Saturday, October 31, 2015

My New iPhone 6 iOS9 (Updated)

(Right-hand Pic edited to my arrangement)

My old Android (Google) was dying, so I just got an Apple iPhone 6 iOS9.

I found out that if you are running iOS9, Android has a Move from Android to iPhone app.

This made getting all my data (contacts, pictures, etc.) transferred to my iPhone easy.

It is a very nice smartphone, but it took me about 20 hrs of tinkering to get it the way I wanted it.  Then there's the cost (don't ask), even though I use Consumer Cellular, which provides low-cost phones, no-contract accounts, and lets you customize your plan.  They also give AARP discounts, which is great for us 70-somethings.

The maddening thing is Apple insisting on forcing you to use iTunes to upload/sync anything.  I had a very @#!@@#! time figuring out how to get my ringtones on the iPhone.  In fact, it's iTunes that loads the driver so you can see your iPhone on your PC.

Finally found a YouTube video on how to do that, but if you watch it you'll see it is complicated.  But it's better than trying to get any sync/download app to work as advertised.

UPDATE:  There are some mistakes in the above video, the author seems to be using an older version of iTunes.  Also there is a ringtone download site that you can use to get ringtones in the correct .m4r format.  ZEDGE Ringtones (screenshots below)

Home Page for my iPhone

Example Download page
I suggest you download to your computer so you can drag-drop to iTunes, so the ringtones are available for new phones.  On my Win7 Pro 64bit rig, downloads go to the Downloads folder, so drag/drop to iTunes is easy.  Since the downloaded files are ringtone-ready, there's no need to go through the complicated steps of creating .m4r files.

CORRECTIONS:  Here are screen shots for newer versions of iTunes you need.

There were several sites that helped, here's two:

So far, I do like iPhone 6 iOS9..... so far.

Monday, September 28, 2015


"Inside the British government’s sweeping cyber surveillance program" PBS NewsHour 9/26/2015


SUMMARY:  For years, the British government has reportedly tracked and stored billions of records of Internet use by British citizens and those outside the UK in an effort to track every visible user on the Internet.  Ryan Gallagher of "The Intercept" joins Hari Sreenivasan via Skype from Brighton, England, with more on UK cyber surveillance.

HARI SREENIVASAN (NewsHour):  For years, the British government has reportedly tracked and stored billions of records of Internet use by British citizens and people outside the U.K., in an effort to track every visible user on the internet.  That finding comes from “The Intercept” Web site, which is publishing findings from National Security Agency contractor (traitor) Edward Snowden’s leak on government surveillance practices.

“Intercept” reporter Ryan Gallagher wrote the story and joins me now via Skype from Brighton, England.

First of all, explain the scale of surveillance that was happening from the British equivalent of the NSA, the GCHQ.

RYAN GALLAGHER, THE INTERCEPT:  Well, the skill is quite phenomenal.  I mean, it’s hard to translate it when you just see the numbers.  But you’re talking about 50 (ph) to 100 billion metadata records of phone calls and e-mails every single day.  So vast, vast quantities of information they’re sweeping up.  And they were talking by 2030 having in place the world’s largest surveillance system, so, a system that surpasses even what the NSA and U.S. has built itself.

HARI SREENIVASAN:  OK, when somebody hears that there’s millions and billions and possibly trillions of pieces of data, they’re going to say, you know, what, how do you actually identify this is specifically me that’s doing this, or going to the site, or saying this thing in a chat room?

RYAN GALLAGHER:  Uh-huh. Well, I mean, we have — we don’t actually — one of the interesting parts of the story is that we had a bunch of specific cases where, for example, we had monitored something like 200,000 people from something like 185 different countries, so almost every country in the world, they have listened to radio source (ph) through their computer.  In one case, they decided to pick out just one of these people.  It seems like at random, and what web site he had been viewing.

So, it’s kind of an all-seeing system.  When you’re gathering that amount of information, it’s going to be something that does have an impact and effect in all of us really.

SPYWARE - Lenovo Machines

"Lenovo in the News Again for Installing Spyware on Its Machines" by Manish Singh, Computer Help Forums 9/24/2015

Despite launching a number of interesting products this year, Lenovo has perhaps got more press time for the things it has done wrong.  The Chinese technology conglomerate is back in the news, this time for allegedly installing a program on at least some of its refurbished notebook lineup that is programmed to send users' feedback data to Lenovo.  Upon further inspection, the program seems to have an association with a third-party marketing and Web analytics firm.

As per many users' reports, the company ships its factory refurbished laptops with a program called "Lenovo Customer Feedback Program 64" that is scheduled to run every day.  According to its description, Lenovo Customer Feedback Program 64 "uploads Customer Feedback Program data to Lenovo."

Upon further digging, Michael Horowitz of Computerworld found these files in the folder of the aforementioned program: "Lenovo.TVT.CustomerFeedback.Agent.exe.config, Lenovo.TVT.CustomerFeedback.InnovApps.dll, and Lenovo.TVT.CustomerFeedback.OmnitureSiteCatalyst.dll."

As he further pointed out, Omniture, as mentioned in the suffix of one of the files, is an online marketing and Web analytics firm, which suggests that the laptops are tracking and monitoring users' activities.

On its support website, the largest PC vendor noted that it may include software components that communicate with servers on the Internet.  These applications could be on any and every ThinkCentre, ThinkStation, and ThinkPad lineups.  One of the applications listed on the website is Lenovo.TVT.CustomerFeedback.Agent.exe.config.
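A quick check for the scheduled task and the files the article describes, written here as an added example (it is not from the article or from Lenovo).  It assumes Windows 8 or later for Get-ScheduledTask, searches only under Program Files and ProgramData, and only reports, so you can decide what to do with what it finds; the three file names are the ones the article quotes.

```powershell
# Added example: report any 'Customer Feedback' scheduled task and the
# Lenovo.TVT.CustomerFeedback.* files the article names.  Read-only.

# The three file names quoted in the article.
$Indicators = @(
    'Lenovo.TVT.CustomerFeedback.Agent.exe.config',
    'Lenovo.TVT.CustomerFeedback.InnovApps.dll',
    'Lenovo.TVT.CustomerFeedback.OmnitureSiteCatalyst.dll'
)

function Find-CustomerFeedbackTasks {
    # Get-ScheduledTask is available on Windows 8 / Server 2012 and later.
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        $_.TaskName -like '*Customer Feedback*' -or
        ($_.Actions | Where-Object { $_.Execute -like '*CustomerFeedback*' })
    } | ForEach-Object {
        $task = $_
        [pscustomobject]@{
            Task     = $task.TaskPath + $task.TaskName
            State    = $task.State
            # What the task actually launches, and what kind of trigger fires it
            # (a daily trigger shows up as MSFT_TaskDailyTrigger).
            Runs     = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join '; '
        }
    }
}

function Find-CustomerFeedbackFiles {
    param([string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData))
    foreach ($root in $Roots) {
        if ([string]::IsNullOrEmpty($root) -or -not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Filter 'Lenovo.TVT.CustomerFeedback*' -ErrorAction SilentlyContinue |
            Where-Object { $Indicators -contains $_.Name } |
            ForEach-Object {
                # Authenticode status tells you whether the binary is signed and by whom;
                # the .config file will report NotSigned, which is expected for a text file.
                $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = '(none)'
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                [pscustomobject]@{
                    File   = $_.FullName
                    Signer = $signer
                    Status = $sig.Status
                }
            }
    }
}

Write-Host '== Scheduled tasks =='
Find-CustomerFeedbackTasks | Format-Table -AutoSize
Write-Host '== Files =='
Find-CustomerFeedbackFiles | Format-Table -AutoSize
```

If the task turns up, the Runs column tells you which executable it launches, and the Signer column on the DLLs tells you whether they are signed by Lenovo or by someone else; that is the information to have before deciding whether to disable the task.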

This isn't the first time Lenovo has been caught shipping what appears to be spyware on its machines.  Earlier this year, Lenovo was found bundling a spyware called "Superfish" on its machines.  In August, the company was caught covertly downloading and installing software on its Windows PCs.  The program modified the BIOS to force the computer to download its programs upon each login.

Tuesday, September 8, 2015

MICROSOFT - Privacy Invasion Port to Windows 7 and 8

"Microsoft backports privacy-invading Windows 10 features to Windows 7, 8" by Joel Hruska, Extreme Tech 9/31/2015


Every time Microsoft releases a new version of an operating system, there’s always a few users bitterly unhappy at the company’s decision not to support new features on older products.  Microsoft has finally listened to these die-hard devotees of older operating systems.  If you felt like Windows 7 and Windows 8 offered you a little too much privacy, rejoice: Microsoft is updating those operating systems with the same telemetry gathering software it deployed on Windows 10.

What?  You wanted DirectX 12? has discovered four KB updates for Windows 7 and 8, each of which is described as an “Update for customer experience and diagnostic telemetry.”  Each is detailed below:

KB 3068708:  This update introduces the Diagnostics and Telemetry tracking service to existing devices.  By applying this service, you can add benefits from the latest version of Windows to systems that have not yet upgraded.  The update also supports applications that are subscribed to Visual Studio Application Insights.

KB 3068708 is listed as collecting diagnostics about functional issues on systems that take part in the Customer Experience Improvement Program.  Determining whether or not you are a member of the CEIP, however, is less than obvious.  The KB also notes that “Most programs make CEIP options available on the Help menu, although for some products, you might have to check settings, options, or preferences menus.”  This is a recommended Windows update.

KB 3022345:  This update has been superseded by KB 3068708, but previously provided the same telemetry-tracking services.  It’s not clear how the two updates differ, but if you want to remove all traces of telemetry tracking, you’ll want to remove this update as well.

KB 3075249:  This update adds telemetry points to the User Account Control (UAC) feature to collect information on elevations that come from low integrity levels.  What this appears to mean is that MS wants more information about the kinds of applications that trigger UAC in the first place, presumably because it wants to know what they do and why they need that access.  This update is classified as Optional.

KB 3080149:  This update is described in identical language to the first two.  “This package updates the Diagnostics and Telemetry tracking service to existing devices.  This service provides benefits from the latest version of Windows to systems that have not yet upgraded.  The update also supports applications that are subscribed to Visual Studio Application Insights.”  It is provided as an Optional update, even though the first was classified a “Recommended” update.

Hard-coded phoning home

One of the assumptions made by various privacy advocates and journalists, including me, is that third-party utilities would be able to shut down the tracking Microsoft deployed in Windows 10.  To some degree, that’s already happened, but there are certain new “features” of Windows 10 that can’t be blocked by any OS-level tweaks, including the hosts file.  The updates listed above connect to and  These addresses are hard-coded to bypass the hosts file and cannot be prevented from connecting.  It’s been reported that software firewalls aren’t sufficient to block them, though this is unclear.

IMPORTANT:  You should uninstall updates in reverse order starting with KB3080149 and Restart after each uninstall run.  Uninstall KB3068708 LAST (it is the key update, the others are updates to this one).

The upshot for Windows 7 & 8 users who want MORE privacy: uninstall the listed 'updates' and hide them when they come up again.
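The four KBs and the removal order from the note above, turned into a script.  This is an added example, not from the ExtremeTech article or from Microsoft: it uses Get-HotFix, wusa.exe /uninstall and the Windows Update Agent COM API (Microsoft.Update.Session), which exist on Windows 7 and 8, and it assumes an elevated PowerShell prompt.  $DryRun is a switch I added so you can see what would happen before anything is removed.

```powershell
# Added example: remove the telemetry updates the post lists, in its order,
# then hide them so Windows Update does not offer them again.
# Run from an elevated (Administrator) PowerShell prompt.

$DryRun = $true   # set to $false to actually uninstall / hide

# Order from the post: KB3080149 first, KB3068708 (the base update) last.
$TelemetryKBs = @('KB3080149', 'KB3075249', 'KB3022345', 'KB3068708')

function Get-InstalledTelemetryUpdates {
    # Get-HotFix reports HotFixID as e.g. 'KB3068708'.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    # Keep the post's order so the caller uninstalls newest-first.
    $TelemetryKBs | Where-Object { $installed -contains $_ }
}

function Remove-TelemetryUpdate {
    param([Parameter(Mandatory = $true)][string]$KB)
    $number = $KB -replace '^KB', ''
    Write-Host "Uninstalling $KB"
    if ($DryRun) { return }
    # wusa.exe is the Windows Update Standalone Installer.  /norestart leaves
    # the reboot to us, because the post wants a restart after each removal.
    Start-Process -FilePath 'wusa.exe' `
        -ArgumentList "/uninstall /kb:$number /quiet /norestart" -Wait
}

function Hide-TelemetryUpdates {
    # Windows Update Agent COM API: mark the listed KBs hidden when they are
    # offered again after removal (the "hide them" step in the post).
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($update in $result.Updates) {
        foreach ($kb in $update.KBArticleIDs) {
            if ($TelemetryKBs -contains "KB$kb") {
                Write-Host "Hiding: $($update.Title)"
                if (-not $DryRun) { $update.IsHidden = $true }
            }
        }
    }
}

$present = @(Get-InstalledTelemetryUpdates)
if ($present.Count -eq 0) {
    Write-Host 'None of the listed telemetry updates are installed; hiding any that are offered.'
    Hide-TelemetryUpdates
    return
}

Write-Host "Installed telemetry updates, in removal order: $($present -join ', ')"

# One update per run: uninstall the first remaining one, restart, and rerun
# the script after the restart until nothing is left; it then hides the rest.
Remove-TelemetryUpdate -KB $present[0]
if (-not $DryRun) {
    Write-Host "Restarting to complete removal of $($present[0]); rerun this script afterwards."
    Restart-Computer -Force
}
```

Leave $DryRun at $true for the first run: it prints which of the four updates are present and which one would go first, and you can compare that against Control Panel > Installed Updates before letting it uninstall anything.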

There is more in the full article.

Monday, September 7, 2015

MICROSOFT - More Bullying, Browsers

"Microsoft steering Windows 10 users away from non-Microsoft browsers" by Cindy E, Computer Help Forums 9/6/2015

Microsoft is aggressively pushing its new web browser, Edge, to Windows 10 users when they attempt to search for other browsers - like Firefox or Chrome - using Microsoft's own browser.

The tactic was first spotted by VentureBeat and also picked up by MarketingLand, which ran several searches in Bing on Windows 10 to show the various ways that Microsoft is pushing Edge.

Right now, when Windows 10 users try to search for and download Google Chrome or Firefox from Microsoft's Edge browser, a dark bar appears at the top of the search results page saying that Microsoft recommends they use Edge, with a 'Learn Why' button.  Learn Why simply leads to a marketing page for the Edge browser.  (This experience was only reported in the U.S., by the way; we can't confirm whether this is something that Windows 10 users in other markets are seeing, as well.)

Tech companies promoting their own browsers, or preferred partner browsers, isn't new.  Google, for example, often suggests consumers use Google Chrome as their default browser while they're running Google searches.

But since Microsoft (and others) have been pointing fingers at Google for years for what they believe are anti-competitive practices, the move by Microsoft to push its own browsers when users try to download others is...interesting.

Mozilla CEO Chris Beard had already accused Microsoft of making it too difficult for Windows 10 users to choose Mozilla Firefox as the default browser in the new operating system.

"Microsoft Edge was designed exclusively for Windows 10 with features and functionality that enhance the browsing experience such as Cortana, Web Note and Quick answers," a Microsoft spokesperson said in a statement to The Verge.  "These notifications were created to provide people with quick, easy information that can help them get to know these experiences better.  That said, with Windows 10 you can easily choose the default browser and search engine of your choice."

Wednesday, September 2, 2015

WINDOWS 10 - Food For Thought, Ubuntu (Linux)

NOTE:  Ubuntu is free for non-commercial users.  Also, I have an Ubuntu laptop.

"Windows 10:  is it finally time to migrate to Ubuntu?" by Maria Bonnefon, Ubuntu Desktop 8/27/2015

Public and private enterprises across the world have been using Microsoft Windows for years, but this calls into question whether it is in fact the best choice or simply force of habit.

With recent security and performance issues coming to the fore, an increasing number of companies are exploring the benefits of using alternative Operating Systems, and harvesting the benefits of ultra secure, robust, high performance options.  Plus, the cherry on the top is that royalty, maintenance and training costs for users can be reduced by as much as 70 percent!

Ten years ago, such alternatives were only something companies could dream of.   They were locked into proprietary models that financially squeezed them, yet still failed to provide all the services required.  This is slightly reminiscent of Henry Ford’s choice of color for ‘Model T’ …. ‘you can have a car painted any color so long as it is black.’

Increasingly, CTOs are questioning whether they actually need to remain in this locked-in situation.  Frequently asked questions include: can I deploy an alternate OS in our computer park without compromising on productivity whilst reducing costs?  Will the performance of the OS deliver on its promise?  Will I be able to drive down royalty costs without having to make hefty financial investments on technical support and training?  The answer is yes.  Ubuntu can offer this and more.

So, now that Windows 10 has been announced, customers should ask themselves is this the right time to transition?  The ‘comfortable’ next move would be to simply upgrade; however, the heavy resource constraints on devices and meatier royalty fees have turned off even the most fervent Windows followers.  Top media across the globe are analyzing ways to snub Windows 10 (see Le Monde August 4, 2015 article ‘5 operating systems to snub Windows 10’) and, in my opinion, for mainstream users who care about their privacy, this is probably the best possible time to take a closer look at other choices.

Ubuntu continues to grow in popularity, not only with mainstream consumers, but also with Fortune 500 companies.  Moreover, government and top notch education entities across the globe have realized they can save millions of dollars, and invest funds more prudently for social programmes.

Microsoft is offering a free download of Windows 10 for a limited time.  This is great for many users, but it’s only available to those running Windows 7, Windows 8.1, and selected Windows Phone 8.1.  For everyone else, it’ll be available for $199USD for Windows 10 Home* or $199USD Windows 10 Pro*.

This is great if you are in the category of people that are able to spend this kind of cash.  However, that money might be better put towards more altruistic or even epicurean objectives, whilst still allowing you to benefit from a tremendous OS.  Food for thought?

Tuesday, August 4, 2015

WINDOWS 10 - Violates Privacy

"Windows 10 violates your privacy by default, here's how you can protect yourself" by Conner Forrest, TechRepublic 8/4/2015


Upon installation, Windows 10 defaults to some pretty serious privacy invasions.  Here are some steps you can take to keep your personal data private.

Since the July 29 release of Windows 10, the tech world has been talking about the latest OS update from Microsoft.  A mere 24 hours after its release, more than 14 million users had downloaded Windows 10.

The quick ramp up was due, in part, to Microsoft releasing the update as a free download for existing Windows users.  Windows 10 also came with a new service model as Windows will be releasing service packs every few months to users.

The model itself got some backlash, especially from organizations that don't want to upgrade their system that frequently.  More recently, though, some criticism has arisen over privacy concerns brought on by the new OS.

The first issue is that Windows 10 automatically assigns an advertising ID to each user on a device tied to the email address that's on file.  Using that ID, the company can tailor ads for web-browsing and using certain applications.

The next concern is that much of users' personal data is synced with Microsoft's servers.  Some of this information, like your WiFi password, can then be encrypted and shared with your contacts, using a feature called WiFi sense.  Although, some have argued that this isn't a security risk, because the user must choose to share the network.

Additionally, Microsoft's personal assistant, Cortana, must collect data as well to provide the kind of service it does, but it is likely not better or worse than its Apple and Google contemporaries.

One of the biggest worries, though, is Microsoft's policy on disclosing or sharing your personal information.  The following is an excerpt from the privacy policy:

"We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services."

The problem is that many users want personalized services, but it's difficult to draw the line at what data should be collected.  Forrester's Tyler Shields said that instead of making these features default, Microsoft could have allowed users to opt-in later if they wanted to enable them.

"This is more of a privacy-friendly stance that may have been palatable to the general public," Shields said.  "However, Microsoft would have had less adoption to its value added services had it made them opt-in, thus lessening the potential success of the Windows 10 launch."

So, how do you protect yourself from these issues?  Here are some steps you can take to opt out of or disable some of the problematic features.

The first thing to note is that, if you haven't yet installed Windows 10 but you plan on doing so, make sure that you do a custom install so you'll be able to pick and choose what is enabled at the onset.  But, if you installed Windows 10 using Express settings, you can still disable some of the default privacy settings.

From the start button, click "Settings" and then click "Privacy" and click the "General" tab on the left sidebar.  Under that tab you'll see a few sliders where you can toggle certain features on or off.

The top toggle button is the most important as it disables the advertising ID for each user.  But, if you want to cover your bases, you should go ahead and disable the rest of the options as well.
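The same top toggle done from PowerShell, as an added example (it is not from the TechRepublic article or from Microsoft).  It assumes the Settings > Privacy > General advertising-ID slider is backed by the per-user registry value HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo\Enabled (0 = off), which is the value I understand that slider writes, and it reports the state before and after so you can confirm in the Settings app that the slider flipped.

```powershell
# Added example: read and switch off the per-user advertising ID that the
# Settings > Privacy > General slider controls.  Assumes the Enabled DWORD
# under the AdvertisingInfo key is what the slider writes.
$AdKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo'

function Get-AdvertisingIdState {
    # Returns 'enabled', 'disabled', or 'not set' when the value is absent
    # (a fresh profile that has never touched the slider).
    $props = Get-ItemProperty -Path $AdKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.Enabled) { return 'not set' }
    if ([int]$props.Enabled -eq 0) { 'disabled' } else { 'enabled' }
}

function Disable-AdvertisingId {
    # Creates the key if it is missing, then writes Enabled = 0, which is the
    # same thing switching the slider off does.  Returns the new state.
    if (-not (Test-Path $AdKey)) { New-Item -Path $AdKey -Force | Out-Null }
    Set-ItemProperty -Path $AdKey -Name 'Enabled' -Value 0 -Type DWord
    Get-AdvertisingIdState
}

Write-Host "Advertising ID before: $(Get-AdvertisingIdState)"
Write-Host "Advertising ID after:  $(Disable-AdvertisingId)"
```

This only covers the one user profile it runs under; each account on the machine has its own slider and its own HKCU value, so run it per user, or use the Settings app for the others.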

NOTE:  Full article has screenshots of settings that need change.

Monday, August 3, 2015

WINDOWS 10 - Not Really Ready for Prime-Time

Like ALL previous releases of Windows the initial release of Windows 10 should be installed with a very big grain-of-salt.

I have been a desktop user of Windows since Windows ME.  Upgraded to WinXP and now use Win7 64bit.

Initial releases of Windows distributions have always been very faulty.  The upshot for those who are thinking of 'upgrading' to Windows 10 is 'if it ain't broke, don't fix it.'

If your present version of Windows works fine, DO NOT upgrade to Windows 10 for at least a year AFTER release.

"Windows 10 Vs Windows 8 Vs Windows 7:  What's The Difference?" by Gordon Kelly, Forbes 8/02/2015

NOTE:  I personally have no intention to 'upgrade' to Windows 10.

Monday, July 13, 2015

"Can the government get special encryption access while preserving privacy?" PBS NewsHour 7/8/2015


SUMMARY:  The U.S. government wants to be able to read certain data that's inaccessible to intelligence agencies due to encryption.  At a Senate hearing, FBI director James Comey said the privacy technology can be a double-edged sword, detrimental to public safety.  Gwen Ifill speaks to former Homeland Security Department official Stewart Baker and Susan Landau of the Worcester Polytechnic Institute.

GWEN IFILL (NewsHour):  Earlier in the day, the Obama administration went to Capitol Hill to make its case to allow government great access to encrypted information.  Essentially, the government wants to be able to read certain data that intelligence agencies cannot get now because it’s been protected with special codes.  That’s at the heart of an ongoing battle with tech companies.

JAMES COMEY, FBI Director:  Encryption is a great thing.  It keeps us all safe.  It protects innovation.

GWEN IFILL:  But, FBI Director James Comey warned at Senate hearings today, it’s also a double-edged sword.  That’s because the technologies that seal off smartphones from surveillance also impede efforts to track criminals and terrorists.

JAMES COMEY:  We are moving inexorably to a place where all of our lives, all of our papers and effects, all of our communications will be covered by universal strong encryption.  And that is a world that in some ways is wonderful and in some ways has serious public safety ramifications.

GWEN IFILL:  Google, Apple and other tech firms have ramped up data encryption in the wake of Edward Snowden’s revelations of sweeping government surveillance.  They’re also responding to stepped-up hacking coming from Russia and China.

But, at the same time, Islamic State followers and other militants are now using encrypted communications to recruit at a rapid pace.  Deputy Attorney General Sally Yates underscored that point today.

SALLY YATES, Deputy Attorney General:  ISIL currently communicates on Twitter, sending communications to thousands of would-be followers right here in our country.  When someone responds and the conversations begin, they are then directed to encrypted platforms for further communication.

And even with a court order, we can’t see those communications.  This is a serious threat.  And our inability to access these communications with valid court orders is a real national security problem.

GWEN IFILL:  And the FBI’s Comey suggested it’s just a matter of time before that leads to a terror attack.

JAMES COMEY:  We are stopping these things so far through tremendous hard work, the use of sources, the use of online undercovers, but it is incredibly difficult.  I cannot see me stopping these indefinitely.

Wednesday, June 24, 2015

SECURITY - Software Code Cribbing

"Programmers are copying security flaws into your software, researchers warn" by Laura Hautala, CNet 6/23/2015

Many software developers are cribbing code, and its flaws, that someone else created. And the problem is only getting harder to keep up with.

It's easy to assume that hackers work way above our pay grade.  Electronic intruders must be able to exploit vulnerabilities in the software we use because they're evil geniuses, right?

That may be the case in some very sophisticated attacks, experts say, but in others, not so much.  Programmers -- the people who create the software -- don't write all their code from scratch, instead borrowing freely from others' work.  The problem: they're not vetting the code for security problems.

Working more as code assemblers than as writers, programmers are sourcing about 80 percent to 90 percent of the code in any given software application from third parties, many experts estimate.  Sometimes programmers buy code from other companies, and sometimes they use open-source code that's free for anyone to use.

The problem affects all software, which means everything from the mobile apps on your smartphone to your favorite website to the programs you run on your computer.  Everything except for the operating system on a device or computer is likely composed of building blocks of code rather than created wholly new, said Chris Wysopal, co-founder and executive at software security company Veracode.

The priority for all those highly paid programmers is speed, not security, Wysopal said.  His company, which assesses software for businesses, released a report Tuesday analyzing its own clients' habits when it comes to software use.

Veracode found 6.9 million flaws in more than 200,000 inspections of code used by its clients over the last year.  Those clients fixed 4.7 million of the flaws.  While in-house programmers likely wrote some of that code, industry numbers suggest the vast majority of it came from elsewhere.

"That's the trend -- to reuse as much code as possible," Wysopal said.  It speeds up production time and lets software programmers work on solving new problems instead of reinventing the wheel.

"Everything is good about that except for the inheriting-vulnerabilities part," Wysopal said.

Feds and flaws

Lowest ranking among the industries Veracode checked for security flaws was the federal government.  "Part of the reason for this is that the government still uses older programming languages," Veracode researchers wrote in the report.

That might not come as a surprise to those following news of multiple breaches of federal government workers' personal records, which compromised the Social Security numbers of millions of current and former federal workers and revealed sensitive personal information on everyone who has applied for a security clearance.

The problem of flawed source code is bad enough that Veracode has made a business out of checking software components for problems, and other companies are similarly offering to vet software components for those speed-hungry programmers.

One of those companies is Sonatype, and its chief technology officer, Joshua Corman, says he's on the side of the programmers hitting Ctrl-V, the keyboard shortcut for "paste."

Are programmers lazy?  No, Corman says, just efficient.

"The best way to put this is the time value of money," he said.  "You want to spend your unique talent pool on different problems."

Some companies are using services like Sonatype and Veracode, and some are hiring security "fellows" whose paychecks are dependent on finding security flaws in code.

Corman's company provides a repository of open-source code, but it also focuses on finding and eliminating problems in the code.  In fact, Corman went so far as to check out a major government project for flaws to see if it was vulnerable to hackers.

That project was, the website rolled out by the Obama administration to get people signed up for the health insurance mandated by the Affordable Care Act.

The website was notoriously buggy when it first went live, and Corman decided to look at the building blocks used by the government contractors who built it to see if hackers might have an avenue into it.

He looked at the third-party code accessed by the developers and concluded it contained some vulnerabilities.  But he wasn't sure if those flaws made it into the website's final code.  Nonetheless, this news alarmed lawmakers, Corman said.

Eventually, those lawmakers learned that federal law doesn't explicitly require software programmers contracted by the government to vet code they didn't write themselves.  A proposed fix to the problem -- a bill called H.R. 5793 -- would have required software developers to give the government a list of third-party code, assurance that all the code was free of known flaws, and a guarantee to fix any vulnerabilities that come up later.

Rep. Edward Royce (R-Calif.) introduced the bill in December at the end of the congressional session.  The bill never made it to a vote, and Corman said he thinks it might be better suited for an executive order.

Other industries have problems with faulty source code, too, according to Veracode's research.  Retail and hospitality companies that use Veracode to vet their software had a poor track record with their efforts to encrypt data, for example.  Again, this isn't surprising news given the breaches of customer information revealed by major retailers like Target and the Home Depot over the past year.

The pace of software development is only speeding up, meaning the problem is harder to keep up with, Wysopal said.

"New languages and new environments to write code in are continuously being invented, and companies want to push software out the door as quickly as possible," he said.  But speed doesn't have to sacrifice security, he argued.

"They don't need to be mutually exclusive.  If you build security processes in or if you require vendors to build it in, you can still go fast," Wysopal said.  But, he noted, "It can't be an afterthought."

Monday, June 8, 2015

CYBER WARS - China vs U.S.

"With a series of major hacks, China builds a database on Americans" by Ellen Nakashima, Washington Post 6/5/2015

China is building massive databases of Americans’ personal information by hacking government agencies and U.S. health-care companies, using a high-tech tactic to achieve an age-old goal of espionage:  recruiting spies or gaining more information on an adversary, U.S. officials and analysts say.

Groups of hackers working for the Chinese government have compromised the networks of the Office of Personnel Management, which holds data on millions of current and former federal employees, as well as the health insurance giant Anthem, among other targets, the officials and researchers said.

“They’re definitely going after quite a bit of personnel information,” said Rich Barger, chief intelligence officer of ThreatConnect, a Northern Virginia cybersecurity firm.  “We suspect they’re using it to understand more about who to target [for espionage], whether electronically or via human recruitment.”

The targeting of large-scale databases is a relatively new tactic and is used by the Chinese government to further its intelligence-gathering, the officials and analysts say.  It is government espionage, not commercial espionage, they say.

“This is part of their strategic goal — to increase their intelligence collection via big-data theft and big-data aggregation,” said a U.S. government official who, like others, spoke on the condition of anonymity to discuss a sensitive topic.  “It’s part of a strategic plan.”

One hack of OPM, which was disclosed by the government Thursday, dates at least to December, officials said.  Earlier last year, OPM discovered a separate intrusion into a highly sensitive database that contains information on employees seeking or renewing security clearances and on their background investigations.

Once harvested, the data can be used to glean details about key government personnel and potential spy recruits, or to gain information useful for counterintelligence.  Records in OPM’s database of background investigations, for instance, could contain a complete history of where an individual has lived and all of his or her foreign contacts in, say, China.  “So now the Chinese counterintelligence authorities know which American officials are meeting with which Chinese,” a China cyber and intelligence expert said.

The data could help Chinese analysts do more effective targeting of individuals, said a former National Security Agency official.  “They can find specific individuals they want to go after, family members,” he said.

The trend has emerged and accelerated over the past 12 to 18 months, the official said.  An increase in Chinese capability has opened the way “for bigger data storage, for bigger data theft,” he said.  “And when you can gain it in bulk, you take it in bulk.”

The Chinese government, he said, is making use of Chinese companies that specialize in aggregating large sets of data “to help them in sifting through” the information for useful details.  “The analogy would be one of our intelligence organizations using Google, Yahoo, Accenture to aggregate data that we collected.”

China on Friday dismissed the allegation of hacking as “irresponsible and unscientific.”

Chinese Foreign Ministry spokesman Hong Lei said Beijing wanted to cooperate with other nations to build a peaceful and secure cyberspace.

“We wish the United States would not be full of suspicions, catching wind and shadows, but rather have a larger measure of trust and cooperation,” he told a regular news briefing.

OPM disclosed that the latest hack of one of its systems exposed personal data of up to 4 million current and former employees — the largest hack of federal employee data in recent years.

It is possible that officials as senior as Cabinet secretaries had their data exposed, a congressional aide said on a briefing call with government officials Friday.

U.S. officials privately said China was behind it.  The stolen information included Social Security numbers and performance evaluations.

“This is an intelligence operation designed to help the Chinese government,” the China expert said.  “It’s a new phase in an evolution of what they’re doing.  It certainly requires greater sophistication on their part in terms of being able to take out this much data.”

Barger’s firm has turned up technical evidence that the same Chinese group is behind the hacks of Premera Blue Cross and Empire BlueCross, which were discovered at roughly the same time earlier this year.

The first OPM incident has been linked to the health-care hacks by Barger and another security researcher, John Hultquist, senior manager for cyberespionage threat intelligence at iSight Partners.  Hultquist said the same group is responsible for all of them, and for other intrusions into commercial databases containing large sets of Americans’ personal information.

“They would leverage this data to get to diplomatic, political, military and economic intelligence that they typically target,” said Hultquist, who declined to comment on who was behind the attacks.

Though much Chinese cyberespionage is attributed to the People’s Liberation Army, these hacks, Barger said, appeared to be linked to the Ministry of State Security, which is a spy agency responsible for foreign espionage and domestic counterintelligence.

Other Chinese entities, including the military, may also be involved in the campaign, analysts said.

Chinese government hackers “are like a vacuum cleaner” in sucking up information electronically, said Robert “Bear” Bryant, a former top counterespionage official in the government.  “They’re becoming much more sophisticated in tying it all together.  And they’re trying to harm us.”

Security researchers have pointed to a cyber tool or family of malicious software called Derusbi that has been linked exclusively to Chinese actors.  One group that has used Derusbi is Deep Panda, a name coined by the firm CrowdStrike, which has linked that group to the Anthem hack.

Disclosed in February, that incident exposed the Social Security numbers, addresses, phone numbers, e-mail addresses and member IDs of tens of millions of customers.  No medical data such as diagnosis or treatment information was compromised, the company said.

Researchers note that in contrast to the hacks of Home Depot and Target, personal data that might have been stolen from OPM, Anthem and the other companies has not shown up on the black market, where it can be sold to identity thieves.  That is another sign, they said, that the intrusions are not being made for commercial purposes.

“Usually if there’s a criminally or financially motivated breach like that, we see the data making its way into the black market soon after that,” Barger said.

The big-data approach being taken by the Chinese might seem to mirror techniques used abroad by the NSA, which has come under scrutiny for its data-gathering practices under executive authority.  But in China, the authorities do not tolerate public debate over the proper limits of large-scale spying in the digital age.

“This is what all intelligence services do if they’re good,” said the China cyber expert.  “If you want to find a needle, first you have to gather a haystack of needles.”

The massive data harvesting “reflects a maturity in Chinese” electronic intelligence gathering, the expert said.  “You have to put in place structured data repositories.  You have to have big-data management tools to be able to store and sift and analyze.”

Barger said that “with a large pool of data, they can prioritize who is the best to target electronically and who is the best to target via human recruitment.”

The U.S. official noted that the Chinese “would not take [the data] if they did not have the opportunity to aggregate it.”  And, he added, “they are taking it.”

How the Internet became so vulnerable

Thursday, June 4, 2015

TECHNOLOGY - Google's Gesture Control

"How Google's gesture control technology could revolutionize the way we use devices" by Conner Forrest, TechRepublic 6/3/2015

Soli, Google's new gesture technology, would allow users to interact with their devices without ever touching the device itself. Here's how it's poised to make an impact.

It seems like pop culture is obsessed with the idea of interacting with technology without actually touching a device to do so.  Movies such as Minority Report and Iron Man are the frontrunners in this -- the idea that the future of technology will be decidedly "hands-off."

That future could be coming sooner than we think.  Last week, at its annual I/O developer conference, Google announced Soli, a project that would allow users to interact with their devices using hand gestures performed near the device, without requiring contact with the device.

"Project Soli is the technical underpinning of human interactions with wearables, mobile devices as well as the Internet of Things," a Google ATAP (Advanced Technology and Projects) spokesperson said.

Soli was born out of Google's ATAP group.  It's a fingernail-sized chip that uses radar to read hand gestures and convert them to actions on the device.

So if a user were to touch his or her thumb to their forefinger, Soli would read that as a button being pressed.  Or, if the user slides his or her forefinger back and forth on the pad of their thumb, that could operate a slider to adjust volume.

Unlike cameras, which are used in other motion sensing technologies, radar has a high positional accuracy, and thus works better in this context than cameras would.  It's able to pick up on slight movements better.

"Radar is a technology which transmits a radio wave towards a target, and then the receiver of the radar intercepts the reflected energy from that target," lead research engineer Jaime Lien said in a video about Soli. (below)

The radar waves bounce off of your hand and back to the receiver, allowing it to interpret changes in the shape or movement of your hand.  Radar is also important to the project, according to Soli team lead Ivan Poupyrev, because it can work through materials or be embedded into objects.

The technology is vaguely reminiscent of the theremin musical instrument developed in the 1920s by Léon Theremin, but much more intricate.  In the Soli video, Poupyrev mentioned that the technology could be used to interact with "wearables, Internet of Things, and other computing devices."

The potential for Soli in wearables is perhaps the most obvious use case so far.  Small screens make it difficult to select certain apps or features, and being able to perform gestures next to the device might make navigation easier and intuitive.

According to 451 analyst Ryan Martin, it is important that a company like Google gets involved in this space because a project like Soli is important to the wearable and IoT ecosystems as a whole and it's important that it "be approached from a technology perspective, not a product perspective."

There are companies that focus solely on gesture-based interactions, but that can be risky and volatile as it will likely just be integrated as a feature.  Martin said that wrist-based wearables are actually less efficient if users actually have to touch them, and Soli could be a step forward in making them more efficient and usable.

Other potential use cases could be within connected cars or in the augmented reality (AR) or virtual reality (VR) spaces.  Imagine your Oculus Rift or Gear VR could support virtualized "hands" as another input without a third-party accessory.  Although, Martin said, it would probably work better as a complement to another input such as voice or touch.

Using Soli as an input tool is the glaring use case for now, but the project could provide value as an output technology as well.

"I think the killer application, or use case, long-term is going to be how to take this technology and have it be scanning around to provide context and enable automation that might not even necessitate gesture-based interaction, it might just happen," Martin said.

Gillette is one of many companies whose factories utilize high-speed cameras to analyze manufacturing processes and equipment to better understand when maintenance or repair is needed.  Soli could provide a similar service to advanced manufacturing facilities by consistently reading the machines and documenting their performance.

Time to market will depend on user experience.  As a device feature, Soli needs to be reliable and consistent or it will be detrimental to the partner brand or OEM that integrates it.

"Once the technology is able to meet that end, I think that's when we'll start to see it baked into products, but right now it's definitely in its development phase," Martin said.

According to the Google ATAP spokesperson, the company will be releasing a hardware and software development kit to developers soon.  If you want more information about Project Soli, you can contact the team at

Wednesday, May 6, 2015

SCIENTIFIC AMERICAN - Fear of Cyberattacks Should Not Lead Us to Destroy What Makes the Internet Special

"Freedom and Anonymity" by Jonathan Zittrain, Scientific American 2011

It’s starting to get weird out there.  When WikiLeaks released classified U.S. government documents in December, it sparked several rounds of online conflict.  WikiLeaks became the target of denial-of-service attacks and lost the support of its hosting and payment providers, which inspired sympathizers to counterattack, briefly bringing down the sites of MasterCard and a few other companies.  Sites related to the hackers were then attacked, and mirror sites sprang up claiming to host copies of the WikiLeaks documents—although some were said to carry viruses ready to take over the machines of those who downloaded the copies, for who knows what end.  Months before, an FBI official said disruption of the Internet was the greatest active risk to the U.S. “other than a weapon of mass destruction or a bomb in one of our major cities.”

Attacks on Internet sites and infrastructure, and the compromise of secure information, pose a particularly tricky problem because it is usually impossible to trace an attack back to its instigator.  This “attribution problem” is so troublesome that some law-enforcement experts have called for a wholesale reworking of Internet architecture and protocols, such that every packet of data is engraved with the identity of its source.  The idea is to make punishment, and therefore deterrence, possible.  Unfortunately, such a reworking would also threaten what makes the Internet special, both technologically and socially.

The Internet works thanks to loose but trusted connections among its many constituent parts, with easy entry and exit for new Internet service providers or new forms of expanding access.  That is not the case with, say, mobile phones, in which the telecom operator can tell which phone placed what call and to whom the phone is registered.  Establishing this level of identity on the Internet is no small task, as we have seen with authoritarian regimes that have sought to limit anonymity.  It would involve eliminating free and open WiFi access points and other ways of sharing connections.  Terminals in libraries and cybercafes would have to have verified sign-in rosters.  Or worse, Internet access would have to be predicated on providing a special ID akin to a government-issued driver’s license—perhaps in the form of a USB key.  No key, no bits.  To be sure, this step would not stop criminals and states wanting to act covertly but would force them to invest much more to achieve the anonymity that comes so naturally today.

The price to the rest of us would also be high.  The Internet’s distinct configuration may have made cyberattacks easy to launch, but it has also kindled the flame of freedom.  One repressive state after another has been caught between the promise of economic advancement through abundant Internet access and the fear of empowering its citizens to express themselves freely.  An Internet without the attribution problem would introduce a new issue: citizens could be readily identified and punished for their political activities.

We need better options for securing the Internet. Instead of looking primarily for top-down government intervention, we can enlist the operators and users themselves.  For example, Web site operators could opt into a system of “mirror as you link.”  Whenever their servers render a page, they cache the contents of the link.  Then, when someone tries to get to the site and can’t, he or she can go back to the original linking site and digitally say, “I can’t get that link you just directed me to.  Would you mind telling me what was there?”

Such a system of mutual aid would draw on the same cooperative and voluntary instinct behind the development of the Internet itself.  If I participate as a Web site, I will know that others linking to me will also mirror my material; we each help the other, not simply because it’s the right thing to do, but because we each benefit, spreading the risk of attack and cushioning its impact among all of us.  It’s a NATO for cyberspace, except it would be an alliance of Web sites instead of states.
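A toy implementation of the "mirror as you link" idea described above, added here as an illustration (it is not Zittrain's code or any deployed system). It assumes pages are plain HTML strings, a fetcher callable returns a URL's body or raises, and the mirror is an in-memory dictionary; the recovery step also refuses to hand out a copy unless the asking page really linked to that URL, and unless the copy is reasonably fresh.

```python
"""Constructed 'mirror as you link' cache.  Every time a page is rendered, the
content of each outbound link is fetched and stored; a reader who later cannot
reach the link can ask the linking site for the mirrored copy."""
import re
import time
from typing import Callable, Dict, List, Optional, Tuple

HREF_RE = re.compile(r'href="(https?://[^"]+)"')


class LinkMirror:
    def __init__(self, fetch: Callable[[str], str], max_age: float = 86400.0):
        self._fetch = fetch          # assumed: returns body text or raises
        self._max_age = max_age      # seconds a mirrored copy stays usable
        # (linking page id, linked url) -> (fetched-at timestamp, body)
        self._cache: Dict[Tuple[str, str], Tuple[float, str]] = {}

    def render(self, page_id: str, html: str) -> List[str]:
        """Called whenever page_id is served; mirrors each link it contains.
        Returns the URLs that were successfully mirrored."""
        mirrored = []
        for url in HREF_RE.findall(html):
            try:
                body = self._fetch(url)
            except Exception:
                continue  # target unreachable now: keep any older copy as is
            self._cache[(page_id, url)] = (time.time(), body)
            mirrored.append(url)
        return mirrored

    def recover(self, page_id: str, url: str,
                now: Optional[float] = None) -> Optional[str]:
        """Reader says: 'I can't get that link you just directed me to.'
        Serve the copy only if page_id actually linked there and it is fresh,
        so the mirror cannot be used to pull arbitrary cached content."""
        entry = self._cache.get((page_id, url))
        if entry is None:
            return None
        fetched_at, body = entry
        now = time.time() if now is None else now
        if now - fetched_at > self._max_age:
            return None  # too stale to vouch for
        return body


def demo() -> dict:
    """Constructed scenario: one reachable site, one already down, then the
    reachable one goes offline and a reader asks the linking page for it."""
    fake_web = {"https://example.org/report": "<p>Report text</p>"}

    def fake_fetch(url: str) -> str:
        if url not in fake_web:
            raise ConnectionError(url)
        return fake_web[url]

    mirror = LinkMirror(fake_fetch)
    html = ('<a href="https://example.org/report">report</a> '
            '<a href="https://example.net/missing">gone</a>')
    mirrored = mirror.render("home", html)
    fake_web.clear()  # the report site is now unreachable
    return {
        "mirrored": mirrored,
        "recovered": mirror.recover("home", "https://example.org/report"),
        "never_linked": mirror.recover("home", "https://example.org/other"),
        "wrong_origin": mirror.recover("about", "https://example.org/report"),
        "stale": mirror.recover("home", "https://example.org/report",
                                now=time.time() + 90000),
    }
```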

A mutual aid framework could also make the Internet secure in other ways.  PCs can alert others not to run code that just sickened them, signaling health levels to others.  Internet providers could also develop technologies to validate their relationships to one another and ferret out misleading data, the way Wikipedia volunteers can quickly act to roll back thousands of acts of vandalism a day.

We rightly fear our networks and devices being attacked—but we should not let this fear cause us to destroy what makes the Internet special.  We have to become more involved and more subtle—and soon.

Monday, April 20, 2015

INTERNET - Ransomware

"The hack attack that takes your computer hostage till you pay" PBS NewsHour 4/18/2015
SUMMARY:  Ransomware, a type of software that computer hackers use to hold individuals' data hostage by blocking access to files unless they agree to pay a ransom, is on the rise.  And because anyone with an internet connection is vulnerable, the problem highlights a growing threat that consumers face on both their personal computers and mobile devices.

WILLIAM BRANGHAM (NewsHour):  Inna Simone is retired, a mother and grandmother from Russia who now lives outside of Boston.  Last November, her home computer started acting strangely.

INNA SIMONE:  My computer was working terribly.  It was not working, I mean, it was so slow.

WILLIAM BRANGHAM:  A few days later, while searching through her computer files, Inna saw dozens of these messages — they were all the same.   They read:  “Your files are encrypted.  To get the key to decrypt them, you have to pay $500 dollars.”  Her exact deadline — December 2nd at 12:48 pm – was just a few days away.

All her files were locked — tax returns, financial papers, letters — even the precious photos of her granddaughter Zoe.   Inna couldn’t open any of them.

INNA SIMONE:  It says, “If you won’t pay, within one week or whatever, your fine will double.  If you won’t pay by then, all your files will be deleted and you will lose them forever and never will get back."

Thursday, April 16, 2015

CYBERSECURITY - Big Business, No Incentive For Greater Security

"Data breaches may cost less than the security to prevent them" by Michael Kassner, TechRepublic 4/9/2015

Companies have little incentive to invest in cybersecurity, says Benjamin Dean.  The security expert says the reason why may be moral hazard.

When it comes to data breaches, 2014 was a banner year.  However, if Benjamin Dean, Fellow for Internet Governance and Cyber-security, School of International and Public Affairs at Columbia University, did his math right, 2015 will be more of the same.

In a March 2015 column on The Conversation, Dean provided a hard to disagree with defense of why things security-wise "ain't gonna change" soon.  "When we examine the evidence, though, the actual expenses from the recent breaches at Sony, Target and Home Depot amount to less than 1% of each company's annual revenues," wrote Dean.  "After reimbursement from insurance and minus tax deductions, the losses are even less."

Dean then administered the knockout punch:  "This indicates that the financial incentives for companies to invest in greater information security are low and suggests that government intervention might be needed."

The costs of the Target, Home Depot, and Sony data breaches

Target's data breach in late 2013 involving 40 million credit- and debit-card records, plus 70 million customer records (including addresses and phone numbers), came under Dean's microscope.  A Target financial statement revealed the data breach cost Target $252 million.  "When we subtract insurance reimbursement, the losses fall to $162 million," explained Dean.  "If we subtract tax deductions (yes, breach-related expenses are deductible), the net losses tally $105 million."

Dean pointed out that this sum equaled 0.1% of Target's 2014 sales.

Home Depot suffered a data breach in 2014 where attackers stole 56 million credit- and debit-card numbers plus 53 million email addresses.  According to Dean, after an insurance reimbursement of $15 million, the data breach cost Home Depot $28 million, or 0.01% of its sales in 2014.

Dean also looked at Sony's data breach that occurred near the end of 2014.  Sony at first suggested losses exceeded $100 million.  However, Dean found some equally-interesting numbers in Sony's third-quarter financial statement, "$15 million in 'investigation and remediation costs' and that it [Sony] doesn't expect to suffer any long-term consequences."

A senior general manager at Sony later said the figure would be closer to $35 million for the fiscal year ending March 31.  Dean offered some perspective about the losses:  "To give some scale to these losses, they represent from 0.9% to 2% of Sony's total projected sales for 2014 and a fraction of the initial estimates."

As to the question of Sony's reputation, Dean provided the following numbers on the movie "The Interview":

  • It cost $44 million to make the film; and
  • it has grossed $46.7 million in online sales and cinemas worldwide.

"If anything, the free publicity for a new movie on cable news, across social networks and daily newspapers, at Christmas to boot, represents a net financial benefit to Sony," mentioned Dean.  "There's no such thing as bad press, after all."

The moral hazard response

Dean then introduced a concept I had not heard of: moral hazard.  There are several versions of the definition, but this one from Wikipedia is relevant to this discussion:

"In economics, moral hazard occurs when one person takes more risks because someone else bears the burden of those risks."

Dean applied the concept of moral hazard to Target, Home Depot, and Sony.  "These companies are able to invest less in information security," said Dean in an email exchange with me.  "Because, in the event of a breach, other parties (banks, customers, etc) bear the lion's share of the costs of the breach."

In the case of Home Depot, Dean said credit- and debit-card providers plus Home Depot customers caught the brunt of the fallout.  "Credit unions claim to have spent $60 million in September 2014 alone replacing compromised cards," Dean added.  "Each customer whose card had to be replaced also incurred a cost in terms of inconvenience."

Dean then concluded it does not make economic sense for companies like Target, Home Depot, and Sony to invest heavily in information security, especially when insurance payments and tax deductions cut the financial outlay to where it is less than what it would cost to improve information security.

What is the answer?

Removing the moral hazard seems to be the logical answer.  But how would that come about -- government intervention?  "It's important to make sure the intervention doesn't make the problem of moral hazard worse," cautioned Dean.  "This is a huge problem because as we plough billions of dollars into intelligence agencies, supposedly to keep us all safe from 'cyber-attacks', it has the effect of further weakening the already low incentives for companies to invest in information security themselves."

"Unintended consequences of policies, even in instances where the case for government intervention is strong, can be worse than the consequences of doing nothing at all," further cautions Dean.  "I'm not saying that we do nothing at all -- just that we need verifiable and reliable data on which to begin making these complex policy decisions."