later this year.

(Related)

http://www.networkworld.com/article/3160028/hardware/cluster-hat-the-easiest-way-to-build-a-raspberry-pi-zero-cluster.html?google_editors_picks=true

Cluster HAT, the easiest way to build a Raspberry Pi Zero cluster

I recently compiled a list of Raspberry Pi clusters and reader Alex Hortin wrote in to suggest I looked at a cluster framework for up to four Raspberry Pi Zeros called the Cluster HAT produced by 8086 Consultancy. 

Does this suggest a major failure (holes found) or a major success (now we can fix them)?  Remember, Russia (probably many countries) are doing the same thing 24X7X365.  They just don’t bother telling DoD when they succeed. 

http://www.securityweek.com/expert-hacks-internal-dod-network-army-website

Expert Hacks Internal DoD Network via Army Website

A security researcher who took part in the Hack the Army bug bounty program managed to gain access to an internal Department of Defense (DoD) network from a public-facing Army recruitment website.

Hack the Army ran via the HackerOne platform between November 30 and December 21, and the results of the program have now been made public.  A total of 371 people registered, including 25 government employees, and they submitted 416 vulnerability reports – the first one came within five minutes of launch.

Roughly 118 of the reports have been classified as unique and actionable

…   The most noteworthy submission came from a researcher who managed to chain multiple vulnerabilities in order to get from the goarmy.com Army careers website to an internal DoD network that can normally be accessed only by authorized users.

…   Thanks to the success of these programs, similar events will likely be launched in the future.

In the meantime, researchers who find flaws in the DoD’s *.defense.gov and *.mil websites are still encouraged to report them.  The Pentagon recently published its vulnerability disclosure policy in an effort to provide guidance to white hat hackers on how to legally report their findings.

For my Computer Security students.

http://www.thedailybeast.com/cheats/2017/01/23/yahoo-faces-sec-probe-over-data-breach-disclosures.html

Yahoo Faces SEC Probe Over Data-Breach Disclosures

Yahoo is facing a probe by the Securities and Exchange Commission over how it handled the disclosure of two massive data breaches.  A source familiar with the matter told The Wall Street Journal the investigation will likely focus on a 2014 cyberattack that saw the personal data of 500 million users released.  The company disclosed that breach only in September 2016, which may have violated civil securities laws, the report said.  The investigation will also cover a 2013 breach that was only announced last December.  While the SEC issued guidelines in 2011 calling for companies to disclose any security breaches, the guidelines did not specify a timeframe, meaning the Yahoo case could set a precedent and provide clarification.

For my Ethical Hacking students.  This could be like texting “Fire!” in a crowded theater.  

https://www.theatlantic.com/technology/archive/2017/01/the-demon-voice-that-can-talk-to-your-smartphone/513743/?utm_source=feed

The Demon Voice That Can Control Your Smartphone

Researchers have created creepy sounds that are unintelligible to humans but still capable of talking to phones’ digital assistants.

…   what if there was a way to talk to phones with sounds other than words?  Unless the phones’ owners were prompted for confirmation—and realized what was going on in time to intervene—they’d have no idea that anything was being texted on their behalf.

Turns out there’s a gap between the kinds of sounds that people and computers understand as human speech.  Last summer, a group of Ph.D. candidates at Georgetown and Berkeley exploited that gap: They developed a way to create voice commands that computers can parse—but that sound like meaningless noise to humans.  These “hidden voice commands,” as the researchers called them, can deliver a message to Google Assistant-enabled Android phones nearby through bursts of what sounds like scratchy static.

…   The primary way people interact with smartphones is by touching them.  That’s why smartphone screens can be thoroughly locked down, requiring a passcode or thumbprint to access.  But voice is becoming an increasingly important interface, too, turning devices into always-listening assistants ready to take on any task their owner yells their way.  Put in Apple’s new wireless earphones, and Siri becomes your point of contact for interacting with your smartphone without taking it out of your pocket or bag.

The more sensors get packed into our ubiquitous pocket-computers, the more avenues someone can use to control them.

For my IT Governance students.  Even small things have major impacts.  How can you tell it isn’t Russian hackers?  

http://www.nbcnews.com/business/travel/united-airlines-computer-glitches-delay-flights-infuriate-flyers-n666206

United Airlines Computer Glitches Delay Flights, Infuriate Flyers

Tempers boiled in departure lounges around the world overnight as two separate problems with United Airlines' computer systems caused widespread delays.

…   The first glitch, concerning United's luggage weighing systems, was resolved late Thursday, King said.  Another issue caused more delays before being resolved at 3 a.m. ET — although King said she did not know its nature nor its cause.

…   Amy Zandy, a 32-year-old sales director from Chicago, was among those affected.

"You are literally a global conglomerate," she told NBC News, referring to United.  "You don't have backup systems?  You don't know how to manually process this information?"

Also for my Governance students? 

RESOURCE: Two Books by Daniel Solove on Privacy Now Freely Available

Privacy law scholar Daniel Solove has made two of his books freely available online:

The Digital Person: Technology and Privacy in the Information Age (2004) [296 pp] and

The Future of Reputation: Gossip, Rumor, and Privacy on the Internet (2007) [257 pp.]

Both books have inspired a lot of scholarly debate and reflection on the course of privacy and privacy law in this country.

Great thanks to Dan and the publishers for making them available.  Go grab your copies now, if you don’t have copies already.

An interesting case.  How should this have been handled? 

Special education student who secretly recorded school administrator threatening him to be charged for violating wiretap law

It is an issue that has come up a number of times for me with one of my other “hats” on: do you send a child to school with a wire to record what’s going on in the school if they claim they are being harassed or abused so that you have proof?  Maybe you’ve see bruises on them and can get no real answer from the school.  Maybe your child is telling you that a school administrator is cursing them and threatening them.  Maybe you don’t know what to believe.  Or maybe you do believe your child, but no one else will believe what’s going on.

We know, from studies, that students with disabilities are more likely to be harassed or abused in school.  We’ve all seen the horrific footage of such abuse in other cases.  Now it’s your child who may be being mistreated by school personnel.

What would you do if you decide you can’t just remove your child from that school because you can’t find an alternative placement?  Or maybe there are alternatives, but you decide that the school should not get away with this because they’ll continue doing it to other children, if not yours.

What would you do?

If you live in a state where two-party consent is required for audio and/or video recording, then under the law, they should not secretly record any conversation – even if, as may be in the case at hand – you have gone to the police on several occasions to no avail.

So what do you do to protect your child or to get evidence of what’s going on?

I know what we’ve done in the past, but because my lawyer would probably prefer I not publicly admit to any possible crimes, I won’t say here.

But it sounds like there may be that kind of situation in Pennsylvania, where a Woodland Hills High School administrator allegedly was verbally abusive and threatened a student with disabilities.  CBS reports:

There was harsh criticism of Allegheny County District Attorney Stephen Zappala outside the Woodland Hills School District Administration building Wednesday night.

Protestors gathered for a demonstration sponsored by a group called the Alliance for Police Accountability.

Brandi Fisher, of the Alliance for Police Accountability, told the gathering, “Not only does the D.A. need to charge the principal, the D.A. needs to resign.”

The controversy stems from Zappala’s recent decision not to file charges against high school Principal Kevin Murray after an expletive-filled reprimand he gave to a student.

The student secretly recorded the conversation.

Read more on CBS Pittsburgh.

The stations’s past coverage of the case is linked from here.  The recording allegedly catches the administrator saying, ““I’m going to [expletive] punch you in the face.  Man-to-man, bro.  I don’t care if you are [expletive] 14-years-old or not.  I will punch you in your face, and when we go down to court, it’s your word against mine, and mine wins every time.”

Reading the coverage, it appears that the district decided that the recording could not legally be used against the administrator because the recording was made in violation of wiretap laws.

So police can violate the law and the evidence can be used in many cases under some “good faith” exception,” but evidence against a school administrator is not entitled to any good faith exception and would have to be suppressed?  And then you charge the teenager for violating the wiretap law?

Something’s very wrong here.

Maybe Orin Kerr or Scott Greenfield can help me understand why this is a correct course of action – to not use the tape and to charge the teenager.  Somehow, I doubt I will be easily convinced.

Is this how to compete in the Digital Age? 

http://www.marketwatch.com/story/decaf-with-your-deposit-bank-branches-transform-into-cafes-more-2017-01-23?reflink=MW_GoogleNews&google_editors_picks=true

Decaf with your deposit? Bank branches transform into cafes, more

If you’re like many Americans, you may be making fewer trips to the bank and instead taking care of check deposits with a mobile app or tracking account balances with a few mouse clicks.

Digital banking is undeniably gaining ground over the old brick-and-mortar process.  But about 84% of banking customers still visit branches at least occasionally, according to a March 2016 Federal Reserve report.

Interesting.  I wonder if there is a truly neutral version of this?  No, not the New York Times.

http://www.seattletimes.com/business/local-techies-launch-fact-focused-trump-wiki-site/?utm_source=news.google.com&utm_medium=Referral&utm_campaign=rss_editors_picks_feed_technology&google_editors_picks=true

Local techies launch fact-focused Trump wiki site

Jan Miksovsky was worried about how citizens will be able to keep up with the Donald Trump administration.

So, in a bout of entrepreneurial spirit, he helped build a tool to address the matter.

The longtime Seattle software engineer, who spent 16 years at Microsoft before founding two Seattle startups, helped gather the crew of developers and writers behind Presterity.org, a web portal pitched as a Wikipedia-like chronicle of the Trump administration.

The aim isn’t nonpartisan.

“We’d like to create what you might call a reference desk for people to try to resist the damages of the Trump administration,” Miksovsky said.

I wondered what went wrong with the polls…  A guideline for Mark Zuckerberg?

https://fivethirtyeight.com/features/the-electoral-college-blind-spot/

The Electoral College Blind Spot

(Related)

https://fivethirtyeight.com/features/it-wasnt-clintons-election-to-lose/

It Wasn’t Clinton’s Election To Lose

(Related)

https://fivethirtyeight.com/features/the-invisible-undecided-voter/

The Invisible Undecided Voter

Something to consider in my Spring Quarter Spreadsheet class.  Sounds a bit overblown.

http://www.bespacific.com/uk-research-project-documents-decline-of-statistics-and-rise-of-big-data/

UK research project documents decline of statistics and rise of big data

by Sabrina I. Pacifici on Jan 22, 2017

“How statistics lost their power – and why we should fear what comes next,” by William Davies, The Guardian: “The ability of statistics to accurately represent the world is declining.  In its wake, a new age of big data controlled by private companies is taking over – and putting democracy in peril…  In theory, statistics should help settle arguments.  They ought to provide stable reference points that everyone – no matter what their politics – can agree on.  Yet in recent years, divergent levels of trust in statistics has become one of the key schisms that have opened up in western liberal democracies.  Shortly before the November presidential election, a study in the US discovered that 68% of Trump supporters distrusted the economic data published by the federal government.  In the UK, a research project by Cambridge University and YouGov looking at conspiracy theories discovered that 55% of the population believes that the government “is hiding the truth about the number of immigrants living here”.

Perhaps I’ll ask my students to create a 3D Video.  The next ‘Avatar?’

http://www.digitaltrends.com/cool-tech/mindshow-lets-anybody-make-3d-movies-in-vr/?google_editors_picks=true

Why let Pixar have all the fun? Mindshow lets anybody make 3D movies in VR

…   “It’s a lot like a cartoon that you can walk around in,” says Visionary CEO and Chief Creative Officer Jonnie Ross, “but there’s a lot more to it than that.”

In a nutshell, Mindshow is a VR sandbox that allows you to create virtual scenes, then animate them with your own body movements, voice, and imagination.