Tech Drives NYC's Private Sector Growth

From a report for the Bloomberg Technology Summit:

• New York City’s share of the nation’s private sector employment has reached its highest level in 20 years because of the growth of the tech/information sector.

• There are 262,000 workers in the New York tech/information sector, contributing almost $30 billion annually in wages to the local economy.

• While the financial sector, including real estate, is the most single important engine of the New York economy, the tech/information sector is now number two, surpassing the private health care sector.

• Between 2007 and 2012, the number of private sector jobs in NYC rose by about 4 percent, com- pared to a 3 percent decline nationally.

•Since 2007, when the Great Recession started, New York City’s tech/information sector has grown by 11 percent, or some 26,000 jobs, adding $5.8 billion in additional wages to the economy. Indeed, these wage gains accounted for two-thirds of the growth in private sector wages over that stretch.

• Using a conservative estimate, the tech/information boom was responsible for roughly one-third of the private sector job creation in New York City since 2007.

• New York City also significantly outperformed its suburbs during this period. According to the Bureau of Labor Statistics, private sector jobs actually declined by 3.8 percent from 2007-2012 in the New York metro area outside the city. Tech/information jobs also dropped by 6.9 percent in the suburbs, compared to an 11 percent gain in the city.

• The growth of Brooklyn’s tech/information sector has outpaced every other large county in the country, with the exception of San Francisco. This includes traditional tech hubs such as Austin; Seattle; Cambridge, MA; the Research Triangle; and Silicon Valley.

Book Review: Hacking Secret Ciphers with Python

Hacking Secret Ciphers with Python is a free introductory textbook on cryptography, computer programming and the Python programming language written by Albert Sweigert, a software developer from San Francisco.  Hacking Secret Ciphers with Python is Sweigert's third book on Python, and the first that teaches the programming language through cryptography and traditional cryptographic protocols.

Published under a creative commons license, the work can be read for free online, downloaded as a .pdf or purchased from Amazon, with all proceeds going to the Electronic Frontier Foundation, Creative Commons and the Tor Project.  From the book's description:

“Hacking Secret Ciphers with Python” teaches complete beginners how to program in the Python programming language. The reader not only learns about several classical ciphers, but also how to write programs that encrypt and hack these ciphers. The full source code is given and explained line-by-line for ciphers such as the Caesar cipher, transposition cipher, simple substitution cipher, multiplicative & affine ciphers, Vigenere cipher, and hacking programs for each of these ciphers. The final chapters cover public key cryptography and the modern RSA cipher.

Clocking in at 416 pages, the book is broken down into 24 chapters covering virtually everything from the ancient Caesar Cipher to modern public key cryptography.  It thus provides a practical overview of the history of cryptography, while simultaneously introducing the reader to progressively more advanced aspects of the Python programming language. 

The book begins at the beginning, showing the reader first how to create rudimentary ciphers with paper and scissors.  It then gives a quick introduction on how to install Python, how to work with the interactive shell, and provides a quick overview of Python basics before jumping in to its first major coding chapter on the Reverse Cipher.  For each cipher covered in the book, it provides the Python code to run that cipher, followed by a chapter covering a second program that can be used to hack that cipher.  Python basics are covered in the analysis of the code used to create and then hack the given cipher.

Highly recommended for beginner to intermediate Python programmers who are interested in cryptography.  And since it is available free online, you can dive right in.

Unplugged: The Key to Longer Laptop Battery Life

From Wired:

In order to squeeze as much life out of your lithium-polymer battery, once your laptop hits 100 percent, unplug it. In fact, you should unplug it before that.

Cadex Electronics CEO Isidor Buchmann told WIRED that ideally everyone would charge their batteries to 80 percent then let them drain to about 40 percent. This will prolong the life of your battery — in some cases by as much as four times. The reason is that each cell in a lithium-polymer battery is charged to a voltage level. The higher the charge percentage, the higher the voltage level. The more voltage a cell has to store, the more stress it’s put under. That stress leads to fewer discharge cycles. For example, Battery University states that a battery charged to 100 percent will have only 300-500 discharge cycles, while a battery charged to 70 percent will get 1,200-2,000 discharge cycles. 

Is the GMail Model Legally a Wiretapping Scheme?

According to at least one court, it may well be.  From Wired:

A federal judge today found that Google may have breached federal and California wiretapping laws for machine-scanning Gmail messages as part of its business model to create user profiles and provide targeted advertising.

The decision by U.S. District Judge Lucy Koh was rendered in a proposed class-action alleging Google wiretaps Gmail as part of its business model. Google sought to have the federal case in California dismissed under a section of the Wiretap Act that authorizes email providers to intercept messages if the interception facilitated the message’s delivery or was incidental to the functioning of the service in general.

Newsflash: Significant Percentage of Online Reviews Are By Paid Flacks

In case you hadn't realized already, a significant proportion of online opinion is nothing more than paid advertising.  Is there an app that detects bullshit?  From Market Watch:

On Monday, Attorney General Eric T. Schneiderman announced that 19 companies agreed to cease their practice of writing fake online reviews and pay hefty penalties for false advertising and deceptive business practices. Dubbed “Operation Clean Turf,” his investigation found that these businesses – ranging from bus companies to teeth whitening services — systematically tried to game the system by paying freelance writers from Philippines, Bangladesh and Eastern Europe between $1 to $10 per review. Schneiderman’s office cited a 2011 study by Michael Luca, assistant professor at Harvard Business School, which said a one-star rating hike on Yelp can mean a 5% to 9% rise in restaurant revenue. 

Hacked Identity Theft Service Reveals Breaches of Numerous Consumer Data Aggregators

We're all up for sale online.  From Krebs on Security:

An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity.

The Web site ssndob[dot]ms (hereafter referred to simply as SSNDOB) has for the past two years marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident. Prices range from 50 cents to $2.50 per record, and from $5 to $15 for credit and background checks. Customers pay for their subscriptions using largely unregulated and anonymous virtual currencies, such as Bitcoin and WebMoney. Until very recently, the source of the data sold by SSNDOB has remained a mystery. That mystery began to unravel in March 2013, when teenage hackers allegedly associated with the hacktivist group UGNazi showed just how deeply the service’s access went.

Spain to Criminalize Linking

Coming off a recent proposal to tax sunlight, the government of Spain appears to be on a roll, and is poised to criminalize linking to allegedly infringing copyrighted content.  From ZDNet:

Spain is introducing tough new penalties for owners of websites that link to pirated versions of copyrighted material, after pressure from the US over its piracy record.

Under new legislation introduced as part of a wider reform of the country's penal code, owners of sites found to be making money from linking to pirated material will face prison sentences of up to six years and the closure of their site.

Sophos: Firefox Voted Most Trustworthy Browser

What's your preferred browser?  A Sophos survey finds Firefox in the lead.  From Naked Security:

About a month ago I asked Naked Security readers Which web browser do you trust? Your answer was emphatic: it's Firefox.  I asked this question because trustworthiness has become an important selection criteria for web browsers and there is no objective test for it.

Modern web browsers are mature and complex products and, despite inflated version numbers and conspicuously busy release cycles, their feature sets evolve quite slowly.

Selecting the right web browser is no longer a question of what the software can do, it's about whether or not it can do the things we expect it to do quickly, securely and with due regard for our privacy.

Our poll offered readers the chance to vote for one of the six most popular web browsers -  Chrome, Firefox, Internet Explorer, Opera, Safari and Chromium - and asked which you trusted the most.

Image source: The Bandwidth Blog.

LinkedIn Accused of Hacking Users Address Books to Spam Their Contacts

Is anyone else sick and tired of getting spammed with email requests to join LinkedIn from family, friends and co-workers?  It appears that LinkedIn users are now sick and tired of having their contact lists surreptitiously mined and exploited by the service.  From Bloomberg:

LinkedIn, owner of the world’s most popular professional-networking website, was sued by customers who claim the company appropriated their identities for marketing purposes by hacking into their external e-mail accounts and downloading contacts’ addresses.

The customers, who aim to lead a group suit against LinkedIn, asked a federal judge in San Jose, California, to bar the company from repeating the alleged violations and to force it to return any revenue stemming from its use of their identities to promote the site to non-members, according to a court filing . . . 

Copyright Extremists Seek Censored Search

Copyright extremists and their lobbying organizations such as the MPAA and the RIAA are at it again.  From Tech Dirt:

Remember how back after SOPA ended, the MPAA's Chris Dodd kept going on and on about how he was going to take a more conciliatory and partnership-based approach to the tech industry (which he mistakenly seems to believe is defined by "Google")? Apparently that's out the window. Today both the MPAA and the RIAA have launched a one-two punch on Google, which is clearly designed to do one thing: get Google to start censoring its search results so that it no longer returns what people are looking for, but instead returns what the MPAA and RIAA think should be the right search results. The fundamental problem, of course, is that the MPAA and RIAA both seem to think that Google is supposed to deliver the answers they want the public to see, when everyone else recognizes Google's role is to return the results its users are searching for.

Research Group Cracks Taiwan's National "Smart Card" Digital Certificates

Ironically, it is often the ineptitude and incompetence of our security protocols that leave us the most insecure.  Is there anyone more vulnerable to attack that the person who thinks they are invulnerable because they have received reassuring platitudes and slogans from those running the security racket?  From Smart Facts, a report by a group of international researchers:  

An attacker can efficiently factor at least 184 distinct 1024-bit RSA keys from Taiwan's national "Citizen Digital Certificate" database. The big story here is that these keys were generated by government-issued smart cards that were certified secure. The certificates had all the usual buzzwords: FIPS certification from NIST (U.S. government) and CSE (Canadian government), and Common Criteria certification from BSI (German government).

These 184 keys include 103 keys that share primes and that are efficiently factored by a batch-GCD computation. This is the same type of computation that was used last year by two independent teams (USENIX Security 2012: Heninger, Durumeric, Wustrow, Halderman; Crypto 2012: Lenstra, Hughes, Augier, Bos, Kleinjung, Wachter) to factor tens of thousands of cryptographic keys on the Internet.

The remaining 81 keys do not share primes. Factoring these 81 keys requires taking deeper advantage of randomness-generation failures: first using the shared primes as a springboard to characterize the failures, and then using Coppersmith-type partial-key-recovery attacks. This is the first successful public application of Coppersmith-type attacks to keys found in the wild.

Blue Jay: Police Twitter Surveillance App

Ars Technica has a lengthy and interesting piece on Blue Jay, a Twitter live feed scanner intended for use by law enforcement officers, from a company with connections deep inside the US intelligence bureaucracy.  From Ars:

  . . . the "Law Enforcement Twitter Crime Scanner," which provides real-time, geo-fenced access to every single public tweet so that local police can keep tabs on #gunfire, #meth, and #protest (yes, those are real examples) in their communities. BlueJay is the product of BrightPlanet, whose tagline is "Deep Web Intelligence" and whose board is populated with people like Admiral John Poindexter of Total Information Awareness infamy.

BlueJay allows users to enter a set of Twitter accounts, keywords, and locations to scan for within 25-mile geofences (BlueJay users can create up to five such fences), then it returns all matching tweets in real-time. If the tweets come with GPS locations, they are plotted on a map. The product can also export databases of up to 100,000 matching tweets at a time.

Online Learning: Three Free Introduction to Computer Science Courses

These days, with a bit of perseverance and discipline, it is entirely possible to receive a world class education in computer science for free online from the comfort of your own home.  Many of the top computer science departments at US universities make their course lectures and materials freely available on the net, providing motivated individuals with a range of choices that is almost unbelievable in its scope.  In this post, we'll take a look a three Introduction to Computer Science courses that have been made freely available online from Harvard, MIT and Stanford.  The Harvard course provides an introduction to C, PHP and JavaScript.  Stanford focuses on Java. And MIT utilizes the Python programming language. 

Harvard's Intensive Introduction to Computer Science
Course site and description:

This free online computer science course is an introduction to the intellectual enterprises of computer science. Topics include algorithms (their design, implementation, and analysis); software development (abstraction, encapsulation, data structures, debugging, and testing); architecture of computers (low-level data representation and instruction processing); computer systems (programming languages, compilers, operating systems, and databases); and computers in the real world (networks, websites, security, forensics, and cryptography). The course teaches students how to think more carefully and how to solve problems more effectively. Problem sets involve extensive programming in C as well as PHP and JavaScript.

Stanford's Introduction to Computer Science and Programming Methodology
Course site and description:

This course is the largest of the introductory programming courses and is one of the largest courses at Stanford. Topics focus on the introduction to the engineering of computer applications emphasizing modern software engineering principles: object-oriented design, decomposition, encapsulation, abstraction, and testing. 

Programming Methodology teaches the widely-used Java programming language along with good software engineering principles. Emphasis is on good programming style and the built-in facilities of the Java language. The course is explicitly designed to appeal to humanists and social scientists as well as hard-core techies. In fact, most Programming Methodology graduates end up majoring outside of the School of Engineering. 

MIT's Introduction to Computer Science and Programming
Course site and description:

This subject is aimed at students with little or no programming experience. It aims to provide students with an understanding of the role computation can play in solving problems. It also aims to help students, regardless of their major, to feel justifiably confident of their ability to write small programs that allow them to accomplish useful goals. The class will use the Python programming language.  Many of the problem sets focus on specific topics, such as virus population dynamics, word games, optimizing routes, or simulating the movement of a Roomba.

iPhone Fingerprint ID: More Trouble Than It's Worth?

If you believe the security pronouncements of any of the giant tech firms, please leave your information in the comments, I have a bridge to sell you.  Of course, the mainstream media are not nearly so skeptical.  Indeed, they're eating it up.  From Bloomberg:

Apple’s use of fingerprint scanning in its new iPhone models could lead more device makers to adopt the authentication method as a successor to passwords - - and that’s fine with privacy advocates.

The introduction coincides with the rise of cybercrime and revelations that the U.S. National Security Agency has intercepted Internet communications and cracked encryption codes on devices including the iPhone.

Apple said that on the new iPhone, information about the fingerprint is stored on the device and not uploaded to company networks -- meaning it wouldn’t be in data batches that may be sent to or collected by U.S. intelligence agencies under court orders.

“They’re not building some vast biometric database with your identity associated with your fingerprint that the NSA could then get access to,” Joseph Lorenzo Hall . . . .

That latter quote is rather funny, as governments and corporations routinely deny that they are building vast databases on us as they build vast databases on us.  Wired is a bit more circumspect:

There’s a lot of talk around biometric authentication since Apple introduced its newest iPhone, which will let users unlock their device with a fingerprint. Given Apple’s industry-leading position, it’s probably not a far stretch to expect this kind of authentication to take off. Some even argue that Apple’s move is a death knell for authenticators based on what a user knows (like passwords and PIN numbers).

While there’s a great deal of discussion around the pros and cons of fingerprint authentication — from the hackability of the technique to the reliability of readers — no one’s focusing on the legal effects of moving from PINs to fingerprints.

Because the constitutional protection of the Fifth Amendment, which guarantees that “no person shall be compelled in any criminal case to be a witness against himself,” may not apply when it comes to biometric-based fingerprints . . .

Technophobic Court Warns Against Open Source Software

From the EFF:

Should we fear open source software? Of course not. But that hasn’t stopped federal courts from issuing bizarre warnings like this:

The court would like to make CM/ECF filers aware of certain security concerns relating to a software application or .plug-in. called RECAP … Please be aware that RECAP is “open-source” software, which can be freely obtained by anyone with Internet access and modified for benign or malicious purposes … .

To understand this strange edict, we need to review the history of RECAP and why it might be unpopular with court officials . . .

Read the whole thing for all the gory details. 

Technologically Illiterate Court Claims Use of Open Wifi Is Wiretapping

While government agencies illegally and routinely spy on our everyday communications without repercussion, a court has ruled that sniffing open wifi signals may be considered wiretapping.  From Tech Dirt:

A couple years ago, we were disappointed to see a judge take the technologically wrong stance that data transmitted over WiFi is not a "radio communication," thereby making sniffing of unencrypted WiFi signals potentially a form of wiretapping. Indeed, based on that, the court eventually ruled that Google's infamous WiFi sniffing could be a violation of wiretap laws. This is wrong on so many levels... and tragically, an appeals court has now upheld the lower court's ruling.

There are serious problems with this. Under no reasonable view is WiFi not a radio communication first of all. That's exactly what it is. Second, sniffing unencrypted packets on an open network is a perfectly normal thing to do. The data is unencrypted and it's done on a network that is decidedly open. It's like saying it's "wiretapping" for turning on your radio and having it catch the signals your neighbor is broadcasting. That's not wiretapping. Third, even the court here admits that based on this ruling, parts of the law don't make any sense, because it renders those parts superfluous. Generally speaking, when a court ruling would render a part of a law completely superfluous, it means that the court misinterpreted the law . . . 

Coming Soon: Wireless Charging

From Tech Crunch:

Wireless power. It’s less sci-fi sounding than it once was, thanks to induction charging like that based on the Qi standard, but that’s still a tech that essentially requires contact, if not incredibly close proximity. Magnetic resonance is another means to achieve wireless power, and perfect for much higher-demand applications, like charging cars. But there’s been very little work done in terms of building a solution that can power your everyday devices in a way that doesn’t require thought or changing the way we use our devices dramatically. That’s where Cota by Ossia comes in.

The startup is the brainchild of physicist Hatem Zeine, who decided to focus on delivering wireless power in a way that was commercially viable, both for large-scale industrial applications and for consumer use . . . 

Verizon Lawsuit Against Open Internet in Court Today

From Ars Technica:

In December 2010, the Federal Communications Commission adopted the Open Internet Order, enshrining the concept of "network neutrality"—that Internet Service Providers must treat all data on the Internet equally—into law. . . .

ISPs don't like this, naturally, but Verizon has objected most strenuously of all. The company sued to halt the Open Internet Order, and after a couple of years worth of legal filings the case is now set to be decided by the US Court of Appeals for the District of Columbia Circuit.

Verizon and the FCC on Monday will each get 20 minutes to make their oral arguments . . . 

Google Seeks to Get in Ahead of NSA Scheme to Undermine Internet Encryption

From The Washington Post:

Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.

The move by Google is among the most concrete signs yet that recent revelations about the National Security Agency’s sweeping surveillance efforts have provoked significant backlash within an American technology industry that U.S. government officials long courted as a potential partner in spying programs.

Google’s encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information amid controversy about the NSA’s PRISM program . . . 

Netizen Self-Defense Against the NSA Adversary

Bruce Schneier literally wrote the book on Applied Cryptography.  In an article for the Guardian, provides some advice for those who are concerned about privacy and security and explains what measures he takes in order to secure his information.  From the Guardian:

I have five pieces of advice:

1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's work for them. The less obvious you are, the safer you are.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it's true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you're much better protected than if you communicate in the clear.

3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn't. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it's pretty good.

4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it's harder for the NSA to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

Since I started working with Snowden's documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I'm not going to write about.

Is Any Private Data Safe from the Prying Eyes of Government?

Apparently not.  From the Guardian:

US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.

The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.

The agencies, the documents reveal, have adopted a battery of methods in their systematic and ongoing assault on what they see as one of the biggest threats to their ability to access huge swathes of internet traffic – "the use of ubiquitous encryption across the internet".

What Do They Have on You?

A secretive consumer surveillance company is unveiling a new website that will let people see just what information has been collected on them.  What do they have on you?  From the New York Times:

Acxiom, one of the most secretive and prolific collectors of consumer information, is embarking on a novel public relations strategy: openness. On Wednesday, it plans to unveil a free Web site where United States consumers can view some of the information the company has collected about them, just as Mr. Howe did.

The data on the site, called AbouttheData.com, includes biographical facts, like education level, marital status and number of children in a household; homeownership status, including mortgage amount and property size; vehicle details, like the make, model and year; and economic data, like whether a household member is an active investor with a portfolio greater than $150,000. Also available will be the consumer’s recent purchase categories, like plus-size clothing or sports products; and household interests like golf, dogs, text-messaging, cholesterol-related products or charities.

It is quite a clever campaign since, in order to find out what information they have on you, you have to give them all your information.

A Closer Look at the Syrian Electronic Army

From Krebs on Security:

A hacking group calling itself the Syrian Electronic Army (SEA) has been getting an unusual amount of press lately, most recently after hijacking the Web sites of The New York Times and The Washington Post, among others. But surprisingly little light has been shed on the individuals behind these headline-grabbing attacks. Beginning today, I’ll be taking a closer look at this organization, starting with one of the group’s core architects.

Earlier this year I reported that — in apparent observation of international trade sanctions against Syria – Network Solutions LLC. and its parent firm Web.com had seized hundreds of domains belonging to various Syrian entities. Among the domains caught in that action were several sites belonging to the SEA . . .

Big Business and Big Government Working Together to Erode the Fourth Amendment

The war on drugs and the war on terror are in fact nothing more than a war on the Bill of Rights and the constitution of the United States.  From the New York Times:

For at least six years, law enforcement officials working on a counternarcotics program have had routine access, using subpoenas, to an enormous AT&T database that contains the records of decades of Americans’ phone calls — parallel to but covering a far longer time than the National Security Agency’s hotly disputed collection of phone call logs.

The Hemisphere Project, a partnership between federal and local drug officials and AT&T that has not previously been reported, involves an extremely close association between the government and the telecommunications giant. 

The government pays AT&T to place its employees in drug-fighting units around the country. Those employees sit alongside Drug Enforcement Administration agents and local detectives and supply them with the phone data from as far back as 1987.