Monthly Archives: March 2014

Soon you’ll be able to get a real drink at Starbucks


Howard Schultz, left, chairman and CEO of Starbucks Coffee Company, pours tea for Oprah Winfrey, right, to announce their partnership to offer Teavana Oprah Chai tea, Wednesday, March 19, 2014, at Starbucks’ annual shareholders meeting in Seattle. (AP Photo/Ted S. Warren)

Starbucks is going to start selling alcohol at thousands of stores. In addition to wine and beer, Starbucks’ after-4 p.m. evening menu will include bacon-wrapped dates, truffle mac n’ cheese, chocolate fondue and other wine bar-type fare.

The rollout will take several years, Chief Operating Officer Troy Alstead told Bloomberg.

Starbucks first tested the idea in 2010 at a Seattle store, then tried it in 25 other locations in Chicago, Southern California, and Atlanta starting in 2012. “As we bring the evening program to stores, there’s a meaningful increase in sales during that time of the day,” Alstead said.

The expanded menu is better suited to bustling urban areas near other restaurants and theaters, Alstead told Bloomberg.

In recent years, Starbucks has been looking to boost its revenue by expanding beyond its standard coffee and croissant offerings – a good idea given the recent hike in wholesale prices of coffee and milk.

In the last three years the Seattle-based company bought the juice company Evolution Fresh Inc. for $30 million, La Boulange, a Bay Area bakery, for $100 million, and the Atlanta tea chain Teavana Holdings Inc. for $620 million.

Starbucks will even be selling a celebrity-endorsed tea. Oprah Winfrey announced at Starbucks’ annual meeting on Wednesday that she would back the brand. “Oprah Chai Tea” debuts April 29 at both Starbucks and Teavana stores, with proceeds going to education charities including the Oprah Winfrey Leadership Academy for Girls.

Starbucks’ innovation isn’t limited to their menu. Starting Wednesday customers can tip baristas through the Starbucks iPhone app. They are also testing mobile order-ahead options that would allow customers with smartphones to avoid long lines.

Via: washingtonpost

Here Are All The Sites You Should Enable Two Factor Authentication On

Two-factor authentication! In this age of endless massive hacks we seem to be in the middle of, it’s one of the easiest ways you can dramatically boost security on your online accounts.

But which sites actually support it? It can be a pain to keep track. Fortunately, a new, community-driven list keeps a running list of all the big sites that have some form of 2FA enabled (and encourages you to nag at those that don’t).

Still not quite sure what two-factor authentication is? Don’t worry — it’s less complicated than its name makes it sound. The basic idea is that to log into an account, you’d need two things to verify you are who you say you are: something you know (like a password), and something you have (like your cell phone, tied to a verified phone number).

While the exact implementation varies, this generally means that once you’ve punched in your password, a service will ask you to type in a randomly generated code that they’ve sent to your cell phone. In order to gain access to your account, then, a hacker would need your password and access to your cell phone (or some way of intercepting messages). It’s not bulletproof, but it makes hacking an account a helluva lot more complicated.

TwoFactorAuth.org is an attempt to compile a list of how every relatively large service implements (or doesn’t implement) two-factor login. If a company supports it, it offers an at-a-glance look at the methods used — LinkedIn, for example, uses the texting method mentioned above, while the Steam gaming store sends your code via email, instead.


And if a listed company doesn’t support two-factor, they get a big ol’ “Tell them to support 2FA” button placed right next to their name. Press it, and it’ll auto-generate a tweet to the company for you that calls them out for their security practices.

The whole thing is managed through a public GitHub repo, allowing anyone with a bit of basic coding knowledge to offer up suggestions for additions or modifications to the list.

The current big offenders? According to the list: Mint, Amazon (they support it for their developer-focused web services, but not for their retail store or payments service), Zappos, BitBucket and Heroku.

Via: techcrunch

Firefox 28 Launches With Support For VP9 Video And Web Notifications In OS X Notification Center

Mozilla  launched the latest version of its Firefox browser. The main feature in this release was originally supposed to be support for the Windows 8 Metro mode, but as the organization announced last week, it decided to scrap this because of low user adoption during the beta process.

Without Windows 8 support, the new features in today’s release are relatively minor. They include support for VP9 video decoding and the OS X notification center, so that notifications from web apps can now appear there. Also new is support for volume control for HTML5 audio and video and support for WebM Opus audio.

All of these updates are for both the desktop and Android version.

In addition, the mobile app is also getting support for native text selection, cut and copy, as well as additional quick share buttons and predictive lookup for Awesomebar entries.

None of this is earth shattering, but it’s really just the quiet before the storm. Firefox 29, currently scheduled for release next month, is currently scheduled to be the first to feature Firefox’s new Australis user interface (though it could slip to Firefox 30). The new interface will surely stir up quite a bit of dust, as it is a major departure from the existing one and resembles Chrome in many ways. It highlights customization and is meant to simplify the browser UI.

Mozilla has been working on this new UI for a long time now, but started talking about it more publicly about a year ago. Still, it’ll be interesting to see how people react when the next version launches (and somebody will surely develop a skin that brings back the old interface).

Via: techcrunch

UK gov wants to censor legal but “unsavory” YouTube content

The Financial Times revealed that Google has given British security the power to quickly yank terrorist content offline.

The UK government doesn’t want to stop there, though – what it really wants is the power to pull “unsavory” content, regardless of whether it’s actually illegal – in other words, it wants censorship power.

The news outlet quoted UK’s security and immigration minister, James Brokenshire, who said that the government must do more to deal with material “that may not be illegal but certainly is unsavory and may not be the sort of material that people would want to see or receive.”

He further told Wired.co.uk in a statement that the targeting of content is part of the government’s fight against terror:

Terrorist propaganda online has a direct impact on the radicalisation of individuals and we work closely with the internet industry to remove terrorist material hosted in the UK or overseas.

Brokenshire says that the government is also gung-ho about options wherein social media sites tweak their algorithms to keep nasty content from popping its head up at all, or at least get to the point that such content is served up with more balanced material.

Of specific concern are Britons getting radicalised by travelling to take part in the ongoing Syrian conflict, Wired reports.

The Home Office told Wired that any videos flagged by the Metropolitan Police’s Counter Terrorism Internet Referral Unit (CTIRU) for review have been found to be in breach of counter-terrorism laws, with 29,000 such having been removed across the web since February 2010.

Brokenshire’s comments came in the context of an interview around the UK government’s alleged “super flagger” status – i.e., the power to request that masses of clips are pulled on a large-scale basis instead of flagging individual videos, one by one, that breach guidelines.

The Home Office told Wired that the CTIRU doesn’t, actually, have super flagger status, in spite of wide news reports to that effect. Rather, it’s risen to the rank of Trusted Flagger, which designates users that regularly, correctly flag questionable content.

Google confirmed to the Financial Times that the Home Office has been given the powerful flagging permissions on YouTube but that Google itself still has the final say on what stays and what goes.

What goes is definitely content that incites violence, as the FT quotes YouTube:

We have a zero-tolerance policy on YouTube towards content that incites violence. Our community guidelines prohibit such content and our review teams respond to flagged videos around the clock, routinely removing videos that contain hate speech or incitement to commit violent acts.

To increase the efficiency of this process, we have developed an invite-only program that gives users who flag videos regularly tools to flag content at scale.

Jaani Riordan, a barrister specialising in technology litigation, told Wired that the concept of government going beyond takedown of illegal content to compel takedown of undesirable material is censorship, plain and simple:

It is [censorship]… Removal of lawful material by government simply because it offends governmental or public policy is without justification. Conversely, a private enterprise, such as YouTube, would always remain free to remove content which offends its Terms of Use or other policies, and there is very limited if any recourse against it for doing so.

The push against “unsavory” content is in line with the UK’s pressure on service providers to provide filters in an ever-increasing range of subject material, starting with child abuse content and expanding to include pornography, with the 2012 Online Safety Bill stating that ISPs and mobile telcos should provide a porn-free internet connection by default.

Wired points out that if, in fact, the government were to take the reins and actually force YouTube to remove content, it would be breaching Article 10(2) of the European Convention on Human Rights, related to the right to freedom of expression.

What’s your take? Should legal content glorifying terrorism be yanked, whether it’s legal under countries’ laws or not?

Is tweaking algorithms to keep it from rising high in search results – in effect, smothering content – more desirable than outright deletion?

Via: nakedsecurity

Google plans to kill Google Voice in coming months, integrate features into Hangouts

We’ve heard that Google Voice is getting dragged to the trash can and most of its functionality will be incorporated into the G+ Hangouts apps on both Android and iOS. This has already happened to an extent with the ability to phone friends on Hangouts, but we’re hearing the full shuttering and deprecation of the app is the next step.

What’s interesting here is that VoIP-to-phone calling is expected to be integrated into the Hangouts iOS and Android apps so that, just as on the Web version, you could make (and receive) VoIP calls directly from your Google phone number. Whether the carriers and Apple are okay with this isn’t certain; the thinking is that it could be enabled carrier by carrier, as with Apple’s FaceTime (or scrapped altogether), depending on the market and the carrier.

Google recently allowed Hangouts to take over the SMS functionality of Android phones, and as Android Police points out in the image above, the direction in which Google is trending seems to be pushing all telephony communications into Hangouts.

The VoIP functionality would allow those willing to trust Google with their number to have a way to drop their carrier voice plans altogether – an extremely controversial move and one we’d expect to see challenged by carriers.

No specific timing on the Google Voice migration was given, but it is said to be “months out” which would make Google I/O a good bet for an announcement. The move is part of a larger overhaul on the company’s apps which we’ll have more info on later this week.

————————-

Comment:

Some of y’all are freaking out for no reason. The headline is terrible, so I get it. Google is not “killing” Google Voice. They’re merging Google Voice functionality into Hangouts. They ARE, however, killing the Google Voice API. Which means that third party apps that currently use Voice will cease to function once the merger is complete.

Your Voice number is not going away. Voice functionality is not going away. They’re simply replacing the Voice app and shunting those features over to Hangouts (and, as mentioned by others, this is already available on iOS). I’ve been anxiously awaiting this, as third party solutions (like GrooveIP) are very kludgey and don’t work well or reliably.

Via: 9to5google

Malaysia Airlines Flight 370 News Used To Spread Online Threats

As more countries join in the search for the missing Malaysia Airlines Flight 370, we are seeing cybercriminals use this highly talked-about topic to unleash different online threats.

One involves a fake video about this flight, which we believe is spreading via email. The video is supposedly a five-minute clip about MH370, named Malaysian Airlines MH370 5m Video.exe. In reality, it is a backdoor detected as BKDR_OTOPROXY.WR. As is the case with most backdoors, this malware allows a remote attacker to execute various commands on the system, including downloading and running files from its servers and collecting various system information.

There is one unusual aspect to this backdoor. Its command-and-control (C&C) server at www-dpmc-dynssl-com (replace dashes with dots) was noted by other security researchers in October of last year as being related to a targeted attack. It is unusual for a targeted attack to share the same infrastructure as a more “conventional” cybercrime campaign, yet that appears to be the case here. We currently have no information that this particular backdoor is being used in targeted attacks.
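Two checks a defender would run on the lure and the infrastructure described in the two paragraphs above, as an added example that is not part of the original post: an attachment triage function that flags an executable dressed up as a video (news or media words in the name, a media extension hiding an executable one, or a Windows PE header under a non-executable extension), and a small indicator match that undoes the post’s dash-for-dot defanging and scans proxy log lines for contact with the C&C host. The file name, header bytes and log lines are constructed for the demonstration; the log format (`time client method url`) is assumed, and `refang` assumes the defanged indicator contains no real hyphens.

```python
import re

# Constructed sample data for this example (not data from the original post).
PE_MAGIC = b"MZ"
MEDIA_EXTS = {".mp4", ".avi", ".wmv", ".mov", ".flv", ".mkv", ".mpg"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
LURE_WORDS = ("video", "mh370", "malaysia", "flight", "breaking", "news")

SAMPLE_LOG = [
    "2014-03-12T10:01:02Z 10.0.0.5 GET http://www.dpmc.dynssl.com/update.php",
    "2014-03-12T10:01:09Z 10.0.0.7 GET http://www.example.com/index.html",
    "2014-03-12T10:02:41Z 10.0.0.5 POST http://www.dpmc.dynssl.com/beacon",
]


def classify_attachment(filename: str, head: bytes) -> list:
    """Return the reasons an attachment looks like a disguised executable
    (an empty list means nothing suspicious). `head` is the file's first bytes,
    so the check does not trust the extension alone."""
    name = filename.lower().strip()
    m = re.search(r"(\.[a-z0-9]{1,5})$", name)
    ext = m.group(1) if m else ""
    stem = name[:len(name) - len(ext)] if ext else name
    reasons = []
    if ext in EXEC_EXTS and any(w in name for w in LURE_WORDS):
        reasons.append("executable extension with media/news lure in name")
    if ext in EXEC_EXTS and any(stem.endswith(x) for x in MEDIA_EXTS):
        reasons.append("double extension hiding an executable")
    if head.startswith(PE_MAGIC) and ext not in EXEC_EXTS:
        reasons.append("PE header (MZ) under a non-executable extension")
    return reasons


def refang(defanged: str) -> str:
    """Undo the defanging the post uses (dashes for dots) and the common
    "[.]" form. Assumption: the real indicator contains no hyphens."""
    return defanged.replace("[.]", ".").replace("-", ".").lower()


HOST_RE = re.compile(r"https?://([^/\s:]+)")


def find_c2_contacts(log_lines, defanged_c2: str) -> list:
    """Return the log lines whose request host is the C&C domain or a subdomain of it."""
    c2 = refang(defanged_c2)
    hits = []
    for line in log_lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        if host == c2 or host.endswith("." + c2):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print(classify_attachment("Malaysian Airlines MH370 5m Video.exe", b"MZ\x90\x00\x03\x00"))
    for hit in find_c2_contacts(SAMPLE_LOG, "www-dpmc-dynssl-com"):
        print(hit)
```

The header check matters because mail gateways that only look at the extension are defeated by a renamed file; checking both directions (executable bytes under a document extension, and media words around an executable extension) catches the lure described here and its inverse.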

We also saw survey scams that took advantage of this tragedy. One such incident actually uses the fake breaking news that the missing aircraft has been found at sea. Users who click the link will be directed to a website that closely mimics the layout of Facebook. This site has an embedded video, supposedly of the discovery of the missing plane. Clicking anywhere on the page actually opens another page with a fake video about the sequel of the movie Avatar.


Figure 1. Malicious site with embedded “video”

When the user clicks on any of these videos, they are prompted to share it with their social media followers before viewing; playback is restricted unless it is shared. After sharing, the user is required to verify their age by completing a test. These tests are actually nothing more than a survey scam: the user is prompted to answer multiple surveys in exchange for something (in this case, the supposed video) which doesn’t actually exist. Feedback from the Smart Protection Network indicates that 32% of users accessing this page are in North America; more than 40% are from the Asia-Pacific region.

Another survey scam incident involves one site mimicking the layout of YouTube to present yet another video of the “discovery” of the missing plane. Like the previous incident, it requires users to share the video and take a “test” before they can watch it. Once again, this test leads to a survey scam site.


Figure 2. Another site promoting a late-breaking “video”

Current events and news updates have become go-to social engineering bait of cybercriminals. This has become an unfortunately frequent occurrence – events like the Tohoku earthquake, Boston marathon and Typhoon Haiyan were all abused to spread various threats.

We advise users to rely on reputable and trusted news sites to get information on current events, rather than through emails or social networking sites.

Via: trendmicro

Google Encrypts Web Searches To Fight Spying, Censorship

Spying by the NSA, its British counterpart, the GCHQ, and other organizations pushed Google to expand encryption, but protecting searches still falls short of encrypting other important and widely used services like Gmail. However, Google’s decision to encrypt searches is a good start, said Charles King, principal analyst with Pund-It.

Search giant Google is expanding the encryption of searches that are placed on its search engine in light of last year’s revelations that the U.S. National Security Agency (NSA) was spying on U.S. citizens, according to published reports.

By encrypting the traffic, it will be more difficult for an agency like the NSA to see what people are looking up. When the rollout of encryption begins — a timeline has not yet been released — Google will be looking at countries like China first, since those governments actively censor search results. The Washington Post is reporting that Google has already started encrypting searches in China.

Google’s decision to encrypt searches falls right in line with the thinking of whistleblower Edward Snowden, the former NSA contractor responsible for stealing secret agency documents, who has continued to suggest that encryption would go a long way toward safeguarding privacy.

Following the release of those documents in 2013, Google’s name was tarnished as the company was accused of helping the government agency. Since then, it has tried to salvage its reputation by publicly railing against the NSA and announcing that encryption is one of the ways that it will protect user data.

Fighting Government Censorship

The so-called Great Firewall that has been constructed in China is possibly one of the most complex Internet censorship systems in the world. Despite the massive growth in China’s economy and its vital relationships with countries in the West, Chinese citizens are still not allowed to access content that the government deems harmful.

Blocking Google altogether is still an option for the Chinese government if it chooses to fight back against the new search encryption. Until then however, Google should be able to help citizens within the country look for things that would normally be blocked. And because searches like “Dalai Lama” are not allowed in China, people within the country may finally have a better understanding of the world.

China may have the best Internet censorship program but other countries, like Saudi Arabia and Vietnam, have also chosen to filter searches. To fix this problem, Google appears to be expanding encryption to those areas prior to a global rollout that will eventually include people in North America and Europe.

Anti-NSA

Outside of providing a way to subvert government censorship, the encryption of its searches is also a way for Google to take a stand against government spying.

We asked Charles King, principal analyst with Pund-IT, if encryption would be worthwhile in light of the NSA revelations. He told us that spying by the NSA, its British counterpart, the GCHQ, and other organizations pushed Google to expand encryption, but protecting searches still falls short of encrypting other important and widely used services like Gmail.

“Encrypting search is the right thing to do but it’s also good business for a company whose influence is worldwide,” he said. “[But] Google’s action falls short of the calls for globally encrypted e-mail espoused by activists including Edward Snowden. But it’s a good start.”

Via: enterprise-security-today

How St. Louis is solving the programmer shortage one Harvard course at a time

“Have you ever had the opportunity to work with someone who is the best in the world?” That question got at the heart of a presentation from Jim McKelvey, co-founder of mobile payments company Square, at a rather unusual event that I attended at our newly renovated central library downtown. I’ll get to Jim in a moment, but first I want to tell you the context of the event.

In St. Louis, like many areas of the world, we have a technology talent shortage. There are dozens of companies, some big and some just getting started, that can’t hire good programmers. It isn’t from lack of trying, or resources: they have the money, the open positions, and the need. The problem in the past has been explained that either they can’t find them or don’t know where to look. But there is a third possibility: the coders exist, they just need some training to get started. That is where an effort called LaunchCode comes into play.

For the past several weeks, hundreds of folks have been taking the beginning computer science programming class, CS50 that Harvard offers over the EdX online platform. The class started with more than a thousand participants and is now down to about 300 or so hardy souls who spend 20 hours per week or more learning how to code. Each week they gather in our library to listen to the lectures and work together on the various programming problem sets.

David Malan, who went to Harvard himself and is a rockstar teacher, teaches the course. I watched a couple of his lectures and found them interesting and engaging, even when he covers some basic concepts that I have long known. If I had him teaching me programming back in the day, I might have stuck with it and become a coder myself.

The CS50.tv collection online is pretty amazingly complete: there are scans of the handouts, quizzes, problem sets, additional readings, supplemental lectures and so forth. The courseware is very solidly organized and designed and very impressive, from my short time spent looking around.

But here is the problem: while the online class is fantastic, only one percent of the people who take the class complete it satisfactorily. That is almost a mirror image of the completion rate for those attending in-person at the Harvard campus, where 99% of the students finish. I was surprised at those numbers, because Malan goes quickly through his lectures. You have to stop and rewind them frequently to catch what he is doing.

This is where LaunchCode comes into play. The operation, which is an all-volunteer effort, is trying to short-circuit the coder hiring process by pairing the students who complete the course with experienced programmers in one of more than 100 tech companies who are looking for talent. They think of what they are doing as going around the traditional HR process and building a solid local talent pool. It is a great idea. I spoke to a few students, many of whom come from technical backgrounds but who don’t have current coding experience. They are finding the class challenging but doable.

LaunchCode is also supplementing the CS50 lectures and online courseware with meatspace assistance. They have space reserved downtown for the students to get together and help each other. Some students have actually moved to St. Louis so they could take the class here: that was pretty amazing! LaunchCode has created mailing lists and Reddit forums where students can share ideas. But that isn’t enough, and last night we learned that Malan is coming to town in a few weeks, bringing a dozen of his teaching assistants with him for a special evening hackathon for the class participants. Wow. Will that help get more students to finish the class? I hope so, because I want Malan & Co. to make a regular trip here to see the next class, and the next.

The problem with learning programming is that you have to just do it to become good at it. No amount of academic study is going to help you understand how to parse algorithms, debug your code, figure out what pieces of the puzzle you need and how to organize them in such a way to make more efficient code. You just have to go do “build something” as McKelvey told us all last night.

Back to his question posed at the top of my post. Obviously, he thinks Malan is the best programming teacher in the world. He challenged everyone in the auditorium to think about what questions they would ask Malan when he comes into town, and how they can leverage their time with the master. He used the analogy of when he built his glassblowing studio and was able to spend time with Lino Tagliapietra, a master Venetian glassblower. Last night he once again told the story of how humbling an experience that was and how he was allowed to ask only a single question of the “maestro.” Wow.

McKelvey was very gracious with his time, and answered lots of questions from the LaunchCode students. Many of the questions last night were how the students were going to position themselves to get a coding job once the class was over in a few weeks. McKelvey kept emphasizing that they need to just “rock the class” and not worry about whether they were going to be programming in php or Ruby. “That isn’t important,” he kept saying: just demonstrate to Malan that they could write the best possible code when he comes here in a few weeks.

I have heard McKelvey speak before and last night he was in fine form. Will LaunchCode succeed at seeding lots of beginning coders? Only time will tell. But my hat is off to them for trying a very unconventional approach, and I hope it works.

Via: itworld

Cybersecurity training to start with children as young as 11

About a year ago, the UK’s National Audit Office put out a report that said the paucity of cybersecurity skills is tripping up the government’s progress in keeping up with the Cyber Security Strategy, a security blueprint it put out in 2011.

Young people are dribbling out of computer science or ICT programs in schools and universities at a pathetically slow rate, the report said.

Furthermore, what few security pros the government has are being lured away by the sweet smell of big bucks wafting from the private sector.

According to the report, the whole country’s IT development is coasting by on the graces of a few handfuls of “highly skilled people”, and the pipeline of graduates and practitioners is down to such a trickle that it could take 20 years to address the skills gap at all levels of education.

So the government is going to start teaching children as young as 11 about careers in cybersecurity, it says.

The UK’s Department for Business, Innovation & Skills on Thursday released a report on the issue of the cybersecurity skills gap, announcing that it’s getting “special learning materials” into the hands of 11- to 14-year-olds.

It’s also planning cybersecurity apprenticeships, has plans to train teachers so they can pass on cybersecurity smarts to their students, and will get universities to boost their own teaching in the field.

Security internships will also be a part of the puzzle, to get students the work experience that employers need, the report says.

Universities and Science Minister David Willetts had this to say, as quoted in a press release about the report:

Today countries that can manage cyber security risks have a clear competitive advantage.

By ensuring cyber security is integral to education at all ages, we will help equip the UK with the professional and technical skills we need for long-term economic growth.

The plans are an outgrowth of the government mulling over these issues together with the employers who hire security people.

One of the explicit examples of how they will work is a plan to incorporate professional qualifications into degrees, as well as getting businesses involved in course design and embedding cybersecurity into software engineering and computing degrees.

Another idea they’ve had is support for a Massive Open Online Course (MOOC) to provide a mass audience with introductory training on cybersecurity.

They’re also trying to get advanced degrees that are security-centric, and they want to inject security into vocational training as well.

The government’s ambitions are well-grounded in a compelling need for more security skills.

Whether it finds the funds to pay for it all could make or break the skills pipeline, in the UK as in every other skills-strapped country.

Via: sophos

Healthcare industry advised to do more thorough risk analyses

Recent study indicates growing list of risks for healthcare security, prompting experts to call for the improved analyses.

Healthcare organizations see an expanding landscape of uncertainty that has raised concerns among security pros and points to the need for more thorough threat analyses, a study showed.

Risks posed by health insurance and information exchanges, employee negligence, cloud services and mobile device usage has dampened confidence in protecting patient data, the Fourth Annual Benchmark Study on Patient Privacy & Data Security found. The study, released Wednesday, was conducted by the Ponemon Institute and sponsored by data breach prevention company ID Experts.

Despite the concerns, the study showed progress on the security front. The average cost of data breaches for organizations represented in the study fell to $2 million over a two-year period, compared to $2.4 million in last year’s report.

In addition the number of data breaches fell slightly. The survey found that 38 percent of the respondents had more than five incidents in the last two years, down from 45 percent last year.

“This coupled with an increase in organizations’ level of confidence in data breach detections suggests that modest improvements have been made in reducing threats to patient data,” the report said.

At the same time, security pros have been battling a rising number of data breaches caused by criminal activity in and outside an organization. Such breaches accounted for 40 percent of all incidents of data loss compared to 20 percent in 2010, the study found.

Three-quarters of the organizations said employee negligence represented the greatest security risk.

Almost seven in 10 organizations believed the Affordable Care Act, known as Obamacare, increased risks through the establishment of more than a dozen state health insurance marketplaces and the federal government site. The primary concern was insecure exchange of patient information between healthcare providers and government.

Employees using their own mobile device on the corporate network were also a major concern, yet nearly nine in 10 organizations condoned the practice.

While cloud services were also a big concern, 40 percent of the respondents used the cloud heavily, an increase of 32 percent from last year. Services most used included backup and storage, file sharing, business applications and document sharing and collaboration.

Another major area of concern was trusting sensitive patient data to third parties or business associates. Almost three-quarters of the organizations surveyed either had no confidence or were only somewhat confident in these entities.

Overall, the study points to a need for more thorough risk assessments to reduce security concerns, Rick Kam, founder and president of ID Experts, said.

“Whether it’s with a business associate or a government entity, they should all be working together to do a risk analysis and understand what the current threats and vulnerabilities are, so they can collectively find ways to mitigate those risks,” Kam said.

The survey is based on interviews with senior-level personnel at 91 healthcare providers.

Via: csoonline