
An interesting panel at KU, but fortunately it is being streamed (see link at bottom). Note that the time is Central.

DATA & DEMOCRACY

Data & Democracy: What is Free Speech in the Age of Social Media?

7:00pm (CDT) Tuesday, March 25 | The Commons

Frank LoMonte – Executive Director, Student Press Law Center
Amy Gajda – Associate Professor of Law, Tulane University Law School
Stephen R. McAllister – E.S. & Tom W. Hampton Distinguished Professor of Law, University of Kansas School of Law
Moderator, Deanell Reece Tacha – Duane and Kelly Roberts Dean of the School of Law, Pepperdine University (formerly of 10th Circuit Court of Appeals)
Sponsored by The Commons, the School of Journalism, and the Office of the Provost

Amid a changing social landscape of connectivity and communication, the legal and societal landscape of what is meant by ‘free speech’ may be shifting as well. The First Amendment guarantees free speech, but what are the substance and forms of that protection in the age of social media?

As the use of social media in daily life grows exponentially, we consider what free speech and privacy mean in an era of immediate and unfettered access to wide dissemination, and whether there are new rules that characterize social engagement and free expression today.

A live feed of the event will be available here: http://www.thecommons.ku.edu/FreeSpeech/.
Questions may be submitted via Twitter using #DataDemocracy.

We have met the artisans….

February 2nd, 2014


IT workers note:

“It wasn’t work. We were making art. Steve insisted that we sign our names on a piece of paper with a Sharpie [pen] and he engraved it on to the mould [inside of the case of the first production run] so all of our signatures would be on it. And the reason is: real artists sign their work and they’re proud of it.” – Bill Atkinson, a member of the original Apple Mac team.

We may complain at times that we are called upon to be either heroes or artisans – let’s stop complaining about it and embrace the truth.

Discover Phish

January 29th, 2014


No – this isn’t a post about marine life. For the last week we’ve been hearing from people who are receiving malicious emails, apparently from Brandeis email accounts, asking the recipient to log in for important information about his or her Discover card. This is known as phishing, and you can find information on phishing on the LTS website. The email looks like this:


[Image: screenshot of the Discover phishing email]

Most of these are going to folks outside of the university – several people who have no connection to Brandeis have called or emailed us to report them (very thoughtful and kind individuals), and some have gone to faculty, staff, and students on campus (around 50 at last count). A couple of things to note:

  • These are not actually being sent from Brandeis accounts – the From address on an email is trivial to forge, so a message can be made to look like it came from any address.
  • You can look at the actual sending address (in Gmail) by selecting “Show original”, which displays the full headers, including the envelope sender (Return-Path) and the Received chain that records which server actually handed the message in:

    [Image: Gmail “Show original” view of the message headers]

  • You’ll also note that by hovering your mouse over the link they want you to log in at, the actual URL is pretty suspicious: in this case “http://xxxxxtsg.com/tmp/asisin.php” (I’m blanking out some of the URL intentionally – note that it’s not discover.com!)
  • Finally, the language is awkward, and for what it’s worth a credit card company will never send a message like this – they’ll call you if they see suspicious activity on your account. And note that neither LTS nor any other Brandeis unit will ever email you asking for your password.

If you get any email that you think is suspicious, either forward it to security@brandeis.edu or, better yet, simply delete it. And don’t forget to check out the more detailed information on our LTS Phishing pages and/or the Brandeis Technology Forum, which often has information about current phishing emails the community is seeing.
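The two header-level checks above (does the real sending path match the address the mail client shows, and do the links go where the message claims) can be automated. The following is an added example, not code from the original post or from LTS; the message it parses is constructed for illustration and every hostname in it is a placeholder rather than the real phishing site.

```python
"""Triage a raw email for the tells described above: a spoofed From address
and a login link that does not point at the brand it claims to be.

Added example, not code from the original post. The message below is
constructed for illustration; every host in it is a placeholder.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample. The header From claims a brandeis.edu sender, but the
# envelope sender (Return-Path) and the first Received hop are a third-party
# host, and the "log in" link points somewhere other than discover.com.
SAMPLE_EML = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10])
        by mx.example.org (Postfix) with ESMTP id 4F2A1
        for <someone@example.org>; Wed, 29 Jan 2014 09:12:31 -0500
From: "Discover Card" <staff@brandeis.edu>
To: someone@example.org
Subject: Important information about your Discover card
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your Discover card need urgent attention. Please
<a href="http://login-verify.example.net/tmp/update.php">log in</a>
to review your account.</p>
<p>Regards, <a href="https://www.discover.com/">Discover</a></p>
</body></html>
"""

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"', re.IGNORECASE)


def _domain(addr):
    """'Name <user@host>' -> 'host', lowercased ('' if there is no address)."""
    return parseaddr(str(addr or ""))[1].rpartition("@")[2].lower()


def _in_domain(host, domain):
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)


def sender_domains(msg):
    """(header From domain, envelope sender domain): the first is what the
    mail client shows, the second is what 'Show original' reveals."""
    return _domain(msg["From"]), _domain(msg["Return-Path"])


def first_hop(msg):
    """Host named in the earliest Received header (the last one in the message)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.match(r"from\s+(\S+)", str(received[-1]).strip())
    return m.group(1) if m else None


def off_brand_links(msg, brand_domain):
    """Links in the HTML body whose host is not under brand_domain."""
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return [url for url in HREF_RE.findall(html)
            if not _in_domain(urlparse(url).hostname, brand_domain)]


def triage(raw, brand_domain="discover.com"):
    """Return a list of human-readable findings; an empty list means no tell fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    shown, envelope = sender_domains(msg)
    if shown != envelope:
        findings.append(f"From shows {shown!r} but envelope sender is {envelope!r}")
    hop = first_hop(msg)
    if hop and not _in_domain(hop, shown):
        findings.append(f"first Received hop {hop!r} is not a {shown!r} host")
    for url in off_brand_links(msg, brand_domain):
        findings.append(f"link {url!r} does not go to {brand_domain}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("-", finding)
```

A From/Return-Path mismatch on its own is not proof of phishing (mailing lists and bulk-mail providers do this legitimately), which is why the check also looks at the first Received hop and at where the links actually point; on real mail, the Authentication-Results header (SPF and DKIM verdicts) added by the receiving server is the next thing to read.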

Quote of The Day

January 26th, 2014


As Marianne Cooper observes in the Harvard Business Review, “High-achieving women experience social backlash because their very success— and specifically the behaviors that created that success—violates our expectations about how women are supposed to behave.”

Knock knock knock

January 24th, 2014


I was once asked by an executive, “So, what would we do if we were subject to a cyberattack?” What I was really being asked was “Are we prepared for a cyberattack, and if not, what do we need to do to be ready?”, which is exactly the right question to ask your security staff. What they didn’t realize is that we (and by we I mean everyone) are under continuous cyberattack from the Internet. Granted, a lot of that activity is fairly mindless scanning – but here’s a lovely little example of what goes on pretty regularly.

[Image: chart of failed SSH login attempts against the campus shell server]

So what is this? This chart displays all of the failed attempts to log into the campus shell server (think secure command line if you don’t know what a shell is) for a period of ~22 minutes this morning (1:06:49 am to 1:28:02 am, 283 attempts) from a single location in Guangzhou China.

[Image: source location of the SSH login attempts]

What I wanted to point out to the non-IT professional is that this isn’t an “attack” in the sense that someone is probing a machine for unpatched software – whoever is behind this is attempting to log into the server by trying a variety of “guessable” account names, probably with a variety of empty or default passwords. In total 184 different usernames were tested. These range from the typical (root, oracle, visitor) to common first names (matt, samuel, and sarah) to the less biblical (panorama, newsletter, and zxin). The attackers hope to find an account they can log in with and from there launch a further, more penetrating attack on the campus and its infrastructure.

The moral of the tale is that if you are responsible for setting up any computing equipment (software or hardware, including your home wireless router) – you really must change the default password for any accounts delivered with your system. You never know who’s knocking on your door at 1 in the morning.
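The pattern described above (many failures, many different usernames, one source address, a short time window) is easy to pull out of sshd’s log. The following is an added example, not code from the original post; the log lines and the addresses in them are constructed for illustration (RFC 5737 test ranges), and the thresholds are assumptions to be tuned for your own server.

```python
"""Spot a password-guessing run against sshd in auth.log, as described above.

Added example, not code from the original post. The log lines and the
addresses in them are constructed for illustration (RFC 5737 test ranges).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source cycles through guessable usernames while a
# legitimate user fat-fingers a password once from another address.
SAMPLE_LOG = """\
Jan 24 01:06:49 shell sshd[2100]: Failed password for invalid user oracle from 203.0.113.7 port 51234 ssh2
Jan 24 01:06:52 shell sshd[2101]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 24 01:07:01 shell sshd[2102]: Failed password for invalid user matt from 203.0.113.7 port 51244 ssh2
Jan 24 01:07:05 shell sshd[2103]: Failed password for invalid user panorama from 203.0.113.7 port 51250 ssh2
Jan 24 01:09:30 shell sshd[2110]: Accepted publickey for alice from 198.51.100.20 port 40022 ssh2
Jan 24 01:12:11 shell sshd[2115]: Failed password for alice from 198.51.100.20 port 40030 ssh2
"""

# sshd writes "invalid user" when the account does not exist at all.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines, year=2014):
    """Return (timestamp, source ip, username) for each failed-password line.
    Syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def find_bruteforce(events, window=timedelta(minutes=30), min_attempts=3, min_users=2):
    """Per source address, slide a time window over its failures and report the
    densest window that has both enough attempts and enough distinct usernames.
    Requiring several usernames separates guessing runs from one user's typos."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    alerts = []
    for ip, attempts in by_ip.items():
        attempts.sort()
        best, start = None, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u in chunk}
            if len(chunk) >= min_attempts and len(users) >= min_users:
                if best is None or len(chunk) > best["attempts"]:
                    best = {"ip": ip, "attempts": len(chunk), "usernames": sorted(users),
                            "first": chunk[0][0], "last": chunk[-1][0]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(parse_failures(SAMPLE_LOG.splitlines())):
        span = (alert["last"] - alert["first"]).total_seconds()
        print(f"{alert['ip']}: {alert['attempts']} failures, "
              f"{len(alert['usernames'])} usernames in {span:.0f}s: {alert['usernames']}")
```

The run in the post (283 attempts across 184 usernames in about 22 minutes from one address) would trip this on the first handful of lines. The same idea is what tools such as fail2ban implement; the stronger fix on a shell server is to turn password authentication off in sshd entirely (`PasswordAuthentication no`), at which point guessed passwords are worthless regardless of how weak the accounts are.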

This is not security

January 20th, 2014


I wish this were simply malicious. But it’s ignorance (or at best, marketing trumping common sense). From the website of the new Canary home security system:

4b: How secure is it?

We use bank-level security. All communication between your Canary, the Canary Cloud and your smart phone is encrypted over SSL (HTTPS). Video and audio are stored and encrypted using AES-256 bit encryption. You decide how long you want to store sensor data, if at all.

The fact that your data is transmitted via SSL is important, but it is so basic that it’s almost akin to saying “the new Toyota now comes with a brake!” While it’s a good thing they’re encrypting your data while it’s stored (known as “data at rest”), it’s also no panacea – when and how data is encrypted, and above all who holds the key, is more nuanced than that. For example, if my laptop hard drive is fully encrypted but the key is protected by a weak, guessable password, the encryption is of no value whatsoever. Don’t get me wrong, I’m glad to see they’re doing this, but really assessing a vendor’s security isn’t easy. Over the last 6 years, it’s safe to say that evaluating third-party services has consumed more of my time (as a security professional) than any other activity. Many of my peers say the same thing.
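To make the laptop analogy concrete: when the encryption key is derived from a password, an attacker never attacks AES-256 at all; they guess the password and let the key derivation function hand them the key. The block below is an added illustration of that, not code from the original post and not a description of Canary’s design; the key-check construction, KDF cost and wordlist are assumptions chosen so it runs in a moment.

```python
"""Why 'AES-256 at rest' says nothing on its own: if the key is derived from a
guessable password, the attacker guesses the password, not the key.

Added example, not code from the original post and not a model of any
specific product. The KDF parameters and the wordlist are illustrative.
"""
import hashlib
import hmac
import os

CHECK_LABEL = b"key-check"


def derive_key(password, salt, iterations):
    """PBKDF2-HMAC-SHA256: the standard way to turn a password into a 256-bit key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def make_volume(password, iterations=10_000):
    """Model a stored encrypted-volume header: a random salt, the KDF cost, and a
    key-check value the decryptor uses to tell a right password from a wrong one.
    (Real formats store something equivalent, e.g. an encrypted known block;
    this is an assumed stand-in, not any product's format.)"""
    salt = os.urandom(16)
    key = derive_key(password, salt, iterations)
    check = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlock(volume, password):
    """Return the 256-bit data key if the password is right, else None."""
    key = derive_key(password, volume["salt"], volume["iterations"])
    candidate = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return key if hmac.compare_digest(candidate, volume["check"]) else None


def dictionary_attack(volume, candidates):
    """Try each candidate password; return (password, guesses) or (None, guesses).
    The 256-bit key never matters: the work is len(wordlist) x KDF cost, and a
    leaked-password list puts a common password within the first few entries."""
    for n, candidate in enumerate(candidates, 1):
        if unlock(volume, candidate) is not None:
            return candidate, n
    return None, len(candidates)


# Constructed wordlist standing in for the top entries of a leaked-password list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "canary", "welcome1"]


if __name__ == "__main__":
    vol = make_volume("welcome1")
    print("recovered:", dictionary_attack(vol, WORDLIST))
```

Raising the PBKDF2 iteration count makes each guess cost more, but it only scales the loop; what actually removes the attack is keeping the data key off a human-chosen password altogether (a random key held in a hardware key store or wrapped by the device rather than by the user's password), which is the sort of detail “AES-256 bit encryption” on a FAQ page does not tell you.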

If you really want to dive into the nitty-gritty of vendor assessments, feel free to drop by to discuss it, but a great starting point is the excellent work being done by the good people at the Cloud Security Alliance.

A Fantasy University League

January 19th, 2014


So all weekend I’ve been enamored with the notion of a fantasy University league along the lines of a fantasy sports league (full disclosure, the only fantasy sports league I’ve ever joined was professional bass fishing – truly I joined only to annoy my friends who were/are avid fantasy baseball fanatics).

Instead of forming a team, you’d form Colleges (and eventually Departments); instead of recruiting a pitcher, perhaps you’d build a startup package to recruit a top physicist or string quartet. A fully fleshed out game would allow you to manage an endowment and alumni, and be loosely coupled to the actual economy of the location where your ‘team’ was based. Ideally your “team” (aka faculty) would benefit as real faculty published papers, books, or won awards. A dynamic system would scour online services for publications or grants (“Why so chipper today, Mike?” “Professor Mendelssohn got an NSF grant! I’m sure to climb the US News rankings!”).

Of course, a real University is so much more than the academic success of its faculty – the modern University isn’t merely a business or a school, it’s a municipality with banking functions, a police force, housing, a variety of IT services, and sometimes, I hear, athletics. What we’re really talking about here is a modeling effort, which sounds to me like a really fascinating student project.


I remember a meeting on national security with an unnamed three-letter agency, where the conversation revolved around international access to intellectual property. Obviously protecting our IP is a good thing. However, here’s a quick snapshot of the country of origin for logins to Brandeis systems in the last 24 hours.

[Image: chart of logins to Brandeis systems by country of origin, last 24 hours]

This isn’t to say that all of these represent a student or faculty member from the listed country. Some are individuals doing field work, collaborating at other institutions, or traveling through the listed country – and some are probably malicious logins from compromised accounts. But it’s a nice illustration of how borderless a University is these days.


Factoid of the Day – Email

January 15th, 2014


On average, around two thirds of the email sent to the Brandeis community is spam or phishing. This is a remarkable number, though by no means exceptional – many Universities see a reject rate of nearly 90%, with even higher peaks.

[Chart: delivered vs rejected email, 24 hours]

FWIW, educational communities continue to be the top target for spam globally (though not for phishing).

[Image: top targets of spam by sector]

So why is this interesting? Most people who don’t work in IT find it surprising that such a high percentage of the email coming to campus is simply rejected out of hand (though to be fair, this is a smaller percentage than the physical mail I get at home that gets immediately tossed into the recycling).

At first blush it seems a bit odd that educational institutions would be so highly targeted – I’d like to think that our better educated population would make poor targets for spam and phishing – but in all likelihood this reflects the huge online footprint of our student populations. Most spammers aren’t really that sophisticated – it’s the professional phishing outfits that are scary.

But today’s factoid is a window on IT costs. Email, despite being the engine that powers so much of our operation, is a commodity. Google alone provides over 400 million accounts worldwide. Brandeis, like so many others, shifted email out to Google not solely because Google Apps and Gmail are so good – there’s also the promise that they’ll be cheaper. For the most part they are, yet as the chart shows we still need to devote resources to filtering, scanning, and basically cleansing the email stream to stop both the merely annoying and the truly malicious. This investment allows the community to focus on learning, teaching, research, and social engagement rather than spending half our day deleting 60% of our email, and it lowers the risk that a malicious email message will result in a loss of personal or University information.