Wednesday, June 24, 2015

SECURITY - Software Code Cribbing

"Programmers are copying security flaws into your software, researchers warn" by Laura Hautala, CNet 6/23/2015

Many software developers are cribbing code, and its flaws, that someone else created. And the problem is only getting harder to keep up with.

It's easy to assume that hackers work way above our pay grade.  Electronic intruders must be able to exploit vulnerabilities in the software we use because they're evil geniuses, right?

That may be the case in some very sophisticated attacks, experts say, but in others, not so much.  Programmers -- the people who create the software -- don't write all their code from scratch, instead borrowing freely from others' work.  The problem: they're not vetting the code for security problems.

Working more as code assemblers than as writers, programmers are sourcing about 80 percent to 90 percent of the code in any given software application from third parties, many experts estimate.  Sometimes programmers buy code from other companies, and sometimes they use open-source code that's free for anyone to use.

The problem affects all software, which means everything from the mobile apps on your smartphone to your favorite website to the programs you run on your computer.  Everything except for the operating system on a device or computer is likely composed of building blocks of code rather than created wholly new, said Chris Wysopal, co-founder and executive at software security company Veracode.

The priority for all those highly paid programmers is speed, not security, Wysopal said.  His company, which assesses software for businesses, released a report Tuesday analyzing its own clients' habits when it comes to software use.

Veracode found 6.9 million flaws in more than 200,000 inspections of code used by its clients over the last year.  Those clients fixed 4.7 million of the flaws.  While in-house programmers likely wrote some of that code, industry numbers suggest the vast majority of it came from elsewhere.

"That's the trend -- to reuse as much code as possible," Wysopal said.  It speeds up production time and lets software programmers work on solving new problems instead of reinventing the wheel.

"Everything is good about that except for the inheriting-vulnerabilities part," Wysopal said.

Feds and flaws

Lowest ranking among the industries Veracode checked for security flaws was the federal government.  "Part of the reason for this is that the government still uses older programming languages," Veracode researchers wrote in the report.

That might not come as a surprise to those following news of multiple breaches of federal government workers' personal records, which compromised the Social Security numbers of millions of current and former federal workers and revealed sensitive personal information on everyone who has applied for a security clearance.

The problem of flawed source code is bad enough that Veracode has made a business out of checking software components for problems, and other companies are similarly offering to vet software components for those speed-hungry programmers.

One of those companies is Sonatype, and its chief technology officer Joshua Corman says he's on the side of the programmers hitting Ctrl-V, the keyboard shortcut for "paste."

Are programmers lazy?  No, Corman says, just efficient.

"The best way to put this is the time value of money," he said.  "You want to spend your unique talent pool on different problems."

Some companies are using services like Sonatype and Veracode, and some are hiring security "fellows" whose paychecks are dependent on finding security flaws in code.

Corman's company provides a repository of open-source code, but it also focuses on finding and eliminating problems in the code.  In fact, Corman went so far as to check out a major government project for flaws to see if it was vulnerable to hackers.

That project was Healthcare.gov, the website rolled out by the Obama administration to get people signed up for the health insurance mandated by the Affordable Care Act.

The website was notoriously buggy when it first went live, and Corman decided to look at the building blocks used by the government contractors who built it to see if hackers might have an avenue into it.

He looked at the third-party code accessed by the developers and concluded it contained some vulnerabilities.  But he wasn't sure if those flaws made it into the website's final code.  Nonetheless, this news alarmed lawmakers, Corman said.

Eventually, those lawmakers learned that federal law doesn't explicitly require software programmers contracted by the government to vet code they didn't write themselves.  A proposed fix to the problem -- a bill called H.R. 5793 -- would have required software developers to give the government a list of third-party code, assurance that all the code was free of known flaws, and a guarantee to fix any vulnerabilities that come up later.

Rep. Edward Royce (R-Calif.) introduced the bill in December at the end of the congressional session.  The bill never made it to a vote, and Corman said he thinks it might be better suited for an executive order.

Other industries have problems with faulty source code, too, according to Veracode's research.  Retail and hospitality companies that use Veracode to vet their software had a poor track record with their efforts to encrypt data, for example.  Again, this isn't surprising news given the breaches of customer information revealed by major retailers like Target and the Home Depot over the past year.

The pace of software development is only speeding up, meaning the problem is harder to keep up with, Wysopal said.

"New languages and new environments to write code in are continuously being invented, and companies want to push software out the door as quickly as possible," he said.  But speed doesn't have to sacrifice security, he argued.

"They don't need to be mutually exclusive.  If you build security processes in or if you require vendors to build it in, you can still go fast," Wysopal said.  But, he noted, "It can't be an afterthought."

Monday, June 8, 2015

CYBER WARS - China vs U.S.

"With a series of major hacks, China builds a database on Americans" by Ellen Nakashima, Washington Post 6/5/2015

China is building massive databases of Americans’ personal information by hacking government agencies and U.S. health-care companies, using a high-tech tactic to achieve an age-old goal of espionage:  recruiting spies or gaining more information on an adversary, U.S. officials and analysts say.

Groups of hackers working for the Chinese government have compromised the networks of the Office of Personnel Management, which holds data on millions of current and former federal employees, as well as the health insurance giant Anthem, among other targets, the officials and researchers said.

“They’re definitely going after quite a bit of personnel information,” said Rich Barger, chief intelligence officer of ThreatConnect, a Northern Virginia cybersecurity firm.  “We suspect they’re using it to understand more about who to target [for espionage], whether electronically or via human ­recruitment.”

The targeting of large-scale data­bases is a relatively new tactic and is used by the Chinese government to further its ­intelligence-gathering, the officials and analysts say.  It is government espionage, not commercial espionage, they say.

“This is part of their strategic goal — to increase their intelligence collection via big-data theft and big-data aggregation,” said a U.S. government official who, like others, spoke on the condition of anonymity to discuss a sensitive topic.  “It’s part of a strategic plan.”

One hack of OPM, which was disclosed by the government Thursday, dates at least to December, officials said.  Earlier last year, OPM discovered a separate intrusion into a highly sensitive database that contains information on employees seeking or renewing security clearances and on their background investigations.

Once harvested, the data can be used to glean details about key government personnel and potential spy recruits, or to gain information useful for counter­intelligence.  Records in OPM’s database of background investigations, for instance, could contain a complete history of where an individual has lived and all of his or her foreign contacts in, say, China.  “So now the Chinese counterintelligence authorities know which American officials are meeting with which Chinese,” a China cyber and intelligence expert said.

The data could help Chinese analysts do more effective targeting of individuals, said a former National Security Agency official.  “They can find specific individuals they want to go after, family members,” he said.

The trend has emerged and accelerated over the past 12 to 18 months, the official said.  An increase in Chinese capability has opened the way “for bigger data storage, for bigger data theft,” he said.  “And when you can gain it in bulk, you take it in bulk.”

The Chinese government, he said, is making use of Chinese companies that specialize in aggregating large sets of data “to help them in sifting through” the information for useful details.  “The analogy would be one of our intelligence organizations using Google, Yahoo, Accenture to aggregate data that we collected.”

China on Friday dismissed the allegation of hacking as “irresponsible and unscientific.”

Chinese Foreign Ministry spokesman Hong Lei said Beijing wanted to cooperate with other nations to build a peaceful and secure cyberspace.

“We wish the United States would not be full of suspicions, catching wind and shadows, but rather have a larger measure of trust and cooperation,” he told a regular news briefing.

OPM disclosed that the latest hack of one of its systems exposed personal data of up to 4 million current and former employees — the largest hack of federal employee data in recent years.

It is possible that officials as senior as Cabinet secretaries had their data exposed, a congressional aide said on a briefing call with government officials Friday.

U.S. officials privately said China was behind it.  The stolen information included Social Security numbers and performance evaluations.

“This is an intelligence operation designed to help the Chinese government,” the China expert said.  “It’s a new phase in an evolution of what they’re doing.  It certainly requires greater sophistication on their part in terms of being able to take out this much data.”

Barger’s firm has turned up technical evidence that the same Chinese group is behind the hacks of Premera Blue Cross and Empire BlueCross, which were discovered at roughly the same time earlier this year.

The first OPM incident has been linked to the health-care hacks by Barger and another security researcher, John Hultquist, senior manager for cyberespionage threat intelligence at iSight Partners.  Hultquist said the same group is responsible for all of them, and for other intrusions into commercial databases containing large sets of Americans’ personal information.

“They would leverage this data to get to diplomatic, political, military and economic intelligence that they typically target,” said Hultquist, who declined to comment on who was behind the attacks.

Though much Chinese cyber­espionage is attributed to the People’s Liberation Army, these hacks, Barger said, appeared to be linked to the Ministry of State Security, which is a spy agency responsible for foreign espionage and domestic counterintelligence.

Other Chinese entities, including the military, may also be involved in the campaign, analysts said.

Chinese government hackers “are like a vacuum cleaner” in sucking up information electronically, said Robert “Bear” Bryant, a former top counterespionage official in the government.  “They’re becoming much more sophisticated in tying it all together.  And they’re trying to harm us.”

Security researchers have pointed to a cyber tool or family of malicious software called Derusbi that has been linked exclusively to Chinese actors.  One group that has used Derusbi is Deep Panda, a name coined by the firm CrowdStrike, which has linked that group to the Anthem hack.

Disclosed in February, that incident exposed the Social Security numbers, addresses, phone numbers, e-mail addresses and member IDs of tens of millions of customers.  No medical data such as diagnosis or treatment information was compromised, the company said.

Researchers note that in contrast to the hacks of Home Depot and Target, personal data that might have been stolen from OPM, Anthem and the other companies has not shown up on the black market, where it can be sold to identity thieves.  That is another sign, they said, that the intrusions are not being made for commercial purposes.

“Usually if there’s a criminally or financially motivated breach like that, we see the data making its way into the black market soon after that,” Barger said.

The big-data approach being taken by the Chinese might seem to mirror techniques used abroad by the NSA, which has come under scrutiny for its data-gathering practices under executive authority.  But in China, the authorities do not tolerate public debate over the proper limits of large-scale spying in the digital age.

“This is what all intelligence services do if they’re good,” said the China cyber expert.  “If you want to find a needle, first you have to gather a haystack of needles.”

The massive data harvesting “reflects a maturity in Chinese” electronic intelligence gathering, the expert said.  “You have to put in place structured data repositories.  You have to have big-data management tools to be able to store and sift and analyze.”

Barger said that “with a large pool of data, they can prioritize who is the best to target electronically and who is the best to target via human recruitment.”

The U.S. official noted that the Chinese “would not take [the data] if they did not have the opportunity to aggregate it.”  And, he added, “they are taking it.”

Thursday, June 4, 2015

TECHNOLOGY - Google's Gesture Control

"How Google's gesture control technology could revolutionize the way we use devices" by Conner Forrest, TechRepublic 6/3/2015

Soli, Google's new gesture technology, would allow users to interact with their devices without ever touching the device itself. Here's how it's poised to make an impact.

It seems like pop culture is obsessed with the idea of interacting with technology without actually touching a device to do so.  Movies such as Minority Report and Iron Man are the frontrunners in this -- the idea that the future of technology will be decidedly "hands-off."

That future could be coming sooner than we think.  Last week, at its annual I/O developer conference, Google announced Soli, a project that would allow users to interact with their devices using hand gestures performed near the device, without requiring contact with the device.

"Project Soli is the technical underpinning of human interactions with wearables, mobile devices as well as the Internet of Things," a Google ATAP (Advanced Technology and Projects) spokesperson said.

Soli was born out of Google's ATAP group.  It's a fingernail-sized chip that uses radar to read hand gestures and convert them to actions on the device.

So if a user were to touch his or her thumb to their forefinger, Soli would read that as a button being pressed.  Or, if the user slides his or her forefinger back and forth on the pad of their thumb, that could operate a slider to adjust volume.

Unlike cameras, which are used in other motion sensing technologies, radar has a high positional accuracy, and thus works better in this context than cameras would.  It's able to pick up on slight movements better.

"Radar is a technology which transmits a radio wave towards a target, and then the receiver of the radar intercepts the reflected energy from that target," lead research engineer Jaime Lien said in a video about Soli.

The radar waves bounce off of your hand and back to the receiver, allowing it to interpret changes in the shape or movement of your hand.  Radar is also important to the project, according to Soli team lead Ivan Poupyrev, because it can work through materials or be embedded into objects.

The technology is vaguely reminiscent of the theremin musical instrument developed in the 1920s by Léon Theremin, but much more intricate.  In the Soli video, Poupyrev mentioned that the technology could be used to interact with "wearables, Internet of Things, and other computing devices."

The potential for Soli in wearables is perhaps the most obvious use case so far.  Small screens make it difficult to select certain apps or features, and being able to perform gestures next to the device might make navigation easier and intuitive.

According to 451 analyst Ryan Martin, it is important that a company like Google gets involved in this space because a project like Soli is important to the wearable and IoT ecosystems as a whole and it's important that it "be approached from a technology perspective, not a product perspective."

There are companies that focus solely on gesture-based interactions, but that can be risky and volatile as it will likely just be integrated as a feature.  Martin said that wrist-based wearables are actually less efficient if users actually have to touch them, and Soli could be a step forward in making them more efficient and usable.

Other potential use cases could be within connected cars or in the augmented reality (AR) or virtual reality (VR) spaces.  Imagine your Oculus Rift or Gear VR could support virtualized "hands" as another input without a third-party accessory.  Although, Martin said, it would probably work better as a complement to another input such as voice or touch.

Using Soli as an input tool is the glaring use case for now, but the project could provide value as an output technology as well.

"I think the killer application, or use case, long-term is going to be how to take this technology and have it be scanning around to provide context and enable automation that might not even necessitate gesture-based interaction, it might just happen," Martin said.

Gillette is one of many companies whose factories utilize high-speed cameras to analyze manufacturing processes and equipment to better understand when maintenance or repair is needed.  Soli could provide a similar service to advanced manufacturing facilities by consistently reading the machines and documenting their performance.

Time to market will depend on user experience.  As a device feature, Soli needs to be reliable and consistent or it will be detrimental to the partner brand or OEM that integrates it.

"Once the technology is able to meet that end, I think that's when we'll start to see it baked into products, but right now it's definitely in its development phase," Martin said.

According to the Google ATAP spokesperson, the company will be releasing a hardware and software development kit to developers soon.  If you want more information about Project Soli, you can contact the team at projectsoli@google.com.

Wednesday, May 6, 2015

SCIENTIFIC AMERICAN - Fear of Cyberattacks Should Not Lead Us to Destroy What Makes the Internet Special

"Freedom and Anonymity" by Jonathan Zittrain, Scientific American 2011

It’s starting to get weird out there.  When WikiLeaks released classified U.S. government documents in December, it sparked several rounds of online conflict.  WikiLeaks became the target of denial-of-service attacks and lost the support of its hosting and payment providers, which inspired sympathizers to counterattack, briefly bringing down the sites of MasterCard and a few other companies.  Sites related to the hackers were then attacked, and mirror sites sprang up claiming to host copies of the WikiLeaks documents—although some were said to carry viruses ready to take over the machines of those who downloaded the copies, for who knows what end.  Months before, an FBI official said disruption of the Internet was the greatest active risk to the U.S. “other than a weapon of mass destruction or a bomb in one of our major cities.”

Attacks on Internet sites and infrastructure, and the compromise of secure information, pose a particularly tricky problem because it is usually impossible to trace an attack back to its instigator.  This “attribution problem” is so troublesome that some law-enforcement experts have called for a wholesale reworking of Internet architecture and protocols, such that every packet of data is engraved with the identity of its source.  The idea is to make punishment, and therefore deterrence, possible.  Unfortunately, such a reworking would also threaten what makes the Internet special, both technologically and socially.

The Internet works thanks to loose but trusted connections among its many constituent parts, with easy entry and exit for new Internet service providers or new forms of expanding access.  That is not the case with, say, mobile phones, in which the telecom operator can tell which phone placed what call and to whom the phone is registered.  Establishing this level of identity on the Internet is no small task, as we have seen with authoritarian regimes that have sought to limit anonymity.  It would involve eliminating free and open WiFi access points and other ways of sharing connections.  Terminals in libraries and cybercafes would have to have verified sign-in rosters.  Or worse, Internet access would have to be predicated on providing a special ID akin to a government-issued driver’s license—perhaps in the form of a USB key.  No key, no bits.  To be sure, this step would not stop criminals and states wanting to act covertly but would force them to invest much more to achieve the anonymity that comes so naturally today.

The price to the rest of us would also be high.  The Internet’s distinct configuration may have made cyberattacks easy to launch, but it has also kindled the flame of freedom.  One repressive state after another has been caught between the promise of economic advancement through abundant Internet access and the fear of empowering its citizens to express themselves freely.  An Internet without the attribution problem would introduce a new issue: citizens could be readily identified and punished for their political activities.

We need better options for securing the Internet. Instead of looking primarily for top-down government intervention, we can enlist the operators and users themselves.  For example, Web site operators could opt into a system of “mirror as you link.”  Whenever their servers render a page, they cache the contents of the link.  Then, when someone tries to get to the site and can’t, he or she can go back to the original linking site and digitally say, “I can’t get that link you just directed me to.  Would you mind telling me what was there?”

Such a system of mutual aid would draw on the same cooperative and voluntary instinct behind the development of the Internet itself.  If I participate as a Web site, I will know that others linking to me will also mirror my material; we each help the other, not simply because it’s the right thing to do, but because we each benefit, spreading the risk of attack and cushioning its impact among all of us.  It’s a NATO for cyberspace, except it would be an alliance of Web sites instead of states.
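The "mirror as you link" scheme sketched above, as an added toy example that is not code from the essay: a linking site snapshots each page it links to at render time, and a reader whose request to the origin fails asks the linking site for its cached copy.  The network is an in-memory dict (an assumption made so the example runs offline), and the sample pages are constructed.

```python
"""Toy model of the "mirror as you link" mutual-aid scheme.

Assumption (not from the essay): the network is an in-memory dict so the
example runs offline; a real deployment would fetch over HTTP.
"""
import hashlib
import time

# Constructed sample network: URL -> page body.  Removing a URL from this
# dict models the target being knocked offline, e.g. by a denial-of-service
# attack against the site that originally hosted the document.
NETWORK = {
    "https://origin.example/report": "Full report text (constructed sample).",
    "https://linker.example/blog":
        'See <a href="https://origin.example/report">the report</a>.',
}


def fetch(url):
    """Return the page body, or None if the origin is unreachable."""
    return NETWORK.get(url)


class MirroringSite:
    """A site that opts in: it caches whatever it links to when it renders."""

    def __init__(self, name):
        self.name = name
        self.mirror = {}  # linked URL -> (body, sha256 hex digest, captured_at)

    def render(self, page_url, linked_urls):
        """Serve our own page and snapshot every link it points at."""
        body = fetch(page_url)
        for target in linked_urls:
            content = fetch(target)
            if content is not None:
                digest = hashlib.sha256(content.encode()).hexdigest()
                self.mirror[target] = (content, digest, time.time())
        return body

    def mirrored_copy(self, target):
        """Answer the reader's 'would you mind telling me what was there?'"""
        return self.mirror.get(target)


def resolve(target, linking_site):
    """Try the origin first; on failure fall back to the linking site's copy.

    Returns (body, source) where source is 'origin', a 'mirror:...' tag that
    names the linking site, the content digest and capture time, or None.
    """
    body = fetch(target)
    if body is not None:
        return body, "origin"
    copy = linking_site.mirrored_copy(target)
    if copy is None:
        return None, None
    content, digest, captured = copy
    # A mirror is only as trustworthy as the linking site and only as fresh
    # as its last render, so surface both facts to the reader.
    return content, f"mirror:{linking_site.name}:{digest[:12]}@{int(captured)}"


def demo():
    """Render once while the origin is up, take the origin down, then resolve."""
    linker = MirroringSite("linker.example")
    linker.render("https://linker.example/blog", ["https://origin.example/report"])
    NETWORK.pop("https://origin.example/report", None)  # origin goes dark
    return resolve("https://origin.example/report", linker)


if __name__ == "__main__":
    print(demo())
```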

A mutual aid framework could also make the Internet secure in other ways.  PCs can alert others not to run code that just sickened them, signaling health levels to others.  Internet providers could also develop technologies to validate their relationships to one another and ferret out misleading data, the way Wikipedia volunteers can quickly act to roll back thousands of acts of vandalism a day.

We rightly fear our networks and devices being attacked—but we should not let this fear cause us to destroy what makes the Internet special.  We have to become more involved and more subtle—and soon.

Monday, April 20, 2015

INTERNET - Ransomware

"The hack attack that takes your computer hostage till you pay" PBS NewsHour 4/18/2015

Excerpt

SUMMARY:  Ransomware, a type of software that computer hackers use to hold individuals' data hostage by blocking access to files unless they agree to pay a ransom, is on the rise.  And because anyone with an internet connection is vulnerable, the problem highlights a growing threat that consumers face on both their personal computers and mobile devices.

WILLIAM BRANGHAM (NewsHour):  Inna Simone is retired, a mother and grandmother from Russia who now lives outside of Boston.  Last November, her home computer started acting strangely.

INNA SIMONE:  My computer was working terribly.  It was not working, I mean, it was so slow.

WILLIAM BRANGHAM:  A few days later, while searching through her computer files, Inna saw dozens of these messages — they were all the same.  They read:  “Your files are encrypted.  To get the key to decrypt them, you have to pay $500 dollars.”  Her exact deadline — December 2nd at 12:48 pm — was just a few days away.

All her files were locked — tax returns, financial papers, letters — even the precious photos of her granddaughter Zoe.  Inna couldn’t open any of them.

INNA SIMONE:  It says, “If you won’t pay, within one week or whatever, your fine will double.  If you won’t pay by then, all your files will be deleted and you will lose them forever and never will get back.”

Thursday, April 16, 2015

CYBERSECURITY - Big Business, No Incentive For Greater Security

"Data breaches may cost less than the security to prevent them" by Michael Kassner, TechRepublic 4/9/2015

Companies have little incentive to invest in cybersecurity, says Benjamin Dean.  The security expert says the reason why may be moral hazard.

When it comes to data breaches, 2014 was a banner year.  However, if Benjamin Dean, Fellow for Internet Governance and Cyber-security, School of International and Public Affairs at Columbia University, did his math right, 2015 will be more of the same.

In a March 2015 column on The Conversation, Dean provided a hard to disagree with defense of why things security-wise "ain't gonna change" soon.  "When we examine the evidence, though, the actual expenses from the recent breaches at Sony, Target and Home Depot amount to less than 1% of each company's annual revenues," wrote Dean.  "After reimbursement from insurance and minus tax deductions, the losses are even less."

Dean then administered the knockout punch:  "This indicates that the financial incentives for companies to invest in greater information security are low and suggests that government intervention might be needed."

The costs of the Target, Home Depot, and Sony data breaches

Target's data breach in late 2013 involving 40 million credit- and debit-card records, plus 70 million customer records (including addresses and phone numbers), came under Dean's microscope.  A Target financial statement revealed the data breach cost Target $252 million.  "When we subtract insurance reimbursement, the losses fall to $162 million," explained Dean.  "If we subtract tax deductions (yes, breach-related expenses are deductible), the net losses tally $105 million."

Dean pointed out that this sum equaled 0.1% of Target's 2014 sales.

Home Depot suffered a data breach in 2014 where attackers stole 56 million credit- and debit-card numbers plus 53 million email addresses.  According to Dean, after an insurance reimbursement of $15 million, the data breach cost Home Depot $28 million, or 0.01% of its sales in 2014.

Dean also looked at Sony's data breach that occurred near the end of 2014.  Sony at first suggested losses exceeded $100 million.  However, Dean found some equally interesting numbers in Sony's third-quarter financial statement, "$15 million in 'investigation and remediation costs' and that it [Sony] doesn't expect to suffer any long-term consequences."

A senior general manager at Sony later said the figure would be closer to $35 million for the fiscal year ending March 31.  Dean offered some perspective about the losses:  "To give some scale to these losses, they represent from 0.9% to 2% of Sony's total projected sales for 2014 and a fraction of the initial estimates."

As to the question of Sony's reputation, Dean provided the following numbers on the movie "The Interview":

  • It cost $44 million to make the film; and
  • it has grossed $46.7 million in online sales and cinemas worldwide.

"If anything, the free publicity for a new movie on cable news, across social networks and daily newspapers, at Christmas to boot, represents a net financial benefit to Sony," mentioned Dean.  "There's no such thing as bad press, after all."

The moral hazard response

Dean then introduced a concept I had not heard of: moral hazard.  There are several versions of the definition, but this one from Wikipedia is relevant to this discussion:

"In economics, moral hazard occurs when one person takes more risks because someone else bears the burden of those risks."

Dean applied the concept of moral hazard to Target, Home Depot, and Sony.  "These companies are able to invest less in information security," said Dean in an email exchange with me.  "Because, in the event of a breach, other parties (banks, customers, etc) bear the lion's share of the costs of the breach."

In the case of Home Depot, Dean said credit- and debit-card providers plus Home Depot customers caught the brunt of the fallout.  "Credit unions claim to have spent $60 million in September 2014 alone replacing compromised cards," Dean added.  "Each customer whose card had to be replaced also incurred a cost in terms of inconvenience."

Dean then concluded it does not make economic sense for companies like Target, Home Depot, and Sony to invest heavily in information security, especially when insurance payments and tax deductions cut the financial outlay to where it is less than what it would cost to improve information security.

What is the answer?

Removing the moral hazard seems to be the logical answer.  But how would that come about -- government intervention?  "It's important to make sure the intervention doesn't make the problem of moral hazard worse," cautioned Dean.  "This is a huge problem because as we plough billions of dollars into intelligence agencies, supposedly to keep us all safe from 'cyber-attacks', it has the effect of further weakening the already low incentives for companies to invest in information security themselves."

"Unintended consequences of policies, even in instances where the case for government intervention is strong, can be worse than the consequences of doing nothing at all," further cautions Dean.  "I'm not saying that we do nothing at all -- just that we need verifiable and reliable data on which to begin making these complex policy decisions."

Monday, April 13, 2015

SOCIAL MEDIA - Book on the Privacy Issue

"How can we return privacy control to social media users?" PBS NewsHour 4/7/2015

Excerpt

SUMMARY:  What’s the cost of being constantly connected through social media?  A new book, “Terms of Service” examines the erosion of privacy in the digital era.  Author Jacob Silverman sits down with Jeffrey Brown to discuss what data is being tracked, stored and sold.

GWEN IFILL (NewsHour):  Now the latest addition to the NewsHour bookshelf, “Terms of Service.”  It’s a look at the erosion of privacy in the age of social media.

Jeffrey Brown recently talked to author Jacob Silverman at Busboys and Poets, a restaurant and bookstore chain in and around Washington.

JEFFREY BROWN (NewsHour):  Welcome to you.

JACOB SILVERMAN, Author, “Terms of Service”:  Thanks for having me.

JEFFREY BROWN:  The case you’re making — and it’s a strong case — we don’t know or we don’t seem to care enough about what we’re giving away in our digital lives.

JACOB SILVERMAN:  Right.

Well, the same systems that make it so easy to communicate with one another and live these lives where we’re essentially all public figures now also make it very easy to sort of spy on us, to collect personal information, whether you’re companies or governments or other bad actors.

And I think that a lot of people don’t really realize how much is being collected on each and every one of us, that there are big data brokers out there forming dossiers on hundreds of millions of people.

JEFFREY BROWN:  There’s been a lot of emphasis on government surveillance.  Here, you’re really pointing to what we perhaps don’t know as much about, corporate surveillance.

JACOB SILVERMAN:  Right.

Well, actually, corporations have really led the way turning the Internet into what is really a remarkable surveillance machine.  Ever since the introduction of the cookie about 15 years ago, we have sort of shifted paths to make the Internet all about monitoring what users do, so that we can direct ads toward them.

Monday, March 2, 2015

"Teaching computers how to play Atari better than humans" PBS NewsHour 2/25/2015

Excerpt

SUMMARY:  Tom Clarke of Independent Television News reports on how an artificial intelligence business owned by Google has created software that can teach itself to play classic Atari games better than a human.

GWEN IFILL (NewsHour):  Next, playing video games might seem like child’s play.

But, as Tom Clarke of Independent Television News reports, it’s also at the frontier of artificial intelligence.

TOM CLARKE, Independent Television News:  It was the late 1970s, and for the first generation of video gamers, Atari was king.  By the standards of the day, the graphics were mind-blowing, the sound out of this world.

And the selection of games just went on and on and on.

Ah.

Compared to the video games of today, Atari looks pretty clunky, but the games are still quite difficult to play, especially if you haven’t picked one up for 30 years, like me.  But it’s that exact combination of simple graphics, but quite challenging game play, that has attracted the cutting edge of artificial intelligence researchers back to the 1970s.

This version of “Space Invaders” isn’t being played by a person, but a system of computer algorithms that is learning how to play it just by looking at the pixels on the screen.  It may not sound like it, but it’s something of a breakthrough, the work of one of the finest young minds in A.I. research, North Londoner Demis Hassabis.

SECURITY - Vulnerabilities 2014

COMMENT:  What is most important to security is which OS is the most targeted.  Microsoft is still the most popular and therefore the most targeted.

"Apple, Linux, not Windows, most vulnerable operating systems in 2014" by Ms. Smith, Network World 2/22/2015

OS X, iOS, and Linux were the top three most vulnerable operating systems in 2014, but Internet Explorer was the most vulnerable app.

A whopping average of 19 security vulnerabilities were reported every day in 2014.  The number of vulnerabilities discovered each year in operating systems, applications, and hardware has skyrocketed in a nasty trend, according to analysis by GFI Software.

Operating systems with most security vulnerabilities in 2014

The top spot for vulnerabilities in operating systems no longer goes to Microsoft Windows; in fact, Windows isn't even listed in the top three.  Instead, the most vulnerable OS was Apple Mac OS X, followed by Apple iOS and Linux kernel.  As you can see in the list below, Mac OS X had 147 vulnerabilities, with 64 being rated as high-severity bugs.  There were 127 in iOS, 32 of those rated as high.  Linux kernel had a rough year, with 119 security vulnerabilities and 24 being rated as high-severity.  The flip-side is that none of the security holes in Windows versions were rated as low severity.

"2014 was a tough year for Linux users from a security point of view, coupled with the fact that some of the most important security issues of the year were reported for applications that usually run on Linux systems," explained GFI Software manager Cristian Florian.  "Heartbleed, for example, is a critical security vulnerability detected in OpenSSL while Shellshock is a vulnerability that affects GNU Bash."

Most security vulnerabilities in apps during 2014

However, Microsoft can't crow too much about being "more secure," since Internet Exploder Explorer blew away the "competition" by having nearly twice as many security flaws as the second most vulnerable app, which was Google Chrome.  IE had 242 security flaws, with a whopping 220 of those being high-severity vulnerabilities.  Chrome had 124 total bugs with 86 of those rated as high.  With 117 total, Firefox wasn't too far behind Chrome for security holes reported, but only 57 were high severity.

It's interesting to note that a separate report on security flaws by Secunia found that Google Chrome had the most vulnerabilities in January 2015; Chrome had 71, compared to the second place tie of 19 security glitches each in Oracle Java JRE and Oracle Java JDK.  Internet Explorer didn't even make the top 20 list for vulnerabilities discovered in the first month of this year.

Unsurprisingly, GFI said the worst offender in 2014 for having security flaws was third-party applications.  Apps made up a whopping 83% of reported bugs, followed by 13% in operating systems and then 4% in hardware.

Florian reported:

The applications listed here are pretty much the same as in 2013.  Not surprisingly at all, web browsers continue to have the most security vulnerabilities because they are a popular gateway to access a server and to spread malware on the clients.  Adobe free products and Java are the main challengers but web browsers have continuously topped the table for the last six years.  Mozilla Firefox had the most vulnerabilities reported in 2009 and 2012; Google Chrome in 2010 and 2011; Internet Explorer was at the top for the last two years.

Total security vulnerabilities reported in 2014

To review, last year an average of 19 new security vulnerabilities were reported every day to the National Vulnerability Database (NVD).

In total, there were 7,038 vulnerabilities in 2014.  That figure blows away the new flaws found in any other year.  For comparison, in 2013 there were 13 new security vulnerabilities per day for a total of 4,794; at that time, the number was the highest number of vulnerabilities in the last five years.

If you'd like to end with "good" news, then GFI found some in the fact that the percentage of vulnerabilities rated as "high severity" dropped to 24% in 2014.  Although that is lower than in 2013, there were still more total vulnerabilities discovered in 2014. Sixty-eight percent of vulnerabilities in 2014 were rated as "medium" for severity, with only 8% rated as "low."
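
The counts in the article come from bucketing NVD entries by their CVSS v2 severity band and summing them per product.  The Python script below is an added example, not code from the article or from GFI Software; it does that bookkeeping over a constructed record set (the CVE ids and scores are placeholders, not real entries) shaped like the fields a script would pull from the NVD feed: it filters to a year, tallies High/Medium/Low per product using NVD's v2 bands, keeps unscored entries in their own bucket instead of dropping them, and computes the per-day rate quoted above.

```python
"""Tally vulnerability records by product and NVD severity band.

Added example; not code from the Network World article or from GFI Software.
The records are constructed for illustration (CVE ids are placeholders, not
real entries) and mimic the fields pulled from the NVD data feed: CVE id,
publication date, affected product, CVSS v2 base score.  Severity bands
follow NVD's CVSS v2 qualitative scale.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample input (placeholder ids, fictional scores).
SAMPLE_RECORDS = [
    {"id": "CVE-2014-EX01", "published": "2014-01-14", "product": "Internet Explorer", "cvss_v2": 9.3},
    {"id": "CVE-2014-EX02", "published": "2014-01-14", "product": "Internet Explorer", "cvss_v2": 7.6},
    {"id": "CVE-2014-EX03", "published": "2014-02-11", "product": "Internet Explorer", "cvss_v2": 4.3},
    {"id": "CVE-2014-EX04", "published": "2014-03-04", "product": "Google Chrome", "cvss_v2": 7.5},
    {"id": "CVE-2014-EX05", "published": "2014-03-04", "product": "Google Chrome", "cvss_v2": 5.0},
    {"id": "CVE-2014-EX06", "published": "2014-04-08", "product": "Mac OS X", "cvss_v2": 10.0},
    {"id": "CVE-2014-EX07", "published": "2014-04-08", "product": "Mac OS X", "cvss_v2": 2.1},
    {"id": "CVE-2014-EX08", "published": "2014-06-05", "product": "Linux kernel", "cvss_v2": 7.2},
    {"id": "CVE-2014-EX09", "published": "2014-09-24", "product": "GNU Bash", "cvss_v2": 10.0},
    {"id": "CVE-2014-EX10", "published": "2014-12-30", "product": "Linux kernel", "cvss_v2": None},
    {"id": "CVE-2013-EX11", "published": "2013-12-31", "product": "Mozilla Firefox", "cvss_v2": 6.8},
]


def severity_band(score):
    """Map a CVSS v2 base score to NVD's qualitative band.

    NVD's v2 scale: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0.  Entries NVD
    has not yet analysed carry no score; they must not be silently dropped or
    counted as Low, so they get their own band.
    """
    if score is None:
        return "Unscored"
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def records_in_year(records, year):
    """Keep only records published in the given calendar year."""
    return [r for r in records if date.fromisoformat(r["published"]).year == year]


def tally_by_product(records):
    """Return {product: Counter({band: count})} for the given records."""
    tally = defaultdict(Counter)
    for r in records:
        tally[r["product"]][severity_band(r["cvss_v2"])] += 1
    return dict(tally)


def rank_products(tally):
    """Products ordered by total count, then by High count, descending."""
    return sorted(tally, key=lambda p: (sum(tally[p].values()), tally[p]["High"]), reverse=True)


def severity_share(records):
    """Whole-percent share of each band among scored records (the 24%/68%/8% split)."""
    bands = Counter(severity_band(r["cvss_v2"]) for r in records)
    scored = sum(n for b, n in bands.items() if b != "Unscored")
    return {b: round(100 * n / scored) for b, n in bands.items() if b != "Unscored"}


def per_day_rate(count, year):
    """Average disclosures per calendar day (the '19 per day' figure)."""
    days = (date(year + 1, 1, 1) - date(year, 1, 1)).days
    return round(count / days, 1)


if __name__ == "__main__":
    recs = records_in_year(SAMPLE_RECORDS, 2014)
    t = tally_by_product(recs)
    for p in rank_products(t):
        print(f"{p:18} total={sum(t[p].values()):2}  {dict(t[p])}")
    print("severity share:", severity_share(recs))
    print("2014 NVD total 7,038 ->", per_day_rate(7038, 2014), "per day")
```

Run it as a script to see the ranking and the per-day figure.  One caveat when reading a table like GFI's: a CVE count measures disclosure activity for a product, which depends on how much scrutiny it gets and how its vendor files advisories (one kernel CVE per bug versus one roll-up bulletin), not how exposed a deployed system is; the count is only useful alongside whether the fixes are actually installed.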

Wednesday, February 25, 2015

INTERNET - My Latest Speed Test

Here's my latest Speed Test on my Win7 Pro super-rig using AT&T U-verse broadband.

Here's the DU Meter results while viewing this post and some YouTube videos.

INTERNET - Net Neutrality Rules Update

THE PEOPLE ARE WINNING!  To understand, see short video at bottom.

"F.C.C. Net Neutrality Rules Clear Hurdle as Republicans Concede to Obama" by JONATHAN WEISMAN, New York Times 2/24/2015

Excerpt

Senior Republicans conceded on Tuesday that the grueling fight with President Obama over the regulation of Internet service appears over, with the president and an army of Internet activists victorious.

The Federal Communications Commission is expected on Thursday to approve regulating Internet service like a public utility, prohibiting companies from paying for faster lanes on the Internet.  While the two Democratic commissioners are negotiating over technical details, they are widely expected to side with the Democratic chairman, Tom Wheeler, against the two Republican commissioners.

And Republicans on Capitol Hill, who once criticized the plan as “Obamacare for the Internet,” now say they are unlikely to pass a legislative response that would undo perhaps the biggest policy shift since the Internet became a reality.

“We’re not going to get a signed bill that doesn’t have Democrats’ support,” said Senator John Thune, Republican of South Dakota and chairman of the Senate Commerce Committee.  “This is an issue that needs to have bipartisan support.”

The new F.C.C. rules are still likely to be tied up in a protracted court fight with the cable companies and Internet service providers that oppose it, and they could be overturned in the future by a Republican-leaning commission.  But for now, Congress’s hands appear to be tied.

The F.C.C. plan would let the agency regulate Internet access as if it is a public good.  It would follow the concept known as net neutrality or an open Internet, banning so-called paid prioritization — or fast lanes — for willing Internet content providers.

In addition, it would ban the intentional slowing of the Internet for companies that refuse to pay broadband providers.  The plan would also give the F.C.C. the power to step in if unforeseen impediments are thrown up by the handful of giant companies that run many of the country’s broadband and wireless networks.

Republicans hoped to pre-empt the F.C.C. vote with legislation, but Senate Democrats insisted on waiting until after Thursday’s F.C.C. vote before even beginning to talk about legislation for an open Internet.  Even Mr. Thune, the architect of draft legislation to override the F.C.C., said Democrats had stalled what momentum he could muster.

And an avalanche of support for Mr. Wheeler’s plan — driven by Internet companies as varied as Netflix, Twitter, Mozilla and Etsy — has swamped Washington.

“We’ve been outspent, outlobbied.  We were going up against the second-biggest corporate lobby in D.C., and it looks like we’ve won,” said Dave Steer, director of advocacy for the Mozilla Foundation, the nonprofit technology foundation that runs Firefox, a popular Web browser, referring to the cable companies.  “A year ago today, we did not think we would be in this spot.”

The net neutrality movement pitted new media against old and may well have revolutionized notions of corporate social responsibility and activism.  Top-down decisions by executives investing in or divesting themselves of resources, paying lobbyists and buying advertisements were upended by the mobilization of Internet customers and users.

“We don’t have an army of lobbyists to deploy.  We don’t have financial resources to throw around,” said Liba Rubenstein, director of social impact and public policy at the social media company Tumblr, which is owned by Yahoo, the large Internet company, but operated independently on the issue.  “What we do have is access to an incredibly engaged, incredibly passionate user base, and we can give folks the tools to respond.”

Internet service providers say heavy-handed regulation of the Internet will diminish their profitability and crush investment to expand and speed up Internet access.  It could even open the web to taxation to pay for new regulators.

Brian Dietz, a spokesman for the National Cable & Telecommunications Association, said the pro-net-neutrality advocates turned a complex and technical debate over how best to keep the Internet operating most efficiently into a matter of religion.  The forces for stronger regulation, he said, became viewed as for the Internet.  Those opposed to the regulation were viewed as against the Internet.

The Internet companies, he said, sometimes mislead their customers, and in some cases, are misled on the intricacies of the policy.

“Many of the things they have said just belie reality and common sense,” he said.

In April, a dozen New York-based Internet companies gathered at Tumblr’s headquarters in the Flatiron district to hear dire warnings that broadband providers were about to obtain the right to charge for the fastest speeds on the web.

The implication:  If they did not pony up, they would be stuck in the slow lane.

What followed was the longest, most sustained campaign of Internet activism in history.  A swarm of small players, like Tumblr, Etsy, BoingBoing and Reddit, overwhelmed the giants of the broadband world, Comcast, Verizon Communications and Time Warner Cable.  Two of the biggest players on the Internet, Amazon and Google, largely stayed in the background, while smaller participants — some household names like Twitter and Netflix, others far more obscure, like Chess.com and Urban Dictionary — mobilized a grass-roots crusade.

“Our community is the source of our power,” said Althea Erickson, director of public policy at Etsy, an online craft market, where users embroidered pillows and engraved spoons promoting net neutrality.

Monday, January 12, 2015

EMAIL CLIENT - Pegasus on Windows 7

Well, I finally found an eMail Client that works with Windows 7 64bit AND does everything I wanted.

Pegasus Mail

It has all the options that I had with Agent on my Windows XP system.  Agent failed to work on my Windows 7 64bit due to a MAPI problem.

Here's my Pegasus window:

It has a nice, though hard to use, filtering system.  And setup was very good but not intuitive.

The options are extensive, but again something seems missing, like:
  • Notification Options, like turning off delete confirmations
  • Setting compose-email editor options, like setting default font and size
So far, I like it very much.

Monday, December 29, 2014

WINDOWS 7 - Classic Shell

Just found something that is outstanding for my Windows 7 Pro 64bit rig.

Classic Shell for Windows 7 & 8

Here are screenshots of just two examples:

This shows the style I'm using for the [Start] menu.

This is the file Explorer classic style.

There are more styles for other Windows UIs.

Why do I like this utility?  See my [Start] menu:

Monday, November 24, 2014

CYBER ATTACKS - Outdated Internet Browsers

"Your outdated Internet browser is a gateway for cyber attacks" PBS NewsHour 11/18/2014

Excerpt

JUDY WOODRUFF (NewsHour):  Major U.S. government agencies have been the target of cyber-attacks of late.  The State Department is the latest.  During the past week, officials had to temporarily shut down an unclassified e-mail system after a suspected hacking.  In recent months, the White House, the Postal Service and the National Weather Service all have been targeted.

Meanwhile, as the holiday season approaches, retailers and the business world are on the lookout for breaches.

A new book breaks down the pervasiveness of what’s happening.

Jeffrey Brown has our conversation.

JEFFREY BROWN (NewsHour):  Hardly a week goes by anymore without a report of some major cyber-breach, whether it’s targeting retailers, the government, or any and all of us.  The attacks are generated in a new netherworld of crime, some of it individualized, even chaotic, other parts of it extremely well-organized.

Writer and journalist Brian Krebs has uncovered some major breaches, including the one on Target that compromised the credit card data of tens of millions of people.  He writes about all of this on his blog Krebs on Security and now in his new book, “Spam Nation.”

And welcome to you.

BRIAN KREBS, Author, “Spam Nation”:  Thank you.

JEFFREY BROWN:  You are peering into a world of cyber-crime that few of us ever see.  What does it look like?

BRIAN KREBS:  It’s a pretty dark place.

JEFFREY BROWN:  It is?

BRIAN KREBS:  Yes, absolutely.

But it’s not as dark as you might imagine.  If you’re somebody who doesn’t know their way around, there are plenty of people willing to show you the way.  They might take a cut of the action to help you do that, but it’s not as dark…

Wednesday, November 5, 2014

SOFTWARE - Hardware Monitor on My Windows 7 64bit Rig

Quite a while back I posted an article about CPUID's Hardware Monitor (aka HWMonitor).

Well, above is what it is showing for my custom built Windows 7 64bit 'Super Rig.'

I was surprised by the display of my UPS (Uninterruptible Power Supply) info.

This was not displayed in my dead-and-berried WinXP Rig.  Maybe it's because on my new rig the UPS is connected via USB.

Note that HWMonitor comes in a free non-Pro version.  HWMonitor Pro ($) allows you to create graphs.

Wednesday, October 15, 2014

WINDOWS - WinXP vs Win7

As I said in my previous post, I was forced to go to Windows 7.

I have found that Microdunce has 'broken' features in Win7:

[Send to]:  This is the first broken feature I ran into.  In WinXP you can put any shortcut in your [SendTo] folder and it will work when using the Context Menu [Send to] option.  NOT in Win7, you cannot use normal shortcuts in your [SendTo] folder.

POINTERS:  In WinXP you can set custom pointers sourced from anywhere, any CUR file.  In Win7 ALL pointers must be in C:\Windows\Cursors.  This means you have to copy cursors/pointers from your other sources to that folder for any Pointer Customization to hold on next boot, ALSO you should save the DEFAULT cursor theme.

SOUNDS:  In Win7 there is no "Start Windows" sound listed.  "Exit Windows" is listed.  Luckily I found a utility to change the "Start Windows" sound.  Now tell me, what is the logic of NOT having "Start Windows" listed?

I consider features 'broken' if any change makes it HARDER to use Windows.

I will add more 'broken features' here as I find them.