Thursday, July 27, 2017

Cyber: 'Devil's Ivy' Vulnerability Could Afflict Millions of IoT Devices

If you’d like to test whether your human capacity for shock has been overworked to the point of total ruin by Donald Trump’s presidency, watch his Monday evening address to the Boy Scouts of America’s quadrennial jamboree. Every beat more self-obsessed, petty, and hateful than the last, the speech found Trump cussing and alluding to sexual exploits in front of a crowd of children, congratulating himself and demeaning his ideological opponents at an event that has pretty much steered clear of partisanship for 80 years.

Fake ‘ONI’ Twitter account is fake, PM’s department confirms. Satirical accounts walk a fine line. One purporting to be the Office of National Intelligence was shut down, while another account that uses a version of the Australian coat of arms and has the handle @ASIO is still up and running.

FBI Seized Smashed Hard Drives From Debbie Wasserman Schultz IT Aide’s Home

Gov Info Security

A new offensive by Microsoft has been making inroads against the Russian government hackers behind last year’s election meddling, identifying over 120 new targets of the Kremlin’s cyber spying, and control-alt-deleting segments of Putin’s hacking apparatus. How are they doing it? It turns out Microsoft has something even more formidable than Moscow’s malware: lawyers.

The state of Colorado is moving to audit future digital election results, hiring a Portland-based startup to develop software to help ensure that electronic vote tallies are accurate.

A Democratic senator is pressing the Department of Homeland Security (DHS) to mandate the government-wide use of an email authentication tool “to ensure that hackers cannot send emails that impersonate federal agencies.” Sen. Ron Wyden (D-Ore.) made the request in a letter to a top official at the National Protection and Programs Directorate (NPPD), the DHS office in charge of securing cyber and physical infrastructure. “I write to ask you to take immediate steps to ensure that hackers cannot send emails that impersonate federal agencies,” Wyden wrote Tuesday to Jeanette Manfra, the DHS official. “The threat posed by criminals and foreign governments impersonating U.S. government agencies is real.” Rob Joyce, President Trump’s cybersecurity coordinator, was also copied on the letter. Specifically, Wyden asked DHS to require agencies to use a tool called the Domain-based Message Authentication, Reporting and Conformance (DMARC), a standard developed by the industry that lets organizations send impersonating emails to a spam folder or have them rejected by victims’ email providers.
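As an added illustration (not part of the original story, and not code from any DMARC library), the following Python sketches the receiver-side check DMARC describes: parse the sending domain's published policy record and decide whether a message that fails aligned SPF and DKIM is delivered, quarantined or rejected. The domain names, the `AuthResult` helper and the two-label approximation of the organizational domain are assumptions.

```python
"""Simplified DMARC policy evaluation (RFC 7489 section 6.6, hypothetical helper).

Constructed for illustration: real receivers resolve the organizational domain
with the Public Suffix List and also honour the pct= sampling tag.
"""
from dataclasses import dataclass


@dataclass
class AuthResult:
    from_domain: str   # domain in the message's RFC5322.From header
    spf_domain: str    # domain SPF actually authenticated (MAIL FROM / HELO)
    spf_pass: bool
    dkim_domain: str   # d= tag of the DKIM signature ("" if unsigned)
    dkim_pass: bool


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict; reject non-DMARC text."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels (assumption)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' only the org domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(record: str, r: AuthResult) -> str:
    """Return 'pass', or the published policy (none/quarantine/reject) on failure."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # Failure: p applies to the domain itself, sp (when published) to subdomains.
    is_subdomain = r.from_domain.lower() != org_domain(r.from_domain)
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]


# Constructed records: the kind of policy the letter asks agencies to publish,
# beside the weak monitoring-only record that still lets spoofed mail through.
STRONG_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@agency.example"
WEAK_RECORD = "v=DMARC1; p=none"

# Constructed message: attacker's own SPF-passing domain, no DKIM signature.
SPOOFED = AuthResult("agency.example", "bulk-sender.example", True, "", False)
# Constructed message: legitimate bounce subdomain, relaxed SPF alignment.
LEGIT = AuthResult("agency.example", "bounce.agency.example", True, "", False)
```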

After 2016 Hack, House Democratic Committee Switches To Encrypted Messaging

Hackers who breached a Kansas Department of Commerce data system used by multiple states gained access to more than 5.5 million Social Security Numbers and put the agency on the hook to pay for credit monitoring services for all victims. The number of SSNs exposed across the 10 states whose data was accessed has not been previously reported. The Kansas News Service, a collaboration of KCUR, Kansas Public Radio, KMUW and High Plains Public Radio, obtained the information through an open records request. More than half a million of the SSNs were from Kansas, according to the Department of Commerce. The data is from websites that help connect people to jobs, such as, where members of the public seeking employment can post their resumes and search job openings. Kansas was managing data for 16 states at the time of the hack, but not all were affected. In addition to the 5.5 million personal user accounts that included SSNs, about 805,000 more accounts that did not contain SSNs were also exposed. 

Ashley Madison wants to put that sordid data breach affair behind it. On Friday, Ashley Madison parent company Ruby Life, née Avid Dating Life, announced that it's reached an $11.2 million settlement agreement with plaintiffs in a consolidated lawsuit that was filed against the infidelity dating site following its massive July 2015 data breach. The full terms of the settlement agreement have yet to be approved by the court. But the proposal calls for Ruby to contribute "a total of $11.2 million to a settlement fund," designed, in part, to compensate "settlement class members who submit valid claims for alleged losses resulting from the data breach and alleged misrepresentations" tied to Ashley Madison, Ruby says in a statement.

The security woes of the internet of things stem from more than just connecting a bunch of cheap gadgets to a cruel and hacker-infested internet. Often dozens of different vendors run the same third-party code across an array of products. That means a single bug can impact a startling number of disparate devices. Or, as one security company's researchers recently found, a vulnerability in a single internet-connected security camera can expose a flaw that leaves thousands of different models of device at risk. On Tuesday, the internet-of-things-focused security firm Senrio revealed a hackable flaw it's calling "Devil's Ivy," a vulnerability in a piece of code called gSOAP widely used in physical security products, potentially allowing faraway attackers to fully disable or take over thousands of models of internet-connected devices from security cameras to sensors to access-card readers. In all, the small company behind gSOAP, known as Genivia, says that at least 34 companies use the code in their IoT products. And while Genivia has already released a patch for the problem, it's so widespread—and patching so spotty in the internet of things—that it could persist unfixed in a large swath of devices.

A new Harvard study shows that multiple researchers independently uncover the same security flaws more often than previously thought, a discovery that could affect the way governments determine whether to keep those flaws secret for use in espionage.
Study shows hacking techniques harder to keep secret than first thought

Estonia, the only country in the world where voters elect their leaders through online balloting, is taking steps to fend off potential hacking attacks as cyber-security fears intensify. A software overhaul for the system, introduced in 2005, is ready for testing before local elections in October, according to Tarvi Martens, the National Electoral Committee’s head of e-voting. The upgrade includes anti-tampering features known as end-to-end verifiability that addresses security concerns from groups such as the Organization for Security and Cooperation in Europe, he said. “End-to-end verifiability is the ‘Holy Grail’ for electronic voting,” Martens said this month in a phone interview. “When we talk about international criticism, the new software now addresses it.”

GCHQ Says Hackers Have Likely Compromised UK Energy Sector Targets

Cyberattack on Ukrainian clinics, pharmacies worries experts

A 29-year-old British man has confessed to carrying out a cyber-attack on Deutsche Telekom’s routers last year, claiming he had acted on behalf of a Liberian telecommunications company but that his mission had got out of hand. Speaking via a translator at a court in Cologne, the man, who was arrested under a European arrest warrant at Luton airport in February, described it as the “biggest mistake of my life”. The November attack hijacked about 900,000 routers and briefly stopped their owners getting online, affecting about 1.25 million Deutsche Telekom customers. The Bonn-based company estimated the cost of the attack to have been more than €2m (£1.79m).

Commons committee was hit by cyber attack

US Senator Ron Wyden (D-Ore.) criticized the Federal Communications Commission for failing to turn over its internal analysis of the DDoS attacks that hit the FCC's public comment system. The FCC declined to provide its analysis of the attacks to Gizmodo, which had filed a Freedom of Information Act (FoIA) request for a copy of all records related to the FCC analysis "that concluded a DDoS attack had taken place." The FCC declined the request, saying that its initial analysis on the day of the attack "did not result in written documentation." “If the FCC did suffer a DDoS attack and yet created no written materials about it, that would be deeply irresponsible and cast doubt on how the FCC could possibly prevent future attacks," Wyden told Gizmodo in a story today. "On the other hand, if FCC is playing word games to avoid responding to FoIA requests, it would clearly violate Chairman Ajit Pai’s pledge to increase transparency at the FCC.” Wyden also said that the FCC's response to the FoIA request raised "legitimate questions about whether the agency is being truthful when it claims a DDoS attack knocked its commenting system offline.”

Unprecedented Gerrymander ran out of oxygen in NSW

NSW premier Gladys Berejiklian. Photo: Daniel Muno
New South Wales premier Gladys Berejiklian has walked away from a key policy of her predecessor, Mike Baird, putting an end to forced council amalgamations in Sydney.
The decision ends an 18-month legal tussle with councils that chose to fight the mergers in the Supreme Court and comes five months after the government gave up on the regional mergers Baird said would deliver “huge benefits” for taxpayers.

Speaking of oxygen, David St Pierre of Westpac fame: it is the story of Westpac selling a 30-year mortgage to a 98-year-old in a nursing home.

Harry Truman of Fact Checking

Truly, men and women of Australia, what is going on... More MPs could be at risk as dual citizenship crisis threatens to widen (The Sydney Morning Herald) / and a fake whale with a number of strange waterway citizenships beached itself in Paris this morning ...

'He is choosing to believe that he was never British': Malcolm Roberts denies he lied

Data Driven Journalism – “Tweets of Congress is a project collating the daily Twitter output of both houses of the United States Congress, encompassing the accounts of members, political parties, committees and caucuses (around 1,070 accounts in total). There are two components to the project: a backend app for data collection and serialization and a frontend Github-hosted site offering JSON datasets for given days. The App – The backend app, the Congressional Tweet Automator, is a light NodeJS program backed by a Redis data store for tracking tweets and users. The app uses the Twit and Github modules, respectively, for interfacing with the Twitter and Github APIs. There are also some utility functions to track time and the like…”

Trust me, you can dance - Vodka! #Weekend #Quote #Alcohol

Might Delaware’s corporate dominance dwindle?

"We've signed more bills — and I'm talking about through the legislature — than any president ever. For a while Harry Truman had us. And now I think we have everybody...I better say 'think' otherwise they'll give me a Pinocchio, and I don't like those, I don't like Pinocchios."  U.S. President Donald Trump

Two new studies this week could encourage you to change the way you write and market your fact checks. A study co-authored by Kathleen Hall Jamieson indicates that using videos and humor in fact-checking can be more effective than text-only fact-checking. And research from Columbia University says that people are more likely to believe fake news when they're with other people, rather than alone. (For more fact-checking-related research, see the American Press Institute's collection.)

They didn't give him Pinocchios, but...
"Tempted as we are to give the president Pinocchios for his statement, he seemed to be speaking off the cuff," writes the Pinocchio-awarding Glenn Kessler in The Washington Post. Still, the quote is entirely off base. (And here's a video if you prefer.)
We see what you're doing there
Scottish fact-checkers The Ferret handed out the worst rating on their scale for the first time to a claim about British trade deals "in the bag." By the way, the rating stands for "For Facts' Sake," no matter what you might think.

The arithmetic of fakery
Mathematical models can help us understand how misinformation goes viral, scientists say. Or if you prefer, here's a non-math way to explain it: “The competition is so harsh that the good stuff cannot bubble to the top.”

Fighting Facebook fakes in Germany
With the German election approaching, POLITICO Europe speaks to Correctiv — freshly verified as an IFCN signatory — about their work as a third-party fact-checker on Facebook. "The results of this experiment, so far, are mixed," the article notes.

Fool me once...
A Maryland man who was fired from his job over a fake story he wrote about Hillary Clinton earlier this year is in trouble again — this time for a fact-less telephone poll foisted upon Maryland voters recently. 

Fact-checkers: Don't worry, be happy 
It might have been an annus horribilis for some fact-checkers, but here are a bunch of reasons to be optimistic, says Patrick Worrall in

Fake news, real danger
Though existence of the infamous "Blue Whale" conspiracy has not been proven, the game that encourages teens to harm themselves has placed people in danger, says the San Jose Mercury News.

The fake news chain — in mainstream media
A bogus story about a hotelier who wasn't able to fill an open vacancy because young Italians are too choosy went from local newspaper to national newspaper to the evening news. International Journalism Festival organizer Arianna Ciccone deconstructs the fakery; and a h/t to Espresso journalist Alessandro Gilioli's debunk.

More Global Fact 4 roundups
ICYMI the annual fact-checkers' shindig in Madrid, here's a look at what's going on around the world from Africa Check Nigeria editor David Ajikobi, FactsCan founder Dana Wagner, The Washington Post Fact Checker reporter Michelle Lee and Hitofumi Yanai on Yahoo Japan.

12 quick fact-checking links
(1) First Draft, the verification coalition, staffs up. (2) France Info is discontinuing its "Le Vrai du Faux" segment and journalist Antoine Krempf isn't sure whether to thank politicians for five years of material. (3) Who planted fake news in Qatar? (4) The Institute for Government hosted a talk on "Post-truth and what we can do about it." (5) Here are the numbers behind France's president Emmanuel Macron's controversial claim about African maternity rates. (6) Germany has a new fact-checker. (7) Can you tell which of these photos has been doctored? It's harder than it looks! (8) Building trust for fact-checking: Work in progress. (9) Is licensing journalists to fight fake news a bad idea or a good idea? (10) A new Oxford Internet Institute report looks at who is manipulating you on social media. (11) USAFacts releases its "State of the Facts" poll. (12) The Internet Archive TV News Lab launches Face-O-Matic, a Slack alert system for tracking U.S. political leaders.

The Week in Fact-Checking:

Wednesday, July 26, 2017

Trust Us: 'We've Got Nothing to Hide’

Extreme communism, like extreme capitalism, is a cancer that is very hard to treat.

He Investigated Dubious Firings for U.S. Then He Was Fired Bloomberg

People Voted Communist Because…

Italy had the largest communist party in Western Europe. Why did ordinary people vote communist? What did they believe in?
Trust Me Here’s why Sean Spicer left Washington’s worst job

Why the attack on the Polish judiciary is worse than you think

The Conversation: “…People don’t speak one universal language, or even a handful. Instead, today our species collectively speaks over 7,000 distinct languages. And these languages are not spread randomly across the planet. For example, far more languages are found in tropical regions than in the Cold River temperature zone ...

Solove, Daniel J., ‘I’ve Got Nothing to Hide’ and Other Misunderstandings of Privacy. San Diego Law Review, Vol. 44, p. 745, 2007; GWU Law School Public Law Research Paper No. 289. Available at SSRN:

“In this short essay, written for a symposium in the San Diego Law Review, Professor Daniel Solove examines the nothing to hide argument. When asked about government surveillance and data mining, many people respond by declaring: “I’ve got nothing to hide.” According to the nothing to hide argument, there is no threat to privacy unless the government uncovers unlawful activity, in which case a person has no legitimate justification to claim that it remain private. The nothing to hide argument and its variants are quite prevalent, and thus are worth addressing. In this essay, Solove critiques the nothing to hide argument and exposes its faulty underpinnings.”

A Four Corners investigation has confirmed that Mr Hanlon, Deputy Director General of the NSW Department of Primary Industries, did not approve a major operation targeting non-compliant irrigators in the north of NSW — an operation urged upon him by his own investigators after they collected evidence that billions of litres of water had been improperly pumped.
"I think that it was clear that there was no appetite for compliance anymore," said Jamie Morgan, who until midway through 2016 managed the department's Strategic Investigations Unit.

Trust goes to water

Vale Dr G - the Elcho Island Angelic Voice

It is understood the singer had been receiving dialysis and had been ill for some time. His family are expected to be offered a state funeral, News Corp reported.
The singer, from the remote community of Galiwin’ku on Elcho Island, 500 kilometres east of Darwin, was a founding member of the groundbreaking Yothu Yindi band before shooting to solo stardom in 2008, winning an ARIA Award for his namesake album.
The album hit triple platinum in Australia, silver in the UK and charted in multiple countries worldwide.
Dr Yunupingu was described by veteran music critic Bruce Elder as possessing “the greatest voice this continent has ever recorded”.
Musician G Yunupingu dies aged 46

ABC Tribute to Dr G Yunupingu: world famous indigenous musician


So Much Left to Give ....

Risk Taking and Infrastructure

The Benefits of Private Financing for Public Works NYT. Ka-ching

Ponemon Institute© Research Report, Challenges & Trends in Public Sector IT Operations: United States. DevOps fuels optimism despite declining confidence, July 2017
“Public sector organizations are feeling the pains of digital transformation. Faced with modernization, data center upgrades and continuous cloud-first initiatives, this transformation of the IT environment is making it a challenge to deliver services, comply with service level agreements (SLAs), meet citizens’ expectations and achieve organizational missions


Trump must eventually fire Robert Mueller, a partisan tool carrying water for his Establishment pals as he oversees an utterly corrupt “investigation” where the only person we actually know committed any wrongdoing is his bestest buddy Jim Comey. But Trump can’t just lash out and do it, though it is well within his political and moral right to do so. No, he’s got to do it cleverly, with cunning, in a way that shows the American people exactly why Mueller’s witch hunt is a flaming dumpster fire of conflicts of interest and contempt for the right of normal Americans to have a say in their own governance.

Up to us to restore faith: Albanese

Asset recycling story is 'getting through' to US, says IFM CEO Brett ...

The report shows the links between family members and their ownership of over 80 businesses in the country, often via anonymous shell corporations.

Many of these firms, which range from mining interests to hotels and telecoms, are the local subsidiaries of larger multinational companies. This raises some serious questions as to why these companies are doing business with such highly politically exposed people. Particularly when offshore companies are involved. 

These firms have also benefitted from contracts with organisations like the World Bank Group and the UN.

A graph mapping out the interests of the Kabila family can be found at Congo Research, along with a copy of the report.

Gov Info Security

A new study into the state of consumer routers by Carnegie Mellon University researchers is unsparing in its criticism: It's a market of lemons, and virtually all of the test models have security problems. That won't come as news to those in computer security, but it underscores the increasing warnings about the internet of things, the catch-all term for computer devices with internet connectivity. The researchers knew they were heading into a well-trod area, but they hoped their study "may provide clear metrics" about the 'lemon market' effect.

The Sydney CBD Is The Wrong Space For A 'Startup Hub'

First stage of WestConnex opens to public

Confidential NSW Government blueprint shows toll-road pollution ...

$900 million set aside for Urbangrowth and other infrastructure ...

In 20 years, what will they say about how Gladys spent the boom?

The ANAO remains alert to the external environmental factors that the Government faces, including the performance of the Australian economy; and the social and political environment. Fiscal constraint, greater contestability for service delivery and the ongoing implementation of the Government’s public sector agenda requires the public sector to continue evolving and seeking alternative models of service delivery that provide more cost-effective ways of delivering government services. - ANAO Corporate Plan 2017-2018

Canterbury racecourse rezoning a 'one-off opportunity', turf club ...

Italian fraudsters and mafia associates are having fun with the lack of regulations at the UK business registry Companies House, as well as the well-known poor language skills of the Brits.

It has been revealed that an alleged mafia money launderer used UK companies to help him move the proceeds of crime. 

The UK was chosen because of the extremely light touch regulatory environment which means that practically anyone can set up a company in no time at all. At the same time, the use of a UK company in a chain of companies can bestow an illusion of respectability on the group. 

Indeed, the Italians, it seemed, decided to test how far the UK's no-questions-asked culture went when filling out their forms.

Companies they set up had addresses like "0, Street of the 40 thieves". Companies were set up by people with fake names such as "the chicken thief" who put down their occupation as "fraudster". All of these titles were in Italian, but still you might think someone might have checked what the Italian for fraudster was?