Monday, April 20, 2015

INTERNET - Ransomware

"The hack attack that takes your computer hostage till you pay" PBS NewsHour 4/18/2015

Excerpt

SUMMARY:  Ransomware, a type of software that computer hackers use to hold individuals' data hostage by blocking access to files unless they agree to pay a ransom, is on the rise.  And because anyone with an internet connection is vulnerable, the problem highlights a growing threat that consumers face on both their personal computers and mobile devices.

WILLIAM BRANGHAM (NewsHour):  Inna Simone is retired, a mother and grandmother from Russia who now lives outside of Boston.  Last November, her home computer started acting strangely.

INNA SIMONE:  My computer was working terribly.  It was not working, I mean, it was so slow.

WILLIAM BRANGHAM:  A few days later, while searching through her computer files, Inna saw dozens of these messages — they were all the same.   They read:  “Your files are encrypted.  To get the key to decrypt them, you have to pay $500 dollars.”  Her exact deadline — December 2nd at 12:48 pm – was just a few days away.

All her files were locked — tax returns, financial papers, letters — even the precious photos of her granddaughter Zoe.   Inna couldn’t open any of them.

INNA SIMONE:   It says, “If you won’t pay, within one week or whatever, your fine will double.  If you won’t pay by then, all your files will be deleted and you will lose them forever and never will get back."

Thursday, April 16, 2015

CYBERSECURITY - Big Business, No Incentive For Greater Security

"Data breaches may cost less than the security to prevent them" by Michael Kassner, TechRepublic 4/9/2015

Companies have little incentive to invest in cybersecurity, says Benjamin Dean.  The security expert says the reason why may be moral hazard.

When it comes to data breaches, 2014 was a banner year.  However, if Benjamin Dean, Fellow for Internet Governance and Cyber-security, School of International and Public Affairs at Columbia University, did his math right, 2015 will be more of the same.

In a March 2015 column on The Conversation, Dean provided a hard to disagree with defense of why things security-wise "ain't gonna change" soon.  "When we examine the evidence, though, the actual expenses from the recent breaches at Sony, Target and Home Depot amount to less than 1% of each company's annual revenues," wrote Dean.  "After reimbursement from insurance and minus tax deductions, the losses are even less."

Dean then administered the knockout punch:  "This indicates that the financial incentives for companies to invest in greater information security are low and suggests that government intervention might be needed."

The costs of the Target, Home Depot, and Sony data breaches

Target's data breach in late 2013 involving 40 million credit- and debit-card records, plus 70 million customer records (including addresses and phone numbers), came under Dean's microscope.  A Target financial statement revealed the data breach cost Target $252 million.  "When we subtract insurance reimbursement, the losses fall to $162 million," explained Dean.  "If we subtract tax deductions (yes, breach-related expenses are deductible), the net losses tally $105 million."

Dean pointed out that this sum equaled 0.1% of Target's 2014 sales.

Home Depot suffered a data breach in 2014 where attackers stole 56 million credit- and debit-card numbers plus 53 million email addresses.  According to Dean, after an insurance reimbursement of $15 million, the data breach cost Home Depot $28 million, or 0.01% of its sales in 2014.

Dean also looked at Sony's data breach that occurred near the end of 2014.  Sony at first suggested losses exceeded $100 million.  However, Dean found some equally-interesting numbers in Sony's third-quarter financial statement, "$15 million in 'investigation and remediation costs' and that it [Sony] doesn't expect to suffer any long-term consequences."

A senior general manager at Sony later said the figure would be closer to $35 million for the fiscal year ending March 31.  Dean offered some perspective about the losses:  "To give some scale to these losses, they represent from 0.9% to 2% of Sony's total projected sales for 2014 and a fraction of the initial estimates."

As to the question of Sony's reputation, Dean provided the following numbers on the movie "The Interview":

  • It cost $44 million to make the film; and
  • it has grossed $46.7 million in online sales and cinemas worldwide.

"If anything, the free publicity for a new movie on cable news, across social networks and daily newspapers, at Christmas to boot, represents a net financial benefit to Sony," mentioned Dean.  "There's no such thing as bad press, after all."

The moral hazard response

Dean then introduced a concept I had not heard of: moral hazard.  There are several versions of the definition, but this one from Wikipedia is relevant to this discussion:

"In economics, moral hazard occurs when one person takes more risks because someone else bears the burden of those risks."

Dean applied the concept of moral hazard to Target, Home Depot, and Sony.  "These companies are able to invest less in information security," said Dean in an email exchange with me.  "Because, in the event of a breach, other parties (banks, customers, etc) bear the lion's share of the costs of the breach."

In the case of Home Depot, Dean said credit- and debit-card providers plus Home Depot customers caught the brunt of the fallout.  "Credit unions claim to have spent $60 million in September 2014 alone replacing compromised cards," Dean added.  "Each customer whose card had to be replaced also incurred a cost in terms of inconvenience."

Dean then concluded it does not make economic sense for companies like Target, Home Depot, and Sony to invest heavily in information security, especially when insurance payments and tax deductions cut the financial outlay to where it is less than what it would cost to improve information security.

What is the answer?

Removing the moral hazard seems to be the logical answer.  But how would that come about -- government intervention?  "It's important to make sure the intervention doesn't make the problem of moral hazard worse," cautioned Dean.  "This is a huge problem because as we plough billions of dollars into intelligence agencies, supposedly to keep us all safe from 'cyber-attacks', it has the effect of further weakening the already low incentives for companies to invest in information security themselves."

"Unintended consequences of policies, even in instances where the case for government intervention is strong, can be worse than the consequences of doing nothing at all," further cautions Dean.  "I'm not saying that we do nothing at all -- just that we need verifiable and reliable data on which to begin making these complex policy decisions."

Monday, April 13, 2015

SOCIAL MEDIA - Book on the Privacy Issue

"How can we return privacy control to social media users?" PBS NewsHour 4/7/2015

Excerpt

SUMMARY:  What’s the cost of being constantly connected through social media?  A new book, “Terms of Service” examines the erosion of privacy in the digital era.  Author Jacob Silverman sits down with Jeffrey Brown to discuss what data is being tracked, stored and sold.

GWEN IFILL (NewsHour):  Now the latest addition to the NewsHour bookshelf, “Terms of Service.”  It’s a look at the erosion of privacy in the age of social media.

Jeffrey Brown recently talked to author Jacob Silverman at Busboys and Poets, a restaurant and bookstore chain in and around Washington.

JEFFREY BROWN (NewsHour):  Welcome to you.

JACOB SILVERMAN, Author, “Terms of Service”:  Thanks for having me.

JEFFREY BROWN:  The case you’re making — and it’s a strong case — we don’t know or we don’t seem to care enough about what we’re giving away in our digital lives.

JACOB SILVERMAN:  Right.

Well, the same systems that make it so easy to communicate with one another and live these lives where we’re essentially all public figures now also make it very easy to sort of spy on us, to collect personal information, whether you’re companies or governments or other bad actors.

And I think that a lot of people don’t really realize how much is being collected on each and every one of us, that there are big data brokers out there forming dossiers on hundreds of millions of people.

JEFFREY BROWN:  There’s been a lot of emphasis on government surveillance.   Here, you’re really pointing to what we perhaps don’t know as much about, corporate surveillance.

JACOB SILVERMAN:  Right.

Well, actually, corporations have really led the way turning the Internet into what is really a remarkable surveillance machine.  Ever since the introduction of the cookie about 15 years ago, we have sort of shifted paths to make the Internet all about monitoring what users do, so that we can direct ads toward them.

Monday, March 2, 2015

"Teaching computers how to play Atari better than humans" PBS NewsHour 2/25/2015

Excerpt

SUMMARY:  Tom Clarke of Independent Television News reports on how an artificial intelligence business owned by Google has created software that can teach itself to play classic Atari games better than a human.

GWEN IFILL (NewsHour):  Next, Playing video games might seem like child’s play.

But, as Tom Clarke of Independent Television News reports, it’s also at the frontier of artificial intelligence.

TOM CLARKE, Independent Television News:  It was the late 1970s, and for the first generation of video gamers, Atari was king.  By the standards of the day, the graphics were mind-blowing, the sound out of this world.

And the selection of games just went on and on and on.

Ah.

Compared to the video games of today, Atari looks pretty clunky, but the games are still quite difficult to play, especially if you haven’t picked one up for 30 years, like me.  But it’s that exact combination of simple graphics, but quite challenging game play, that has attracted the cutting edge of artificial intelligence researchers back to the 1970s.

This version of “Space Invaders” isn’t being played by a person, but a system of computer algorithms that is learning how to play it just by looking at the pixels on the screen.  It may not sound like it, but it’s something of a breakthrough, the work of one of the finest young minds in A.I. research, North Londoner Demis Hassabis.

SECURITY - Vulnerabilities 2014

COMMENT:  What is most important to security is which OS is the most targeted.  Microsoft is still the most popular and therefore the most targeted.

"Apple, Linux, not Windows, most vulnerable operating systems in 2014" by Ms. Smith, Network World 2/22/2015

OS X, iOS, and Linux were the top three most vulnerable operating systems in 2014, but Internet Explorer was the most vulnerable app.

A whopping average of 19 security vulnerabilities were reported every day in 2014.  The number of vulnerabilities discovered each year in operating systems, applications, and hardware has skyrocketed in a nasty trend, according to analysis by GFI Software.

Operating systems with most security vulnerabilities in 2014

The top spot for vulnerabilities in operating systems no longer goes to Microsoft Windows; in fact, Windows isn't even listed in the top three.  Instead, the most vulnerable OS was Apple Mac OS X, followed by Apple iOS and Linux kernel.  As you can see in the list below, Mac OS X had 147 vulnerabilities, with 64 being rated as high-severity bugs.  There were 127 in iOS, 32 of those rated as high.  Linux kernel had a rough year, with 119 security vulnerabilities and 24 being rated as high-severity.  The flip-side is that none of the security holes in Windows versions were rated as low severity.

"2014 was a tough year for Linux users from a security point of view, coupled with the fact that some of the most important security issues of the year were reported for applications that usually run on Linux systems," explained GFI Software manager Cristian Florian.  "Heartbleed, for example, is a critical security vulnerability detected in OpenSSL while Shellshock is a vulnerability that affects GNU Bash."

Most security vulnerabilities in apps during 2014

However, Microsoft can't crow too much about being "more secure," since Internet Explorer blew away the "competition" by having nearly twice as many security flaws as the second most vulnerable app, which was Google Chrome.  IE had 242 security flaws, with a whopping 220 of those being high-severity vulnerabilities.  Chrome had 124 total bugs with 86 of those rated as high.  With a 117 total, Firefox wasn't too far behind Chrome for security holes reported, but only 57 were high severity.

It's interesting to note that a separate report on security flaws by Secunia found that Google Chrome had the most vulnerabilities in January 2015; Chrome had 71, compared to the second place tie of 19 security glitches each in Oracle Java JRE and Oracle Java JDK.  Internet Explorer didn't even make the top 20 list for vulnerabilities discovered in the first month of this year.

Unsurprisingly, GFI said the worst offender in 2014 for having security flaws was third-party applications.  Apps made up a whopping 83% of reported bugs, followed by 13% in operating systems and then 4% in hardware.

Florian reported:

The applications listed here are pretty much the same as in 2013.  Not surprisingly at all, web browsers continue to have the most security vulnerabilities because they are a popular gateway to access a server and to spread malware on the clients.  Adobe free products and Java are the main challengers but web browsers have continuously topped the table for the last six years.  Mozilla Firefox had the most vulnerabilities reported in 2009 and 2012; Google Chrome in 2010 and 2011; Internet Explorer was at the top for the last two years.

Total security vulnerabilities reported in 2014

To review, last year an average of 19 new security vulnerabilities were reported every day to the National Vulnerability Database (NVD).

In total, there were 7,038 vulnerabilities in 2014.  That figure blows away the new flaws found in any other year.  For comparison, in 2013 there were 13 new security vulnerabilities per day for a total of 4,794; at that time, the number was the highest number of vulnerabilities in the last five years.

If you'd like to end with "good" news, then GFI found some in the fact that the percentage of vulnerabilities rated as "high severity" dropped to 24% in 2014.  Although that is lower than in 2013, there were still more total vulnerabilities discovered in 2014. Sixty-eight percent of vulnerabilities in 2014 were rated as "medium" for severity, with only 8% rated as "low."
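The GFI figures above are league tables built from NVD records: each CVE carries a CVSS base score (which NVD buckets into low/medium/high) and a list of CPE names saying which products it affects, and the per-OS, per-app and app/OS/hardware splits are just counts over those two fields.  The example below is added here and is not code from the Network World article or from GFI; it reproduces that tally on a handful of constructed records (the EX-2014-xxxx IDs are not real CVEs and the scores are made up) to show two things the headline numbers hide: a CVE that names several products is counted once per product, and Heartbleed-style bugs in OpenSSL or Bash count as application flaws, not as Linux kernel flaws, however many Linux boxes they run on.

```javascript
// Per-product vulnerability league table built from NVD-style CVE records.
// Added example, not code from the Network World/GFI article. The records are
// constructed: the IDs are not real CVEs and the scores are illustrative.

// NVD's severity buckets for CVSS v2 base scores, the scale in use in 2014.
function severity(baseScore) {
  if (baseScore >= 7.0) return 'high';
  if (baseScore >= 4.0) return 'medium';
  return 'low';
}

// part ('a' application, 'o' operating system, 'h' hardware), vendor and
// product from a CPE 2.3 name. A plain split is enough for the fields used here.
function parseCpe(cpe) {
  const f = cpe.split(':');
  if (f.length < 5 || f[0] !== 'cpe' || f[1] !== '2.3') {
    throw new Error('not a CPE 2.3 name: ' + cpe);
  }
  return { part: f[2], vendor: f[3], product: f[4] };
}

// Constructed records in the shape of trimmed NVD feed entries.
const SAMPLE_CVES = [
  { id: 'EX-2014-0001', score: 9.3, cpes: ['cpe:2.3:a:microsoft:internet_explorer:11:*:*:*:*:*:*:*'] },
  { id: 'EX-2014-0002', score: 7.5, cpes: ['cpe:2.3:o:apple:mac_os_x:10.9:*:*:*:*:*:*:*',
                                            'cpe:2.3:o:apple:iphone_os:7.1:*:*:*:*:*:*:*'] },
  { id: 'EX-2014-0003', score: 5.0, cpes: ['cpe:2.3:o:linux:linux_kernel:3.14:*:*:*:*:*:*:*'] },
  { id: 'EX-2014-0004', score: 5.0, cpes: ['cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*'] },
  { id: 'EX-2014-0005', score: 10.0, cpes: ['cpe:2.3:a:gnu:bash:4.3:*:*:*:*:*:*:*'] },
  { id: 'EX-2014-0006', score: 2.1, cpes: ['cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*'] },
  { id: 'EX-2014-0007', score: 6.8, cpes: ['cpe:2.3:a:google:chrome:37.0:*:*:*:*:*:*:*'] },
  { id: 'EX-2014-0008', score: 4.3, cpes: ['cpe:2.3:h:examplecorp:router_x1:1.0:*:*:*:*:*:*:*'] },
  { id: 'EX-2014-0009', score: 7.2, cpes: ['cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*'] },
  { id: 'EX-2014-0010', score: 3.5, cpes: ['cpe:2.3:a:microsoft:internet_explorer:11:*:*:*:*:*:*:*'] },
  { id: 'EX-2014-0011', score: 4.0, cpes: ['cpe:2.3:o:apple:mac_os_x:10.10:*:*:*:*:*:*:*'] },
];

function emptyRow() { return { total: 0, high: 0, medium: 0, low: 0 }; }

// 'vendor/product' -> counts. A CVE listing several products is counted once
// per product, so per-product totals can add up to more than the CVE count.
function tallyProducts(records) {
  const table = new Map();
  for (const rec of records) {
    const sev = severity(rec.score);
    const seen = new Set();
    for (const cpe of rec.cpes) {
      const { vendor, product } = parseCpe(cpe);
      const key = vendor + '/' + product;
      if (seen.has(key)) continue;
      seen.add(key);
      if (!table.has(key)) table.set(key, emptyRow());
      const row = table.get(key);
      row.total += 1;
      row[sev] += 1;
    }
  }
  return table;
}

// Top products by total, then by high-severity count; optionally one CPE part.
function rankProducts(records, part = null, top = 3) {
  const partOf = new Map();
  for (const rec of records) {
    for (const cpe of rec.cpes) {
      const c = parseCpe(cpe);
      partOf.set(c.vendor + '/' + c.product, c.part);
    }
  }
  return [...tallyProducts(records)]
    .filter(([key]) => part === null || partOf.get(key) === part)
    .sort((a, b) => b[1].total - a[1].total || b[1].high - a[1].high || a[0].localeCompare(b[0]))
    .slice(0, top);
}

// CVEs per CPE part; a CVE touching both an app and an OS counts in both.
function countByPart(records) {
  const counts = { a: 0, o: 0, h: 0 };
  for (const rec of records) {
    for (const p of new Set(rec.cpes.map((c) => parseCpe(c).part))) counts[p] += 1;
  }
  return counts;
}

function severityMix(records) {
  const mix = { high: 0, medium: 0, low: 0 };
  for (const rec of records) mix[severity(rec.score)] += 1;
  return mix;
}

function perDay(records, days = 365) { return records.length / days; }

// Stand-alone run: the same tables the article reports, on the sample data.
console.log('OS:', rankProducts(SAMPLE_CVES, 'o'));
console.log('Apps:', rankProducts(SAMPLE_CVES, 'a'));
console.log('By part:', countByPart(SAMPLE_CVES), 'severity:', severityMix(SAMPLE_CVES),
            'per day:', perDay(SAMPLE_CVES).toFixed(3));
```

On the sample data the OS table comes out Mac OS X, iOS, Linux kernel, with Windows 7 off the podium, for exactly the reason the article's numbers do: the OpenSSL and Bash entries never touch the kernel's CPE.  Before reading anything into a cross-vendor comparison, check how each vendor files its CPEs (one "windows_7" entry per service pack, or one per release) and whether a CVE with ten CPEs is being counted ten times.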

Wednesday, February 25, 2015

INTERNET - My Latest Speed Test

Here's my latest Speed Test on my Win7 Pro super-rig using AT&T U-verse broadband.

Here are the DU Meter results while viewing this post and some YouTube videos.

INTERNET - Net Neutrality Rules Update

THE PEOPLE ARE WINNING!  To understand, see short video at bottom.

"F.C.C. Net Neutrality Rules Clear Hurdle as Republicans Concede to Obama" by JONATHAN WEISMAN, New York Times 2/24/2015

Excerpt

Senior Republicans conceded on Tuesday that the grueling fight with President Obama over the regulation of Internet service appears over, with the president and an army of Internet activists victorious.

The Federal Communications Commission is expected on Thursday to approve regulating Internet service like a public utility, prohibiting companies from paying for faster lanes on the Internet.  While the two Democratic commissioners are negotiating over technical details, they are widely expected to side with the Democratic chairman, Tom Wheeler, against the two Republican commissioners.

And Republicans on Capitol Hill, who once criticized the plan as “Obamacare for the Internet,” now say they are unlikely to pass a legislative response that would undo perhaps the biggest policy shift since the Internet became a reality.

“We’re not going to get a signed bill that doesn’t have Democrats’ support,” said Senator John Thune, Republican of South Dakota and chairman of the Senate Commerce Committee.  “This is an issue that needs to have bipartisan support.”

The new F.C.C. rules are still likely to be tied up in a protracted court fight with the cable companies and Internet service providers that oppose it, and they could be overturned in the future by a Republican-leaning commission.  But for now, Congress’s hands appear to be tied.

The F.C.C. plan would let the agency regulate Internet access as if it is a public good.  It would follow the concept known as net neutrality or an open Internet, banning so-called paid prioritization — or fast lanes — for willing Internet content providers.

In addition, it would ban the intentional slowing of the Internet for companies that refuse to pay broadband providers.   The plan would also give the F.C.C. the power to step in if unforeseen impediments are thrown up by the handful of giant companies that run many of the country’s broadband and wireless networks.

Republicans hoped to pre-empt the F.C.C. vote with legislation, but Senate Democrats insisted on waiting until after Thursday’s F.C.C. vote before even beginning to talk about legislation for an open Internet.  Even Mr. Thune, the architect of draft legislation to override the F.C.C., said Democrats had stalled what momentum he could muster.

And an avalanche of support for Mr. Wheeler’s plan — driven by Internet companies as varied as Netflix, Twitter, Mozilla and Etsy — has swamped Washington.

“We’ve been outspent, outlobbied.  We were going up against the second-biggest corporate lobby in D.C., and it looks like we’ve won,” said Dave Steer, director of advocacy for the Mozilla Foundation, the nonprofit technology foundation that runs Firefox, a popular Web browser, referring to the cable companies.  “A year ago today, we did not think we would be in this spot.”

The net neutrality movement pitted new media against old and may well have revolutionized notions of corporate social responsibility and activism.  Top-down decisions by executives investing in or divesting themselves of resources, paying lobbyists and buying advertisements were upended by the mobilization of Internet customers and users.

“We don’t have an army of lobbyists to deploy.  We don’t have financial resources to throw around,” said Liba Rubenstein, director of social impact and public policy at the social media company Tumblr, which is owned by Yahoo, the large Internet company, but operated independently on the issue.  “What we do have is access to an incredibly engaged, incredibly passionate user base, and we can give folks the tools to respond.”

Internet service providers say heavy-handed regulation of the Internet will diminish their profitability and crush investment to expand and speed up Internet access.  It could even open the web to taxation to pay for new regulators.

Brian Dietz, a spokesman for the National Cable & Telecommunications Association, said the pro-net-neutrality advocates turned a complex and technical debate over how best to keep the Internet operating most efficiently into a matter of religion.  The forces for stronger regulation, he said, became viewed as for the Internet.  Those opposed to the regulation were viewed as against the Internet.

The Internet companies, he said, sometimes mislead their customers, and in some cases, are misled on the intricacies of the policy.

“Many of the things they have said just belie reality and common sense,” he said.

In April, a dozen New York-based Internet companies gathered at Tumblr’s headquarters in the Flatiron district to hear dire warnings that broadband providers were about to obtain the right to charge for the fastest speeds on the web.

The implication:  If they did not pony up, they would be stuck in the slow lane.

What followed was the longest, most sustained campaign of Internet activism in history.  A swarm of small players, like Tumblr, Etsy, BoingBoing and Reddit, overwhelmed the giants of the broadband world, Comcast, Verizon Communications and Time Warner Cable.  Two of the biggest players on the Internet, Amazon and Google, largely stayed in the background, while smaller participants — some household names like Twitter and Netflix, others far more obscure, like Chess.com and Urban Dictionary — mobilized a grass-roots crusade.

“Our community is the source of our power,” said Althea Erickson, director of public policy at Etsy, an online craft market, where users embroidered pillows and engraved spoons promoting net neutrality.

Monday, January 12, 2015

EMAIL CLIENT - Pegasus on Windows 7

Well, I finally found an eMail Client that works with Windows 7 64bit AND does everything I wanted.

Pegasus Mail

It has all the options that I had with Agent on my Windows XP system.  Agent failed to work on my Windows 7 64bit due to a MAPI problem.

Here's my Pegasus window:

It has a nice, though hard to use, filtering system.  And setup was very good but not intuitive.

The options are extensive, but again something seems missing, like:
  • Notification Options, like turning off delete confirmations
  • Setting compose-email editor options, like setting default font and size
So far, I like it very much.

Monday, December 29, 2014

WINDOWS 7 - Classic Shell

Just found something that is outstanding for my Windows 7 Pro 64bit rig.

Classic Shell for Windows 7 & 8

Here are screenshots of just two examples:

This shows the style I'm using for the [Start] menu.

This is the file Explorer classic style.

There are more styles for other Windows UIs.

Why do I like this utility?  See my [Start] menu:

Monday, November 24, 2014

CYBER ATTACKS - Outdated Internet Browsers

"Your outdated Internet browser is a gateway for cyber attacks" PBS NewsHour 11/18/2014

Excerpt

JUDY WOODRUFF (NewsHour):  Major U.S. government agencies have been the target of cyber-attacks of late.  The State Department is the latest.  During the past week, officials had to temporarily shut down an unclassified e-mail system after a suspected hacking.  In recent months, the White House, the Postal Service and the National Weather Service all have been targeted.

Meanwhile, as the holiday season approaches, retailers and the business world are on the lookout for breaches.

A new book breaks down the pervasiveness of what’s happening.

Jeffrey Brown has our conversation.

JEFFREY BROWN (NewsHour):  Hardly a week goes by anymore without a report of some major cyber-breach, whether it’s targeting retailers, the government, or any and all of us.  The attacks are generated in a new netherworld of crime, some of it individualized, even chaotic, other parts of it extremely well-organized.

Writer and journalist Brian Krebs has uncovered some major breaches, including the one on Target that compromised the credit card data of tens of millions of people.  He writes about all of this on his blog Krebs on Security and now in his new book, “Spam Nation.”

And welcome to you.

BRIAN KREBS, Author, “Spam Nation”:  Thank you.

JEFFREY BROWN:  You are peering into a world of cyber-crime that few of us ever see.  What does it look like?

BRIAN KREBS:  It’s a pretty dark place.

JEFFREY BROWN:  It is?

BRIAN KREBS:  Yes, absolutely.

But it’s not as dark as you might imagine.  If you’re somebody who doesn’t know their way around, there are plenty of people willing to show you the way.  They might take a cut of the action to help you do that, but it’s not as dark…

Wednesday, November 5, 2014

SOFTWARE - Hardware Monitor on My Windows 7 64bit Rig

Quite a while back I posted an article about CPUID's Hardware Monitor (aka HWMonitor).

Well, above is what it is showing for my custom built Windows 7 64bit 'Super Rig.'

I was surprised by the display of my UPS (Uninterruptible Power Supply) info.

This was not displayed on my dead-and-buried WinXP rig.  Maybe it's because on my new rig the UPS is connected via USB.

Note that HWMonitor comes in a free non-Pro version.  HWMonitor Pro ($) allows you to create graphs.

Wednesday, October 15, 2014

WINDOWS - WinXP vs Win7

As I said in my previous post, I was forced to go to Windows 7.

I have found that Microdunce has 'broken' features in Win7:

[Send to]:  This is the first broken feature I ran into.  In WinXP you can put any shortcut in your [SendTo] folder and it will work when using the Context Menu [Send to] option.  NOT in Win7, you cannot use normal shortcuts in your [SendTo] folder.

POINTERS:  In WinXP you can set custom pointers sourced from anywhere, any CUR file.  In Win7 ALL pointers must be in C:\Windows\Cursors.  This means you have to copy cursors/pointers from your other sources to that folder for any Pointer Customization to hold on next boot; ALSO you should save the DEFAULT cursor theme.

SOUNDS:  In Win7 there is no "Start Windows" sound listed.  "Exit Windows" is listed.  Luckily I found a utility to change the "Start Windows" sound.  Now tell me, what is the logic of NOT having "Start Windows" listed?

I consider features 'broken' if any change makes it HARDER to use Windows.

I will add more 'broken features' here as I find them.

Saturday, September 13, 2014

HARDWARE - My New Super-PC (updated)

Well.... after 20+ years my old WinXP desktop PC died, gave up the ghost.

So I got new custom built PC, went BIG.

  • Windows 7 Pro  64bit
  • CPU:  Intel Core i5-4690 @ 3.50GHz (aka Quad Core)
  • Memory:  8gb
  • Hard Drive:  4 Terabytes, Hybrid (Solid State + SATA)
  • Video Card:  GeForce GTX 770 CUDA Core, 2k memory

What does the hybrid drive do?  Think of the SSD as a super-cache.  The drive copies the most used programs to the SSD, which is actually memory, and works much faster.

NOTE:  The original build was with Windows 7 Home Professional.  I used Windows Anytime Update to change to Windows 7 Pro.  The update was flawless and took under 15min.

AND..... I upgraded to broadband network (AT&T U-verse, really had no choice, they're dumping DSL).  Speed test below.

via Speed Test NET

Wednesday, August 27, 2014

SECURITY - NSA's Secret 'Google'

"The Surveillance Engine:  How the NSA Built Its Own Secret Google" by Ryan Gallagher, The Intercept 8/25/2014

Excerpt

The National Security Agency is secretly providing data to nearly two dozen U.S. government agencies with a “Google-like” search engine built to share more than 850 billion records about phone calls, emails, cellphone locations, and internet chats, according to classified documents obtained by The Intercept.

The documents provide the first definitive evidence that the NSA has for years made massive amounts of surveillance data directly accessible to domestic law enforcement agencies.  Planning documents for ICREACH, as the search engine is called, cite the Federal Bureau of Investigation and the Drug Enforcement Administration as key participants.

ICREACH contains information on the private communications of foreigners and, it appears, millions of records on American citizens who have not been accused of any wrongdoing.  Details about its existence are contained in the archive of materials provided to The Intercept by NSA whistleblower Edward Snowden.

Earlier revelations sourced to the Snowden documents have exposed a multitude of NSA programs for collecting large volumes of communications.  The NSA has acknowledged that it shares some of its collected data with domestic agencies like the FBI, but details about the method and scope of its sharing have remained shrouded in secrecy.

ICREACH has been accessible to more than 1,000 analysts at 23 U.S. government agencies that perform intelligence work, according to a 2010 memo.  A planning document from 2007 lists the DEA, FBI, Central Intelligence Agency, and the Defense Intelligence Agency as core members.  Information shared through ICREACH can be used to track people’s movements, map out their networks of associates, help predict future actions, and potentially reveal religious affiliations or political beliefs.

The creation of ICREACH represented a landmark moment in the history of classified U.S. government surveillance, according to the NSA documents.

“The ICREACH team delivered the first-ever wholesale sharing of communications metadata within the U.S. Intelligence Community,” noted a top-secret memo dated December 2007.  “This team began over two years ago with a basic concept compelled by the IC’s increasing need for communications metadata and NSA’s ability to collect, process and store vast amounts of communications metadata related to worldwide intelligence targets.”

The search tool was designed to be the largest system for internally sharing secret surveillance records in the United States, capable of handling two to five billion new records every day, including more than 30 different kinds of metadata on emails, phone calls, faxes, internet chats, and text messages, as well as location information collected from cellphones.  Metadata reveals information about a communication — such as the “to” and “from” parts of an email, and the time and date it was sent, or the phone numbers someone called and when they called — but not the content of the message or audio of the call.

Monday, August 11, 2014

INTERNET - Criminals Steal 1.2 Billion Web Credentials

"After criminals steal 1.2 billion web credentials, how to protect personal info from data breaches" PBS NewsHour 8/6/2014

Excerpt

GWEN IFILL (NewsHour):  Computer hacking and the breaches of privacy that come with them are becoming a regular and unwelcome feature of our wired world.

Now The New York Times and a security firm based in the Midwest are reporting a massive one that includes the collection of more than a billion username and password combinations and more than 500 million e-mail addresses.  What’s more, the perpetrators appear to be a shadowy Russian crime ring.

Details, including the names of the victims, are hard to come by.  But the news has raised eyebrows around the world.  So, how serious is it?

For that, we turn to Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike, a Web security firm.

Mr. Alperovitch, tell us just in context of all these other breaches we have had in the past year, say, how — relative to those, how big is this?

DMITRI ALPEROVITCH, CrowdStrike:  Well, the number is certainly striking; 1.2 billion credentials is a lot.  In the past, we have seen some big breaches that numbered in the hundreds of millions.

But this is certainly the biggest one that I — that I can remember.

LINUX - More Cities and Nations Ditch Microsoft

"Turin to Be First Italian City to Adopt Ubuntu, Unshackle from the 'Tyranny of Proprietary Software'" by Silviu Stahie, SoftPedia 8/8/2014

Turin wants to be the first city in Italy to switch completely to open source and Ubuntu and entirely ditch all the Microsoft products.

The number of local authorities that decide to switch to open source to match the IT needs of a city is slowly increasing and now it looks like the city of Turin in Italy is also doing the same thing.

One of the main tools that are available for the local governments to decrease the public spending is to make some changes when it comes to upgrading the proprietary software.  Usually, this procedure costs a lot of money and the only way that you can save funds is to adopt open source solutions.

In the case of Turin, that can be done by adopting Ubuntu, which is a Linux distribution developed by Canonical and which has complete support for the Italian language.  Ubuntu is a free operating system and it's supported for a period of five years.  Even when the support ends, the IT department only has to upgrade to the next release.

According to a report on repubblica.it, Turin wants to become the first city in Italy to move completely to open source for its 8,300 PCs used by the local authorities.

“The transition will begin this fall and it will take a year and a half to complete.  It will become the first Italian open source city and we'll get a saving on expenses for the computers that will go 20-40 percent compared to today,” says one of the managers of the project, Gianmarco Montanari.

“If we abandon proprietary software we will save €6 million ($8 million) in five years.  The initial investment is low but, once the programs are installed and employees have been taught how to use them, the system will go ahead on its own feet, allowing the city to lower the cost even more,” notes the director of Information Systems, Sandro Golzio.

Migrating the PCs from one version of Windows to another, together with the Office suite, would cost the city €22 million ($29.5 million) over a five-year span, but with the adoption of Ubuntu that price will go down to €16 million ($21.4 million).

A flurry of cities in Europe are doing similar things.  In Germany, the city of Munich has already finished the transition to their own Linux distribution, and in Toulouse, France, the process is ongoing and it will be over in a couple of years.

Tuesday, July 22, 2014

INTERNET - The Impossible to Block Tracking Device

"Meet the Online Tracking Device That is Virtually Impossible to Block" by Julia Angwin, ProPublica 7/21/2014

Update: A YouPorn.com spokesperson said that the website was "completely unaware that AddThis contained a tracking software that had the potential to jeopardize the privacy of our users." After this article was published, YouPorn removed AddThis technology from its website.

A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.

First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image.  Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.

Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit — profiles that shape which ads, news articles, or other types of content are displayed to them.

But fingerprints are unusually hard to block.  They can’t be prevented by using standard Web browser privacy settings or using anti-tracking tools such as AdBlock Plus.

The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5 percent of the top 100,000 websites.  Most of the code was on websites that use AddThis’ social media sharing tools.  Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish. (A list of all the websites on which researchers found the code is here).

Rich Harris, chief executive of AddThis, said that the company began testing canvas fingerprinting earlier this year as a possible way to replace “cookies,” the traditional way that users are tracked, via text files installed on their computers.

“We’re looking for a cookie alternative,” Harris said in an interview.

Harris said the company considered the privacy implications of canvas fingerprinting before launching the test, but decided “this is well within the rules and regulations and laws and policies that we have.”

He added that the company has only used the data collected from canvas fingerprints for internal research and development.  The company won’t use the data for ad targeting or personalization if users install the AddThis opt-out cookie on their computers, he said.

Arvind Narayanan, the computer science professor who led the Princeton research team, countered that forcing users to take AddThis at its word about how their data will be used, is “not the best privacy assurance.”

Device fingerprints rely on the fact that every computer is slightly different: Each contains different fonts, different software, different clock settings and other distinctive features. Computers automatically broadcast some of their attributes when they connect to another computer over the Internet.

Tracking companies have long sought to use those differences to uniquely identify devices for online advertising purposes, particularly as Web users are increasingly using ad-blocking software and deleting cookies.

In May 2012, researchers at the University of California, San Diego, noticed that a Web programming feature called “canvas” could allow for a new type of fingerprint — by pulling in different attributes than a typical device fingerprint.

In June, the Tor Project added a feature to its privacy-protecting Web browser to notify users when a website attempts to use the canvas feature and sends a blank canvas image.  But other Web browsers did not add notifications for canvas fingerprinting.

A year later, Russian programmer Valentin Vasilyev noticed the study and added a canvas feature to freely available fingerprint code that he had posted on the Internet.  The code was immediately popular.

But Vasilyev said that the company he was working for at the time decided against using the fingerprint technology.  “We collected several million fingerprints but we decided against using them because accuracy was 90 percent,” he said, “and many of our customers were on mobile and the fingerprinting doesn’t work well on mobile.”

Vasilyev added that he wasn’t worried about the privacy concerns of fingerprinting.  “The fingerprint itself is a number which in no way is related to a personality,” he said.

AddThis improved upon Vasilyev’s code by adding new tests and using the canvas to draw a pangram “Cwm fjordbank glyphs vext quiz” — a sentence that uses every letter of the alphabet at least once.  This allows the company to capture slight variations in how each letter is displayed.
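A defender-side illustration of the two passages above (the Tor Browser behaviour of noticing canvas use and handing back a blank image, and the draw-the-pangram-then-read-pixels pattern), added here and not code from the article, AddThis or the Tor Project: a guard that wraps the two canvas read-back methods, logs every attempt and returns blank data. The `FakeCanvas`/`FakeContext` classes are constructed stand-ins for the browser's prototypes so the script runs outside a browser; in a real page they would be `HTMLCanvasElement.prototype` and `CanvasRenderingContext2D.prototype`.

```javascript
// 1x1 transparent PNG returned as the "blank canvas image" for blocked toDataURL calls.
const BLANK_PNG = 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ' +
  'AAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';
// Wraps the two pixel read-back methods (in a browser: HTMLCanvasElement.prototype and
// CanvasRenderingContext2D.prototype). policy(attempt) returning true allows the real pixels.
function installCanvasReadGuard(canvasProto, contextProto, policy) {
  const attempts = [];                          // log of every read-back attempt
  const origToDataURL = canvasProto.toDataURL;
  const origGetImageData = contextProto.getImageData;
  function record(method, canvas) {
    const attempt = { method, width: canvas.width, height: canvas.height };
    attempt.allowed = policy(attempt) === true;
    attempts.push(attempt);
    return attempt.allowed;
  }
  canvasProto.toDataURL = function (...args) {
    return record('toDataURL', this) ? origToDataURL.apply(this, args) : BLANK_PNG;
  };
  contextProto.getImageData = function (...args) {
    const img = origGetImageData.apply(this, args);
    if (!record('getImageData', this.canvas)) img.data.fill(0);   // zero every pixel
    return img;
  };
  return attempts;
}

// Constructed stand-ins for the browser objects so the script runs under Node.
class FakeContext {
  constructor(canvas) { this.canvas = canvas; }
  fillText() {}                 // drawing is left alone; only the read-back is guarded
  getImageData(x, y, w, h) {
    return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4).fill(200) };
  }
}
class FakeCanvas {
  constructor() { this.width = 220; this.height = 30; }
  getContext() { return new FakeContext(this); }
  toDataURL() { return 'data:image/png;base64,REAL-PIXELS'; }
}
// Replays the draw-then-read pattern the article describes against the guard.
function demo() {
  const attempts = installCanvasReadGuard(FakeCanvas.prototype, FakeContext.prototype,
    () => false);                               // policy: block every read-back
  const canvas = new FakeCanvas();
  const ctx = canvas.getContext('2d');
  ctx.fillText('Cwm fjordbank glyphs vext quiz', 2, 20);   // the AddThis pangram
  const dataUrl = canvas.toDataURL();
  const pixels = ctx.getImageData(0, 0, canvas.width, canvas.height);
  return { attempts, dataUrl, allZero: pixels.data.every((v) => v === 0) };
}
```

A real policy would prompt the user the way Tor Browser does, or allow read-backs only for canvases the page itself created for visible content; the guard records size and method so either decision has something to go on.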

AddThis said it rolled out the feature to a small portion of the 13 million websites on which its technology appears, but is considering ending its test soon.  “It’s not uniquely identifying enough,” Harris said.

AddThis did not notify the websites on which the code was placed because “we conduct R&D projects in live environments to get the best results from testing,” according to a spokeswoman.

She added that the company does not use any of the data it collects — whether from canvas fingerprints or traditional cookie-based tracking — from government websites including WhiteHouse.gov for ad targeting or personalization.

The company offered no such assurances about data it routinely collects from visitors to other sites, such as YouPorn.com.  YouPorn.com did not respond to inquiries from ProPublica about whether it was aware of AddThis’ test of canvas fingerprinting on its website.