As you’ve heard, this month is National Cyber Security Awareness Month. Wayne State has decided to celebrate by helping folks develop awareness of phishing techniques. By now everyone should be familiar with phishing (note I don’t even use ‘scare quotes’ to mark the word). But even though we read about it in the papers, and online, a scary number of our colleagues got phished in the past twelve months. Some of them were tricked into getting their direct deposit checks rerouted to a pop-up bank in Nigeria (really!) while others got their computers infected and had to have them reformatted, occasionally losing the data stored on them. And yes, I’m talking about our Wayne State colleagues, not people somewhere else.
C&IT has developed a quiz designed specifically for the Wayne State community. It is intended to help you recognize the warning signs in a phishing message. We’re hoping that heightened awareness and some training (hidden in the quiz) will help protect not only you, but the entire WSU community.
We will be sending out an invitation by email to participate in the ‘survey’. Every completed quiz will be automatically entered in a drawing to win one of two prizes. Students are eligible for a $100 gift card to Barnes & Noble. Employees are eligible for a Wayne State prize pack. Winners will be notified in early November.
My next blog will include specific tips on how to recognize phishing email messages, such as hovering over any links to see whether what pops up matches the text you can see (and also whether, if it’s claiming to come from Wayne State, it has a .wayne.edu address).
So watch your mailboxes for more on this topic.
I just read a particularly good discussion of the (now dying down) controversy over the leaking of celebrities’ sexted photos. It makes a number of points that haven’t been raised elsewhere:
- Saying ‘don’t take revealing pictures of yourself’ because they might leak is like saying ‘don’t use a credit card because your identity might get stolen’.
- Phones are a new kind of sex toy, and they and their use are not going away.
- People don’t know where their photos go when they use their phones. Almost all phones (iPhones, Androids, at least) automatically, and without our noticing, back photos up to the cloud.
- Cloud providers need to get their security act together, but probably won’t, because there isn’t enough shrieking going on.
By now everyone knows that a number of (primarily young, almost exclusively female) Hollywood stars had compromising pictures of themselves posted to a public Internet site, provoking much social commentary.
The reason for this post is not the fact that it happened–it happens frequently, and sometimes goes under the heading of ‘revenge porn’. What is more interesting, from my point of view, is the nature of the reactions.
I was discussing this story with some of my younger colleagues at C&IT the other day, and found their response simultaneously startling and familiar. Their answer was ‘Who cares?!! Privacy is dead, get over it.’
What was startling was that I have friends who actually feel that way. What was familiar was the meme ‘privacy is dead’. It was first said in that form by Scott McNealy in 1999. For those who aren’t familiar with McNealy, he was the founder of Sun Microsystems, an early major computer hardware and software company (responsible, among other things, for Java, MySQL and NFS).
Discussion of the leaked nude photos has varied widely. The initial response was outrage, particularly from some of the celebrities themselves (although some have also claimed that the photos were fake, for which there is some forensic evidence). On the other hand, much of the early response consisted of statements that could be paraphrased as ‘if you don’t want nude pictures circulating on the internet, don’t take them.’
Interestingly, subsequent commentary has had two directions. One is to suggest that blaming the stars for having nude pictures floating around is like blaming women for being raped because they wore [fill in your favorite meme] clothing.
On the other hand, a number of commentators have suggested the fault lies in the poor security structure of iCloud, or perhaps of the iPhone (apparently a hack of Find My iPhone may have permitted the Apple cloud storage system to be breached, although that vulnerability has since been patched).
Other commentators (including my buddy Nick Gillespie) have suggested that this is something for which the cure would be worse than the disease.
Finally, danah boyd, a radical feminist blogger who works for Microsoft (yes, you read that right) wrote very thoughtfully several years ago about the morality of ‘outing’ people on the Internet, an activity somewhat related to this.
I have no words of wisdom to provide here–I’m an onlooker watching how the world is changing around me. Thoughts?
Wayne State has signed up for Microsoft’s Student Advantage Program – C&IT now provides free downloads of the latest version of Microsoft Office to all currently registered Wayne State students. This includes full-featured current versions of Word, Excel, PowerPoint, and Outlook for PCs and Macs. PC users also get Access and OneNote. Students will be permitted to download five (5!) copies, which will run on Mac OS X, Windows, and Windows tablets running (real) Windows 8 (not RT).
Although the download process is a little complicated, there are clear instructions, and the Help Desk stands ready to provide assistance. C&IT didn’t forget faculty and staff – keep an eye out for Microsoft-related updates coming your way in the next year. Meanwhile, many folks have access to some version of Office through deals their colleges or departments have made–check with your tech support folks to find out. In some cases you can get a complete downloadable set for your home computer for the relatively low price of $75. The full details on the Student Advantage Program are available at computing.wayne.edu/office – tell your students at your first class. It’s a great deal!
Over the past couple of weeks a number of important privacy-related legal decisions have hit the IT policy landscape, and I thought I’d take time today to talk about one of them. The other will be a topic next week.
First, the European Court of Justice ruled that Google must stop linking to search results that are ‘inadequate, irrelevant or no longer relevant’ if someone requests it. It all revolves around someone who wanted Google to stop returning a newspaper article from the late nineties about his house being repossessed in the eighties.
Since then Google has received tens of thousands of requests to ‘be forgotten’, and is establishing a system to decide how to respond to those requests. It also has a warning (only on the European versions of its pages) that not all results are being displayed if that item has been ‘censored’.
As one might imagine, this has caused a firestorm. Numerous commentators have argued that this will simply permit politicians and other public figures to hide their shady pasts. Although the official court decision said ‘journalistic work may not be touched’, Google has delinked a number of blog posts on various European online newspapers, and Wikipedia itself has received at least fifty notices from Google that articles have been removed from search results. As a result Jimmy Wales, the founder of Wikipedia, blasted the decision as a violation of the human right to have access to history.
An additional weird, but understandable, twist is that the ruling applies to Google, but only to European Google, so it has no effect on searches conducted from elsewhere in the world. Even more interesting, the publishers of the actual articles do not have to delete them–it’s simply that Google must not report them in a search. So the offending material is still on the web, and other search engines (such as https://duckduckgo.com/, which does not track you and does not note where you are), and computers whose IP addresses are concealed (such as with ‘Incognito Browsing’) will still find the relevant information.
In addition, it is likely that this result will trigger what has come to be known as the Streisand Effect–loudly attempting to hide something leads to it being even more visible. This is certainly the case for the Spanish guy who started the whole story (you can find his name yourself, as well as all the information he was trying to suppress, with very simple search tools).
On Monday I’ll tell you about a different case, where a US judge attacked Europeans’ right to privacy in a totally different way.
Some folks may have heard the claim that the song ‘Happy Birthday’ is copyrighted, and you’re supposed to pay royalties if you ‘perform’ it. Certainly when restaurants used to have their staff gather round customers and sing birthday greetings there was a time when they sang other songs, because some restaurant or other had been sued for copyright violation.
If you don’t believe it, you can check Snopes, the famous myth-debunking website, and they confirm that this is true.
Interestingly enough, someone is challenging this claim, and the case was written up recently by a web buddy of mine on the Volokh Conspiracy blog, which I read fairly regularly. It’s a classic case of ‘Copyright Trolling’–the people who are claiming the copyright have no relation to the folks who wrote the song (which wasn’t ‘Happy Birthday to You’ in its original lyrics in any case)–the authors fumbled the copyright, but someone picked it up, their catalog was bought by someone else, and it was subsequently sold to someone else and so on.
This case will be fun to watch–it’s still ongoing.
Strange twist–the original authors, a pair of schoolteacher sisters named ‘Hill’, were the aunts of a famous linguist of the mid twentieth century named Archibald Hill, who I once met. Apparently he was independently wealthy because the sisters left their estate to him. You never know…
The 2nd Circuit Court released a decision today in a case involving the Hathi Trust, which has been scanning old books and making them available online for search purposes. Some authors’ unions sought to prevent them from doing this on copyright grounds, but Hathi (and many supporters) argued that the open-source non-profit partner with Google Books was entitled under the ‘fair use’ provision of the Copyright Act to scan millions of books (including, particularly, ‘orphan’ books whose copyright was still valid, but whose authors were either long gone or unlocatable) and make the results searchable. Hathi Trust is an invaluable tool for historical, linguistic and literary research because it means that millions of out-of-print books are accessible to the world of research.
This doesn’t mean you can now just read any book in their repository. You can’t. What you can do, however, is search for every instance of a word in the millions of books and get the surrounding context for each use (which is a gold mine for linguists), or find mentions of historical events or people (or political theories or scientific experiments) in millions of books scattered around the country.
The court’s conclusion was that making snippets available through searches, and making entire texts available to the visually impaired, constituted fair use under the ‘transformative’ clause of the fair use provision (you can read all about it on the WSU Library’s Copyright page).
Here are two news items on the court case:
Recently a number of universities (including Wayne State) have been hit by a particularly vicious phishing trick. Faculty with relatively high salaries receive what look like official notifications to ‘verify’ their login details. If they click on the link in the email they are sent to university web pages that look very much like the standard login page (complete with appropriate wordmarks, layout etc.). This kind of phishing is called ‘spearphishing’, because the attacks are not random, but carefully targeted, so the email message looked like it was directed to the addressee–it had their name in it, and perhaps their chair’s name, or the name of the VP for Administration. However, after they enter their credentials they eventually find that someone else has logged in and changed their direct deposit to a bank in another country. Often a pop-up bank (similar to a pop-up restaurant but not nearly as tasty). By the time the deception is discovered (usually when the victim notices that their real account never received the deposit) it’s too late.
All the universities that have had this happen have had to make good on the lost paychecks, and with lots of full professors getting caught that’s a lot of money the universities don’t have to spare. How can you resist getting sucked into these scams?
- Never log in to a Wayne State account by clicking on a link in an email.
- Always go directly to the appropriate website by typing its address into your browser (blackboard.wayne.edu, pipeline.wayne.edu, academica.wayne.edu).
- Make sure that the address that shows in the browser once the page has ‘painted’ begins ‘https://…’.
- Change your password immediately if you think you have fallen for one of these scams.
Here are some other universities that have been caught (so you can see we’re not outliers):
- https://oit.ncsu.edu/news-releases/look-out-for-phishing-email-targeting-your-direct-deposit
- http://www.bu.edu/today/2014/internet-scammers-change-some-bu-direct-deposit-accounts/
- http://uis.georgetown.edu/page/1242745504502.html
- http://www.annarbor.com/news/university-of-michigan-spear-phishing/
Finally, our colleagues at U of M put together an excellent video about phishing which is worth watching (you can just ignore the hype about ‘Big Blue’).