Category Archives: Internet

‘Facebook, Axios And NBC Paid This Guy To Whitewash Wikipedia Pages’

The Huffington Post ran a bombshell report this week on one of a handful of people who have "figured out how to manipulate Wikipedia's supposedly neutral system to turn a profit." They're describing Ed Sussman, a former head of digital for Fast Company who's now paid to do damage control by relentlessly lobbying for changes to Wikipedia pages. "In just the past few years, companies including Axios, NBC, Nextdoor and Facebook's PR firm have all paid him to manipulate public perception using a tool most people would never think to check. And it almost always works." Spin reports: The benefit of hiring Sussman, aside from insulating talking heads from the humiliation of being found to have edited their own pages, is that he applies the exacting and annoying vigor of an attorney to Wikipedia's stringent editing rules. Further, because his opponents in these arguments are not opposing lawyers but instead Wikipedia's unpaid editors, he's really effective. From HuffPost: "Sussman's main strategy for convincing editors to make the changes his clients want is to cite as many tangentially related rules as possible (he is, after all, a lawyer). When that doesn't work, though, his refusal to ever back down usually will. He often replies to nearly every single bit of pushback with walls of text arguing his case. Trying to get through even a fraction of it is exhausting, and because Wikipedia editors are unpaid, there's little motivation to continue dealing with Sussman's arguments. So he usually gets his way." NBC and Axios confirmed that they hired Sussman, and an Axios spokesperson told HuffPost that the site "hired him to correct factual inaccuracies." The spokesperson added "pretty sure lots of people do this," which may or may not be true.
Sussman's web site argues he's addressing "inaccurate or misleading information...potentially creating severe business problems for its subject," bragging in his FAQ that when he's finished, "the article looks exactly the same" to an outsider -- and that his success rate is 100%.

Read more of this story at Slashdot.

WordPress Now Powers Over One-Third of the Top 10 Million Sites on the Web

WordPress now powers over one-third of the top 10 million sites on the web, according to W3Techs. From a blog post: Our market share has been growing steadily over the last few years, going from 29.9% just one year ago to 33.4% now. We are, of course, quite proud of these numbers! The path here has been very exciting. In 2005, we were celebrating 50,000 downloads. Six years later, in January 2011, WordPress was powering 13.1% of websites. And now, early in 2019, we are powering 33.4% of sites. Our latest release has already been downloaded close to 14 million times, and it was only released on the 21st of February.

Kids From At Least 112 Countries, Including the US, Go on Strike To Protest Climate Change

It started 29 weeks ago when 16-year-old Swede Greta Thunberg began skipping school on Fridays to protest climate change by standing outside of her nation's parliament building. Today, kids from more than 110 countries, including the United States, are following Thunberg's lead and will play hooky from classes for something they think is ultimately more important: preventing the warming of their planet. Live updates, from The Guardian. Further reading: Thousands of scientists are backing the kids striking for climate change.

Iranian hackers stole terabytes of data from software giant Citrix

Citrix is best known for software that runs behind the scenes, but a massive data breach is putting the company front and center. The FBI has warned Citrix that it has reason to believe foreign hackers compromised the company's internal network and swiped business documents in an apparent "password spraying" attack, where the intruders guessed weak passwords across many accounts and then used that early foothold to launch more extensive attacks. While Citrix didn't shed more light on the incident, researchers at Resecurity provided more detail on what likely happened in a conversation with NBC News.
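As an added illustration (not code from the Citrix incident or the source article), the defender-side check that separates the spray pattern described above from classic brute force: many accounts, a few attempts each, from one source. The log format, user names and IP addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample authentication log (not from Citrix or any real system).
# Assumed line format: "<timestamp> <username> <source_ip> <result>"
SAMPLE_LOG = """\
2019-03-01T10:00:01 alice 203.0.113.7 FAIL
2019-03-01T10:00:02 bob 203.0.113.7 FAIL
2019-03-01T10:00:03 carol 203.0.113.7 FAIL
2019-03-01T10:00:04 dave 203.0.113.7 FAIL
2019-03-01T10:00:05 erin 203.0.113.7 FAIL
2019-03-01T10:00:06 frank 203.0.113.7 SUCCESS
2019-03-01T10:05:00 alice 198.51.100.9 FAIL
2019-03-01T10:05:10 alice 198.51.100.9 FAIL
2019-03-01T10:05:20 alice 198.51.100.9 FAIL
2019-03-01T10:05:30 alice 198.51.100.9 SUCCESS
"""

def parse(log):
    """Turn the raw log text into (timestamp, user, ip, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        events.append((ts, user, ip, result))
    return events

def detect_spray(events, min_users=5, max_per_user=2):
    """Flag source IPs whose failures are spread over many accounts with
    few attempts per account (spraying), rather than many attempts against
    one account (brute force, which per-account lockout already catches)."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> count
    for _, user, ip, result in events:
        if result == "FAIL":
            failures[ip][user] += 1
    alerts = {}
    for ip, users in failures.items():
        if len(users) >= min_users and max(users.values()) <= max_per_user:
            alerts[ip] = sorted(users)
    return alerts

def successes_from_spraying_ips(events, alerts):
    """Accounts that logged in successfully from a spraying IP: these are
    the weak passwords the spray guessed and the first ones to reset."""
    return sorted({u for _, u, ip, r in events if r == "SUCCESS" and ip in alerts})
```

The second source in the sample (three failures then a success, all on one account) is deliberately not flagged, so the rule does not fire on an ordinary user mistyping a password.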

Source: Citrix, NBC News

Belgian DPA Publishes Updated List of Processing Activities Requiring DPIA

The Belgian Data Protection Authority (the “Belgian DPA”) recently published (in French and in Dutch) the updated list of the types of processing activities which require a data protection impact assessment (“DPIA”). Article 35.4 of the EU General Data Protection Regulation (“GDPR”) obligates supervisory authorities (“SAs”) to establish a list of the processing operations that require a DPIA and transmit it to the European Data Protection Board (the “EDPB”).

The draft list was published in April 2018. In October, the EDPB adopted an Opinion on the draft DPIA lists established by the SAs, including the Belgian DPA. Following the EDPB’s Opinion, the Belgian DPA modified its list. The Belgian DPA asserts that this list is neither exhaustive nor final and could be modified in the future.

According to the Belgian DPA, the following data processing activities require companies to conduct a DPIA:

  • Processing of biometric data for the purpose of uniquely identifying individuals in a public area or private area that is publicly accessible;
  • Collecting personal data from third parties in order to weigh that information in making a decision to refuse or end a contract with an individual;
  • Collecting health-related data by automated means through an active implantable medical device;
  • Processing of personal data collected on a large scale by third parties to analyze or predict the economic situation, health, preferences or personal interests, reliability or behavior, localization or movements of natural persons;
  • Systematic sharing between several data controllers of special categories of personal data (“sensitive personal data”) or data of a very personal nature (such as data related to poverty, unemployment, youth support or social work, data related to domestic and private activities, and location data);
  • Large-scale processing of data generated by devices with sensors that send data over the Internet or any other means (i.e., Internet of Things applications such as smart TVs, smart household appliances, connected toys, smart cities and smart energy systems) for the purpose of analyzing or predicting individuals’ economic situation, health, preferences or personal interests, reliability or behavior, localization or movements;
  • Large-scale and/or systematic processing of telephony data, Internet data or other communication data, metadata or localization data of individuals, or that can lead to specific individuals (e.g., Wi-Fi tracking or processing of individuals’ localization data in public transports), when such processing is not strictly necessary for the service requested by the individuals; and
  • Large-scale processing of personal data where individuals’ behavior is observed, collected, established or influenced in a systematic manner and using automated means, including for advertising purposes.

Stolen user data from MyFitnessPal and other services hits the dark web

Stolen user information from 16 popular apps and services including Dubsmash and MyFitnessPal is now being sold on the dark web, according to a report from The Register. A seller on the dark web marketplace Dream Market has come forward offering login details for more than 617 million accounts for just under $20,000, to be paid in Bitcoin.

Source: The Register

US will map and disrupt North Korean botnet

The US government plans to turn the tables on North Korea-linked hackers trying to compromise key infrastructure. The Justice Department has unveiled an initiative to map the Joanap botnet and "further disrupt" it by alerting victims. The FBI and the Air Force Office of Special Investigations are running servers imitating peers on the botnet, giving them a peek at both technical and "limited" identifying info for other infected PCs. From there, they can map the botnet and send notifications through internet providers and foreign governments -- they'll even send personal notifications to people who don't have a router or firewall protecting their systems.

Source: Department of Justice

NBlog Jan 28 – creative technical writing

"On Writing and Reviewing ..." is a fairly lengthy piece written for EDPACS (the EDP Audit, Control, and Security Newsletter) by Endre Bihari.

Endre discusses the creative process of writing and reviewing articles, academic papers in particular, although the same principles apply more widely: security awareness briefings, for example, or training course notes. Articles for industry journals too. Even scripts for webcasts and seminars etc. Perhaps even blogs.

Although Endre's style is verbose and the language quite complex in places, I find his succinct bullet point advice to reviewers more accessible; for example, on the conclusion section he recommends asking:
  • Are there surprises? Is new material produced?
  • How do the results the writer arrived at tie back to the purpose of the paper?
  • Is there a logical flow from the body of the paper to the conclusion?
  • What are the implications for further study and practice?
  • Are there limitations in the paper the reader might want to investigate? Are they pointed at sufficiently?
  • Does the writing feel “finished” at the end of the conclusion?
  • Is the reader engaged until the end?
  • How does the writer prompt the reader to continue the creative process?
I particularly like the way Endre emphasizes the creative side of communicating effectively. Even formal academic papers can be treated as creative writing. In fact, most would benefit from a more approachable, readable style.

Interestingly, Endre points out that the author, reviewer and reader are key parties to the communication, with a brief mention of the editor responsible for managing the overall creative process. Good point!

Had I been asked to review Endre's paper, I might have suggested consolidating the bullet-points into a checklist, perhaps as an appendix or a distinct version of his paper. Outside of academia, the world is increasingly operating on Internet time due, largely, to the tsunami of information assaulting us all. Some of us want to get straight to the point first, then, if our interest has been piqued, perhaps explore in more detail from there, which suggests the idea of layering the writing: more succinct and direct at first, with successive layers expanding on the depth. [Endre does discuss the abstract (or summary, executive summary, precis, outline or whatever), but I'm talking here about layering the entire article.]

Another suggestion I'd have made is to incorporate diagrams and figures, in other words using graphic images to supplement or replace the words. A key reason is that many of us 'think in pictures': we find it easier to grasp concepts that are literally drawn out for us rather than (just) written about. There is an art to designing and producing good graphics, though, requiring a set of competencies or aptitudes distinct from writing.

Graphics are especially beneficial for technical documentation including security awareness materials, such as the NoticeBored seminar presentations and accompanying briefing papers. We incorporate a lot of graphics such as:
  • Screen-shots showing web pages or application screens such as security configuration options;
  • Graphs - pie-charts, bar-charts, line-charts, spider or radar diagrams etc. depending on the nature of the data;
  • Mind-maps separating the topic into key areas, sometimes pointing out key aspects, conceptual links and common factors;
  • Process flow charts;
  • Informational and motivational messages with eye-catching photographic images;
  • Conceptual diagrams, often mistakenly called 'models' [the models are what the diagrams attempt to portray: the diagrams are simply representational];
  • Other diagrams and images, sometimes annotated and often presented carefully to emphasize certain aspects.
Also, by the way, we use buttons, text boxes, colors and various other graphic devices to pep-up our pieces, for example turning plain (= dull!) bullet point lists into structured figures like this slide plucked from next month's management-level security awareness and training seminar on "Mistakes":

So, depending on its intended purpose and audience, a graphical version of Endre's paper might have been better for some readers, supplementing the published version. At least, that's my take on it, as a reviewer and tech author by day. YMMV

Massive data leak affects hundreds of German politicians

A number of German politicians have been the target of a massive data leak, one that contains extensive amounts of information. The data in question includes email addresses, private correspondence, passwords, phone numbers, work emails and photos, among other information, and those affected reportedly include journalists and celebrities as well as politicians. According to multiple reports, the data was leaked from the Twitter account @_0rbit -- which has since been suspended -- and the account began sharing the stolen information in December.

Via: TechCrunch

Hackers seize dormant Twitter accounts to push terrorist propaganda

As much progress as Twitter has made kicking terrorists off its platform, it still has a long way to go. TechCrunch has learned that ISIS supporters are hijacking long-dormant Twitter accounts to promote their ideology. Security researcher WauchulaGhost found that the extremists were using a years-old trick to get in. Many of these idle accounts used email addresses that either expired or never existed, often with names identical to their Twitter handles -- the social site didn't confirm email addresses for roughly a decade, making it possible to use the service without a valid inbox. As Twitter only partly masks those addresses, it's easy to create those missing addresses and reset those passwords.

Source: TechCrunch

Hackers claim to have insurance data linked to 9/11 attacks

The hackers who stole Orange is the New Black are back, and they've hit a new low. The group known as TheDarkOverlord claims to have stolen 18,000 documents from Hiscox Syndicates, Lloyds of London and Silverstein Properties, and threatened to release files providing "answers" for 9/11 attack "conspiracies" unless it received a ransom. A Hiscox spokesperson confirmed the hack to Motherboard and indicated that this was likely insurance data tied to litigation involving the terrorist campaign.

Via: Motherboard

Source: TheDarkOverlord (Twitter, archived)

Hackers steal personal data from 997 North Korean defectors

Hackers just caused grief for North Korean defectors. South Korea's Unification Ministry has revealed that attackers stole the personal data of 997 defectors, including their names and addresses. The breach came after a staff member at the Hana Foundation, which helps settle northerners, unwittingly opened email with malware. The defectors' data is normally supposed to be isolated from the internet and encrypted, but the unnamed staffer didn't follow those rules, officials said.

Source: Wall Street Journal