STE WILLIAMS

K-12 Study Gives Schools Low Marks for Protecting Student Privacy Online

Survey says local school districts and education departments lack even the most basic safeguards.

A new study released today by EdTech Strategies found that the websites of leading state education departments and local school districts lack even the most basic online security and privacy protections.

Douglas Levin, president of the Arlington, Va., consulting group, says his study comes out in the context of an intense discussion the past several years about the online privacy of students.

“We need to protect students, but in many ways that is too narrow a focus,” Levin says. “Keep in mind that technology is used at school districts for human resources, food, health and transportation, and it is also used by educators and parents.”

Levin based the study on automated and manual reviews of the 50 state department of education websites and the websites of 159 K-12 school districts nationally. The study, “Tracking EDU: Education Agency Website Security,” was conducted from October 2017 to January of this year.

Here are some highlights from the study:

Lack of secure browsing. Most state and local education websites do not support secure browsing, which puts both schools and website users at risk. At least 12 states offer no HTTPS support for secure browsing: Arkansas, Connecticut, Kansas, Maryland, Mississippi, Nevada, New Mexico, Oklahoma, Rhode Island, Vermont, Virginia, and Washington.

Widespread use of tracking cookies. Virtually every state and local district (158 out of 159 tracked) has partnered with online advertising companies to deploy sophisticated user tracking and surveillance on their websites. Many states and the vast majority of local school district websites do not disclose the presence and nature of this ad tracking and user surveillance, or the mechanism for how users can opt out of these data collections.

Absence of privacy policies. Nearly 15% of state department of education websites do not publish a privacy policy of any kind. Of the 43 state agencies that publish a privacy policy, only 32 disclosed the use of ad tracking or surveillance cookies.

Noncompliance with Google terms of service. Despite the near-universal deployment of Google Analytics on state and local education websites, only four state and two local school district websites were found in compliance with Google’s terms of service, which require specific privacy-related disclosures by its customers to their users, including what data is collected and how users can opt out.

Moving forward, Levin says K-12 state departments of education and school districts should consider deploying HTTPS to offer more secure web browsing, and find ways to notify users of the presence of ad trackers. He says the websites posted by the states of Maine and Utah demonstrate that state and local agency websites can offer meaningful experiences to parents, educators and other stakeholders, with privacy, without resorting to invasive and undisclosed ad tracking. Maine, for example, does not record personal information without the user’s permission.

Follow this link for a more complete list of action items.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/operations/k-12-study-gives-schools-low-marks-for--protecting-student-privacy-online-/d/d-id/1330952?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Passwords: 4 Biometric Tokens and How They Can Be Beaten

Authentication security methods are getting better all the time, but they are still not infallible.

Passwords present many security concerns. Users still choose short and obvious passwords or use the same ones across all their accounts. Meanwhile, the organizations we trust to safeguard our data often suffer breaches and end up losing millions of customer credentials. All this results in an authentication standard we can’t trust.

But don’t fret yet! Passwords aren’t the only possible factor for authentication. You can use many other factors to identify yourself, including digital certificates, hardware tokens, and biometrics. Right now, biometrics are in vogue, primarily because they’re more convenient. Rather than having to remember a hundred different, long passwords, isn’t it great to just push your finger against a sensor, or look at your computer or phone to log in? As you’ve probably noticed, this seems to be the future of authentication, with new examples like Microsoft’s Hello and Apple’s FaceID.

But do biometrics really solve all our authentication security problems?

I would say no. While biometrics are fairly accurate, they’re not infallible. Over the years, hackers and researchers have beaten biometric solutions many times. Let’s look at the top four biometric hacks from the past.

1. Gummy Bears Beat Up Fingerprint Readers
When you think biometrics, you probably think fingerprints. Fingerprint readers were one of the first forms of biometrics used in computing, and they’re pretty ubiquitous today. However, they were also one of the first biometrics that researchers figured out how to defeat on the cheap.

In 2002, a researcher named Tsutomu Matsumoto shared how to defeat fingerprint readers with plain old gummy bears. Matsumoto pulled prints from a glass using the same techniques as law enforcement, and then used the prints to make a finger out of the gummy materials. With a little work, many of these crafty creations tricked the fingerprint sensors.

Of course, over time biometrics have become more advanced. Modern sensors read at higher resolutions or look for new factors such as heat or heartbeat. However, the techniques researchers use to defeat them have also evolved. In 2013, the Chaos Computer Club defeated the iPhone’s TouchID reader shortly after its release. Even more recently, researchers hacked fingerprint readers with paper and glue.

While I love that fingerprint readers have made accessing our smartphones easier, we can’t totally trust them yet.

2. Faking Out Iris Scanners
We’ve all seen fancy iris scanners in the movies, but these eye-based biometrics don’t just exist in fiction.

Unfortunately, they’re no more foolproof than fingerprint readers. In 2012, researchers shared how they could bypass iris readers with replica images of irises. The most interesting aspect of this research was how they replicated the fake irises based on the iris data stored in the biometric system’s database. In the same way that password database leaks result in hacked passwords, an iris database breach could result in fooled eye scanners.

3. Paper Faces Fool Facial Scanners
The latest hot trend in biometrics is facial scanning. With features like Microsoft’s Hello, you can unlock your computer or phone by looking at it. This sounds like a usability dream, but it’s still trivial to beat.

Back in 2011, a blogger and researcher quickly learned that you could easily fool Android facial scanners with a still picture. You take a still picture of yourself, show it to the phone, and voila, you’re in. To vendors’ credit, they updated their facial scanner technology to perform “liveness” checks, looking for some sort of motion to make sure the face looking at the camera was a real person. Unfortunately, a Photoshopped blink could bypass that new check. Just by editing your eyes closed and then switching between two still photos, you could get past those early liveness checks. The good news is that facial recognition is still evolving.

4. 3-D Printers Crack 3-D Facial Scanners
In 2017, Apple released a new facial scanning feature called FaceID. On the surface, the user’s experience is like any other facial reader. However, underneath the phone’s glass is technology that should make facial recognition much more accurate and hard to beat. Essentially, the phone includes a sensor (TrueDepth) that sends out thousands of infrared beams of light, which accurately map your face. This allows the phone to store a kind of 3-D digital representation of your face, which it can recognize from many angles. Apple reinforces this feature with machine learning, which can recognize you even when you wear hats, glasses, or other accessories that might confuse classic facial scanners.

All this should make facial biometrics pretty bulletproof, and it does make it stronger. However, about a week after Apple released FaceID, a Vietnamese security group claimed to have cracked it. The hack required a 3-D printer, 2-D infrared images of eyes, stone powder, and lots of handcrafting to create a mask that could fool FaceID. To be fair, no other research group (to my knowledge) has independently verified this attack yet.

I suspect we might see updates that make it harder to fool, but so far both 2-D and 3-D facial scanning are not perfect.

It may seem I’m painting a bleak picture for the future of biometrics, but that’s not true. Biometric vendors are learning from these mistakes and will add new features that make their systems more robust. Meanwhile, new biometrics options continue to emerge, such as heartbeat, typing cadence, and even brain waves.

History has shown us that motivated attackers can find a way to copy, steal, or bypass the factors they need. If we rely on biometrics alone, we’ll likely suffer the same types of issues passwords have experienced. Only now, when a hacker replicates your fingerprint or face, you can no longer use it for authentication.

Biometrics will play an important role in the future of authentication. However, no authentication token is infallible. Rather than depending entirely on some new form of advanced biometrics, the safest course of action is to implement multifactor authentication — using more than one factor — for anything you want to secure.

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, …

Article source: https://www.darkreading.com/operations/passwords-4-biometric-tokens-and-how-they-can-be-beaten/a/d-id/1330939?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

My cryptocoin startup vanished and all I got was this lousy penis

Putting the tracking and product manufacturing of fruits and vegetables onto blockchain technology.

No, I don’t know what that means either. But this was the sales pitch that Lithuanian cryptocoin startup Prodeum handed its investors before it exit-scammed, leaving just one thing behind: the word “penis” on its website.

After briefly leaving that one word as a goodbye, the website reportedly switched to redirecting to an anonymous Twitter account. As of Tuesday evening, the domain linked to a Los Angeles-based registrar called Namecheap where it was recently registered.

Well, that makes sense: there’s a lot of produce grown in California, and the losses incurred in this scam were not, allegedly, “millions.” Rather, it sounds like they were pretty lowball.

Pretty lowball as in, $11.

According to Business Insider, that’s how much Prodeum raised in an online fundraiser before it blinked out of existence on Sunday.

Three blockchain experts listed as team members or advisors on Prodeum’s TokenDesk fundraising page – Darius Rugevicius, Vytautas Kaseta, and Mario Pazos – told BI that they’re victims of identity theft and have nothing to do with Prodeum, which was on the Ethereum blockchain.

Before it went away on Sunday, Prodeum tried an unregulated fundraising technique with a dodgy reputation called an initial coin offering (ICO). ICOs are used by blockchain companies: cryptocurrencies like Bitcoin and Ethereum are used to purchase “tokens” from a startup, and if the company takes off, they’ll theoretically be worth something.

Somebody claiming to be the scammer behind Prodeum posted about making $3,000 with the produce scam and $50,000 total with two other ICOs, Bitflur and Magnalis.

The writer asked for forgiveness but advised readers that “all ICOs are scams.”

Well, thanks a lot for the advice, you lousy fruit and vegetable crook! You took the money and left us with nothing but an eggplant.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/al4rEZg1C8Y/

Ban Facebook Messenger for Kids, urge children’s health advocates

Social media can be bad for you, admits “yea, we did it anyway” Facebook.

Technology glitterati are shunning it like it’s a cyber roach motel with psychological bedbugs.

Facebook founder Mark Zuckerberg’s made it his yearly personal goal to scrub out hate/abuse/political machination/depression-spawning. So how does Facebook kick off this year of change?

…It rolls out Messenger for Kids, aimed at children between the ages of six and 12 who would otherwise be (technically, per Facebook policy) banned from becoming Facebook users.

Great. Or instead, how about NO??!!??, the Campaign for a Commercial-Free Childhood (CCFC) has suggested to Zuckerberg.

The tall glass of Nope was suggested in a letter on Tuesday. In it, the CCFC asked Zuckerberg to axe Messenger for Kids, regardless of the fact that the app is advertising-free.

The coalition of 97 child health advocates cited “a growing body of research [that] demonstrates that excessive use of digital devices and social media is harmful to children and teens” and that the app is likely to “undermine children’s healthy development.”

We are writing to urge you to discontinue Messenger Kids, Facebook’s first social media app designed specifically for children under the age of 13. Given Facebook’s enormous reach and marketing prowess, Messenger Kids will likely be the first social media platform widely used by elementary school children.

The letter was signed by individuals and 19 nonprofits including Common Sense Media, Campaign for a Commercial-Free Childhood, and Parents Across America. They cited recent studies that link increased depression, poor sleeping habits, and unhealthy body image in children and teens with higher use of social media and digital devices.

Younger children are simply not ready to have social media accounts. They are not old enough to navigate the complexities of online relationships, which often lead to misunderstandings and conflicts even among more mature users. They also do not have a fully developed understanding of privacy, including what’s appropriate to share with others and who has access to their conversations, pictures, and videos.

In spite of such findings, when Facebook launched Messenger for Kids in December, it told TechCrunch that it had hired a special team to build tools for kids – such as fidget spinners, dinosaur-augmented reality (AR) masks, and crayon-style stickers – that would keep them engaged with the app for longer than they could manage if Facebook weren’t tinkering with their brains.

TechCrunch quoted Facebook’s head of Messenger, David Marcus:

Video calls become so much more playful with AR. Sometimes after five or ten minutes it’s really hard to have a sustained conversation with a 7-year-old.

Imagine that. 7-year-olds find it difficult to glue their butts to their seats. Sheesh! What would they rather do, go outside and get exercise? Talk to somebody in the flesh?

As Wired notes, the CCFC’s letter adds to the pile of growing concern about the impact of technology on our minds and bodies. Wired cited a public letter written in January by two major Apple shareholders who cited some of the same studies as the CCFC. They asked Apple to address the potentially negative effect of smartphone usage on children, including funding research and building better tools for parents.

Some of the findings they cite:

  • Eighth graders who are heavy users of social media have a 27% higher risk of depression, while those who exceed the average time spent playing sports, hanging out with friends in person, or doing homework have a significantly lower risk.
  • US teenagers who spend three hours a day or more on electronic devices are 35% more likely, and those who spend five hours or more are 71% more likely, to have a risk factor for suicide than those who spend less than one hour. (This finding comes from the research of Professor Jean M. Twenge, psychologist at San Diego State University, who is also a co-signer of the CCFC’s letter to Zuckerberg.)
  • Teens who spend five or more hours a day (versus less than one hour) on electronic devices are 51% more likely to get less than seven hours of sleep (versus the recommended nine hours). Sleep deprivation is linked to long-term issues like weight gain and high blood pressure.
  • A study by UCLA researchers showed that after five days at a device-free outdoor camp, children performed far better on tests for empathy than a control group.

In its letter, the CCFC also noted Facebook’s rocky road over the past year, including increased scrutiny over its dissemination of fake news; the revelation that it had researched how to target teens as young as 14 when they feel “worthless;” how it’s allowed advertisers to discriminate based on age and race; and how it’s enabled advertisers to target messages to racists and anti-Semites.

Mark Zuckerberg has pledged to “do better.” The CCFC knows exactly how he can do that: he can instruct Facebook to leave young children alone, leaving them to “develop without the pressures that come with social media use.”

In short, Mr. Facebook president, tear down that app:

Raising children in our new digital age is difficult enough. We ask that you do not use Facebook’s enormous reach and influence to make it even harder. Please make a strong statement that Facebook is committed to the wellbeing of children and society by pulling the plug on Messenger Kids.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ui7g7GHxeLM/

Bitcoin payments used to unmask dark web users

Researchers have discovered a way of identifying those who bought or sold goods on the dark web, by forensically connecting them to Bitcoin transactions.

It sounds counter-intuitive. The dark web comprises thousands of hidden services accessed through an anonymity-protecting system, usually Tor.

Bitcoin transactions, meanwhile, are supposed to be pseudonymous, which is to say visible to everyone but not in a way that can easily be connected to someone’s identity.

If you believe that putting these two technologies together should result in perfect anonymity, you might want to read When A Small Leak Sinks A Great Ship to hear some bad news:

Bitcoin lacks retroactive operational security, which means historical pieces of information could be used to identify a certain user.

Which is to say, every Bitcoin transaction that has ever happened exists as a public record, or ledger, that links addresses sending and receiving cryptocurrency.

The task, then, was to find a way to connect these transactions to the online identities of the people responsible for them.

Not easy, you’d assume, but a big weakness of Bitcoin, the dark web, indeed of the whole notion of anonymity on the internet turns out to be the careless way people use social media and specialist forums.

First, researchers trawled 1,500 hidden services on the dark web, from which they managed to uncover 88 active Bitcoin addresses from public data on their landing pages (an address being a single-use token hashed from the owner’s public key).

The same principle was used to uncover 4,100 Bitcoin addresses carelessly advertised on Twitter (from 5bn tweets) and 41,000 (from 1m pages) on the popular BitcoinTalk Forum.

Armed with two sets of Bitcoin addresses – one from the dark web, the second from the public domain – the researchers set out to connect them, first by using a statistical technique called wallet closure to reliably group lots of transactions to individual wallets.

Thanks to the architecture of the Bitcoin ledger:

If any address of a user is found as an input in any transaction where a hidden service address appears as an output, then the user has a relationship with that hidden service, and thus, a link is established.

This revealed 125 identities that had used dark web services, including WikiLeaks (46 identities), Silk Road (22), the Snowden Defense Fund (11) and The Pirate Bay (10), among others.
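To make the two-step linkage concrete, here is an added toy implementation that is not code from the paper or the article. It runs over constructed, hypothetical addresses and transactions, simplifies wallet closure to the common-input-ownership heuristic (all inputs of one transaction are assumed to be spent by the same wallet, merged transitively), and then checks whether any address in a published identity’s closure appears as an input to a transaction paying a hidden-service address; all address, identity and service names are made up.

```python
"""Toy model of the linkage the article describes (added illustration, not the
paper's code): wallet closure via common-input ownership, then a search for
closure addresses that fund hidden-service addresses."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# A transaction is (input addresses, output addresses).
Tx = Tuple[List[str], List[str]]


class UnionFind:
    """Disjoint-set structure used to merge co-spent addresses into one closure."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, a: str) -> str:
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def wallet_closures(txs: Iterable[Tx]) -> Dict[str, Set[str]]:
    """Group input addresses into closures: every input of one transaction is
    assumed to belong to the same wallet, and groups merge transitively."""
    uf = UnionFind()
    for inputs, _ in txs:
        for addr in inputs:
            uf.union(inputs[0], addr)
    groups: Dict[str, Set[str]] = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return dict(groups)


def closure_of(addr: str, closures: Dict[str, Set[str]]) -> Set[str]:
    """Return the closure containing addr (a singleton if it was never co-spent)."""
    for members in closures.values():
        if addr in members:
            return members
    return {addr}


def link_users_to_services(
    user_addrs: Dict[str, str],      # address advertised on a profile -> identity
    service_addrs: Dict[str, str],   # address on a landing page -> hidden service
    txs: List[Tx],
) -> Dict[str, Set[str]]:
    """Return identity -> hidden services that some address in its closure paid.
    This is the rule quoted in the article: a user address as an input of a
    transaction whose outputs include a hidden-service address is a link."""
    closures = wallet_closures(txs)
    identity_of: Dict[str, str] = {}
    for addr, ident in user_addrs.items():
        for member in closure_of(addr, closures):
            identity_of[member] = ident
    links: Dict[str, Set[str]] = defaultdict(set)
    for inputs, outputs in txs:
        paid = {service_addrs[o] for o in outputs if o in service_addrs}
        if not paid:
            continue
        for addr in inputs:
            if addr in identity_of:
                links[identity_of[addr]].update(paid)
    return dict(links)


# Constructed, hypothetical ledger: address and service names are made up.
SAMPLE_TXS: List[Tx] = [
    (["A1", "A2"], ["X9"]),        # A1 and A2 co-spent -> one wallet
    (["A2", "A3"], ["X8"]),        # A3 joins the same closure
    (["A3"], ["HS_svc1", "A4"]),   # the closure pays hidden service svc1
    (["B1"], ["HS_svc2"]),         # B1 pays svc2 directly
    (["C1"], ["X7"]),              # C1 never touches a hidden service
]
# Constructed public-profile addresses (forum/Twitter) and landing-page addresses.
SAMPLE_USERS = {"A1": "alice_forum", "B1": "bob_twitter", "C1": "carol_forum"}
SAMPLE_SERVICES = {"HS_svc1": "svc1.onion", "HS_svc2": "svc2.onion"}

if __name__ == "__main__":
    for ident, services in link_users_to_services(
        SAMPLE_USERS, SAMPLE_SERVICES, SAMPLE_TXS
    ).items():
        print(ident, "->", sorted(services))
```

Only links visible on the public ledger are found: an address that was never co-spent with a published one, or a payment routed through a mixing service, stays unlinked, which is the limitation the article’s caveats describe.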

De-anonymising these online identities depended on how much information individuals had revealed online but in many cases led to named people in a range of countries.

The researchers concluded:

Bitcoin addresses should always be assumed compromised as they can be used to deanonymize users.

A few caveats

A lot of what the researchers uncover in this study relates to individuals using Bitcoin and the dark web in its early days between about 2010 and 2015 when users were naïve about the anonymity Bitcoins offer. Apparently, none of these individuals made any attempt to hide transactions using Bitcoin laundering services.

Anyone who was aware of the need to obscure transactions, or was careful to use fake online identities not traceable to personally identifiable information (PII), would be safe from this technique.

The number of real people they were able to identify is also incredibly small relative to the volume of Bitcoin transactions heading to or out of the dark web addresses identified.

Nevertheless, given the privacy limitations of Bitcoin, one at least begins to get some sense of what might be driving some dark web users (including criminals) to newer and hypothetically more anonymity-preserving cryptocurrencies such as Monero.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/T02GgqcHXoc/

Forget cyber crims, it’s time to start worrying about GPS jammers – UK.gov report

The UK must reduce the dependency of its critical infrastructure and emergency services on GPS technology to mitigate against the potentially disastrous impact of signal jamming, a government report has warned.

In a foreword to the long-awaited doc from the Government Office of Science, Cabinet Office minister Oliver Dowden said global navigation satellite systems (GNSS) are often described as an “invisible utility”. He said: “It is in our national interest, as this report makes clear, that we recognise the precise nature and extent of our dependence on GNSS.

“We must take steps to increase the resilience of our critical services in the event of GNSS disruption, including by adopting potential back-up systems where necessary,” he wrote in The Satellite-derived time and position: A Study of Critical Dependencies report (PDF).

Last year the government warned the UK stands to lose £1bn per day in the event of a major disruption to GPS. In 2016 it emerged the decommissioning of a US satellite caused an error in the GPS network, having a knock-on effect across a number of UK industries.

But one of the biggest threats is the increasing interference to GNSS-derived signals through “jamming” and “spoofing”, said the report.

“The last 15 years have seen a dramatic proliferation of GNSS jamming systems: from the preserve of the military, through criminal groups, to the point where jammers are now sought and owned by everyday citizens seeking to hide from a perceived risk of being tracked during their day-to-day lives.”

The emergency services have two main applications for GNSS, using data from a caller’s phone to locate the emergency; and navigating there rapidly and successfully.

The technology is also widespread in financial services, with transactions often driven by algorithmic trading, which requires timestamps at millisecond to microsecond level. This form of precision timing also requires traceability for audit purposes.

Charles Curry, founder of GPS resilience company Chronos Technology and contributor to the report, told El Reg: “There is no difference in my mind between a cyber attack over the internet and a cyber attack using GPS-jamming technology. It’s something that North Korea has been doing for some time, as well as Russia. What is to stop someone from switching on a high power jammer in central London and taking out the financial services sector?”

He said the government must act to lead in putting a back-up system in place, as simply using legal deterrents to prevent jamming is not enough.

Under the Wireless and Telegraphy Act (2006) it is an offence to deliberately transmit within the GNSS frequency band without a licence or exemption notice. So the use of jamming devices is an offence – but possession of a device is not. “This means that courts have to prove intent to use, which can be difficult” said the report.

Initially GPS was a military system, giving civil users access to degraded services – with accuracy within tens of metres – but after Korean Airlines Flight 007 was shot down by Russia in 1983 after accidentally flying off course, Ronald Reagan signed an executive order allowing the civilian use of GPS.

The report calls for an increase in awareness of our dependency on GNSS; the need to protect the GNSS spectrum; to improve the national risk assessment; and the need to provision for backups – such as the Enhanced LOng-RAnge Navigation (eLORAN) low-frequency system. It said the government, industry and academia will also need to take a more joined-up approach. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/31/forget_cyber_crims_its_time_to_start_worrying_about_gps_jammers_gov_report/

Oracle point-of-sale system vulnerabilities get Big Red cross

A vulnerability has been unearthed in Oracle MICROS point-of-sale (POS) terminals that allowed hackers to read sensitive data from devices.

The flaw (CVE-2018-2636) was fixed in Oracle’s January 2018 patch batch, allowing business app security firm ERPScan to go public with its findings. Left unresolved, the bug would enable an attacker to read any file and receive information about various services from a vulnerable MICROS workstation without authentication, ERPScan warned.

CVE-2018-2636 is a directory traversal vulnerability in the Oracle MICROS EGateway Application Service. If an insider has access to the vulnerable URL, he or she can pilfer numerous files from the MICROS workstation, including service logs, and read files such as SimphonyInstall.xml or Dbconfix.xml, which contain usernames and encrypted passwords for connecting to the database, information about ServiceHost, and so on.

So the attacker can snatch database usernames and password hashes, brute-force them, and gain full access to the database with all its business data. There are several ways to exploit the flaw, each leading to compromise of the whole MICROS system.

Oracle’s MICROS technology is used by more than 330,000 cash registers worldwide, including 200,000-plus food and beverage outlets and more than 30,000 hotels in 180 countries. At least 170 MICROS POS systems are exposed to the internet, ERPScan reported.

Oracle declined to comment on ERPScan’s research.

MICROS security has been in the spotlight before. In 2016 hackers attacked the system through its customer support portal. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/31/oracle_micros_pos_vuln/

Ransomware makes it into the Oxford English Dictionary

Even if you aren’t British, you’ve probably heard of the New Year’s Honours List, when you find out which illustrious citizens get to call themselves Sirs and Dames.

Sir Ringo Starr, for example.

Technically, Sir Richard Starkey, of course, though he’s on the list under both names.

Well, now we have the 2018 English Language Honours List, too.

Here’s a sample: EULA is now a word, according to the OED.

Yes, it’s written all in capitals, but it’s a word in its own right, pronounced “you-luh”, and it means End User Licence Agreement. OED is the Oxford English Dictionary, but you have to spell that one out as “oh-eee-dee”. Ironically, perhaps, for the first-amongst-equals of Anglophone lexicography, the OED’s initials don’t make a convenient word in the very language that it defines. Sorry, that it describes.

Other internet-era words that made it into the OED this year include: selfie, e-shopping, and – get this – esc, pronounced to rhyme with “desk”.

That’s esc as in Hit [Escape] to continue, or Press the [Esc] key to exit: not only is it now a word, it’s a regular noun, without a capital letter.

So Apple’s trendy esc key has suddenly become orthographically normal, while the more formal-looking Esc favoured by the likes of Lenovo and Dell is now old-fashioned.

But the word you’ll be unsurprised and yet unhappy to see in the latest OED is the word ransomware, which Oxford describes very succinctly as:

A type of malicious software designed to block access to a computer system until a sum of money is paid.

Interestingly, given that the word has only now been announced by the OED, two of its sister editions have contained this definition since at least July 2017.

The Oxford Dictionary of English and the New Oxford American Dictionary, with database datestamps on macOS 10.13 of 25 July 2017, have these entries:

Take a look at the difference we’ve highlighted above.

It’s subtle, and intriguing: the British editors insist that ransomware is a mass noun, so you always use the word in the singular, while the American editors don’t, leaving you free to write ransomwares if you need to refer to several different ones.

Sadly, given the results in our just-published State of Endpoint Security survey, the plural of the word ransomware might be more useful than you think.

54% of the organisations we surveyed were hit by ransomware in the past year – and they were more likely to have had two or more ransomware attacks than just one.

A cheery ending

What else made it into the OED for 2018?

The weirdest entry that we spotted was Smith’s longspur.

The OED has had the word longspur for years – describing it as a “chiefly Canadian” bird, though it’s also native to Alaska – but not, it seems, Smith’s longspur.

The long form of the name apparently commemorates a friend of the great US naturalist John James Audubon, author of the book The Birds of America back in the first half of the nineteenth century.

And although that little detail has little to do with computer security, we think it’s a cheerier note on which to end than the observation that ransomware is now so common that it’s become a truly everyday word.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fvIAibLnXxo/

Ransomware makes it into the Oxford English Dictionary

Even if you aren’t British, you’ve probably heard of the New Year’s Honours List, when you find out which illustrious citizens get to call themselves Sirs and Dames.

Sir Ringo Starr, for example.

Technically, Sir Richard Starkey, of course, though he’s on the list under both names.

Well, now we have the 2018 English Language Honours List, too.

Here’s a sample: EULA is now a word, according to the OED.

Yes, it’s written all in capitals, but it’s a word in its own right, pronounced “you-luh”, and it means End User Licence Agreement. OED is the Oxford English Dictionary, but you have to spell that one out as “oh-eee-dee”. Ironically, perhaps, for the first-amongst-equals of Anglophone lexicography, the OED’s initials don’t make a convenient word in the very language that it defines. Sorry, that it describes.

Other internet-era words that made it into the OED this year include: selfie, e-shopping, and – get this – esc, pronounced to rhyme with “desk”.

That’s esc as in Hit [Escape] to continue, or Press the [Esc] key to exit: not only is it now a word, it’s a regular noun, without a capital letter.

So Apple’s trendy esc key has suddenly become orthographically normal, while the more formal-looking Esc favoured by the likes of Lenovo and Dell is now old-fashioned.

But the word you’ll be unsurprised and yet unhappy to see in the latest OED is the word ransomware, which Oxford describes very succinctly as:

A type of malicious software designed to block access to a computer system until a sum of money is paid.

Interestingly, given that the word has only now been announced by the OED, two of its sister editions have contained this definition since at least July 2017.

The Oxford Dictionary of English and the New Oxford American Dictionary, with database datestamps on macOS 10.13 of 25 July 2017, have these entries:

Take a look at the difference we’ve highlighted above.

It’s subtle, and intriguing: the British editors insist that ransomware is a mass noun, so you always use the word in the singular, while the American editors don’t, leaving you free to write ransomwares if you need to refer to several different ones.

Sadly, given the results in our just-published State of Endpoint Security survey, the plural of the word ransomware might be more useful than you think.

54% of the organisations we surveyed were hit by ransomware in the past year – and they were more likely to have had two or more ransomware attacks than just one.

A cheery ending

What else made it into the OED for 2018?

The weirdest entry that we spotted was Smith’s longspur.

The OED has had the word longspur for years – describing it as a “chiefly Canadian” bird, though it’s also native to Alaska – but not, it seems, Smith’s longspur.

The long form of the name apparently commemorates a friend of the great US naturalist John James Audubon, author of the book The Birds of America back in the first half of the nineteenth century.

And although that little detail has little to do with computer security, we think it’s a cheerier note on which to end than the observation that ransomware is now so common that it’s become a truly everyday word.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fvIAibLnXxo/

To hack Australia and learn its secrets, buy second-hand furniture

The Australian government has suffered what must rank as one of the most ridiculously embarrassing security breaches in its history: cabinet records from five successive governments were sent to a second-hand furniture store.

The trove ended up in the hands of the Australian Broadcasting Corporation (ABC – which is in the process of publishing what it judges safe to publish here).

It appears that someone decided to sell two filing cabinets intact because they’d lost the key (really); the buyer applied a power drill to the locks, and the rest is history.

And what a history it’s turned out to be: for the ABC. The broadcaster says it’s “withheld documents if there are national security reasons, if the information is already public, or to protect the privacy of public servants.”

The Department of Prime Minister and Cabinet has already issued a statement saying it will investigate the incredible idiocy that made this possible and won’t comment further for now.

Early NBN negotiating notes among the goodies

Among the documents revealed by the ABC are details of confidential briefings about how the Rudd government intended to fund Australia’s always-controversial National Broadband Network (NBN).

This needs context: in 2009, when it first conceived a universal fibre-to-the-premises build, Australia’s government was dealing with an obstructionist and hostile Telstra, Australia’s dominant telco. Under the “three amigos” led by CEO Sol Trujillo (the other two were Phil Burgess and Bill Stewart, both from Trujillo’s time at US West), Telstra was trying to block the Australian Competition and Consumer Commission’s competitive regulatory interventions (with High Court action), and delaying or white-anting government attempts to encourage high-speed broadband.

The government of the day conceived its NBN in part to unblock the regulatory deadlocks – but it needed to fund the network and didn’t want the cost to be directly attributed to the federal budget.

One of the documents reveals the range of funding options brought to cabinet. As well as the government’s eventual model of investing equity in NBN Co, various bond sales were considered. The bond options included letting retail investors in at an attractive rate; or long-term infrastructure bonds.

The government of the day also had hopes that Telstra would buy into the build, since the NBN’s customer access network would replace its own.

The document entitled “Strategy for negotiating with potential investors in NBN Co” states “there are likely to be many early approaches by a range of possible investors, including Telstra”.

However, the cabinet briefing also stated that nobody would buy in “until the details of the company and the regulatory framework (and, in all likelihood, the legislation) are settled”.

This didn’t bother the government of the day too much, it seems, since its intention was to privatise the network after build: “the Government does not need to rush into negotiations with investors making early offers”, the paper states.

The government had some hope that the existence of NBN Co would make Telstra more co-operative (and, perhaps, offer a chance for a change in strategy).

“The ideal outcome, over time, is the structural separation of Telstra by action of the Board”, the paper states, while noting that an intransigent Telstra might “choose to compete … using platforms such as the HFC network”.

With a fully structurally-separated Telstra, the document shows, the government had no trouble contemplating investment in NBN Co from Telstra Wholesale: before the network was completed, the government would remain its majority shareholder and therefore able to protect retail customers.

Nearly all of those discussions are now moot, since the network that now exists isn’t a particularly saleable asset.

The government was also acutely aware of the kinds of things Telstra would want if it were given a free hand in negotiations. The establishment of NBN Co and its wholesale-only status was non-negotiable from the start; Telstra might want to fold in assets like duct access which would be capped; the carrier would not be given a voice in matters like NBN access, price, rollout timing, and the government clearly expected it to lobby against fibre-to-the-premises.

Detail from NBN negotiating document

The Rudd government knew Telstra was likely to be troublesome. Image: the Australian Broadcasting Corporation

Telstra was expected to lobby the government over regulation, something the government wanted nixed, but it would (as has since happened) be allowed to take part in the rollout.

Vulture South will keep our eyes on the cabinet leaks to look for other snippets of interest to our readers. And for chances to point-and-laugh at the government. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/31/australian_cabinet_leaked_a_cabinet/